From: David Windsor <dwindsor@gmail.com>
To: linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com, bfields@fieldses.org,
jlayton@poochiereds.net, keescook@chromium.org,
elena.reshetova@intel.com, dwindsor@gmail.com
Subject: [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session
Date: Thu, 9 Feb 2017 02:38:21 -0500 [thread overview]
Message-ID: <1486625901-10094-1-git-send-email-dwindsor@gmail.com> (raw)
In furtherance of the KSPP effort to add overflow protection to kernel
reference counters, a new type (refcount_t) and API have been created.
Part of the refcount_t API is refcount_inc(), which will not increment a
refcount_t variable if its value is 0 (as this would indicate a possible
use-after-free condition).
In auditing the kernel for refcounting corner cases, we've come across the
case of struct nfsd4_session.
>From fs/nfsd/state.h:
/*
* Representation of a v4.1+ session. These are refcounted in a similar
* fashion to the nfs4_client. References are only taken when the server
* is actively working on the object (primarily during the processing of
* compounds).
*/
struct nfsd4_session {
atomic_t se_ref;
...
};
>From fs/nfsd/nfs4state.c:
static void init_session(..., struct nfsd4_session *new, ...)
{
...
atomic_set(&new->se_ref, 0);
...
}
Since nfsd4_session objects are initialized with refcount = 0, subsequent
increments will fail using the new refcount_t API.
Being largely unfamiliar with this subsystem's garbage collection
mechanism, I'm unsure how to best fix this. Attached is a patch that
performs a logical +1 on struct nfsd4_session's reference counting
scheme.
If this is the correct route to take, I will resubmit this patch with
updated comments for how struct nfsd4_session is refcounted (see the above
comment from fs/nsfd/state.h). This is in preparation for the previously
mentioned refcount_t API series.
Thanks,
David Windsor
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
fs/nfsd/nfs4state.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index a0dee8a..b0f3010 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -196,7 +196,7 @@ static void nfsd4_put_session_locked(struct nfsd4_session *ses)
lockdep_assert_held(&nn->client_lock);
- if (atomic_dec_and_test(&ses->se_ref) && is_session_dead(ses))
+ if (!atomic_add_unless(&ses->se_ref, -1, 1) && is_session_des(ses))
free_session(ses);
put_client_renew_locked(clp);
}
@@ -1645,7 +1645,7 @@ static void init_session(struct svc_rqst *rqstp, struct nfsd4_session *new, stru
new->se_flags = cses->flags;
new->se_cb_prog = cses->callback_prog;
new->se_cb_sec = cses->cb_sec;
- atomic_set(&new->se_ref, 0);
+ atomic_set(&new->se_ref, 1);
idx = hash_sessionid(&new->se_sessionid);
list_add(&new->se_hash, &nn->sessionid_hashtbl[idx]);
spin_lock(&clp->cl_lock);
@@ -1792,7 +1792,7 @@ free_client(struct nfs4_client *clp)
ses = list_entry(clp->cl_sessions.next, struct nfsd4_session,
se_perclnt);
list_del(&ses->se_perclnt);
- WARN_ON_ONCE(atomic_read(&ses->se_ref));
+ WARN_ON_ONCE((atomic_read(&ses->se_ref) > 1));
free_session(ses);
}
rpc_destroy_wait_queue(&clp->cl_cb_waitq);
--
2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: David Windsor <dwindsor@gmail.com>
To: linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com, bfields@fieldses.org,
jlayton@poochiereds.net, keescook@chromium.org,
elena.reshetova@intel.com, dwindsor@gmail.com
Subject: [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session
Date: Thu, 9 Feb 2017 02:38:21 -0500 [thread overview]
Message-ID: <1486625901-10094-1-git-send-email-dwindsor@gmail.com> (raw)
In furtherance of the KSPP effort to add overflow protection to kernel
reference counters, a new type (refcount_t) and API have been created.
Part of the refcount_t API is refcount_inc(), which will not increment a
refcount_t variable if its value is 0 (as this would indicate a possible
use-after-free condition).
In auditing the kernel for refcounting corner cases, we've come across the
case of struct nfsd4_session.
WARNING: multiple messages have this Message-ID (diff)
From: David Windsor <dwindsor@gmail.com>
To: linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com, bfields@fieldses.org,
jlayton@poochiereds.net, keescook@chromium.org,
elena.reshetova@intel.com, dwindsor@gmail.com
Subject: [kernel-hardening] [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session
Date: Thu, 9 Feb 2017 02:38:21 -0500 [thread overview]
Message-ID: <1486625901-10094-1-git-send-email-dwindsor@gmail.com> (raw)
In furtherance of the KSPP effort to add overflow protection to kernel
reference counters, a new type (refcount_t) and API have been created.
Part of the refcount_t API is refcount_inc(), which will not increment a
refcount_t variable if its value is 0 (as this would indicate a possible
use-after-free condition).
In auditing the kernel for refcounting corner cases, we've come across the
case of struct nfsd4_session.
>From fs/nfsd/state.h:
/*
* Representation of a v4.1+ session. These are refcounted in a similar
* fashion to the nfs4_client. References are only taken when the server
* is actively working on the object (primarily during the processing of
* compounds).
*/
struct nfsd4_session {
atomic_t se_ref;
...
};
>From fs/nfsd/nfs4state.c:
static void init_session(..., struct nfsd4_session *new, ...)
{
...
atomic_set(&new->se_ref, 0);
...
}
Since nfsd4_session objects are initialized with refcount = 0, subsequent
increments will fail using the new refcount_t API.
Being largely unfamiliar with this subsystem's garbage collection
mechanism, I'm unsure how to best fix this. Attached is a patch that
performs a logical +1 on struct nfsd4_session's reference counting
scheme.
If this is the correct route to take, I will resubmit this patch with
updated comments for how struct nfsd4_session is refcounted (see the above
comment from fs/nsfd/state.h). This is in preparation for the previously
mentioned refcount_t API series.
Thanks,
David Windsor
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
fs/nfsd/nfs4state.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index a0dee8a..b0f3010 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -196,7 +196,7 @@ static void nfsd4_put_session_locked(struct nfsd4_session *ses)
lockdep_assert_held(&nn->client_lock);
- if (atomic_dec_and_test(&ses->se_ref) && is_session_dead(ses))
+ if (!atomic_add_unless(&ses->se_ref, -1, 1) && is_session_des(ses))
free_session(ses);
put_client_renew_locked(clp);
}
@@ -1645,7 +1645,7 @@ static void init_session(struct svc_rqst *rqstp, struct nfsd4_session *new, stru
new->se_flags = cses->flags;
new->se_cb_prog = cses->callback_prog;
new->se_cb_sec = cses->cb_sec;
- atomic_set(&new->se_ref, 0);
+ atomic_set(&new->se_ref, 1);
idx = hash_sessionid(&new->se_sessionid);
list_add(&new->se_hash, &nn->sessionid_hashtbl[idx]);
spin_lock(&clp->cl_lock);
@@ -1792,7 +1792,7 @@ free_client(struct nfs4_client *clp)
ses = list_entry(clp->cl_sessions.next, struct nfsd4_session,
se_perclnt);
list_del(&ses->se_perclnt);
- WARN_ON_ONCE(atomic_read(&ses->se_ref));
+ WARN_ON_ONCE((atomic_read(&ses->se_ref) > 1));
free_session(ses);
}
rpc_destroy_wait_queue(&clp->cl_cb_waitq);
--
2.7.4
next reply other threads:[~2017-02-09 7:38 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-09 7:38 David Windsor [this message]
2017-02-09 7:38 ` [kernel-hardening] [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session David Windsor
2017-02-09 7:38 ` David Windsor
2017-02-11 6:42 ` David Windsor
2017-02-11 6:42 ` [kernel-hardening] " David Windsor
[not found] ` <CAEXv5_jUa8Av4JABoKSAueiLHSLzibMvaE-8DrVcxZHFceckMg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-11 12:31 ` Jeff Layton
2017-02-11 12:31 ` [kernel-hardening] " Jeff Layton
2017-02-11 12:31 ` Jeff Layton
[not found] ` <1486816302.4233.29.camel-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>
2017-02-11 14:01 ` David Windsor
2017-02-11 14:01 ` [kernel-hardening] " David Windsor
2017-02-11 14:01 ` David Windsor
2017-02-11 14:09 ` Jeff Layton
2017-02-11 14:09 ` [kernel-hardening] " Jeff Layton
[not found] ` <CAEXv5_gd7F-eaazzU1BWPzH4huhEcO1Y-FWov5UP9T+6R+fv-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-13 10:38 ` Christoph Hellwig
2017-02-13 10:38 ` [kernel-hardening] " Christoph Hellwig
2017-02-13 10:38 ` Christoph Hellwig
[not found] ` <20170213103815.GA5131-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2017-02-13 11:42 ` David Windsor
2017-02-13 11:42 ` [kernel-hardening] " David Windsor
2017-02-13 11:42 ` David Windsor
[not found] ` <CAEXv5_g=DS4wk0mgZuw-doVCqountb-CxZki1LOoQH-P7W1U4A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-13 12:12 ` Christoph Hellwig
2017-02-13 12:12 ` [kernel-hardening] " Christoph Hellwig
2017-02-13 12:12 ` Christoph Hellwig
2017-02-14 13:48 ` David Windsor
2017-02-14 13:48 ` [kernel-hardening] " David Windsor
2017-02-12 1:15 ` Bruce Fields
2017-02-12 1:15 ` [kernel-hardening] " Bruce Fields
2017-02-12 1:15 ` Bruce Fields
2017-02-12 1:42 ` David Windsor
2017-02-12 1:42 ` [kernel-hardening] " David Windsor
2017-02-13 10:54 ` Hans Liljestrand
2017-02-13 10:54 ` Hans Liljestrand
2017-02-13 11:46 ` David Windsor
[not found] ` <CAEXv5_hP39k7HSLP-G_khx7MMQHnk=8Z5caa+U5n3bYvUTE1gQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-15 16:45 ` Bruce Fields
2017-02-15 16:45 ` Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1486625901-10094-1-git-send-email-dwindsor@gmail.com \
--to=dwindsor@gmail.com \
--cc=bfields@fieldses.org \
--cc=elena.reshetova@intel.com \
--cc=jlayton@poochiereds.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.