lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Jun 2019 20:09:27 +0800 From: Wenbin Zeng <wenbin.zeng@...il.com> To: bfields@...ldses.org, davem@...emloft.net, viro@...iv.linux.org.uk Cc: jlayton@...nel.org, trond.myklebust@...merspace.com, anna.schumaker@...app.com, wenbinzeng@...cent.com, dsahern@...il.com, nicolas.dichtel@...nd.com, willy@...radead.org, edumazet@...gle.com, jakub.kicinski@...ronome.com, tyhicks@...onical.com, chuck.lever@...cle.com, neilb@...e.com, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, linux-nfs@...r.kernel.org Subject: [PATCH v3 0/3] auth_gss: netns refcount leaks when use-gss-proxy==1 This patch series fixes an auth_gss bug that results in netns refcount leaks when use-gss-proxy is set to 1. The problem was found in privileged docker containers with gssproxy service enabled and /proc/net/rpc/use-gss-proxy set to 1, the corresponding struct net->count ends up at 2 after container gets killed, the consequence is that the struct net cannot be freed. It turns out that write_gssp() called gssp_rpc_create() to create a rpc client, this increases net->count by 2; rpcsec_gss_exit_net() is supposed to decrease net->count but it never gets called because its call-path is: net->count==0 -> cleanup_net -> ops_exit_list -> rpcsec_gss_exit_net Before rpcsec_gss_exit_net() gets called, net->count cannot reach 0, this is a deadlock situation. To fix the problem, we must break the deadlock, rpcsec_gss_exit_net() should move out of the put() path and find another chance to get called, I think nsfs_evict() is a good place to go, when netns inode gets evicted we call rpcsec_gss_exit_net() to free the rpc client, this requires a new callback i.e. evict to be added in struct proc_ns_operations, and add netns_evict() as one of netns_operations as well. v1->v2: * in nsfs_evict(), move ->evict() in front of ->put() v2->v3: * rpcsec_gss_evict_net() directly call gss_svc_shutdown_net() regardless if gssp_clnt is null, this is exactly same to what rpcsec_gss_exit_net() previously did Wenbin Zeng (3): nsfs: add evict callback into struct proc_ns_operations netns: add netns_evict into netns_operations auth_gss: fix deadlock that blocks rpcsec_gss_exit_net when use-gss-proxy==1 fs/nsfs.c | 2 ++ include/linux/proc_ns.h | 1 + include/net/net_namespace.h | 1 + net/core/net_namespace.c | 12 ++++++++++++ net/sunrpc/auth_gss/auth_gss.c | 4 ++-- 5 files changed, 18 insertions(+), 2 deletions(-) -- 1.8.3.1
Powered by blists - more mailing lists