From owner-svn-src-all@freebsd.org Mon Sep 21 01:39:01 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A85263E1DEA; Mon, 21 Sep 2020 01:39:01 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BvnCn3zYdz4pTK; Mon, 21 Sep 2020 01:39:01 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6BF88266D0; Mon, 21 Sep 2020 01:39:01 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 08L1d1Hc077931; Mon, 21 Sep 2020 01:39:01 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 08L1d1Lb077930; Mon, 21 Sep 2020 01:39:01 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202009210139.08L1d1Lb077930@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Mon, 21 Sep 2020 01:39:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r365935 - stable/11/sys/fs/nfsserver X-SVN-Group: stable-11 X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: stable/11/sys/fs/nfsserver X-SVN-Commit-Revision: 365935 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Sep 2020 01:39:01 -0000 Author: rmacklem Date: Mon Sep 21 01:39:00 2020 New Revision: 365935 URL: https://svnweb.freebsd.org/changeset/base/365935 Log: MFC: r365703 Fix a case where the NFSv4.0 server might crash if delegations are enabled. asomers@ reported a crash on an NFSv4.0 server with a backtrace of: kdb_backtrace vpanic panic nfsrv_docallback nfsrv_checkgetattr nfsrvd_getattr nfsrvd_dorpc nfssvc_program svc_run_internal svc_thread_start fork_exit fork_trampoline where the panic message was "docallb", which indicates that a callback was attempted when the ClientID is unconfirmed. This would not normally occur, but it is possible to have an unconfirmed ClientID structure with delegation structure(s) chained off it if the client were to issue a SetClientID with the same "id" but different "verifier" after acquiring delegations on the previously confirmed ClientID. The bug appears to be that nfsrv_checkgetattr() failed to check for this uncommon case of an unconfirmed ClientID with a delegation structure that no longer refers to a delegation the client knows about. This patch adds a check for this case, handling it as if no delegation exists, which is the case when the above occurs. Although difficult to reproduce, this change should avoid the panic(). PR: 249127 Modified: stable/11/sys/fs/nfsserver/nfs_nfsdstate.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/fs/nfsserver/nfs_nfsdstate.c ============================================================================== --- stable/11/sys/fs/nfsserver/nfs_nfsdstate.c Mon Sep 21 00:50:32 2020 (r365934) +++ stable/11/sys/fs/nfsserver/nfs_nfsdstate.c Mon Sep 21 01:39:00 2020 (r365935) @@ -5572,8 +5572,14 @@ nfsrv_checkgetattr(struct nfsrv_descript *nd, vnode_t goto out; } clp = stp->ls_clp; - delegfilerev = stp->ls_filerev; + /* If the clientid is not confirmed, ignore the delegation. */ + if (clp->lc_flags & LCL_NEEDSCONFIRM) { + NFSUNLOCKSTATE(); + goto out; + } + + delegfilerev = stp->ls_filerev; /* * If the Write delegation was issued as a part of this Compound RPC * or if we have an Implied Clientid (used in a previous Op in this