[PATCH] nfsd: fix use-after-free in nfsd4_lock() when releasing new lock stateid

Next message: Alice Ryhl: "Re: [PATCH 4/4] s390: enable Rust support"
Previous message: Jonathan Cameron: "Re: [PATCH v11 3/6] iio: adc: ad4691: add triggered buffer support"
Next in thread: Jeff Layton: "Re: [PATCH] nfsd: fix use-after-free in nfsd4_lock() when releasing new lock stateid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wentao Liang

Date: Mon May 18 2026 - 11:35:33 EST

When processing a new lock request that fails with an error,
nfsd4_lock() may call release_lock_stateid() on a newly created
lock stateid. release_lock_stateid() can free the stateid via
nfs4_put_stid() if it is the last reference, but the caller
subsequently accesses lock_stp->st_mutex and lock_stp->st_stid,
leading to a use-after-free.

Fix this by moving mutex_unlock() before release_lock_stateid()
and jumping over the remaining lock_stp cleanup after release,
since release_lock_stateid() already handles the final put.
This ensures no further access to lock_stp after it may be freed.

Fixes: 5db1c03feb00 ("nfsd: clean up lockowner refcounting when finding them")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
fs/nfsd/nfs4state.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 88c347957da5..cef9d8ddfc43 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -8388,13 +8388,18 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
* If this is a new, never-before-used stateid, and we are
* returning an error, then just go ahead and release it.
*/
- if (status && new)
+ if (status && new) {
+ mutex_unlock(&lock_stp->st_mutex);
release_lock_stateid(lock_stp);
+ goto out_no_lock_stp;
+ }

mutex_unlock(&lock_stp->st_mutex);

nfs4_put_stid(&lock_stp->st_stid);
}
+
+out_no_lock_stp:
if (open_stp)
nfs4_put_stid(&open_stp->st_stid);
nfsd4_bump_seqid(cstate, status);
--
2.34.1