ACK: [SRU][F][PATCH 0/1] CVE-2024-49974

Koichiro Den koichiro.den at canonical.com
Mon Feb 17 03:19:29 UTC 2025


On Tue, Jan 28, 2025 at 11:28:43AM GMT, Massimiliano Pellizzer wrote:
> [Impact]
> 
> NFSD: Limit the number of concurrent async COPY operations
> 
> Nothing appears to limit the number of concurrent async COPY
> operations that clients can start. In addition, AFAICT each async
> COPY can copy an unlimited number of 4MB chunks, so can run for a
> long time. Thus IMO async COPY can become a DoS vector.
> 
> Add a restriction mechanism that bounds the number of concurrent
> background COPY operations. Start simple and try to be fair -- this
> patch implements a per-namespace limit.
> 
> An async COPY request that occurs while this limit is exceeded gets
> NFS4ERR_DELAY. The requesting client can choose to send the request
> again after a delay or fall back to a traditional read/write style
> copy.
> 
> [Fix]
> 
> Oracular: Fixed via upstream stable updates (LP: #2089052)
> Noble: Fixed via upstream stable updates (LP: #2089884)
> Jammy: Fixed via upstream stable updates (LP: #2095283)
> Focal: Backported from mainline
> Bionic: Not affected
> Xenial: Not affected
> Trusty: Not affected
> 
> [Test Case]
> 
> Compile and boot tested.
> Stress tested a nfs share using stress-ng.
> 
> Server side:
> $ sudo exportfs -v
> /srv/nfs/testdir
> 		<world>(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
> $ sudo dmesg | tail
> [   97.859444] RPC: Registered named UNIX socket transport module.
> [   97.859445] RPC: Registered udp transport module.
> [   97.859446] RPC: Registered tcp transport module.
> [   97.859446] RPC: Registered tcp NFSv4.1 backchannel transport module.
> [   97.871592] Installing knfsd (copyright (C) 1996 okir at monad.swb.de).
> [   99.596971] NFSD: Using UMH upcall client tracking operations.
> [   99.596973] NFSD: starting 90-second grace period (net f0000098)
> $ sudo cat /proc/fs/nfsd/versions
> -2 +3 +4 +4.1 +4.2
> 
> Client side:
> $ nfsstat -m
> /mnt/nfs from xxx.xxx.xxx.xxx:/srv/nfs/testdir
>  Flags:	rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys
> $ cd /mnt/nfs
> $ sudo stress-ng --hdd 8 --timeout 600s --metrics-brief
> stress-ng: info:  [2822] setting to a 600 second (10 mins, 0.00 secs) run per stressor
> stress-ng: info:  [2822] dispatching hogs: 8 hdd
> stress-ng: info:  [2822] successful run completed in 600.35s (10 mins, 0.35 secs)
> stress-ng: info:  [2822] stressor       bogo ops real time  usr time  sys time   bogo ops/s     bogo ops/s
> stress-ng: info:  [2822]                           (secs)    (secs)    (secs)   (real time) (usr+sys time)
> stress-ng: info:  [2822] hdd            11829248    600.33    279.89    430.13     19704.55       16660.44
> 
> [Where problems could occur]
> 
> The fix affects the NFS server subsystem, specifically the
> implementation of the asynchronous COPY operation. An issue with this
> fix may lead to instability in handling client file copy requests.
> 
> [Notes]
> 
> The backport is not straightforward, primarily due to considerations
> related to the cleanup logic of nfsd4_copy(). In Focal, the async_copy
> structure is correctly initialized only if the call to
> nfs4_init_cp_state() succeeds (see commit message of 81e722978ad210).
> Before initialization, the function exits via the out: label (freeing
> async_copy if necessary), whereas after initialization, it exits via the
> out_err: label. The key distinction between exiting via out: and exiting
> via out_err: lies in the invocation of cleanup_async_copy().
> 
> Upstream, the execution flow for cleanup has undergone significant
> changes, now almost always passing through cleanup_async_copy(). This
> function has been modified to differentiate between an initialized and
> an uninitialized async_copy structure, thanks to the changes introduced
> by commit 81e722978ad210.
> 
> The patch has been backported, considering the cleanup logic implemented
> in Focal.
> 
> It is also worth noting that upstream, the fix commit aadc3bbea163b has
> two follow-ups (63fab04cbd0f9 and 8286f8b622990). These follow-ups
> introduce fixes that are required only for the upstream cleanup logic
> and are not relevant to the logic implemented in Focal. The two
> follow-ups have not been backported.
> 
> Chuck Lever (1):
>   NFSD: Limit the number of concurrent async COPY operations
> 
>  fs/nfsd/netns.h     | 1 +
>  fs/nfsd/nfs4proc.c  | 9 +++++++++
>  fs/nfsd/nfs4state.c | 1 +
>  fs/nfsd/xdr4.h      | 1 +
>  4 files changed, 12 insertions(+)
> 

Acked-by: Koichiro Den <koichiro.den at canonical.com>
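The admission rule described in the cover letter (a per-namespace bound on in-flight async COPY operations, with NFS4ERR_DELAY returned once the bound is hit) can be modelled in user space to show why the check has to be atomic and why the bound is per namespace. The following is an added illustration, not the kernel patch or any code from the submission: the struct, function names and the fixed cap of 4 are constructed for this example, and the NFS4ERR_DELAY numeric value is the one RFC 7530 assigns.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed model of the limiter, not fs/nfsd code. */
#define NFS4_OK        0
#define NFS4ERR_DELAY  10008   /* RFC 7530: "try again later" */

/* Hypothetical per-network-namespace state; the real patch keeps its
 * counter in struct nfsd_net, this model only needs the two fields. */
struct copy_netns {
    atomic_int pending_async_copies;  /* async COPYs currently in flight */
    int        max_async_copies;      /* bound for this namespace */
};

void copy_netns_init(struct copy_netns *nn, int max)
{
    atomic_init(&nn->pending_async_copies, 0);
    nn->max_async_copies = max;
}

/* Admit one async COPY or tell the client to retry later.
 * Increment-then-check: a separate load followed by a store would let two
 * concurrent requests both observe "below the bound" and both proceed. */
int async_copy_try_admit(struct copy_netns *nn)
{
    int now = atomic_fetch_add(&nn->pending_async_copies, 1) + 1;
    if (now > nn->max_async_copies) {
        atomic_fetch_sub(&nn->pending_async_copies, 1);  /* undo reservation */
        return NFS4ERR_DELAY;
    }
    return NFS4_OK;
}

/* Called on every completion or cleanup path of an admitted COPY; a missed
 * release here would leak a slot and eventually wedge the namespace. */
void async_copy_done(struct copy_netns *nn)
{
    atomic_fetch_sub(&nn->pending_async_copies, 1);
}

/* Fire n back-to-back requests without completing any; returns how many
 * were admitted before the bound started returning NFS4ERR_DELAY. */
int simulate_burst(struct copy_netns *nn, int n)
{
    int admitted = 0;
    for (int i = 0; i < n; i++)
        if (async_copy_try_admit(nn) == NFS4_OK)
            admitted++;
    return admitted;
}

int main(void)
{
    struct copy_netns a, b;
    copy_netns_init(&a, 4);
    copy_netns_init(&b, 4);

    printf("ns A: %d of 10 admitted\n", simulate_burst(&a, 10));
    printf("ns A next request: %s\n",
           async_copy_try_admit(&a) == NFS4ERR_DELAY ? "NFS4ERR_DELAY" : "OK");
    /* The bound is per namespace: B is untouched by A's burst. */
    printf("ns B next request: %s\n",
           async_copy_try_admit(&b) == NFS4_OK ? "OK" : "NFS4ERR_DELAY");
    async_copy_done(&a);
    printf("ns A after one completion: %s\n",
           async_copy_try_admit(&a) == NFS4_OK ? "OK" : "NFS4ERR_DELAY");
    return 0;
}
```

The two points the model makes: the reservation is taken before the comparison so the bound cannot be overshot under concurrency, and every exit path of an admitted copy must release its slot, which is exactly the cleanup-path concern the [Notes] section raises for the Focal backport.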


