lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c915e63b-1c7e-40ba-a02f-a003ffc75e20@huawei.com>
Date: Thu, 9 Oct 2025 10:33:53 +0800
From: Li Lingfeng <lilingfeng3@...wei.com>
To: Chuck Lever <chuck.lever@...cle.com>
CC: <yukuai1@...weicloud.com>, <houtao1@...wei.com>, <yi.zhang@...wei.com>,
	<yangerkun@...wei.com>, <lilingfeng@...weicloud.com>,
	<zhangjian496@...wei.com>, <bcodding@...hat.com>,
	<linux-kernel@...r.kernel.org>, <linux-nfs@...r.kernel.org>,
	<tom@...pey.com>, <Dai.Ngo@...cle.com>, <neil@...wn.name>,
	<jlayton@...nel.org>, <okorniev@...hat.com>
Subject: Re: [PATCH v3] nfsd: remove long-standing revoked delegations by
 force

Hi,

在 2025/10/2 23:09, Chuck Lever 写道:
> On 9/29/25 3:40 PM, Chuck Lever wrote:
>> On 9/4/25 7:48 PM, Li Lingfeng wrote:
>>> When file access conflicts occur between clients, the server recalls
>>> delegations. If the client holding delegation fails to return it after
>>> a recall, nfs4_laundromat adds the delegation to cl_revoked list.
>>> This causes subsequent SEQUENCE operations to set the
>>> SEQ4_STATUS_RECALLABLE_STATE_REVOKED flag, forcing the client to
>>> validate all delegations and return the revoked one.
>>>
>>> However, if the client fails to return the delegation like this:
>>> nfs4_laundromat                       nfsd4_delegreturn
>>>   unhash_delegation_locked
>>>   list_add // add dp to reaplist
>>>            // by dl_recall_lru
>>>   list_del_init // delete dp from
>>>                 // reaplist
>>>                                         destroy_delegation
>>>                                          unhash_delegation_locked
>>>                                           // do nothing but return false
>>>   revoke_delegation
>>>   list_add // add dp to cl_revoked
>>>            // by dl_recall_lru
>>>
>>> The delegation will remain in the server's cl_revoked list while the
>>> client marks it revoked and won't find it upon detecting
>>> SEQ4_STATUS_RECALLABLE_STATE_REVOKED.
>>> This leads to a loop:
>>> the server persistently sets SEQ4_STATUS_RECALLABLE_STATE_REVOKED, and the
>>> client repeatedly tests all delegations, severely impacting performance
>>> when numerous delegations exist.
>>>
>>> Since abnormal delegations are removed from flc_lease via nfs4_laundromat
>>> --> revoke_delegation --> destroy_unhashed_deleg -->
>>> nfs4_unlock_deleg_lease --> kernel_setlease, and do not block new open
>>> requests indefinitely, retaining such a delegation on the server is
>>> unnecessary.
>>>
>>> Fixes: 3bd64a5ba171 ("nfsd4: implement SEQ4_STATUS_RECALLABLE_STATE_REVOKED")
>>> Reported-by: Zhang Jian <zhangjian496@...wei.com>
>>> Closes: https://lore.kernel.org/all/ff8debe9-6877-4cf7-ba29-fc98eae0ffa0@huawei.com/
>>> Signed-off-by: Li Lingfeng <lilingfeng3@...wei.com>
>>> Reviewed-by: Jeff Layton <jlayton@...nel.org>
>>> ---
>>>    Changes in v2:
>>>    1) Set SC_STATUS_CLOSED unconditionally in destroy_delegation();
>>>    2) Determine whether to remove the delegation based on SC_STATUS_CLOSED,
>>>       rather than by timeout;
>>>    3) Modify the commit message.
>>>
>>>    Changes in v3:
>>>    1) Move variables used for traversal inside the if statement;
>>>    2) Add a comment to explain why we have to do this;
>>>    3) Move the second check of cl_revoked inside the if statement of
>>>       the first check.
>>>   fs/nfsd/nfs4state.c | 35 +++++++++++++++++++++++++++++++++--
>>>   1 file changed, 33 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
>>> index 88c347957da5..20fae3449af6 100644
>>> --- a/fs/nfsd/nfs4state.c
>>> +++ b/fs/nfsd/nfs4state.c
>>> @@ -1336,6 +1336,11 @@ static void destroy_delegation(struct nfs4_delegation *dp)
>>>   
>>>   	spin_lock(&state_lock);
>>>   	unhashed = unhash_delegation_locked(dp, SC_STATUS_CLOSED);
>>> +	/*
>>> +	 * Unconditionally set SC_STATUS_CLOSED, regardless of whether the
>>> +	 * delegation is hashed, to mark the current delegation as invalid.
>>> +	 */
>>> +	dp->dl_stid.sc_status |= SC_STATUS_CLOSED;
>>>   	spin_unlock(&state_lock);
>>>   	if (unhashed)
>>>   		destroy_unhashed_deleg(dp);
>>> @@ -4470,8 +4475,34 @@ nfsd4_sequence(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
>>>   	default:
>>>   		seq->status_flags = 0;
>>>   	}
>>> -	if (!list_empty(&clp->cl_revoked))
>>> -		seq->status_flags |= SEQ4_STATUS_RECALLABLE_STATE_REVOKED;
>>> +	if (!list_empty(&clp->cl_revoked)) {
>>> +		struct list_head *pos, *next;
>>> +		struct nfs4_delegation *dp;
>>> +
>>> +		/*
>>> +		 * Concurrent nfs4_laundromat() and nfsd4_delegreturn()
>>> +		 * may add a delegation to cl_revoked even after the
>>> +		 * client has returned it, causing persistent
>>> +		 * SEQ4_STATUS_RECALLABLE_STATE_REVOKED, disrupting normal
>>> +		 * operations.
>>> +		 * Remove delegations with SC_STATUS_CLOSED from cl_revoked
>>> +		 * to resolve.
>>> +		 */
>>> +		spin_lock(&clp->cl_lock);
>>> +		list_for_each_safe(pos, next, &clp->cl_revoked) {
>>> +			dp = list_entry(pos, struct nfs4_delegation, dl_recall_lru);
>>> +			if (dp->dl_stid.sc_status & SC_STATUS_CLOSED) {
>>> +				list_del_init(&dp->dl_recall_lru);
>>> +				spin_unlock(&clp->cl_lock);
>> Does unlocking cl_lock here allow another CPU to free the object
>> that @next is pointing to? That pointer address would then be
>> dereferenced on the next loop iteration.
I understand the problem as follows:
     CPU1                                    CPU2
list: cl_revoked-->dp1-->dp2-->dp3-->...
spin_lock
pos = dp1
next = dp2
list: cl_revoked-->dp2-->dp3-->...
spin_unlock
                                         spin_lock
                                         // remove and free dp2
                                         list: cl_revoked-->dp3-->...
                                         spin_unlock
spin_lock
pos = next = dp2
next = dp2->next // UAF

Apologies for the problem caused by my insufficient understanding of
list_for_each_safe.
>> Might be better to stuff dp onto a local list, then "put" all
>> the items on that list once this loop has terminated and cl_lock
>> has been released.
Thank you for your advice, I will send v4 soon.
> I intended to include this patch in nfsd-next for v6.18, but since I
> haven't gotten a response, I have dropped it for now.
>
> When we get closure on my question above, I am happy to requeue it
> for a later merge window.
Please accept my apologies for the belated reply. I have been on a break
for the National Day holiday and have just returned to work.
>
>>> +				nfs4_put_stid(&dp->dl_stid);
>>> +				spin_lock(&clp->cl_lock);
>>> +			}
>>> +		}
>>> +		spin_unlock(&clp->cl_lock);
>>> +
>>> +		if (!list_empty(&clp->cl_revoked))
>>> +			seq->status_flags |= SEQ4_STATUS_RECALLABLE_STATE_REVOKED;
>>> +	}
>>>   	if (atomic_read(&clp->cl_admin_revoked))
>>>   		seq->status_flags |= SEQ4_STATUS_ADMIN_STATE_REVOKED;
>>>   	trace_nfsd_seq4_status(rqstp, seq);
>>
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ