Date: Thu, 21 Dec 2023 15:30:14 +0000
From: David Howells <dhowells@...hat.com>
To: torvalds@...ux-foundation.org
cc: dhowells@...hat.com, Markus Suvanto <markus.suvanto@...il.com>,
    Marc Dionne <marc.dionne@...istor.com>,
    Wang Lei <wang840925@...il.com>, Jeff Layton <jlayton@...hat.com>,
    Steve French <smfrench@...il.com>,
    Jarkko Sakkinen <jarkko@...nel.org>,
    "David S. Miller" <davem@...emloft.net>,
    Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
    Paolo Abeni <pabeni@...hat.com>, linux-afs@...ts.infradead.org,
    keyrings@...r.kernel.org, linux-cifs@...r.kernel.org,
    linux-nfs@...r.kernel.org, ceph-devel@...r.kernel.org,
    netdev@...r.kernel.org, linux-fsdevel@...r.kernel.org,
    linux-kernel@...r.kernel.org
Subject: [GIT PULL] afs, dns: Fix dynamic root interaction with negative DNS

Hi Linus,

Could you apply this, please?  It's intended to improve the interaction of
arbitrary lookups in the AFS dynamic root that hit DNS lookup failures[1]
where kafs behaves differently from openafs and causes some applications to
fail that aren't expecting that.  Further, negative DNS results aren't
getting removed and are causing failures to persist.

 (1) Always delete unused (particularly negative) dentries as soon as
     possible so that they don't prevent future lookups from retrying.

 (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
     make them return ENOENT so that userspace doesn't get confused when
     stat succeeds but the following open on the looked up file then fails.

 (3) Fix key handling so that DNS lookup results are reclaimed almost as
     soon as they expire rather than sitting round either forever or for an
     additional 5 mins beyond a set expiry time returning EKEYEXPIRED.
     They persist for 1s as /bin/ls will do a second stat call if the first
     fails.

Reviewed-by: Jeffrey Altman <jaltman@...istor.com>

Thanks,
David

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637 [1]
Link: https://lore.kernel.org/r/20231211163412.2766147-1-dhowells@redhat.com/ # v1
Link: https://lore.kernel.org/r/20231211213233.2793525-1-dhowells@redhat.com/ # v2
Link: https://lore.kernel.org/r/20231212144611.3100234-1-dhowells@redhat.com/ # v3
Link: https://lore.kernel.org/r/20231221134558.1659214-1-dhowells@redhat.com/ # v4
---
The following changes since commit ceb6a6f023fd3e8b07761ed900352ef574010bcb:

  Linux 6.7-rc6 (2023-12-17 15:19:28 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/afs-fixes-20231221

for you to fetch changes up to 39299bdd2546688d92ed9db4948f6219ca1b9542:

  keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry (2023-12-21 13:47:38 +0000)

----------------------------------------------------------------
AFS fixes

----------------------------------------------------------------
David Howells (3):
      afs: Fix the dynamic root's d_delete to always delete unused dentries
      afs: Fix dynamic root lookup DNS check
      keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry

 fs/afs/dynroot.c           | 31 +++++++++++++++++--------------
 include/linux/key-type.h   |  1 +
 net/dns_resolver/dns_key.c | 10 +++++++++-
 security/keys/gc.c         | 31 +++++++++++++++++++++----------
 security/keys/internal.h   | 11 ++++++++++-
 security/keys/key.c        | 15 +++++----------
 security/keys/proc.c       |  2 +-
 7 files changed, 64 insertions(+), 37 deletions(-)

