[PATCH v2 0/9] nfsd: a pile of fixes for random bugs
Posted by Jeff Layton 1 week, 1 day ago
These bugs were categorized as remotely-triggerable panics, UAFs, DoS's,
etc., but they aren't reliable. There are also a few protocol fixes in
here too, etc. It's a grab bag.

There are a number of substantial changes in this version. See the
changelog below:

Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
Changes in v2:
- dropped "NFSD: Enable return of an updated stable_how to NFS clients"
- dropped "nfsd: serialize nfsd4_end_grace() with atomic test-and-set";
  replaced with "nfsd: convert nfsd_net boolean flags to unsigned long
  flags word" which addresses the same race using test_and_set_bit.
- dropped "nfsd: drain callbacks and clear cl_cb_session"; replaced with
  "nfsd: RCU-protect cl_cb_session to fix use-after-free on session
  teardown" which uses RCU and kfree_rcu instead of synchronous draining
- "nfsd: validate symlink target length in NFSv4 CREATE": use
  NFS4_MAXPATHLEN instead of PATH_MAX for the length check
- "nfsd: cap decoded POSIX ACL count to bound sort cost": return
  nfserr_inval instead of nfserr_resource for over-limit count; return
  nfserr_jukebox instead of nfserr_resource on allocation failure; added
  comment explaining why NFS_ACL_MAX_ENTRIES is the right cap
- rework "nfsd: dedup nfs4_client_to_reclaim inserts" to use rwsem
  instead of memory barriers
- Link to v1: https://lore.kernel.org/r/20260528-nfsd-fixes-v1-0-e78708eff77d@kernel.org

---
Chris Mason (4):
      nfsd: convert nfsd_net boolean flags to unsigned long flags word
      nfsd: gate nfs3 setacl by argp->mask
      nfsd: fix partial-write detection in nfsd_direct_write
      nfsd: cap decoded POSIX ACL count to bound sort cost

Chuck Lever (1):
      NFSD: check truncate permission under inode lock

Jeff Layton (4):
      nfsd: fix BUG_ON in nfsd4_alloc_layout_stateid on racing delegation revoke
      nfsd: RCU-protect cl_cb_session to fix use-after-free on session teardown
      nfsd: dedup nfs4_client_to_reclaim inserts
      nfsd: validate symlink target length in NFSv4 CREATE

 fs/nfsd/netns.h        |  25 ++++++++----
 fs/nfsd/nfs3acl.c      |  17 +++++---
 fs/nfsd/nfs4callback.c | 109 ++++++++++++++++++++++++++++++++++++++++---------
 fs/nfsd/nfs4layouts.c  |  14 +++++--
 fs/nfsd/nfs4proc.c     |   2 +-
 fs/nfsd/nfs4recover.c  |  48 ++++++++++++++++------
 fs/nfsd/nfs4state.c    | 103 +++++++++++++++++++++++++++++++++++-----------
 fs/nfsd/nfs4xdr.c      |  15 ++++++-
 fs/nfsd/nfsctl.c       |   2 +-
 fs/nfsd/nfssvc.c       |  22 +++++-----
 fs/nfsd/state.h        |   3 +-
 fs/nfsd/trace.h        |  14 +++----
 fs/nfsd/vfs.c          |  35 ++++++++++------
 13 files changed, 299 insertions(+), 110 deletions(-)
---
base-commit: 2d0c1f87f37de51bd96df415c7c1d498989570ac
change-id: 20260528-nfsd-fixes-89a6e5e20c9d

Best regards,
-- 
Jeff Layton <jlayton@kernel.org>
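The v2 changelog entry for "nfsd: cap decoded POSIX ACL count to bound sort cost" describes the fix only in terms of its return codes (nfserr_inval for an over-limit count, nfserr_jukebox for an allocation failure). The following is an added userspace model of that pattern, written for this page; it is not code from the series or from fs/nfsd. The cap value (1024), the error numbers, the three-word-per-entry wire layout and all function names are assumptions made for the example, not facts taken from the patches.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed for this example: cap value and error numbers are modelled on the
 * kernel's NFS_ACL_MAX_ENTRIES / nfserr_inval / nfserr_jukebox names only. */
#define NFS_ACL_MAX_ENTRIES 1024u
#define NFSERR_OK      0
#define NFSERR_INVAL   22      /* permanent: the request itself is bad */
#define NFSERR_JUKEBOX 10008   /* transient: server short on memory, client retries */

struct acl_entry { uint32_t tag, id, perm; };
struct acl { uint32_t count; struct acl_entry *entries; };

/* Allocation hook with failure injection so the jukebox path can be exercised. */
static int alloc_calls;
static bool fail_next_alloc;

static struct acl_entry *acl_alloc(uint32_t count)
{
    alloc_calls++;
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return calloc(count ? count : 1, sizeof(struct acl_entry));
}

/* Minimal XDR reader over a big-endian byte buffer (constructed input). */
struct xdr { const uint8_t *p; size_t len; };

static bool xdr_u32(struct xdr *x, uint32_t *out)
{
    if (x->len < 4) return false;
    *out = ((uint32_t)x->p[0] << 24) | ((uint32_t)x->p[1] << 16) |
           ((uint32_t)x->p[2] << 8) | x->p[3];
    x->p += 4; x->len -= 4;
    return true;
}

static int cmp_entry(const void *a, const void *b)
{
    const struct acl_entry *ea = a, *eb = b;
    if (ea->tag != eb->tag) return ea->tag < eb->tag ? -1 : 1;
    if (ea->id != eb->id) return ea->id < eb->id ? -1 : 1;
    return 0;
}

/* Decode "count, then count x (tag, id, perm)" and sort by (tag, id).
 * The cap is checked before the count drives any allocation or loop, so a
 * hostile 32-bit count is rejected at no cost; only an allocation failure on
 * an in-range request gets the retryable jukebox error. */
int decode_acl(const uint8_t *buf, size_t len, struct acl *out)
{
    struct xdr x = { buf, len };
    uint32_t count;

    if (!xdr_u32(&x, &count) || count > NFS_ACL_MAX_ENTRIES)
        return NFSERR_INVAL;
    if ((size_t)count * 12 > x.len)   /* count exceeds the bytes actually sent */
        return NFSERR_INVAL;

    struct acl_entry *e = acl_alloc(count);
    if (!e)
        return NFSERR_JUKEBOX;

    for (uint32_t i = 0; i < count; i++) {
        if (!xdr_u32(&x, &e[i].tag) || !xdr_u32(&x, &e[i].id) ||
            !xdr_u32(&x, &e[i].perm)) {
            free(e);
            return NFSERR_INVAL;
        }
    }
    qsort(e, count, sizeof *e, cmp_entry);   /* the O(n log n) step the cap bounds */
    out->count = count;
    out->entries = e;
    return NFSERR_OK;
}

/* Encoder used only to build constructed test input. */
static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

static size_t encode_acl(uint8_t *buf, uint32_t count,
                         const struct acl_entry *e, uint32_t n)
{
    put_u32(buf, count);
    for (uint32_t i = 0; i < n; i++) {
        put_u32(buf + 4 + 12 * i, e[i].tag);
        put_u32(buf + 8 + 12 * i, e[i].id);
        put_u32(buf + 12 + 12 * i, e[i].perm);
    }
    return 4 + 12 * (size_t)n;
}

/* Constructed sample: three entries sent out of order. */
static const struct acl_entry sample[3] = { {4, 0, 7}, {1, 0, 6}, {2, 1000, 4} };

/* Returns the tag of the first entry after a successful decode, or -status. */
int check_valid_acl(void)
{
    uint8_t buf[64];
    struct acl a;
    int st = decode_acl(buf, encode_acl(buf, 3, sample, 3), &a);
    if (st != NFSERR_OK) return -st;
    int first = (int)a.entries[0].tag;
    free(a.entries);
    return first;
}

/* Hostile count: returns the status, or -1 if an allocation was attempted. */
int check_oversized_count(void)
{
    uint8_t buf[64];
    alloc_calls = 0;
    int st = decode_acl(buf, encode_acl(buf, 0xFFFFFFFFu, sample, 3), NULL);
    return alloc_calls == 0 ? st : -1;
}

/* In-range count but the allocation fails: must be the retryable error. */
int check_alloc_failure(void)
{
    uint8_t buf[64];
    fail_next_alloc = true;
    return decode_acl(buf, encode_acl(buf, 3, sample, 3), NULL);
}
```

The two error paths are deliberately different, matching the distinction the changelog draws: a count above the cap is a malformed request and gets the permanent error, so a client that keeps sending it is told to stop, while an allocation failure for a legitimately sized ACL is a server-side transient condition, so the client is told to retry rather than fail the operation.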
Re: [PATCH v2 0/9] nfsd: a pile of fixes for random bugs
Posted by Chuck Lever 1 week, 1 day ago
From: Chuck Lever <chuck.lever@oracle.com>

On Sat, 30 May 2026 09:19:16 -0400, Jeff Layton wrote:
> These bugs were categorized as remotely-triggerable panics, UAFs, DoS's,
> etc., but they aren't reliable. There are also a few protocol fixes in
> here too, etc. It's a grab bag.
> 
> There are a number of substantial changes in this version. See the
> changelog below:
> 
> [...]

Applied to nfsd-testing, thanks!

[1/9] nfsd: fix BUG_ON in nfsd4_alloc_layout_stateid on racing delegation revoke
      commit: 4b32baefd3dc7d91d0c9b947247874d4b66bdad8
[2/9] nfsd: RCU-protect cl_cb_session to fix use-after-free on session teardown
      commit: a2070a5688503d8fa27163a42ac3fda04d69c90b
[3/9] nfsd: convert nfsd_net boolean flags to unsigned long flags word
      commit: 7118e4c25d7598498620018e321eebbd6e50d4d3
[4/9] nfsd: dedup nfs4_client_to_reclaim inserts
      commit: 4b2ddffd38f4cedf8b3ee8f48773140dfd6b42c9
[5/9] nfsd: gate nfs3 setacl by argp->mask
      commit: 3f0949f6d0c7744aedb01c825347ed26438e8535
[6/9] NFSD: check truncate permission under inode lock
      commit: 89c66302414a43713dc21f4d8f8055bb7d9c238a
[7/9] nfsd: fix partial-write detection in nfsd_direct_write
      commit: cd38d5ab0f3adfd19a4ed045a7a341e685287eaf
[8/9] nfsd: cap decoded POSIX ACL count to bound sort cost
      commit: 67fda0293e2fea8b35f46ba741befa4ee24c7a9e
[9/9] nfsd: validate symlink target length in NFSv4 CREATE
      commit: d23e024771f93ca606dbbcc210651f4e61c74313

--
Chuck Lever <chuck.lever@oracle.com>