tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

afs: Fix delayed allocation of a cell's anonymous key

The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.

The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.

This has been made more likely to happen by the fix for dynamic lookup
failure.

Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
request_key().

Secondly, the anon key is now allocated on demand at the point a key is
requested in afs_request_key() if it is not already allocated. A mutex is
used to prevent multiple allocation for a cell.

Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't
yet allocated (if we need it) and then the caller can return -ECHILD to
drop out of RCU-mode and afs_request_key() can be called.

Note that the anonymous key is kind of necessary to make the key lookup
cache work as that doesn't currently cache a negative lookup, but it's
probably worth some investigation to see if NULL can be used instead.

Fixes: 330e2c514823 ("afs: Fix dynamic lookup to fail on cell lookup failure")
Reported-by: syzbot+41c68824eefb67cdf00c@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/800328.1764325145@warthog.procyon.org.uk
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by David Howells and committed by Christian Brauner d27c7125 e9c70084

options
unified split
Changed files
+49 -43
fs
afs
cell.c
internal.h
security.c
+8 -35
fs/afs/cell.c
··· 140 140 return ERR_PTR(-ENOMEM); 141 141 } 142 142 143 - cell->name = kmalloc(1 + namelen + 1, GFP_KERNEL); 143 + /* Allocate the cell name and the key name in one go. */ 144 + cell->name = kmalloc(1 + namelen + 1 + 145 + 4 + namelen + 1, GFP_KERNEL); 144 146 if (!cell->name) { 145 147 kfree(cell); 146 148 return ERR_PTR(-ENOMEM); ··· 153 151 cell->name_len = namelen; 154 152 for (i = 0; i < namelen; i++) 155 153 cell->name[i] = tolower(name[i]); 156 - cell->name[i] = 0; 154 + cell->name[i++] = 0; 155 + 156 + cell->key_desc = cell->name + i; 157 + memcpy(cell->key_desc, "afs@", 4); 158 + memcpy(cell->key_desc + 4, cell->name, cell->name_len + 1); 157 159 158 160 cell->net = net; 159 161 refcount_set(&cell->ref, 1); ··· 717 711 } 718 712 719 713 /* 720 - * Allocate a key to use as a placeholder for anonymous user security. 721 - */ 722 - static int afs_alloc_anon_key(struct afs_cell *cell) 723 - { 724 - struct key *key; 725 - char keyname[4 + AFS_MAXCELLNAME + 1], *cp, *dp; 726 - 727 - /* Create a key to represent an anonymous user. */ 728 - memcpy(keyname, "afs@", 4); 729 - dp = keyname + 4; 730 - cp = cell->name; 731 - do { 732 - *dp++ = tolower(*cp); 733 - } while (*cp++); 734 - 735 - key = rxrpc_get_null_key(keyname); 736 - if (IS_ERR(key)) 737 - return PTR_ERR(key); 738 - 739 - cell->anonymous_key = key; 740 - 741 - _debug("anon key %p{%x}", 742 - cell->anonymous_key, key_serial(cell->anonymous_key)); 743 - return 0; 744 - } 745 - 746 - /* 747 714 * Activate a cell. 748 715 */ 749 716 static int afs_activate_cell(struct afs_net *net, struct afs_cell *cell) ··· 724 745 struct hlist_node **p; 725 746 struct afs_cell *pcell; 726 747 int ret; 727 - 728 - if (!cell->anonymous_key) { 729 - ret = afs_alloc_anon_key(cell); 730 - if (ret < 0) 731 - return ret; 732 - } 733 748 734 749 ret = afs_proc_cell_setup(cell); 735 750 if (ret < 0)
+1
fs/afs/internal.h
··· 413 413 414 414 u8 name_len; /* Length of name */ 415 415 char *name; /* Cell name, case-flattened and NUL-padded */ 416 + char *key_desc; /* Authentication key description */ 416 417 }; 417 418 418 419 /*
+40 -8
fs/afs/security.c
··· 16 16 17 17 static DEFINE_HASHTABLE(afs_permits_cache, 10); 18 18 static DEFINE_SPINLOCK(afs_permits_lock); 19 + static DEFINE_MUTEX(afs_key_lock); 20 + 21 + /* 22 + * Allocate a key to use as a placeholder for anonymous user security. 23 + */ 24 + static int afs_alloc_anon_key(struct afs_cell *cell) 25 + { 26 + struct key *key; 27 + 28 + mutex_lock(&afs_key_lock); 29 + if (!cell->anonymous_key) { 30 + key = rxrpc_get_null_key(cell->key_desc); 31 + if (!IS_ERR(key)) 32 + cell->anonymous_key = key; 33 + } 34 + mutex_unlock(&afs_key_lock); 35 + 36 + if (IS_ERR(key)) 37 + return PTR_ERR(key); 38 + 39 + _debug("anon key %p{%x}", 40 + cell->anonymous_key, key_serial(cell->anonymous_key)); 41 + return 0; 42 + } 19 43 20 44 /* 21 45 * get a key ··· 47 23 struct key *afs_request_key(struct afs_cell *cell) 48 24 { 49 25 struct key *key; 26 + int ret; 50 27 51 - _enter("{%x}", key_serial(cell->anonymous_key)); 28 + _enter("{%s}", cell->key_desc); 52 29 53 - _debug("key %s", cell->anonymous_key->description); 54 - key = request_key_net(&key_type_rxrpc, cell->anonymous_key->description, 30 + _debug("key %s", cell->key_desc); 31 + key = request_key_net(&key_type_rxrpc, cell->key_desc, 55 32 cell->net->net, NULL); 56 33 if (IS_ERR(key)) { 57 34 if (PTR_ERR(key) != -ENOKEY) { 58 35 _leave(" = %ld", PTR_ERR(key)); 59 36 return key; 37 + } 38 + 39 + if (!cell->anonymous_key) { 40 + ret = afs_alloc_anon_key(cell); 41 + if (ret < 0) 42 + return ERR_PTR(ret); 60 43 } 61 44 62 45 /* act as anonymous user */ ··· 83 52 { 84 53 struct key *key; 85 54 86 - _enter("{%x}", key_serial(cell->anonymous_key)); 55 + _enter("{%s}", cell->key_desc); 87 56 88 - _debug("key %s", cell->anonymous_key->description); 89 - key = request_key_net_rcu(&key_type_rxrpc, 90 - cell->anonymous_key->description, 57 + _debug("key %s", cell->key_desc); 58 + key = request_key_net_rcu(&key_type_rxrpc, cell->key_desc, 91 59 cell->net->net); 92 60 if (IS_ERR(key)) { 93 61 if (PTR_ERR(key) != -ENOKEY) { ··· 95 65 } 96 66 97 67 /* act as anonymous user */ 68 + if (!cell->anonymous_key) 69 + return NULL; /* Need to allocate */ 98 70 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 99 71 return key_get(cell->anonymous_key); 100 72 } else { ··· 440 408 441 409 if (mask & MAY_NOT_BLOCK) { 442 410 key = afs_request_key_rcu(vnode->volume->cell); 443 - if (IS_ERR(key)) 411 + if (IS_ERR_OR_NULL(key)) 444 412 return -ECHILD; 445 413 446 414 ret = -ECHILD;