From nobody Mon Jun 8 08:28:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A93B5386576; Sun, 31 May 2026 12:07:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780229231; cv=none; b=KqdwuUBdiiRRFz+98LkYoOO4pAmsO2djtIObyoirq4g/C9cJVfEwOhTiIExdDRaYOrq7ACuIiB0jLSFF/TgEn4WkMN9jbgyZ2RxbZYK+9wPGD8xqNT9pxU8PxXg3vqTvKPe6p0C4PDKbDu3PhMmzi95yddaVxiTL40oFdh6MWRg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780229231; c=relaxed/simple; bh=64u5Ul+xqTSb5rRj1hmUXpte0cuXwsv1Env2BJhxpn8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Gisp9VRSOmeBI6z93BDDwVIbaLfZOPzGI/DBEsMTiCGqbrp6fWwIVSHxrUsdOaZsEnvxmQLls6m5sQKZT6bbAnsglR5Seb4QxvttGiOuDVYwY63+41A1eo3jiCfguuZLytWSmpGaFQyt9WY3m0bI91CkqkFyN7LxmpHdwkuvps8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Lq82Z7Wk; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Lq82Z7Wk" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6B5A71F00898; Sun, 31 May 2026 12:07:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780229230; bh=kZNbxB7wKYlevcJJobkWbc4vfQxHHhzun3nc92sGqM0=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=Lq82Z7WksVaFNhPcOaEEZjmNYIymItxaXVPUeq26BAuYs6eu0cWplXO1hEnljZe+N ZR6Tyo5ErTVWuyUaijDCyCQYMQO/JvOXMRe0aPfFZRBoAXt7vI+pPaiCZLZ0YcHPa0 lmPEfT89ENwWjcUaOcOb9OEiVAynEt8b/ETeZQlpt/KqxhwIBG7P4o+ow41U4AXmjD 
uQcO9wBMMpb0fL7wMqW841Y6gzNdEKm7RWAx+43pHr6ehg2F/weOSxj+GdhEkten2M d7yZ6t7mt1joVoTX1sUTcfmEIZ4+EyHxQxibDcKZZiwf6rUgppu6LbBjQfKk6/XnUr biWGcUaPlZgtA== 
From: Jeff Layton
Date: Sun, 31 May 2026 08:06:58 -0400
Subject: [PATCH 1/6] nfsd: size fh_verify server sockaddr slot by xpt_locallen
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260531-nfsd-testing-v1-1-7bfa481b0540@kernel.org>
References: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
In-Reply-To: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, David Howells, Al Viro, Rick Macklem, Chris Mason
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton
X-Mailer: b4 0.14.3
X-Developer-Key: i=jlayton@kernel.org; a=openpgp; fpr=4BC0D7B24471B2A184EAF5D3000E684119568215

From: Chris Mason

The nfsd_fh_verify and nfsd_fh_verify_err tracepoints declare the server
sockaddr slot sized by xpt_remotelen but fill it from xpt_local using
xpt_locallen:

    TP_STRUCT__entry(
        ...
        __sockaddr(server, rqstp->rq_xprt->xpt_remotelen)
        ...
    )
    TP_fast_assign(
        ...
        __assign_sockaddr(server, &rqstp->rq_xprt->xpt_local,
                          rqstp->rq_xprt->xpt_locallen);
        ...
    )

When xpt_locallen exceeds xpt_remotelen, __assign_sockaddr's memcpy writes
past the reserved ring-buffer slot. In the reverse direction
(xpt_locallen < xpt_remotelen) the slot is oversized and the unwritten tail
leaks prior ring-buffer contents to trace consumers.

The write-past-end case is reachable on NFS/UDP. svc_xprt_set_remote() is
only called from svc_tcp_accept() (net/sunrpc/svcsock.c) and from the RDMA
connect path; svc_create_socket() for UDP calls only svc_xprt_set_local(),
so xpt_remotelen stays 0 for the xprt's lifetime. Every fh_verify trace for
an NFSv2/v3-over-UDP request then copies 16 or 28 bytes from xpt_local into
a zero-byte slot.

The other NFSD tracepoints that record the server address
(NFSD_TRACE_PROC_CALL_FIELDS, NFSD_TRACE_PROC_RES_FIELDS,
SVC_RQST_ENDPOINT_FIELDS) already size the server slot by xpt_locallen;
nfsd_fh_verify and nfsd_fh_verify_err were the only exceptions.

Fix by sizing the server slot with xpt_locallen so the declared slot matches
the copy length. The client slot and its assignment already agree on
xpt_remotelen and are left untouched.

Fixes: 051382885552 ("NFSD: Instrument fh_verify()")
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Chris Mason
---
 fs/nfsd/trace.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/trace.h b/fs/nfsd/trace.h
index 9917c0440522..db0a0dc70660 100644
--- a/fs/nfsd/trace.h
+++ b/fs/nfsd/trace.h
@@ -272,7 +272,7 @@ TRACE_EVENT_CONDITION(nfsd_fh_verify, TP_CONDITION(rqstp !=3D NULL), TP_STRUCT__entry( __field(unsigned int, netns_ino) - __sockaddr(server, rqstp->rq_xprt->xpt_remotelen) + __sockaddr(server, rqstp->rq_xprt->xpt_locallen) __sockaddr(client, rqstp->rq_xprt->xpt_remotelen) __field(u32, xid) __field(u32, fh_hash) 
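Review bot: the one-line change here (and the identical one at -311 in nfsd_fh_verify_err) makes the server slot's declared size match the xpt_locallen that __assign_sockaddr copies, which is the right fix; but by the commit message's own reasoning xpt_remotelen stays 0 for a UDP xprt's lifetime, so the untouched "__sockaddr(client, rqstp->rq_xprt->xpt_remotelen)" slot in both tracepoints still records a zero-length client address for every NFS/UDP request. That is not a memory-safety problem (slot and copy length agree), but it leaves the client field empty exactly where the server field was being overrun; worth one sentence in the commit message, or a follow-up that takes the per-request peer from the rqst rather than the xprt. Separately, TP_CONDITION guards only rqstp != NULL while TP_STRUCT__entry dereferences rqstp->rq_xprt unconditionally; if every caller with a non-NULL rqstp is guaranteed an xprt, say so, since the condition reads as if it were the only NULL check needed.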
@@ -311,7 +311,7 @@ TRACE_EVENT_CONDITION(nfsd_fh_verify_err, TP_CONDITION(rqstp !=3D NULL && error), TP_STRUCT__entry( __field(unsigned int, netns_ino) - __sockaddr(server, rqstp->rq_xprt->xpt_remotelen) + __sockaddr(server, rqstp->rq_xprt->xpt_locallen) __sockaddr(client, rqstp->rq_xprt->xpt_remotelen) __field(u32, xid) __field(u32, fh_hash)
-- 
2.54.0

From: Jeff Layton
Date: Sun, 31 May 2026 08:06:59 -0400
Subject: [PATCH 2/6] nfsd: release path refs on follow_down() error
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260531-nfsd-testing-v1-2-7bfa481b0540@kernel.org>
References: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
In-Reply-To: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, David Howells, Al Viro, Rick Macklem, Chris Mason
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton

From: Chris Mason

nfsd_cross_mnt() initializes a local struct path with mntget() and dget()
before calling follow_down(). On a negative return the error arm jumps to
out without releasing those references:

    err = follow_down(&path, follow_flags);
    if (err < 0)
        goto out;

follow_down() never drops the caller's entry-time refs on any error
sub-case; for example a pre-cross d_manage() failure leaves path untouched,
so the mntget()/dget() taken on entry survive the call.

Every other early-exit arm in nfsd_cross_mnt() (other-namespace return,
IS_ERR(exp2), and the success tail after the swap) already calls
path_put(&path); the err < 0 arm is the lone omission.

The leak inflates mnt_count and d_count on each failed cross-mount, blocking
umount and pinning dentries against the shrinker, and is reachable by any
authenticated NFS client through nfsd_lookup_dentry or the NFSv4 READDIR
encode path.

Fix by calling path_put(&path) before the goto out in the err < 0 arm so the
entry-time refs are released on all follow_down() error returns.

Fixes: cc53ce53c869 ("Add a dentry op to allow processes to be held during pathwalk transit")
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Chris Mason
---
 fs/nfsd/vfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 62b56d73432a..95ce15440492 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -137,8 +137,10 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry *= *dpp, follow_flags =3D LOOKUP_AUTOMOUNT; =20 err =3D follow_down(&path, follow_flags); - if (err < 0) + if (err < 0) { + path_put(&path); goto out; + } if (path.mnt =3D=3D exp->ex_path.mnt && path.dentry =3D=3D dentry && nfsd_mountpoint(dentry, exp) =3D=3D 2) { /* This is only a mountpoint in some other namespace */
-- 
2.54.0

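Review bot: the path_put(&path) added in the err < 0 arm is correct, but the commit message justifies it from a single sub-case (a pre-cross d_manage() failure leaving path untouched); the property the fix actually depends on is that follow_down() leaves a valid, owned mnt/dentry pair in path on every negative return, including failures after it has already stepped onto a mounted root, otherwise path_put() here would drop the wrong pair. Please state that contract explicitly in the message rather than by example. Style-wise this arm now does exactly what the other-namespace arm a few lines below it does (path_put(&path); goto out;), so a shared out_put: label would remove the duplication. And since the message says the leak blocks umount and is reachable by any authenticated client, a Cc: stable@vger.kernel.org tag next to the Fixes: line seems warranted.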
From: Jeff Layton
Date: Sun, 31 May 2026 08:07:00 -0400
Subject: [PATCH 3/6] nfsd: fix nfsd_file leak on inter-server COPY setup failure
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260531-nfsd-testing-v1-3-7bfa481b0540@kernel.org>
References: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
In-Reply-To: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, David Howells, Al Viro, Rick Macklem, Chris Mason
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton

When nfsd4_setup_inter_ssc() fails, nfsd4_copy() returns
nfserr_offload_denied directly, bypassing the out: label where
release_copy_files() would drop the nf_dst reference taken by
nfs4_preprocess_stateid_op(). Each failed inter-server COPY leaks one
nfsd_file, pinning file/inode/dentry/vfsmount.

Fix by setting status and jumping to out: instead of returning directly.

Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Jeff Layton
---
 fs/nfsd/nfs4proc.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 9473aeb53f72..017474cd63b5 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -2159,16 +2159,14 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_com= pound_state *cstate, } status =3D nfsd4_setup_inter_ssc(rqstp, cstate, copy); if (status) { - trace_nfsd_copy_done(copy, status); - return nfserr_offload_denied; + status =3D nfserr_offload_denied; + goto out; } } else { trace_nfsd_copy_intra(copy); status =3D nfsd4_setup_intra_ssc(rqstp, cstate, copy); - if (status) { - trace_nfsd_copy_done(copy, status); - return status; - } + if (status) + goto out; } =20 memcpy(©->fh, &cstate->current_fh.fh_handle,
-- 
2.54.0

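Review bot: both arms of this hunk drop their trace_nfsd_copy_done(copy, status) call when they switch from return to goto out, and in the inter-server arm status is overwritten with nfserr_offload_denied before the jump. Unless the out: label already fires trace_nfsd_copy_done (it is not visible in this hunk), the two setup-failure paths lose their tracepoint entirely; and even if out: does trace, the inter-server case now records the mapped nfserr_offload_denied rather than the underlying nfsd4_setup_inter_ssc() error, which is the value a debugger actually wants. Suggest keeping "trace_nfsd_copy_done(copy, status);" ahead of "status = nfserr_offload_denied;" in that arm, or stating in the commit message that out: covers the tracing and that reporting the mapped error there is intended.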
From: Jeff Layton
Date: Sun, 31 May 2026 08:07:01 -0400
Subject: [PATCH 4/6] nfsd: fix dentry ref leak on V4ROOT export filehandle lookup
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260531-nfsd-testing-v1-4-7bfa481b0540@kernel.org>
References: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
In-Reply-To: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, David Howells, Al Viro, Rick Macklem, Chris Mason
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton

nfsd_set_fh_dentry() leaks the dentry reference from exportfs_decode_fh_raw()
when the NFS3_FHSIZE or NFS_FHSIZE switch cases detect NFSEXP_V4ROOT and goto
out. The out: label calls exp_put() but never dput(dentry), and
fhp->fh_dentry was never assigned so fh_put() cannot compensate.

A crafted NFSv3 filehandle targeting a V4ROOT export's fsid triggers the leak
on every request.

Fixes: 6e171106dce7 ("nfsd: move V4ROOT version check to nfsd_set_fh_dentry()")
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Jeff Layton
---
 fs/nfsd/nfsfh.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 429ca5c6ec08..b36915401758 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -344,15 +344,19 @@ static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqs= tp, struct net *net, if (dentry->d_sb->s_export_op->flags & EXPORT_OP_NOWCC) fhp->fh_no_wcc =3D true; fhp->fh_64bit_cookies =3D true; - if (exp->ex_flags & NFSEXP_V4ROOT) + if (exp->ex_flags & NFSEXP_V4ROOT) { + dput(dentry); goto out; + } break; case NFS_FHSIZE: fhp->fh_no_wcc =3D true; if (EX_WGATHER(exp)) fhp->fh_use_wgather =3D true; - if (exp->ex_flags & NFSEXP_V4ROOT) + if (exp->ex_flags & NFSEXP_V4ROOT) { + dput(dentry); goto out; + } } =20 fhp->fh_dentry =3D dentry;
-- 
2.54.0

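Review bot: the two V4ROOT exits in this hunk (NFS3_FHSIZE and NFS_FHSIZE cases) are now identical copies of "dput(dentry); goto out;". A single out_dput: label that drops the dentry and falls through to out: would keep the release in one place and make the next early exit added to this switch harder to get wrong in the same way this one was. It would also help to note at those sites, in a short comment, that dentry is still owned locally because fhp->fh_dentry is only assigned after the switch, which is exactly why fh_put() cannot release it (the commit message says this, the code does not). The Fixes: target, the commit that moved the V4ROOT check into nfsd_set_fh_dentry(), looks right.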
From: Jeff Layton
Date: Sun, 31 May 2026 08:07:02 -0400
Subject: [PATCH 5/6] nfsd: release OPEN-decoded posix ACLs via op_release
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260531-nfsd-testing-v1-5-7bfa481b0540@kernel.org>
References: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
In-Reply-To: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, David Howells, Al Viro, Rick Macklem, Chris Mason
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton

From: Chris Mason

nfsd4_decode_createhow4() calls nfsd4_decode_fattr4(), which allocates
refcounted struct posix_acl objects via posix_acl_alloc() and stores them in
open->op_pacl and open->op_dpacl. These pointers must be released once the
OPEN compound finishes.

When nfsd4_decode_open_claim4() returns a non-seqid-mutating error, the
dispatcher short-circuits before op_func runs:

    nfsd4_proc_compound()
      opdesc->op_func == nfsd4_open_omfg
        if (!seqid_mutating_err(ntohl(op->status)))
            return op->status;        /* nfsd4_open() never runs */
      opdesc->op_release(&op->u)      /* must still release op_pacl/op_dpacl */

Before this change OP_OPEN had no .op_release in nfsd4_ops[], and the release
pair lived inside nfsd4_open() at its out_err: label. On the short-circuit
path nfsd4_open() is never invoked, so both posix_acl refs leak on every
malformed OPEN compound that carries valid POSIX ACL createhow4 attributes.

Add nfsd4_open_release() and wire it as .op_release for OP_OPEN.
posix_acl_release() is NULL-safe, so the single release site covers both the
normal path and the nfsd4_open_omfg short-circuit.

Remove the matching posix_acl_release() pair from nfsd4_open()'s out_err:
label: the compound dispatcher calls op_release unconditionally after every
op, so leaving the in-function pair in place would double-release op_pacl and
op_dpacl on every ACL-bearing OPEN that reaches nfsd4_open(), underflowing
the refcount and freeing the posix_acl while it is still reachable through
op->u.

Fixes: 5fc51dfc2eb1 ("NFSD: Add support for XDR decoding POSIX draft ACLs")
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Chris Mason
---
 fs/nfsd/nfs4proc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 017474cd63b5..76de265bb9e1 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -681,8 +681,6 @@ nfsd4_open(struct svc_rqst *rqstp, struct nfsd4_compoun= d_state *cstate, nfsd4_cleanup_open_state(cstate, open); nfsd4_bump_seqid(cstate, status); out_err: - posix_acl_release(open->op_dpacl); - posix_acl_release(open->op_pacl); return status; } =20 @@ -704,6 +702,13 @@ static __be32 nfsd4_open_omfg(struct svc_rqst *rqstp, = struct nfsd4_compound_stat return nfsd4_open(rqstp, cstate, &op->u); } =20 +static void +nfsd4_open_release(union nfsd4_op_u *u) +{ + posix_acl_release(u->open.op_dpacl); + posix_acl_release(u->open.op_pacl); +} + /* * filehandle-manipulating ops. */ 
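Review bot: nfsd4_open_release() in the second hunk releases u->open.op_dpacl and u->open.op_pacl but leaves both pointers set. Since the first hunk makes this helper the only release site and the commit message itself warns that a second release would underflow the refcount and free a still-reachable posix_acl, clearing both fields to NULL after posix_acl_release() is cheap insurance: the message already relies on posix_acl_release() being NULL-safe, so a cleared pointer turns any future double call into a no-op instead of a use-after-free. It is also worth stating in the message that op->u is zeroed before decoding for every op, so the helper never sees uninitialised pointers on an OPEN whose decoder failed before nfsd4_decode_createhow4() allocated anything.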
@@ -3718,6 +3723,7 @@ static const struct nfsd4_operation nfsd4_ops[] =3D { }, [OP_OPEN] =3D { .op_func =3D nfsd4_open, + .op_release =3D nfsd4_open_release, .op_flags =3D OP_HANDLES_WRONGSEC | OP_MODIFIES_SOMETHING, .op_name =3D "OP_OPEN", .op_rsize_bop =3D nfsd4_open_rsize,
-- 
2.54.0

From: Jeff Layton
Date: Sun, 31 May 2026 08:07:03 -0400
Subject: [PATCH 6/6] nfsd: fix layout fence worker double-reference race
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260531-nfsd-testing-v1-6-7bfa481b0540@kernel.org>
References: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
In-Reply-To: <20260531-nfsd-testing-v1-0-7bfa481b0540@kernel.org>
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, David Howells, Al Viro, Rick Macklem, Chris Mason
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton

The workqueue core clears WORK_STRUCT_PENDING before the callback is invoked,
so delayed_work_pending() in lm_breaker_timedout() can return false while the
fence worker is already running. This lets the breaker take a duplicate
sc_count reference and schedule a new worker that coalesces with the
in-progress one. The extra reference is never put, leaking the layout
stateid.

Replace the racy delayed_work_pending() check with an ls_fence_inflight
boolean set atomically with refcount_inc_not_zero() under ls_lock, and
cleared under ls_lock before nfs4_put_stid() on every exit path. Remove the
self-rearm mod_delayed_work() at the top of the worker.

Fixes: f52792f484ba ("NFSD: Enforce timeout on layout recall and integrate lease manager fencing")
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Jeff Layton
---
 fs/nfsd/nfs4layouts.c | 27 +++++++++++++++------------
 fs/nfsd/state.h       |  1 +
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/fs/nfsd/nfs4layouts.c b/fs/nfsd/nfs4layouts.c
index 6c4e4fdd6c05..475246c0e20c 100644
--- a/fs/nfsd/nfs4layouts.c
+++ b/fs/nfsd/nfs4layouts.c
@@ -260,6 +260,7 @@ nfsd4_alloc_layout_stateid(struct nfsd4_compound_state = *cstate, } =20 ls->ls_fenced =3D false; + ls->ls_fence_inflight =3D false; ls->ls_fence_delay =3D 0; INIT_DELAYED_WORK(&ls->ls_fence_work, nfsd4_layout_fence_worker); =20 @@ -798,15 +799,6 @@ nfsd4_layout_fence_worker(struct work_struct *work) struct nfs4_client *clp; struct nfsd_net *nn; =20 - /* - * The workqueue clears WORK_STRUCT_PENDING before invoking - * this callback. Re-arm immediately so that - * delayed_work_pending() returns true while the fence - * operation is in progress, preventing - * lm_breaker_timedout() from taking a duplicate reference. - */ - mod_delayed_work(system_dfl_wq, &ls->ls_fence_work, 0); - spin_lock(&ls->ls_lock); if (list_empty(&ls->ls_layouts)) { spin_unlock(&ls->ls_lock);
@@ -816,6 +808,9 @@ nfsd4_layout_fence_worker(struct work_struct *work) nfsd4_close_layout(ls); =20 ls->ls_fenced =3D true; + spin_lock(&ls->ls_lock); + ls->ls_fence_inflight =3D false; + spin_unlock(&ls->ls_lock); nfs4_put_stid(&ls->ls_stid); return; } @@ -901,18 +896,26 @@ nfsd4_layout_lm_breaker_timedout(struct file_lease *f= l) if ((!nfsd4_layout_ops[ls->ls_layout_type]->fence_client) || ls->ls_fenced) return true; - if (delayed_work_pending(&ls->ls_fence_work)) - return false; /* * Make sure layout has not been returned yet before - * taking a reference count on the layout stateid. + * taking a reference count on the layout stateid. The + * ls_fence_inflight flag is set together with the sc_count + * increment under ls_lock so that a fence worker invocation + * already in progress (which has cleared WORK_STRUCT_PENDING + * but not yet reached dispose:) cannot be coalesced with a + * fresh schedule that takes an extra unmatched reference. */ spin_lock(&ls->ls_lock); + if (ls->ls_fence_inflight) { + spin_unlock(&ls->ls_lock); + return false; + } if (list_empty(&ls->ls_layouts) || !refcount_inc_not_zero(&ls->ls_stid.sc_count)) { spin_unlock(&ls->ls_lock); return true; } + ls->ls_fence_inflight =3D true; spin_unlock(&ls->ls_lock); =20 mod_delayed_work(system_dfl_wq, &ls->ls_fence_work, 0); diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h index c26b2384d694..05b6f12040d8 100644 --- a/fs/nfsd/state.h +++ b/fs/nfsd/state.h @@ -812,6 +812,7 @@ struct nfs4_layout_stateid { struct delayed_work ls_fence_work; unsigned int ls_fence_delay; bool ls_fenced; + bool ls_fence_inflight; }; =20 static inline struct nfs4_layout_stateid *layoutstateid(struct nfs4_stid *= s) --=20 2.54.0
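Review bot: In the two nfsd4_layout_fence_worker() hunks (@@ -798 and @@ -816), ls_fence_inflight is visibly cleared on only one exit path, the one that sets `ls->ls_fenced = true;` before `nfs4_put_stid(&ls->ls_stid);`, while the commit message says it is cleared "on every exit path". The first hunk's context stops right after the early `if (list_empty(&ls->ls_layouts)) { spin_unlock(&ls->ls_lock);` exit, and the comment added in the breaker refers to a `dispose:` label that is not in the diff; please confirm that the list_empty() early exit and the dispose: path also clear the flag under ls_lock before their nfs4_put_stid(), otherwise a worker that bails out early leaves ls_fence_inflight stuck at true and lm_breaker_timedout() returns false forever, which would silently disable fencing for that stateid (the inverse of the leak this patch fixes).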
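Review bot: In the nfsd4_layout_lm_breaker_timedout() hunk (@@ -901), `ls->ls_fenced` is still read lockless before `spin_lock(&ls->ls_lock);`, while the worker stores `ls->ls_fenced = true;` outside the lock and only then clears ls_fence_inflight under it. A breaker that observed ls_fenced == false before that store can then take ls_lock, find ls_fence_inflight == false, bump sc_count and mod_delayed_work() a second fence run against an already fenced stateid. The reference itself is balanced, so this is a redundant fence rather than a leak, but if nfsd4_close_layout() is not safe to run twice it is worth re-checking `ls->ls_fenced` inside the locked region next to the new `if (ls->ls_fence_inflight)` test, or setting ls_fenced under the same ls_lock hold that clears the inflight flag.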
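Review bot: In the fs/nfsd/state.h hunk, the new `bool ls_fence_inflight;` field carries no comment, yet its correctness depends on a specific discipline (set together with the sc_count increment and cleared before nfs4_put_stid(), both under ls_lock) that is only described in the breaker's comment. A one-line comment on the field naming ls_lock as the protecting lock and the set/clear pairing would keep that invariant visible to anyone adding a new worker exit path later.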
