kernel-ark/net/sunrpc/svcauth.c
Bruce Allan f35279d3f7 [PATCH] sunrpc: cache_register can use wrong module reference
When registering an RPC cache, cache_register() always sets the owner as the
sunrpc module.  However, there are RPC caches owned by other modules.  With
the incorrect owner setting, the real owning module can be removed potentially
with an open reference to the cache from userspace.

For example, if one were to stop the nfs server and unmount the nfsd
filesystem, the nfsd module could be removed eventhough rpc.idmapd had
references to the idtoname and nametoid caches (i.e.
/proc/net/rpc/nfs4.<cachename>/channel is still open).  This resulted in a
system panic on one of our machines when attempting to restart the nfs
services after reloading the nfsd module.

The following patch adds a 'struct module *owner' field in struct
cache_detail.  The owner is further assigned to the struct proc_dir_entry
in cache_register() so that the module cannot be unloaded while user-space
daemons have an open reference on the associated file under /proc.

Signed-off-by: Bruce Allan <bwa@us.ibm.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: Neil Brown <neilb@cse.unsw.edu.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-07 16:57:25 -07:00

218 lines
5.2 KiB
C

/*
* linux/net/sunrpc/svcauth.c
*
* The generic interface for RPC authentication on the server side.
*
* Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de>
*
* CHANGES
* 19-Apr-2000 Chris Evans - Security fix
*/
#include <linux/types.h>
#include <linux/sched.h>
#include <linux/module.h>
#include <linux/sunrpc/types.h>
#include <linux/sunrpc/xdr.h>
#include <linux/sunrpc/svcsock.h>
#include <linux/sunrpc/svcauth.h>
#include <linux/err.h>
#include <linux/hash.h>
#define RPCDBG_FACILITY RPCDBG_AUTH
/*
* Table of authenticators
*/
extern struct auth_ops svcauth_null;
extern struct auth_ops svcauth_unix;
static DEFINE_SPINLOCK(authtab_lock);
static struct auth_ops *authtab[RPC_AUTH_MAXFLAVOR] = {
[0] = &svcauth_null,
[1] = &svcauth_unix,
};
int
svc_authenticate(struct svc_rqst *rqstp, u32 *authp)
{
rpc_authflavor_t flavor;
struct auth_ops *aops;
*authp = rpc_auth_ok;
flavor = ntohl(svc_getu32(&rqstp->rq_arg.head[0]));
dprintk("svc: svc_authenticate (%d)\n", flavor);
spin_lock(&authtab_lock);
if (flavor >= RPC_AUTH_MAXFLAVOR || !(aops = authtab[flavor])
|| !try_module_get(aops->owner)) {
spin_unlock(&authtab_lock);
*authp = rpc_autherr_badcred;
return SVC_DENIED;
}
spin_unlock(&authtab_lock);
rqstp->rq_authop = aops;
return aops->accept(rqstp, authp);
}
int svc_set_client(struct svc_rqst *rqstp)
{
return rqstp->rq_authop->set_client(rqstp);
}
/* A request, which was authenticated, has now executed.
* Time to finalise the the credentials and verifier
* and release and resources
*/
int svc_authorise(struct svc_rqst *rqstp)
{
struct auth_ops *aops = rqstp->rq_authop;
int rv = 0;
rqstp->rq_authop = NULL;
if (aops) {
rv = aops->release(rqstp);
module_put(aops->owner);
}
return rv;
}
int
svc_auth_register(rpc_authflavor_t flavor, struct auth_ops *aops)
{
int rv = -EINVAL;
spin_lock(&authtab_lock);
if (flavor < RPC_AUTH_MAXFLAVOR && authtab[flavor] == NULL) {
authtab[flavor] = aops;
rv = 0;
}
spin_unlock(&authtab_lock);
return rv;
}
void
svc_auth_unregister(rpc_authflavor_t flavor)
{
spin_lock(&authtab_lock);
if (flavor < RPC_AUTH_MAXFLAVOR)
authtab[flavor] = NULL;
spin_unlock(&authtab_lock);
}
EXPORT_SYMBOL(svc_auth_unregister);
/**************************************************
* cache for domain name to auth_domain
* Entries are only added by flavours which will normally
* have a structure that 'inherits' from auth_domain.
* e.g. when an IP -> domainname is given to auth_unix,
* and the domain name doesn't exist, it will create a
* auth_unix_domain and add it to this hash table.
* If it finds the name does exist, but isn't AUTH_UNIX,
* it will complain.
*/
/*
* Auth auth_domain cache is somewhat different to other caches,
* largely because the entries are possibly of different types:
* each auth flavour has it's own type.
* One consequence of this that DefineCacheLookup cannot
* allocate a new structure as it cannot know the size.
* Notice that the "INIT" code fragment is quite different
* from other caches. When auth_domain_lookup might be
* creating a new domain, the new domain is passed in
* complete and it is used as-is rather than being copied into
* another structure.
*/
#define DN_HASHBITS 6
#define DN_HASHMAX (1<<DN_HASHBITS)
#define DN_HASHMASK (DN_HASHMAX-1)
static struct cache_head *auth_domain_table[DN_HASHMAX];
static void auth_domain_drop(struct cache_head *item, struct cache_detail *cd)
{
struct auth_domain *dom = container_of(item, struct auth_domain, h);
if (cache_put(item,cd))
authtab[dom->flavour]->domain_release(dom);
}
struct cache_detail auth_domain_cache = {
.owner = THIS_MODULE,
.hash_size = DN_HASHMAX,
.hash_table = auth_domain_table,
.name = "auth.domain",
.cache_put = auth_domain_drop,
};
void auth_domain_put(struct auth_domain *dom)
{
auth_domain_drop(&dom->h, &auth_domain_cache);
}
static inline int auth_domain_hash(struct auth_domain *item)
{
return hash_str(item->name, DN_HASHBITS);
}
static inline int auth_domain_match(struct auth_domain *tmp, struct auth_domain *item)
{
return strcmp(tmp->name, item->name) == 0;
}
struct auth_domain *
auth_domain_lookup(struct auth_domain *item, int set)
{
struct auth_domain *tmp = NULL;
struct cache_head **hp, **head;
head = &auth_domain_cache.hash_table[auth_domain_hash(item)];
if (set)
write_lock(&auth_domain_cache.hash_lock);
else
read_lock(&auth_domain_cache.hash_lock);
for (hp=head; *hp != NULL; hp = &tmp->h.next) {
tmp = container_of(*hp, struct auth_domain, h);
if (!auth_domain_match(tmp, item))
continue;
if (!set) {
cache_get(&tmp->h);
goto out_noset;
}
*hp = tmp->h.next;
tmp->h.next = NULL;
auth_domain_drop(&tmp->h, &auth_domain_cache);
goto out_set;
}
/* Didn't find anything */
if (!set)
goto out_nada;
auth_domain_cache.entries++;
out_set:
item->h.next = *head;
*head = &item->h;
cache_get(&item->h);
write_unlock(&auth_domain_cache.hash_lock);
cache_fresh(&auth_domain_cache, &item->h, item->h.expiry_time);
cache_get(&item->h);
return item;
out_nada:
tmp = NULL;
out_noset:
read_unlock(&auth_domain_cache.hash_lock);
return tmp;
}
struct auth_domain *auth_domain_find(char *name)
{
struct auth_domain *rv, ad;
ad.name = name;
rv = auth_domain_lookup(&ad, 0);
return rv;
}