Re: [PATCH 0/6] SUNRPC: Address remaining cache_check_rcu() UAF in cache content files

[Chuck Lever]

Hello Erkun -

On Thu, May 7, 2026, at 11:09 AM, yangerkun wrote:
> Hi,
>
> 在 2026/5/1 22:51, Chuck Lever 写道:
>> Misbah Anjum reported a use-after-free in cache_check_rcu()
>> reached through e_show() while sosreport was reading
>> /proc/fs/nfsd/exports on ppc64le.  Two fixes for that report
>> landed in v7.0:
>> 
>>    48db892356d6 ("NFSD: Defer sub-object cleanup in export put callbacks")
>>    e7fcf179b82d ("NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd")
>
> Back to the problem fixed by this patches, I'm a little confused why
> this UAF can be trigged.
>
> Before this patches, svc_export_put show as follow:
>
>   368 static void svc_export_put(struct kref *ref)
>   369 {
>   370         struct svc_export *exp = container_of(ref, struct 
> svc_export, h.ref);
>   371
>   372         path_put(&exp->ex_path);
>   373         auth_domain_put(exp->ex_client);
>   374         call_rcu(&exp->ex_rcu, svc_export_release);
>   375 }
>
> The auth_domain_put function releases ->name using call_rcu, and
> path_put may release the dentry also via call_rcu. All of this seems to
> prevent e_show from causing a UAF. Could you point out which line in
> d_path triggers the issue?

The dentry, the mount, and the auth_domain ->name buffer all
end up RCU-freed (dentry_free() and delayed_free_vfsmnt in
fs/, svcauth_unix_domain_release_rcu() in svcauth_unix.c).
The eventual kfree isn't the problem.

The problem is the synchronous teardown inside path_put(),
which runs before svc_export_put() ever reaches its own
call_rcu():

  path_put(&exp->ex_path)
    -> dput(dentry)
       -> __dentry_kill()              [if last ref]
          -> __d_drop()                /* unhashes */
          -> dentry_unlink_inode()     /* d_inode = NULL */
          -> d_op->d_release() if set
          -> drops parent d_lockref    /* may cascade up */
          -> dentry_free()             /* call_rcu deferred */
    -> mntput(mnt)                     /* deferred via task_work */

The dentry pointer itself is RCU-safe, so prepend_path()'s walk
of d_parent and d_name doesn't read freed memory.  But by the
time the reader gets there, __d_clear_type_and_inode() has
already stored NULL into d_inode, __d_drop() has broken the
hash linkage, and the parent's d_lockref has been decremented
-- which can in turn fire __dentry_kill() on the parent, and
on up the tree.  An e_show() that's still inside its cache RCU
read section walks into that half-dismantled state through
seq_path(), and that's the NULL deref Misbah reported.

The earlier fix (2530766492ec, "nfsd: fix UAF when access
ex_uuid or ex_stats") moved the kfree of ex_uuid and ex_stats
into svc_export_release() so those are RCU-safe now.
path_put() and auth_domain_put() couldn't go in there because
both may sleep, and call_rcu callbacks run in softirq context.
This series uses queue_rcu_work() instead: it defers past the
grace period AND runs the callback in process context, so the
sleeping puts move into the deferred path and the window
closes.


-- 
Chuck Lever