From: Chuck Lever <cel@kernel.org>
To: Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: linux-nfs@vger.kernel.org, Wolfgang Walter <linux@stwm.de>,
Chuck Lever <cel@kernel.org>
Subject: [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation
Date: Sun, 05 Jul 2026 21:25:36 -0400 [thread overview]
Message-ID: <20260705-cel-v2-0-d88c3b68e8bc@kernel.org> (raw)
A NULL-pointer dereference reported during NFSv4 client teardown
(patch 1) proved to be one instance of a broader lifetime bug in
NFSD's state-revocation machinery. This series fixes the reported
crash and the sibling races found by auditing the same pattern, then
consolidates the fixes.
A stateid, and a bare lock owner reachable through the client's owner
hash, hold only a raw pointer to the owning nfs4_client; a reference
on the stateid or owner does not keep the client alive. The client
outlives its state solely because __destroy_client() drains that state
before free_client() runs. Several paths break that invariant. The
laundromat unhashes an expired delegation before revoke_delegation()
re-links it, leaving it momentarily on no client-reachable list
(patch 2). nfsd4_revoke_states() and its export and NFSv4.0
admin-revoke siblings drop nn->client_lock and then dereference the
client again (patches 3-5). __destroy_client() walks the owner hash
and frees blocked locks with no reference held (patch 1).
---
Changes since v1:
- Add matching UAF fixes in several other paths
---
Chuck Lever (6):
NFSD: Prevent lock owner use-after-free during client teardown
NFSD: Prevent client use-after-free during delegation revoke
NFSD: Prevent client use-after-free during admin state revocation
NFSD: Prevent client use-after-free during export state revocation
NFSD: Prevent client use-after-free during NFSv4.0 revoked-state cleanup
NFSD: Consolidate the revocation-path client unpin
fs/nfsd/netns.h | 6 ++-
fs/nfsd/nfs4state.c | 108 +++++++++++++++++++++++++++++++++++++++++++---------
2 files changed, 94 insertions(+), 20 deletions(-)
---
base-commit: ee6ae4a6bf3565b880dfb420017337475dfbc9ea
change-id: 20260705-cel-61c1c70caa03
Best regards,
--
Chuck Lever
next reply other threads:[~2026-07-06 1:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 1:25 Chuck Lever [this message]
2026-07-06 1:25 ` [PATCH v2 1/6] NFSD: Prevent lock owner use-after-free during client teardown Chuck Lever
2026-07-06 1:25 ` [PATCH v2 2/6] NFSD: Prevent client use-after-free during delegation revoke Chuck Lever
2026-07-06 17:29 ` Jeff Layton
2026-07-06 1:25 ` [PATCH v2 3/6] NFSD: Prevent client use-after-free during admin state revocation Chuck Lever
2026-07-06 1:25 ` [PATCH v2 4/6] NFSD: Prevent client use-after-free during export " Chuck Lever
2026-07-06 1:25 ` [PATCH v2 5/6] NFSD: Prevent client use-after-free during NFSv4.0 revoked-state cleanup Chuck Lever
2026-07-06 1:25 ` [PATCH v2 6/6] NFSD: Consolidate the revocation-path client unpin Chuck Lever
2026-07-06 3:53 ` [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation NeilBrown
2026-07-06 16:42 ` Jeff Layton
2026-07-06 17:14 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705-cel-v2-0-d88c3b68e8bc@kernel.org \
--to=cel@kernel.org \
--cc=Dai.Ngo@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux@stwm.de \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox