NFSD: fix hang in nfsd4_shutdown_callback

2025-08-06 14:03:04 +00:00 · 2025-08-06 14:03:04 +00:00 · 595f70809e
commit 595f70809e
parent 151f0dbd2d
2 changed files with 60 additions and 1 deletions
--- a/config.yaml
+++ b/config.yaml
@ -40,6 +40,10 @@ actions:
        name: "ppc64le-kvm-support.patch"
        number: "Latest"
        modify_spec: false
+      - type: "patch"
+        name: "b86dbf455d75ce54314efc826364259b8a87a8d0.patch"
+        number: "Latest"
+        modify_spec: false

  - replace:
      - target: "kernel*rhel.config"
@ -440,7 +444,7 @@ actions:
        cwd: "rpms"

  - changelog_entry:
-      - name: "Andrei Lukoshko"
+      - name: "Andrew Lukoshko"
        email: "alukoshko@almalinux.org"
        line:
          - "hpsa: bring back deprecated PCI ids #CFHack #CFHack2024"
@ -451,6 +455,7 @@ actions:
          - "lpfc: bring back deprecated PCI ids"
          - "be2iscsi: bring back deprecated PCI ids"
          - "kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained"
+          - "NFSD: fix hang in nfsd4_shutdown_callback"
      - name: "Eduard Abdullin"
        email: "eabdullin@almalinux.org"
        line:
--- a/files/b86dbf455d75ce54314efc826364259b8a87a8d0.patch
+++ b/files/b86dbf455d75ce54314efc826364259b8a87a8d0.patch
@ -0,0 +1,54 @@
+From b86dbf455d75ce54314efc826364259b8a87a8d0 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev@redhat.com>
+Date: Mon, 3 Mar 2025 12:09:08 -0500
+Subject: [PATCH] NFSD: fix hang in nfsd4_shutdown_callback
+
+JIRA: https://issues.redhat.com/browse/RHEL-81291
+CVE: CVE-2025-21795
+
+commit 036ac2778f7b28885814c6fbc07e156ad1624d03
+Author: Dai Ngo <dai.ngo@oracle.com>
+Date:   Thu Jan 30 11:01:27 2025 -0800
+
+    NFSD: fix hang in nfsd4_shutdown_callback
+
+    If nfs4_client is in courtesy state then there is no point to send
+    the callback. This causes nfsd4_shutdown_callback to hang since
+    cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP
+    notifies NFSD that the connection was dropped.
+
+    This patch modifies nfsd4_run_cb_work to skip the RPC call if
+    nfs4_client is in courtesy state.
+
+    Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+    Fixes: 66af25799940 ("NFSD: add courteous server support for thread with only delegation")
+    Cc: stable@vger.kernel.org
+    Reviewed-by: Jeff Layton <jlayton@kernel.org>
+    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+---
+ fs/nfsd/nfs4callback.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
+index 0d7cc2f9a8e07..d8eed853d528d 100644
+--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
+@@ -1480,8 +1480,11 @@ nfsd4_run_cb_work(struct work_struct *work)
+ 		nfsd4_process_cb_update(cb);
+ 
+ 	clnt = clp->cl_cb_client;
+-	if (!clnt) {
+-		/* Callback channel broken, or client killed; give up: */
+	if (!clnt || clp->cl_state == NFSD4_COURTESY) {
+		/*
+		 * Callback channel broken, client killed or
+		 * nfs4_client in courtesy state; give up.
+		 */
+ 		nfsd41_destroy_cb(cb);
+ 		return;
+ 	}
+-- 
+GitLab
+