Re: [PATCH 1/4] nfs: use-after-free in svc_process_common()

On Thu, 2018-12-20 at 12:30 +0300, Vasily Averin wrote:
> On 12/20/18 4:58 AM, Trond Myklebust wrote:
> > On Thu, 2018-12-20 at 04:39 +0300, Vasily Averin wrote:
> > > Dear Trond,
> > > Red Hat security believes the problem is quite an important
> > > security issue:
> > > https://access.redhat.com/security/cve/cve-2018-16884
> > > 
> > > Fix should be backported to affected distributions.
> > > 
> > > Could you please approve my first patch and push it to stable@ ?
> > > From my PoV it correctly fixes the problem, it breaks nothing and
> > > is easy for backports; lightly modified, it can even be
> > > live-patched.
> > > 
> > > Other patches including switch to using empty rqst->rq_xprt can
> > > wait.
> > > 
> > 
> > That patch is not acceptable for upstream.
> 
> In this case how about my initial plan B -- make svc_serv per
> net-namespace?
> It executes additional per-netns nfsv4 callback threads
> but does not require any changes in existing sunrpc code?

Can we please fix this issue properly without adding more hacks? The
hacks are what has caused the problem in the first place.

The server transport code is completely irrelevant to the client
backchannel and so anything in the backchannel code path that relies on
tests or checks of the "server transport state" is going to be broken.

-- 
Trond Myklebust
CTO, Hammerspace Inc
4300 El Camino Real, Suite 105
Los Altos, CA 94022
www.hammer.space





