Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3381751pxb; Mon, 1 Mar 2021 08:37:40 -0800 (PST) X-Google-Smtp-Source: ABdhPJxE86wco4WM3u/tbJ4n5this99gflRyogUV5mm2yfVrSV5wU0rkfYXMCyYruVjr4tVjHZkT X-Received: by 2002:a50:ee05:: with SMTP id g5mr1064814eds.164.1614616660076; Mon, 01 Mar 2021 08:37:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614616660; cv=none; d=google.com; s=arc-20160816; b=CL+PHdqqJdJfYyRLafDE+ED5ex9lIpr4ZT9PjXPDWUXbY4meveYRhfm//b+ob6Ut0e u3CwECRXAM5S2Oc+RDCVXhuSPYgDNayHYeiP0Cfdd7W0Ttu4QLnhbO5Ug+yloqlpZ2LA HtSCtJn7+cqEm1QYVLd73i3YP8yCkmrA66qmnwYfl3JdP4SyjLZygD/KnvY7RAVQ2OSD crfXUhlxtYRZJHp5AFpmrzzOBGiEJvMU2zEX5AaLbMrjGMmfqFAgjVokXF06bOvvUbQf PIR2EhkrblP6DtfS01n0CDtk4zciCYI4w+uaNpuO1wdDsA0bKznA451AgMWzJHC/U2Q0 D7Xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-filter; bh=ymVMq/eXAVbkZeEY+nrCAwW7Zx5tBeFoXvrYV9FBuno=; b=cbOO9CBfbonJriNfkT19w0SX6LD5+oK5ZkF23Ho3b6CES3RN8dsoKnqOSHtfDr4hOz Td0Rzds4aP9CPwv8PXBMKX5kOA6HjIee60CSfhPBc7Vwek5I2JpdFeAJQDxZ6hjGq8Tk OG7h+qIGOCskaLTU2QeQo81iuoczQOFncirw8XzFsPFTkgn8SDb4Ud2iEMzU7jNgE0cA Pq7MzSRa3np7TspXxhoyAjlB1u6zPRSH3DE5YrVgpbFZVedw/3ICE+qWotTuCyY40Rgl MqeQJUiKH6q0ZdNzOJPik3tZfrkPhVDHal7l61+WQTlLtsVvg4vP5x3iKKd5yrzH/K5y ycKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@fieldses.org header.s=default header.b=s4s13Igg; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v21si11794340ejg.258.2021.03.01.08.37.09; Mon, 01 Mar 2021 08:37:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@fieldses.org header.s=default header.b=s4s13Igg; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234519AbhCAQfX (ORCPT + 99 others); Mon, 1 Mar 2021 11:35:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36766 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234860AbhCAQ3L (ORCPT ); Mon, 1 Mar 2021 11:29:11 -0500 Received: from fieldses.org (fieldses.org [IPv6:2600:3c00:e000:2f7::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36A18C06178A for ; Mon, 1 Mar 2021 08:28:28 -0800 (PST) Received: by fieldses.org (Postfix, from userid 2815) id 6EDD325FE; Mon, 1 Mar 2021 11:28:20 -0500 (EST) DKIM-Filter: OpenDKIM Filter v2.11.0 fieldses.org 6EDD325FE DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fieldses.org; s=default; t=1614616100; bh=ymVMq/eXAVbkZeEY+nrCAwW7Zx5tBeFoXvrYV9FBuno=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=s4s13Igg/8XcARRXWb11mZI6Jw/IDMUbbKMoGqF6/lG4zhZpT0gVbHRZm9aN6Sfpy 54vPvnYA0CHfaS+XqOXZS08lxKUhVec0OD8d6JE7jncC+SLsYkKlpFMhy41TvpbTQU mgw70x73EycixkH+A4rfUfSm2KGDrxLFGuoJkxYw= Date: Mon, 1 Mar 2021 11:28:20 -0500 From: Bruce Fields To: Chuck Lever Cc: Daniel Kobras , Linux NFS Mailing List Subject: Re: [PATCH] sunrpc: fix refcount leak for rpc auth modules Message-ID: <20210301162820.GB11772@fieldses.org> References: <20210226230437.jfgagcq5magzlrtv@tuedko18.puzzle-itc.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Mon, Mar 01, 2021 at 03:20:24PM +0000, Chuck Lever wrote: > > > On Feb 26, 2021, at 6:04 PM, Daniel Kobras wrote: > > > > If an auth module's accept op returns SVC_CLOSE, svc_process_common() > > enters a call path that does not call svc_authorise() before leaving the > > function, and thus leaks a reference on the auth module's refcount. Hence, > > make sure calls to svc_authenticate() and svc_authorise() are paired for > > all call paths, to make sure rpc auth modules can be unloaded. > > > > Fixes: 4d712ef1db05 ("svcauth_gss: Close connection when dropping an incoming message") > > Signed-off-by: Daniel Kobras > > --- > > Hi! > > > > While debugging NFS on a system with misconfigured krb5 settings, we noticed > > a suspiciously high refcount on the auth_rpcgss module, despite all of its > > consumers already unloaded. I wasn't able to analyze any further on the live > > system, but had a look at the code afterwards, and found a path that seems > > to leak references if the mechanism's accept() op shuts down a connection > > early. Although I couldn't verify, this seem to be a plausible fix. > > > > Kind regards, > > > > Daniel > > Hi Daniel- > > I've provisionally included your patch in my NFSD for-rc topic branch > here: > > git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git > > Your bug report seems plausible, but I need to take a closer look at that > code and your proposed change. Would very much like to hear from others, > too. So, the effect of this is to call svc_authorise more often. I think that's always safe, because svc_authorise is a no-op unless rq_authops is set, it clears rq_authops itself, and rq_authops being set is a guarantee that ->accept() already ran. It's harder to know if this solves the problem, as I see a lot of other mentions of THIS_MODULE in svcauth_gss.c. Possibly orthogonal to this problem, but: svcauth_gss_release unconditionally dereferences rqstp->rq_auth_data. Isn't that a NULL dereference if the kmalloc at the start of svcauth_gss_accept() fails? Finally, should we care about module reference leaks? Does anyone really *need* to unload modules? And will bad stuff happen when the count overflows, or does the module code fail safely somehow in the overflow case? I know, bugs are bugs, I should care about fixing all of them, shame on me.... --b. > > > > net/sunrpc/svc.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c > > index 61fb8a18552c..d76dc9d95d16 100644 > > --- a/net/sunrpc/svc.c > > +++ b/net/sunrpc/svc.c > > @@ -1413,7 +1413,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv) > > > > sendit: > > if (svc_authorise(rqstp)) > > - goto close; > > + goto close_xprt; > > return 1; /* Caller can now send it */ > > > > release_dropit: > > @@ -1425,6 +1425,8 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv) > > return 0; > > > > close: > > + svc_authorise(rqstp); > > +close_xprt: > > if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags)) > > svc_close_xprt(rqstp->rq_xprt); > > dprintk("svc: svc_process close\n"); > > @@ -1433,7 +1435,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv) > > err_short_len: > > svc_printk(rqstp, "short len %zd, dropping request\n", > > argv->iov_len); > > - goto close; > > + goto close_xprt; > > > > err_bad_rpc: > > serv->sv_stats->rpcbadfmt++; > > -- > > 2.25.1 > > > > > > -- > > Puzzle ITC Deutschland GmbH > > Sitz der Gesellschaft: Eisenbahnstraße 1, 72072 > > Tübingen > > > > Eingetragen am Amtsgericht Stuttgart HRB 765802 > > Geschäftsführer: > > Lukas Kallies, Daniel Kobras, Mark Pröhl > > > > -- > Chuck Lever > > >