
TEST PLEASE IGNORE nfsd: release svc_expkey/svc_export with rcu_work #1287

Closed. roxanan1996 wants to merge 1 commit into ciqlts9_6 from {rnicolescu}_ciqlts9_6_CVE-2024-53216_before_revert

Conversation

@roxanan1996 (Contributor) commented:


cve CVE-2024-53216
commit-author Yang Erkun <yangerkun@huawei.com>
commit f8c989a

The last reference for `cache_head` can be reduced to zero in `c_show`
and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,
`svc_export_put` and `expkey_put` will be invoked, leading to two
issues:

1. The `svc_export_put` will directly free ex_uuid. However,
   `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can
   trigger a use-after-free issue, shown below.

   ==================================================================
   BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
   Read of size 1 at addr ff11000010fdc120 by task cat/870

   CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
   1.16.1-2.fc37 04/01/2014
   Call Trace:
    <TASK>
    dump_stack_lvl+0x53/0x70
    print_address_description.constprop.0+0x2c/0x3a0
    print_report+0xb9/0x280
    kasan_report+0xae/0xe0
    svc_export_show+0x362/0x430 [nfsd]
    c_show+0x161/0x390 [sunrpc]
    seq_read_iter+0x589/0x770
    seq_read+0x1e5/0x270
    proc_reg_read+0xe1/0x140
    vfs_read+0x125/0x530
    ksys_read+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

   Allocated by task 830:
    kasan_save_stack+0x20/0x40
    kasan_save_track+0x14/0x30
    __kasan_kmalloc+0x8f/0xa0
    __kmalloc_node_track_caller_noprof+0x1bc/0x400
    kmemdup_noprof+0x22/0x50
    svc_export_parse+0x8a9/0xb80 [nfsd]
    cache_do_downcall+0x71/0xa0 [sunrpc]
    cache_write_procfs+0x8e/0xd0 [sunrpc]
    proc_reg_write+0xe1/0x140
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

   Freed by task 868:
    kasan_save_stack+0x20/0x40
    kasan_save_track+0x14/0x30
    kasan_save_free_info+0x3b/0x60
    __kasan_slab_free+0x37/0x50
    kfree+0xf3/0x3e0
    svc_export_put+0x87/0xb0 [nfsd]
    cache_purge+0x17f/0x1f0 [sunrpc]
    nfsd_destroy_serv+0x226/0x2d0 [nfsd]
    nfsd_svc+0x125/0x1e0 [nfsd]
    write_threads+0x16a/0x2a0 [nfsd]
    nfsctl_transaction_write+0x74/0xa0 [nfsd]
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.
   However, `svc_export_put`/`expkey_put` will call path_put, which
   subsequently triggers a sleeping operation due to the following
   `dput`.

   =============================
   WARNING: suspicious RCU usage
   5.10.0-dirty #141 Not tainted
   -----------------------------
   ...
   Call Trace:
   dump_stack+0x9a/0xd0
   ___might_sleep+0x231/0x240
   dput+0x39/0x600
   path_put+0x1b/0x30
   svc_export_put+0x17/0x80
   e_show+0x1c9/0x200
   seq_read_iter+0x63f/0x7c0
   seq_read+0x226/0x2d0
   vfs_read+0x113/0x2c0
   ksys_read+0xc9/0x170
   do_syscall_64+0x33/0x40
   entry_SYSCALL_64_after_hwframe+0x67/0xd1

Fix these issues by using `rcu_work` to help release
`svc_expkey`/`svc_export`. This approach allows for an asynchronous
context to invoke `path_put` and also facilitates the freeing of
`uuid/exp/key` after an RCU grace period.

Fixes: 9ceddd9 ("knfsd: Allow lockless lookups of the exports")
	Signed-off-by: Yang Erkun <yangerkun@huawei.com>
	Reviewed-by: Jeff Layton <jlayton@kernel.org>
	Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
(cherry picked from commit f8c989a)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
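The commit message above describes two failure modes of the same code path: dropping the last reference inside rcu_read_lock()/rcu_read_unlock() both sleeps (path_put -> dput) in a non-sleepable context and frees ex_uuid before c_show/e_show is done reading it. The following is an added userspace model, written for this page and not code from the kernel or from the CIQ tree, of why deferring the release through rcu_work resolves both. All names here (export_model, export_put_sync, export_put_deferred, rcu_work_drain, show_export_fixed, show_export_buggy, the sample uuid strings) are hypothetical stand-ins; the "RCU" is a single-threaded reader counter, and might_sleep() only records whether a sleeping release ran under a read-side section.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Single-threaded model of rcu_read_lock()/unlock() and might_sleep(); hypothetical. */
static int  rcu_readers;        /* nesting depth of rcu_read_lock() */
static bool slept_under_rcu;    /* set when a sleeping release runs inside a reader */
static int  path_puts_done;     /* number of "path_put" releases executed */
static int  uuid_frees_done;    /* number of ex_uuid buffers freed */

static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; }
static void might_sleep(void)     { if (rcu_readers > 0) slept_under_rcu = true; }

struct export_model {
    int refcount;                   /* kref in the real svc_export */
    char *ex_uuid;                  /* separately allocated, freed on release */
    bool path_held;                 /* models ex_path; dropping it is the sleeping dput */
    struct export_model *rcu_next;  /* link in the deferred-release queue */
};

static struct export_model *deferred_head;  /* objects waiting for the grace period */

static struct export_model *export_alloc(const char *uuid)
{
    struct export_model *exp = calloc(1, sizeof(*exp));
    size_t len = strlen(uuid) + 1;

    exp->refcount = 1;
    exp->ex_uuid = malloc(len);
    memcpy(exp->ex_uuid, uuid, len);
    exp->path_held = true;
    return exp;
}

/* Actual teardown: path_put() (may sleep), then free uuid and object. */
static void export_release(struct export_model *exp)
{
    might_sleep();                  /* path_put -> dput */
    exp->path_held = false;
    path_puts_done++;
    free(exp->ex_uuid);
    uuid_frees_done++;
    free(exp);
}

/* Pre-fix: the last put tears the object down immediately, whatever the context. */
static void export_put_sync(struct export_model *exp)
{
    if (--exp->refcount == 0)
        export_release(exp);
}

/* Fixed: the last put only queues the object; the rcu_work callback releases it later. */
static void export_put_deferred(struct export_model *exp)
{
    if (--exp->refcount)
        return;
    exp->rcu_next = deferred_head;
    deferred_head = exp;
}

/* Models the rcu_work callback: runs only after the grace period (no active readers).
 * Returns the number of objects released, or -1 if a reader is still inside. */
static int rcu_work_drain(void)
{
    int released = 0;

    if (rcu_readers > 0)
        return -1;
    while (deferred_head) {
        struct export_model *exp = deferred_head;

        deferred_head = exp->rcu_next;
        export_release(exp);        /* sleeping is allowed in the worker */
        released++;
    }
    return released;
}

/* Models c_show()/e_show() after the fix: drop the (possibly last) reference under
 * rcu_read_lock, then read ex_uuid. Returns the first byte read after the put, which
 * is the access KASAN flagged when the release was synchronous. */
static char show_export_fixed(struct export_model *exp)
{
    char first;

    rcu_read_lock();
    export_put_deferred(exp);
    first = exp->ex_uuid[0];        /* still valid: freed only after the grace period */
    rcu_read_unlock();
    return first;
}

/* Models c_show()/e_show() before the fix. The read of ex_uuid after the put is
 * deliberately omitted because it would be a real use-after-free here too.
 * Returns whether the sleeping path_put ran under rcu_read_lock. */
static bool show_export_buggy(struct export_model *exp)
{
    slept_under_rcu = false;
    rcu_read_lock();
    export_put_sync(exp);           /* may free exp right here */
    rcu_read_unlock();
    return slept_under_rcu;
}

int main(void)
{
    struct export_model *a = export_alloc("1e9d1c8a-sample");  /* constructed sample uuid */
    struct export_model *b = export_alloc("7f3b2a10-sample");
    char c = show_export_fixed(a);
    int n = rcu_work_drain();

    printf("fixed: read '%c' after put, %d released, slept under rcu: %s\n",
           c, n, slept_under_rcu ? "yes" : "no");
    printf("buggy: slept under rcu: %s\n", show_export_buggy(b) ? "yes" : "no");
    return 0;
}
```

The model is deliberately single-threaded: it does not reproduce the real race, only the ordering invariant the fix relies on, namely that the free and the sleeping path_put both move to a worker that cannot run until every reader has left its read-side section.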
@roxanan1996 force-pushed the {rnicolescu}_ciqlts9_6_CVE-2024-53216_before_revert branch from a449f71 to aa9ba24 on June 2, 2026 10:23

github-actions Bot commented Jun 2, 2026:

🤖 Validation Checks In Progress. Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/26814051749

github-actions Bot commented Jun 2, 2026:

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit aa9ba24df19 (nfsd: release svc_expkey/svc_export with rcu_work) references upstream commit
    f8c989a0c89a which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    69d803c40ed nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" (Yang Erkun)

This is an automated message from the kernel commit checker workflow.

github-actions Bot commented Jun 2, 2026:

🔍 Interdiff Analysis

  • ⚠️ PR commit aa9ba24df19 (nfsd: release svc_expkey/svc_export with rcu_work) → upstream f8c989a0c89a
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -348,4 +348,4 @@
-					     EXP_STATS_COUNTERS_NUM);
+					    EXP_STATS_COUNTERS_NUM);
 }
 
 static void svc_export_put(struct kref *ref)
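Review bot: the only divergence from upstream f8c989a0c89a reported here is in an unchanged context line, the `EXP_STATS_COUNTERS_NUM);` continuation just above `svc_export_put` loses one leading space, so as far as this interdiff shows the backported change itself matches upstream and no code adjustment is needed. The open review point is the one raised by the upstream commit check above: f8c989a0c89a is itself the target of a later revert (69d803c40ed, "nfsd: Revert ..."), and the branch name ending in _before_revert implies a follow-up is intended. Please state in the PR description whether that revert is being backported to ciqlts9_6 in a separate PR, so the two do not land out of order.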

This is an automated interdiff check for backported commits.

github-actions Bot commented Jun 2, 2026:

Validation checks completed successfully. View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/26814051749

@roxanan1996 roxanan1996 closed this Jun 2, 2026
@ciq-kernel-automation commented:

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

nfsd: release svc_expkey/svc_export with rcu_work

cve CVE-2024-53216
commit-author Yang Erkun <yangerkun@huawei.com>
commit f8c989a0c89a75d30f899a7cabdc14d72522bb8d

Test Results

✅ Build Stage

Architecture   Build Time   Total Time
x86_64         33m 0s       33m 55s
aarch64        18m 45s      19m 28s

✅ Boot Verification

✅ Kernel Selftests

Architecture   Passed   Failed   Compared Against   Status
x86_64         206      43       ciqlts9_6          ✅ No regressions
aarch64        154      45       ciqlts9_6          ✅ No regressions

✅ LTP Results

Architecture   Passed   Failed   Compared Against   Status
x86_64         1453     82       ciqlts9_6          ✅ No regressions
aarch64        1426     83       ciqlts9_6          ✅ No regressions

x86_64 newly passing:

  • cve-2017-5754 (FAIL -> PASS)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 26813737410

@roxanan1996 roxanan1996 deleted the {rnicolescu}_ciqlts9_6_CVE-2024-53216_before_revert branch June 8, 2026 11:42