[PATCH] nfsd: fix dead ACL conflict guard in nfsd4_create

Jeff Layton posted 1 patch 3 days, 7 hours ago
nfsd4_create() steals create->cr_dpacl/cr_pacl into the local
nfsd_attrs via the designated initializer, then immediately sets the
source pointers to NULL. The subsequent conflict guard tests the
already-nilled source fields, making it permanently dead code:

    if (create->cr_acl) {
        if (create->cr_dpacl || create->cr_pacl)  /* always false */

When a client encodes both FATTR4_WORD0_ACL and
FATTR4_WORD2_POSIX_{DEFAULT,ACCESS}_ACL in the same CREATE fattr
bitmap, nfsd4_acl_to_attr() overwrites attrs.na_pacl/na_dpacl without
releasing the originals, leaking two posix_acl slab objects per
request. Repeated requests cause unbounded slab exhaustion.

Fix by checking attrs.na_dpacl/na_pacl (the stolen values) instead of
the nilled create->cr_dpacl/cr_pacl, matching the correct pattern
already used in nfsd4_setattr().

Reported-by: Chris Mason <clm@meta.com>
Assisted-by: kres:claude-opus-4-6
Fixes: d2ca50606f5f ("NFSD: Add support for POSIX draft ACLs for file creation")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/nfsd/nfs4proc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 85e94c30285a..fa995cb34b16 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -837,7 +837,7 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 		goto out_aftermask;
 
 	if (create->cr_acl) {
-		if (create->cr_dpacl || create->cr_pacl) {
+		if (attrs.na_dpacl || attrs.na_pacl) {
 			status = nfserr_inval;
 			goto out_aftermask;
 		}
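Review bot: the rejection path in this hunk (`status = nfserr_inval; goto out_aftermask;`) now fires while `attrs.na_dpacl`/`attrs.na_pacl` still hold the posix_acl objects moved out of `create`, and the cleanup at `out_aftermask` is outside the visible context; please confirm that label releases the attrs ACLs on this early exit (as the other `goto out_aftermask` exits presumably rely on), otherwise a CREATE carrying both ACL forms still leaks two slab objects per rejected request. A one-line comment above the guard noting that `attrs` owns the stolen pointers would also help, since the previous version of this same check tested the already-cleared `create` fields and went unnoticed as dead code.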

---
base-commit: de5bbd421a35ab18ed71f442aee49c956d6dafb1
change-id: 20260520-nfsd4_create_acl_posix_acl_overwrite_leak-a06bd957804c

Best regards,
-- 
Jeff Layton <jlayton@kernel.org>
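The ownership hand-off and the dead guard described in the commit message, reproduced in user space as an added example (not code from the nfsd tree): the structs, the `acl_alloc`/`acl_release` helpers and the `live_acls` counter are hypothetical stand-ins, and `acl_to_attr()` models `nfsd4_acl_to_attr()` only as the message describes it, overwriting the attrs pointers without releasing them.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel objects named in the commit message. */
struct posix_acl { int pad; };
struct nfsd4_create { int cr_acl; struct posix_acl *cr_dpacl, *cr_pacl; };
struct nfsd_attrs { struct posix_acl *na_dpacl, *na_pacl; };

static int live_acls;  /* constructed counter standing in for slab accounting */
static struct posix_acl *acl_alloc(void) { live_acls++; return calloc(1, sizeof(struct posix_acl)); }
static void acl_release(struct posix_acl *a) { if (a) { live_acls--; free(a); } }
/* Models nfsd4_acl_to_attr() as described: overwrites na_dpacl/na_pacl without releasing them. */
static void acl_to_attr(struct nfsd_attrs *attrs)
{
	attrs->na_dpacl = acl_alloc();
	attrs->na_pacl = acl_alloc();
}
/* check_stolen == 0 reproduces the dead guard; 1 applies the patched guard. */
static int do_create(struct nfsd4_create *create, int check_stolen)
{
	struct nfsd_attrs attrs = { .na_dpacl = create->cr_dpacl, .na_pacl = create->cr_pacl };
	int status = 0, conflict;
	create->cr_dpacl = NULL;  /* ownership moved to attrs; the old guard now only sees NULLs */
	create->cr_pacl = NULL;
	if (create->cr_acl) {
		conflict = check_stolen ? (attrs.na_dpacl || attrs.na_pacl)
					: (create->cr_dpacl || create->cr_pacl);
		if (conflict) { status = -EINVAL; goto out; }
		acl_to_attr(&attrs);  /* the two stolen objects become unreachable here */
	}
out:
	acl_release(attrs.na_dpacl);
	acl_release(attrs.na_pacl);
	return status;
}

/* One CREATE carrying both the NFSv4 ACL and the POSIX ACLs (constructed input);
 * returns the number of posix_acl objects still live once the request completes. */
static int run_create(int check_stolen, int *status)
{
	struct nfsd4_create c = { .cr_acl = 1 };
	live_acls = 0;
	c.cr_dpacl = acl_alloc();
	c.cr_pacl = acl_alloc();
	*status = do_create(&c, check_stolen);
	return live_acls;
}
static int leaked_with_dead_guard(void) { int s; return run_create(0, &s); }
static int leaked_with_fix(void) { int s; return run_create(1, &s); }
static int status_with_fix(void) { int s; run_create(1, &s); return s; }
```

With the dead guard the request succeeds and leaves two objects live per call; with the patched check it is rejected and both are released.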
Re: [PATCH] nfsd: fix dead ACL conflict guard in nfsd4_create
Posted by Chuck Lever 3 days, 3 hours ago
From: Chuck Lever <chuck.lever@oracle.com>

On Thu, 21 May 2026 07:50:21 -0400, Jeff Layton wrote:
> nfsd4_create() steals create->cr_dpacl/cr_pacl into the local
> nfsd_attrs via the designated initializer, then immediately sets the
> source pointers to NULL. The subsequent conflict guard tests the
> already-nilled source fields, making it permanently dead code:
> 
>     if (create->cr_acl) {
>         if (create->cr_dpacl || create->cr_pacl)  /* always false */
> 
> [...]

Applied to nfsd-testing, thanks!

[1/1] nfsd: fix dead ACL conflict guard in nfsd4_create
      commit: e18fa5137111b7d2ab7002d041c05ee7c52694ef

--
Chuck Lever <chuck.lever@oracle.com>