git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Chuck Lever <chuck.lever@oracle.com>
	Thu, 2 Oct 2025 14:00:51 +0000 (10:00 -0400)
committer	Chuck Lever <chuck.lever@oracle.com>
	Tue, 21 Oct 2025 15:03:50 +0000 (11:03 -0400)
commit	3e7f011c255582d7c914133785bbba1990441713
tree	cc5883406a03e3a2abef80d687e3ff73f597127a	tree \| snapshot
parent	29cdfb4950702bb849f70f7e3b58b4eeb5c1441c	commit \| diff

Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"

I've found that pynfs COMP6 now leaves the connection or lease in a
strange state, which causes CLOSE9 to hang indefinitely. I've dug
into it a little, but I haven't been able to root-cause it yet.
However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on
number of operations per NFSv4 COMPOUND").

Tianshuo Han also reports a potential vulnerability when decoding
an NFSv4 COMPOUND. An attacker can place an arbitrarily large op
count in the COMPOUND header, which results in:

[ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total
pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),
nodemask=(null),cpuset=/,mems_allowed=0

when NFSD attempts to allocate the COMPOUND op array.

Let's restore the operation-per-COMPOUND limit, but increased to 200
for now.

Reported-by: tianshuo han <hantianshuo233@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org
Tested-by: Tianshuo Han <hantianshuo233@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

fs/nfsd/nfs4proc.c		diff \| blob \| blame \| history
fs/nfsd/nfs4state.c		diff \| blob \| blame \| history
fs/nfsd/nfs4xdr.c		diff \| blob \| blame \| history
fs/nfsd/nfsd.h		diff \| blob \| blame \| history
fs/nfsd/xdr4.h		diff \| blob \| blame \| history