
[v2] nfs: protect nfs41_impl_id by rcu

Message ID 20240829133743.1008788-1-lilingfeng3@huawei.com (mailing list archive)

Commit Message

Li Lingfeng Aug. 29, 2024, 1:37 p.m. UTC
When performing an exchange id call, a new nfs41_impl_id is allocated to
store some information from the server. The pointers to the old and new
nfs41_impl_ids are swapped, and the old one is freed.

However, UAF may be triggered as follows:

After T2 has got a pointer to the nfs41_impl_id, the nfs41_impl_id is
freed by T1 before it is used.
         T1                                           T2
nfs4_proc_exchange_id
 _nfs4_proc_exchange_id
  nfs4_run_exchange_id
   kzalloc // alloc nfs41_impl_id-B
   rpc_run_task
                                nfs_show_stats
                                 show_implementation_id
                                  impl_id = nfss->nfs_client->cl_implid
                                  // get alloc nfs41_impl_id-A
  swap(clp->cl_implid, resp->impl_id)
  rpc_put_task
   ...
    nfs4_exchange_id_release
     kfree // free nfs41_impl_id-A
                                  impl_id->name // UAF

Fix this issue by using rcu to protect the nfs41_impl_id.

Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
---
v1->v2:
  Free nfs41_impl_id by call_rcu in nfs4_shutdown_client to resolve
  warning.
 fs/nfs/nfs4client.c       | 10 +++++++++-
 fs/nfs/nfs4proc.c         | 12 ++++++++++--
 fs/nfs/super.c            | 12 +++++++++---
 include/linux/nfs_fs_sb.h |  2 +-
 include/linux/nfs_xdr.h   |  1 +
 5 files changed, 30 insertions(+), 7 deletions(-)

Comments

kernel test robot Aug. 30, 2024, 3:26 p.m. UTC | #1
Hi Li,

kernel test robot noticed the following build errors:

[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on linus/master v6.11-rc5 next-20240830]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Li-Lingfeng/nfs-protect-nfs41_impl_id-by-rcu/20240829-213622
base:   git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link:    https://lore.kernel.org/r/20240829133743.1008788-1-lilingfeng3%40huawei.com
patch subject: [PATCH v2] nfs: protect nfs41_impl_id by rcu
config: i386-randconfig-001-20240830 (https://download.01.org/0day-ci/archive/20240830/202408302315.02P7HuVM-lkp@intel.com/config)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240830/202408302315.02P7HuVM-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408302315.02P7HuVM-lkp@intel.com/

All errors (new ones prefixed by >>):

>> fs/nfs/nfs4client.c:286:34: error: incomplete definition of type 'struct nfs41_impl_id'
     286 |         struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
         |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/container_of.h:20:47: note: expanded from macro 'container_of'
      20 |         static_assert(__same_type(*(ptr), ((type *)0)->member) ||       \
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
      21 |                       __same_type(*(ptr), void),                        \
         |                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      22 |                       "pointer type mismatch in container_of()");       \
         |                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler_types.h:451:74: note: expanded from macro '__same_type'
     451 | #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
         |                                                                          ^
   include/linux/build_bug.h:77:50: note: expanded from macro 'static_assert'
      77 | #define static_assert(expr, ...) __static_assert(expr, ##__VA_ARGS__, #expr)
         |                                  ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/build_bug.h:78:56: note: expanded from macro '__static_assert'
      78 | #define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
         |                                                        ^~~~
   include/linux/nfs_fs_sb.h:23:8: note: forward declaration of 'struct nfs41_impl_id'
      23 | struct nfs41_impl_id;
         |        ^
>> fs/nfs/nfs4client.c:286:34: error: offsetof of incomplete type 'struct nfs41_impl_id'
     286 |         struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
         |                                         ^                  ~~~~~~
   include/linux/container_of.h:23:21: note: expanded from macro 'container_of'
      23 |         ((type *)(__mptr - offsetof(type, member))); })
         |                            ^        ~~~~
   include/linux/stddef.h:16:32: note: expanded from macro 'offsetof'
      16 | #define offsetof(TYPE, MEMBER)  __builtin_offsetof(TYPE, MEMBER)
         |                                 ^                  ~~~~
   include/linux/nfs_fs_sb.h:23:8: note: forward declaration of 'struct nfs41_impl_id'
      23 | struct nfs41_impl_id;
         |        ^
>> fs/nfs/nfs4client.c:286:24: error: initializing 'struct nfs41_impl_id *' with an expression of incompatible type 'void'
     286 |         struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
         |                               ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/nfs/nfs4client.c:304:27: error: incomplete definition of type 'struct nfs41_impl_id'
     304 |                 call_rcu(&clp->cl_implid->__rcu_head, nfs4_free_impl_id_rcu);
         |                           ~~~~~~~~~~~~~~^
   include/linux/nfs_fs_sb.h:23:8: note: forward declaration of 'struct nfs41_impl_id'
      23 | struct nfs41_impl_id;
         |        ^
   4 errors generated.

Kconfig warnings: (for reference only)
   WARNING: unmet direct dependencies detected for FB_IOMEM_HELPERS
   Depends on [n]: HAS_IOMEM [=y] && FB_CORE [=n]
   Selected by [m]:
   - DRM_XE_DISPLAY [=y] && HAS_IOMEM [=y] && DRM [=y] && DRM_XE [=m] && DRM_XE [=m]=m [=m]


vim +286 fs/nfs/nfs4client.c

   283	
   284	static void nfs4_free_impl_id_rcu(struct rcu_head *head)
   285	{
 > 286		struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
   287	
   288		kfree(impl_id);
   289	}
   290
kernel test robot Aug. 31, 2024, 2:07 a.m. UTC | #2
Hi Li,

kernel test robot noticed the following build errors:

[auto build test ERROR on trondmy-nfs/linux-next]
[also build test ERROR on linus/master v6.11-rc5 next-20240830]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Li-Lingfeng/nfs-protect-nfs41_impl_id-by-rcu/20240829-213622
base:   git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
patch link:    https://lore.kernel.org/r/20240829133743.1008788-1-lilingfeng3%40huawei.com
patch subject: [PATCH v2] nfs: protect nfs41_impl_id by rcu
config: x86_64-defconfig (https://download.01.org/0day-ci/archive/20240831/202408310936.nUVC9Uw3-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240831/202408310936.nUVC9Uw3-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408310936.nUVC9Uw3-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/linux/container_of.h:5,
                    from include/linux/list.h:5,
                    from include/linux/module.h:12,
                    from fs/nfs/nfs4client.c:6:
   fs/nfs/nfs4client.c: In function 'nfs4_free_impl_id_rcu':
>> include/linux/container_of.h:20:54: error: invalid use of undefined type 'struct nfs41_impl_id'
      20 |         static_assert(__same_type(*(ptr), ((type *)0)->member) ||       \
         |                                                      ^~
   include/linux/build_bug.h:78:56: note: in definition of macro '__static_assert'
      78 | #define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
         |                                                        ^~~~
   include/linux/container_of.h:20:9: note: in expansion of macro 'static_assert'
      20 |         static_assert(__same_type(*(ptr), ((type *)0)->member) ||       \
         |         ^~~~~~~~~~~~~
   include/linux/container_of.h:20:23: note: in expansion of macro '__same_type'
      20 |         static_assert(__same_type(*(ptr), ((type *)0)->member) ||       \
         |                       ^~~~~~~~~~~
   fs/nfs/nfs4client.c:286:41: note: in expansion of macro 'container_of'
     286 |         struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
         |                                         ^~~~~~~~~~~~
   include/linux/compiler_types.h:451:27: error: expression in static assertion is not an integer
     451 | #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
         |                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/build_bug.h:78:56: note: in definition of macro '__static_assert'
      78 | #define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
         |                                                        ^~~~
   include/linux/container_of.h:20:9: note: in expansion of macro 'static_assert'
      20 |         static_assert(__same_type(*(ptr), ((type *)0)->member) ||       \
         |         ^~~~~~~~~~~~~
   include/linux/container_of.h:20:23: note: in expansion of macro '__same_type'
      20 |         static_assert(__same_type(*(ptr), ((type *)0)->member) ||       \
         |                       ^~~~~~~~~~~
   fs/nfs/nfs4client.c:286:41: note: in expansion of macro 'container_of'
     286 |         struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
         |                                         ^~~~~~~~~~~~
   In file included from include/uapi/linux/posix_types.h:5,
                    from include/uapi/linux/types.h:14,
                    from include/linux/types.h:6,
                    from include/linux/kasan-checks.h:5,
                    from include/asm-generic/rwonce.h:26,
                    from ./arch/x86/include/generated/asm/rwonce.h:1,
                    from include/linux/compiler.h:314,
                    from include/linux/build_bug.h:5,
                    from include/linux/container_of.h:5,
                    from include/linux/list.h:5,
                    from include/linux/module.h:12,
                    from fs/nfs/nfs4client.c:6:
>> include/linux/stddef.h:16:33: error: invalid use of undefined type 'struct nfs41_impl_id'
      16 | #define offsetof(TYPE, MEMBER)  __builtin_offsetof(TYPE, MEMBER)
         |                                 ^~~~~~~~~~~~~~~~~~
   include/linux/container_of.h:23:28: note: in expansion of macro 'offsetof'
      23 |         ((type *)(__mptr - offsetof(type, member))); })
         |                            ^~~~~~~~
   fs/nfs/nfs4client.c:286:41: note: in expansion of macro 'container_of'
     286 |         struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
         |                                         ^~~~~~~~~~~~
   fs/nfs/nfs4client.c: In function 'nfs4_shutdown_client':
>> fs/nfs/nfs4client.c:304:41: error: invalid use of undefined type 'struct nfs41_impl_id'
     304 |                 call_rcu(&clp->cl_implid->__rcu_head, nfs4_free_impl_id_rcu);
         |                                         ^~


vim +20 include/linux/container_of.h

d2a8ebbf8192b8 Andy Shevchenko  2021-11-08   9  
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  10  /**
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  11   * container_of - cast a member of a structure out to the containing structure
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  12   * @ptr:	the pointer to the member.
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  13   * @type:	the type of the container struct this is embedded in.
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  14   * @member:	the name of the member within the struct.
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  15   *
7376e561fd2e01 Sakari Ailus     2022-10-24  16   * WARNING: any const qualifier of @ptr is lost.
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  17   */
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  18  #define container_of(ptr, type, member) ({				\
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  19  	void *__mptr = (void *)(ptr);					\
e1edc277e6f6df Rasmus Villemoes 2021-11-08 @20  	static_assert(__same_type(*(ptr), ((type *)0)->member) ||	\
e1edc277e6f6df Rasmus Villemoes 2021-11-08  21  		      __same_type(*(ptr), void),			\
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  22  		      "pointer type mismatch in container_of()");	\
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  23  	((type *)(__mptr - offsetof(type, member))); })
d2a8ebbf8192b8 Andy Shevchenko  2021-11-08  24

diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index 83378f69b35e..1aee1cfb6f1f 100644
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -281,6 +281,13 @@  static void nfs4_destroy_callback(struct nfs_client *clp)
 		nfs_callback_down(clp->cl_mvops->minor_version, clp->cl_net);
 }
 
+static void nfs4_free_impl_id_rcu(struct rcu_head *head)
+{
+	struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
+
+	kfree(impl_id);
+}
+
 static void nfs4_shutdown_client(struct nfs_client *clp)
 {
 	if (__test_and_clear_bit(NFS_CS_RENEWD, &clp->cl_res_state))
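Review bot: nfs4_free_impl_id_rcu is defined here and again, byte-for-byte, in fs/nfs/nfs4proc.c (the hunk at @@ -8866); a callback whose whole body is kfree() on the container can be replaced by `kfree_rcu(impl_id, __rcu_head)` at each free site, which drops both copies and their container_of() boilerplate. If a callback is kept instead, declare it once (for example in fs/nfs/internal.h) rather than duplicating a static function across two files. nfs4_shutdown_client continues past the end of this hunk.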
@@ -293,7 +300,8 @@  static void nfs4_shutdown_client(struct nfs_client *clp)
 	rpc_destroy_wait_queue(&clp->cl_rpcwaitq);
 	kfree(clp->cl_serverowner);
 	kfree(clp->cl_serverscope);
-	kfree(clp->cl_implid);
+	if (clp->cl_implid)
+		call_rcu(&clp->cl_implid->__rcu_head, nfs4_free_impl_id_rcu);
 	kfree(clp->cl_owner_id);
 }
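Review bot: `clp->cl_implid->__rcu_head` is a plain dereference of a pointer that this series annotates `__rcu` in include/linux/nfs_fs_sb.h, so sparse will flag it; load it through the writer-side accessor first, `struct nfs41_impl_id *impl_id = rcu_dereference_protected(clp->cl_implid, true);` followed by `if (impl_id) call_rcu(&impl_id->__rcu_head, nfs4_free_impl_id_rcu);`. The unconditional protection argument is presumably justified because the client is being torn down and no new readers can attach; a one-line comment saying so would help the next reader. nfs4_shutdown_client starts outside this hunk.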
 
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index b8ffbe52ba15..6bb820bd205e 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -8866,13 +8866,21 @@  struct nfs41_exchange_id_data {
 	struct nfs41_exchange_id_args args;
 };
 
+static void nfs4_free_impl_id_rcu(struct rcu_head *head)
+{
+	struct nfs41_impl_id *impl_id = container_of(head, struct nfs41_impl_id, __rcu_head);
+
+	kfree(impl_id);
+}
+
 static void nfs4_exchange_id_release(void *data)
 {
 	struct nfs41_exchange_id_data *cdata =
 					(struct nfs41_exchange_id_data *)data;
 
 	nfs_put_client(cdata->args.client);
-	kfree(cdata->res.impl_id);
+	if (cdata->res.impl_id)
+		call_rcu(&cdata->res.impl_id->__rcu_head, nfs4_free_impl_id_rcu);
 	kfree(cdata->res.server_scope);
 	kfree(cdata->res.server_owner);
 	kfree(cdata);
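Review bot: the reason nfs4_exchange_id_release must defer the free is not stated anywhere near the call_rcu(): after the rcu_replace_pointer() in _nfs4_proc_exchange_id, res.impl_id holds the previous cl_implid, which RCU readers in show_implementation_id may still be dereferencing, while on the failure path it holds a never-published allocation for which deferral is merely harmless. A comment above the call such as `/* may be the old cl_implid, still visible to RCU readers */` documents the invariant the callback relies on. The duplicated nfs4_free_impl_id_rcu definition is raised at the fs/nfs/nfs4client.c hunk.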
@@ -9034,7 +9042,7 @@  static int _nfs4_proc_exchange_id(struct nfs_client *clp, const struct cred *cre
 
 	swap(clp->cl_serverowner, resp->server_owner);
 	swap(clp->cl_serverscope, resp->server_scope);
-	swap(clp->cl_implid, resp->impl_id);
+	resp->impl_id = rcu_replace_pointer(clp->cl_implid, resp->impl_id, 1);
 
 	/* Save the EXCHANGE_ID verifier session trunk tests */
 	memcpy(clp->cl_confirm.data, argp->verifier.data,
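Review bot: the third argument `1` to rcu_replace_pointer() switches off the lockdep check on the writer side, so nothing in the hunk documents what serialises concurrent EXCHANGE_ID updates to clp->cl_implid; if a lock or the state manager's single-threaded execution guarantees that (I cannot see it from this hunk), pass the matching lockdep condition, or add a comment like `/* cl_implid updates are serialised by <mechanism>, hence the unconditional rcu_replace_pointer() */` with the placeholder filled in. The rcu_assign_pointer() inside rcu_replace_pointer() also gives readers release ordering for the freshly decoded impl_id fields, which the old swap() did not provide, and that is worth a line in the commit message. _nfs4_proc_exchange_id starts and ends outside this hunk.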
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 97b386032b71..6097dbe8e334 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -612,13 +612,19 @@  static void show_pnfs(struct seq_file *m, struct nfs_server *server)
 
 static void show_implementation_id(struct seq_file *m, struct nfs_server *nfss)
 {
-	if (nfss->nfs_client && nfss->nfs_client->cl_implid) {
-		struct nfs41_impl_id *impl_id = nfss->nfs_client->cl_implid;
+	struct nfs_client *clp = nfss->nfs_client;
+	struct nfs41_impl_id *impl_id;
+
+	if (!clp)
+		return;
+	rcu_read_lock();
+	impl_id = rcu_dereference(clp->cl_implid);
+	if (impl_id)
 		seq_printf(m, "\n\timpl_id:\tname='%s',domain='%s',"
 			   "date='%llu,%u'",
 			   impl_id->name, impl_id->domain,
 			   impl_id->date.seconds, impl_id->date.nseconds);
-	}
+	rcu_read_unlock();
 }
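Review bot: the `if (impl_id)` body is a single statement spread over four lines; kernel style prefers braces around a multi-line single statement, so `if (impl_id) {` with a closing `}` before rcu_read_unlock() reads better and guards against a later insertion landing outside the condition. Holding rcu_read_lock() across seq_printf() looks fine, as seq_printf() formats into the seq_file buffer rather than sleeping, but a short comment `/* seq_printf() does not sleep, so it is safe under rcu_read_lock() */` would make that explicit for readers who reach for a copy-out pattern.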
 #else
 #if IS_ENABLED(CONFIG_NFS_V4)
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 1df86ab98c77..29c98c9df42f 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -102,7 +102,7 @@  struct nfs_client {
 	bool			cl_preserve_clid;
 	struct nfs41_server_owner *cl_serverowner;
 	struct nfs41_server_scope *cl_serverscope;
-	struct nfs41_impl_id	*cl_implid;
+	struct nfs41_impl_id __rcu *cl_implid;
 	/* nfs 4.1+ state protection modes: */
 	unsigned long		cl_sp4_flags;
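Review bot: cl_implid gains an `__rcu` annotation but no comment stating the access rules, which is what the next maintainer will need; a line above the field such as `/* RCU-protected: read under rcu_read_lock(), replaced with rcu_replace_pointer(), freed via call_rcu() */` would do. The remaining plain dereference of this field in nfs4_shutdown_client is raised at the fs/nfs/nfs4client.c hunk.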
 #define NFS_SP4_MACH_CRED_MINIMAL  1	/* Minimal sp4_mach_cred - state ops
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index 45623af3e7b8..b3c96ea2a64b 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -1374,6 +1374,7 @@  struct nfs41_impl_id {
 	char				domain[NFS4_OPAQUE_LIMIT + 1];
 	char				name[NFS4_OPAQUE_LIMIT + 1];
 	struct nfstime4			date;
+	struct rcu_head			__rcu_head;
 };
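Review bot: `__rcu_head` is a double-underscore identifier, which C reserves for the implementation and which in-tree structs avoid for embedded rcu_head members (they are conventionally named `rcu` or `rcu_head`); renaming the member to `struct rcu_head rcu;` and updating the two call_rcu() sites keeps the name out of the reserved space and makes the field read like the rest of the kernel. A brief comment on the member, `/* deferred free of a replaced cl_implid */`, would also tell readers why a plain XDR result struct carries an rcu_head.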
 
 #define MAX_BIND_CONN_TO_SESSION_RETRIES 3