From 271da49386e259723ef574713339f04886630604 Mon Sep 17 00:00:00 2001 From: Nicolás Reynolds Date: Tue, 14 Jan 2014 03:47:29 +0000 Subject: Tue Jan 14 03:40:13 UTC 2014 --- kernels/linux-libre-grsec/PKGBUILD | 31 ++- .../nfs-check-gssd-running-before-krb5i-auth.patch | 48 +++++ ...my-gssd-directory-when-notification-fails.patch | 50 +++++ ...the-clntXX-dir-if-creating-the-pipe-fails.patch | 32 +++ ...-add-an-info-file-for-the-dummy-gssd-pipe.patch | 96 +++++++++ ...te-a-new-dummy-pipe-for-gssd-to-hold-open.patch | 233 +++++++++++++++++++++ ...ace-gssd_running-with-more-reliable-check.patch | 139 ++++++++++++ 7 files changed, 625 insertions(+), 4 deletions(-) create mode 100644 kernels/linux-libre-grsec/nfs-check-gssd-running-before-krb5i-auth.patch create mode 100644 kernels/linux-libre-grsec/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch create mode 100644 kernels/linux-libre-grsec/rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch create mode 100644 kernels/linux-libre-grsec/sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch create mode 100644 kernels/linux-libre-grsec/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch create mode 100644 kernels/linux-libre-grsec/sunrpc-replace-gssd_running-with-more-reliable-check.patch (limited to 'kernels/linux-libre-grsec') diff --git a/kernels/linux-libre-grsec/PKGBUILD b/kernels/linux-libre-grsec/PKGBUILD index f0d01f56b..e089e5eb6 100644 --- a/kernels/linux-libre-grsec/PKGBUILD +++ b/kernels/linux-libre-grsec/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 203405 2014-01-10 08:45:42Z tpowa $ +# $Id: PKGBUILD 203524 2014-01-12 13:05:55Z tpowa $ # Maintainer: Tobias Powalowski # Maintainer: Thomas Baechler # Maintainer (Parabola): André Silva @@ -12,9 +12,9 @@ pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel _basekernel=3.12 _sublevel=7 _grsecver=3.0 -_timestamp=201401091837 +_timestamp=201401120824 pkgver=${_basekernel}.${_sublevel} -pkgrel=1 +pkgrel=2 _lxopkgver=${_basekernel}.7 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="http://linux-libre.fsfla.org/" @@ -33,13 +33,19 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'boot-logo.patch' 'change-default-console-loglevel.patch' 'criu-no-expert.patch' + 'sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch' + 'sunrpc-replace-gssd_running-with-more-reliable-check.patch' + 'nfs-check-gssd-running-before-krb5i-auth.patch' + 'rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch' + 'sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch' + 'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch' 'module-blacklist.conf' 'sysctl.conf' 'known-exploit-detection.patch' "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2") md5sums=('254f59707b6676b59ce5ca5c3c698319' 'c42ff446236915fe1a6e2b6f9724d267' - 'e4a7b8f1543e9c2c3ab0ed77ff93b04a' + 'a90b0bcd0ece5c0bee4fa8155a0122fd' 'ce2f5067862192ce2dcb897e362b24f6' '93ff5264c547d894cc68e0c30a0dbdd8' '5f66bed97a5c37e48eb2f71b2d354b9a' @@ -48,6 +54,12 @@ md5sums=('254f59707b6676b59ce5ca5c3c698319' '14bb375a8a1d86d2875f72fcbaa03f3e' '0892ce6045478bea4a005a6d82c0819e' 'b5509f6c3889a1b32f2e1f90ee2508f1' + 'd4a75f77e6bd5d700dcd534cd5f0dfce' + 'dc86fdc37615c97f03c1e0c31b7b833a' + '88eef9d3b5012ef7e82af1af8cc4e517' + 'cec0bb8981936eab2943b2009b7a6fff' + '88d9cddf9e0050a76ec4674f264fb2a1' + 'cb9016630212ef07b168892fbcfd4e5d' 'f93ef6157fbb23820bd5ae08fd3f451e' '0db7629711f4ed76bd1f9da9f97bc4ea' '34f7e421a25ebc3c1406e04db56accfa' @@ -87,6 +99,17 @@ prepare() { # patch from fedora patch -Np1 -i "${srcdir}/criu-no-expert.patch" + # fix 15 seocnds nfs delay + patch -Np1 -i "${srcdir}/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch" + patch -Np1 -i "${srcdir}/sunrpc-replace-gssd_running-with-more-reliable-check.patch" + patch -Np1 -i "${srcdir}/nfs-check-gssd-running-before-krb5i-auth.patch" + # fix nfs kernel oops + # #37866 + patch -Np1 -i "${srcdir}/rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch" + patch -Np1 -i "${srcdir}/sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch" + + patch -Np1 -i "${srcdir}/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch" + # add known exploit detection patch # http://lkml.org/lkml/2013/12/12/358 patch -Np1 -i "${srcdir}/known-exploit-detection.patch" diff --git a/kernels/linux-libre-grsec/nfs-check-gssd-running-before-krb5i-auth.patch b/kernels/linux-libre-grsec/nfs-check-gssd-running-before-krb5i-auth.patch new file mode 100644 index 000000000..be81fec76 --- /dev/null +++ b/kernels/linux-libre-grsec/nfs-check-gssd-running-before-krb5i-auth.patch @@ -0,0 +1,48 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) + +Currently, the client will attempt to use krb5i in the SETCLIENTID call +even if rpc.gssd isn't running. When that fails, it'll then fall back to +RPC_AUTH_UNIX. This introduced a delay when mounting if rpc.gssd isn't +running, and causes warning messages to pop up in the ring buffer. + +Check to see if rpc.gssd is running before even attempting to use krb5i +auth, and just silently skip trying to do so if it isn't. In the event +that the admin is actually trying to mount with krb5*, it will still +fail at a later stage of the mount attempt. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +--- + fs/nfs/nfs4client.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c +--- linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c 2013-11-21 10:20:27.288286000 -0500 +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "callback.h" + #include "delegation.h" +@@ -206,7 +207,11 @@ struct nfs_client *nfs4_init_client(stru + if (clp->cl_minorversion != 0) + __set_bit(NFS_CS_INFINITE_SLOTS, &clp->cl_flags); + __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags); +- error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_GSS_KRB5I); ++ ++ error = -EINVAL; ++ if (gssd_running(clp->cl_net)) ++ error = nfs_create_rpc_client(clp, timeparms, ++ RPC_AUTH_GSS_KRB5I); + if (error == -EINVAL) + error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_UNIX); + if (error < 0) + +_______________________________________________ +kernel mailing list +kernel@lists.fedoraproject.org +https://admin.fedoraproject.org/mailman/listinfo/kernel diff --git a/kernels/linux-libre-grsec/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch b/kernels/linux-libre-grsec/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch new file mode 100644 index 000000000..ed03f34dd --- /dev/null +++ b/kernels/linux-libre-grsec/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch @@ -0,0 +1,50 @@ +Bugzilla: 1037793 +Upstream-status: submitted for 3.14 + +Currently, it could leak dentry references in some cases. Make sure +we clean up properly. + +Signed-off-by: Jeff Layton +--- + net/sunrpc/rpc_pipe.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index 5d973b2..b185548 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -1369,6 +1369,18 @@ out: + return pipe_dentry; + } + ++static void ++rpc_gssd_dummy_depopulate(struct dentry *pipe_dentry) ++{ ++ struct dentry *clnt_dir = pipe_dentry->d_parent; ++ struct dentry *gssd_dir = clnt_dir->d_parent; ++ ++ __rpc_rmpipe(clnt_dir->d_inode, pipe_dentry); ++ __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1); ++ __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1); ++ dput(pipe_dentry); ++} ++ + static int + rpc_fill_super(struct super_block *sb, void *data, int silent) + { +@@ -1412,7 +1424,7 @@ rpc_fill_super(struct super_block *sb, void *data, int silent) + return 0; + + err_depopulate: +- dput(gssd_dentry); ++ rpc_gssd_dummy_depopulate(gssd_dentry); + blocking_notifier_call_chain(&rpc_pipefs_notifier_list, + RPC_PIPEFS_UMOUNT, + sb); +-- +1.8.4.2 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-nfs" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernels/linux-libre-grsec/rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch b/kernels/linux-libre-grsec/rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch new file mode 100644 index 000000000..e4b1a255f --- /dev/null +++ b/kernels/linux-libre-grsec/rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch @@ -0,0 +1,32 @@ +Bugzilla: 1037793 +Upstream-status: submitted for 3.14 + +In the event that we create the gssd/clntXX dir, but the pipe creation +subsequently fails, then we should remove the clntXX dir before +returning. + +Signed-off-by: Jeff Layton +--- + net/sunrpc/rpc_pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index 5cd7ad1..0b74c61 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -1313,6 +1313,8 @@ rpc_gssd_dummy_populate(struct dentry *root, struct rpc_pipe *pipe_data) + } + + pipe_dentry = rpc_mkpipe_dentry(clnt_dentry, "gssd", NULL, pipe_data); ++ if (IS_ERR(pipe_dentry)) ++ __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1); + out: + dput(clnt_dentry); + dput(gssd_dentry); +-- +1.8.4.2 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-nfs" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernels/linux-libre-grsec/sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch b/kernels/linux-libre-grsec/sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch new file mode 100644 index 000000000..dd3b5ba2f --- /dev/null +++ b/kernels/linux-libre-grsec/sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch @@ -0,0 +1,96 @@ +Bugzilla: 1037793 +Upstream-status: submitted for 3.14 + +rpc.gssd expects to see an "info" file in each clntXX dir. Since adding +the dummy gssd pipe, users that run rpc.gssd see a lot of these messages +spamming the logs: + + rpc.gssd[508]: ERROR: can't open /var/lib/nfs/rpc_pipefs/gssd/clntXX/info: No such file or directory + rpc.gssd[508]: ERROR: failed to read service info + +Add a dummy gssd/clntXX/info file to help silence these messages. + +Signed-off-by: Jeff Layton +--- + net/sunrpc/rpc_pipe.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 49 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index 0b74c61..5d973b2 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1275,6 +1276,44 @@ static const struct rpc_pipe_ops gssd_dummy_pipe_ops = { + .downcall = dummy_downcall, + }; + ++/* ++ * Here we present a bogus "info" file to keep rpc.gssd happy. We don't expect ++ * that it will ever use this info to handle an upcall, but rpc.gssd expects ++ * that this file will be there and have a certain format. ++ */ ++static int ++rpc_show_dummy_info(struct seq_file *m, void *v) ++{ ++ seq_printf(m, "RPC server: %s\n", utsname()->nodename); ++ seq_printf(m, "service: foo (1) version 0\n"); ++ seq_printf(m, "address: 127.0.0.1\n"); ++ seq_printf(m, "protocol: tcp\n"); ++ seq_printf(m, "port: 0\n"); ++ return 0; ++} ++ ++static int ++rpc_dummy_info_open(struct inode *inode, struct file *file) ++{ ++ return single_open(file, rpc_show_dummy_info, NULL); ++} ++ ++static const struct file_operations rpc_dummy_info_operations = { ++ .owner = THIS_MODULE, ++ .open = rpc_dummy_info_open, ++ .read = seq_read, ++ .llseek = seq_lseek, ++ .release = single_release, ++}; ++ ++static const struct rpc_filelist gssd_dummy_info_file[] = { ++ [0] = { ++ .name = "info", ++ .i_fop = &rpc_dummy_info_operations, ++ .mode = S_IFREG | S_IRUSR, ++ }, ++}; ++ + /** + * rpc_gssd_dummy_populate - create a dummy gssd pipe + * @root: root of the rpc_pipefs filesystem +@@ -1312,9 +1351,18 @@ rpc_gssd_dummy_populate(struct dentry *root, struct rpc_pipe *pipe_data) + goto out; + } + ++ ret = rpc_populate(clnt_dentry, gssd_dummy_info_file, 0, 1, NULL); ++ if (ret) { ++ __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1); ++ pipe_dentry = ERR_PTR(ret); ++ goto out; ++ } ++ + pipe_dentry = rpc_mkpipe_dentry(clnt_dentry, "gssd", NULL, pipe_data); +- if (IS_ERR(pipe_dentry)) ++ if (IS_ERR(pipe_dentry)) { ++ __rpc_depopulate(clnt_dentry, gssd_dummy_info_file, 0, 1); + __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1); ++ } + out: + dput(clnt_dentry); + dput(gssd_dentry); +-- +1.8.4.2 diff --git a/kernels/linux-libre-grsec/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch b/kernels/linux-libre-grsec/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch new file mode 100644 index 000000000..805498a70 --- /dev/null +++ b/kernels/linux-libre-grsec/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch @@ -0,0 +1,233 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) + +rpc.gssd will naturally hold open any pipe named */clnt*/gssd that shows +up under rpc_pipefs. That behavior gives us a reliable mechanism to tell +whether it's actually running or not. + +Create a new toplevel "gssd" directory in rpc_pipefs when it's mounted. +Under that directory create another directory called "clntXX", and then +within that a pipe called "gssd". + +We'll never send an upcall along that pipe, and any downcall written to +it will just return -EINVAL. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +--- + include/linux/sunrpc/rpc_pipe_fs.h | 3 +- + net/sunrpc/netns.h | 1 + + net/sunrpc/rpc_pipe.c | 93 ++++++++++++++++++++++++++++++++++- + net/sunrpc/sunrpc_syms.c | 8 +++- + 4 files changed, 100 insertions(+), 5 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h +--- linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h 2013-11-21 10:11:17.893026000 -0500 +@@ -64,7 +64,8 @@ enum { + + extern struct dentry *rpc_d_lookup_sb(const struct super_block *sb, + const unsigned char *dir_name); +-extern void rpc_pipefs_init_net(struct net *net); ++extern int rpc_pipefs_init_net(struct net *net); ++extern void rpc_pipefs_exit_net(struct net *net); + extern struct super_block *rpc_get_sb_net(const struct net *net); + extern void rpc_put_sb_net(const struct net *net); + +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h 2013-11-21 10:11:17.897029000 -0500 +@@ -14,6 +14,7 @@ struct sunrpc_net { + struct cache_detail *rsi_cache; + + struct super_block *pipefs_sb; ++ struct rpc_pipe *gssd_dummy; + struct mutex pipefs_sb_lock; + + struct list_head all_clients; +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c 2013-11-21 10:11:17.903026000 -0500 +@@ -38,7 +38,7 @@ + #define NET_NAME(net) ((net == &init_net) ? " (init_net)" : "") + + static struct file_system_type rpc_pipe_fs_type; +- ++static const struct rpc_pipe_ops gssd_dummy_pipe_ops; + + static struct kmem_cache *rpc_inode_cachep __read_mostly; + +@@ -1019,6 +1019,7 @@ enum { + RPCAUTH_nfsd4_cb, + RPCAUTH_cache, + RPCAUTH_nfsd, ++ RPCAUTH_gssd, + RPCAUTH_RootEOF + }; + +@@ -1055,6 +1056,10 @@ static const struct rpc_filelist files[] + .name = "nfsd", + .mode = S_IFDIR | S_IRUGO | S_IXUGO, + }, ++ [RPCAUTH_gssd] = { ++ .name = "gssd", ++ .mode = S_IFDIR | S_IRUGO | S_IXUGO, ++ }, + }; + + /* +@@ -1068,13 +1073,25 @@ struct dentry *rpc_d_lookup_sb(const str + } + EXPORT_SYMBOL_GPL(rpc_d_lookup_sb); + +-void rpc_pipefs_init_net(struct net *net) ++int rpc_pipefs_init_net(struct net *net) + { + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + ++ sn->gssd_dummy = rpc_mkpipe_data(&gssd_dummy_pipe_ops, 0); ++ if (IS_ERR(sn->gssd_dummy)) ++ return PTR_ERR(sn->gssd_dummy); ++ + mutex_init(&sn->pipefs_sb_lock); + sn->gssd_running = 1; + sn->pipe_version = -1; ++ return 0; ++} ++ ++void rpc_pipefs_exit_net(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ rpc_destroy_pipe_data(sn->gssd_dummy); + } + + /* +@@ -1104,11 +1121,73 @@ void rpc_put_sb_net(const struct net *ne + } + EXPORT_SYMBOL_GPL(rpc_put_sb_net); + ++static const struct rpc_filelist gssd_dummy_clnt_dir[] = { ++ [0] = { ++ .name = "clntXX", ++ .mode = S_IFDIR | S_IRUGO | S_IXUGO, ++ }, ++}; ++ ++static ssize_t ++dummy_downcall(struct file *filp, const char __user *src, size_t len) ++{ ++ return -EINVAL; ++} ++ ++static const struct rpc_pipe_ops gssd_dummy_pipe_ops = { ++ .upcall = rpc_pipe_generic_upcall, ++ .downcall = dummy_downcall, ++}; ++ ++/** ++ * rpc_gssd_dummy_populate - create a dummy gssd pipe ++ * @root: root of the rpc_pipefs filesystem ++ * @pipe_data: pipe data created when netns is initialized ++ * ++ * Create a dummy set of directories and a pipe that gssd can hold open to ++ * indicate that it is up and running. ++ */ ++static struct dentry * ++rpc_gssd_dummy_populate(struct dentry *root, struct rpc_pipe *pipe_data) ++{ ++ int ret = 0; ++ struct dentry *gssd_dentry; ++ struct dentry *clnt_dentry = NULL; ++ struct dentry *pipe_dentry = NULL; ++ struct qstr q = QSTR_INIT(files[RPCAUTH_gssd].name, ++ strlen(files[RPCAUTH_gssd].name)); ++ ++ /* We should never get this far if "gssd" doesn't exist */ ++ gssd_dentry = d_hash_and_lookup(root, &q); ++ if (!gssd_dentry) ++ return ERR_PTR(-ENOENT); ++ ++ ret = rpc_populate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1, NULL); ++ if (ret) { ++ pipe_dentry = ERR_PTR(ret); ++ goto out; ++ } ++ ++ q.name = gssd_dummy_clnt_dir[0].name; ++ q.len = strlen(gssd_dummy_clnt_dir[0].name); ++ clnt_dentry = d_hash_and_lookup(gssd_dentry, &q); ++ if (!clnt_dentry) { ++ pipe_dentry = ERR_PTR(-ENOENT); ++ goto out; ++ } ++ ++ pipe_dentry = rpc_mkpipe_dentry(clnt_dentry, "gssd", NULL, pipe_data); ++out: ++ dput(clnt_dentry); ++ dput(gssd_dentry); ++ return pipe_dentry; ++} ++ + static int + rpc_fill_super(struct super_block *sb, void *data, int silent) + { + struct inode *inode; +- struct dentry *root; ++ struct dentry *root, *gssd_dentry; + struct net *net = data; + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + int err; +@@ -1126,6 +1205,13 @@ rpc_fill_super(struct super_block *sb, v + return -ENOMEM; + if (rpc_populate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF, NULL)) + return -ENOMEM; ++ ++ gssd_dentry = rpc_gssd_dummy_populate(root, sn->gssd_dummy); ++ if (IS_ERR(gssd_dentry)) { ++ __rpc_depopulate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF); ++ return PTR_ERR(gssd_dentry); ++ } ++ + dprintk("RPC: sending pipefs MOUNT notification for net %p%s\n", + net, NET_NAME(net)); + mutex_lock(&sn->pipefs_sb_lock); +@@ -1140,6 +1226,7 @@ rpc_fill_super(struct super_block *sb, v + return 0; + + err_depopulate: ++ dput(gssd_dentry); + blocking_notifier_call_chain(&rpc_pipefs_notifier_list, + RPC_PIPEFS_UMOUNT, + sb); +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c 2013-11-21 10:11:17.908026000 -0500 +@@ -44,12 +44,17 @@ static __net_init int sunrpc_init_net(st + if (err) + goto err_unixgid; + +- rpc_pipefs_init_net(net); ++ err = rpc_pipefs_init_net(net); ++ if (err) ++ goto err_pipefs; ++ + INIT_LIST_HEAD(&sn->all_clients); + spin_lock_init(&sn->rpc_client_lock); + spin_lock_init(&sn->rpcb_clnt_lock); + return 0; + ++err_pipefs: ++ unix_gid_cache_destroy(net); + err_unixgid: + ip_map_cache_destroy(net); + err_ipmap: +@@ -60,6 +65,7 @@ err_proc: + + static __net_exit void sunrpc_exit_net(struct net *net) + { ++ rpc_pipefs_exit_net(net); + unix_gid_cache_destroy(net); + ip_map_cache_destroy(net); + rpc_proc_exit(net); + diff --git a/kernels/linux-libre-grsec/sunrpc-replace-gssd_running-with-more-reliable-check.patch b/kernels/linux-libre-grsec/sunrpc-replace-gssd_running-with-more-reliable-check.patch new file mode 100644 index 000000000..8cd5c0090 --- /dev/null +++ b/kernels/linux-libre-grsec/sunrpc-replace-gssd_running-with-more-reliable-check.patch @@ -0,0 +1,139 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) + +Now that we have a more reliable method to tell if gssd is running, we +can replace the sn->gssd_running flag with a function that will query to +see if it's up and running. + +There's also no need to attempt an upcall that we know will fail, so +just return -EACCES if gssd isn't running. Finally, fix the warn_gss() +message not to claim that that the upcall timed out since we don't +necesarily perform one now when gssd isn't running, and remove the +extraneous newline from the message. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +--- + Fixed up to apply to 3.12.1 by Josh Boyer + + include/linux/sunrpc/rpc_pipe_fs.h | 2 ++ + net/sunrpc/auth_gss/auth_gss.c | 17 +++++++---------- + net/sunrpc/netns.h | 2 -- + net/sunrpc/rpc_pipe.c | 14 ++++++++++---- + 4 files changed, 19 insertions(+), 16 deletions(-) + +diff --git a/include/linux/sunrpc/rpc_pipe_fs.h b/include/linux/sunrpc/rpc_pipe_fs.h +index 85f1342..7f490be 100644 +--- a/include/linux/sunrpc/rpc_pipe_fs.h ++++ b/include/linux/sunrpc/rpc_pipe_fs.h +@@ -131,5 +131,7 @@ extern int rpc_unlink(struct dentry *); + extern int register_rpc_pipefs(void); + extern void unregister_rpc_pipefs(void); + ++extern bool gssd_running(struct net *net); ++ + #endif + #endif +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index 0846566..1ada878 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -517,8 +517,7 @@ static void warn_gssd(void) + unsigned long now = jiffies; + + if (time_after(now, ratelimit)) { +- printk(KERN_WARNING "RPC: AUTH_GSS upcall timed out.\n" +- "Please check user daemon is running.\n"); ++ pr_warn("RPC: AUTH_GSS upcall failed. Please check user daemon is running.\n"); + ratelimit = now + 15*HZ; + } + } +@@ -581,7 +580,6 @@ gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred) + struct rpc_pipe *pipe; + struct rpc_cred *cred = &gss_cred->gc_base; + struct gss_upcall_msg *gss_msg; +- unsigned long timeout; + DEFINE_WAIT(wait); + int err; + +@@ -589,17 +587,16 @@ gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred) + __func__, from_kuid(&init_user_ns, cred->cr_uid)); + retry: + err = 0; +- /* Default timeout is 15s unless we know that gssd is not running */ +- timeout = 15 * HZ; +- if (!sn->gssd_running) +- timeout = HZ >> 2; ++ /* if gssd is down, just skip upcalling altogether */ ++ if (!gssd_running(net)) { ++ warn_gssd(); ++ return -EACCES; ++ } + gss_msg = gss_setup_upcall(gss_auth, cred); + if (PTR_ERR(gss_msg) == -EAGAIN) { + err = wait_event_interruptible_timeout(pipe_version_waitqueue, +- sn->pipe_version >= 0, timeout); ++ sn->pipe_version >= 0, 15 * HZ); + if (sn->pipe_version < 0) { +- if (err == 0) +- sn->gssd_running = 0; + warn_gssd(); + err = -EACCES; + } +diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h +index 8a8e841..94e506f 100644 +--- a/net/sunrpc/netns.h ++++ b/net/sunrpc/netns.h +@@ -33,8 +33,6 @@ struct sunrpc_net { + int pipe_version; + atomic_t pipe_users; + struct proc_dir_entry *use_gssp_proc; +- +- unsigned int gssd_running; + }; + + extern int sunrpc_net_id; +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index 40aef18..ad444f3 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -216,14 +216,11 @@ rpc_destroy_inode(struct inode *inode) + static int + rpc_pipe_open(struct inode *inode, struct file *filp) + { +- struct net *net = inode->i_sb->s_fs_info; +- struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + struct rpc_pipe *pipe; + int first_open; + int res = -ENXIO; + + mutex_lock(&inode->i_mutex); +- sn->gssd_running = 1; + pipe = RPC_I(inode)->pipe; + if (pipe == NULL) + goto out; +@@ -1231,7 +1228,6 @@ int rpc_pipefs_init_net(struct net *net) + return PTR_ERR(sn->gssd_dummy); + + mutex_init(&sn->pipefs_sb_lock); +- sn->gssd_running = 1; + sn->pipe_version = -1; + return 0; + } +@@ -1385,6 +1381,16 @@ err_depopulate: + return err; + } + ++bool ++gssd_running(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ struct rpc_pipe *pipe = sn->gssd_dummy; ++ ++ return pipe->nreaders || pipe->nwriters; ++} ++EXPORT_SYMBOL_GPL(gssd_running); ++ + static struct dentry * + rpc_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) -- cgit v1.2.3-54-g00ecf