summaryrefslogtreecommitdiffstats
path: root/sys/rpc
Commit message (Collapse)AuthorAgeFilesLines
* When the regular NFS server replied to a UDP client out of the replayrmacklem2010-03-231-0/+2
| | | | | | | | | | | cache, it did not free the request argument mbuf list, resulting in a leak. This patch fixes that leak. Tested by: danny AT cs.huji.ac.il PR: kern/144330 Submitted by: to.my.trociny AT gmail.com (earlier version) Reviewed by: dfr MFC after: 2 weeks
* Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamicbrooks2010-01-121-3/+3
| | | | | | | | kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications. MFC after: 1 month
* Make options KGSSAPI build and add it to NOTES.brooks2010-01-082-8/+11
| | | | | | | | rpcsec_gss_prot.c: Use kernel printf and headers. vc_rpcsec_gss.c: Use a local RPCAUTH_UNIXGIDS definition for 16 instead of using NGROUPS.
* Remove extraneous semicolons, no functional changes.mbr2010-01-071-1/+1
| | | | | Submitted by: Marc Balmer <marc@msys.ch> MFC after: 1 week
* (S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument.antoine2009-12-281-2/+2
| | | | | | | | | Fix some wrong usages. Note: this does not affect generated binaries as this argument is not used. PR: 137213 Submitted by: Eygene Ryabinkin (initial version) MFC after: 1 month
* Add a check for the connection being shut down to the krpcrmacklem2009-11-081-0/+16
| | | | | | | | | | | | | | | | | | client just before queuing a request for the connection. The code already had a check for the connection being shut down while the request was queued, but not one for the shut down having been initiated by the server before the request was in the queue. This appears to fix the problem of slow reconnects against an NFS server that drops inactive connections reported by Olaf Seibert, but does not fix the case where the FreeBSD client generates RST segments at about the same time as ACKs. This is still a problem that is being investigated. This patch does not cause a regression for this case. Tested by: Olaf Seibert, Daniel Braniss Reviewed by: dfr MFC after: 5 days
* Set the prison in NFS anon and GSS SVC creds (as I indended to in r197581).jamie2009-09-281-0/+2
| | | | Reviewed by: marcel
* Back out r197581, which replaced this file witk sys/kern/vfs_export.c.jamie2009-09-281-369/+1363
| | | | | | | | Who knew that "svn export" was an actual command, or that I would have vfs_export.c stuck in my mind deep enough to type "export" instead of "commit"? Pointy Hat to: jamie
* Set the prison in NFS anon and GSS SVC creds.jamie2009-09-281-1363/+369
| | | | | Reviewed by: marcel MFC after: 3 days
* Fix NFS panics with options VIMAGE kernels by apropriately setting curvnetzec2009-08-247-7/+56
| | | | | | | | | | | | | context inside the RPC code. Temporarily set td's cred to mount's cred before calling socreate() via __rpc_nconf2socket(). Submitted by: rmacklem (in part) Reviewed by: rmacklem, rwatson Discussed with: dfr, bz Approved by: re (rwatson), julian (mentor) MFC after: 3 days
* Use PBDRY flag for msleep(9) in NFS and NLM when sleeping thread ownskib2009-07-142-3/+5
| | | | | | | | | | kernel resources that block other threads, like vnode locks. The SIGSTOP sent to such thread (process, rather) shall not stop it until thread releases the resources. Tested by: pho Reviewed by: jhb Approved by: re (kensmith)
* When unmounting an NFS mount using sec=krb5[ip], the umount systemrmacklem2009-07-011-0/+14
| | | | | | | | | | | | | call could get hung sleeping on "gsssta" if the credentials for a user that had been accessing the mount point have expired. This happened because rpc_gss_destroy_context() would end up calling itself when the "destroy context" RPC was attempted, trying to refresh the credentials. This patch just checks for this case in rpc_gss_refresh() and returns without attempting the refresh, which avoids the recursive call to rpc_gss_destroy_context() and the subsequent hang. Reviewed by: dfr Approved by: re (Ken Smith), kib (mentor)
* Make sure that cr_error is set to ESHUTDOWN when closing the connection.rmacklem2009-07-011-2/+4
| | | | | | | | | | This is normally done by a loop in clnt_dg_close(), but requests that aren't in the pending queue at the time of closing, don't get set. This avoids a panic in xdrmbuf_create() when it is called with a NULL cr_mrep if cr_error doesn't get set to ESHUTDOWN while closing. Reviewed by: dfr Approved by: re (Ken Smith), kib (mentor)
* Fix two known problems in clnt_rc.c, plus issues w.r.t. smp notedrmacklem2009-06-251-42/+74
| | | | | | | | | | | | | | | during reading of the code. Change the code so that it never accesses rc_connecting, rc_closed or rc_client when the rc_lock mutex is not held. Also, it now performs the CLNT_CLOSE(client) and CLNT_RELEASE(client) calls after the rc_lock mutex has been released, since those calls do msleep()s with another mutex held. Change clnt_reconnect_call() so that releasing the reference count is delayed until after the "if (rc->rc_client == client)" check, so that rc_client cannot have been recycled. Tested by: pho Reviewed by: dfr Approved by: kib (mentor)
* If the initial attempt to refresh credentials in the RPCSEC_GSS clientrmacklem2009-06-241-3/+15
| | | | | | | | | | | | | | side fails, the entry in the cache is left with no valid context (gd_ctx == GSS_C_NO_CONTEXT). As such, subsequent hits on the cache will result in persistent authentication failure, even after the user has done a kinit or similar and acquired a new valid TGT. This patch adds a test for that case upon a cache hit and calls rpc_gss_init() to make another attempt at getting valid credentials. It also moves the setting of gc_proc to before the import of the principal name to ensure that, if that case fails, it will be detected as a failure after going to "out:". Reviewed by: dfr Approved by: kib (mentor)
* Delete the declaration of an unused variable so that it will build.rmacklem2009-06-201-1/+0
| | | | Approved by: rwatson (mentor)
* Rework the credential code to support larger values of NGROUPS andbrooks2009-06-193-12/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NGROUPS_MAX, eliminate ABI dependencies on them, and raise the to 1024 and 1023 respectively. (Previously they were equal, but under a close reading of POSIX, NGROUPS_MAX was defined to be too large by 1 since it is the number of supplemental groups, not total number of groups.) The bulk of the change consists of converting the struct ucred member cr_groups from a static array to a pointer. Do the equivalent in kinfo_proc. Introduce new interfaces crcopysafe() and crsetgroups() for duplicating a process credential before modifying it and for setting group lists respectively. Both interfaces take care for the details of allocating groups array. crsetgroups() takes care of truncating the group list to the current maximum (NGROUPS) if necessary. In the future, crsetgroups() may be responsible for insuring invariants such as sorting the supplemental groups to allow groupmember() to be implemented as a binary search. Because we can not change struct xucred without breaking application ABIs, we leave it alone and introduce a new XU_NGROUPS value which is always 16 and is to be used or NGRPS as appropriate for things such as NFS which need to use no more than 16 groups. When feasible, truncate the group list rather than generating an error. Minor changes: - Reduce the number of hand rolled versions of groupmember(). - Do not assign to both cr_gid and cr_groups[0]. - Modify ipfw to cache ucreds instead of part of their contents since they are immutable once referenced by more than one entity. Submitted by: Isilon Systems (initial implementation) X-MFC after: never PR: bin/113398 kern/133867
* Since svc_[dg|vc|tli|tp]_create() did not hold a reference count on thermacklem2009-06-173-3/+12
| | | | | | | | | | | | | SVCXPTR structure returned by them, it was possible for the structure to be free'd before svc_reg() had been completed using the structure. This patch acquires a reference count on the newly created structure that is returned by svc_[dg|vc|tli|tp]_create(). It also adds the appropriate SVC_RELEASE() calls to the callers, except the experimental nfs subsystem. The latter will be committed separately. Submitted by: dfr Tested by: pho Approved by: kib (mentor)
* Replace the global references to "hostid" in svc_rpcsec_gss.c to localrmacklem2009-06-151-1/+7
| | | | | | | | | | variables set via the getcredhostid() function. I also changed the type of ci_hostid to "unsigned long" so that it matches what is returned by getcredhostid(). Although "struct svc_rpc_gss_clientid" goes on the wire during RPCSEC_GSS, it is just a variable # of opaque bytes to the client, so it doesn't matter how much storage ci_hostid uses. Approved by: kib (mentor)
* When a Solaris10 client does an NFS mount using krb5i or krb5p, thermacklem2009-06-131-1/+1
| | | | | | | | | | | | server would crash because the Solaris10 client would attempt to use Sun's NFSACL protocol, which FreeBSD doesn't support. When the server generated the error reply via svcerr_noprog(), it would cause a crash because it would try and wrap a NULL reply. According to RFC2203, no wrapping is required for error cases. This one line change avoids wrapping of NULL replies. Reviewed by: dfr Approved by: kib (mentor)
* For the case where another thread was doing a connect and thatrmacklem2009-06-101-2/+2
| | | | | | | | | | connect failed, the thread would be left stuck in msleep() indefinitely, since it would call msleep() again for the case where rc_client == NULL. Change the loop criteria and the if just after the loop, so that this case is handled correctly. Reviewed by: dfr Approved by: kib (mentor)
* Add a temporary workaround for panics being seen on NFS servers with ZFS,rwatson2009-06-071-0/+3
| | | | | | | | | where an improperly initialized prison field could lead to a panic. This is not the correct solution, since it fails to address similar problems for both AUDIT and MAC, which also rely on properly initialized credentials, but should reduce panic reports while we work that out. Reported by: ps, kan, others
* Add a check to xprt_unregister() to catch the case where anotherrmacklem2009-06-071-0/+7
| | | | | | | | | | thread has already unregistered the structure. Also add a KASSERT() to xprt_unregister_locked() to check that the structure hasn't already been unregistered. Reviewed by: jhb Tested by: pho Approved by: kib (mentor)
* Fix a lockorder reversal I introduced in r193436 when I moved thermacklem2009-06-071-0/+1
| | | | | | | | | | | mtx_destroy() of the pool mutex to after SVC_RELEASE(), because the pool mutex was still locked when soclose() was called by svc_dg_destroy(). To fix this, an mtx_unlock() was added where mtx_destroy() was before r193436. Reviewed by: jhb Tested by: pho Approved by: rwatson (mentor)
* Correct MAC compile problems resulting from the new RPC code copying andrwatson2009-06-051-1/+4
| | | | | pasting code from the general socket code without also bringing along required opt_mac.h includes.
* Fix upcall races in the client side krpc. For the client side upcall,rmacklem2009-06-042-3/+53
| | | | | | | | | | | | | | | | | holding SOCKBUF_LOCK() isn't sufficient to guarantee that there is no upcall in progress, since SOCKBUF_LOCK() is released/re-acquired in the upcall. An upcall reference counter was added to the upcall structure that is incremented at the beginning of the upcall and decremented at the end of the upcall. As such, a reference count == 0 when holding the SOCKBUF_LOCK() guarantees there is no upcall in progress. Add a function that is called just after soupcall_clear(), which waits until the reference count == 0. Also, move the mtx_destroy() down to after soupcall_clear(), so that the mutex is not destroyed before upcalls are done. Reviewed by: dfr, jhb Tested by: pho Approved by: kib (mentor)
* Fix two races in the server side krpc w.r.t upcalls:rmacklem2009-06-043-7/+20
| | | | | | | | | | | | | | Add a flag so that soupcall_clear() is only called once to cancel an upcall. Move the test for xprt_registered in the upcall down to after the mtx_lock() of the pool mutex, to catch the case where it is unregistered while the upcall is waiting for the mutex. Also, move the mtx_destroy() of the pool mutex to after SVC_RELEASE(), so that it isn't destroyed before the upcalls are disabled. Reviewed by: dfr, jhb Tested by: pho Approved by: kib (mentor)
* Add internal 'mac_policy_count' counter to the MAC Framework, which is arwatson2009-06-021-2/+0
| | | | | | | | | | | | | | | | | | count of the number of registered policies. Rather than unconditionally locking sockets before passing them into MAC, lock them in the MAC entry points only if mac_policy_count is non-zero. This avoids locking overhead for a number of socket system calls when no policies are registered, eliminating measurable overhead for the MAC Framework for the socket subsystem when there are no active policies. Possibly socket locks should be acquired by policies if they are required for socket labels, which would further avoid locking overhead when there are policies but they don't require labeling of sockets, or possibly don't even implement socket controls. Obtained from: TrustedBSD Project
* Rework socket upcalls to close some races with setup/teardown of upcalls.jhb2009-06-014-62/+53
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Each socket upcall is now invoked with the appropriate socket buffer locked. It is not permissible to call soisconnected() with this lock held; however, so socket upcalls now return an integer value. The two possible values are SU_OK and SU_ISCONNECTED. If an upcall returns SU_ISCONNECTED, then the soisconnected() will be invoked on the socket after the socket buffer lock is dropped. - A new API is provided for setting and clearing socket upcalls. The API consists of soupcall_set() and soupcall_clear(). - To simplify locking, each socket buffer now has a separate upcall. - When a socket upcall returns SU_ISCONNECTED, the upcall is cleared from the receive socket buffer automatically. Note that a SO_SND upcall should never return SU_ISCONNECTED. - All this means that accept filters should now return SU_ISCONNECTED instead of calling soisconnected() directly. They also no longer need to explicitly clear the upcall on the new socket. - The HTTP accept filter still uses soupcall_set() to manage its internal state machine, but other accept filters no longer have any explicit knowlege of socket upcall internals aside from their return value. - The various RPC client upcalls currently drop the socket buffer lock while invoking soreceive() as a temporary band-aid. The plan for the future is to add a new flag to allow soreceive() to be called with the socket buffer locked. - The AIO callback for socket I/O is now also invoked with the socket buffer locked. Previously sowakeup() would drop the socket buffer lock only to call aio_swake() which immediately re-acquired the socket buffer lock for the duration of the function call. Discussed with: rwatson, rmacklem
* fix xdrmem_control to be safe in an if statementkmacy2009-05-301-2/+2
| | | | | | | fix zfs to depend on krpc remove xdr from zfs makefile Submitted by: dchagin@freebsd.org
* Place hostnames and similar information fully under the prison system.jamie2009-05-291-8/+5
| | | | | | | | | | | | | | | | | The system hostname is now stored in prison0, and the global variable "hostname" has been removed, as has the hostname_mtx mutex. Jails may have their own host information, or they may inherit it from the parent/system. The proper way to read the hostname is via getcredhostname(), which will copy either the hostname associated with the passed cred, or the system hostname if you pass NULL. The system hostname can still be accessed directly (and without locking) at prison0.pr_host, but that should be avoided where possible. The "similar information" referred to is domainname, hostid, and hostuuid, which have also become prison parameters and had their associated global variables removed. Approved by: bz (mentor)
* MFdevbranch 192944kmacy2009-05-281-0/+16
| | | | | | - add FreeBSD implementation of xdrmem_control needed by zfs - have zfs define xdr_ops using FreeBSD's definition - remove solaris xdr files from zfs compile
* Remove the unmaintained University of Michigan NFSv4 client from 8.xrwatson2009-05-222-2468/+0
| | | | | | | prior to 8.0-RELEASE. Rick Macklem's new and more feature-rich NFSv234 client and server are replacing it. Discussed with: rmacklem
* Added a field to the SVCXPRT structure that the nfsv4 server canrmacklem2009-04-161-0/+1
| | | | | | | | | | | | use to identify if the socket is the same one that a cached request came in on. It is set by nfsrvd_addsock() to a unique value generated by incrementing an unsigned 64bit static variable for each assignment and then the value of xp_sockref is tested to see if it is equal to the value that was saved with the cached reply. Submitted by: rmacklem Reviewed by: dfr Approved by: kib (mentor)
* Use the correct creds when reconnecting so that we have enough privilege todfr2009-02-051-2/+3
| | | | | | bind reserved ports (if necessary). Submitted by: Jaakko Heinonen <jh at saualaht dot fi>
* Add a missing call to mtx_destroy().dfr2008-11-121-0/+1
|
* Implement support for RPCSEC_GSS authentication to both the NFS clientdfr2008-11-0329-738/+5957
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | and server. This replaces the RPC implementation of the NFS client and server with the newer RPC implementation originally developed (actually ported from the userland sunrpc code) to support the NFS Lock Manager. I have tested this code extensively and I believe it is stable and that performance is at least equal to the legacy RPC implementation. The NFS code currently contains support for both the new RPC implementation and the older legacy implementation inherited from the original NFS codebase. The default is to use the new implementation - add the NFS_LEGACYRPC option to fall back to the old code. When I merge this support back to RELENG_7, I will probably change this so that users have to 'opt in' to get the new code. To use RPCSEC_GSS on either client or server, you must build a kernel which includes the KGSSAPI option and the crypto device. On the userland side, you must build at least a new libc, mountd, mount_nfs and gssd. You must install new versions of /etc/rc.d/gssd and /etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf. As long as gssd is running, you should be able to mount an NFS filesystem from a server that requires RPCSEC_GSS authentication. The mount itself can happen without any kerberos credentials but all access to the filesystem will be denied unless the accessing user has a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There is currently no support for situations where the ticket file is in a different place, such as when the user logged in via SSH and has delegated credentials from that login. This restriction is also present in Solaris and Linux. In theory, we could improve this in future, possibly using Brooks Davis' implementation of variant symlinks. Supporting RPCSEC_GSS on a server is nearly as simple. You must create service creds for the server in the form 'nfs/<fqdn>@<REALM>' and install them in /etc/krb5.keytab. The standard heimdal utility ktutil makes this fairly easy. After the service creds have been created, you can add a '-sec=krb5' option to /etc/exports and restart both mountd and nfsd. The only other difference an administrator should notice is that nfsd doesn't fork to create service threads any more. In normal operation, there will be two nfsd processes, one in userland waiting for TCP connections and one in the kernel handling requests. The latter process will create as many kthreads as required - these should be visible via 'top -H'. The code has some support for varying the number of service threads according to load but initially at least, nfsd uses a fixed number of threads according to the value supplied to its '-n' option. Sponsored by: Isilon Systems MFC after: 1 month
* Retire the MALLOC and FREE macros. They are an abomination unto style(9).des2008-10-231-6/+6
| | | | MFC after: 3 months
* Step 1.5 of importing the network stack virtualization infrastructurezec2008-10-021-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
* Rename RPC's 'struct pmap' to 'struct portmap' to avoid confusing it withdfr2008-08-252-7/+7
| | | | | | | the other 'struct pmap'. Pointed out by: kmacy MFC after: 2 weeks
* Rename the static M_RPC defined here to M_RPCCLNT, since a global M_RPCkris2008-08-181-6/+6
| | | | | | | now optionally exists. Reviewed by: dfr MFC after: 3 days
* Commit step 1 of the vimage project, (network stack)bz2008-08-171-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | virtualization work done by Marko Zec (zec@). This is the first in a series of commits over the course of the next few weeks. Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only. We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again. Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
* Add a missing call to mtx_destroy() in clnt_reconnect_destroy().dfr2008-08-131-0/+1
| | | | | Submitted by: zachary.loafman at isilon.com MFC after: 2 weeks
* Re-work the code slightly to avoid a possible livelock.dfr2008-07-231-23/+27
| | | | MFC after: 2 weeks
* Move the NFS/RPC code away from lbolt.ed2008-07-221-2/+3
| | | | | | | | | | | | | | The kernel has a special wchan called `lbolt', which is triggered each second. It doesn't seem to be used a lot and it seems pretty redundant, because we can specify a timeout value to the *sleep() routines. In an attempt to eventually remove lbolt, make the NFS/RPC code use a timeout of `hz' when trying to reconnect. Only the TTY code (not MPSAFE TTY) and the VFS syncer seem to use lbolt now. Reviewed by: attilio, jhb Approved by: philip (mentor), alfred, dfr
* Introduce a new lock, hostname_mtx, and use it to synchronize accessrwatson2008-07-051-0/+4
| | | | | | | | | | | | to global hostname and domainname variables. Where necessary, copy to or from a stack-local buffer before performing copyin() or copyout(). A few uses, such as in cd9660 and daemon_saver, remain under-synchronized and will require further updates. Correct a bug in which a failed copyin() of domainname would leave domainname potentially corrupted. MFC after: 3 weeks
* It may be #if 0'd out code, but change a varname to not shadow a global.julian2008-06-291-4/+4
|
* Include <sys/pcpu.h> for curthread.dfr2008-06-271-0/+1
|
* Re-implement the client side of rpc.lockd in the kernel. This implementationdfr2008-06-267-182/+556
| | | | | | | | | | | | provides the correct semantics for flock(2) style locks which are used by the lockf(1) command line tool and the pidfile(3) library. It also implements recovery from server restarts and ensures that dirty cache blocks are written to the server before obtaining locks (allowing multiple clients to use file locking to safely share data). Sponsored by: Isilon Systems PR: 94256 MFC after: 2 weeks
* Fix some issues that showed up during Kris' testing.dfr2008-04-111-2/+8
| | | | | Reported by: kris MFC after: 3 days
OpenPOWER on IntegriCloud