tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

nvmet-auth: expire authentication sessions

Each authentication step is required to be completed within the
KATO interval (or two minutes if not set). So add a workqueue function
to reset the transaction ID and the expected next protocol step;
this will automatically the next authentication command referring
to the terminated authentication.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Hannes Reinecke and committed by
Jens Axboe 1a70200f 7a277c37

+21 -1
+1
drivers/nvme/target/auth.c
··· 218 218 219 219 void nvmet_auth_sq_free(struct nvmet_sq *sq) 220 220 { 221 + cancel_delayed_work(&sq->auth_expired_work); 221 222 kfree(sq->dhchap_c1); 222 223 sq->dhchap_c1 = NULL; 223 224 kfree(sq->dhchap_c2);
+19 -1
drivers/nvme/target/fabrics-cmd-auth.c
··· 12 12 #include <crypto/kpp.h> 13 13 #include "nvmet.h" 14 14 15 + static void nvmet_auth_expired_work(struct work_struct *work) 16 + { 17 + struct nvmet_sq *sq = container_of(to_delayed_work(work), 18 + struct nvmet_sq, auth_expired_work); 19 + 20 + pr_debug("%s: ctrl %d qid %d transaction %u expired, resetting\n", 21 + __func__, sq->ctrl->cntlid, sq->qid, sq->dhchap_tid); 22 + sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE; 23 + sq->dhchap_tid = -1; 24 + } 25 + 15 26 void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req) 16 27 { 17 28 u32 result = le32_to_cpu(req->cqe->result.u32); 18 29 19 30 /* Initialize in-band authentication */ 31 + INIT_DELAYED_WORK(&req->sq->auth_expired_work, 32 + nvmet_auth_expired_work); 20 33 req->sq->authenticated = false; 21 34 req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE; 22 35 result |= (u32)NVME_CONNECT_AUTHREQ_ATR << 16; ··· 346 333 req->cqe->result.u64 = 0; 347 334 nvmet_req_complete(req, status); 348 335 if (req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2 && 349 - req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) 336 + req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) { 337 + unsigned long auth_expire_secs = ctrl->kato ? ctrl->kato : 120; 338 + 339 + mod_delayed_work(system_wq, &req->sq->auth_expired_work, 340 + auth_expire_secs * HZ); 350 341 return; 342 + } 351 343 /* Final states, clear up variables */ 352 344 nvmet_auth_sq_free(req->sq); 353 345 if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
+1
drivers/nvme/target/nvmet.h
··· 109 109 u32 sqhd; 110 110 bool sqhd_disabled; 111 111 #ifdef CONFIG_NVME_TARGET_AUTH 112 + struct delayed_work auth_expired_work; 112 113 bool authenticated; 113 114 u16 dhchap_tid; 114 115 u16 dhchap_status;