Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=docs-fixes 2026-04-13T21:04:16+00:00 2026-04-13T21:04:16+00:00 Jenny Guanni Qu qguanni@gmail.com 2026-03-13T22:42:07+00:00 urn:sha1:94545ffc0ae8ae6ab6590e9d7fed4da8123060cb nfs4_ff_alloc_deviceid_node() reads version_count from XDR without checking it is non-zero. When a malicious NFS server sends a pNFS LAYOUTGET response with version_count=0, kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10). The subsequent ds_versions[0] access in nfs4_ff_layout_ds_version() and other callers dereferences this invalid pointer, causing an out-of-bounds read. Add a check for version_count == 0 after parsing it from XDR, before the allocation. The OOB read was confirmed with KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] from accessing ZERO_SIZE_PTR. Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com> Reported-by: Dawid Moczadło <dawid@vidocsecurity.com> Tested-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2026-01-05T04:03:25+00:00 Zilin Guan zilin@seu.edu.cn 2025-12-25T07:41:03+00:00 urn:sha1:0c728083654f0066f5e10a1d2b0bd0907af19a58 In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> 2025-09-26T19:35:02+00:00 Jonathan Curley jcurley@purestorage.com 2025-09-24T16:20:45+00:00 urn:sha1:a1491919c8805b3874f76fd273ae224ec9768aec Updates common helper functions to be dss_id aware. Most cases simply add a dss_id parameter. The has_available functions have been updated with a loop. Signed-off-by: Jonathan Curley <jcurley@purestorage.com> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com> 2025-09-26T19:32:24+00:00 Jonathan Curley jcurley@purestorage.com 2025-09-24T16:20:44+00:00 urn:sha1:d442670c0f63c46b7f348f68fb2002af597708f2 Adds a new struct nfs4_ff_layout_ds_stripe that represents a data server stripe within a layout. A new dynamically allocated array of this type has been added to nfs4_ff_layout_mirror and per stripe configuration information has been moved from the mirror type to the stripe based on the RFC. Signed-off-by: Jonathan Curley <jcurley@purestorage.com> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com> 2025-09-23T17:29:50+00:00 Anna Schumaker anna.schumaker@oracle.com 2025-06-30T17:42:51+00:00 urn:sha1:4b7c3b4c673d40e4b98cdaf642495929f43787e6 Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com> 2025-07-22T12:10:17+00:00 Tigran Mkrtchyan tigran.mkrtchyan@desy.de 2025-06-27T07:17:51+00:00 urn:sha1:f06bedfa62d57f7b67d44aacd6badad2e13a803f When an applications get killed (SIGTERM/SIGINT) while pNFS client performs a connection to DS, client ends in an infinite loop of connect-disconnect. This source of the issue, it that flexfilelayoutdev#nfs4_ff_layout_prepare_ds gets an error on nfs4_pnfs_ds_connect with status ERESTARTSYS, which is set by rpc_signal_task, but the error is treated as transient, thus retried. The issue is reproducible with Ctrl+C the following script(there should be ~1000 files in a directory, client should must not have any connections to DSes): ``` echo 3 > /proc/sys/vm/drop_caches for i in * do head -1 $i done ``` The change aims to propagate the nfs4_ff_layout_prepare_ds error state to the caller that can decide whatever this is a retryable error or not. Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de> Link: https://lore.kernel.org/r/20250627071751.189663-1-tigran.mkrtchyan@desy.de Fixes: 260f32adb88d ("pNFS/flexfiles: Check the result of nfs4_pnfs_ds_connect") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> 2025-05-28T21:17:13+00:00 Mike Snitzer snitzer@kernel.org 2025-05-13T16:08:31+00:00 urn:sha1:1ff4716f420b5a6e6ef095b23bb5db76f46be7fc It was reported that NFS client mounts of AWS Elastic File System (EFS) volumes is slow, this is because the AWS firewall disallows LOCALIO (because it doesn't consider the use of NFS_LOCALIO_PROGRAM valid), see: https://bugzilla.redhat.com/show_bug.cgi?id=2335129 Switch to performing the LOCALIO probe asynchronously to address the potential for the NFS LOCALIO protocol being disallowed and/or slowed by the remote server's response. While at it, fix nfs_local_probe_async() to always take/put a reference on the nfs_client that is using the LOCALIO protocol. Also, unexport the nfs_local_probe() symbol and make it private to fs/nfs/localio.c This change has the side-effect of initially issuing reads, writes and commits over the wire via SUNRPC until the LOCALIO probe completes. Suggested-by: Jeff Layton <jlayton@kernel.org> # to always probe async Fixes: 76d4cb6345da ("nfs: probe for LOCALIO when v4 client reconnects to server") Cc: stable@vger.kernel.org # 6.14+ Signed-off-by: Mike Snitzer <snitzer@kernel.org> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com> 2025-04-28T03:25:44+00:00 Jeff Layton jlayton@kernel.org 2025-04-10T20:42:03+00:00 urn:sha1:6b9785dc8b13d9fb75ceec8cf4ea7ec3f3b1edbc Currently, different NFS clients can share the same DS connections, even when they are in different net namespaces. If a containerized client creates a DS connection, another container can find and use it. When the first client exits, the connection will close which can lead to stalls in other clients. Add a net namespace pointer to struct nfs4_pnfs_ds, and compare those value to the caller's netns in _data_server_lookup_locked() when searching for a nfs4_pnfs_ds to match. Reported-by: Omar Sandoval <osandov@osandov.com> Reported-by: Sargun Dillon <sargun@sargun.me> Closes: https://lore.kernel.org/linux-nfs/Z_ArpQC_vREh_hEA@telecaster/ Tested-by: Sargun Dillon <sargun@sargun.me> Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Benjamin Coddington <bcodding@redhat.com> Link: https://lore.kernel.org/r/20250410-nfs-ds-netns-v2-1-f80b7979ba80@kernel.org Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> 2024-09-23T19:03:30+00:00 Trond Myklebust trond.myklebust@hammerspace.com 2024-09-05T19:09:55+00:00 urn:sha1:d488b9d01fbc2ff5ccf15bcd47422eb156726c0d If the DS is local to this client use localio to write the data. Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Mike Snitzer <snitzer@kernel.org> Reviewed-by: NeilBrown <neilb@suse.de> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>