[PATCH] [lucid] NLM: Don't hang forever on NLM unlock requests - CVE-2011-2491
Paolo Pisati
paolo.pisati at canonical.com
Wed Oct 12 14:32:17 UTC 2011
From: Trond Myklebust <Trond.Myklebust at netapp.com>
NLM: Don't hang forever on NLM unlock requests
If the NLM daemon is killed on the NFS server, we can currently end up
hanging forever on an 'unlock' request, instead of aborting. Basically,
if the rpcbind request fails, or the server keeps returning garbage, we
really want to quit instead of retrying.
Tested-by: Vasily Averin <vvs at sw.ru>
Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
Cc: stable at kernel.org
CVE-2011-2491
BugLink: http://bugs.launchpad.net/bugs/869237
commit upstream 0b760113a3a155269a3fba93a409c640031dd68f
Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
---
fs/lockd/clntproc.c | 8 +++++++-
include/linux/sunrpc/sched.h | 1 +
net/sunrpc/clnt.c | 3 +++
net/sunrpc/sched.c | 1 +
4 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
index c81249f..c325a83 100644
--- a/fs/lockd/clntproc.c
+++ b/fs/lockd/clntproc.c
@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(struct rpc_task *task, void *data)
if (task->tk_status < 0) {
dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status);
- goto retry_rebind;
+ switch (task->tk_status) {
+ case -EACCES:
+ case -EIO:
+ goto die;
+ default:
+ goto retry_rebind;
+ }
}
if (status == NLM_LCK_DENIED_GRACE_PERIOD) {
rpc_delay(task, NLMCLNT_GRACE_WAIT);
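Review bot: In the new switch in nlmclnt_unlock_callback, only -EACCES and -EIO reach `goto die`; the `default:` arm still does `goto retry_rebind` with no bound visible in this hunk, so any other negative tk_status keeps the old retry-forever behaviour. Add a comment saying which RPC-layer paths deliver those two codes and why they are terminal, and consider whether other errors should also abort the unlock.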
diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h
index 4010977..46c6514 100644
--- a/include/linux/sunrpc/sched.h
+++ b/include/linux/sunrpc/sched.h
@@ -55,6 +55,7 @@ struct rpc_task {
struct rpc_message tk_msg; /* RPC call info */
__u8 tk_garb_retry;
__u8 tk_cred_retry;
+ __u8 tk_rebind_retry;
/*
* callback to be executed after waking up
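Review bot: The new `__u8 tk_rebind_retry` field has no comment. A one-line note that it counts the remaining rpcbind retries, is initialised in rpc_init_task and is decremented in call_bind_status would save readers a grep.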
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index d838bea..b0c5646 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task)
status = -EOPNOTSUPP;
break;
}
+ if (task->tk_rebind_retry == 0)
+ break;
+ task->tk_rebind_retry--;
rpc_delay(task, 3*HZ);
goto retry_timeout;
case -ETIMEDOUT:
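Review bot: The `tk_rebind_retry == 0` check sits in the generic call_bind_status path, so it caps rebind retries for every rpc_task that reaches this case, not only NLM unlock calls. With the initial value of 2 set in rpc_init_task and the `rpc_delay(task, 3*HZ)` below, a task gives up after roughly two 3-second delays; the commit message should state that this wider effect is intended. The hunk also does not show what `status` holds when the new `break` is taken, so confirm it is one of the codes nlmclnt_unlock_callback treats as fatal (-EACCES or -EIO), otherwise the unlock path will still go to retry_rebind.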
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 570da30..ac94477 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -784,6 +784,7 @@ static void rpc_init_task(struct rpc_task *task, const struct rpc_task_setup *ta
/* Initialize retry counters */
task->tk_garb_retry = 2;
task->tk_cred_retry = 2;
+ task->tk_rebind_retry = 2;
task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
task->tk_owner = current->tgid;
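Review bot: `task->tk_rebind_retry = 2` adds a third bare 2 to the retry counters set here. Since this number, together with the 3*HZ delay in call_bind_status, decides how long a task waits for rpcbind before failing, a named constant with a short comment would make the limit easier to find and tune.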
--
1.7.5.4