Commit 61ca49a9 authored by Ilya Dryomov's avatar Ilya Dryomov

libceph: don't set global_id until we get an auth ticket

With the introduction of enforcing mode, setting global_id as soon
as we get it in the first MAuth reply will result in EACCES if the
connection is reset before we get the second MAuth reply containing
an auth ticket -- because on retry we would attempt to reclaim that
global_id with no auth ticket at hand.

Neither ceph_auth_client nor ceph_mon_client depend on global_id
being set ealy, so just delay the setting until we get and process
the second MAuth reply.  While at it, complain if the monitor sends
a zero global_id or changes our global_id as the session is likely
to fail after that.

Cc: stable@vger.kernel.org # needs backporting for < 5.11
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Reviewed-by: default avatarSage Weil <sage@redhat.com>
parent 7807dafd
...@@ -36,6 +36,20 @@ static int init_protocol(struct ceph_auth_client *ac, int proto) ...@@ -36,6 +36,20 @@ static int init_protocol(struct ceph_auth_client *ac, int proto)
} }
} }
static void set_global_id(struct ceph_auth_client *ac, u64 global_id)
{
dout("%s global_id %llu\n", __func__, global_id);
if (!global_id)
pr_err("got zero global_id\n");
if (ac->global_id && global_id != ac->global_id)
pr_err("global_id changed from %llu to %llu\n", ac->global_id,
global_id);
ac->global_id = global_id;
}
/* /*
* setup, teardown. * setup, teardown.
*/ */
...@@ -222,11 +236,6 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ...@@ -222,11 +236,6 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
payload_end = payload + payload_len; payload_end = payload + payload_len;
if (global_id && ac->global_id != global_id) {
dout(" set global_id %lld -> %lld\n", ac->global_id, global_id);
ac->global_id = global_id;
}
if (ac->negotiating) { if (ac->negotiating) {
/* server does not support our protocols? */ /* server does not support our protocols? */
if (!protocol && result < 0) { if (!protocol && result < 0) {
...@@ -253,11 +262,16 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac, ...@@ -253,11 +262,16 @@ int ceph_handle_auth_reply(struct ceph_auth_client *ac,
ret = ac->ops->handle_reply(ac, result, payload, payload_end, ret = ac->ops->handle_reply(ac, result, payload, payload_end,
NULL, NULL, NULL, NULL); NULL, NULL, NULL, NULL);
if (ret == -EAGAIN) if (ret == -EAGAIN) {
ret = build_request(ac, true, reply_buf, reply_len); ret = build_request(ac, true, reply_buf, reply_len);
else if (ret) goto out;
} else if (ret) {
pr_err("auth protocol '%s' mauth authentication failed: %d\n", pr_err("auth protocol '%s' mauth authentication failed: %d\n",
ceph_auth_proto_name(ac->protocol), result); ceph_auth_proto_name(ac->protocol), result);
goto out;
}
set_global_id(ac, global_id);
out: out:
mutex_unlock(&ac->mutex); mutex_unlock(&ac->mutex);
...@@ -484,15 +498,11 @@ int ceph_auth_handle_reply_done(struct ceph_auth_client *ac, ...@@ -484,15 +498,11 @@ int ceph_auth_handle_reply_done(struct ceph_auth_client *ac,
int ret; int ret;
mutex_lock(&ac->mutex); mutex_lock(&ac->mutex);
if (global_id && ac->global_id != global_id) {
dout("%s global_id %llu -> %llu\n", __func__, ac->global_id,
global_id);
ac->global_id = global_id;
}
ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len, ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len,
session_key, session_key_len, session_key, session_key_len,
con_secret, con_secret_len); con_secret, con_secret_len);
if (!ret)
set_global_id(ac, global_id);
mutex_unlock(&ac->mutex); mutex_unlock(&ac->mutex);
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment