Hi Linus-

We are still working on an infrequent UAF that happens during an
NFSv4 DELEGRETURN request, as documented here:

https://bugzilla.linux-nfs.org/show_bug.cgi?id=394

This appears to have been an issue for the past several releases
(maybe since v5.14 or v5.15?). I expect Jeff and I will have this
addressed in the next couple of weeks. However, the other v6.1
changes for NFSD are ready for you now.

---- Pull request follows ----

The following changes since commit 521a547ced6477c54b4b0cc206000406c221b4d6:

  Linux 6.0-rc6 (2022-09-18 13:44:14 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git tags/nfsd-6.1

for you to fetch changes up to 895ddf5ed4c54ea9e3533606d7a8b4e4f27f95ef:

  nfsd: extra checks when freeing delegation stateids (2022-09-26 14:50:58 -0400)

----------------------------------------------------------------
NFSD 6.1 Release Notes

This release is mostly bug fixes, clean-ups, and optimizations.

One notable set of fixes addresses a subtle buffer overflow issue
that occurs if a small RPC Call message arrives in an oversized RPC
record. This is only possible on a framed RPC transport such as TCP.
Because NFSD shares the receive and send buffers in one set of pages,
an oversized RPC record steals pages from the send buffer that will
be used to construct the RPC Reply message. NFSD must not assume that
a full-sized buffer is always available to it; otherwise, it will
walk off the end of the send buffer while constructing its reply.

In this release, we also introduce the ability for the server to wait
a moment for clients to return delegations before it responds with
NFS4ERR_DELAY. This saves a retransmit and a network round-trip when
a delegation recall is needed. This work will be built upon in future
releases.

The NFS server adds another shrinker to its collection. Because
courtesy clients can linger for quite some time, they might be
freeable when the server host comes under memory pressure. A new
shrinker has been added that releases courtesy client resources
during low memory scenarios.

Lastly, of note: the maximum number of operations per NFSv4 COMPOUND
that NFSD can handle is increased from 16 to 50. There are NFSv4
client implementations that need more than 16 to successfully perform
a mount operation that uses a pathname with many components.

----------------------------------------------------------------
Anna Schumaker (1):
      NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data

ChenXiaoSong (5):
      nfsd: use DEFINE_PROC_SHOW_ATTRIBUTE to define nfsd_proc_ops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define export_features_fops and supported_enctypes_fops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define client_info_fops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_reply_cache_stats_fops
      nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_file_cache_stats_fops

Christophe JAILLET (3):
      nfsd: Fix a memory leak in an error handling path
      nfsd: Avoid some useless tests
      nfsd: Propagate some error code returned by memdup_user()

Chuck Lever (30):
      NFSD: Increase NFSD_MAX_OPS_PER_COMPOUND
      SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
      SUNRPC: Fix svcxdr_init_encode's buflen calculation
      NFSD: Protect against send buffer overflow in NFSv2 READDIR
      NFSD: Protect against send buffer overflow in NFSv3 READDIR
      NFSD: Protect against send buffer overflow in NFSv2 READ
      NFSD: Protect against send buffer overflow in NFSv3 READ
      NFSD: Fix handling of oversized NFSv4 COMPOUND requests
      NFSD: Replace dprintk() call site in fh_verify()
      NFSD: Trace NFSv4 COMPOUND tags
      NFSD: Add tracepoints to report NFSv4 callback completions
      NFSD: Add a mechanism to wait for a DELEGRETURN
      NFSD: Refactor nfsd_setattr()
      NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY
      NFSD: Make nfsd4_rename() wait before returning NFS4ERR_DELAY
      NFSD: Make nfsd4_remove() wait before returning NFS4ERR_DELAY
      SUNRPC: Optimize svc_process()
      SUNRPC: Parametrize how much of argsize should be zeroed
      NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing
      SUNRPC: Clarify comment that documents svc_max_payload()
      NFSD: Refactor common code out of dirlist helpers
      NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
      NFSD: Clean up WRITE arg decoders
      SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment
      NFSD: Clean up nfs4svc_encode_compoundres()
      NFSD: Remove "inline" directives on op_rsize_bop helpers
      NFSD: Remove unused nfsd4_compoundargs::cachetype field
      NFSD: Pack struct nfsd4_compoundres
      NFSD: Rename the fields in copy_stateid_t
      NFSD: Cap rsize_bop result based on send buffer size

Dai Ngo (3):
      NFSD: keep track of the number of courtesy clients in the system
      NFSD: add shrinker to reap courtesy clients on low memory condition
      NFSD: fix use-after-free on source server when doing inter-server copy

Gaosheng Cui (1):
      nfsd: remove nfsd4_prepare_cb_recall() declaration

Jeff Layton (5):
      nfsd: clean up mounted_on_fileid handling
      nfsd: only fill out return pointer on success in nfsd4_lookup_stateid
      nfsd: fix comments about spinlock handling with delegations
      nfsd: make nfsd4_run_cb a bool return function
      nfsd: extra checks when freeing delegation stateids

Jinpeng Cui (1):
      NFSD: remove redundant variable status

NeilBrown (1):
      NFSD: drop fname and flen args from nfsd_create_locked()

Olga Kornievskaia (1):
      NFSD enforce filehandle check for source file in COPY

Wolfram Sang (2):
      NFSD: move from strlcpy with unused retval to strscpy
      lockd: move from strlcpy with unused retval to strscpy

 fs/lockd/host.c            |   2 +-
 fs/lockd/svc4proc.c        |  24 ++++++++++++
 fs/lockd/svcproc.c         |  24 ++++++++++++
 fs/nfs/callback_xdr.c      |   1 +
 fs/nfsd/cache.h            |   2 +-
 fs/nfsd/filecache.c        |   7 +---
 fs/nfsd/filecache.h        |   2 +-
 fs/nfsd/netns.h            |   4 ++
 fs/nfsd/nfs2acl.c          |   5 +++
 fs/nfsd/nfs3acl.c          |   3 ++
 fs/nfsd/nfs3proc.c         |  43 ++++++++++++++-------
 fs/nfsd/nfs3xdr.c          |  18 ++------
 fs/nfsd/nfs4callback.c     |  14 ++++++-
 fs/nfsd/nfs4idmap.c        |   8 ++--
 fs/nfsd/nfs4layouts.c      |   2 +-
 fs/nfsd/nfs4proc.c         | 226 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------------------------
 fs/nfsd/nfs4recover.c      |  14 ++++---
 fs/nfsd/nfs4state.c        | 218 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------
 fs/nfsd/nfs4xdr.c          | 102 ++++++++++++++++++++++++++++++++-----------------
 fs/nfsd/nfscache.c         |  13 ++-----
 fs/nfsd/nfsctl.c           |  54 +++++++------------------
 fs/nfsd/nfsd.h             |  13 ++++++-
 fs/nfsd/nfsfh.c            |   8 +---
 fs/nfsd/nfsproc.c          |  39 +++++++++++--------
 fs/nfsd/nfssvc.c           |   2 +-
 fs/nfsd/nfsxdr.c           |   4 +-
 fs/nfsd/state.h            |  11 +++---
 fs/nfsd/stats.c            |  14 +------
 fs/nfsd/trace.h            | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 fs/nfsd/vfs.c              | 128 ++++++++++++++++++++++++++++++++++++----------------
 fs/nfsd/vfs.h              |   4 +-
 fs/nfsd/xdr4.h             |   9 +++--
 include/linux/sunrpc/svc.h |  20 ++++++++-
 include/linux/sunrpc/xdr.h |   2 +
 net/sunrpc/svc.c           |  34 +++++++++-------
 net/sunrpc/xdr.c           |  24 +++++++++++-

 36 files changed, 829 insertions(+), 400 deletions(-)

-- 
Chuck Lever
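The shared receive/send buffer problem described in the release notes above, as an added C illustration that is not kernel code and not the NFSD project's own: one per-request page array holds both the received RPC record and the reply being built, so a TCP record marker that declares a record far larger than the tiny Call message inside it consumes pages the reply encoder used to assume were free. The model assumes a hypothetical 9-page per-request array, a 32 KiB nominal maximum reply payload, a 64-byte minimum reply, and a constructed stand-in Call message; a "before" encoder sizes its READDIR reply against the nominal maximum, an "after" encoder sizes it against what the page array actually has left.

```c
/* Model of NFSD's shared receive/send page array (added illustration,
 * not Linux kernel code). All sizes and limits are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE    4096u
#define RQ_PAGES     9u                 /* hypothetical per-request page array */
#define MAX_PAYLOAD  (8u * PAGE_SIZE)   /* "full-sized" reply buffer a naive encoder assumes */
#define MIN_REPLY    64u                /* hypothetical: smallest usable RPC Reply */
#define RM_LAST      0x80000000u        /* RFC 5531 record marking: last-fragment bit */

struct sim {
    uint32_t record_len;      /* length declared by the record marker */
    size_t   rx_pages;        /* pages the received record occupies */
    size_t   send_avail;      /* bytes actually left for the reply */
    size_t   naive_len;       /* reply size from an encoder trusting MAX_PAYLOAD */
    size_t   capped_len;      /* reply size from an encoder capped by send_avail */
    int      naive_overflows; /* 1 if the naive reply walks off the end of the array */
};

static size_t minsz(size_t a, size_t b) { return a < b ? a : b; }

/* Parse the 4-byte record-marking header and account for the pages the
 * whole record occupies, regardless of how small the Call inside it is. */
static int recv_record(const uint8_t *stream, size_t stream_len, struct sim *s)
{
    if (stream_len < 4)
        return -1;
    uint32_t marker = ((uint32_t)stream[0] << 24) | ((uint32_t)stream[1] << 16) |
                      ((uint32_t)stream[2] << 8)  |  (uint32_t)stream[3];
    if (!(marker & RM_LAST))
        return -1;                          /* model: single-fragment records only */
    uint32_t len = marker & ~RM_LAST;
    if (stream_len - 4 < len)
        return -1;                          /* short read: record not complete yet */
    if (len > RQ_PAGES * PAGE_SIZE)
        return -1;                          /* does not fit the page array at all */
    s->record_len = len;
    s->rx_pages = (len + PAGE_SIZE - 1) / PAGE_SIZE;
    s->send_avail = (RQ_PAGES - s->rx_pages) * PAGE_SIZE;
    return 0;
}

/* "Before": size the READDIR reply against the nominal maximum payload. */
static size_t encode_naive(size_t entries, size_t entry_len)
{
    return minsz(entries * entry_len, MAX_PAYLOAD);
}

/* "After": size the reply against what the page array really has left. */
static size_t encode_capped(size_t entries, size_t entry_len, size_t send_avail)
{
    return minsz(entries * entry_len, send_avail);
}

/* Build a constructed TCP stream whose marker declares record_len bytes
 * around a tiny Call, receive it, and run both encoders against it.
 * Returns 0 on success, -1 on a malformed record, -2 when no reply fits. */
int simulate(uint32_t record_len, size_t entries, size_t entry_len, struct sim *s)
{
    static uint8_t stream[4 + RQ_PAGES * PAGE_SIZE];
    static const uint8_t tiny_call[] = "XID.CALL.NFS.READDIR"; /* constructed stand-in */

    memset(s, 0, sizeof(*s));
    if (record_len < sizeof(tiny_call) || record_len > RQ_PAGES * PAGE_SIZE)
        return -1;
    uint32_t marker = RM_LAST | record_len;
    stream[0] = (uint8_t)(marker >> 24); stream[1] = (uint8_t)(marker >> 16);
    stream[2] = (uint8_t)(marker >> 8);  stream[3] = (uint8_t)marker;
    memset(stream + 4, 0, record_len);              /* oversized tail is just padding */
    memcpy(stream + 4, tiny_call, sizeof(tiny_call));

    if (recv_record(stream, 4 + record_len, s))
        return -1;
    if (s->send_avail < MIN_REPLY)
        return -2;                                  /* reject: no room even for a header */
    s->naive_len = encode_naive(entries, entry_len);
    s->capped_len = encode_capped(entries, entry_len, s->send_avail);
    s->naive_overflows = s->naive_len > s->send_avail;
    return 0;
}

int main(void)
{
    struct sim s;
    uint32_t cases[] = { 200, 30000 };              /* normal record, oversized record */
    for (size_t i = 0; i < 2; i++) {
        if (simulate(cases[i], 500, 128, &s) == 0)
            printf("record=%u rx_pages=%zu avail=%zu naive=%zu capped=%zu overflow=%d\n",
                   s.record_len, s.rx_pages, s.send_avail, s.naive_len,
                   s.capped_len, s.naive_overflows);
    }
    printf("record filling every page: rc=%d\n", simulate(36864, 500, 128, &s));
    return 0;
}
```

The capped encoder stands in for what the shortlog's "SUNRPC: Fix svcxdr_init_encode's buflen calculation" and "NFSD: Cap rsize_bop result based on send buffer size" do in the real server: derive the reply budget from the pages the receive path left over rather than from a fixed maximum. The -2 path is the model's own choice for a record that consumes every page; the kernel's handling of that case is in "NFSD: Fix handling of oversized NFSv4 COMPOUND requests".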