lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c9370f6fde62205356f4c864891a3c35ef811877.camel@kernel.org>
Date:   Wed, 02 Aug 2023 14:15:55 -0400
From:   Jeff Layton <jlayton@...nel.org>
To:     dai.ngo@...cle.com, Chuck Lever <chuck.lever@...cle.com>,
        Neil Brown <neilb@...e.de>,
        Olga Kornievskaia <kolga@...app.com>,
        Tom Talpey <tom@...pey.com>
Cc:     linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] nfsd: don't hand out write delegations on O_WRONLY
 opens

On Wed, 2023-08-02 at 09:29 -0700, dai.ngo@...cle.com wrote:
> On 8/1/23 6:33 AM, Jeff Layton wrote:
> > I noticed that xfstests generic/001 was failing against linux-next nfsd.
> > 
> > The client would request a OPEN4_SHARE_ACCESS_WRITE open, and the server
> > would hand out a write delegation. The client would then try to use that
> > write delegation as the source stateid in a COPY
> 
> not sure why the client opens the source file of a COPY operation with
> OPEN4_SHARE_ACCESS_WRITE?
> 

It doesn't. The original open is to write the data for the file being
copied. It then opens the file again for READ, but since it has a write
delegation, it doesn't need to talk to the server at all -- it can just
use that stateid for later operations.

> >   or CLONE operation, and
> > the server would respond with NFS4ERR_STALE.
> 
> If the server does not allow client to use write delegation for the
> READ, should the correct error return be NFS4ERR_OPENMODE?
> 

The server must allow the client to use a write delegation for read
operations. It's required by the spec, AFAIU.

The error in this case was just bogus. The vfs copy routine would return
-EBADF since the file didn't have FMODE_READ, and the nfs server would
translate that into NFS4ERR_STALE.

Probably there is a better v4 error code that we could translate EBADF
to, but with this patch it shouldn't be a problem any longer. 

> > 
> > The problem is that the struct file associated with the delegation does
> > not necessarily have read permissions. It's handing out a write
> > delegation on what is effectively an O_WRONLY open. RFC 8881 states:
> > 
> >   "An OPEN_DELEGATE_WRITE delegation allows the client to handle, on its
> >    own, all opens."
> > 
> > Given that the client didn't request any read permissions, and that nfsd
> > didn't check for any, it seems wrong to give out a write delegation.
> > 
> > Only hand out a write delegation if we have a O_RDWR descriptor
> > available. If it fails to find an appropriate write descriptor, go
> > ahead and try for a read delegation if NFS4_SHARE_ACCESS_READ was
> > requested.
> > 
> > This fixes xfstest generic/001.
> > 
> > Closes: https://bugzilla.linux-nfs.org/show_bug.cgi?id=412
> > Signed-off-by: Jeff Layton <jlayton@...nel.org>
> > ---
> > Changes in v2:
> > - Rework the logic when finding struct file for the delegation. The
> >    earlier patch might still have attached a O_WRONLY file to the deleg
> >    in some cases, and could still have handed out a write delegation on
> >    an O_WRONLY OPEN request in some cases.
> > ---
> >   fs/nfsd/nfs4state.c | 29 ++++++++++++++++++-----------
> >   1 file changed, 18 insertions(+), 11 deletions(-)
> > 
> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> > index ef7118ebee00..e79d82fd05e7 100644
> > --- a/fs/nfsd/nfs4state.c
> > +++ b/fs/nfsd/nfs4state.c
> > @@ -5449,7 +5449,7 @@ nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
> >   	struct nfs4_file *fp = stp->st_stid.sc_file;
> >   	struct nfs4_clnt_odstate *odstate = stp->st_clnt_odstate;
> >   	struct nfs4_delegation *dp;
> > -	struct nfsd_file *nf;
> > +	struct nfsd_file *nf = NULL;
> >   	struct file_lock *fl;
> >   	u32 dl_type;
> >   
> > @@ -5461,21 +5461,28 @@ nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
> >   	if (fp->fi_had_conflict)
> >   		return ERR_PTR(-EAGAIN);
> >   
> > -	if (open->op_share_access & NFS4_SHARE_ACCESS_WRITE) {
> > -		nf = find_writeable_file(fp);
> > +	/*
> > +	 * Try for a write delegation first. We need an O_RDWR file
> > +	 * since a write delegation allows the client to perform any open
> > +	 * from its cache.
> > +	 */
> > +	if ((open->op_share_access & NFS4_SHARE_ACCESS_BOTH) == NFS4_SHARE_ACCESS_BOTH) {
> > +		nf = nfsd_file_get(fp->fi_fds[O_RDWR]);
> >   		dl_type = NFS4_OPEN_DELEGATE_WRITE;
> > -	} else {
> 
> Does this mean OPEN4_SHARE_ACCESS_WRITE do not get a write delegation?
> It does not seem right.
> 
> -Dai
> 

Why? Per RFC 8881:

"An OPEN_DELEGATE_WRITE delegation allows the client to handle, on its
own, all opens."

All opens. That includes read opens.

An OPEN4_SHARE_ACCESS_WRITE open will succeed on a file to which the
user has no read permissions. Therefore, we can't grant a write
delegation since can't guarantee that the user is allowed to do that.


> > +	}
> > +
> > +	/*
> > +	 * If the file is being opened O_RDONLY or we couldn't get a O_RDWR
> > +	 * file for some reason, then try for a read deleg instead.
> > +	 */
> > +	if (!nf && (open->op_share_access & NFS4_SHARE_ACCESS_READ)) {
> >   		nf = find_readable_file(fp);
> >   		dl_type = NFS4_OPEN_DELEGATE_READ;
> >   	}
> > -	if (!nf) {
> > -		/*
> > -		 * We probably could attempt another open and get a read
> > -		 * delegation, but for now, don't bother until the
> > -		 * client actually sends us one.
> > -		 */
> > +
> > +	if (!nf)
> >   		return ERR_PTR(-EAGAIN);
> > -	}
> > +
> >   	spin_lock(&state_lock);
> >   	spin_lock(&fp->fi_lock);
> >   	if (nfs4_delegation_exists(clp, fp))
> > 
> > ---
> > base-commit: a734662572708cf062e974f659ae50c24fc1ad17
> > change-id: 20230731-wdeleg-bbdb6b25a3c6
> > 
> > Best regards,

-- 
Jeff Layton <jlayton@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ