Hi Linus-
We are still working on an infrequent UAF that happens during
an NFSv4 DELEGRETURN request, as documented here:
https://bugzilla.linux-nfs.org/show_bug.cgi?id=394
This appears to have been an issue for the past several
releases (maybe since v5.14 or v5.15?). I expect Jeff and I
will have this addressed in the next couple of weeks.
However, the other v6.1 changes for NFSD are ready for you now.
---- Pull request follows ----
The following changes since commit 521a547ced6477c54b4b0cc206000406c221b4d6:
Linux 6.0-rc6 (2022-09-18 13:44:14 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git tags/nfsd-6.1
for you to fetch changes up to 895ddf5ed4c54ea9e3533606d7a8b4e4f27f95ef:
nfsd: extra checks when freeing delegation stateids (2022-09-26 14:50:58 -0400)
----------------------------------------------------------------
NFSD 6.1 Release Notes
This release is mostly bug fixes, clean-ups, and optimizations.
One notable set of fixes addresses a subtle buffer overflow issue
that occurs if a small RPC Call message arrives in an oversized
RPC record. This is only possible on a framed RPC transport such
as TCP.
Because NFSD shares the receive and send buffers in one set of
pages, an oversized RPC record steals pages from the send buffer
that will be used to construct the RPC Reply message. NFSD must
not assume that a full-sized buffer is always available to it;
otherwise, it will walk off the end of the send buffer while
constructing its reply.
In this release, we also introduce the ability for the server to
wait a moment for clients to return delegations before it responds
with NFS4ERR_DELAY. This saves a retransmit and a network
round-trip when a delegation recall is needed. This work will be built
upon in future releases.
The NFS server adds another shrinker to its collection. Because
courtesy clients can linger for quite some time, they might be
freeable when the server host comes under memory pressure. A new
shrinker has been added that releases courtesy client resources
during low memory scenarios.
Lastly, of note: the maximum number of operations per NFSv4
COMPOUND that NFSD can handle is increased from 16 to 50. There
are NFSv4 client implementations that need more than 16 to
successfully perform a mount operation that uses a pathname
with many components.
----------------------------------------------------------------
Anna Schumaker (1):
NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
ChenXiaoSong (5):
nfsd: use DEFINE_PROC_SHOW_ATTRIBUTE to define nfsd_proc_ops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define export_features_fops and supported_enctypes_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define client_info_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_reply_cache_stats_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_file_cache_stats_fops
Christophe JAILLET (3):
nfsd: Fix a memory leak in an error handling path
nfsd: Avoid some useless tests
nfsd: Propagate some error code returned by memdup_user()
Chuck Lever (30):
NFSD: Increase NFSD_MAX_OPS_PER_COMPOUND
SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
SUNRPC: Fix svcxdr_init_encode's buflen calculation
NFSD: Protect against send buffer overflow in NFSv2 READDIR
NFSD: Protect against send buffer overflow in NFSv3 READDIR
NFSD: Protect against send buffer overflow in NFSv2 READ
NFSD: Protect against send buffer overflow in NFSv3 READ
NFSD: Fix handling of oversized NFSv4 COMPOUND requests
NFSD: Replace dprintk() call site in fh_verify()
NFSD: Trace NFSv4 COMPOUND tags
NFSD: Add tracepoints to report NFSv4 callback completions
NFSD: Add a mechanism to wait for a DELEGRETURN
NFSD: Refactor nfsd_setattr()
NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY
NFSD: Make nfsd4_rename() wait before returning NFS4ERR_DELAY
NFSD: Make nfsd4_remove() wait before returning NFS4ERR_DELAY
SUNRPC: Optimize svc_process()
SUNRPC: Parametrize how much of argsize should be zeroed
NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing
SUNRPC: Clarify comment that documents svc_max_payload()
NFSD: Refactor common code out of dirlist helpers
NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
NFSD: Clean up WRITE arg decoders
SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment
NFSD: Clean up nfs4svc_encode_compoundres()
NFSD: Remove "inline" directives on op_rsize_bop helpers
NFSD: Remove unused nfsd4_compoundargs::cachetype field
NFSD: Pack struct nfsd4_compoundres
NFSD: Rename the fields in copy_stateid_t
NFSD: Cap rsize_bop result based on send buffer size
Dai Ngo (3):
NFSD: keep track of the number of courtesy clients in the system
NFSD: add shrinker to reap courtesy clients on low memory condition
NFSD: fix use-after-free on source server when doing inter-server copy
Gaosheng Cui (1):
nfsd: remove nfsd4_prepare_cb_recall() declaration
Jeff Layton (5):
nfsd: clean up mounted_on_fileid handling
nfsd: only fill out return pointer on success in nfsd4_lookup_stateid
nfsd: fix comments about spinlock handling with delegations
nfsd: make nfsd4_run_cb a bool return function
nfsd: extra checks when freeing delegation stateids
Jinpeng Cui (1):
NFSD: remove redundant variable status
NeilBrown (1):
NFSD: drop fname and flen args from nfsd_create_locked()
Olga Kornievskaia (1):
NFSD enforce filehandle check for source file in COPY
Wolfram Sang (2):
NFSD: move from strlcpy with unused retval to strscpy
lockd: move from strlcpy with unused retval to strscpy
fs/lockd/host.c | 2 +-
fs/lockd/svc4proc.c | 24 ++++++++++++
fs/lockd/svcproc.c | 24 ++++++++++++
fs/nfs/callback_xdr.c | 1 +
fs/nfsd/cache.h | 2 +-
fs/nfsd/filecache.c | 7 +---
fs/nfsd/filecache.h | 2 +-
fs/nfsd/netns.h | 4 ++
fs/nfsd/nfs2acl.c | 5 +++
fs/nfsd/nfs3acl.c | 3 ++
fs/nfsd/nfs3proc.c | 43 ++++++++++++++-------
fs/nfsd/nfs3xdr.c | 18 ++-------
fs/nfsd/nfs4callback.c | 14 ++++++-
fs/nfsd/nfs4idmap.c | 8 ++--
fs/nfsd/nfs4layouts.c | 2 +-
fs/nfsd/nfs4proc.c | 226 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------------
fs/nfsd/nfs4recover.c | 14 ++++---
fs/nfsd/nfs4state.c | 218 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------
fs/nfsd/nfs4xdr.c | 102 ++++++++++++++++++++++++++++++++-----------------
fs/nfsd/nfscache.c | 13 ++-----
fs/nfsd/nfsctl.c | 54 +++++++-------------------
fs/nfsd/nfsd.h | 13 ++++++-
fs/nfsd/nfsfh.c | 8 +---
fs/nfsd/nfsproc.c | 39 +++++++++++--------
fs/nfsd/nfssvc.c | 2 +-
fs/nfsd/nfsxdr.c | 4 +-
fs/nfsd/state.h | 11 +++---
fs/nfsd/stats.c | 14 +------
fs/nfsd/trace.h | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
fs/nfsd/vfs.c | 128 ++++++++++++++++++++++++++++++++++++++++----------------------
fs/nfsd/vfs.h | 4 +-
fs/nfsd/xdr4.h | 9 +++--
include/linux/sunrpc/svc.h | 20 ++++++++--
include/linux/sunrpc/xdr.h | 2 +
net/sunrpc/svc.c | 34 +++++++++--------
net/sunrpc/xdr.c | 24 +++++++++++-
36 files changed, 829 insertions(+), 400 deletions(-)
--
Chuck Lever
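Added example (editor's illustration, not code from the kernel or from this pull request): a small C model of the send-buffer overflow the release notes describe. One fixed pool of pages holds both the received RPC record and the reply under construction; an oversized record occupies whole pages at the front of the pool, so the reply has less room than a "full-sized" buffer. The page size, pool size, the ASSUMED_REPLY_MAX constant and the 256-byte entry size are constructed values, and the encoder refuses to write past the pool end and reports the would-be overrun instead of corrupting memory. The capped budget stands in for the approach of the "Cap rsize_bop result based on send buffer size" change; the real kernel code uses xdr_stream bookkeeping rather than this structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define POOL_PAGES  8u
#define POOL_BYTES  (PAGE_SIZE * POOL_PAGES)

/* A normal Call fits in one page, so the flawed logic assumed the reply
 * always had the rest of the pool. (Constructed value for this model.) */
#define ASSUMED_REPLY_MAX (POOL_BYTES - PAGE_SIZE)

struct rpc_buf {
    unsigned char pages[POOL_BYTES];
    size_t send_off;   /* first byte available to the reply */
    size_t send_end;   /* one past the last byte of the pool */
};

/* Model of receiving a framed record (e.g. over TCP): the record lands in
 * whole pages at the front of the pool, and those pages are lost to the reply. */
static bool rpc_buf_receive(struct rpc_buf *b, size_t record_len)
{
    size_t pages;
    if (record_len > POOL_BYTES)
        return false;               /* the transport would reject this */
    pages = (record_len + PAGE_SIZE - 1) / PAGE_SIZE;
    memset(b->pages, 0, sizeof(b->pages));
    b->send_off = pages * PAGE_SIZE;
    b->send_end = POOL_BYTES;
    return true;
}

static size_t rpc_buf_send_space(const struct rpc_buf *b)
{
    return b->send_end - b->send_off;
}

/* Encode fixed-size entries until the budget runs out, like a READDIR reply.
 * The bounds check stands in for memory that would otherwise be corrupted:
 * it refuses the write and records how many bytes would have gone past the end. */
static size_t encode_entries(struct rpc_buf *b, size_t budget,
                             size_t entry_len, size_t *overflow)
{
    size_t n = 0;
    *overflow = 0;
    while (budget >= entry_len) {
        if (b->send_off + entry_len > b->send_end) {
            *overflow = b->send_off + entry_len - b->send_end;
            break;
        }
        memset(b->pages + b->send_off, 0xAB, entry_len);
        b->send_off += entry_len;
        budget -= entry_len;
        n++;
    }
    return n;
}

/* Before: the budget comes only from the client's count and the assumed
 * full-sized reply area; the received record's size is never consulted. */
static size_t reply_budget_before(size_t client_count)
{
    return client_count < ASSUMED_REPLY_MAX ? client_count : ASSUMED_REPLY_MAX;
}

/* After: additionally cap by the space actually left behind the received record. */
static size_t reply_budget_after(const struct rpc_buf *b, size_t client_count)
{
    size_t before = reply_budget_before(client_count);
    size_t space = rpc_buf_send_space(b);
    return before < space ? before : space;
}

/* Receives a record of record_len bytes, builds a reply with either budget,
 * and returns the number of bytes the encoder would have written past the
 * end of the pool (nonzero means the reply walked off the send buffer). */
static size_t overflow_for_record(size_t record_len, size_t client_count, bool use_cap)
{
    static struct rpc_buf b;    /* static: 32 KiB is too large for the stack */
    size_t overflow, budget;
    if (!rpc_buf_receive(&b, record_len))
        return 0;
    budget = use_cap ? reply_budget_after(&b, client_count)
                     : reply_budget_before(client_count);
    encode_entries(&b, budget, 256, &overflow);
    return overflow;
}

int main(void)
{
    size_t oversized = 6 * PAGE_SIZE + 100;   /* constructed: eats 7 of 8 pages */
    printf("oversized record, uncapped budget: %zu bytes past the end\n",
           overflow_for_record(oversized, ASSUMED_REPLY_MAX, false));
    printf("oversized record, capped budget:   %zu bytes past the end\n",
           overflow_for_record(oversized, ASSUMED_REPLY_MAX, true));
    return 0;
}
```

With a 100-byte Call both budgets behave identically; the difference appears only when the record spills into the pages the reply expected to own, which is exactly the case the release notes call out as reachable over framed transports.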
The pull request you sent on Mon, 3 Oct 2022 14:12:38 +0000:
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git tags/nfsd-6.1
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/f90497a16e434c2211c66e3de8e77b17868382b8
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html