Bug#863550: linux: NFSv4 callback processes fills process table

2017-06-01 Thread Salvatore Bonaccorso
Hi

Additional information: the commits
9e0d87680d689f1758185851c3da6eafb16e71e1 and
ed6473ddc704a2005b9900ca08e236ebb2d8540a upstream are associated with
CVE-2017-9059.

Regards,
Salvatore



Bug#863550: linux: NFSv4 callback processes fills process table

2017-05-28 Thread Aurelien Jarno
Source: linux
Version: 4.9.25-1
Severity: important
User: debian-ad...@lists.debian.org
Usertags: needed-by-DSA-Team

Hi,

DSA uses NFS through autofs, and machines using the Stretch kernel are
affected by the following bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=1427493

Basically, each time an NFS filesystem is unmounted and remounted, a few
NFSv4 callback processes are leaked. After one week, a few hundred
processes are there:

|  aurel32@lindsay:~$ uptime
|   12:10:15 up 8 days, 15:14,  2 users,  load average: 0,00, 0,03, 0,04
|  aurel32@lindsay:~$ ps aux | grep -c "NFSv4 callback"
|  693


It seems the issue has been fixed since 4.12-rc1 by the following set of
commits:

|  commit ed6473ddc704a2005b9900ca08e236ebb2d8540a
|  Author: Trond Myklebust 
|  Date:   Wed Apr 26 11:55:27 2017 -0400
|  
|  NFSv4: Fix callback server shutdown
|  
|  We want to use kthread_stop() in order to ensure the threads are
|  shut down before we tear down the nfs_callback_info in nfs_callback_down.
|  
|  Tested-and-reviewed-by: Kinglong Mee 
|  Reported-by: Kinglong Mee 
|  Fixes: bb6aeba736ba9 ("NFSv4.x: Switch to using svc_set_num_threads()...")
|  Signed-off-by: Trond Myklebust 
|  Signed-off-by: J. Bruce Fields 
|  
|  commit 9e0d87680d689f1758185851c3da6eafb16e71e1
|  Author: Trond Myklebust 
|  Date:   Wed Apr 26 11:55:26 2017 -0400
|  
|  SUNRPC: Refactor svc_set_num_threads()
|  
|  Refactor to separate out the functions of starting and stopping threads
|  so that they can be used in other helpers.
|  
|  Signed-off-by: Trond Myklebust 
|  Tested-and-reviewed-by: Kinglong Mee 
|  Signed-off-by: J. Bruce Fields 
|  
|  commit df807fffaabde625fa9adb82e3e5b88cdaa5709a
|  Author: Kinglong Mee 
|  Date:   Thu Apr 27 11:13:38 2017 +0800
|  
|  NFSv4.x/callback: Create the callback service through svc_create_pooled
|  
|  As the comments for svc_set_num_threads() said,
|  " Destroying threads relies on the service threads filling in
|  rqstp->rq_task, which only the nfs ones do.  Assumes the serv
|  has been created using svc_create_pooled()."
|  
|  If creating service through svc_create(), the svc_pool_map_put()
|  will be called in svc_destroy(), but the pool map isn't used.
|  So that, the reference of pool map will be drop, the next using
|  of pool map will get a zero npools.

That said, I haven't tried to backport them and sta...@vger.kernel.org
hasn't been Cc:ed.

Aurelien

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)