From patchwork Wed Oct 30 03:50:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Ruffell X-Patchwork-Id: 1186480 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 472vcL1yNkz9sPf; Wed, 30 Oct 2019 14:50:26 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iPf00-0001I6-T7; Wed, 30 Oct 2019 03:50:20 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iPezy-0001HG-D9 for kernel-team@lists.ubuntu.com; Wed, 30 Oct 2019 03:50:18 +0000 Received: from mail-pg1-f200.google.com ([209.85.215.200]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iPezy-0001RP-3K for kernel-team@lists.ubuntu.com; Wed, 30 Oct 2019 03:50:18 +0000 Received: by mail-pg1-f200.google.com with SMTP id m20so630703pgv.6 for ; Tue, 29 Oct 2019 20:50:18 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=0SyUs0SfCRzDzi4WH/rOSJum/drW3w1ralzipJXoesU=; 
b=BZDiYZ4/SuGwJqvNNWULuCU+moJee/s0IvBTs/V41X06oHMCVE6OCicIe6CVEBeYQq WgB9JVEdt/nNeIKSo23qkhy+5QYIP9UbO9ZBMzE8eor6zjhYmeN9y1gdvW3kyTWMr0mj GoygWbtCzUwXuYmLFWBoIDnRFON/6kl6yMFrxbsHuy9fZ6qM1n7g4RDY1GlIR/xyRMKH zyKx07x/tqk95lQxj8s7vPqMMhdZLpgZqktoHGtATYdk+KLPh25XiDa1qy5rq08F1jXm JztWsdnGHdUot2lT/L0aox1Vu0vhKdY2haCsVaHOHfMIOg88WW1J9Xzn5oLehiDG5DSO ZDwA== X-Gm-Message-State: APjAAAV8pJdbg1X4wQK8Cw2flds2loGPVLq9vQbXmDM1WytHiBqbZOz4 ueAt50XCtySIHTBSkFhUD3R4GzkxeAWNE5tc3f71aVvx4f3paQxlIdxNk8FxyGAT5g7gPScDVfH 2wnu02Tgy9S0XVEldSSOLCrFTL/On8wxhfYKZsH88gQ== X-Received: by 2002:a63:a055:: with SMTP id u21mr32204671pgn.0.1572407416385; Tue, 29 Oct 2019 20:50:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqxmf6g787T8LDTnvrf6/i3HjCgWAVCTPmVus4Y/e7/7t9I3YmcozRw8GTBDuWeWImuzvc8zmA== X-Received: by 2002:a63:a055:: with SMTP id u21mr32204647pgn.0.1572407416087; Tue, 29 Oct 2019 20:50:16 -0700 (PDT) Received: from localhost.localdomain (222-154-99-146-fibre.sparkbb.co.nz. [222.154.99.146]) by smtp.gmail.com with ESMTPSA id w2sm504855pjt.1.2019.10.29.20.50.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Oct 2019 20:50:15 -0700 (PDT) From: Matthew Ruffell To: kernel-team@lists.ubuntu.com Subject: [SRU][Disco][PATCH 1/2] SUNRPC: Clean up Date: Wed, 30 Oct 2019 16:50:05 +1300 Message-Id: <20191030035006.31696-2-matthew.ruffell@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191030035006.31696-1-matthew.ruffell@canonical.com> References: <20191030035006.31696-1-matthew.ruffell@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Trond Myklebust BugLink: https://bugs.launchpad.net/bugs/1842037 Replace remaining callers of call_timeout() with rpc_check_timeout(). 
Signed-off-by: Trond Myklebust (backported from commit cea57789e4081870ac3498fbefabbbd0d0fd8434) [mruffell: changed comment and minor context adjustment] Signed-off-by: Matthew Ruffell --- net/sunrpc/clnt.c | 52 ++++++++++++++++------------------------------- 1 file changed, 17 insertions(+), 35 deletions(-) diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index 0f3ee58aeaf1..f9568b0dc63e 100644 --- a/net/sunrpc/clnt.c +++ b/net/sunrpc/clnt.c @@ -70,7 +70,6 @@ static void call_status(struct rpc_task *task); static void call_transmit_status(struct rpc_task *task); static void call_refresh(struct rpc_task *task); static void call_refreshresult(struct rpc_task *task); -static void call_timeout(struct rpc_task *task); static void call_connect(struct rpc_task *task); static void call_connect_status(struct rpc_task *task); @@ -1887,7 +1886,8 @@ call_bind_status(struct rpc_task *task) retry_timeout: task->tk_status = 0; - task->tk_action = call_timeout; + task->tk_action = call_encode; + rpc_check_timeout(task); } /* @@ -2176,10 +2176,8 @@ call_status(struct rpc_task *task) case -EHOSTUNREACH: case -ENETUNREACH: case -EPERM: - if (RPC_IS_SOFTCONN(task)) { - rpc_exit(task, status); - break; - } + if (RPC_IS_SOFTCONN(task)) + goto out_exit; /* * Delay any retries for 3 seconds, then handle as if it * were a timeout. @@ -2187,7 +2185,6 @@ call_status(struct rpc_task *task) rpc_delay(task, 3*HZ); /* fall through */ case -ETIMEDOUT: - task->tk_action = call_timeout; break; case -ECONNREFUSED: case -ECONNRESET: 
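Review bot: the change from `rpc_exit(task, status); break;` to `goto out_exit;` in the RPC_IS_SOFTCONN branch of call_status() is load-bearing, not cosmetic: once the retry tail (`task->tk_action = call_encode; rpc_check_timeout(task);`) sits after the switch, a plain `break` following rpc_exit() would re-arm call_encode on a task that has just been exited. When finishing the backport, check the rest of this switch for any remaining `rpc_exit(...); break;` pair, since every exit path must now leave via out_exit.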
@@ -2200,18 +2197,21 @@ call_status(struct rpc_task *task) /* fall through */ case -EPIPE: case -EAGAIN: - task->tk_action = call_timeout; break; case -EIO: /* shutdown or soft timeout */ - rpc_exit(task, status); - break; + goto out_exit; default: if (clnt->cl_chatty) printk("%s: RPC call returned error %d\n", clnt->cl_program->name, -status); - rpc_exit(task, status); + goto out_exit; } + task->tk_action = call_encode; + rpc_check_timeout(task); + return; +out_exit: + rpc_exit(task, status); } static void @@ -2258,19 +2258,6 @@ rpc_check_timeout(struct rpc_task *task) rpcauth_invalcred(task); } -/* - * 6a. Handle RPC timeout - * We do not release the request slot, so we keep using the - * same XID for all retransmits. - */ -static void -call_timeout(struct rpc_task *task) -{ - task->tk_action = call_encode; - task->tk_status = 0; - rpc_check_timeout(task); -} - /* * 7. Decode the RPC reply */ @@ -2309,16 +2296,8 @@ call_decode(struct rpc_task *task) WARN_ON(memcmp(&req->rq_rcv_buf, &req->rq_private_buf, sizeof(req->rq_rcv_buf)) != 0); - if (req->rq_rcv_buf.len < 12) { - if (!RPC_IS_SOFT(task)) { - task->tk_action = call_encode; - goto out_retry; - } - dprintk("RPC: %s: too small RPC reply size (%d bytes)\n", - clnt->cl_program->name, task->tk_status); - task->tk_action = call_timeout; + if (req->rq_rcv_buf.len < 12) goto out_retry; - } p = rpc_verify_header(task); if (IS_ERR(p)) { 
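Review bot: the new common tail of call_status() (`task->tk_action = call_encode; rpc_check_timeout(task); return;`) does not clear task->tk_status, whereas the removed call_timeout() did (`task->tk_status = 0;`) and the call_bind_status() retry_timeout path in this same patch keeps an explicit reset. If call_status() does not already zero tk_status before entering its switch, the retried call_encode would start with a stale error status; the surrounding code that would settle this is not shown in the hunk, so it is worth confirming.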
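Review bot: collapsing the `req->rq_rcv_buf.len < 12` handling to an unconditional `goto out_retry` drops the `dprintk("RPC: %s: too small RPC reply size (%d bytes)\n", ...)` that was the only diagnostic for a truncated reply. The retry behaviour is preserved, because out_retry now performs the rpc_check_timeout() that call_timeout() used to do for soft tasks, but consider keeping the dprintk (or a trace point) ahead of the goto so a server that keeps sending short replies remains visible in the logs.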
@@ -2339,11 +2318,14 @@ call_decode(struct rpc_task *task) /* Note: rpc_verify_header() may have freed the RPC slot */ if (task->tk_rqstp == req) { xdr_free_bvec(&req->rq_rcv_buf); - req->rq_reply_bytes_recvd = req->rq_rcv_buf.len = 0; + req->rq_reply_bytes_recvd = 0; + req->rq_rcv_buf.len = 0; if (task->tk_client->cl_discrtry) xprt_conditional_disconnect(req->rq_xprt, - req->rq_connect_cookie); + req->rq_connect_cookie); } + task->tk_action = call_encode; + rpc_check_timeout(task); } static __be32 * From patchwork Wed Oct 30 03:50:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Ruffell X-Patchwork-Id: 1186482 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 472vcM5ty2z9sQm; Wed, 30 Oct 2019 14:50:27 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iPf04-0001It-27; Wed, 30 Oct 2019 03:50:24 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iPf00-0001I0-Cf for kernel-team@lists.ubuntu.com; Wed, 30 Oct 2019 03:50:20 +0000 Received: from mail-pf1-f200.google.com ([209.85.210.200]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 
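Review bot: in the out_retry tail of call_decode(), rpc_check_timeout(task) is called unconditionally after the `if (task->tk_rqstp == req)` block, whose own comment says rpc_verify_header() may have freed the RPC slot. rpc_check_timeout() needs task->tk_rqstp to decide on a soft timeout (see the commit message of 2/2 in this series), so on the credential-rejected retry path it runs against a slot that has already been released. Either guard the timeout check with the same `task->tk_rqstp == req` test or move the release to after rpc_check_timeout(), as 2/2 does; applying 1/2 on its own leaves the kernel exposed to that Oops.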
4.86_2) (envelope-from ) id 1iPf00-0001Rf-2m for kernel-team@lists.ubuntu.com; Wed, 30 Oct 2019 03:50:20 +0000 Received: by mail-pf1-f200.google.com with SMTP id 20so652000pfp.19 for ; Tue, 29 Oct 2019 20:50:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=OJFgo6RNe3/iVqRuA9e8CxRmC/kxSMv7yCgXGE4k3rY=; b=iDowJ3O7qcrk+tcePGSvnQvmx7WknfqOKl1aQ/6hEOfSLCK4FNC0Gc8+KUXQ3CPo6Y ltj5EnyqMg9wZBpyEDdSFZuhZEdkzXQrb89cszbAti/auGEUyRUAaV+lrBnChmD9j8i+ XW3yBgLzbNHPTFXg0ZuKaQXstzRbM5TtDTR6hng0IBq+vBUzkL0tD3a4xWDC1oTilDiz VrpUtMHbeU5HcEtz8677fh7R02ORMg6WyTAEN74bOZHTC8u1GZ7nNC7ijCiCMTuP1RVS EEgAAoeK2EAsMh2oD0iGFSRyi1oo/51KnO5hCWaxxrvqC/f/GyXJXQGb/4IF5RD7ixYD BvoQ== X-Gm-Message-State: APjAAAUdv/XVWc/QC5jAUUmAgtPx1WLyFYwWXHt/o8MQoOhdI3nPIVXP 8mqLQG0FPgKvapJAdVrDPIPjJnyPAqitfRZgu6+GE9bDlfhwfup6L33HYIGxAD4J9+DbdnuMXca yVQji1otZ8Shpvu4h4pid3epFDWFSoTiNnGwf1jxhZA== X-Received: by 2002:aa7:8b02:: with SMTP id f2mr31876797pfd.31.1572407418547; Tue, 29 Oct 2019 20:50:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqy0gip/e03SZ+nzYuhsatSN2JdBURoP8oBVvKafhacygmQqlZWAIlMh+Yr/EEKpdPdybQxqNQ== X-Received: by 2002:aa7:8b02:: with SMTP id f2mr31876779pfd.31.1572407418324; Tue, 29 Oct 2019 20:50:18 -0700 (PDT) Received: from localhost.localdomain (222-154-99-146-fibre.sparkbb.co.nz. [222.154.99.146]) by smtp.gmail.com with ESMTPSA id w2sm504855pjt.1.2019.10.29.20.50.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Oct 2019 20:50:17 -0700 (PDT) 
From: Matthew Ruffell To: kernel-team@lists.ubuntu.com Subject: [SRU][Disco][PATCH 2/2] SUNRPC: Fix a use after free when a server rejects the RPCSEC_GSS credential Date: Wed, 30 Oct 2019 16:50:06 +1300 Message-Id: <20191030035006.31696-3-matthew.ruffell@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191030035006.31696-1-matthew.ruffell@canonical.com> References: <20191030035006.31696-1-matthew.ruffell@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Trond Myklebust BugLink: https://bugs.launchpad.net/bugs/1842037 The addition of rpc_check_timeout() to call_decode causes an Oops when the RPCSEC_GSS credential is rejected. The reason is that rpc_decode_header() will call xprt_release() in order to free task->tk_rqstp, which is needed by rpc_check_timeout() to check whether or not we should exit due to a soft timeout. The fix is to move the call to xprt_release() into call_decode() so we can perform it after rpc_check_timeout(). Reported-by: Olga Kornievskaia Reported-by: Nick Bowler Fixes: cea57789e408 ("SUNRPC: Clean up") Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker (backported from commit 7987b694ade8cc465ce10fb3dceaa614f13ceaf3) [mruffell: rewrite goto error handling, medium context adjustments] Signed-off-by: Matthew Ruffell --- net/sunrpc/clnt.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index f9568b0dc63e..5ea3c62fff9f 100644 --- a/net/sunrpc/clnt.c +++ b/net/sunrpc/clnt.c 
@@ -2303,6 +2303,8 @@ call_decode(struct rpc_task *task) if (IS_ERR(p)) { if (p == ERR_PTR(-EAGAIN)) goto out_retry; + if (p == ERR_PTR(-EKEYREJECTED)) + goto out_key_rejected; return; } task->tk_action = rpc_exit_task; @@ -2315,17 +2317,21 @@ call_decode(struct rpc_task *task) return; out_retry: task->tk_status = 0; - /* Note: rpc_verify_header() may have freed the RPC slot */ - if (task->tk_rqstp == req) { - xdr_free_bvec(&req->rq_rcv_buf); - req->rq_reply_bytes_recvd = 0; - req->rq_rcv_buf.len = 0; - if (task->tk_client->cl_discrtry) - xprt_conditional_disconnect(req->rq_xprt, - req->rq_connect_cookie); - } + xdr_free_bvec(&req->rq_rcv_buf); + req->rq_reply_bytes_recvd = 0; + req->rq_rcv_buf.len = 0; + if (task->tk_client->cl_discrtry) + xprt_conditional_disconnect(req->rq_xprt, + req->rq_connect_cookie); task->tk_action = call_encode; rpc_check_timeout(task); + return; +out_key_rejected: + task->tk_action = call_reserve; + rpc_check_timeout(task); + rpcauth_invalcred(task); + /* Ensure we obtain a new XID if we retry! */ + xprt_release(task); } static __be32 * @@ -2413,11 +2419,7 @@ rpc_verify_header(struct rpc_task *task) task->tk_cred_retry--; dprintk("RPC: %5u %s: retry stale creds\n", task->tk_pid, __func__); - rpcauth_invalcred(task); - /* Ensure we obtain a new XID! */ - xprt_release(task); - task->tk_action = call_reserve; - goto out_retry; + return ERR_PTR(-EKEYREJECTED); case RPC_AUTH_BADCRED: case RPC_AUTH_BADVERF: /* possibly garbled cred/verf? */
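Review bot: the new `if (p == ERR_PTR(-EKEYREJECTED)) goto out_key_rejected;` in call_decode() turns -EKEYREJECTED into a "retry with fresh credentials" sentinel for anything rpc_verify_header() returns, but this series only adds that return in the stale-credentials arm (the one that decrements tk_cred_retry). Please confirm that no other return in the Disco rpc_verify_header() already yields ERR_PTR(-EKEYREJECTED) as a hard error; such a path would now be silently retried instead of failing the call.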
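Review bot: out_key_rejected does not reset task->tk_status, while out_retry does (`task->tk_status = 0;`); before this patch the stale-credentials case reached that reset through rpc_verify_header()'s `goto out_retry`. Also, dropping the `if (task->tk_rqstp == req)` guard from out_retry is only sound if the slot-freeing xprt_release() now lives solely in out_key_rejected, i.e. the RPC_AUTH_BADCRED/BADVERF retry arm in the context below must not release the slot itself. Since the backport note says the goto handling was rewritten, both points are worth checking against upstream 7987b694ade8 rather than assuming they carried over.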
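Review bot: `return ERR_PTR(-EKEYREJECTED);` deserves a comment at the return site. The removed lines (`rpcauth_invalcred(task); /* Ensure we obtain a new XID! */ xprt_release(task); task->tk_action = call_reserve;`) were the only documentation that a fresh credential and a fresh XID are required here, and a reader of rpc_verify_header() can no longer see that the caller now performs them. A one-line `/* caller invalidates the cred and releases the slot */` above the return would preserve that.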