Created attachment 230004 [details] Crash an NFS v4 server with a bad SECINFO_NO_NAME RPC. If the client sends a SECINFO_NO_NAME RPC with style=PARENT, and the current file handle refers to a file (not a directory), nfsrvd_secinfononame() calls nfsvno_namei() to look up ".." relative to that file. nfsvno_namei() returns ENOTDIR, and does not modify ni_startdir. But nfsrvd_secinfononame() calls vrele() on named.ni_startdir, which was never initialized. I've attached a demo. Exception 6 is a RISC-V mis-aligned atomic operation. # uname -a FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #141 main-n250910-5ebdc4cea5b6-dirty: Thu Dec 9 18:01:04 EST 2021 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv # cc fnfsd_13.c # ./a.out ... panic: Unknown kernel exception 6 trap value ffffffc00025f562 --- exception 6, tval = 0xffffffc00025f562 atomic_fetchadd_32() at atomic_fetchadd_32+0x8 refcount_releasen() at refcount_releasen+0x1c refcount_release() at refcount_release+0xc vrele() at vrele+0x14 nfsrvd_secinfononame() at nfsrvd_secinfononame+0x120 nfsrvd_compound() at nfsrvd_compound+0xdc8 nfsrvd_dorpc() at nfsrvd_dorpc+0x294 nfs_proc() at nfs_proc+0x11a nfssvc_program() at nfssvc_program+0x426 svc_executereq() at svc_executereq+0xa2 svc_run_internal() at svc_run_internal+0x302 svc_run() at svc_run+0x146 nfsrvd_nfsd() at nfsrvd_nfsd+0x194 nfssvc_nfsd() at nfssvc_nfsd+0x300 sys_nfssvc() at sys_nfssvc+0xdc syscallenter() at syscallenter+0xf4 ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xea cpu_exception_handler_user() at cpu_exception_handler_user+0x72
Created attachment 233180 [details] check for a VDIR vnode for secinfo_name/parent This patch adds a check for the vnode (CFH) being a directory for Secinfo_No_Name with the Parent style. It should fix the crash. Maybe the reporter can confirm it fixes the problem for them?
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=47d75c29f5510ad844f0bc7fbc07d481ebb7fd9e commit 47d75c29f5510ad844f0bc7fbc07d481ebb7fd9e Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-05-01 20:41:31 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2022-05-01 20:41:31 +0000 nfsd: Add a sanity check to SecinfoNoname for file type Robert Morris reported that, for the case of SecinfoNoname with the Parent option, providing a non-directory could cause a crash. This patch adds a sanity check for v_type == VDIR for this case, to avoid the crash. Reported by: rtm@lcs.mit.edu PR: 260300 MFC after: 2 weeks sys/fs/nfsserver/nfs_nfsdserv.c | 5 +++++ 1 file changed, 5 insertions(+)
Patch has been committed and will be MFC'd.
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=a1735a7698a60eff1e0682261033e37fc530f85d commit a1735a7698a60eff1e0682261033e37fc530f85d Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-05-01 20:41:31 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2022-05-15 19:17:11 +0000 nfsd: Add a sanity check to SecinfoNoname for file type Robert Morris reported that, for the case of SecinfoNoname with the Parent option, providing a non-directory could cause a crash. This patch adds a sanity check for v_type == VDIR for this case, to avoid the crash. PR: 260300 (cherry picked from commit 47d75c29f5510ad844f0bc7fbc07d481ebb7fd9e) sys/fs/nfsserver/nfs_nfsdserv.c | 5 +++++ 1 file changed, 5 insertions(+)
Patch has been committed and MFC'd. Not needed for stable/12, since secinfononame is not in the stable/12 NFS server.