On Fri, Nov 01, 2024 at 09:05:07AM -0400, Jeff Layton wrote:
> On Thu, 2024-10-31 at 09:40 -0400, cel@xxxxxxxxxx wrote:
> > From: Chuck Lever <chuck.lever@xxxxxxxxxx>
> >
> > If an async COPY operation happens to be running when the server is
> > shut down, notify the requesting client that the copy has completed.
> >
> > Since the nfs4_client is going away, seems like this could introduce
> > some UAFs.
> >
> > Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> > ---
> > fs/nfsd/nfs4proc.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> > index 4c964bce6bd7..51b3f85f3791 100644
> > --- a/fs/nfsd/nfs4proc.c
> > +++ b/fs/nfsd/nfs4proc.c
> > @@ -68,6 +68,8 @@ MODULE_PARM_DESC(nfsd4_ssc_umount_timeout,
> >
> > #define NFSDDBG_FACILITY NFSDDBG_PROC
> >
> > +static void nfsd4_send_cb_offload(struct nfsd4_copy *copy);
> > +
> > static u32 nfsd_attrmask[] = {
> > NFSD_WRITEABLE_ATTRS_WORD0,
> > NFSD_WRITEABLE_ATTRS_WORD1,
> > @@ -1381,8 +1383,10 @@ void nfsd4_shutdown_copy(struct nfs4_client *clp)
> > {
> > struct nfsd4_copy *copy;
> >
> > - while ((copy = nfsd4_get_copy(clp)) != NULL)
> > + while ((copy = nfsd4_get_copy(clp)) != NULL) {
> > nfsd4_stop_copy(copy);
> > + nfsd4_send_cb_offload(copy);
> > + }
>
> Not sure about a UAF, but it seems like NFS4ERR_DELAY returns might
> delay the client destruction for quite a while.
The nfsd4_copy() is removed from the nfs4_client's async_copies
list, and the RPC proceeds in the background. It doesn't block the
destruction of the CLIENTID.
But it might be a problem for the RPC logic to transmit the call
when there's no nfs4_client to dereference. I should probably
drop this patch and try a different approach.
> Maybe this CB_OFFLOAD shouldn't retry on DELAY?
>
>
> > }
> > #ifdef CONFIG_NFSD_V4_2_INTER_SSC
> >
>
>
> --
> Jeff Layton <jlayton@xxxxxxxxxx>
>
--
Chuck Lever
