From 1759f089e1424311de8437e7923ba40838dba9ef Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Tue, 12 Aug 2008 14:32:54 -0400 Subject: cifs.upcall: negatively instantiate keys on error When a request-key upcall exits without instantiating a key, the kernel will negatively instantiate the key with a 60s timeout. Older kernels, however seem to also link that key into the session keyring. This behavior can interefere with subsequent mount attempts until the key times out. The next request_key() call will get this negative key even if the upcall would have worked the second time. Fix this by having cifs.upcall negatively instantiate the key itself with a 1s timeout and don't attach it to the session keyring. Signed-off-by: Jeff Layton (This used to be commit f760dd3f3128c846cdeab16cc52bbb5189427955) --- source3/client/cifs.upcall.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'source3') diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c index 5a2a22a73c..aa5eb57310 100644 --- a/source3/client/cifs.upcall.c +++ b/source3/client/cifs.upcall.c @@ -213,7 +213,7 @@ int main(const int argc, char *const argv[]) DATA_BLOB secblob = data_blob_null; DATA_BLOB sess_key = data_blob_null; secType_t sectype; - key_serial_t key; + key_serial_t key = 0; size_t datalen; long rc = 1; uid_t uid; @@ -250,6 +250,7 @@ int main(const int argc, char *const argv[]) errno = 0; key = strtol(argv[optind], NULL, 10); if (errno != 0) { + key = 0; syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno)); goto out; } @@ -361,7 +362,14 @@ int main(const int argc, char *const argv[]) /* BB: maybe we need use timeout for key: for example no more then * ticket lifietime? */ /* keyctl_set_timeout( key, 60); */ - out: +out: + /* + * on error, negatively instantiate the key ourselves so that we can + * make sure the kernel doesn't hang it off of a searchable keyring + * and interfere with the next attempt to instantiate the key. + */ + if (rc != 0 && key == 0) + keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT); data_blob_free(&secblob); data_blob_free(&sess_key); SAFE_FREE(hostname); -- cgit