[PATCH v2 0/9] nfsd: a pile of fixes for random bugs

From: Jeff Layton

Date: Sat May 30 2026 - 09:19:45 EST


These bugs were categorized as remotely-triggerable panics, UAFs, DoS's,
etc., but they aren't reliable. There are also a few protocol fixes in
here too, etc. It's a grab bag.

There are a number of substantial changes in this version. See the
changelog below:

Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
Changes in v2:
- dropped "NFSD: Enable return of an updated stable_how to NFS clients"
- dropped "nfsd: serialize nfsd4_end_grace() with atomic test-and-set";
  replaced with "nfsd: convert nfsd_net boolean flags to unsigned long
  flags word" which addresses the same race using test_and_set_bit.
- dropped "nfsd: drain callbacks and clear cl_cb_session"; replaced with
  "nfsd: RCU-protect cl_cb_session to fix use-after-free on session
  teardown" which uses RCU and kfree_rcu instead of synchronous draining
- "nfsd: validate symlink target length in NFSv4 CREATE": use
  NFS4_MAXPATHLEN instead of PATH_MAX for the length check
- "nfsd: cap decoded POSIX ACL count to bound sort cost": return
  nfserr_inval instead of nfserr_resource for over-limit count; return
  nfserr_jukebox instead of nfserr_resource on allocation failure; added
  comment explaining why NFS_ACL_MAX_ENTRIES is the right cap
- rework "nfsd: dedup nfs4_client_to_reclaim inserts" to use rwsem
  instead of memory barriers
- Link to v1: https://lore.kernel.org/r/20260528-nfsd-fixes-v1-0-e78708eff77d@xxxxxxxxxx

---
Chris Mason (4):
      nfsd: convert nfsd_net boolean flags to unsigned long flags word
      nfsd: gate nfs3 setacl by argp->mask
      nfsd: fix partial-write detection in nfsd_direct_write
      nfsd: cap decoded POSIX ACL count to bound sort cost

Chuck Lever (1):
      NFSD: check truncate permission under inode lock

Jeff Layton (4):
      nfsd: fix BUG_ON in nfsd4_alloc_layout_stateid on racing delegation revoke
      nfsd: RCU-protect cl_cb_session to fix use-after-free on session teardown
      nfsd: dedup nfs4_client_to_reclaim inserts
      nfsd: validate symlink target length in NFSv4 CREATE

 fs/nfsd/netns.h        |  25 ++++++++----
 fs/nfsd/nfs3acl.c      |  17 +++++---
 fs/nfsd/nfs4callback.c | 109 ++++++++++++++++++++++++++++++++++++++++---------
 fs/nfsd/nfs4layouts.c  |  14 +++++--
 fs/nfsd/nfs4proc.c     |   2 +-
 fs/nfsd/nfs4recover.c  |  48 ++++++++++++++++------
 fs/nfsd/nfs4state.c    | 103 +++++++++++++++++++++++++++++++++++-----------
 fs/nfsd/nfs4xdr.c      |  15 ++++++-
 fs/nfsd/nfsctl.c       |   2 +-
 fs/nfsd/nfssvc.c       |  22 +++++-----
 fs/nfsd/state.h        |   3 +-
 fs/nfsd/trace.h        |  14 +++----
 fs/nfsd/vfs.c          |  35 ++++++++++------
 13 files changed, 299 insertions(+), 110 deletions(-)
---
base-commit: 2d0c1f87f37de51bd96df415c7c1d498989570ac
change-id: 20260528-nfsd-fixes-89a6e5e20c9d

Best regards,
--
Jeff Layton <jlayton@xxxxxxxxxx>
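The v2 changelog replaces the nfsd4_end_grace() serialization patch with one that turns the nfsd_net booleans into an unsigned long flags word so the race can be closed with test_and_set_bit. The snippet below is an added userspace illustration of why that matters, not code from this series or from fs/nfsd: a plain "check the boolean, then set it" sequence leaves a window in which two callers both see the flag clear and both run the one-shot teardown, whereas an atomic test-and-set folds the check and the update into one step so exactly one caller proceeds. The struct, the field names, the bit index and the two-caller interleaving are constructed for the demonstration; the kernel's real nfsd_net layout and the actual end-grace body are not on this page and are not reproduced here.

```c
/* Added illustration (not from the nfsd patch series): a check-then-set
 * race on a boolean flag versus an atomic test-and-set on a flags word.
 * All names below are hypothetical stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical per-net state carrying both the old and the new representation. */
struct demo_net_state {
    bool grace_ended;      /* old style: a plain boolean, read then written */
    atomic_ulong flags;    /* new style: bitmask manipulated atomically */
};

#define DEMO_GRACE_ENDED_BIT 0UL   /* hypothetical bit index in the flags word */

/* Userspace model of the kernel's test_and_set_bit(): atomically set bit nr
 * in *word and return the bit's previous value (0 if we were first). */
static int model_test_and_set_bit(unsigned long nr, atomic_ulong *word)
{
    unsigned long mask = 1UL << nr;
    unsigned long old = atomic_fetch_or(word, mask);
    return (old & mask) != 0;
}

/* Racy pattern, with the losing interleaving written out explicitly: two
 * callers (A and B) both read grace_ended before either writes it. The
 * return value is how many times the one-shot teardown would have run. */
static int racy_end_grace_demo(void)
{
    struct demo_net_state nn = { .grace_ended = false, .flags = 0 };
    int teardown_runs = 0;

    bool a_saw_ended = nn.grace_ended;   /* caller A: reads false */
    bool b_saw_ended = nn.grace_ended;   /* caller B: also reads false, A has not written yet */

    if (!a_saw_ended) {                  /* A believes it is first */
        nn.grace_ended = true;
        teardown_runs++;
    }
    if (!b_saw_ended) {                  /* B also believes it is first: double teardown */
        nn.grace_ended = true;
        teardown_runs++;
    }
    return teardown_runs;                /* 2: the bug */
}

/* Fixed pattern: the test and the set are a single atomic operation, so the
 * second caller observes the bit already set and backs off, regardless of
 * how the two callers interleave. */
static int atomic_end_grace_demo(void)
{
    struct demo_net_state nn = { .grace_ended = false, .flags = 0 };
    int teardown_runs = 0;

    if (!model_test_and_set_bit(DEMO_GRACE_ENDED_BIT, &nn.flags))
        teardown_runs++;                 /* caller A: bit was clear, proceeds */
    if (!model_test_and_set_bit(DEMO_GRACE_ENDED_BIT, &nn.flags))
        teardown_runs++;                 /* caller B: bit already set, skipped */

    return teardown_runs;                /* 1: exactly one teardown */
}

/* Reports whether a bit is set, for callers that only need to observe state. */
static int model_test_bit(unsigned long nr, atomic_ulong *word)
{
    return (atomic_load(word) & (1UL << nr)) != 0;
}
```

The racy function spells the interleaving out sequentially so the lost update is deterministic and visible; under real scheduling the same window exists but only occasionally hits. Packing several booleans into one flags word, as the v2 patch does, also means every such one-shot transition gets the same atomic primitive rather than each field growing its own ad hoc locking.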