* [PATCH] libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
@ 2021-03-04 19:19 Scott Mayhew
  2021-03-04 19:30 ` Scott Mayhew
  2021-03-15 21:43 ` Steve Dickson
  0 siblings, 2 replies; 3+ messages in thread
From: Scott Mayhew @ 2021-03-04 19:19 UTC (permalink / raw)
  To: libtirpc-devel; +Cc: linux-nfs

Disallow calling auth_refresh from clnt_{dg,vc}_call if the client is
using RPCSEC_GSS.  Doing so can recurse back into clnt_{dg,vc}_call,
where we'll self-deadlock waiting on the condition variable.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 src/auth_gss.c       | 6 ++++++
 src/clnt_dg.c        | 8 ++++++++
 src/clnt_vc.c        | 9 +++++++++
 tirpc/rpc/auth_gss.h | 2 ++
 4 files changed, 25 insertions(+)

diff --git a/src/auth_gss.c b/src/auth_gss.c
index d871672..e317664 100644
--- a/src/auth_gss.c
+++ b/src/auth_gss.c
@@ -982,3 +982,9 @@ rpc_gss_max_data_length(AUTH *auth, int maxlen)
 	rpc_gss_clear_error();
 	return result;
 }
+
+bool_t
+is_authgss_client(CLIENT *clnt)
+{
+	return (clnt->cl_auth->ah_ops == &authgss_ops);
+}
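Review bot: is_authgss_client() dereferences `clnt->cl_auth` with no NULL check, and it has no comment saying what it is for. Both call sites added by this patch pass the `cl` argument of clnt_{dg,vc}_call, which presumably always carries an auth handle, but because the function is declared in a header it can be handed a client whose `cl_auth` was never set up. Writing `return (clnt != NULL && clnt->cl_auth != NULL && clnt->cl_auth->ah_ops == &authgss_ops);` makes that case return FALSE instead of faulting. A one-line comment above the definition, such as `/* TRUE if clnt's auth handle is RPCSEC_GSS (its ah_ops is authgss_ops). */`, would document the contract.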
diff --git a/src/clnt_dg.c b/src/clnt_dg.c
index abc09f1..e1255de 100644
--- a/src/clnt_dg.c
+++ b/src/clnt_dg.c
@@ -61,6 +61,9 @@
 #include <sys/uio.h>
 #endif
 
+#ifdef HAVE_RPCSEC_GSS
+#include <rpc/auth_gss.h>
+#endif
 
 #define MAX_DEFAULT_FDS                 20000
 
@@ -334,6 +337,11 @@ clnt_dg_call(cl, proc, xargs, argsp, xresults, resultsp, utimeout)
 		salen = cu->cu_rlen;
 	}
 
+#ifdef HAVE_RPCSEC_GSS
+	if (is_authgss_client(cl))
+		nrefreshes = 0;
+#endif
+
 	/* Clean up in case the last call ended in a longjmp(3) call. */
 call_again:
 	xdrs = &(cu->cu_outxdrs);
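Review bot: Zeroing `nrefreshes` for an RPCSEC_GSS client turns off the auth_refresh retry inside clnt_dg_call, and nothing at this site says why. The commit message gives the reason (the GSS refresh re-enters clnt_{dg,vc}_call and blocks on the condition variable), so a comment above the `#ifdef` such as `/* RPCSEC_GSS refresh re-enters clnt_call and would self-deadlock; do not refresh here */` would keep that visible to maintainers. Worth confirming as a side effect: a rejected or expired GSS context presumably now surfaces to the caller as an auth error instead of being re-established transparently, so callers must handle re-authentication themselves. The same applies to the `refreshes = 0` hunk in src/clnt_vc.c. clnt_dg_call's body starts and ends outside this hunk.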
diff --git a/src/clnt_vc.c b/src/clnt_vc.c
index 6f7f7da..a07e297 100644
--- a/src/clnt_vc.c
+++ b/src/clnt_vc.c
@@ -69,6 +69,10 @@
 #include "rpc_com.h"
 #include "clnt_fd_locks.h"
 
+#ifdef HAVE_RPCSEC_GSS
+#include <rpc/auth_gss.h>
+#endif
+
 #define MCALL_MSG_SIZE 24
 
 #define CMGROUP_MAX    16
@@ -363,6 +367,11 @@ clnt_vc_call(cl, proc, xdr_args, args_ptr, xdr_results, results_ptr, timeout)
 	    (xdr_results == NULL && timeout.tv_sec == 0
 	    && timeout.tv_usec == 0) ? FALSE : TRUE;
 
+#ifdef HAVE_RPCSEC_GSS
+	if (is_authgss_client(cl))
+		refreshes = 0;
+#endif
+
 call_again:
 	xdrs->x_op = XDR_ENCODE;
 	ct->ct_error.re_status = RPC_SUCCESS;
diff --git a/tirpc/rpc/auth_gss.h b/tirpc/rpc/auth_gss.h
index 5316ed6..f2af6e9 100644
--- a/tirpc/rpc/auth_gss.h
+++ b/tirpc/rpc/auth_gss.h
@@ -120,6 +120,8 @@ void	gss_log_debug		(const char *fmt, ...);
 void	gss_log_status		(char *m, OM_uint32 major, OM_uint32 minor);
 void	gss_log_hexdump		(const u_char *buf, int len, int offset);
 
+bool_t	is_authgss_client	(CLIENT *);
+
 #ifdef __cplusplus
 }
 #endif
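Review bot: The new prototype omits its parameter name, while the neighbouring declarations in this header keep theirs (`const char *fmt`, `char *m`, `const u_char *buf`); `bool_t	is_authgss_client	(CLIENT *clnt);` would match them. The name also lacks the `rpc_gss_`/`authgss_` prefix used by the other GSS symbols visible in this patch. tirpc/rpc/auth_gss.h looks like an installed header, so this helper would become visible to applications. If it is only meant for clnt_dg.c and clnt_vc.c, an internal header would be a better home.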
-- 
2.25.4



* Re: [PATCH] libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
  2021-03-04 19:19 [PATCH] libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Scott Mayhew
@ 2021-03-04 19:30 ` Scott Mayhew
  2021-03-15 21:43 ` Steve Dickson
  1 sibling, 0 replies; 3+ messages in thread
From: Scott Mayhew @ 2021-03-04 19:30 UTC (permalink / raw)
  To: libtirpc-devel; +Cc: linux-nfs

On Thu, 04 Mar 2021, Scott Mayhew wrote:

> Disallow calling auth_refresh from clnt_{dg,vc}_call if the client is
> using RPCSEC_GSS.  Doing so can recurse back into clnt_{dg,vc}_call,
> where we'll self-deadlock waiting on the condition variable.

Note this fixes the issue that some folks were having at the Virtual
Bakeathon where clients were hanging when mounting some servers that
didn't have krb5 configured.

-Scott

> 
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
> ---
>  src/auth_gss.c       | 6 ++++++
>  src/clnt_dg.c        | 8 ++++++++
>  src/clnt_vc.c        | 9 +++++++++
>  tirpc/rpc/auth_gss.h | 2 ++
>  4 files changed, 25 insertions(+)
> 
> diff --git a/src/auth_gss.c b/src/auth_gss.c
> index d871672..e317664 100644
> --- a/src/auth_gss.c
> +++ b/src/auth_gss.c
> @@ -982,3 +982,9 @@ rpc_gss_max_data_length(AUTH *auth, int maxlen)
>  	rpc_gss_clear_error();
>  	return result;
>  }
> +
> +bool_t
> +is_authgss_client(CLIENT *clnt)
> +{
> +	return (clnt->cl_auth->ah_ops == &authgss_ops);
> +}
> diff --git a/src/clnt_dg.c b/src/clnt_dg.c
> index abc09f1..e1255de 100644
> --- a/src/clnt_dg.c
> +++ b/src/clnt_dg.c
> @@ -61,6 +61,9 @@
>  #include <sys/uio.h>
>  #endif
>  
> +#ifdef HAVE_RPCSEC_GSS
> +#include <rpc/auth_gss.h>
> +#endif
>  
>  #define MAX_DEFAULT_FDS                 20000
>  
> @@ -334,6 +337,11 @@ clnt_dg_call(cl, proc, xargs, argsp, xresults, resultsp, utimeout)
>  		salen = cu->cu_rlen;
>  	}
>  
> +#ifdef HAVE_RPCSEC_GSS
> +	if (is_authgss_client(cl))
> +		nrefreshes = 0;
> +#endif
> +
>  	/* Clean up in case the last call ended in a longjmp(3) call. */
>  call_again:
>  	xdrs = &(cu->cu_outxdrs);
> diff --git a/src/clnt_vc.c b/src/clnt_vc.c
> index 6f7f7da..a07e297 100644
> --- a/src/clnt_vc.c
> +++ b/src/clnt_vc.c
> @@ -69,6 +69,10 @@
>  #include "rpc_com.h"
>  #include "clnt_fd_locks.h"
>  
> +#ifdef HAVE_RPCSEC_GSS
> +#include <rpc/auth_gss.h>
> +#endif
> +
>  #define MCALL_MSG_SIZE 24
>  
>  #define CMGROUP_MAX    16
> @@ -363,6 +367,11 @@ clnt_vc_call(cl, proc, xdr_args, args_ptr, xdr_results, results_ptr, timeout)
>  	    (xdr_results == NULL && timeout.tv_sec == 0
>  	    && timeout.tv_usec == 0) ? FALSE : TRUE;
>  
> +#ifdef HAVE_RPCSEC_GSS
> +	if (is_authgss_client(cl))
> +		refreshes = 0;
> +#endif
> +
>  call_again:
>  	xdrs->x_op = XDR_ENCODE;
>  	ct->ct_error.re_status = RPC_SUCCESS;
> diff --git a/tirpc/rpc/auth_gss.h b/tirpc/rpc/auth_gss.h
> index 5316ed6..f2af6e9 100644
> --- a/tirpc/rpc/auth_gss.h
> +++ b/tirpc/rpc/auth_gss.h
> @@ -120,6 +120,8 @@ void	gss_log_debug		(const char *fmt, ...);
>  void	gss_log_status		(char *m, OM_uint32 major, OM_uint32 minor);
>  void	gss_log_hexdump		(const u_char *buf, int len, int offset);
>  
> +bool_t	is_authgss_client	(CLIENT *);
> +
>  #ifdef __cplusplus
>  }
>  #endif
> -- 
> 2.25.4
> 



* Re: [PATCH] libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
  2021-03-04 19:19 [PATCH] libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Scott Mayhew
  2021-03-04 19:30 ` Scott Mayhew
@ 2021-03-15 21:43 ` Steve Dickson
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Dickson @ 2021-03-15 21:43 UTC (permalink / raw)
  To: Scott Mayhew, libtirpc-devel; +Cc: linux-nfs



On 3/4/21 2:19 PM, Scott Mayhew wrote:
> Disallow calling auth_refresh from clnt_{dg,vc}_call if the client is
> using RPCSEC_GSS.  Doing so can recurse back into clnt_{dg,vc}_call,
> where we'll self-deadlock waiting on the condition variable.
> 
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Committed... (tag: libtirpc-1-3-2-rc1)

steved.

> ---
>  src/auth_gss.c       | 6 ++++++
>  src/clnt_dg.c        | 8 ++++++++
>  src/clnt_vc.c        | 9 +++++++++
>  tirpc/rpc/auth_gss.h | 2 ++
>  4 files changed, 25 insertions(+)
> 
> diff --git a/src/auth_gss.c b/src/auth_gss.c
> index d871672..e317664 100644
> --- a/src/auth_gss.c
> +++ b/src/auth_gss.c
> @@ -982,3 +982,9 @@ rpc_gss_max_data_length(AUTH *auth, int maxlen)
>  	rpc_gss_clear_error();
>  	return result;
>  }
> +
> +bool_t
> +is_authgss_client(CLIENT *clnt)
> +{
> +	return (clnt->cl_auth->ah_ops == &authgss_ops);
> +}
> diff --git a/src/clnt_dg.c b/src/clnt_dg.c
> index abc09f1..e1255de 100644
> --- a/src/clnt_dg.c
> +++ b/src/clnt_dg.c
> @@ -61,6 +61,9 @@
>  #include <sys/uio.h>
>  #endif
>  
> +#ifdef HAVE_RPCSEC_GSS
> +#include <rpc/auth_gss.h>
> +#endif
>  
>  #define MAX_DEFAULT_FDS                 20000
>  
> @@ -334,6 +337,11 @@ clnt_dg_call(cl, proc, xargs, argsp, xresults, resultsp, utimeout)
>  		salen = cu->cu_rlen;
>  	}
>  
> +#ifdef HAVE_RPCSEC_GSS
> +	if (is_authgss_client(cl))
> +		nrefreshes = 0;
> +#endif
> +
>  	/* Clean up in case the last call ended in a longjmp(3) call. */
>  call_again:
>  	xdrs = &(cu->cu_outxdrs);
> diff --git a/src/clnt_vc.c b/src/clnt_vc.c
> index 6f7f7da..a07e297 100644
> --- a/src/clnt_vc.c
> +++ b/src/clnt_vc.c
> @@ -69,6 +69,10 @@
>  #include "rpc_com.h"
>  #include "clnt_fd_locks.h"
>  
> +#ifdef HAVE_RPCSEC_GSS
> +#include <rpc/auth_gss.h>
> +#endif
> +
>  #define MCALL_MSG_SIZE 24
>  
>  #define CMGROUP_MAX    16
> @@ -363,6 +367,11 @@ clnt_vc_call(cl, proc, xdr_args, args_ptr, xdr_results, results_ptr, timeout)
>  	    (xdr_results == NULL && timeout.tv_sec == 0
>  	    && timeout.tv_usec == 0) ? FALSE : TRUE;
>  
> +#ifdef HAVE_RPCSEC_GSS
> +	if (is_authgss_client(cl))
> +		refreshes = 0;
> +#endif
> +
>  call_again:
>  	xdrs->x_op = XDR_ENCODE;
>  	ct->ct_error.re_status = RPC_SUCCESS;
> diff --git a/tirpc/rpc/auth_gss.h b/tirpc/rpc/auth_gss.h
> index 5316ed6..f2af6e9 100644
> --- a/tirpc/rpc/auth_gss.h
> +++ b/tirpc/rpc/auth_gss.h
> @@ -120,6 +120,8 @@ void	gss_log_debug		(const char *fmt, ...);
>  void	gss_log_status		(char *m, OM_uint32 major, OM_uint32 minor);
>  void	gss_log_hexdump		(const u_char *buf, int len, int offset);
>  
> +bool_t	is_authgss_client	(CLIENT *);
> +
>  #ifdef __cplusplus
>  }
>  #endif
> 


