Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6806826rwb; Mon, 12 Dec 2022 06:41:48 -0800 (PST) X-Google-Smtp-Source: AA0mqf4Nbaq75jN7WhAdVoRmD82t6auAKJNj8OPdBRJc8ymsfADcZroxAArY8I3/BJWmzMkSt0Mw X-Received: by 2002:a17:902:6b08:b0:186:644f:bef1 with SMTP id o8-20020a1709026b0800b00186644fbef1mr17211115plk.6.1670856108647; Mon, 12 Dec 2022 06:41:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670856108; cv=none; d=google.com; s=arc-20160816; b=fIklPtRw5yqi9r7OPatwm/nt9K10aY5LYFlkqc7s6UZO7nF6bUimokmDmMBFgQl5vO n50eLK5kkFqHYhfT6TJjeVuaZfF6Th6FD35iihp9U6gwkgmSlATv3rgLErvmh+zC5c+p 3aAZRpjcM7lVrMefiKDJBd42wel+MEur2yO3aohFauTaTd/d5cKUZH9rXE8Y6YiJkCJ6 Cr5uylZXIJuGRmc/FrBD4DKa4oVvibb9jx0eNgyRCW4aWNEbgzNE0Yg+6uhnI+uRGCOy EmFxrBgAwnIQhPdX6X26yH7sCkb0qVwACfnKqEGhOeoahSfDnS2xAhiCy/vn9jd0m/l7 pJ9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=t/98IicAiY2ZQH7Y0P7FBVcvQaGh5F3XhXcJPSmj/vE=; b=u8R1mjsCPPCPcxK0xgXndg5h3MBZE7T8Ozy0/pjzvG22D+AHZDDEy0xTqjnXtswF1F GTTGKJF2SL/dJgf/pbCpnIyRlWkJTNT5rU5C3ikEVaTDIeDxNZaHjxf3SFBc2A2e456O CLDvHHDeCq1TQA4flavo70uw57G1ePdvWRm5CLPrxLC9ITontgntHVuBSzJg9TJbRCfm +bd934gVQvUyXqHWer0M/1AJ3+ASgOr62wWC8y6lV3HJnLqbosyMJHbqj3a4QNe9dLby FwODNdVf/dt3M4OkYdxk2WSmDsAQkT/MXSFbOyjHNTvbz/xgfjQuzWScAjhmaVqMHHZF tGaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pAkmZHLU; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t191-20020a6381c8000000b00478701e57c8si9820162pgd.807.2022.12.12.06.41.29; Mon, 12 Dec 2022 06:41:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pAkmZHLU; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232498AbiLLObl (ORCPT + 99 others); Mon, 12 Dec 2022 09:31:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48836 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232280AbiLLObe (ORCPT ); Mon, 12 Dec 2022 09:31:34 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18B5E13CD4 for ; Mon, 12 Dec 2022 06:31:23 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id ABA0960FF4 for ; Mon, 12 Dec 2022 14:31:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 63FBBC433EF; Mon, 12 Dec 2022 14:31:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1670855482; bh=XfK4PKYNCfcWHqk1Ar0UUs2C/zZ1v7onM5ym1reqPvI=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=pAkmZHLUHfXTYCn2qtmicnzV3DYDoBb9v0PjQf4zM8bVHqCFUeNYxz83ondbVpU5B wUDHy2+VzW4kC++OPD4AXSTWl+mSIHFrLtHoTKzrMSlO4pWRo2qQCKSFu4Fn2IpVjM FjA2447NGifZuC3PKiYf3M0Mef0MW9c7FF20Ud+2X37yH7Ro9I+5Vjmz238GNh2h1p ottGT5qYSP8OmjWkT0EPkmyC+LdwXUSuoYxM7k1WZM371kbc6IxEeiPD9a1ODVAlHg YbGdQE57r/O6IsKI9wxDmwgiiupEifxufMzAAfJsqD3m/SL1ngEKtMxytPdb51K/M6 Z6avvmmBWXZKw== Message-ID: Subject: Re: [PATCH 1/1] NFSD: fix use-after-free in __nfs42_ssc_open() From: Jeff Layton To: Greg KH Cc: dai.ngo@oracle.com, chuck.lever@oracle.com, kolga@netapp.com, hdthky0@gmail.com, linux-nfs@vger.kernel.org, security@kernel.org Date: Mon, 12 Dec 2022 09:31:19 -0500 In-Reply-To: References: <1670786549-27041-1-git-send-email-dai.ngo@oracle.com> <7f68cb23445820b4a1c12b74dce0954f537ae5e2.camel@kernel.org> <56b0cb4f-dfe9-6892-7fef-1a2965cf1d99@oracle.com> <0ab8efccae708faa092a56c6935c33564814bfed.camel@kernel.org> Content-Type: text/plain; charset="ISO-8859-15" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.2 (3.46.2-1.fc37) MIME-Version: 1.0 X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Mon, 2022-12-12 at 14:59 +0100, Greg KH wrote: > On Mon, Dec 12, 2022 at 08:40:31AM -0500, Jeff Layton wrote: > > On Mon, 2022-12-12 at 05:34 -0800, dai.ngo@oracle.com wrote: > > > On 12/12/22 4:22 AM, Jeff Layton wrote: > > > > On Sun, 2022-12-11 at 11:22 -0800, Dai Ngo wrote: > > > > > Problem caused by source's vfsmount being unmounted but remains > > > > > on the delayed unmount list. This happens when nfs42_ssc_open() > > > > > return errors. > > > > > Fixed by removing nfsd4_interssc_connect(), leave the vfsmount > > > > > for the laundromat to unmount when idle time expires. > > > > >=20 > > > > > Reported-by: Xingyuan Mo > > > > > Signed-off-by: Dai Ngo > > > > > --- > > > > > fs/nfsd/nfs4proc.c | 23 +++++++---------------- > > > > > 1 file changed, 7 insertions(+), 16 deletions(-) > > > > >=20 > > > > > diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c > > > > > index 8beb2bc4c328..756e42cf0d01 100644 > > > > > --- a/fs/nfsd/nfs4proc.c > > > > > +++ b/fs/nfsd/nfs4proc.c > > > > > @@ -1463,13 +1463,6 @@ nfsd4_interssc_connect(struct nl4_server *= nss, struct svc_rqst *rqstp, > > > > > return status; > > > > > } > > > > > =20 > > > > > -static void > > > > > -nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) > > > > > -{ > > > > > - nfs_do_sb_deactive(ss_mnt->mnt_sb); > > > > > - mntput(ss_mnt); > > > > > -} > > > > > - > > > > > /* > > > > > * Verify COPY destination stateid. > > > > > * > > > > > @@ -1572,11 +1565,6 @@ nfsd4_cleanup_inter_ssc(struct vfsmount *s= s_mnt, struct file *filp, > > > > > { > > > > > } > > > > > =20 > > > > > -static void > > > > > -nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) > > > > > -{ > > > > > -} > > > > > - > > > > > static struct file *nfs42_ssc_open(struct vfsmount *ss_mnt, > > > > > struct nfs_fh *src_fh, > > > > > nfs4_stateid *stateid) > > > > > @@ -1762,7 +1750,8 @@ static int nfsd4_do_async_copy(void *data) > > > > > struct file *filp; > > > > > =20 > > > > > filp =3D nfs42_ssc_open(copy->ss_mnt, ©->c_fh, > > > > > - ©->stateid); > > > > > + ©->stateid); > > > > > + > > > > > if (IS_ERR(filp)) { > > > > > switch (PTR_ERR(filp)) { > > > > > case -EBADF: > > > > > @@ -1771,7 +1760,7 @@ static int nfsd4_do_async_copy(void *data) > > > > > default: > > > > > nfserr =3D nfserr_offload_denied; > > > > > } > > > > > - nfsd4_interssc_disconnect(copy->ss_mnt); > > > > > + /* ss_mnt will be unmounted by the laundromat */ > > > > > goto do_callback; > > > > > } > > > > > nfserr =3D nfsd4_do_copy(copy, filp, copy->nf_dst->nf_file, > > > > > @@ -1852,8 +1841,10 @@ nfsd4_copy(struct svc_rqst *rqstp, struct = nfsd4_compound_state *cstate, > > > > > if (async_copy) > > > > > cleanup_async_copy(async_copy); > > > > > status =3D nfserrno(-ENOMEM); > > > > > - if (nfsd4_ssc_is_inter(copy)) > > > > > - nfsd4_interssc_disconnect(copy->ss_mnt); > > > > > + /* > > > > > + * source's vfsmount of inter-copy will be unmounted > > > > > + * by the laundromat > > > > > + */ > > > > > goto out; > > > > > } > > > > > =20 > > > > This looks reasonable at first glance, but I have some concerns wit= h the > > > > refcounting around ss_mnt elsewhere in this code.=A0nfsd4_ssc_setup= _dul > > > > looks for an existing connection and bumps the ni->nsui_refcnt if i= t > > > > finds one. > > > >=20 > > > > But then later, nfsd4_cleanup_inter_ssc has a couple of cases where= it > > > > just does a bare mntput: > > > >=20 > > > > if (!nn) { > > > > mntput(ss_mnt); > > > > return; > > > > } > > > > ... > > > > if (!found) { > > > > mntput(ss_mnt); > > > > return; > > > > } > > > >=20 > > > > The first one looks bogus. Can net_generic return NULL? If so how, = and > > > > why is it not a problem elsewhere in the kernel? > > >=20 > > > it looks like net_generic can not fail, no where else check for NULL > > > so I will remove this check. > > >=20 > > > >=20 > > > > For the second case, if the ni is no longer on the list, where did = the > > > > extra ss_mnt reference come from? Maybe that should be a WARN_ON or > > > > BUG_ON? > > >=20 > > > if ni is not found on the list then it's a bug somewhere so I will ad= d > > > a BUG_ON on this. > > >=20 > >=20 > > Probably better to just WARN_ON and let any references leak in that > > case. A BUG_ON implies a panic in some environments, and it's best to > > avoid that unless there really is no choice. >=20 > WARN_ON also causes machines to boot that have panic_on_warn enabled. > Why not just handle the error and keep going? Why panic at all? >=20 Who the hell sets panic_on_warn (outside of testing environments)? I'm suggesting a WARN_ON because not finding an entry at this point represents a bug that we'd want reported. The caller should hold a reference to the object that holds a vfsmount reference. It relies on that vfsmount to do a copy. If it's gone at this point where we're releasing that reference, then we're looking at a refcounting bug of some sort. I would expect anyone who sets panic_on_warn to _desire_ a panic in this situation. After all, they asked for it. Presumably they want it to do some coredump analysis or something? It is debatable whether the stack trace at this point would be helpful though, so you might consider a pr_warn or something less log-spammy. --=20 Jeff Layton