Re: [PATCH] sunrpc: fix TLS connect_worker rpc_clnt lifetime UAF
From: Chuck Lever
Date: Wed Mar 11 2026 - 10:21:06 EST
On 3/11/26 10:18 AM, Benjamin Coddington wrote:
> On 9 Mar 2026, at 7:19, bsdhenrymartin@xxxxxxxxx wrote:
>> @@ -2805,7 +2811,11 @@ static void xs_connect(struct rpc_xprt *xprt, struct rpc_task *task)
>> } else
>> dprintk("RPC: xs_connect scheduled xprt %p\n", xprt);
>>
>> - transport->clnt = task->tk_client;
>> + if (transport->connect_worker.work.func == xs_tcp_tls_setup_socket) {
>
> ^^ .. this seems a bit brittle..
This caught my eye as well.
>
>> + WARN_ON_ONCE(transport->clnt != NULL);
>> + refcount_inc(&task->tk_client->cl_count);
>> + transport->clnt = task->tk_client;
>> + }
>> queue_delayed_work(xprtiod_workqueue,
>> &transport->connect_worker,
>> delay);
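Review bot: the WARN_ON_ONCE(transport->clnt != NULL) in the new TLS branch only warns and then falls through to refcount_inc() and the assignment, so if it ever fires the previously counted transport->clnt is overwritten without a matching release and a cl_count reference leaks; consider either bailing out of the branch or dropping the old reference before overwriting. The matching release for the refcount_inc(&task->tk_client->cl_count) is not in this hunk, so the commit message should state where the reference is dropped (presumably when the connect worker finishes with transport->clnt). Also, since the old unconditional `transport->clnt = task->tk_client;` is removed, the non-TLS path no longer sets transport->clnt at all; please confirm in the description that no other user of transport->clnt relied on it for non-TLS transports. Finally, keying the branch on `connect_worker.work.func == xs_tcp_tls_setup_socket` ties correctness to which worker function was installed; a dedicated flag on the transport would make the intent explicit and survive future refactoring of the connect worker.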
>
> This fix works and I think it's great for stable:
>
> Reviewed-by: Benjamin Coddington <bcodding@xxxxxxxxxxxxxxx>
>
> But I think we ended up with this problem because we're re-using the
> rpc_clnt in order to set up the lower_transport, and maybe we don't have to
> actually mix those layers.
>
> Chuck, Trond - can we use a "dummy" rpc_program to create the lower rpc_clnt,
> and keep the lifetime of the original rpc_clnt disconnected from the
> sock_xprt? I can send a patch..
The upper/lower architecture was Trond's suggestion. I just implemented
it (poorly). Let's see whatcha got!
--
Chuck Lever