Received: by 10.213.65.68 with SMTP id h4csp24626imn; Tue, 27 Mar 2018 15:31:43 -0700 (PDT) X-Google-Smtp-Source: AIpwx48d5qzKyDi5dofI/3yl3pCOMRCd6b0EJThvbZdkX/OqD6T8LEByW/U5ZN7qFHY2hKoRNK5b X-Received: by 2002:a17:902:740c:: with SMTP id g12-v6mr1119143pll.406.1522189903821; Tue, 27 Mar 2018 15:31:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522189903; cv=none; d=google.com; s=arc-20160816; b=jLXpdVP+Fu2z68wgqhGKt9fvATljTHMT0QoMlrfPbmmaTsHXIVCnLedTM0ZSgW8iLt Nf5LkAXa3vra0euV9A7gndy/uL2Ekj2JWw3LY/ZAAwo+GFOp/L3JQdWR5CzyGOQPycr6 IpIg6pNmM3xOOyQTM7FJK0alPJEGHtx8Us9CTdd3p62yrpaqhoQNEGvl0eM/ld0MLx19 dS9H/3Nu/5OrepKqkE4ktvRZ3jyFZlryw7ZcFh8h11bVSdI3ms8CAiwv6n0gpr1axoOD sy4++HsG5cksXS5K6q0Th5xFEVzIf/57EOAtFuFuBfJzhs6CxGcyJG2hASRFe0O5WQoV T4Pg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=aqBXzRocBJSOrLfS6ItopkkjFh6hFk5TLh+A4JBHErY=; b=BHM9PYEDiSVQBmvwD+TMLJVob2/wQDEGYGyzml/E7LoEdhVChyF/x9T5Dfs5Zg2eSr JOL2FPy/zCLXOcm9QE+mAEd/6qplWAAHfk96DHIBuCGzPB6A5RnV6uye1B2wG3Y6xFrm m/jXinMZ2DE+iC8qfQLwlrAExaSRXu9TpFoUPXFYeCvfmObSxkQUgzIPFUoVZmETMGxZ k6WdoGkTcXjqPk+mlZd3Q79sFWt6SQmtF0v+YU+pkt8UGZe2rMWYjWHrMGjEzNE/eToy NWt9xX7kFgE+1Ezlw6mBNhxMx6g/gBLN8HEmzGLt2mie9nayl83QjBQxCA33JneJEgtR NEig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=gb6uR4SC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a68si1714036pfk.35.2018.03.27.15.30.59; Tue, 27 Mar 2018 15:31:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=gb6uR4SC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752494AbeC0W34 (ORCPT + 99 others); Tue, 27 Mar 2018 18:29:56 -0400 Received: from mail-pg0-f66.google.com ([74.125.83.66]:46039 "EHLO mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752338AbeC0W3y (ORCPT ); Tue, 27 Mar 2018 18:29:54 -0400 Received: by mail-pg0-f66.google.com with SMTP id y63so180384pgy.12 for ; Tue, 27 Mar 2018 15:29:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=aqBXzRocBJSOrLfS6ItopkkjFh6hFk5TLh+A4JBHErY=; b=gb6uR4SCE6SFdR9PfutHBJzC8esfKzcQCBO+FBGqY9GGaJrkIzOI95hPYUpX/gWK+U T2L3on0Hsli8flyKW98R0PGuMBip+bu/636mblXXEUin2BP93yQBe+QZQcx7+/ojcJ6b I168Ni4XjMkOoZ0J2yBQYzvkki5qQCKODGWaB39rxTA/AdOzpktFEblLpIjfXU35u+Xo 0tjWl3qGN5izxFfOR2SLRxnv+BZtT2e8zwwsbWR57a7oLi/08TrALH4TtDKdPF2Y/pKd JpEX+L5P54AuSNlEXvjnP/wPlctT2iDI1Od3rjRaSrsMmVsvZ51O04tuuW8KWOIeyQML 37ag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=aqBXzRocBJSOrLfS6ItopkkjFh6hFk5TLh+A4JBHErY=; b=DsX1BL1r7/jc2BGZNEWM/5ZUBNlIfbB5plOmkQ+o29+o8Nnn7UpHtz87VaWDRODoRF WgCitMIVueFk9N2qc/OlI9lYx08san+plIJKKnEDtWI+lmX98ekEmjqCBEs4auv1kEHk 1k8FQ6LPLGK4GH7rozukL5eDP210qE0QL27UbHu840zUPvKhq6+4p2/eU8Eu8HjgutkK cbPP7oMb+OUOm1Xac+ghUPBk9CQqjm1AZZbvbSw71HoDCtMyTgzglUiXn2vPeyrSVYxE DYNlBxJI5jAaQY7rZGHkSNyWPvsGp+m81lcX9TZFz6BS1btmoq0zmLV/nxjvYxotlsGC t2Iw== X-Gm-Message-State: AElRT7FZV+1qLUKWJ3/Zgf5RmpY/L6OTNCoGxlGkGfHZSV6CC0oic50H RPrj4r0akEPE/MlDdMy/O5MjvA== X-Received: by 10.167.129.90 with SMTP id d26mr874646pfn.108.1522189793730; Tue, 27 Mar 2018 15:29:53 -0700 (PDT) Received: from google.com ([2620:15c:17:3:dc28:5c82:b905:e8a8]) by smtp.gmail.com with ESMTPSA id f64sm4805423pfa.154.2018.03.27.15.29.52 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 27 Mar 2018 15:29:52 -0700 (PDT) Date: Tue, 27 Mar 2018 15:29:50 -0700 From: Eric Biggers To: Michael Young Cc: Herbert Xu , "J. Bruce Fields" , Jeff Layton , Trond Myklebust , Anna Schumaker , linux-nfs@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: NFS mounts failing when keytab present on client Message-ID: <20180327222950.GB257332@google.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.2 (2017-12-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Michael, On Tue, Mar 27, 2018 at 11:06:14PM +0100, Michael Young wrote: > NFS mounts stopped working on one of my computers after a kernel update from > 4.15.3 to 4.15.4. I traced the problem to the commit > [46e8d06e423c4f35eac7a8b677b713b3ec9b0684] crypto: hash - prevent using > keyed hashes without setting key > and a later kernel with this patch reverted works normally. > > The problem seems to be related to kerberos as the mount fails when the > keytab is present, but works if I rename the keytab file. This is true even > though the mount is with sec=sys . The mount should also work with sec=krb5 > but that also fails in the same way. When the mount fails there are errors > in dmesg like > [ 1232.522816] gss_marshal: gss_get_mic FAILED (851968) > [ 1232.522819] RPC: couldn't encode RPC header, exit EIO > [ 1232.522856] gss_marshal: gss_get_mic FAILED (851968) > [ 1232.522857] RPC: couldn't encode RPC header, exit EIO > [ 1232.522863] NFS: nfs4_discover_server_trunking unhandled error -5. > Exiting with error EIO > [ 1232.525039] gss_marshal: gss_get_mic FAILED (851968) > [ 1232.525042] RPC: couldn't encode RPC header, exit EIO > > Michael Young Thanks for the bug report. I think the error is coming from net/sunrpc/auth_gss/gss_krb5_crypto.c. There are two potential problems I see. The first one, which is definitely a bug, is that make_checksum_hmac_md5() allocates an HMAC transform and request, then does these crypto API calls: crypto_ahash_init() crypto_ahash_setkey() crypto_ahash_digest() This is wrong because it makes no sense to init() the HMAC request before the key has been set, and doubly so when it's calling digest() which is shorthand for init() + update() + final(). So I think it just needs to be removed. You can test the following patch: diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index 12649c9fedab..8654494b4d0a 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c @@ -237,9 +237,6 @@ make_checksum_hmac_md5(struct krb5_ctx *kctx, char *header, int hdrlen, ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); - err = crypto_ahash_init(req); - if (err) - goto out; err = crypto_ahash_setkey(hmac_md5, cksumkey, kctx->gk5e->keylength); if (err) goto out; If that's not it, it's also possible that the error is coming from the crypto_ahash_init() in make_checksum(). That can only happen if 'cksumkey' is NULL and the hash algorithm is keyed, which implies a logical error as it doesn't make sense to use a keyed hash algorithm without the key. The callers do check kctx->gk5e->keyed_cksum which I'd hope would prevent this, though perhaps kctx->cksum can be NULL. Eric