Commit | Line | Data |
---|---|---|
83f48a73 GKH |
1 | From a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 Mon Sep 17 00:00:00 2001 |
2 | From: Chuck Lever <chuck.lever@oracle.com> | |
3 | Date: Wed, 29 Jun 2016 13:55:22 -0400 | |
4 | Subject: NFS: Don't drop CB requests with invalid principals | |
5 | ||
6 | From: Chuck Lever <chuck.lever@oracle.com> | |
7 | ||
8 | commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream. | |
9 | ||
10 | Before commit 778be232a207 ("NFS do not find client in NFSv4 | |
11 | pg_authenticate"), the Linux callback server replied with | |
12 | RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB | |
13 | request. Let's restore that behavior so the server has a chance to | |
14 | do something useful about it, and provide a warning that helps | |
15 | admins correct the problem. | |
16 | ||
17 | Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...") | |
18 | Signed-off-by: Chuck Lever <chuck.lever@oracle.com> | |
19 | Tested-by: Steve Wise <swise@opengridcomputing.com> | |
20 | Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> | |
21 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
22 | ||
23 | --- | |
24 | fs/nfs/callback_xdr.c | 6 +++++- | |
25 | net/sunrpc/svc.c | 5 +++++ | |
26 | 2 files changed, 10 insertions(+), 1 deletion(-) | |
27 | ||
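--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -925,7 +925,7 @@ static __be32 nfs4_callback_compound(str
 if (hdr_arg.minorversion == 0) {
 cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident);
 if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
- return rpc_drop_reply;
+ goto out_invalidcred;
 }
 
 cps.minorversion = hdr_arg.minorversion;
@@ -953,6 +953,10 @@ static __be32 nfs4_callback_compound(str
 nfs_put_client(cps.clp);
 dprintk("%s: done, status = %u\n", __func__, ntohl(status));
 return rpc_success;
+
+out_invalidcred:
+ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
+ return rpc_autherr_badcred;
 }
 
 /*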
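Review bot: The new `goto out_invalidcred` in the first hunk is taken both when no client was found and when `check_gss_callback_principal()` rejects a client that was found, and the label sits after `return rpc_success`, so the second case never reaches the `nfs_put_client(cps.clp)` on the normal exit. Assuming `nfs4_find_client_ident()` returns a counted reference (the put on the success path suggests it does), each callback with a bad principal would pin the `nfs_client`, and the peer sending it has by definition failed the principal check. Dropping the reference before the jump closes that: `if (cps.clp) nfs_put_client(cps.clp);` ahead of `goto out_invalidcred;`. The removed `return rpc_drop_reply;` had the same gap, and the rest of nfs4_callback_compound lies outside both hunks, so this should be confirmed against the full function.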
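--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1194,6 +1194,11 @@ svc_process_common(struct svc_rqst *rqst
 procp->pc_release(rqstp, NULL, rqstp->rq_resp);
 goto dropit;
 }
+ if (*statp == rpc_autherr_badcred) {
+ if (procp->pc_release)
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto err_bad_auth;
+ }
 if (*statp == rpc_success &&
 (xdr = procp->pc_encode) &&
 !xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {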
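Review bot: The added branch jumps to `err_bad_auth` without recording why the call is being rejected; nothing in the hunk stores `rpc_autherr_badcred` anywhere other than the comparison itself. The label is outside the hunk, but if it encodes the reject reason from the function's `auth_stat` local, that variable still holds whatever the earlier authentication step left in it, and the client would get an AUTH_ERROR reply carrying the wrong status instead of BADCRED. Setting it on this path, `auth_stat = rpc_autherr_badcred;` before `goto err_bad_auth;`, keeps the reply consistent with what the commit message promises. Because this is generic RPC server code, a short comment such as `/* pc_func requests an RPC-level AUTH_ERROR reject */` above the branch would also tell other services what returning this value now does.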