27 Sep, 2019

1 commit

  • Pull NFS client updates from Anna Schumaker:
    "Stable bugfixes:
    - Dequeue the request from the receive queue while we're re-encoding
    # v4.20+
    - Fix buffer handling of GSS MIC without slack # 5.1

    Features:
    - Increase xprtrdma maximum transport header and slot table sizes
    - Add support for nfs4_call_sync() calls using a custom
    rpc_task_struct
    - Optimize the default readahead size
    - Enable pNFS filelayout LAYOUTGET on OPEN

    Other bugfixes and cleanups:
    - Fix possible null-pointer dereferences and memory leaks
    - Various NFS over RDMA cleanups
    - Various NFS over RDMA comment updates
    - Don't receive TCP data into a reset request buffer
    - Don't try to parse incomplete RPC messages
    - Fix congestion window race with disconnect
    - Clean up pNFS return-on-close error handling
    - Fixes for NFS4ERR_OLD_STATEID handling"

    * tag 'nfs-for-5.4-1' of git://git.linux-nfs.org/projects/anna/linux-nfs: (53 commits)
    pNFS/filelayout: enable LAYOUTGET on OPEN
    NFS: Optimise the default readahead size
    NFSv4: Handle NFS4ERR_OLD_STATEID in LOCKU
    NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE
    NFSv4: Fix OPEN_DOWNGRADE error handling
    pNFS: Handle NFS4ERR_OLD_STATEID on layoutreturn by bumping the state seqid
    NFSv4: Add a helper to increment stateid seqids
    NFSv4: Handle RPC level errors in LAYOUTRETURN
    NFSv4: Handle NFS4ERR_DELAY correctly in return-on-close
    NFSv4: Clean up pNFS return-on-close error handling
    pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors
    NFS: remove unused check for negative dentry
    NFSv3: use nfs_add_or_obtain() to create and reference inodes
    NFS: Refactor nfs_instantiate() for dentry referencing callers
    SUNRPC: Fix congestion window race with disconnect
    SUNRPC: Don't try to parse incomplete RPC messages
    SUNRPC: Rename xdr_buf_read_netobj to xdr_buf_read_mic
    SUNRPC: Fix buffer handling of GSS MIC without slack
    SUNRPC: RPC level errors should always set task->tk_rpc_status
    SUNRPC: Don't receive TCP data into a request buffer that has been reset
    ...

    Linus Torvalds
     

21 Sep, 2019

1 commit


05 Sep, 2019

1 commit


16 May, 2019

1 commit

  • Pull nfsd updates from Bruce Fields:
    "This consists mostly of nfsd container work:

    Scott Mayhew revived an old api that communicates with a userspace
    daemon to manage some on-disk state that's used to track clients
    across server reboots. We've been using a usermode_helper upcall for
    that, but it's tough to run those with the right namespaces, so a
    daemon is much friendlier to container use cases.

    Trond fixed nfsd's handling of user credentials in user namespaces. He
    also contributed patches that allow containers to support different
    sets of NFS protocol versions.

    The only remaining container bug I'm aware of is that the NFS reply
    cache is shared between all containers. If anyone's aware of other
    gaps in our container support, let me know.

    The rest of this is miscellaneous bugfixes"

    * tag 'nfsd-5.2' of git://linux-nfs.org/~bfields/linux: (23 commits)
    nfsd: update callback done processing
    locks: move checks from locks_free_lock() to locks_release_private()
    nfsd: fh_drop_write in nfsd_unlink
    nfsd: allow fh_want_write to be called twice
    nfsd: knfsd must use the container user namespace
    SUNRPC: rsi_parse() should use the current user namespace
    SUNRPC: Fix the server AUTH_UNIX userspace mappings
    lockd: Pass the user cred from knfsd when starting the lockd server
    SUNRPC: Temporary sockets should inherit the cred from their parent
    SUNRPC: Cache the process user cred in the RPC server listener
    nfsd: Allow containers to set supported nfs versions
    nfsd: Add custom rpcbind callbacks for knfsd
    SUNRPC: Allow further customisation of RPC program registration
    SUNRPC: Clean up generic dispatcher code
    SUNRPC: Add a callback to initialise server requests
    SUNRPC/nfs: Fix return value for nfs4_callback_compound()
    nfsd: handle legacy client tracking records sent by nfsdcld
    nfsd: re-order client tracking method selection
    nfsd: keep a tally of RECLAIM_COMPLETE operations when using nfsdcld
    nfsd: un-deprecate nfsdcld
    ...

    Linus Torvalds
     

10 May, 2019

3 commits

  • Pull NFS client updates from Anna Schumaker:
    "Highlights include:

    Stable bugfixes:
    - Fall back to MDS if no deviceid is found rather than aborting # v4.11+
    - NFS4: Fix v4.0 client state corruption when mount

    Features:
    - Much improved handling of soft mounts with NFS v4.0:
    - Reduce risk of false positive timeouts
    - Faster failover of reads and writes after a timeout
    - Added a "softerr" mount option to return ETIMEDOUT instead of
    EIO to the application after a timeout
    - Increase number of xprtrdma backchannel requests
    - Add additional xprtrdma tracepoints
    - Improved send completion batching for xprtrdma

    Other bugfixes and cleanups:
    - Return -EINVAL when NFS v4.2 is passed an invalid dedup mode
    - Reduce usage of GFP_ATOMIC pages in SUNRPC
    - Various minor NFS over RDMA cleanups and bugfixes
    - Use the correct container namespace for upcalls
    - Don't share superblocks between user namespaces
    - Various other container fixes
    - Make nfs_match_client() killable to prevent soft lockups
    - Don't mark all open state for recovery when handling recallable
    state revoked flag"

    * tag 'nfs-for-5.2-1' of git://git.linux-nfs.org/projects/anna/linux-nfs: (69 commits)
    SUNRPC: Rebalance a kref in auth_gss.c
    NFS: Fix a double unlock from nfs_match,get_client
    nfs: pass the correct prototype to read_cache_page
    NFSv4: don't mark all open state for recovery when handling recallable state revoked flag
    SUNRPC: Fix an error code in gss_alloc_msg()
    SUNRPC: task should be exit if encode return EKEYEXPIRED more times
    NFS4: Fix v4.0 client state corruption when mount
    PNFS fallback to MDS if no deviceid found
    NFS: make nfs_match_client killable
    lockd: Store the lockd client credential in struct nlm_host
    NFS: When mounting, don't share filesystems between different user namespaces
    NFS: Convert NFSv2 to use the container user namespace
    NFSv4: Convert the NFS client idmapper to use the container user namespace
    NFS: Convert NFSv3 to use the container user namespace
    SUNRPC: Use namespace of listening daemon in the client AUTH_GSS upcall
    SUNRPC: Use the client user namespace when encoding creds
    NFS: Store the credential of the mount process in the nfs_server
    SUNRPC: Cache cred of process creating the rpc_client
    xprtrdma: Remove stale comment
    xprtrdma: Update comments that reference ib_drain_qp
    ...

    Linus Torvalds
     
  • Restore the kref_get that matches the gss_put_auth(gss_msg->auth)
    done by gss_release_msg().

    Fixes: ac83228a7101 ("SUNRPC: Use namespace of listening daemon ...")
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • If kstrdup_const() then this function returns zero (success) but it
    should return -ENOMEM.

    Fixes: ac83228a7101 ("SUNRPC: Use namespace of listening daemon in the client AUTH_GSS upcall")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Anna Schumaker

    Dan Carpenter
     

27 Apr, 2019

2 commits


26 Apr, 2019

1 commit


25 Apr, 2019

1 commit

  • The flags field in 'struct shash_desc' never actually does anything.
    The only ostensibly supported flag is CRYPTO_TFM_REQ_MAY_SLEEP.
    However, no shash algorithm ever sleeps, making this flag a no-op.

    With this being the case, inevitably some users who can't sleep wrongly
    pass MAY_SLEEP. These would all need to be fixed if any shash algorithm
    actually started sleeping. For example, the shash_ahash_*() functions,
    which wrap a shash algorithm with the ahash API, pass through MAY_SLEEP
    from the ahash API to the shash API. However, the shash functions are
    called under kmap_atomic(), so actually they're assumed to never sleep.

    Even if it turns out that some users do need preemption points while
    hashing large buffers, we could easily provide a helper function
    crypto_shash_update_large() which divides the data into smaller chunks
    and calls crypto_shash_update() and cond_resched() for each chunk. It's
    not necessary to have a flag in 'struct shash_desc', nor is it necessary
    to make individual shash algorithms aware of this at all.

    Therefore, remove shash_desc::flags, and document that the
    crypto_shash_*() functions can be called from any context.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

24 Apr, 2019

1 commit


03 Mar, 2019

1 commit


25 Feb, 2019

1 commit


16 Feb, 2019

1 commit

  • While trying to reproduce a reported kernel panic on arm64, I discovered
    that AUTH_GSS basically doesn't work at all with older enctypes on arm64
    systems with CONFIG_VMAP_STACK enabled. It turns out there still a few
    places using stack memory with scatterlists, causing krb5_encrypt() and
    krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
    is enabled).

    Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
    des3-cbc-sha1 and arcfour-hmac-md5.

    Signed-off-by: Scott Mayhew
    Cc: stable@vger.kernel.org
    Signed-off-by: J. Bruce Fields

    Scott Mayhew
     

15 Feb, 2019

2 commits

  • Currently rpc_inline_rcv_pages() uses au_rslack to estimate the
    size of the upper layer reply header. This is fine for auth flavors
    where au_verfsize == au_rslack.

    However, some auth flavors have more going on. krb5i for example has
    two more words after the verifier, and another blob following the
    RPC message. The calculation involving au_rslack pushes the upper
    layer reply header too far into the rcv_buf.

    au_rslack is still valuable: it's the amount of buffer space needed
    for the reply, and is used when allocating the reply buffer. We'll
    keep that.

    But, add a new field that can be used to properly estimate the
    location of the upper layer header in each RPC reply, based on the
    auth flavor in use.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • au_verfsize will be needed for a non-flavor-specific computation
    in a subsequent patch.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     

14 Feb, 2019

8 commits

  • Files under net/sunrpc/auth_gss/ do not yet have SPDX ID tags.
    This directory is somewhat complicated because most of these files
    have license boilerplate that is not strictly GPL 2.0.

    In this patch I add ID tags where there is an obvious match. The
    less recognizable licenses are still under research.

    For reference, SPDX IDs added in this patch correspond to the
    following license text:

    GPL-2.0 https://spdx.org/licenses/GPL-2.0.html
    GPL-2.0+ https://spdx.org/licenses/GPL-2.0+.html
    BSD-3-Clause https://spdx.org/licenses/BSD-3-Clause.html

    Cc: Simo Sorce
    Cc: Kate Stewart
    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • The key action of xdr_buf_trim() is that it shortens buf->len, the
    length of the xdr_buf's content. The other actions -- shortening the
    head, pages, and tail components -- are actually not necessary. In
    particular, changing the size of those components can corrupt the
    RPC message contained in the buffer. This is an accident waiting to
    happen rather than a current bug, as far as we know.

    Signed-off-by: Chuck Lever
    Acked-by: Bruce Fields
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • Add infrastructure for trace points in the RPC_AUTH_GSS kernel
    module, and add a few sample trace points. These report exceptional
    or unexpected events, and observe the assignment of GSS sequence
    numbers.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • Modernize and harden the code path that parses an RPC Reply
    message.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • Modernize and harden the code path that constructs each RPC Call
    message.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • Enable distributions to enforce the rejection of ancient and
    insecure Kerberos enctypes in the kernel's RPCSEC_GSS
    implementation. These are the single-DES encryption types that
    were deprecated in 2012 by RFC 6649.

    Enctypes that were deprecated more recently (by RFC 8429) remain
    fully supported for now because they are still likely to be widely
    used.

    Signed-off-by: Chuck Lever
    Acked-by: Simo Sorce
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • tsh_size was added to accommodate transports that send a pre-amble
    before each RPC message. However, this assumes the pre-amble is
    fixed in size, which isn't true for some transports. That makes
    tsh_size not very generic.

    Also I'd like to make the estimation of RPC send and receive
    buffer sizes more precise. tsh_size doesn't currently appear to be
    accounted for at all by call_allocate.

    Therefore let's just remove the tsh_size concept, and make the only
    transports that have a non-zero tsh_size employ a direct approach.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     
  • Having access to the controlling rpc_rqst means a trace point in the
    XDR code can report:

    - the XID
    - the task ID and client ID
    - the p_name of RPC being processed

    Subsequent patches will introduce such trace points.

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     

16 Jan, 2019

1 commit


03 Jan, 2019

3 commits

  • Pull NFS client updates from Anna Schumaker:
    "Stable bugfixes:
    - xprtrdma: Yet another double DMA-unmap # v4.20

    Features:
    - Allow some /proc/sys/sunrpc entries without CONFIG_SUNRPC_DEBUG
    - Per-xprt rdma receive workqueues
    - Drop support for FMR memory registration
    - Make port= mount option optional for RDMA mounts

    Other bugfixes and cleanups:
    - Remove unused nfs4_xdev_fs_type declaration
    - Fix comments for behavior that has changed
    - Remove generic RPC credentials by switching to 'struct cred'
    - Fix crossing mountpoints with different auth flavors
    - Various xprtrdma fixes from testing and auditing the close code
    - Fixes for disconnect issues when using xprtrdma with krb5
    - Clean up and improve xprtrdma trace points
    - Fix NFS v4.2 async copy reboot recovery"

    * tag 'nfs-for-4.21-1' of git://git.linux-nfs.org/projects/anna/linux-nfs: (63 commits)
    sunrpc: convert to DEFINE_SHOW_ATTRIBUTE
    sunrpc: Add xprt after nfs4_test_session_trunk()
    sunrpc: convert unnecessary GFP_ATOMIC to GFP_NOFS
    sunrpc: handle ENOMEM in rpcb_getport_async
    NFS: remove unnecessary test for IS_ERR(cred)
    xprtrdma: Prevent leak of rpcrdma_rep objects
    NFSv4.2 fix async copy reboot recovery
    xprtrdma: Don't leak freed MRs
    xprtrdma: Add documenting comment for rpcrdma_buffer_destroy
    xprtrdma: Replace outdated comment for rpcrdma_ep_post
    xprtrdma: Update comments in frwr_op_send
    SUNRPC: Fix some kernel doc complaints
    SUNRPC: Simplify defining common RPC trace events
    NFS: Fix NFSv4 symbolic trace point output
    xprtrdma: Trace mapping, alloc, and dereg failures
    xprtrdma: Add trace points for calls to transport switch methods
    xprtrdma: Relocate the xprtrdma_mr_map trace points
    xprtrdma: Clean up of xprtrdma chunk trace points
    xprtrdma: Remove unused fields from rpcrdma_ia
    xprtrdma: Cull dprintk() call sites
    ...

    Linus Torvalds
     
  • Pull nfsd updates from Bruce Fields:
    "Thanks to Vasily Averin for fixing a use-after-free in the
    containerized NFSv4.2 client, and cleaning up some convoluted
    backchannel server code in the process.

    Otherwise, miscellaneous smaller bugfixes and cleanup"

    * tag 'nfsd-4.21' of git://linux-nfs.org/~bfields/linux: (25 commits)
    nfs: fixed broken compilation in nfs_callback_up_net()
    nfs: minor typo in nfs4_callback_up_net()
    sunrpc: fix debug message in svc_create_xprt()
    sunrpc: make visible processing error in bc_svc_process()
    sunrpc: remove unused xpo_prep_reply_hdr callback
    sunrpc: remove svc_rdma_bc_class
    sunrpc: remove svc_tcp_bc_class
    sunrpc: remove unused bc_up operation from rpc_xprt_ops
    sunrpc: replace svc_serv->sv_bc_xprt by boolean flag
    sunrpc: use-after-free in svc_process_common()
    sunrpc: use SVC_NET() in svcauth_gss_* functions
    nfsd: drop useless LIST_HEAD
    lockd: Show pid of lockd for remote locks
    NFSD remove OP_CACHEME from 4.2 op_flags
    nfsd: Return EPERM, not EACCES, in some SETATTR cases
    sunrpc: fix cache_head leak due to queued request
    nfsd: clean up indentation, increase indentation in switch statement
    svcrdma: Optimize the logic that selects the R_key to invalidate
    nfsd: fix a warning in __cld_pipe_upcall()
    nfsd4: fix crash on writing v4_end_grace before nfsd startup
    ...

    Linus Torvalds
     
  • Clean up some warnings observed when building with "make W=1".

    Signed-off-by: Chuck Lever
    Signed-off-by: Anna Schumaker

    Chuck Lever
     

28 Dec, 2018

1 commit


20 Dec, 2018

6 commits

  • Just use ->cr_cred->fsuid directly.

    Signed-off-by: NeilBrown
    Signed-off-by: Anna Schumaker

    NeilBrown
     
  • This now always just does get_rpccred(), so we
    don't need an operation pointer to know to do that.

    Signed-off-by: NeilBrown
    Signed-off-by: Anna Schumaker

    NeilBrown
     
  • NFS needs to know when a credential is about to expire so that
    it can modify write-back behaviour to finish the write inside the
    expiry time.
    It currently uses functions in SUNRPC code which make use of a
    fairly complex callback scheme and flags in the generic credientials.

    As I am working to discard the generic credentials, this has to change.

    This patch moves the logic into NFS, in part by finding and caching
    the low-level credential in the open_context. We then make direct
    cred-api calls on that.

    This makes the code much simpler and removes a dependency on generic
    rpc credentials.

    Signed-off-by: NeilBrown
    Signed-off-by: Anna Schumaker

    NeilBrown
     
  • The cred is a machine_cred iff ->principal is set, so there is no
    need for the extra flag.

    There is one case which deserves some
    explanation. nfs4_root_machine_cred() calls rpc_lookup_machine_cred()
    with a NULL principal name which results in not getting a machine
    credential, but getting a root credential instead.
    This appears to be what is expected of the caller, and is
    clearly the result provided by both auth_unix and auth_gss
    which already ignore the flag.

    Signed-off-by: NeilBrown
    Signed-off-by: Anna Schumaker

    NeilBrown
     
  • Use cred->fsuid and cred->fsgid instead.

    Signed-off-by: NeilBrown
    Signed-off-by: Anna Schumaker

    NeilBrown
     
  • The SUNRPC credential framework was put together before
    Linux has 'struct cred'. Now that we have it, it makes sense to
    use it.
    This first step just includes a suitable 'struct cred *' pointer
    in every 'struct auth_cred' and almost every 'struct rpc_cred'.

    The rpc_cred used for auth_null has a NULL 'struct cred *' as nothing
    else really makes sense.

    For rpc_cred, the pointer is reference counted.
    For auth_cred it isn't. struct auth_cred are either allocated on
    the stack, in which case the thread owns a reference to the auth,
    or are part of 'struct generic_cred' in which case gc_base owns the
    reference, and "acred" shares it.

    Signed-off-by: NeilBrown
    Signed-off-by: Anna Schumaker

    NeilBrown
     

02 Dec, 2018

1 commit

  • call_encode can be invoked more than once per RPC call. Ensure that
    each call to gss_wrap_req_priv does not overwrite pointers to
    previously allocated memory.

    Signed-off-by: Chuck Lever
    Cc: stable@kernel.org
    Signed-off-by: Trond Myklebust

    Chuck Lever
     

13 Nov, 2018

1 commit

  • Commit 07d02a67b7fa causes a use-after free in the RPCSEC_GSS credential
    destroy code, because the call to get_rpccred() in gss_destroying_context()
    will now always fail to increment the refcount.

    While we could just replace the get_rpccred() with a refcount_set(), that
    would have the unfortunate consequence of resurrecting a credential in
    the credential cache for which we are in the process of destroying the
    RPCSEC_GSS context. Rather than do this, we choose to make a copy that
    is never added to the cache and use that to destroy the context.

    Fixes: 07d02a67b7fa ("SUNRPC: Simplify lookup code")
    Signed-off-by: Trond Myklebust

    Trond Myklebust
     

05 Nov, 2018

1 commit


02 Nov, 2018

1 commit

  • The seq_send & seq_send64 fields in struct krb5_ctx are used as
    atomically incrementing counters. This is implemented using cmpxchg() &
    cmpxchg64() to implement what amount to custom versions of
    atomic_fetch_inc() & atomic64_fetch_inc().

    Besides the duplication, using cmpxchg64() has another major drawback in
    that some 32 bit architectures don't provide it. As such commit
    571ed1fd2390 ("SUNRPC: Replace krb5_seq_lock with a lockless scheme")
    resulted in build failures for some architectures.

    Change seq_send to be an atomic_t and seq_send64 to be an atomic64_t,
    then use atomic(64)_* functions to manipulate the values. The atomic64_t
    type & associated functions are provided even on architectures which
    lack real 64 bit atomic memory access via CONFIG_GENERIC_ATOMIC64 which
    uses spinlocks to serialize access. This fixes the build failures for
    architectures lacking cmpxchg64().

    A potential alternative that was raised would be to provide cmpxchg64()
    on the 32 bit architectures that currently lack it, using spinlocks.
    However this would provide a version of cmpxchg64() with semantics a
    little different to the implementations on architectures with real 64
    bit atomics - the spinlock-based implementation would only work if all
    access to the memory used with cmpxchg64() is *always* performed using
    cmpxchg64(). That is not currently a requirement for users of
    cmpxchg64(), and making it one seems questionable. As such avoiding
    cmpxchg64() outside of architecture-specific code seems best,
    particularly in cases where atomic64_t seems like a better fit anyway.

    The CONFIG_GENERIC_ATOMIC64 implementation of atomic64_* functions will
    use spinlocks & so faces the same issue, but with the key difference
    that the memory backing an atomic64_t ought to always be accessed via
    the atomic64_* functions anyway making the issue moot.

    Signed-off-by: Paul Burton
    Fixes: 571ed1fd2390 ("SUNRPC: Replace krb5_seq_lock with a lockless scheme")
    Cc: Trond Myklebust
    Cc: Anna Schumaker
    Cc: J. Bruce Fields
    Cc: Jeff Layton
    Cc: David S. Miller
    Cc: linux-nfs@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Signed-off-by: Trond Myklebust

    Paul Burton