nfsd-6.14 fixes:

- Introduced during the v6.14 merge window: - A fix for CB_GETATTR reply decoding was not quite correct - Fix the NFSD connection limiting logic - Fix a bug in the new session table resizing logic - Bugs that pre-date v6.14 - Support for courteous clients (5.19) introduced a shutdown hang - Fix a crash in the filecache laundrette (6.9) - Fix a zero-day crash in NFSD's NFSv3 ACL implementation -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEKLLlsBKG3yQ88j7+M2qzM29mf5cFAmeqSYIACgkQM2qzM29m f5cuTQ//crg4df/QhLAFNXdUaqQd12C5s9pcQuNsOK5JVrRCEQXchL48SCOd6/xn 9SLbgSoq2kuE6ZeCTuE88U6fo3MqX6XpLZ7kPhFO9rmpULFxFvavT89iWFSpNO1p 00Ges+Y1RA7+S9QgurYTgvcwhwlTbIzIMtGmqh4BawIG1VKfT9lxHeC2NXN8Fe3W 63p3yd9+cOM2BaXm2GbFf24YKTCvecrMYK0Li2xBmRZn5bDvpmWCFiHxRcHXnDtk cbEUt+ZLl2IVqlgQPOlZly7/VOAVPEQfRKM/a9YLIiLxR0GqoLWjUQEprO6N8jz8 6b4qiPHX5Mbh/zpgwyKFril7pfdtuT+KIvSbw70XDwMoS7voWpc4uGQfL3tZ4Znt S9wzTCJAcdZvz7PZ1LXkaAL8mbXY5ItIgfKsQCJ70RStRsqQ8tuyFEx7j6Rrp6Iy 5KkRO3HAcBJnhL89NgZ2kYc/E8pvuW53LhYZcZbL7Vx4u0aVn/BbFUjVtmhp8/pm njj2RCYJ7AKZW2Wf5XLW3nIEke2lFRlwIlmOAdREYHTFFUT0v/TGsSMQe4Yx5FEF c+fkIO9lXNThqcibOis5sAKIRx5X/Y+lsqP7Z+eSpoIPEhheQo3HXdYeJ6Ewcws1 xk288Lmx8RqIUoZU9tF2EujYkTOqyEaAKtQZ7aktQ1tOPKRdiCE= =bre8 -----END PGP SIGNATURE----- Merge tag 'nfsd-6.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fixes from Chuck Lever: "Fixes for new bugs: - A fix for CB_GETATTR reply decoding was not quite correct - Fix the NFSD connection limiting logic - Fix a bug in the new session table resizing logic Bugs that pre-date v6.14: - Support for courteous clients (5.19) introduced a shutdown hang - Fix a crash in the filecache laundrette (6.9) - Fix a zero-day crash in NFSD's NFSv3 ACL implementation" * tag 'nfsd-6.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: NFSD: Fix CB_GETATTR status fix NFSD: fix hang in nfsd4_shutdown_callback nfsd: fix __fh_verify for localio nfsd: fix uninitialised slot info when a request is retried nfsd: validate the nfsd_serv pointer before calling svc_wake_up nfsd: clear acl_access/acl_default after releasing them
2025-02-10 13:11:24 -08:00 · 2025-02-10 13:11:24 -08:00 · febbc555cf
parent 58c9bf3363 4990d09843
commit febbc555cf
6 changed files with 25 additions and 7 deletions
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@ -446,11 +446,20 @@ nfsd_file_dispose_list_delayed(struct list_head *dispose)
 						struct nfsd_file, nf_gc);
 		struct nfsd_net *nn = net_generic(nf->nf_net, nfsd_net_id);
 		struct nfsd_fcache_disposal *l = nn->fcache_disposal;
+		struct svc_serv *serv;

 		spin_lock(&l->lock);
 		list_move_tail(&nf->nf_gc, &l->freeme);
 		spin_unlock(&l->lock);
-		svc_wake_up(nn->nfsd_serv);
+
+		/*
+		 * The filecache laundrette is shut down after the
+		 * nn->nfsd_serv pointer is cleared, but before the
+		 * svc_serv is freed.
+		 */
+		serv = nn->nfsd_serv;
+		if (serv)
+			svc_wake_up(serv);
 	}
 }

--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@ -84,6 +84,8 @@ out:
 fail:
 	posix_acl_release(resp->acl_access);
 	posix_acl_release(resp->acl_default);
+	resp->acl_access = NULL;
+	resp->acl_default = NULL;
 	goto out;
 }

--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@ -76,6 +76,8 @@ out:
 fail:
 	posix_acl_release(resp->acl_access);
 	posix_acl_release(resp->acl_default);
+	resp->acl_access = NULL;
+	resp->acl_default = NULL;
 	goto out;
 }

--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@ -679,7 +679,7 @@ static int nfs4_xdr_dec_cb_getattr(struct rpc_rqst *rqstp,
 		return status;

 	status = decode_cb_op_status(xdr, OP_CB_GETATTR, &cb->cb_status);
-	if (unlikely(status || cb->cb_seq_status))
+	if (unlikely(status || cb->cb_status))
 		return status;
 	if (xdr_stream_decode_uint32_array(xdr, bitmap, 3) < 0)
 		return -NFSERR_BAD_XDR;
@ -1583,8 +1583,11 @@ nfsd4_run_cb_work(struct work_struct *work)
 		nfsd4_process_cb_update(cb);

 	clnt = clp->cl_cb_client;
-	if (!clnt) {
-		/* Callback channel broken, or client killed; give up: */
+	if (!clnt || clp->cl_state == NFSD4_COURTESY) {
+		/*
+		 * Callback channel broken, client killed or
+		 * nfs4_client in courtesy state; give up.
+		 */
 		nfsd41_destroy_cb(cb);
 		return;
 	}
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@ -4459,10 +4459,11 @@ nfsd4_sequence(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 			}
 		} while (slot && --cnt > 0);
 	}
+
+out:
 	seq->maxslots = max(session->se_target_maxslots, seq->maxslots);
 	seq->target_maxslots = session->se_target_maxslots;

-out:
 	switch (clp->cl_cb_state) {
 	case NFSD4_CB_DOWN:
 		seq->status_flags = SEQ4_STATUS_CB_PATH_DOWN;
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@ -380,8 +380,9 @@ __fh_verify(struct svc_rqst *rqstp,
 	error = check_nfsd_access(exp, rqstp, may_bypass_gss);
 	if (error)
 		goto out;
-
-	svc_xprt_set_valid(rqstp->rq_xprt);
+	/* During LOCALIO call to fh_verify will be called with a NULL rqstp */
+	if (rqstp)
+		svc_xprt_set_valid(rqstp->rq_xprt);

 	/* Finally, check access permissions. */
 	error = nfsd_permission(cred, exp, dentry, access);