linux/fs
NeilBrown 1cff14b7fc nfsd: ensure SEQUENCE replay sends a valid reply.
nfsd4_enc_sequence_replay() uses nfsd4_encode_operation() to encode a
new SEQUENCE reply when replaying a request from the slot cache - only
ops after the SEQUENCE are replayed from the cache in ->sl_data.

However it does this in nfsd4_replay_cache_entry() which is called
*before* nfsd4_sequence() has filled in reply fields.

This means that in the replayed SEQUENCE reply:
 maxslots will be whatever the client sent
 target_maxslots will be -1 (assuming init to zero, and
      nfsd4_encode_sequence() subtracts 1)
 status_flags will be zero

The incorrect maxslots value, in particular, can cause the client to
think the slot table has been reduced in size so it can discard its
knowledge of current sequence number of the later slots, though the
server has not discarded those slots.  When the client later wants to
use a later slot, it can get NFS4ERR_SEQ_MISORDERED from the server.

This patch moves the setup of the reply into a new helper function and
calls it *before* nfsd4_replay_cache_entry() is called.  Only one of the
updated fields was used after this point - maxslots.  So the
nfsd4_sequence struct has been extended to have separate maxslots for
the request and the response.

Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Closes: https://lore.kernel.org/linux-nfs/20251010194449.10281-1-okorniev@redhat.com/
Tested-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: NeilBrown <neil@brown.name>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2025-11-10 09:31:52 -05:00
..
9p vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
adfs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
affs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
afs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
autofs
bcachefs vfs-6.17-rc1.fileattr 2025-07-28 15:24:14 -07:00
befs
bfs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
btrfs for-6.17-rc6-tag 2025-09-20 21:41:26 -07:00
cachefiles
ceph ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error 2025-09-09 12:57:03 +02:00
coda vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
configfs
cramfs
crypto
debugfs debugfs: fix mount options not being applied 2025-08-17 12:22:25 +02:00
devpts
dlm
ecryptfs vfs-6.17-rc1.fileattr 2025-07-28 15:24:14 -07:00
efivarfs efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare 2025-08-28 08:39:49 +02:00
efs
erofs erofs: fix long xattr name prefix placement 2025-09-12 03:37:07 +08:00
exfat exfat: add cluster chain loop check for dir 2025-08-01 08:34:23 +09:00
exportfs
ext2 2025-07-28 16:16:09 -07:00
ext4 Ext4 bug fixes and cleanups for 6.17-rc3, including most notably: 2025-08-18 09:01:00 -07:00
f2fs f2fs-for-6.17-rc1 2025-08-04 16:27:21 -07:00
fat Significant patch series in this pull request: 2025-08-03 16:23:09 -07:00
freevxfs
fuse fuse: virtio_fs: fix page fault for DAX page address 2025-09-05 15:56:30 +02:00
gfs2 vfs-6.17-rc1.iomap 2025-07-28 16:09:03 -07:00
hfs hfs/hfsplus updates for v6.17 2025-07-28 16:17:44 -07:00
hfsplus hfs/hfsplus updates for v6.17 2025-07-28 16:17:44 -07:00
hostfs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
hpfs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
hugetlbfs Summary of significant series in this pull request: 2025-07-31 14:57:54 -07:00
iomap iomap: Fix broken data integrity guarantees for O_SYNC writes 2025-08-11 14:51:49 +02:00
isofs
jbd2 jbd2: prevent softlockup in jbd2_log_do_checkpoint() 2025-08-13 14:24:14 -04:00
jffs2 vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
jfs Fixes and cleanups for JFS filesystem 2025-07-31 10:27:11 -07:00
kernfs kernfs: Fix UAF in polling when open file is released 2025-09-06 20:11:27 +02:00
lockd SUNRPC: Move the svc_rpcb_cleanup() call sites 2025-09-21 19:24:50 -04:00
minix vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
netfs netfs: Fix unbuffered write error handling 2025-08-15 15:56:49 +02:00
nfs SUNRPC: Move the svc_rpcb_cleanup() call sites 2025-09-21 19:24:50 -04:00
nfs_common NFS/localio: nfs_uuid_put() fix the wake up after unlinking the file 2025-08-05 16:45:40 -07:00
nfsd nfsd: ensure SEQUENCE replay sends a valid reply. 2025-11-10 09:31:52 -05:00
nilfs2 nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* 2025-09-13 13:05:38 -07:00
nls
notify 2025-07-31 10:31:00 -07:00
ntfs3 vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
ocfs2 ocfs2: fix recursive semaphore deadlock in fiemap call 2025-09-08 23:45:11 -07:00
omfs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
openpromfs
orangefs orangefs: fixes for string handling in debugfs and sysfs 2025-07-31 10:22:48 -07:00
overlayfs ovl: fix possible double unlink 2025-08-18 13:16:49 +02:00
proc proc: fix type confusion in pde_set_flags() 2025-09-08 23:45:12 -07:00
pstore
qnx4
qnx6
quota
ramfs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
resctrl fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters 2025-09-09 12:43:36 +02:00
romfs
smb six smb3.1.1 client fixes, all for stable 2025-09-19 16:11:30 -07:00
squashfs squashfs: fix memory leak in squashfs_fill_super 2025-08-19 16:35:53 -07:00
sysfs
tests
tracefs
ubifs This pull request contains the following changes for UBI and UBIFS: 2025-07-31 10:08:44 -07:00
udf 2025-07-28 16:16:09 -07:00
ufs vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
unicode
vboxsf vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
verity
xfs xfs: do not propagate ENODATA disk errors into xattr code 2025-08-26 11:00:33 +02:00
zonefs zonefs changes for 6.17-rc1 2025-07-28 17:06:51 -07:00
Kconfig
Kconfig.binfmt
Makefile
aio.c
anon_inodes.c module: Rename EXPORT_SYMBOL_GPL_FOR_MODULES to EXPORT_SYMBOL_FOR_MODULES 2025-08-11 16:16:36 +02:00
attr.c vfs: add ATTR_CTIME_SET flag 2025-09-21 19:24:50 -04:00
backing-file.c vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
bad_inode.c
binfmt_elf.c execve updates for v6.17 2025-07-28 17:11:40 -07:00
binfmt_elf_fdpic.c execve updates for v6.17 2025-07-28 17:11:40 -07:00
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
bpf_fs_kfuncs.c
buffer.c fs/buffer: fix use-after-free when call bh_read() helper 2025-08-19 13:51:28 +02:00
char_dev.c
compat_binfmt_elf.c
coredump.c coredump: don't pointlessly check and spew warnings 2025-08-21 13:54:40 +02:00
d_path.c
dax.c fs/dax: Reject IOCB_ATOMIC in dax_iomap_rw() 2025-08-11 14:03:38 +02:00
dcache.c
direct-io.c Summary of significant series in this pull request: 2025-07-31 14:57:54 -07:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c coredump: don't pointlessly check and spew warnings 2025-08-21 13:54:40 +02:00
fcntl.c
fhandle.c fhandle: use more consistent rules for decoding file handle from userns 2025-08-29 09:48:31 +02:00
file.c
file_attr.c
file_table.c 2025-07-31 10:31:00 -07:00
filesystems.c
fs-writeback.c fs: writeback: fix use-after-free in __mark_inode_dirty() 2025-08-11 14:51:45 +02:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c
internal.h vfs-6.17-rc1.pidfs 2025-07-28 14:10:15 -07:00
ioctl.c
kernel_read_file.c
libfs.c vfs-6.17-rc1.pidfs 2025-07-28 14:10:15 -07:00
locks.c
mbcache.c
mnt_idmapping.c
mount.h
mpage.c
namei.c vfs-6.17-rc1.pidfs 2025-07-28 14:10:15 -07:00
namespace.c fs: fix indentation style 2025-08-21 10:27:05 +02:00
nsfs.c
open.c 2025-07-31 10:31:00 -07:00
pidfs.c pidfs: Fix memory leak in pidfd_info() 2025-08-15 16:10:46 +02:00
pipe.c
pnode.c change_mnt_propagation(): calculate propagation source only if we'll need it 2025-08-19 12:05:59 -04:00
pnode.h
posix_acl.c
proc_namespace.c
read_write.c vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
readdir.c
remap_range.c
select.c
seq_file.c
signalfd.c
splice.c netfs: Fix unbuffered write error handling 2025-08-15 15:56:49 +02:00
stack.c
stat.c
statfs.c
super.c vfs-6.17-rc1.super 2025-07-28 15:50:15 -07:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c
utimes.c
xattr.c