mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 07:44:49 +01:00
bf94dea7fd
NFSD has always supported added network listeners. The new netlink protocol now enables the removal of listeners. Olga noticed that if an RDMA listener is removed and immediately re-added, the deferred __svc_rdma_free() function might not have run yet, so some or all of the old listener's RDMA resources linger, which prevents a new listener on the same address from being created. Also, svc_xprt_free() does a module_put() just after calling ->xpo_free(). That means if there is deferred work going on, the module could be unloaded before that work is even started, resulting in a UAF. Neil asks: > What particular part of __svc_rdma_free() needs to run in order for a > subsequent registration to succeed? > Can that bit be run directory from svc_rdma_free() rather than be > delayed? > (I know almost nothing about rdma so forgive me if the answers to these > questions seems obvious) The reasons I can recall are: - Some of the transport tear-down work can sleep - Releasing a cm_id is tricky and can deadlock We might be able to mitigate the second issue with judicious application of transport reference counting. Reported-by: Olga Kornievskaia <okorniev@redhat.com> Closes: https://lore.kernel.org/linux-nfs/20250821204328.89218-1-okorniev@redhat.com/ Suggested-by: NeilBrown <neil@brown.name> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> |
||
|---|---|---|
| .. | ||
| auth_gss | ||
| xprtrdma | ||
| .kunitconfig | ||
| addr.c | ||
| auth.c | ||
| auth_null.c | ||
| auth_tls.c | ||
| auth_unix.c | ||
| backchannel_rqst.c | ||
| cache.c | ||
| clnt.c | ||
| debugfs.c | ||
| fail.h | ||
| Kconfig | ||
| Makefile | ||
| netns.h | ||
| rpc_pipe.c | ||
| rpcb_clnt.c | ||
| sched.c | ||
| socklib.c | ||
| socklib.h | ||
| stats.c | ||
| sunrpc.h | ||
| sunrpc_syms.c | ||
| svc.c | ||
| svc_xprt.c | ||
| svcauth.c | ||
| svcauth_unix.c | ||
| svcsock.c | ||
| sysctl.c | ||
| sysfs.c | ||
| sysfs.h | ||
| timer.c | ||
| xdr.c | ||
| xprt.c | ||
| xprtmultipath.c | ||
| xprtsock.c | ||