AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-22 19:03:28 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
d4b09acf92
linux_dsm_epyc7002/include/linux/sunrpc
History
Vasily Averin d4b09acf92 sunrpc: use-after-free in svc_process_common() 
if node have NFSv41+ mounts inside several net namespaces
it can lead to use-after-free in svc_process_common()

svc_process_common()
        /* Setup reply header */
        rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE

svc_process_common() can use incorrect rqstp->rq_xprt,
its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
The problem is that serv is global structure but sv_bc_xprt
is assigned per-netnamespace.

According to Trond, the whole "let's set up rqstp->rq_xprt
for the back channel" is nothing but a giant hack in order
to work around the fact that svc_process_common() uses it
to find the xpt_ops, and perform a couple of (meaningless
for the back channel) tests of xpt_flags.

All we really need in svc_process_common() is to be able to run
rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()

Bruce J Fields points that this xpo_prep_reply_hdr() call
is an awfully roundabout way just to do "svc_putnl(resv, 0);"
in the tcp case.

This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
now it calls svc_process_common() with rqstp->rq_xprt = NULL.

To adjust reply header svc_process_common() just check
rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.

To handle rqstp->rq_xprt = NULL case in functions called from
svc_process_common() patch intruduces net namespace pointer
svc_rqst->rq_bc_net and adjust SVC_NET() definition.
Some other function was also adopted to properly handle described case.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Cc: stable@vger.kernel.org
Fixes: 23c20ecd44 ("NFS: callback up - users counting cleanup")
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2018-12-27 21:00:58 -05:00
..
addr.h
auth_gss.h SUNRPC: The transmitted message must lie in the RPCSEC window of validity 2018-09-30 15:35:13 -04:00
auth.h SUNRPC: Convert the auth cred cache to use refcount_t 2018-10-23 12:24:33 -04:00
bc_xprt.h SUNRPC: Fix up the back channel transmit 2018-09-30 15:35:15 -04:00
cache.h SUNRPC: Replace the cache_detail->hash_lock with a regular spinlock 2018-10-29 16:58:04 -04:00
clnt.h NFSv4 client live hangs after live data migration recovery 2018-07-31 12:53:40 -04:00
debug.h
gss_api.h
gss_asn1.h
gss_err.h
gss_krb5_enctypes.h
gss_krb5.h NFS client bugfixes for Linux 4.20 2018-11-04 08:20:09 -08:00
metrics.h sunrpc: Change rpc_print_iostats to rpc_clnt_show_stats and handle rpc_clnt clones 2018-07-31 12:53:35 -04:00
msg_prot.h
rpc_pipe_fs.h remove rpc_rmdir() 2018-04-16 14:20:26 -04:00
rpc_rdma.h xprtrdma: Add proper SPDX tags for NetApp-contributed source 2018-05-07 09:20:03 -04:00
sched.h SUNRPC: Fix priority queue fairness 2018-09-30 15:35:16 -04:00
stats.h
svc_rdma.h svcrdma: Optimize the logic that selects the R_key to invalidate 2018-11-28 18:36:03 -05:00
svc_xprt.h SUNRPC: Clean up transport write space handling 2018-09-30 15:35:15 -04:00
svc.h sunrpc: use-after-free in svc_process_common() 2018-12-27 21:00:58 -05:00
svcauth_gss.h
svcauth.h SUNRPC: Add lockless lookup of the server's auth domain 2018-10-03 11:32:59 -04:00
svcsock.h
timer.h
types.h
xdr.h SUNRPC: Unexport xdr_partial_copy_from_skb() 2018-09-30 15:35:16 -04:00
xprt.h SUNRPC: Add a bvec array to struct xdr_buf for use with iovec_iter() 2018-09-30 15:35:16 -04:00
xprtmultipath.h
xprtrdma.h xprtrdma: Add proper SPDX tags for NetApp-contributed source 2018-05-07 09:20:03 -04:00
xprtsock.h SUNRPC: Simplify TCP receive code by switching to using iterators 2018-09-30 15:35:16 -04:00