Re: [PATCH v2 0/9] nfsd: fixes for locally-triggerable bugs

From: Chuck Lever

Date: Wed Jun 03 2026 - 16:31:12 EST


On Tue, 02 Jun 2026 12:23:12 -0400, Jeff Layton wrote:
> Just some minor changes in this version, plus a cleanup patch from Al.
>
> These are bugs that Claude classified as locally-triggerable. A couple
> can be triggered by an unprivileged user, but the rest require admin
> access.
>
> The last 3 patches fix one bug. I originally had a more targeted fix
> that kres generated, but I think it's better to simplify the filecache
> disposal mechanism to get rid of the bug rather than add more
> complexity.
>
> [...]

Applied to nfsd-testing, thanks!

[1/9] nfsd: defer vfree of compound ops to fix rpc_status UAF
commit: 45bdeda0ff0e26e43b5c84ead5a8859696df4a24
[2/9] nfsd: hold rcu across localio cmpxchg retry
commit: 3132933172044d02951470c99c8cbbe54756ae45
[3/9] nfs/localio: fix ref leak on nfs_uuid_add_file failure
(no commit info)
[4/9] nfsd: guard nfsd_serv deref in nfsd_file_net_dispose
commit: a6dfbd5e70527b91d610bd4864d9de725b06c5ba
[5/9] nfsd: widen nfsd_genl_rqstp address fields to sockaddr_storage
commit: a9a83f4a2b3d065f26efb7dd8153fecd55f10622
[6/9] nfsd: fix refcount leak in nfsd_file_lru_add on insertion failure
commit: d72ae7cbbf14e2f0bc4bc5fecc06c12180fd5b66
[7/9] nfsd: fix fcache_disposal UAF by inlining dispose state into nfsd_net
commit: fcafdda0423b27637a27594ec81b9b07ab6069e1
[9/9] nfsd: unify cleanups in nfsd_cross_mnt() exits
commit: 3275806873389963d81e9ddd17d047e7c1812f3b

--
Chuck Lever <chuck.lever@xxxxxxxxxx>