Merge tag 'rxrpc-fixes-20191220' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

David Howells says:

====================
rxrpc: Fixes

Here are a couple of bugfixes plus a patch that makes one of the bugfixes
easier:

(1) Move the ping and mutex unlock on a new call from rxrpc_input_packet()
into rxrpc_new_incoming_call(), which it calls. This means the
lock-unlock section is entirely within the latter function. This
simplifies patch (2).

(2) Don't take the call->user_mutex at all in the softirq path. Mutexes
aren't allowed to be taken or released there and a patch was merged
that caused a warning to be emitted every time this happened. Looking
at the code again, it looks like that taking the mutex isn't actually
necessary, as the value of call->state will block access to the call.

(3) Fix the incoming call path to check incoming calls earlier to reject
calls to RPC services for which we don't have a security key of the
appropriate class. This avoids an assertion failure if YFS tries
making a secure call to the kafs cache manager RPC service.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 6 years ago ff43ae4b 7c3125f0

+85 -98

7 changed files

expand all

net

rxrpc

ar-internal.h

call_accept.c

conn_event.c

conn_service.c

input.c

rxkad.c

security.c

+7 -3

net/rxrpc/ar-internal.h

··· 209 209 struct rxrpc_security { 210 210 const char *name; /* name of this service */ 211 211 u8 security_index; /* security type provided */ 212 + u32 no_key_abort; /* Abort code indicating no key */ 212 213 213 214 /* Initialise a security service */ 214 215 int (*init)(void); ··· 978 977 struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *, 979 978 struct sk_buff *); 980 979 struct rxrpc_connection *rxrpc_prealloc_service_connection(struct rxrpc_net *, gfp_t); 981 - void rxrpc_new_incoming_connection(struct rxrpc_sock *, 982 - struct rxrpc_connection *, struct sk_buff *); 980 + void rxrpc_new_incoming_connection(struct rxrpc_sock *, struct rxrpc_connection *, 981 + const struct rxrpc_security *, struct key *, 982 + struct sk_buff *); 983 983 void rxrpc_unpublish_service_conn(struct rxrpc_connection *); 984 984 985 985 /* ··· 1105 1103 int __init rxrpc_init_security(void); 1106 1104 void rxrpc_exit_security(void); 1107 1105 int rxrpc_init_client_conn_security(struct rxrpc_connection *); 1108 - int rxrpc_init_server_conn_security(struct rxrpc_connection *); 1106 + bool rxrpc_look_up_server_security(struct rxrpc_local *, struct rxrpc_sock *, 1107 + const struct rxrpc_security **, struct key **, 1108 + struct sk_buff *); 1109 1109 1110 1110 /* 1111 1111 * sendmsg.c

+37 -23

net/rxrpc/call_accept.c

··· 240 240 } 241 241 242 242 /* 243 + * Ping the other end to fill our RTT cache and to retrieve the rwind 244 + * and MTU parameters. 245 + */ 246 + static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb) 247 + { 248 + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 249 + ktime_t now = skb->tstamp; 250 + 251 + if (call->peer->rtt_usage < 3 || 252 + ktime_before(ktime_add_ms(call->peer->rtt_last_req, 1000), now)) 253 + rxrpc_propose_ACK(call, RXRPC_ACK_PING, sp->hdr.serial, 254 + true, true, 255 + rxrpc_propose_ack_ping_for_params); 256 + } 257 + 258 + /* 243 259 * Allocate a new incoming call from the prealloc pool, along with a connection 244 260 * and a peer as necessary. 245 261 */ ··· 263 247 struct rxrpc_local *local, 264 248 struct rxrpc_peer *peer, 265 249 struct rxrpc_connection *conn, 250 + const struct rxrpc_security *sec, 251 + struct key *key, 266 252 struct sk_buff *skb) 267 253 { 268 254 struct rxrpc_backlog *b = rx->backlog; ··· 312 294 conn->params.local = rxrpc_get_local(local); 313 295 conn->params.peer = peer; 314 296 rxrpc_see_connection(conn); 315 - rxrpc_new_incoming_connection(rx, conn, skb); 297 + rxrpc_new_incoming_connection(rx, conn, sec, key, skb); 316 298 } else { 317 299 rxrpc_get_connection(conn); 318 300 } ··· 351 333 struct sk_buff *skb) 352 334 { 353 335 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 336 + const struct rxrpc_security *sec = NULL; 354 337 struct rxrpc_connection *conn; 355 338 struct rxrpc_peer *peer = NULL; 356 - struct rxrpc_call *call; 339 + struct rxrpc_call *call = NULL; 340 + struct key *key = NULL; 357 341 358 342 _enter(""); 359 343 ··· 366 346 sp->hdr.seq, RX_INVALID_OPERATION, ESHUTDOWN); 367 347 skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; 368 348 skb->priority = RX_INVALID_OPERATION; 369 - _leave(" = NULL [close]"); 370 - call = NULL; 371 - goto out; 349 + goto no_call; 372 350 } 373 351 374 352 /* The peer, connection and call may all have sprung into existence due ··· 376 358 */ 377 359 conn = rxrpc_find_connection_rcu(local, skb, &peer); 378 360 379 - call = rxrpc_alloc_incoming_call(rx, local, peer, conn, skb); 361 + if (!conn && !rxrpc_look_up_server_security(local, rx, &sec, &key, skb)) 362 + goto no_call; 363 + 364 + call = rxrpc_alloc_incoming_call(rx, local, peer, conn, sec, key, skb); 365 + key_put(key); 380 366 if (!call) { 381 367 skb->mark = RXRPC_SKB_MARK_REJECT_BUSY; 382 - _leave(" = NULL [busy]"); 383 - call = NULL; 384 - goto out; 368 + goto no_call; 385 369 } 386 370 387 371 trace_rxrpc_receive(call, rxrpc_receive_incoming, 388 372 sp->hdr.serial, sp->hdr.seq); 389 - 390 - /* Lock the call to prevent rxrpc_kernel_send/recv_data() and 391 - * sendmsg()/recvmsg() inconveniently stealing the mutex once the 392 - * notification is generated. 393 - * 394 - * The BUG should never happen because the kernel should be well 395 - * behaved enough not to access the call before the first notification 396 - * event and userspace is prevented from doing so until the state is 397 - * appropriate. 398 - */ 399 - if (!mutex_trylock(&call->user_mutex)) 400 - BUG(); 401 373 402 374 /* Make the call live. */ 403 375 rxrpc_incoming_call(rx, call, skb); ··· 429 421 BUG(); 430 422 } 431 423 spin_unlock(&conn->state_lock); 424 + spin_unlock(&rx->incoming_lock); 425 + 426 + rxrpc_send_ping(call, skb); 432 427 433 428 if (call->state == RXRPC_CALL_SERVER_ACCEPTING) 434 429 rxrpc_notify_socket(call); ··· 444 433 rxrpc_put_call(call, rxrpc_call_put); 445 434 446 435 _leave(" = %p{%d}", call, call->debug_id); 447 - out: 448 - spin_unlock(&rx->incoming_lock); 449 436 return call; 437 + 438 + no_call: 439 + spin_unlock(&rx->incoming_lock); 440 + _leave(" = NULL [%u]", skb->mark); 441 + return NULL; 450 442 } 451 443 452 444 /*

+1 -15

net/rxrpc/conn_event.c

··· 376 376 _enter("{%d}", conn->debug_id); 377 377 378 378 ASSERT(conn->security_ix != 0); 379 - 380 - if (!conn->params.key) { 381 - _debug("set up security"); 382 - ret = rxrpc_init_server_conn_security(conn); 383 - switch (ret) { 384 - case 0: 385 - break; 386 - case -ENOENT: 387 - abort_code = RX_CALL_DEAD; 388 - goto abort; 389 - default: 390 - abort_code = RXKADNOAUTH; 391 - goto abort; 392 - } 393 - } 379 + ASSERT(conn->server_key); 394 380 395 381 if (conn->security->issue_challenge(conn) < 0) { 396 382 abort_code = RX_CALL_DEAD;

net/rxrpc/conn_service.c

··· 148 148 */ 149 149 void rxrpc_new_incoming_connection(struct rxrpc_sock *rx, 150 150 struct rxrpc_connection *conn, 151 + const struct rxrpc_security *sec, 152 + struct key *key, 151 153 struct sk_buff *skb) 152 154 { 153 155 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); ··· 162 160 conn->service_id = sp->hdr.serviceId; 163 161 conn->security_ix = sp->hdr.securityIndex; 164 162 conn->out_clientflag = 0; 163 + conn->security = sec; 164 + conn->server_key = key_get(key); 165 165 if (conn->security_ix) 166 166 conn->state = RXRPC_CONN_SERVICE_UNSECURED; 167 167 else

-18

net/rxrpc/input.c

··· 193 193 } 194 194 195 195 /* 196 - * Ping the other end to fill our RTT cache and to retrieve the rwind 197 - * and MTU parameters. 198 - */ 199 - static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb) 200 - { 201 - struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 202 - ktime_t now = skb->tstamp; 203 - 204 - if (call->peer->rtt_usage < 3 || 205 - ktime_before(ktime_add_ms(call->peer->rtt_last_req, 1000), now)) 206 - rxrpc_propose_ACK(call, RXRPC_ACK_PING, sp->hdr.serial, 207 - true, true, 208 - rxrpc_propose_ack_ping_for_params); 209 - } 210 - 211 - /* 212 196 * Apply a hard ACK by advancing the Tx window. 213 197 */ 214 198 static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, ··· 1380 1396 call = rxrpc_new_incoming_call(local, rx, skb); 1381 1397 if (!call) 1382 1398 goto reject_packet; 1383 - rxrpc_send_ping(call, skb); 1384 - mutex_unlock(&call->user_mutex); 1385 1399 } 1386 1400 1387 1401 /* Process a call packet; this either discards or passes on the ref

+3 -2

net/rxrpc/rxkad.c

··· 648 648 u32 serial; 649 649 int ret; 650 650 651 - _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 651 + _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 652 652 653 - ret = key_validate(conn->params.key); 653 + ret = key_validate(conn->server_key); 654 654 if (ret < 0) 655 655 return ret; 656 656 ··· 1293 1293 const struct rxrpc_security rxkad = { 1294 1294 .name = "rxkad", 1295 1295 .security_index = RXRPC_SECURITY_RXKAD, 1296 + .no_key_abort = RXKADUNKNOWNKEY, 1296 1297 .init = rxkad_init, 1297 1298 .exit = rxkad_exit, 1298 1299 .init_connection_security = rxkad_init_connection_security,

+33 -37

net/rxrpc/security.c

··· 101 101 } 102 102 103 103 /* 104 - * initialise the security on a server connection 104 + * Find the security key for a server connection. 105 105 */ 106 - int rxrpc_init_server_conn_security(struct rxrpc_connection *conn) 106 + bool rxrpc_look_up_server_security(struct rxrpc_local *local, struct rxrpc_sock *rx, 107 + const struct rxrpc_security **_sec, 108 + struct key **_key, 109 + struct sk_buff *skb) 107 110 { 108 111 const struct rxrpc_security *sec; 109 - struct rxrpc_local *local = conn->params.local; 110 - struct rxrpc_sock *rx; 111 - struct key *key; 112 - key_ref_t kref; 112 + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 113 + key_ref_t kref = NULL; 113 114 char kdesc[5 + 1 + 3 + 1]; 114 115 115 116 _enter(""); 116 117 117 - sprintf(kdesc, "%u:%u", conn->service_id, conn->security_ix); 118 + sprintf(kdesc, "%u:%u", sp->hdr.serviceId, sp->hdr.securityIndex); 118 119 119 - sec = rxrpc_security_lookup(conn->security_ix); 120 + sec = rxrpc_security_lookup(sp->hdr.securityIndex); 120 121 if (!sec) { 121 - _leave(" = -ENOKEY [lookup]"); 122 - return -ENOKEY; 122 + trace_rxrpc_abort(0, "SVS", 123 + sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, 124 + RX_INVALID_OPERATION, EKEYREJECTED); 125 + skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; 126 + skb->priority = RX_INVALID_OPERATION; 127 + return false; 123 128 } 124 129 125 - /* find the service */ 126 - read_lock(&local->services_lock); 127 - rx = rcu_dereference_protected(local->service, 128 - lockdep_is_held(&local->services_lock)); 129 - if (rx && (rx->srx.srx_service == conn->service_id || 130 - rx->second_service == conn->service_id)) 131 - goto found_service; 130 + if (sp->hdr.securityIndex == RXRPC_SECURITY_NONE) 131 + goto out; 132 132 133 - /* the service appears to have died */ 134 - read_unlock(&local->services_lock); 135 - _leave(" = -ENOENT"); 136 - return -ENOENT; 137 - 138 - found_service: 139 133 if (!rx->securities) { 140 - read_unlock(&local->services_lock); 141 - _leave(" = -ENOKEY"); 142 - return -ENOKEY; 134 + trace_rxrpc_abort(0, "SVR", 135 + sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, 136 + RX_INVALID_OPERATION, EKEYREJECTED); 137 + skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; 138 + skb->priority = RX_INVALID_OPERATION; 139 + return false; 143 140 } 144 141 145 142 /* look through the service's keyring */ 146 143 kref = keyring_search(make_key_ref(rx->securities, 1UL), 147 144 &key_type_rxrpc_s, kdesc, true); 148 145 if (IS_ERR(kref)) { 149 - read_unlock(&local->services_lock); 150 - _leave(" = %ld [search]", PTR_ERR(kref)); 151 - return PTR_ERR(kref); 146 + trace_rxrpc_abort(0, "SVK", 147 + sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, 148 + sec->no_key_abort, EKEYREJECTED); 149 + skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; 150 + skb->priority = sec->no_key_abort; 151 + return false; 152 152 } 153 153 154 - key = key_ref_to_ptr(kref); 155 - read_unlock(&local->services_lock); 156 - 157 - conn->server_key = key; 158 - conn->security = sec; 159 - 160 - _leave(" = 0"); 161 - return 0; 154 + out: 155 + *_sec = sec; 156 + *_key = key_ref_to_ptr(kref); 157 + return true; 162 158 }