Re: [PATCH] nfs: fix oops when trying to set SELinux label

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri,  1 Nov 2013 10:49:32 -0400
Jeff Layton <jlayton@xxxxxxxxxx> wrote:

> Chao reported the following oops when testing labeled NFS:
> 
> BUG: unable to handle kernel NULL pointer dereference at           (null)
> IP: [<ffffffffa0568703>] nfs4_xdr_enc_setattr+0x43/0x110 [nfsv4]
> PGD 277bbd067 PUD 2777ea067 PMD 0
> Oops: 0000 [#1] SMP
> Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache sg coretemp kvm_intel kvm crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul iTCO_wdt glue_helper ablk_helper cryptd iTCO_vendor_support bnx2 pcspkr serio_raw i7core_edac cdc_ether microcode usbnet edac_core mii lpc_ich i2c_i801 mfd_core shpchp ioatdma dca acpi_cpufreq mperf nfsd auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sr_mod sd_mod cdrom crc_t10dif mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ata_generic ttm pata_acpi drm ata_piix libata megaraid_sas i2c_core dm_mirror dm_region_hash dm_log dm_mod
> CPU: 4 PID: 25657 Comm: chcon Not tainted 3.10.0-33.el7.x86_64 #1
> Hardware name: IBM System x3550 M3 -[7944OEJ]-/90Y4784     , BIOS -[D6E150CUS-1.11]- 02/08/2011
> task: ffff880178397220 ti: ffff8801595d2000 task.ti: ffff8801595d2000
> RIP: 0010:[<ffffffffa0568703>]  [<ffffffffa0568703>] nfs4_xdr_enc_setattr+0x43/0x110 [nfsv4]
> RSP: 0018:ffff8801595d3888  EFLAGS: 00010296
> RAX: 0000000000000000 RBX: ffff8801595d3b30 RCX: 0000000000000b4c
> RDX: ffff8801595d3b30 RSI: ffff8801595d38e0 RDI: ffff880278b6ec00
> RBP: ffff8801595d38c8 R08: ffff8801595d3b30 R09: 0000000000000001
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801595d38e0
> R13: ffff880277a4a780 R14: ffffffffa05686c0 R15: ffff8802765f206c
> FS:  00007f2c68486800(0000) GS:ffff88027fc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 000000027651a000 CR4: 00000000000007e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Stack:
>  0000000000000000 0000000000000000 0000000000000000 0000000000000000
>  0000000000000000 ffff880277865800 ffff880278b6ec00 ffff880277a4a780
>  ffff8801595d3948 ffffffffa02ad926 ffff8801595d3b30 ffff8802765f206c
> Call Trace:
>  [<ffffffffa02ad926>] rpcauth_wrap_req+0x86/0xd0 [sunrpc]
>  [<ffffffffa02a1d40>] ? call_connect+0xb0/0xb0 [sunrpc]
>  [<ffffffffa02a1d40>] ? call_connect+0xb0/0xb0 [sunrpc]
>  [<ffffffffa02a1ecb>] call_transmit+0x18b/0x290 [sunrpc]
>  [<ffffffffa02a1d40>] ? call_connect+0xb0/0xb0 [sunrpc]
>  [<ffffffffa02aae14>] __rpc_execute+0x84/0x400 [sunrpc]
>  [<ffffffffa02ac40e>] rpc_execute+0x5e/0xa0 [sunrpc]
>  [<ffffffffa02a2ea0>] rpc_run_task+0x70/0x90 [sunrpc]
>  [<ffffffffa02a2f03>] rpc_call_sync+0x43/0xa0 [sunrpc]
>  [<ffffffffa055284d>] _nfs4_do_set_security_label+0x11d/0x170 [nfsv4]
>  [<ffffffffa0558861>] nfs4_set_security_label.isra.69+0xf1/0x1d0 [nfsv4]
>  [<ffffffff815fca8b>] ? avc_alloc_node+0x24/0x125
>  [<ffffffff815fcd2f>] ? avc_compute_av+0x1a3/0x1b5
>  [<ffffffffa055897b>] nfs4_xattr_set_nfs4_label+0x3b/0x50 [nfsv4]
>  [<ffffffff811bc772>] generic_setxattr+0x62/0x80
>  [<ffffffff811bcfc3>] __vfs_setxattr_noperm+0x63/0x1b0
>  [<ffffffff811bd1c5>] vfs_setxattr+0xb5/0xc0
>  [<ffffffff811bd2fe>] setxattr+0x12e/0x1c0
>  [<ffffffff811a4d22>] ? final_putname+0x22/0x50
>  [<ffffffff811a4f2b>] ? putname+0x2b/0x40
>  [<ffffffff811aa1cf>] ? user_path_at_empty+0x5f/0x90
>  [<ffffffff8119bc29>] ? __sb_start_write+0x49/0x100
>  [<ffffffff811bd66f>] SyS_lsetxattr+0x8f/0xd0
>  [<ffffffff8160cf99>] system_call_fastpath+0x16/0x1b
> Code: 48 8b 02 48 c7 45 c0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 d0 00 00 00 00 48 c7 45 d8 00 00 00 00 48 c7 45 e0 00 00 00 00 <48> 8b 00 48 8b 00 48 85 c0 0f 84 ae 00 00 00 48 8b 80 b8 03 00
> RIP  [<ffffffffa0568703>] nfs4_xdr_enc_setattr+0x43/0x110 [nfsv4]
>  RSP <ffff8801595d3888>
> CR2: 0000000000000000
> 
> The problem is that _nfs4_do_set_security_label calls rpc_call_sync()
> directly which fails to do any setup of the SEQUENCE call. Have it use
> nfs4_call_sync() instead which does the right thing. While we're at it
> change the name of "args" to "arg" to better match the pattern in
> _nfs4_do_setattr.
> 
> Reported-by: Chao Ye <cye@xxxxxxxxxx>
> Cc: David Quigley <dpquigl@xxxxxxxxxxxxxxx>
> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
> ---
>  fs/nfs/nfs4proc.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index b02c4cc..d436c57 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -4657,7 +4657,7 @@ static int _nfs4_do_set_security_label(struct inode *inode,
>  	struct iattr sattr = {0};
>  	struct nfs_server *server = NFS_SERVER(inode);
>  	const u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };
> -	struct nfs_setattrargs args = {
> +	struct nfs_setattrargs arg = {
>  		.fh             = NFS_FH(inode),
>  		.iap            = &sattr,
>  		.server		= server,
> @@ -4671,14 +4671,14 @@ static int _nfs4_do_set_security_label(struct inode *inode,
>  	};
>  	struct rpc_message msg = {
>  		.rpc_proc       = &nfs4_procedures[NFSPROC4_CLNT_SETATTR],
> -		.rpc_argp       = &args,
> +		.rpc_argp       = &arg,
>  		.rpc_resp       = &res,
>  	};
>  	int status;
>  
> -	nfs4_stateid_copy(&args.stateid, &zero_stateid);
> +	nfs4_stateid_copy(&arg.stateid, &zero_stateid);
>  
> -	status = rpc_call_sync(server->client, &msg, 0);
> +	status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
>  	if (status)
>  		dprintk("%s failed: %d\n", __func__, status);
>  

Oh and btw...

It looks like _nfs4_get_security_label() has the same problem, but I've
so far been unable to get it to be called, so I didn't patch it. It
seems like getxattr does some special stuff for SELinux labels that
cause them only to ever be fetched once.

Is there some trick to it?

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux