Commit ba8ca427 authored by Dai Ngo, committed by Li Lingfeng

NFSD: fix hang in nfsd4_shutdown_callback

mainline inclusion
from mainline-v6.14-rc3
commit 036ac2778f7b28885814c6fbc07e156ad1624d03
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC4R
CVE: CVE-2025-21795

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=036ac2778f7b28885814c6fbc07e156ad1624d03



--------------------------------

commit 036ac2778f7b28885814c6fbc07e156ad1624d03 upstream.

If nfs4_client is in courtesy state then there is no point in sending
the callback. This causes nfsd4_shutdown_callback to hang since
cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP
notifies NFSD that the connection was dropped.

This patch modifies nfsd4_run_cb_work to skip the RPC call if
nfs4_client is in courtesy state.

Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Fixes: 66af2579 ("NFSD: add courteous server support for thread with only delegation")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
parent 305d3014
+5 −2
@@ -1410,8 +1410,11 @@ nfsd4_run_cb_work(struct work_struct *work)
		nfsd4_process_cb_update(cb);

	clnt = clp->cl_cb_client;
	if (!clnt) {
		/* Callback channel broken, or client killed; give up: */
	if (!clnt || clp->cl_state == NFSD4_COURTESY) {
		/*
		 * Callback channel broken, client killed or
		 * nfs4_client in courtesy state; give up.
		 */
		nfsd41_destroy_cb(cb);
		return;
	}
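
Review bot: the new test of clp->cl_state in `if (!clnt || clp->cl_state == NFSD4_COURTESY)` is a plain read, with no lock or READ_ONCE visible in this hunk, so a client that enters courtesy state just after the check would still have the RPC sent and could hit the same wait in nfsd4_shutdown_callback that the commit message describes. Please say in the comment which lock or ordering makes this read safe, or state that the remaining window is accepted. The comment would also be more useful if it recorded why giving up is correct for a courtesy client (the commit message's reason: there is no point in sending the callback) rather than only listing the three cases, and it is worth confirming that nfsd41_destroy_cb(cb) on this early-return path is what brings cl_cb_inflight back down, since that counter is the one the commit message names as the cause of the hang.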