From nobody Mon Dec 1 22:06:11 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40CB6259CB9 for ; Fri, 28 Nov 2025 10:19:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764325161; cv=none; b=Zrpi9RzHGr7F+MkuOXEziePuhoktq9/6OaN9FMWLcAWwoF+cowx3XCO0pax0XnD231+B93vilqnUTDCpLBo3SUEgw2cyY4bvZUxbwvhRbmP0N/aPQH8XCCjurlu/lZaappoa6QucRexChc1B1yCo/vZPgkbA1qIkSETIDnSqPq0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764325161; c=relaxed/simple; bh=2e/mz9hWihgcZCXhOMQc0oIxaZiboXX8ZtttBgFa1Mw=; h=From:To:cc:Subject:MIME-Version:Content-Type:Date:Message-ID; b=s3ra1AKtgGfXIOPJU84OlrWOWKPhbLZjIOWicFBk2mlqKiFaJSY4PaZBSduWKy4dKk0PJmFVLRimp3zxjZSosAuXZC3jTngIXECM8r2eAwWf/t22kkZr/63e7b4MayViIW6WPcS3gWz+QZJzeeevmSq+r/a1MB2AvnMD6GF9VmA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=YTAQ36UO; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="YTAQ36UO" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1764325154; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2fGtcgC7L/4zeQhv/UijC1VyqdSGwSQbXxRUFqOBbvA=; b=YTAQ36UOc2LgSjDEFv5DosZ8jc3xyGvDp2MwMEq5AZ9OYZLv0srjMxmVCRZiOMlpnqlwvu +GAU36lH0yGSZTnnJj7ENhu7zQ944IwOPE/cqP0U1DIwggNK549493RWznukcLFLyi/kZm JOkqm3PJXWANI1kxpgWmXDXba/Kyfmc= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-544-dtIZIuGQPdymdxhlwXh_NQ-1; Fri, 28 Nov 2025 05:19:11 -0500 X-MC-Unique: dtIZIuGQPdymdxhlwXh_NQ-1 X-Mimecast-MFC-AGG-ID: dtIZIuGQPdymdxhlwXh_NQ_1764325149 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 6B1FA1800473; Fri, 28 Nov 2025 10:19:09 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.42.28.14]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 652A819560B0; Fri, 28 Nov 2025 10:19:07 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells To: Christian Brauner cc: dhowells@redhat.com, syzbot+41c68824eefb67cdf00c@syzkaller.appspotmail.com, Marc Dionne , linux-afs@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3] afs: Fix delayed allocation of a cell's anonymous key Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-ID: <800327.1764325144.1@warthog.procyon.org.uk> Content-Transfer-Encoding: quoted-printable Date: Fri, 28 Nov 2025 10:19:05 +0000 Message-ID: <800328.1764325145@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this is triggered by afs_parse_source() parsing the device name given to mount() and calling afs_lookup_cell() with the name of the cell. The normal key lookup then tries to use the key description on the anonymous authentication key as the reference for request_key() - but it may not yet be set and so an oops can happen. This has been made more likely to happen by the fix for dynamic lookup failure. Fix this by firstly allocating a reference name and attaching it to the afs_cell record when the record is created. It can share the memory allocation with the cell name (unfortunately it can't just overlap the cell name by prepending it with "afs@" as the cell name already has a '.' prepended for other purposes). This reference name is then passed to request_key(). Secondly, the anon key is now allocated on demand at the point a key is requested in afs_request_key() if it is not already allocated. A mutex is used to prevent multiple allocation for a cell. Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't yet allocated (if we need it) and then the caller can return -ECHILD to drop out of RCU-mode and afs_request_key() can be called. Note that the anonymous key is kind of necessary to make the key lookup cache work as that doesn't currently cache a negative lookup, but it's probably worth some investigation to see if NULL can be used instead. Fixes: 330e2c514823 ("afs: Fix dynamic lookup to fail on cell lookup failur= e") Reported-by: syzbot+41c68824eefb67cdf00c@syzkaller.appspotmail.com Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org cc: linux-fsdevel@vger.kernel.org --- Changes =3D=3D=3D=3D=3D=3D=3D ver #3) - Deactivated debugging statement. ver #2) - Allocated the anon key on demand to avoid race. fs/afs/cell.c | 43 ++++++++----------------------------------- fs/afs/internal.h | 1 + fs/afs/security.c | 48 ++++++++++++++++++++++++++++++++++++++++-------- 3 files changed, 49 insertions(+), 43 deletions(-) diff --git a/fs/afs/cell.c b/fs/afs/cell.c index d9b6fa1088b7..71c10a05cebe 100644 --- a/fs/afs/cell.c +++ b/fs/afs/cell.c @@ -140,7 +140,9 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *= net, return ERR_PTR(-ENOMEM); } =20 - cell->name =3D kmalloc(1 + namelen + 1, GFP_KERNEL); + /* Allocate the cell name and the key name in one go. */ + cell->name =3D kmalloc(1 + namelen + 1 + + 4 + namelen + 1, GFP_KERNEL); if (!cell->name) { kfree(cell); return ERR_PTR(-ENOMEM); @@ -151,7 +153,11 @@ static struct afs_cell *afs_alloc_cell(struct afs_net = *net, cell->name_len =3D namelen; for (i =3D 0; i < namelen; i++) cell->name[i] =3D tolower(name[i]); - cell->name[i] =3D 0; + cell->name[i++] =3D 0; + + cell->key_desc =3D cell->name + i; + memcpy(cell->key_desc, "afs@", 4); + memcpy(cell->key_desc + 4, cell->name, cell->name_len + 1); =20 cell->net =3D net; refcount_set(&cell->ref, 1); @@ -710,33 +716,6 @@ void afs_set_cell_timer(struct afs_cell *cell, unsigne= d int delay_secs) timer_reduce(&cell->management_timer, jiffies + delay_secs * HZ); } =20 -/* - * Allocate a key to use as a placeholder for anonymous user security. - */ -static int afs_alloc_anon_key(struct afs_cell *cell) -{ - struct key *key; - char keyname[4 + AFS_MAXCELLNAME + 1], *cp, *dp; - - /* Create a key to represent an anonymous user. */ - memcpy(keyname, "afs@", 4); - dp =3D keyname + 4; - cp =3D cell->name; - do { - *dp++ =3D tolower(*cp); - } while (*cp++); - - key =3D rxrpc_get_null_key(keyname); - if (IS_ERR(key)) - return PTR_ERR(key); - - cell->anonymous_key =3D key; - - _debug("anon key %p{%x}", - cell->anonymous_key, key_serial(cell->anonymous_key)); - return 0; -} - /* * Activate a cell. */ @@ -746,12 +725,6 @@ static int afs_activate_cell(struct afs_net *net, stru= ct afs_cell *cell) struct afs_cell *pcell; int ret; =20 - if (!cell->anonymous_key) { - ret =3D afs_alloc_anon_key(cell); - if (ret < 0) - return ret; - } - ret =3D afs_proc_cell_setup(cell); if (ret < 0) return ret; diff --git a/fs/afs/internal.h b/fs/afs/internal.h index b92f96f56767..009064b8d661 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -413,6 +413,7 @@ struct afs_cell { =20 u8 name_len; /* Length of name */ char *name; /* Cell name, case-flattened and NUL-padded */ + char *key_desc; /* Authentication key description */ }; =20 /* diff --git a/fs/afs/security.c b/fs/afs/security.c index 6a7744c9e2a2..ff8830e6982f 100644 --- a/fs/afs/security.c +++ b/fs/afs/security.c @@ -16,6 +16,30 @@ =20 static DEFINE_HASHTABLE(afs_permits_cache, 10); static DEFINE_SPINLOCK(afs_permits_lock); +static DEFINE_MUTEX(afs_key_lock); + +/* + * Allocate a key to use as a placeholder for anonymous user security. + */ +static int afs_alloc_anon_key(struct afs_cell *cell) +{ + struct key *key; + + mutex_lock(&afs_key_lock); + if (!cell->anonymous_key) { + key =3D rxrpc_get_null_key(cell->key_desc); + if (!IS_ERR(key)) + cell->anonymous_key =3D key; + } + mutex_unlock(&afs_key_lock); + + if (IS_ERR(key)) + return PTR_ERR(key); + + _debug("anon key %p{%x}", + cell->anonymous_key, key_serial(cell->anonymous_key)); + return 0; +} =20 /* * get a key @@ -23,11 +47,12 @@ static DEFINE_SPINLOCK(afs_permits_lock); struct key *afs_request_key(struct afs_cell *cell) { struct key *key; + int ret; =20 - _enter("{%x}", key_serial(cell->anonymous_key)); + _enter("{%s}", cell->key_desc); =20 - _debug("key %s", cell->anonymous_key->description); - key =3D request_key_net(&key_type_rxrpc, cell->anonymous_key->description, + _debug("key %s", cell->key_desc); + key =3D request_key_net(&key_type_rxrpc, cell->key_desc, cell->net->net, NULL); if (IS_ERR(key)) { if (PTR_ERR(key) !=3D -ENOKEY) { @@ -35,6 +60,12 @@ struct key *afs_request_key(struct afs_cell *cell) return key; } =20 + if (!cell->anonymous_key) { + ret =3D afs_alloc_anon_key(cell); + if (ret < 0) + return ERR_PTR(ret); + } + /* act as anonymous user */ _leave(" =3D {%x} [anon]", key_serial(cell->anonymous_key)); return key_get(cell->anonymous_key); @@ -52,11 +83,10 @@ struct key *afs_request_key_rcu(struct afs_cell *cell) { struct key *key; =20 - _enter("{%x}", key_serial(cell->anonymous_key)); + _enter("{%s}", cell->key_desc); =20 - _debug("key %s", cell->anonymous_key->description); - key =3D request_key_net_rcu(&key_type_rxrpc, - cell->anonymous_key->description, + _debug("key %s", cell->key_desc); + key =3D request_key_net_rcu(&key_type_rxrpc, cell->key_desc, cell->net->net); if (IS_ERR(key)) { if (PTR_ERR(key) !=3D -ENOKEY) { @@ -65,6 +95,8 @@ struct key *afs_request_key_rcu(struct afs_cell *cell) } =20 /* act as anonymous user */ + if (!cell->anonymous_key) + return NULL; /* Need to allocate */ _leave(" =3D {%x} [anon]", key_serial(cell->anonymous_key)); return key_get(cell->anonymous_key); } else { @@ -408,7 +440,7 @@ int afs_permission(struct mnt_idmap *idmap, struct inod= e *inode, =20 if (mask & MAY_NOT_BLOCK) { key =3D afs_request_key_rcu(vnode->volume->cell); - if (IS_ERR(key)) + if (IS_ERR_OR_NULL(key)) return -ECHILD; =20 ret =3D -ECHILD;