2013-05-14 14:26:23

by Chuck Lever

Subject: [PATCH] NFS: Fix security flavor negotiation with legacy binary mounts

Commit 4580a92d44 "NFS: Use server-recommended security flavor by
default (NFSv3)" introduced a behavior regression for NFS mounts
done via a legacy binary mount(2) call.

Darrick J. Wong <[email protected]> reports:

> I have a kvm-based testing setup that netboots VMs over NFS, the
> client end of which seems to have broken somehow in 3.10-rc1. The
> server's exports file looks like this:
>
> /storage/mtr/x64 192.168.122.0/24(ro,sync,no_root_squash,no_subtree_check)
>
> On the client end (inside the VM), the initrd runs the following
> command to try to mount the rootfs over NFS:
>
> # mount -o nolock -o ro -o retrans=10 192.168.122.1:/storage/mtr/x64/ /root
>
> (Note: This is the busybox mount command.)
>
> The mount fails with -EINVAL.

Ensure that a default security flavor is specified for legacy binary
mounts, since they do not invoke nfs_select_flavor() in the kernel.

Reported-by: Darrick J. Wong <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>
---
fs/nfs/super.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index a366107..2d7525f 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1942,6 +1942,7 @@ static int nfs23_validate_mount_data(void *options,
args->namlen = data->namlen;
args->bsize = data->bsize;

+ args->auth_flavors[0] = RPC_AUTH_UNIX;
if (data->flags & NFS_MOUNT_SECFLAVOUR)
args->auth_flavors[0] = data->pseudoflavor;
if (!args->nfs_server.hostname)
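Review bot: The new default in nfs23_validate_mount_data() is assigned without a comment, so a later reader cannot tell from the code why RPC_AUTH_UNIX is hard-wired just above the NFS_MOUNT_SECFLAVOUR test. A one-line comment saying that legacy binary mount data never reaches nfs_select_flavor(), and therefore needs an explicit default here, would keep the line from being removed later as redundant. It is also worth confirming that the flavor count in args is already 1 on this path, since only auth_flavors[0] is written in the visible lines.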
@@ -2637,6 +2638,7 @@ static int nfs4_validate_mount_data(void *options,
goto out_no_address;
args->nfs_server.port = ntohs(((struct sockaddr_in *)sap)->sin_port);

+ args->auth_flavors[0] = RPC_AUTH_UNIX;
if (data->auth_flavourlen) {
if (data->auth_flavourlen > 1)
goto out_inval_auth;
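Review bot: In nfs4_validate_mount_data() this is the same assignment as in the NFSv2/v3 validator, so the binary-mount default now lives in two places that must be kept in step; setting it once in a spot shared by both binary-mount paths, or at least carrying the same comment in both, would make a future divergence harder to miss. The commit message could also state explicitly that a binary mount with auth_flavourlen == 0 gets RPC_AUTH_UNIX with no negotiation against the server, because the subject line speaks of negotiation whereas this path picks a fixed flavor.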



2013-05-14 17:47:18

by Darrick J. Wong

Subject: Re: [PATCH] NFS: Fix security flavor negotiation with legacy binary mounts

On Tue, May 14, 2013 at 10:26:20AM -0400, Chuck Lever wrote:
> Commit 4580a92d44 "NFS: Use server-recommended security flavor by
> default (NFSv3)" introduced a behavior regression for NFS mounts
> done via a legacy binary mount(2) call.

NFS mount with klibc nfsmount is working again with this patch, thank you!

You may add:
Tested-by: Darrick J. Wong <[email protected]>

Though you might want to clarify in the commit message that it's really the
klibc nfsmount command, since that was really what was being called by busybox
& friends.

--D
>
> Darrick J. Wong <[email protected]> reports:
>
> > I have a kvm-based testing setup that netboots VMs over NFS, the
> > client end of which seems to have broken somehow in 3.10-rc1. The
> > server's exports file looks like this:
> >
> > /storage/mtr/x64 192.168.122.0/24(ro,sync,no_root_squash,no_subtree_check)
> >
> > On the client end (inside the VM), the initrd runs the following
> > command to try to mount the rootfs over NFS:
> >
> > # mount -o nolock -o ro -o retrans=10 192.168.122.1:/storage/mtr/x64/ /root
> >
> > (Note: This is the busybox mount command.)
> >
> > The mount fails with -EINVAL.
>
> Ensure that a default security flavor is specified for legacy binary
> mounts, since they do not invoke nfs_select_flavor() in the kernel.
>
> Reported-by: Darrick J. Wong <[email protected]>
> Signed-off-by: Chuck Lever <[email protected]>
> ---
> fs/nfs/super.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index a366107..2d7525f 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -1942,6 +1942,7 @@ static int nfs23_validate_mount_data(void *options,
> args->namlen = data->namlen;
> args->bsize = data->bsize;
>
> + args->auth_flavors[0] = RPC_AUTH_UNIX;
> if (data->flags & NFS_MOUNT_SECFLAVOUR)
> args->auth_flavors[0] = data->pseudoflavor;
> if (!args->nfs_server.hostname)
> @@ -2637,6 +2638,7 @@ static int nfs4_validate_mount_data(void *options,
> goto out_no_address;
> args->nfs_server.port = ntohs(((struct sockaddr_in *)sap)->sin_port);
>
> + args->auth_flavors[0] = RPC_AUTH_UNIX;
> if (data->auth_flavourlen) {
> if (data->auth_flavourlen > 1)
> goto out_inval_auth;
>

2013-05-14 18:21:13

by Adamson, Dros

Subject: Re: [PATCH] NFS: Fix security flavor negotiation with legacy binary mounts

Acked-by: Weston Andros Adamson <[email protected]>

-dros

On May 14, 2013, at 10:26 AM, Chuck Lever <[email protected]> wrote:

> Commit 4580a92d44 "NFS: Use server-recommended security flavor by
> default (NFSv3)" introduced a behavior regression for NFS mounts
> done via a legacy binary mount(2) call.
>
> Darrick J. Wong <[email protected]> reports:
>
>> I have a kvm-based testing setup that netboots VMs over NFS, the
>> client end of which seems to have broken somehow in 3.10-rc1. The
>> server's exports file looks like this:
>>
>> /storage/mtr/x64 192.168.122.0/24(ro,sync,no_root_squash,no_subtree_check)
>>
>> On the client end (inside the VM), the initrd runs the following
>> command to try to mount the rootfs over NFS:
>>
>> # mount -o nolock -o ro -o retrans=10 192.168.122.1:/storage/mtr/x64/ /root
>>
>> (Note: This is the busybox mount command.)
>>
>> The mount fails with -EINVAL.
>
> Ensure that a default security flavor is specified for legacy binary
> mounts, since they do not invoke nfs_select_flavor() in the kernel.
>
> Reported-by: Darrick J. Wong <[email protected]>
> Signed-off-by: Chuck Lever <[email protected]>
> ---
> fs/nfs/super.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index a366107..2d7525f 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -1942,6 +1942,7 @@ static int nfs23_validate_mount_data(void *options,
> args->namlen = data->namlen;
> args->bsize = data->bsize;
>
> + args->auth_flavors[0] = RPC_AUTH_UNIX;
> if (data->flags & NFS_MOUNT_SECFLAVOUR)
> args->auth_flavors[0] = data->pseudoflavor;
> if (!args->nfs_server.hostname)
> @@ -2637,6 +2638,7 @@ static int nfs4_validate_mount_data(void *options,
> goto out_no_address;
> args->nfs_server.port = ntohs(((struct sockaddr_in *)sap)->sin_port);
>
> + args->auth_flavors[0] = RPC_AUTH_UNIX;
> if (data->auth_flavourlen) {
> if (data->auth_flavourlen > 1)
> goto out_inval_auth;
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html


2013-05-14 14:32:26

by Chuck Lever

Subject: Re: [PATCH] NFS: Fix security flavor negotiation with legacy binary mounts

This is build-tested only. Darrick, can you give it a whirl?

--
Chuck Lever
[email protected]


On May 14, 2013, at 10:26 AM, Chuck Lever <[email protected]> wrote:

> Commit 4580a92d44 "NFS: Use server-recommended security flavor by
> default (NFSv3)" introduced a behavior regression for NFS mounts
> done via a legacy binary mount(2) call.
>
> Darrick J. Wong <[email protected]> reports:
>
>> I have a kvm-based testing setup that netboots VMs over NFS, the
>> client end of which seems to have broken somehow in 3.10-rc1. The
>> server's exports file looks like this:
>>
>> /storage/mtr/x64 192.168.122.0/24(ro,sync,no_root_squash,no_subtree_check)
>>
>> On the client end (inside the VM), the initrd runs the following
>> command to try to mount the rootfs over NFS:
>>
>> # mount -o nolock -o ro -o retrans=10 192.168.122.1:/storage/mtr/x64/ /root
>>
>> (Note: This is the busybox mount command.)
>>
>> The mount fails with -EINVAL.
>
> Ensure that a default security flavor is specified for legacy binary
> mounts, since they do not invoke nfs_select_flavor() in the kernel.
>
> Reported-by: Darrick J. Wong <[email protected]>
> Signed-off-by: Chuck Lever <[email protected]>
> ---
> fs/nfs/super.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index a366107..2d7525f 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -1942,6 +1942,7 @@ static int nfs23_validate_mount_data(void *options,
> args->namlen = data->namlen;
> args->bsize = data->bsize;
>
> + args->auth_flavors[0] = RPC_AUTH_UNIX;
> if (data->flags & NFS_MOUNT_SECFLAVOUR)
> args->auth_flavors[0] = data->pseudoflavor;
> if (!args->nfs_server.hostname)
> @@ -2637,6 +2638,7 @@ static int nfs4_validate_mount_data(void *options,
> goto out_no_address;
> args->nfs_server.port = ntohs(((struct sockaddr_in *)sap)->sin_port);
>
> + args->auth_flavors[0] = RPC_AUTH_UNIX;
> if (data->auth_flavourlen) {
> if (data->auth_flavourlen > 1)
> goto out_inval_auth;
>