From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <cel@kernel.org>, NeilBrown <neil@brown.name>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: linux-nfs@vger.kernel.org, Wolfgang Walter <linux@stwm.de>
Subject: Re: [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation
Date: Mon, 06 Jul 2026 12:42:40 -0400 [thread overview]
Message-ID: <e23f733abb0274d8ecb0404478e5fec8ebe849a2.camel@kernel.org> (raw)
In-Reply-To: <20260705-cel-v2-0-d88c3b68e8bc@kernel.org>
On Sun, 2026-07-05 at 21:25 -0400, Chuck Lever wrote:
> A NULL-pointer dereference reported during NFSv4 client teardown
> (patch 1) proved to be one instance of a broader lifetime bug in
> NFSD's state-revocation machinery. This series fixes the reported
> crash and the sibling races found by auditing the same pattern, then
> consolidates the fixes.
>
> A stateid, and a bare lock owner reachable through the client's owner
> hash, hold only a raw pointer to the owning nfs4_client; a reference
> on the stateid or owner does not keep the client alive. The client
> outlives its state solely because __destroy_client() drains that state
> before free_client() runs. Several paths break that invariant. The
> laundromat unhashes an expired delegation before revoke_delegation()
> re-links it, leaving it momentarily on no client-reachable list
> (patch 2). nfsd4_revoke_states() and its export and NFSv4.0
> admin-revoke siblings drop nn->client_lock and then dereference the
> client again (patches 3-5). __destroy_client() walks the owner hash
> and frees blocked locks with no reference held (patch 1).
>
> ---
> Changes since v1:
> - Add matching UAF fixes in several other paths
>
> ---
> Chuck Lever (6):
> NFSD: Prevent lock owner use-after-free during client teardown
> NFSD: Prevent client use-after-free during delegation revoke
> NFSD: Prevent client use-after-free during admin state revocation
> NFSD: Prevent client use-after-free during export state revocation
> NFSD: Prevent client use-after-free during NFSv4.0 revoked-state cleanup
> NFSD: Consolidate the revocation-path client unpin
>
> fs/nfsd/netns.h | 6 ++-
> fs/nfsd/nfs4state.c | 108 +++++++++++++++++++++++++++++++++++++++++++---------
> 2 files changed, 94 insertions(+), 20 deletions(-)
> ---
> base-commit: ee6ae4a6bf3565b880dfb420017337475dfbc9ea
> change-id: 20260705-cel-61c1c70caa03
>
> Best regards,
> --
> Chuck Lever
This all looks pretty good, aside from patch #2 which seems like it
might cause an ABBA deadlock (according to Sashiko).
You can add this to patches 1 and 3-5 though:
Reviewed-by: Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2026-07-06 16:42 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 1:25 [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation Chuck Lever
2026-07-06 1:25 ` [PATCH v2 1/6] NFSD: Prevent lock owner use-after-free during client teardown Chuck Lever
2026-07-06 1:25 ` [PATCH v2 2/6] NFSD: Prevent client use-after-free during delegation revoke Chuck Lever
2026-07-06 17:29 ` Jeff Layton
2026-07-06 1:25 ` [PATCH v2 3/6] NFSD: Prevent client use-after-free during admin state revocation Chuck Lever
2026-07-06 1:25 ` [PATCH v2 4/6] NFSD: Prevent client use-after-free during export " Chuck Lever
2026-07-06 1:25 ` [PATCH v2 5/6] NFSD: Prevent client use-after-free during NFSv4.0 revoked-state cleanup Chuck Lever
2026-07-06 1:25 ` [PATCH v2 6/6] NFSD: Consolidate the revocation-path client unpin Chuck Lever
2026-07-06 3:53 ` [PATCH v2 0/6] NFSD: Fix UAFs in client teardown and state revocation NeilBrown
2026-07-06 16:42 ` Jeff Layton [this message]
2026-07-06 17:14 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e23f733abb0274d8ecb0404478e5fec8ebe849a2.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=Dai.Ngo@oracle.com \
--cc=cel@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux@stwm.de \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox