[PATCH 0/8] nfsd: fixes for locally-triggerable bugs
From: Jeff Layton
Date: Mon Jun 01 2026 - 13:31:56 EST

These are bugs that Claude classified as locally-triggerable. A couple
can be triggered by an unprivileged user, but the rest require admin
access.

The last 3 patches fix one bug. I originally had a more targeted fix
that kres generated, but I think it's better to simplify the filecache
disposal mechanism to get rid of the bug rather than add more
complexity.

Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
Chris Mason (3):
      nfsd: hold rcu across localio cmpxchg retry
      nfs/localio: fix ref leak on nfs_uuid_add_file failure
      nfsd: guard nfsd_serv deref in nfsd_file_net_dispose

Jeff Layton (5):
      nfsd: defer vfree of compound ops to fix rpc_status UAF
      nfsd: widen nfsd_genl_rqstp address fields to sockaddr_storage
      nfsd: fix refcount leak in nfsd_file_lru_add on insertion failure
      nfsd: fix fcache_disposal UAF by inlining dispose state into nfsd_net
      nfsd: hold net namespace reference in nfsd_file

 fs/nfs_common/nfslocalio.c |  14 +++++-
 fs/nfsd/filecache.c        | 120 +++++++++++++++++----------------------------
 fs/nfsd/filecache.h        |   2 +-
 fs/nfsd/localio.c          |  12 +++--
 fs/nfsd/netns.h            |   3 +-
 fs/nfsd/nfs4xdr.c          |   2 +-
 fs/nfsd/nfsctl.c           |  12 ++---
 include/linux/nfslocalio.h |   9 +---
 8 files changed, 80 insertions(+), 94 deletions(-)
---
base-commit: d7203affbe85baad683cef946f661c5541966d97
change-id: 20260601-nfsd-testing-e3509d5e035e
Best regards,
--
Jeff Layton <jlayton@xxxxxxxxxx>