linux-cifs.vger.kernel.org archive mirror
* Regarding EKEYEXPIRED error during dns_query
@ 2022-03-23 17:12 Shyam Prasad N
  2022-03-29 15:09 ` Shyam Prasad N
  0 siblings, 1 reply; 4+ messages in thread
From: Shyam Prasad N @ 2022-03-23 17:12 UTC
  To: David Howells, CIFS, Jeff Layton, Bharath SM

Hi David,

I was recently working on validating the recent fixes in cifs.ko and
key.dns_resolver.
However, I've stumbled on a different issue now.

The call to dns_query from cifs initially upcalls into userspace and
key.dns_resolver seems to resolve the name to an IPv4 address. This comes
back with an expiry value of 5 sec; so the key is set with a timeout of 5s.

However, at some later point, the IPv4 address changes for this DNS
name. The resolution in userspace happens just fine, and I get the new
IP address. However, I can see that the dns_query call from cifs is
not upcalling to userspace anymore. And the dns_query calls are
returning -127 (EKEYEXPIRED).

I also tried to "keyctl describe KEY", and it also says "Key has expired".

1. How can I debug this further?
2. Is this a known issue? If so, what's the issue?
3. I see that afs.ko calls dns_query with invalidate passed in as
true. What was the reason for not using the dns cache in the kernel
keyring? Was it once used and later changed? If so, can you please
explain why? cifs.ko does not set invalidate=true during dns_query
calls today. I'd like to understand if there are any risks associated
with this?

-- 
Regards,
Shyam


* Re: Regarding EKEYEXPIRED error during dns_query
  2022-03-23 17:12 Regarding EKEYEXPIRED error during dns_query Shyam Prasad N
@ 2022-03-29 15:09 ` Shyam Prasad N
  2022-03-29 15:19   ` Enzo Matsumiya
  0 siblings, 1 reply; 4+ messages in thread
From: Shyam Prasad N @ 2022-03-29 15:09 UTC
  To: David Howells, CIFS, Jeff Layton, Bharath SM

On Wed, Mar 23, 2022 at 10:42 PM Shyam Prasad N <nspmangalore@gmail.com> wrote:
>
> Hi David,
>
> I was recently working on validating the recent fixes in cifs.ko and
> key.dns_resolver.
> However, I've stumbled on a different issue now.
>
> The call to dns_query from cifs initially upcalls into userspace and
> key.dns_resolver seems to resolve the name to an IPv4 address. This comes
> back with an expiry value of 5 sec; so the key is set with a timeout of 5s.
>
> However, at some later point, the IPv4 address changes for this DNS
> name. The resolution in userspace happens just fine, and I get the new
> IP address. However, I can see that the dns_query call from cifs is
> not upcalling to userspace anymore. And the dns_query calls are
> returning -127 (EKEYEXPIRED).
>
> I also tried to "keyctl describe KEY", and it also says "Key has expired".
>
> 1. How can I debug this further?
> 2. Is this a known issue? If so, what's the issue?
> 3. I see that afs.ko calls dns_query with invalidate passed in as
> true. What was the reason for not using the dns cache in the kernel
> keyring? Was it once used and later changed? If so, can you please
> explain why? cifs.ko does not set invalidate=true during dns_query
> calls today. I'd like to understand if there are any risks associated
> with this?
>
> --
> Regards,
> Shyam

Did some more digging into this.
It looks like cifs.ko may sometimes end up doing very frequent dns_query calls.

David: Do you know if making frequent calls to dns_query can possibly
prevent expired keys from being cleaned up?

-- 
Regards,
Shyam


* Re: Regarding EKEYEXPIRED error during dns_query
  2022-03-29 15:09 ` Shyam Prasad N
@ 2022-03-29 15:19   ` Enzo Matsumiya
  2022-03-30 13:10     ` Shyam Prasad N
  0 siblings, 1 reply; 4+ messages in thread
From: Enzo Matsumiya @ 2022-03-29 15:19 UTC
  To: Shyam Prasad N; +Cc: David Howells, CIFS, Jeff Layton, Bharath SM

On 03/29, Shyam Prasad N wrote:
>David: Do you know if making frequent calls to dns_query can possibly
>prevent expired keys from being cleaned up?

The problem is that the key is being created with a permanent TTL:

2135708b I------     1 perm 1f030000     0     0 keyring   .dns_resolver: 2

But answering your question, if a request to the same key is done before
it expires, yes, it will extend its TTL. But, again, in the current
case, cifs is only doing unnecessary upcalls every 5s, while also
possibly getting outdated cached records.

I sent my patch to fix this as RFC to David, but he probably missed it. I'll
re-submit it to a public ML with him on CC.


Cheers,

Enzo
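
As an added example (not part of the message above or of any patch mentioned in the thread), the following reads /proc/keys-format lines like the one quoted above and reports the expiry state of each dns_resolver key. The function names and the example.test entries are constructed for illustration; the first sample line is the one from the thread.

```shell
#!/bin/sh
# Added example: classify dns_resolver keys from /proc/keys-format input.
# Columns: id flags usage timeout perm uid gid type "description: summary"
# Assumption: /proc/keys truncates the type column to 9 characters, so
# dns_resolver keys are matched by the prefix "dns_resol".
classify_dns_keys() {
    awk '
    $8 ~ /^dns_resol/ {
        desc = $9; sub(/:$/, "", desc)              # strip the trailing colon
        if ($4 == "expd")      state = "EXPIRED"    # expired, not yet collected
        else if ($4 == "perm") state = "PERMANENT"  # no timeout set on the key
        else                   state = "LIVE(" $4 ")"
        print $1, desc, state
    }'
}

# Succeeds if any dns_resolver key on stdin is expired or has no timeout.
has_stale_dns_keys() {
    classify_dns_keys | grep -Eq ' (EXPIRED|PERMANENT)$'
}

# Constructed sample input; only the first line is taken from the thread.
# It has type "keyring", so the classifier does not report it.
sample_keys() {
cat <<'EOF'
2135708b I------     1 perm 1f030000     0     0 keyring   .dns_resolver: 2
0a1b2c3d I------     1 expd 3f010000     0     0 dns_resol fs1.example.test: 4
1e2f3a4b I------     1   4s 3f010000     0     0 dns_resol fs2.example.test: 4
2c3d4e5f I------     1 perm 3f010000     0     0 dns_resol fs3.example.test: 4
EOF
}

sample_keys | classify_dns_keys
```

On a live system the input would be `classify_dns_keys < /proc/keys`, which lists only the keys the reading process is permitted to view.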


* Re: Regarding EKEYEXPIRED error during dns_query
  2022-03-29 15:19   ` Enzo Matsumiya
@ 2022-03-30 13:10     ` Shyam Prasad N
  0 siblings, 0 replies; 4+ messages in thread
From: Shyam Prasad N @ 2022-03-30 13:10 UTC
  To: Enzo Matsumiya; +Cc: David Howells, CIFS, Jeff Layton, Bharath SM

Hi Enzo,

Thanks for the reply.

On Tue, Mar 29, 2022 at 8:49 PM Enzo Matsumiya <ematsumiya@suse.de> wrote:
>
> On 03/29, Shyam Prasad N wrote:
> >David: Do you know if making frequent calls to dns_query can possibly
> >prevent expired keys from being cleaned up?
>
> The problem is that the key is being created with a permanent TTL:
>
> 2135708b I------     1 perm 1f030000     0     0 keyring   .dns_resolver: 2
>
I'm seeing this issue while trying to validate the fix to this problem.
In cases where dns_query gets called repeatedly, I'm seeing that
dns_query returns -EKEYEXPIRED. I don't see the userspace utility even
getting the upcall.
I see that keyring gc is scheduled with a default interval of 5 min.
But I don't see the situation recovering even after that.

> But answering your question, if a request to the same key is done before
> it expires, yes, it will extend its TTL. But, again, in the current
> case, cifs is only doing unnecessary upcalls every 5s, while also
> possibly getting outdated cached records.
Again, I'm trying with Paulo's fix that sets a minimum upcall interval to 2 min.

>
> I sent my patch to fix this as RFC to David, but he probably missed it. I'll
> re-submit it to a public ML with him on CC.
I'll let Dave comment on this.

>
>
> Cheers,
>
> Enzo



-- 
Regards,
Shyam

