From 6e2cbd51c3c9f3f58f2df131f061b577d4a8ba8a Mon Sep 17 00:00:00 2001
From: Yuan Wang
Date: Sun, 25 Jan 2026 18:41:16 +0800
Subject: [PATCH] Fix deferring free object that refcount is more than 1 (#14738)

in https://github.com/redis/redis/pull/14440, we remove the refcount check in [tryDeferFreeClientObject](https://github.com/redis/redis/commit/235e688b010b38496ea1de06b0bfc2786b1ebc63#diff-252bce0cc340542712f0c1adf62e9035ea47a4a064321fbf40ec3dd4b814aaf2R1509), it is ok in 8.4 version, since after command execution, the refcount of a kvobject always is 1. but in #14608 (8.6 RC1) we change this assumption, increment refcount when a client refer a kvobject in reply, so now if the refcount of kvobject is more than 1, we may let the io thread call `decrRefCount`, there is data race, maybe it causes memory leak.
---
 src/db.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/db.c b/src/db.c
index e96a43c52..04d94184f 100644
--- a/src/db.c
+++ b/src/db.c
@@ -687,7 +687,7 @@ static void dbSetValue(redisDb *db, robj *key, robj **valref, dictEntryLink link
 }
 }
- if (server.io_threads_num > 1 && old->encoding == OBJ_ENCODING_RAW) {
+ if (server.io_threads_num > 1 && old->encoding == OBJ_ENCODING_RAW && old->refcount == 1) {
 /* In multi-threaded mode, the OBJ_ENCODING_RAW string object usually is
 * allocated in the IO thread, so we defer the free to the IO thread.
 * Besides, we never free a string object in BIO threads, so, even with
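Review bot: The added `old->refcount == 1` guard carries an ownership rule that the comment directly under the condition does not state; that comment still explains the deferral only in terms of where RAW strings are allocated. Per the commit message, a value whose refcount is above 1 may still be referenced by a client reply, and handing it to an IO thread would let `decrRefCount` run off the main thread, so I would extend the comment with something like `* Only defer when we hold the last reference (refcount == 1); an object still referenced by a client reply must be released on the main thread.` The diffstat shows only src/db.c changed, so a regression test that overwrites a key while a reply still references its value, run with IO threads enabled, would help keep this check from being dropped again as it was in #14440. dbSetValue's body and the rest of this comment continue outside the hunk.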