Merge tag 'nfsd-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux

	echo "fencing client ${CLIENT} serial ${EVPD}" >> /var/log/pnfsd-fence.log

	EOF

If the nfsd server needs to fence a non-responding client and the

fencing operation fails, the server logs a warning message in the

system log with the following format:

    FENCE failed client[IP_address] clid[#n] device[dev_name]

    where:

    - IP_address: refers to the IP address of the affected client.

    - #n: indicates the unique client identifier.

    - dev_name: specifies the name of the block device related

      to the fencing attempt.

The server will repeatedly retry the operation indefinitely. During

this time, access to the affected file is restricted for all other

clients. This is to prevent potential data corruption if multiple

clients access the same file simultaneously.

To restore access to the affected file for other clients, the admin

needs to take the following actions:

    - shutdown or power off the client being fenced.

    - manually expire the client to release all its state on the server::

        echo 'expire' > /proc/fs/nfsd/clients/clid/ctl

    where:

      - clid: is the unique client identifier displayed in the system log.

On the client make sure the kernel has the CONFIG_PNFS_BLOCK option

enabled, and the file system is mounted using the NFSv4.1 protocol

version (mount -o vers=4.1).

If the nfsd server needs to fence a non-responding client and the

fencing operation fails, the server logs a warning message in the

system log with the following format:

    FENCE failed client[IP_address] clid[#n] device[dev_name]

    where:

    - IP_address: refers to the IP address of the affected client.

    - #n: indicates the unique client identifier.

    - dev_name: specifies the name of the block device related

      to the fencing attempt.

The server will repeatedly retry the operation indefinitely. During

this time, access to the affected file is restricted for all other

clients. This is to prevent potential data corruption if multiple

clients access the same file simultaneously.

To restore access to the affected file for other clients, the admin

needs to take the following actions:

    - shutdown or power off the client being fenced.

    - manually expire the client to release all its state on the server::

        echo 'expire' > /proc/fs/nfsd/clients/clid/ctl

    where:

      - clid: is the unique client identifier displayed in the system log.

	bool (*lm_breaker_owns_lease)(struct file_lock *);

        bool (*lm_lock_expirable)(struct file_lock *);

        void (*lm_expire_lock)(void);

        bool (*lm_breaker_timedout)(struct file_lease *);

locking rules:

lm_lock_expirable	yes		no			no

lm_expire_lock		no		no			yes

lm_open_conflict	yes		no			no

lm_breaker_timedout     yes             no                      no

======================	=============	=================	=========

buffer_head

    all of an inode's dirty data on last close. Exports that behave this

    way should set EXPORT_OP_FLUSH_ON_CLOSE so that NFSD knows to skip

    waiting for writeback when closing such files.

Signed Filehandles

------------------

To protect against filehandle guessing attacks, the Linux NFS server can be

configured to sign filehandles with a Message Authentication Code (MAC).

Standard NFS filehandles are often predictable. If an attacker can guess

a valid filehandle for a file they do not have permission to access via

directory traversal, they may be able to bypass path-based permissions

(though they still remain subject to inode-level permissions).

Signed filehandles prevent this by appending a MAC to the filehandle

before it is sent to the client. Upon receiving a filehandle back from a

client, the server re-calculates the MAC using its internal key and

verifies it against the one provided. If the signatures do not match,

the server treats the filehandle as invalid (returning NFS[34]ERR_STALE).

Note that signing filehandles provides integrity and authenticity but

not confidentiality. The contents of the filehandle remain visible to

the client; they simply cannot be forged or modified.

Configuration

~~~~~~~~~~~~~

To enable signed filehandles, the administrator must provide a signing

key to the kernel and enable the "sign_fh" export option.

1. Providing a Key

   The signing key is managed via the nfsd netlink interface. This key

   is per-network-namespace and must be set before any exports using

   "sign_fh" become active.

2. Export Options

   The feature is controlled on a per-export basis in /etc/exports:

   sign_fh

     Enables signing for all filehandles generated under this export.

   no_sign_fh

     (Default) Disables signing.

Key Management and Rotation

~~~~~~~~~~~~~~~~~~~~~~~~~~~

The security of this mechanism relies entirely on the secrecy of the

signing key.

Initial Setup:

  The key should be generated using a high-quality random source and

  loaded early in the boot process or during the nfs-server startup

  sequence.

Changing Keys:

  If a key is changed while clients have active mounts, existing

  filehandles held by those clients will become invalid, resulting in

  "Stale file handle" errors on the client side.

Safe Rotation:

  Currently, there is no mechanism for "graceful" key rotation

  (maintaining multiple valid keys). Changing the key is an atomic

  operation that immediately invalidates all previous signatures.

Transitioning Exports

~~~~~~~~~~~~~~~~~~~~~

When adding or removing the "sign_fh" flag from an active export, the

following behaviors should be expected:

+-------------------+---------------------------------------------------+

| Change            | Result for Existing Clients                       |

+===================+===================================================+

| Adding sign_fh    | Clients holding unsigned filehandles will find    |

|                   | them rejected, as the server now expects a        |

|                   | signature.                                        |

+-------------------+---------------------------------------------------+

| Removing sign_fh  | Clients holding signed filehandles will find them |

|                   | rejected, as the server now expects the           |

|                   | filehandle to end at its traditional boundary     |

|                   | without a MAC.                                    |

+-------------------+---------------------------------------------------+

Because filehandles are often cached persistently by clients, adding or

removing this option should generally be done during a scheduled maintenance

window involving a NFS client unmount/remount.

      -

        name: min-threads

        type: u32

      -

        name: fh-key

        type: binary

        checks:

            exact-len: 16

  -

    name: version

    attributes:

            - leasetime

            - scope

            - min-threads

            - fh-key

    -

      name: threads-get

      doc: get the maximum number of running threads