lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 28 Aug 2021 19:26:30 +0800
From:   "wanghai (M)" <wanghai38@...wei.com>
To:     "J. Bruce Fields" <bfields@...ldses.org>,
        Wenbin Zeng <wenbin.zeng@...il.com>
CC:     <davem@...emloft.net>, <viro@...iv.linux.org.uk>,
        <jlayton@...nel.org>, <trond.myklebust@...merspace.com>,
        <anna.schumaker@...app.com>, <wenbinzeng@...cent.com>,
        <dsahern@...il.com>, <nicolas.dichtel@...nd.com>,
        <willy@...radead.org>, <edumazet@...gle.com>,
        <jakub.kicinski@...ronome.com>, <tyhicks@...onical.com>,
        <chuck.lever@...cle.com>, <neilb@...e.com>,
        <linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <netdev@...r.kernel.org>, <linux-nfs@...r.kernel.org>
Subject: Re: Re: [PATCH v3 0/3] auth_gss: netns refcount leaks when
 use-gss-proxy==1


在 2019/8/2 3:53, J. Bruce Fields 写道:
> I lost track, what happened to these patches?
>
> --b.
>
> On Wed, Jun 12, 2019 at 08:09:27PM +0800, Wenbin Zeng wrote:
>> This patch series fixes an auth_gss bug that results in netns refcount
>> leaks when use-gss-proxy is set to 1.
>>
>> The problem was found in privileged docker containers with gssproxy service
>> enabled and /proc/net/rpc/use-gss-proxy set to 1, the corresponding
>> struct net->count ends up at 2 after container gets killed, the consequence
>> is that the struct net cannot be freed.
>>
>> It turns out that write_gssp() called gssp_rpc_create() to create a rpc
>> client, this increases net->count by 2; rpcsec_gss_exit_net() is supposed
>> to decrease net->count but it never gets called because its call-path is:
>>          net->count==0 -> cleanup_net -> ops_exit_list -> rpcsec_gss_exit_net
>> Before rpcsec_gss_exit_net() gets called, net->count cannot reach 0, this
>> is a deadlock situation.
>>
>> To fix the problem, we must break the deadlock, rpcsec_gss_exit_net()
>> should move out of the put() path and find another chance to get called,
>> I think nsfs_evict() is a good place to go, when netns inode gets evicted
>> we call rpcsec_gss_exit_net() to free the rpc client, this requires a new
>> callback i.e. evict to be added in struct proc_ns_operations, and add
>> netns_evict() as one of netns_operations as well.
>>
>> v1->v2:
>>   * in nsfs_evict(), move ->evict() in front of ->put()
>> v2->v3:
>>   * rpcsec_gss_evict_net() directly call gss_svc_shutdown_net() regardless
>>     if gssp_clnt is null, this is exactly same to what rpcsec_gss_exit_net()
>>     previously did
>>
>> Wenbin Zeng (3):
>>    nsfs: add evict callback into struct proc_ns_operations
>>    netns: add netns_evict into netns_operations
>>    auth_gss: fix deadlock that blocks rpcsec_gss_exit_net when
>>      use-gss-proxy==1
>>
>>   fs/nsfs.c                      |  2 ++
>>   include/linux/proc_ns.h        |  1 +
>>   include/net/net_namespace.h    |  1 +
>>   net/core/net_namespace.c       | 12 ++++++++++++
>>   net/sunrpc/auth_gss/auth_gss.c |  4 ++--
>>   5 files changed, 18 insertions(+), 2 deletions(-)
>>
>> -- 
>> 1.8.3.1
These patchsets don't seem to merge into the mainline, are there any 
other patches that fix this bug?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ