From b86dbf455d75ce54314efc826364259b8a87a8d0 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia Date: Mon, 3 Mar 2025 12:09:08 -0500 Subject: [PATCH] NFSD: fix hang in nfsd4_shutdown_callback JIRA: https://issues.redhat.com/browse/RHEL-81291 CVE: CVE-2025-21795 commit 036ac2778f7b28885814c6fbc07e156ad1624d03 Author: Dai Ngo Date: Thu Jan 30 11:01:27 2025 -0800 NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state. Signed-off-by: Dai Ngo Fixes: 66af25799940 ("NFSD: add courteous server support for thread with only delegation") Cc: stable@vger.kernel.org Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Olga Kornievskaia --- fs/nfsd/nfs4callback.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 0d7cc2f9a8e07..d8eed853d528d 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -1480,8 +1480,11 @@ nfsd4_run_cb_work(struct work_struct *work) nfsd4_process_cb_update(cb); clnt = clp->cl_cb_client; - if (!clnt) { - /* Callback channel broken, or client killed; give up: */ + if (!clnt || clp->cl_state == NFSD4_COURTESY) { + /* + * Callback channel broken, client killed or + * nfs4_client in courtesy state; give up. + */ nfsd41_destroy_cb(cb); return; } -- GitLab
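Review bot: In the new condition `if (!clnt || clp->cl_state == NFSD4_COURTESY)` in nfsd4_run_cb_work, cl_state is read with no lock or READ_ONCE visible in the hunk context. A client that moves to courtesy state just after this test would still have the RPC issued and could leave cl_cb_inflight non-zero for nfsd4_shutdown_callback, which is the hang the commit message describes. Please state in the comment what serializes this read against the state transition, or explain in the commit message why that window is harmless. The same give-up branch now covers three distinct cases, so it would also help to note why nfsd41_destroy_cb(cb) is the correct teardown for a courtesy client and not only for a broken channel or a killed client.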