
fix ordering of VNET_SYSUNINIT()s within the nfsd module
ClosedPublic

Authored by rmacklem on Feb 23 2023, 10:34 PM.

Details

Summary

The Kasan tests show the fsrvd_cleancache() results
in a modify after free. I think this occurs because the
nfsrv_cleanup() function gets executed after nfs_cleanup()
which frees the nfsstatsv1_p.

This patch makes them use the same subsystem and sets
SI_ORDER_FIRST for nfs_cleanup(). I think this is correct,
since it does reverse ordering for VNET_SYSUNINIT().

Test Plan

I can see that the ordering is correct for VNET_SYSINIT().
Unfortunately my test setup never gets VNET_SYSUNINIT()
functions to get called except when the module is kldunloaded.
(This is a known issue related to "jail -r" when kernels are
built with "options VIMAGE". jamie has reproduced it for
jails that have nothing to do with NFS and so have I.)

However, for some reason, the test environment does call
them when vnets are removed, so I have left the printfs
in so I can hopefully see if they order correctly.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

I messed up the uniquifier during editing.
They don't really matter, since there is only
one/file, but I put them back the way they were
in the VNET_SYSINIT()/VNET_SYSUNINIT() calls.

I also set nfsstatsv1_p NULL, so that uses after
free will cause a crash.

I was able to reproduce the problem locally and verified that this patch appears to fix the use-after-free. I see

NFS_VNETINIT!!
NFSD_MNTINIT!!
NFSRV_CLEANUP!!
NFS_CLEANUP!!

which looks like the intended ordering.

This revision is now accepted and ready to land. Feb 24 2023, 2:59 PM
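
As an added illustration, not code from the patch or the FreeBSD tree: a userland C model of the ordering described in the summary, where destructors are sorted by (subsystem, order) and run in reverse. The subsystem ids, the order constants, the pre-patch layout and the counter update in nfsrv_cleanup() are assumptions made for the model.

```c
/* Userland model of reverse-ordered VNET_SYSUNINIT() teardown (not kernel code). */
#include <stdio.h>
#include <stdlib.h>

enum { ORDER_FIRST = 0, ORDER_ANY = 0xfffffff }; /* stand-ins for SI_ORDER_* */
enum { SUB_A = 1, SUB_B = 2 };                   /* constructed subsystem ids */

struct uninit { int subsystem, order; void (*fn)(void); };

static long *stats_p;          /* plays the role of nfsstatsv1_p */
static int touched_after_free; /* set when cleanup runs after the free */

static void nfs_cleanup(void) {
    free(stats_p);
    stats_p = NULL;            /* as in the review: a stale user crashes, not scribbles */
}

static void nfsrv_cleanup(void) {
    if (stats_p == NULL) {     /* a kernel would fault here; the model records it */
        touched_after_free = 1;
        return;
    }
    (*stats_p)--;              /* assumed: cache cleanup adjusts a stats counter */
}

static int cmp(const void *a, const void *b) {
    const struct uninit *x = a, *y = b;
    if (x->subsystem != y->subsystem)
        return x->subsystem - y->subsystem;
    return x->order - y->order;
}

/* Sort ascending by (subsystem, order), then run the destructors in reverse. */
static int run_teardown(struct uninit *v, size_t n) {
    stats_p = calloc(1, sizeof(*stats_p));
    touched_after_free = 0;
    qsort(v, n, sizeof(*v), cmp);
    for (size_t i = n; i-- > 0; )
        v[i].fn();
    return touched_after_free;
}

/* patched == 0: assumed pre-patch layout; patched == 1: layout from the summary. */
static int teardown(int patched) {
    struct uninit before[] = { { SUB_B, ORDER_ANY, nfs_cleanup }, { SUB_A, ORDER_ANY, nfsrv_cleanup } };
    struct uninit after[] = { { SUB_A, ORDER_FIRST, nfs_cleanup }, { SUB_A, ORDER_ANY, nfsrv_cleanup } };
    return run_teardown(patched ? after : before, 2);
}

int main(void) {
    printf("unpatched: %d, patched: %d\n", teardown(0), teardown(1));
    return 0;
}
```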