Subject: Re: [PATCH 1/4] nfs: use-after-free in svc_process_common()
From: Vasily Averin
To: Trond Myklebust, bfields@fieldses.org
Cc: anna.schumaker@netapp.com, khorenko@virtuozzo.com, linux-nfs@vger.kernel.org, eshatokhin@virtuozzo.com, chuck.lever@oracle.com, jlayton@kernel.org
Date: Thu, 20 Dec 2018 12:30:18 +0300
Message-ID: <11b7dec4-cd81-cb23-68f9-d56b5df79337@virtuozzo.com>
In-Reply-To: <76d71f3412b3104b917aa836eede3447db35bda0.camel@hammerspace.com>
List: linux-nfs@vger.kernel.org

On 12/20/18 4:58 AM, Trond Myklebust wrote:
> On Thu, 2018-12-20 at 04:39 +0300, Vasily Averin wrote:
>> Dear Trond,
>> Red Hat security believes the problem is quite an important security
>> issue:
>> https://access.redhat.com/security/cve/cve-2018-16884
>>
>> The fix should be backported to affected distributions.
>>
>> Could you please approve my first patch and push it to stable@ ?
>> From my PoV it correctly fixes the problem, it breaks nothing and
>> is easy to backport;
>> lightly modified, it can even be live-patched.
>>
>> Other patches, including the switch to using an empty rqst->rq_xprt, can wait.
>>
>
> That patch is not acceptable for upstream.

In this case, how about my initial plan B: make svc_serv per net namespace?
It starts additional per-netns NFSv4 callback threads but does not require
any changes to the existing sunrpc code.
Attachment: diff-ms-nfs-make-svc_serv-per-netns (text/plain)

diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
index 509dc5adeb8f..df6939da9d73 100644
--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -30,12 +30,6 @@
 
 #define NFSDBG_FACILITY NFSDBG_CALLBACK
 
-struct nfs_callback_data {
-	unsigned int users;
-	struct svc_serv *serv;
-};
-
-static struct nfs_callback_data nfs_callback_info[NFS4_MAX_MINOR_VERSION + 1];
 static DEFINE_MUTEX(nfs_callback_mutex);
 static struct svc_program nfs4_callback_program;
 
@@ -252,22 +246,23 @@ static const struct svc_serv_ops *nfs4_cb_sv_ops[] = {
 };
 #endif
 
-static struct svc_serv *nfs_callback_create_svc(int minorversion)
+static struct svc_serv *nfs_callback_create_svc(int minorversion,
+						struct net *net)
 {
-	struct nfs_callback_data *cb_info = &nfs_callback_info[minorversion];
+	struct nfs_net *nn = net_generic(net, nfs_net_id);
 	const struct svc_serv_ops *sv_ops;
-	struct svc_serv *serv;
+	struct svc_serv *serv = nn->serv[minorversion];
 
 	/*
 	 * Check whether we're already up and running.
 	 */
-	if (cb_info->serv) {
+	if (serv) {
 		/*
 		 * Note: increase service usage, because later in case of error
 		 * svc_destroy() will be called.
 		 */
-		svc_get(cb_info->serv);
-		return cb_info->serv;
+		svc_get(serv);
+		return serv;
 	}
 
 	switch (minorversion) {
@@ -281,20 +276,12 @@ static struct svc_serv *nfs_callback_create_svc(int minorversion)
 	if (sv_ops == NULL)
 		return ERR_PTR(-ENOTSUPP);
 
-	/*
-	 * Sanity check: if there's no task,
-	 * we should be the first user ...
-	 */
-	if (cb_info->users)
-		printk(KERN_WARNING "nfs_callback_create_svc: no kthread, %d users??\n",
-			cb_info->users);
-
 	serv = svc_create_pooled(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
 	if (!serv) {
 		printk(KERN_ERR "nfs_callback_create_svc: create service failed\n");
 		return ERR_PTR(-ENOMEM);
 	}
-	cb_info->serv = serv;
+	nn->serv[minorversion] = serv;
 	/* As there is only one thread we need to over-ride the
 	 * default maximum of 80 connections
 	 */
@@ -308,14 +295,14 @@ static struct svc_serv *nfs_callback_create_svc(int minorversion)
  */
 int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
 {
-	struct svc_serv *serv;
-	struct nfs_callback_data *cb_info = &nfs_callback_info[minorversion];
-	int ret;
 	struct net *net = xprt->xprt_net;
+	struct nfs_net *nn = net_generic(net, nfs_net_id);
+	struct svc_serv *serv = nn->serv[minorversion];
+	int ret;
 
 	mutex_lock(&nfs_callback_mutex);
 
-	serv = nfs_callback_create_svc(minorversion);
+	serv = nfs_callback_create_svc(minorversion, net);
 	if (IS_ERR(serv)) {
 		ret = PTR_ERR(serv);
 		goto err_create;
@@ -329,7 +316,6 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
 	if (ret < 0)
 		goto err_start;
 
-	cb_info->users++;
 	/*
 	 * svc_create creates the svc_serv with sv_nrthreads == 1, and then
 	 * svc_prepare_thread increments that. So we need to call svc_destroy
@@ -337,8 +323,8 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
 	 * thread exits.
 	 */
 err_net:
-	if (!cb_info->users)
-		cb_info->serv = NULL;
+	if (!nn->cb_users[minorversion])
+		nn->serv[minorversion] = NULL;
 	svc_destroy(serv);
 err_create:
 	mutex_unlock(&nfs_callback_mutex);
@@ -355,19 +341,18 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
  */
 void nfs_callback_down(int minorversion, struct net *net)
 {
-	struct nfs_callback_data *cb_info = &nfs_callback_info[minorversion];
+	struct nfs_net *nn = net_generic(net, nfs_net_id);
 	struct svc_serv *serv;
 
 	mutex_lock(&nfs_callback_mutex);
-	serv = cb_info->serv;
+	serv = nn->serv[minorversion];
 	nfs_callback_down_net(minorversion, serv, net);
-	cb_info->users--;
-	if (cb_info->users == 0) {
+	if (nn->cb_users[minorversion] == 0) {
 		svc_get(serv);
 		serv->sv_ops->svo_setup(serv, NULL, 0);
 		svc_destroy(serv);
 		dprintk("nfs_callback_down: service destroyed\n");
-		cb_info->serv = NULL;
+		nn->serv[minorversion] = NULL;
 	}
 	mutex_unlock(&nfs_callback_mutex);
 }
diff --git a/fs/nfs/netns.h b/fs/nfs/netns.h
index fc9978c58265..a49978d2fb0d 100644
--- a/fs/nfs/netns.h
+++ b/fs/nfs/netns.h
@@ -29,6 +29,7 @@ struct nfs_net {
 	unsigned short nfs_callback_tcpport6;
 	int cb_users[NFS4_MAX_MINOR_VERSION + 1];
 #endif
+	struct svc_serv *serv[NFS4_MAX_MINOR_VERSION + 1];
 	spinlock_t nfs_client_lock;
 	ktime_t boot_time;
 #ifdef CONFIG_PROC_FS
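Review bot: in the nfs_callback_create_svc() hunk (@@ -252,22 +246,23 @@) the "Check whether we're already up and running" comment is now stale, since the check is against nn->serv[minorversion] and so means "already running in this net namespace"; say so in the comment, because a reader of the callback.c code will otherwise assume the old global-per-minorversion semantics.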
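Review bot: the hunk at @@ -281,20 +276,12 @@ deletes the "no kthread, %d users??" sanity check outright instead of porting it; the counter it guarded still exists as nn->cb_users[minorversion] (it is used two hunks later in err_net:), so the check can be kept as `if (nn->cb_users[minorversion]) printk(KERN_WARNING ...)` at no cost and would catch exactly the per-netns refcount mismatch this rework is most likely to introduce. If dropping it is intentional, the cover text should say why.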
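Review bot: in nfs_callback_up() (@@ -308,14 +295,14 @@) the new `struct svc_serv *serv = nn->serv[minorversion];` reads the per-netns pointer before mutex_lock(&nfs_callback_mutex) and is then unconditionally overwritten by `serv = nfs_callback_create_svc(minorversion, net);`, so it is a dead store and, worse, an unlocked read of state that every other hunk only touches under the mutex. Drop the initializer and keep the bare `struct svc_serv *serv;`.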
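Review bot: the hunk at @@ -329,7 +316,6 @@ removes `cb_info->users++;` without adding a replacement increment, so this patch now depends on nn->cb_users[minorversion] being counted up somewhere outside the diff (presumably on the nfs_callback_up_net() path that precedes this point); add a one-line comment here naming where that happens, since nothing in nfs_callback_up() itself shows that the counter consulted at err_net: is ever raised.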
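Review bot: in nfs_callback_down() (@@ -355,19 +341,18 @@) the `if (nn->cb_users[minorversion] == 0)` test only works if nfs_callback_down_net(minorversion, serv, net), called on the line above it, has already decremented nn->cb_users[minorversion]; previously the decrement (`cb_info->users--;`) was visible at the call site. Please add a comment stating that ordering dependency, and note that serv may be NULL here if nfs_callback_down() is reached for a net namespace whose callback service was never created, which the unconditional nfs_callback_down_net() call does not guard against.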
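Review bot: in fs/nfs/netns.h (@@ -29,6 +29,7 @@) the new `struct svc_serv *serv[NFS4_MAX_MINOR_VERSION + 1];` is placed after the `#endif` that closes the block holding cb_users[], so the array is compiled into struct nfs_net even in configurations where the callback code it serves is not; move it up next to `int cb_users[NFS4_MAX_MINOR_VERSION + 1];` inside that conditional block, and check that netns.h has a forward declaration of struct svc_serv (or the matching include) so the header still compiles stand-alone.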