0837e49ab3
rcu_dereference_key() and user_key_payload() are currently being used in
two different, incompatible ways:
(1) As a wrapper to rcu_dereference() - when only the RCU read lock used
to protect the key.
(2) As a wrapper to rcu_dereference_protected() - when the key semaphor is
used to protect the key and the may be being modified.
Fix this by splitting both of the key wrappers to produce:
(1) RCU accessors for keys when caller has the key semaphore locked:
dereference_key_locked()
user_key_payload_locked()
(2) RCU accessors for keys when caller holds the RCU read lock:
dereference_key_rcu()
user_key_payload_rcu()
This should fix following warning in the NFS idmapper
===============================
[ INFO: suspicious RCU usage. ]
4.10.0 #1 Tainted: G W
-------------------------------
./include/keys/user-type.h:53 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 0
1 lock held by mount.nfs/5987:
#0: (rcu_read_lock){......}, at: [<d000000002527abc>] nfs_idmap_get_key+0x15c/0x420 [nfsv4]
stack backtrace:
CPU: 1 PID: 5987 Comm: mount.nfs Tainted: G W 4.10.0 #1
Call Trace:
dump_stack+0xe8/0x154 (unreliable)
lockdep_rcu_suspicious+0x140/0x190
nfs_idmap_get_key+0x380/0x420 [nfsv4]
nfs_map_name_to_uid+0x2a0/0x3b0 [nfsv4]
decode_getfattr_attrs+0xfac/0x16b0 [nfsv4]
decode_getfattr_generic.constprop.106+0xbc/0x150 [nfsv4]
nfs4_xdr_dec_lookup_root+0xac/0xb0 [nfsv4]
rpcauth_unwrap_resp+0xe8/0x140 [sunrpc]
call_decode+0x29c/0x910 [sunrpc]
__rpc_execute+0x140/0x8f0 [sunrpc]
rpc_run_task+0x170/0x200 [sunrpc]
nfs4_call_sync_sequence+0x68/0xa0 [nfsv4]
_nfs4_lookup_root.isra.44+0xd0/0xf0 [nfsv4]
nfs4_lookup_root+0xe0/0x350 [nfsv4]
nfs4_lookup_root_sec+0x70/0xa0 [nfsv4]
nfs4_find_root_sec+0xc4/0x100 [nfsv4]
nfs4_proc_get_rootfh+0x5c/0xf0 [nfsv4]
nfs4_get_rootfh+0x6c/0x190 [nfsv4]
nfs4_server_common_setup+0xc4/0x260 [nfsv4]
nfs4_create_server+0x278/0x3c0 [nfsv4]
nfs4_remote_mount+0x50/0xb0 [nfsv4]
mount_fs+0x74/0x210
vfs_kern_mount+0x78/0x220
nfs_do_root_mount+0xb0/0x140 [nfsv4]
nfs4_try_mount+0x60/0x100 [nfsv4]
nfs_fs_mount+0x5ec/0xda0 [nfs]
mount_fs+0x74/0x210
vfs_kern_mount+0x78/0x220
do_mount+0x254/0xf70
SyS_mount+0x94/0x100
system_call+0x38/0xe0
Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
167 lines
4.6 KiB
C
167 lines
4.6 KiB
C
/* Upcall routine, designed to work as a key type and working through
|
|
* /sbin/request-key to contact userspace when handling DNS queries.
|
|
*
|
|
* See Documentation/networking/dns_resolver.txt
|
|
*
|
|
* Copyright (c) 2007 Igor Mammedov
|
|
* Author(s): Igor Mammedov (niallain@gmail.com)
|
|
* Steve French (sfrench@us.ibm.com)
|
|
* Wang Lei (wang840925@gmail.com)
|
|
* David Howells (dhowells@redhat.com)
|
|
*
|
|
* The upcall wrapper used to make an arbitrary DNS query.
|
|
*
|
|
* This function requires the appropriate userspace tool dns.upcall to be
|
|
* installed and something like the following lines should be added to the
|
|
* /etc/request-key.conf file:
|
|
*
|
|
* create dns_resolver * * /sbin/dns.upcall %k
|
|
*
|
|
* For example to use this module to query AFSDB RR:
|
|
*
|
|
* create dns_resolver afsdb:* * /sbin/dns.afsdb %k
|
|
*
|
|
* This library is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published
|
|
* by the Free Software Foundation; either version 2.1 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
|
|
* the GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/dns_resolver.h>
|
|
#include <linux/err.h>
|
|
#include <keys/dns_resolver-type.h>
|
|
#include <keys/user-type.h>
|
|
|
|
#include "internal.h"
|
|
|
|
/**
|
|
* dns_query - Query the DNS
|
|
* @type: Query type (or NULL for straight host->IP lookup)
|
|
* @name: Name to look up
|
|
* @namelen: Length of name
|
|
* @options: Request options (or NULL if no options)
|
|
* @_result: Where to place the returned data.
|
|
* @_expiry: Where to store the result expiry time (or NULL)
|
|
*
|
|
* The data will be returned in the pointer at *result, and the caller is
|
|
* responsible for freeing it.
|
|
*
|
|
* The description should be of the form "[<query_type>:]<domain_name>", and
|
|
* the options need to be appropriate for the query type requested. If no
|
|
* query_type is given, then the query is a straight hostname to IP address
|
|
* lookup.
|
|
*
|
|
* The DNS resolution lookup is performed by upcalling to userspace by way of
|
|
* requesting a key of type dns_resolver.
|
|
*
|
|
* Returns the size of the result on success, -ve error code otherwise.
|
|
*/
|
|
int dns_query(const char *type, const char *name, size_t namelen,
|
|
const char *options, char **_result, time64_t *_expiry)
|
|
{
|
|
struct key *rkey;
|
|
struct user_key_payload *upayload;
|
|
const struct cred *saved_cred;
|
|
size_t typelen, desclen;
|
|
char *desc, *cp;
|
|
int ret, len;
|
|
|
|
kenter("%s,%*.*s,%zu,%s",
|
|
type, (int)namelen, (int)namelen, name, namelen, options);
|
|
|
|
if (!name || namelen == 0 || !_result)
|
|
return -EINVAL;
|
|
|
|
/* construct the query key description as "[<type>:]<name>" */
|
|
typelen = 0;
|
|
desclen = 0;
|
|
if (type) {
|
|
typelen = strlen(type);
|
|
if (typelen < 1)
|
|
return -EINVAL;
|
|
desclen += typelen + 1;
|
|
}
|
|
|
|
if (!namelen)
|
|
namelen = strnlen(name, 256);
|
|
if (namelen < 3 || namelen > 255)
|
|
return -EINVAL;
|
|
desclen += namelen + 1;
|
|
|
|
desc = kmalloc(desclen, GFP_KERNEL);
|
|
if (!desc)
|
|
return -ENOMEM;
|
|
|
|
cp = desc;
|
|
if (type) {
|
|
memcpy(cp, type, typelen);
|
|
cp += typelen;
|
|
*cp++ = ':';
|
|
}
|
|
memcpy(cp, name, namelen);
|
|
cp += namelen;
|
|
*cp = '\0';
|
|
|
|
if (!options)
|
|
options = "";
|
|
kdebug("call request_key(,%s,%s)", desc, options);
|
|
|
|
/* make the upcall, using special credentials to prevent the use of
|
|
* add_key() to preinstall malicious redirections
|
|
*/
|
|
saved_cred = override_creds(dns_resolver_cache);
|
|
rkey = request_key(&key_type_dns_resolver, desc, options);
|
|
revert_creds(saved_cred);
|
|
kfree(desc);
|
|
if (IS_ERR(rkey)) {
|
|
ret = PTR_ERR(rkey);
|
|
goto out;
|
|
}
|
|
|
|
down_read(&rkey->sem);
|
|
set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
|
|
rkey->perm |= KEY_USR_VIEW;
|
|
|
|
ret = key_validate(rkey);
|
|
if (ret < 0)
|
|
goto put;
|
|
|
|
/* If the DNS server gave an error, return that to the caller */
|
|
ret = PTR_ERR(rkey->payload.data[dns_key_error]);
|
|
if (ret)
|
|
goto put;
|
|
|
|
upayload = user_key_payload_locked(rkey);
|
|
len = upayload->datalen;
|
|
|
|
ret = -ENOMEM;
|
|
*_result = kmalloc(len + 1, GFP_KERNEL);
|
|
if (!*_result)
|
|
goto put;
|
|
|
|
memcpy(*_result, upayload->data, len);
|
|
(*_result)[len] = '\0';
|
|
|
|
if (_expiry)
|
|
*_expiry = rkey->expiry;
|
|
|
|
ret = len;
|
|
put:
|
|
up_read(&rkey->sem);
|
|
key_put(rkey);
|
|
out:
|
|
kleave(" = %d", ret);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(dns_query);
|