From: Chuck Lever <cel@kernel.org>
To: Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: linux-nfs@vger.kernel.org, Wolfgang Walter <linux@stwm.de>,
Chuck Lever <cel@kernel.org>
Subject: [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation
Date: Sun, 05 Jul 2026 21:25:36 -0400 [thread overview]
Message-ID: <20260705-cel-v2-0-d88c3b68e8bc@kernel.org> (raw)
A NULL-pointer dereference reported during NFSv4 client teardown
(patch 1) proved to be one instance of a broader lifetime bug in
NFSD's state-revocation machinery. This series fixes the reported
crash and the sibling races found by auditing the same pattern, then
consolidates the fixes.
A stateid, and a bare lock owner reachable through the client's owner
hash, hold only a raw pointer to the owning nfs4_client; a reference
on the stateid or owner does not keep the client alive. The client
outlives its state solely because __destroy_client() drains that state
before free_client() runs. Several paths break that invariant. The
laundromat unhashes an expired delegation before revoke_delegation()
re-links it, leaving it momentarily on no client-reachable list
(patch 2). nfsd4_revoke_states() and its export and NFSv4.0
admin-revoke siblings drop nn->client_lock and then dereference the
client again (patches 3-5). __destroy_client() walks the owner hash
and frees blocked locks with no reference held (patch 1).
---
Changes since v1:
- Add matching UAF fixes in several other paths
---
Chuck Lever (6):
NFSD: Prevent lock owner use-after-free during client teardown
NFSD: Prevent client use-after-free during delegation revoke
NFSD: Prevent client use-after-free during admin state revocation
NFSD: Prevent client use-after-free during export state revocation
NFSD: Prevent client use-after-free during NFSv4.0 revoked-state cleanup
NFSD: Consolidate the revocation-path client unpin
fs/nfsd/netns.h | 6 ++-
fs/nfsd/nfs4state.c | 108 +++++++++++++++++++++++++++++++++++++++++++---------
2 files changed, 94 insertions(+), 20 deletions(-)
---
base-commit: ee6ae4a6bf3565b880dfb420017337475dfbc9ea
change-id: 20260705-cel-61c1c70caa03
Best regards,
--
Chuck Lever
next reply other threads:[~2026-07-06 1:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 1:25 Chuck Lever [this message]
2026-07-06 1:25 ` [PATCH v2 1/6] NFSD: Prevent lock owner use-after-free during client teardown Chuck Lever
2026-07-06 1:25 ` [PATCH v2 2/6] NFSD: Prevent client use-after-free during delegation revoke Chuck Lever
2026-07-06 17:29 ` Jeff Layton
2026-07-06 1:25 ` [PATCH v2 3/6] NFSD: Prevent client use-after-free during admin state revocation Chuck Lever
2026-07-06 1:25 ` [PATCH v2 4/6] NFSD: Prevent client use-after-free during export " Chuck Lever
2026-07-06 1:25 ` [PATCH v2 5/6] NFSD: Prevent client use-after-free during NFSv4.0 revoked-state cleanup Chuck Lever
2026-07-06 1:25 ` [PATCH v2 6/6] NFSD: Consolidate the revocation-path client unpin Chuck Lever
2026-07-06 3:53 ` [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation NeilBrown
2026-07-06 16:42 ` Jeff Layton
2026-07-06 17:14 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705-cel-v2-0-d88c3b68e8bc@kernel.org \
--to=cel@kernel.org \
--cc=Dai.Ngo@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux@stwm.de \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.