From: Chuck Lever <chuck.lever@oracle.com>
To: Bruce Fields <bfields@fieldses.org>
Cc: Daniel Kobras <kobras@puzzle-itc.de>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] sunrpc: fix refcount leak for rpc auth modules
Date: Mon, 1 Mar 2021 18:21:27 +0000 [thread overview]
Message-ID: <3A372E86-B7E4-495C-83F5-6B092E708AC8@oracle.com> (raw)
In-Reply-To: <20210301181501.GC11772@fieldses.org>
> On Mar 1, 2021, at 1:15 PM, Bruce Fields <bfields@fieldses.org> wrote:
>
> On Mon, Mar 01, 2021 at 05:44:02PM +0000, Chuck Lever wrote:
>>> So, the effect of this is to call svc_authorise more often. I think
>>> that's always safe, because svc_authorise is a no-op unless rq_authops
>>> is set, it clears rq_authops itself, and rq_authops being set is a
>>> guarantee that ->accept() already ran.
>>>
>>> It's harder to know if this solves the problem, as I see a lot of other
>>> mentions of THIS_MODULE in svcauth_gss.c.
>>
>> Perhaps a deeper audit is necessary.
>>
>> A small code change to inject SVC_CLOSE returns at random would enable
>> a more dynamic analysis.
>
> That might be interesting.
>
> I don't think this patch necessarily has to wait for that.
OK. It's in for-rc now, and sounds like that doesn't need to change.
Poking around a little, I see a try_module_get() and module_put() done
for every RPC. Considering that both have a preempt_disable/enable pair,
that seems a little expensive for the value it provides. One might like
to see the module reference count handled a little less frequently, but
I don't see an obvious way to address that.
>>> Possibly orthogonal to this problem, but: svcauth_gss_release
>>> unconditionally dereferences rqstp->rq_auth_data. Isn't that a NULL
>>> dereference if the kmalloc at the start of svcauth_gss_accept() fails?
>>>
>>> Finally, should we care about module reference leaks?
>>
>> I would prefer that module reference counting work as expected. When it
>> doesn't that tends to lead to people (say, me) hunting for bugs that
>> might actually be serious.
>>
>>
>>> Does anyone really *need* to unload modules?
>>
>> Anyone who wants to replace the module with a newer build that fixes a
>> bug. It avoids a full reboot, and for some that's important.
>
> Fair enough.
>
> --b.
--
Chuck Lever
next prev parent reply other threads:[~2021-03-01 18:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-26 23:04 [PATCH] sunrpc: fix refcount leak for rpc auth modules Daniel Kobras
2021-03-01 15:20 ` Chuck Lever
2021-03-01 16:28 ` Bruce Fields
2021-03-01 17:44 ` Chuck Lever
2021-03-01 18:15 ` Bruce Fields
2021-03-01 18:21 ` Chuck Lever [this message]
2021-03-02 11:50 ` Daniel Kobras
2021-03-02 15:48 ` Chuck Lever
2021-03-02 15:48 ` [PATCH] rpc: fix NULL dereference on kmalloc failure Bruce Fields
2021-03-03 15:16 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3A372E86-B7E4-495C-83F5-6B092E708AC8@oracle.com \
--to=chuck.lever@oracle.com \
--cc=bfields@fieldses.org \
--cc=kobras@puzzle-itc.de \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).