kernel/linux.git/fs/nfsd/trace.h, branch linux-7.1.y

NFSD: Report whether fh_key was actually updated

2026-05-21T21:08:47+00:00

The nfsd_ctl_fh_key_set tracepoint was introduced to capture operator activity on the filehandle signing key. Earlier revisions logged the key bytes verbatim; the version that landed hashes the 16 key bytes through crc32_le and stores the result. CRC32 is a linear projection of its input rather than a one-way function, and truncating any hash of fixed-size secret material leaves the key recoverable under offline brute force when the threat model includes an attacker with access to the trace ring. The operational question the fingerprint was meant to answer is whether a NFSD_CMD_THREADS_SET call that carries an NFSD_A_SERVER_FH_KEY attribute actually replaced the active key or re-installed the value already in place. Answer that question directly: compare the incoming key bytes against the current nn->fh_key inside nfsd_nl_fh_key_set() and surface a single bit to the tracepoint. The event now prints "updated" when the stored key changed and "unmodified" otherwise. A first set that fails kmalloc reports "unmodified" because no key was installed. Reported-by: jaeyeong Fixes: 62346217fd72 ("NFSD: Add a key for signing filehandles") Cc: Benjamin Coddington Reviewed-by: Benjamin Coddington Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever

NFSD: Sign filehandles

2026-03-30T01:25:09+00:00

NFS clients may bypass restrictive directory permissions by using open_by_handle() (or other available OS system call) to guess the filehandles for files below that directory. In order to harden knfsd servers against this attack, create a method to sign and verify filehandles using SipHash-2-4 as a MAC (Message Authentication Code). According to https://cr.yp.to/siphash/siphash-20120918.pdf, SipHash can be used as a MAC, and our use of SipHash-2-4 provides a low 1 in 2^64 chance of forgery. Filehandles that have been signed cannot be tampered with, nor can clients reasonably guess correct filehandles and hashes that may exist in parts of the filesystem they cannot access due to directory permissions. Append the 8 byte SipHash to encoded filehandles for exports that have set the "sign_fh" export option. Filehandles received from clients are verified by comparing the appended hash to the expected hash. If the MAC does not match the server responds with NFS error _STALE. If unsigned filehandles are received for an export with "sign_fh" they are rejected with NFS error _STALE. Signed-off-by: Benjamin Coddington Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever

NFSD: Add a key for signing filehandles

2026-03-30T01:25:09+00:00

A future patch will enable NFSD to sign filehandles by appending a Message Authentication Code(MAC). To do this, NFSD requires a secret 128-bit key that can persist across reboots. A persisted key allows the server to accept filehandles after a restart. Enable NFSD to be configured with this key via the netlink interface. Link: https://lore.kernel.org/linux-nfs/cover.1772022373.git.bcodding@hammerspace.com Signed-off-by: Benjamin Coddington Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever

nfsd: add controls to set the minimum number of threads per pool

2026-01-28T15:15:42+00:00

Add a new "min_threads" variable to the nfsd_net, along with the corresponding netlink interface, to set that value from userland. Pass that value to svc_set_pool_threads() and svc_set_num_threads(). Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever

nfsd: adjust number of running nfsd threads based on activity

2026-01-28T15:15:42+00:00

nfsd() is changed to pass a timeout to svc_recv() when there is a min number of threads set, and to handle error returns from it: In the case of -ETIMEDOUT, if the service mutex can be taken (via trylock), the thread becomes an RQ_VICTIM so that it will exit, providing that the actual number of threads is above pool->sp_nrthrmin. In the case of -EBUSY, if the actual number of threads is below pool->sp_nrthrmax, it will attempt to start a new thread. This attempt is gated on a new SP_TASK_STARTING pool flag that serializes thread creation attempts within a pool, and further by mutex_trylock(). Neil says: "I think we want memory pressure to be able to push a thread into returning -ETIMEDOUT. That can come later." Signed-off-by: NeilBrown Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever

NFSD: Implement NFSD_IO_DIRECT for NFS WRITE

2025-12-01T14:57:10+00:00

When NFSD_IO_DIRECT is selected via the /sys/kernel/debug/nfsd/io_cache_write experimental tunable, split incoming unaligned NFS WRITE requests into a prefix, middle and suffix segment, as needed. The middle segment is now DIO-aligned and the prefix and/or suffix are unaligned. Synchronous buffered IO is used for the unaligned segments, and IOCB_DIRECT is used for the middle DIO-aligned extent. Although IOCB_DIRECT avoids the use of the page cache, by itself it doesn't guarantee data durability. For UNSTABLE WRITE requests, durability is obtained by a subsequent NFS COMMIT request. Signed-off-by: Mike Snitzer Co-developed-by: Chuck Lever Reviewed-by: Christoph Hellwig Signed-off-by: Chuck Lever

NFSD: Add trace point for SCSI fencing operation.

2025-11-25T14:09:42+00:00

Add trace point to print client IP address, net namespace number, device name and status of SCSI pr_preempt command. Signed-off-by: Dai Ngo Signed-off-by: Chuck Lever

NFSD: Implement NFSD_IO_DIRECT for NFS READ

2025-11-16T23:20:11+00:00

Add an experimental option that forces NFS READ operations to use direct I/O instead of reading through the NFS server's page cache. There is already at least one other layer of read caching: the page cache on NFS clients. The server's page cache, in many cases, is unlikely to provide additional benefit. Some benchmarks have demonstrated that the server's page cache is actively detrimental for workloads whose working set is larger than the server's available physical memory. For instance, on small NFS servers, cached NFS file content can squeeze out local memory consumers. For large sequential workloads, an enormous amount of data flows into and out of the page cache and is consumed by NFS clients exactly once -- caching that data is expensive to do and totally valueless. For now this is a hidden option that can be enabled on test systems for benchmarking. In the longer term, this option might be enabled persistently or per-export. When the exported file system does not support direct I/O, NFSD falls back to using either DONTCACHE or buffered I/O to fulfill NFS READ requests. Suggested-by: Mike Snitzer Reviewed-by: Mike Snitzer Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever

NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support

2025-09-30T20:10:05+00:00

Use STATX_DIOALIGN and STATX_DIO_READ_ALIGN to get DIO alignment attributes from the underlying filesystem and store them in the associated nfsd_file. This is done when the nfsd_file is first opened for each regular file. Signed-off-by: Mike Snitzer Reviewed-by: Jeff Layton Reviewed-by: NeilBrown Signed-off-by: Chuck Lever Acked-by: Chuck Lever Signed-off-by: Anna Schumaker

NFSD: Remove definition for trace_nfsd_ctl_maxconn

2025-07-14T16:46:43+00:00

trace_nfsd_ctl_maxconn() was removed by commit a4b853f183a1 ("sunrpc: remove all connection limit configuration") but did not remove the event. Reported-by: Steven Rostedt Closes: https://lore.kernel.org/linux-nfs/5ccae2f9-1560-4ac5-b506-b235ed4e4f4f@oracle.com/T/#t Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever