mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-15 13:15:57 +00:00
f8c989a0c8
The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues: 1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below. ================================================================== BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd] Read of size 1 at addr ff11000010fdc120 by task cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_address_description.constprop.0+0x2c/0x3a0 print_report+0xb9/0x280 kasan_report+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`. ============================= WARNING: suspicious RCU usage 5.10.0-dirty #141 Not tainted ----------------------------- ... Call Trace: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period. Fixes: 9ceddd9da134 ("knfsd: Allow lockless lookups of the exports") Signed-off-by: Yang Erkun <yangerkun@huawei.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
137 lines
3.5 KiB
C
137 lines
3.5 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright (C) 1995-1997 Olaf Kirch <okir@monad.swb.de>
|
|
*/
|
|
#ifndef NFSD_EXPORT_H
|
|
#define NFSD_EXPORT_H
|
|
|
|
#include <linux/sunrpc/cache.h>
|
|
#include <linux/percpu_counter.h>
|
|
#include <uapi/linux/nfsd/export.h>
|
|
#include <linux/nfs4.h>
|
|
|
|
struct knfsd_fh;
|
|
struct svc_fh;
|
|
struct svc_rqst;
|
|
|
|
/*
|
|
* FS Locations
|
|
*/
|
|
|
|
#define MAX_FS_LOCATIONS 128
|
|
|
|
struct nfsd4_fs_location {
|
|
char *hosts; /* colon separated list of hosts */
|
|
char *path; /* slash separated list of path components */
|
|
};
|
|
|
|
struct nfsd4_fs_locations {
|
|
uint32_t locations_count;
|
|
struct nfsd4_fs_location *locations;
|
|
/* If we're not actually serving this data ourselves (only providing a
|
|
* list of replicas that do serve it) then we set "migrated": */
|
|
int migrated;
|
|
};
|
|
|
|
/*
|
|
* We keep an array of pseudoflavors with the export, in order from most
|
|
* to least preferred. For the foreseeable future, we don't expect more
|
|
* than the eight pseudoflavors null, unix, krb5, krb5i, krb5p, skpm3,
|
|
* spkm3i, and spkm3p (and using all 8 at once should be rare).
|
|
*/
|
|
#define MAX_SECINFO_LIST 8
|
|
#define EX_UUID_LEN 16
|
|
|
|
struct exp_flavor_info {
|
|
u32 pseudoflavor;
|
|
u32 flags;
|
|
};
|
|
|
|
/* Per-export stats */
|
|
enum {
|
|
EXP_STATS_FH_STALE,
|
|
EXP_STATS_IO_READ,
|
|
EXP_STATS_IO_WRITE,
|
|
EXP_STATS_COUNTERS_NUM
|
|
};
|
|
|
|
struct export_stats {
|
|
time64_t start_time;
|
|
struct percpu_counter counter[EXP_STATS_COUNTERS_NUM];
|
|
};
|
|
|
|
struct svc_export {
|
|
struct cache_head h;
|
|
struct auth_domain * ex_client;
|
|
int ex_flags;
|
|
int ex_fsid;
|
|
struct path ex_path;
|
|
kuid_t ex_anon_uid;
|
|
kgid_t ex_anon_gid;
|
|
unsigned char * ex_uuid; /* 16 byte fsid */
|
|
struct nfsd4_fs_locations ex_fslocs;
|
|
uint32_t ex_nflavors;
|
|
struct exp_flavor_info ex_flavors[MAX_SECINFO_LIST];
|
|
u32 ex_layout_types;
|
|
struct nfsd4_deviceid_map *ex_devid_map;
|
|
struct cache_detail *cd;
|
|
struct rcu_work ex_rcu_work;
|
|
unsigned long ex_xprtsec_modes;
|
|
struct export_stats *ex_stats;
|
|
};
|
|
|
|
/* an "export key" (expkey) maps a filehandlefragement to an
|
|
* svc_export for a given client. There can be several per export,
|
|
* for the different fsid types.
|
|
*/
|
|
struct svc_expkey {
|
|
struct cache_head h;
|
|
|
|
struct auth_domain * ek_client;
|
|
int ek_fsidtype;
|
|
u32 ek_fsid[6];
|
|
|
|
struct path ek_path;
|
|
struct rcu_work ek_rcu_work;
|
|
};
|
|
|
|
#define EX_ISSYNC(exp) (!((exp)->ex_flags & NFSEXP_ASYNC))
|
|
#define EX_NOHIDE(exp) ((exp)->ex_flags & NFSEXP_NOHIDE)
|
|
#define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES)
|
|
|
|
struct svc_cred;
|
|
int nfsexp_flags(struct svc_cred *cred, struct svc_export *exp);
|
|
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
|
|
bool may_bypass_gss);
|
|
|
|
/*
|
|
* Function declarations
|
|
*/
|
|
int nfsd_export_init(struct net *);
|
|
void nfsd_export_shutdown(struct net *);
|
|
void nfsd_export_flush(struct net *);
|
|
struct svc_export * rqst_exp_get_by_name(struct svc_rqst *,
|
|
struct path *);
|
|
struct svc_export * rqst_exp_parent(struct svc_rqst *,
|
|
struct path *);
|
|
struct svc_export * rqst_find_fsidzero_export(struct svc_rqst *);
|
|
int exp_rootfh(struct net *, struct auth_domain *,
|
|
char *path, struct knfsd_fh *, int maxsize);
|
|
__be32 exp_pseudoroot(struct svc_rqst *, struct svc_fh *);
|
|
|
|
static inline void exp_put(struct svc_export *exp)
|
|
{
|
|
cache_put(&exp->h, exp->cd);
|
|
}
|
|
|
|
static inline struct svc_export *exp_get(struct svc_export *exp)
|
|
{
|
|
cache_get(&exp->h);
|
|
return exp;
|
|
}
|
|
struct svc_export *rqst_exp_find(struct cache_req *reqp, struct net *net,
|
|
struct auth_domain *cl, struct auth_domain *gsscl,
|
|
int fsid_type, u32 *fsidv);
|
|
|
|
#endif /* NFSD_EXPORT_H */
|