platform/kernel/linux-rpi.git
11 years agonfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error
Jeff Layton [Thu, 9 May 2013 12:36:23 +0000 (08:36 -0400)]
nfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error

Toralf reported the following oops to the linux-nfs mailing list:

    -----------------[snip]------------------
    NFSD: unable to generate recoverydir name (-2).
    NFSD: disabling legacy clientid tracking. Reboot recovery will not function correctly!
    BUG: unable to handle kernel NULL pointer dereference at 000003c8
    IP: [<f90a3d91>] nfsd4_client_tracking_exit+0x11/0x50 [nfsd]
    *pdpt = 000000002ba33001 *pde = 0000000000000000
    Oops: 0000 [#1] SMP
    Modules linked in: loop nfsd auth_rpcgss ipt_MASQUERADE xt_owner xt_multiport ipt_REJECT xt_tcpudp xt_recent xt_conntrack nf_conntrack_ftp xt_limit xt_LOG iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables af_packet pppoe pppox ppp_generic slhc bridge stp llc tun arc4 iwldvm mac80211 coretemp kvm_intel uvcvideo sdhci_pci sdhci mmc_core videobuf2_vmalloc videobuf2_memops usblp videobuf2_core i915 iwlwifi psmouse videodev cfg80211 kvm fbcon bitblit cfbfillrect acpi_cpufreq mperf evdev softcursor font cfbimgblt i2c_algo_bit cfbcopyarea intel_agp intel_gtt drm_kms_helper snd_hda_codec_conexant drm agpgart fb fbdev tpm_tis thinkpad_acpi tpm nvram e1000e rfkill thermal ptp wmi pps_core tpm_bios 8250_pci processor 8250 ac snd_hda_intel snd_hda_codec snd_pcm battery video i2c_i801 snd_page_alloc snd_timer button serial_core i2c_core snd soundcore thermal_sys hwmon aesni_intel ablk_helper cryp
td lrw aes_i586 xts gf128mul cbc fuse nfs lockd sunrpc dm_crypt dm_mod hid_monterey hid_microsoft hid_logitech hid_ezkey hid_cypress hid_chicony hid_cherry hid_belkin hid_apple hid_a4tech hid_generic usbhid hid sr_mod cdrom sg [last unloaded: microcode]
    Pid: 6374, comm: nfsd Not tainted 3.9.1 #6 LENOVO 4180F65/4180F65
    EIP: 0060:[<f90a3d91>] EFLAGS: 00010202 CPU: 0
    EIP is at nfsd4_client_tracking_exit+0x11/0x50 [nfsd]
    EAX: 00000000 EBX: fffffffe ECX: 00000007 EDX: 00000007
    ESI: eb9dcb00 EDI: eb2991c0 EBP: eb2bde38 ESP: eb2bde34
    DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    CR0: 80050033 CR2: 000003c8 CR3: 2ba80000 CR4: 000407f0
    DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    DR6: ffff0ff0 DR7: 00000400
    Process nfsd (pid: 6374, ti=eb2bc000 task=eb2711c0 task.ti=eb2bc000)
    Stack:
    fffffffe eb2bde4c f90a3e0c f90a7754 fffffffe eb0a9c00 eb2bdea0 f90a41ed
    eb2991c0 1b270000 eb2991c0 eb2bde7c f9099ce9 eb2bde98 0129a020 eb29a020
    eb2bdecc eb2991c0 eb2bdea8 f9099da5 00000000 eb9dcb00 00000001 67822f08
    Call Trace:
    [<f90a3e0c>] legacy_recdir_name_error+0x3c/0x40 [nfsd]
    [<f90a41ed>] nfsd4_create_clid_dir+0x15d/0x1c0 [nfsd]
    [<f9099ce9>] ? nfsd4_lookup_stateid+0x99/0xd0 [nfsd]
    [<f9099da5>] ? nfs4_preprocess_seqid_op+0x85/0x100 [nfsd]
    [<f90a4287>] nfsd4_client_record_create+0x37/0x50 [nfsd]
    [<f909d6ce>] nfsd4_open_confirm+0xfe/0x130 [nfsd]
    [<f90980b1>] ? nfsd4_encode_operation+0x61/0x90 [nfsd]
    [<f909d5d0>] ? nfsd4_free_stateid+0xc0/0xc0 [nfsd]
    [<f908fd0b>] nfsd4_proc_compound+0x41b/0x530 [nfsd]
    [<f9081b7b>] nfsd_dispatch+0x8b/0x1a0 [nfsd]
    [<f857b85d>] svc_process+0x3dd/0x640 [sunrpc]
    [<f908165d>] nfsd+0xad/0x110 [nfsd]
    [<f90815b0>] ? nfsd_destroy+0x70/0x70 [nfsd]
    [<c1054824>] kthread+0x94/0xa0
    [<c1486937>] ret_from_kernel_thread+0x1b/0x28
    [<c1054790>] ? flush_kthread_work+0xd0/0xd0
    Code: 86 b0 00 00 00 90 c5 0a f9 c7 04 24 70 76 0a f9 e8 74 a9 3d c8 eb ba 8d 76 00 55 89 e5 53 66 66 66 66 90 8b 15 68 c7 0a f9 85 d2 <8b> 88 c8 03 00 00 74 2c 3b 11 77 28 8b 5c 91 08 85 db 74 22 8b
    EIP: [<f90a3d91>] nfsd4_client_tracking_exit+0x11/0x50 [nfsd] SS:ESP 0068:eb2bde34
    CR2: 00000000000003c8
    ---[ end trace 09e54015d145c9c6 ]---

The problem appears to be a regression that was introduced in commit
9a9c6478 "nfsd: make NFSv4 recovery client tracking options per net".
Prior to that commit, it was safe to pass a NULL net pointer to
nfsd4_client_tracking_exit in the legacy recdir case, and
legacy_recdir_name_error did so. After that comit, the net pointer must
be valid.

This patch just fixes legacy_recdir_name_error to pass in a valid net
pointer to that function.

Cc: <stable@vger.kernel.org> # v3.8+
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Reported-and-tested-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: fix decoding of optional gss-proxy xdr fields
J. Bruce Fields [Tue, 7 May 2013 21:45:20 +0000 (17:45 -0400)]
SUNRPC: fix decoding of optional gss-proxy xdr fields

The current code works, but sort of by accident: it obviously didn't
intend the error return to be interpreted as "true".

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: Refactor gssx_dec_option_array() to kill uninitialized warning
Geert Uytterhoeven [Mon, 6 May 2013 07:21:03 +0000 (09:21 +0200)]
SUNRPC: Refactor gssx_dec_option_array() to kill uninitialized warning

net/sunrpc/auth_gss/gss_rpc_xdr.c: In function ‘gssx_dec_option_array’:
net/sunrpc/auth_gss/gss_rpc_xdr.c:258: warning: ‘creds’ may be used uninitialized in this function

Return early if count is zero, to make it clearer to the compiler (and the
casual reviewer) that no more processing is done.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: don't allow owner override on 4.1 CLAIM_FH opens
J. Bruce Fields [Fri, 3 May 2013 20:09:09 +0000 (16:09 -0400)]
nfsd4: don't allow owner override on 4.1 CLAIM_FH opens

The Linux client is using CLAIM_FH to implement regular opens, not just
recovery cases, so it depends on the server to check permissions
correctly.

Therefore the owner override, which may make sense in the delegation
recovery case, isn't right in the CLAIM_FH case.

Symptoms: on a client with 49f9a0fafd844c32f2abada047c0b9a5ba0d6255
"NFSv4.1: Enable open-by-filehandle", Bryan noticed this:

touch test.txt
chmod 000 test.txt
echo test > test.txt

succeeding.

Cc: stable@kernel.org
Reported-by: Bryan Schumaker <bjschuma@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSD: SECINFO doesn't handle unsupported pseudoflavors correctly
Chuck Lever [Tue, 30 Apr 2013 22:48:54 +0000 (18:48 -0400)]
NFSD: SECINFO doesn't handle unsupported pseudoflavors correctly

If nfsd4_do_encode_secinfo() can't find GSS info that matches an
export security flavor, it assumes the flavor is not a GSS
pseudoflavor, and simply puts it on the wire.

However, if this XDR encoding logic is given a legitimate GSS
pseudoflavor but the RPC layer says it does not support that
pseudoflavor for some reason, then the server leaks GSS pseudoflavor
numbers onto the wire.

I confirmed this happens by blacklisting rpcsec_gss_krb5, then
attempted a client transition from the pseudo-fs to a Kerberos-only
share.  The client received a flavor list containing the Kerberos
pseudoflavor numbers, rather than GSS tuples.

The encoder logic can check that each pseudoflavor in flavs[] is
less than MAXFLAVOR before writing it into the buffer, to prevent
this.  But after "nflavs" is written into the XDR buffer, the
encoder can't skip writing flavor information into the buffer when
it discovers the RPC layer doesn't support that flavor.

So count the number of valid flavors as they are written into the
XDR buffer, then write that count into a placeholder in the XDR
buffer when all recognized flavors have been encoded.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSD: Simplify GSS flavor encoding in nfsd4_do_encode_secinfo()
Chuck Lever [Tue, 30 Apr 2013 22:48:45 +0000 (18:48 -0400)]
NFSD: Simplify GSS flavor encoding in nfsd4_do_encode_secinfo()

Clean up.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: make symbol nfsd_reply_cache_shrinker static
Wei Yongjun [Fri, 5 Apr 2013 13:22:39 +0000 (21:22 +0800)]
nfsd: make symbol nfsd_reply_cache_shrinker static

symbol 'nfsd_reply_cache_shrinker' only used within this file. It should
be static.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agosvcauth_gss: fix error return code in rsc_parse()
Wei Yongjun [Thu, 18 Apr 2013 02:49:09 +0000 (10:49 +0800)]
svcauth_gss: fix error return code in rsc_parse()

Fix to return a negative error code from the error handling
case instead of 0, as returned elsewhere in this function.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: don't remap EISDIR errors in rename
J. Bruce Fields [Tue, 30 Apr 2013 19:28:51 +0000 (15:28 -0400)]
nfsd4: don't remap EISDIR errors in rename

We're going out of our way here to remap an error to make rfc 3530
happy--but the rfc itself (nor rfc 1813, which has similar language)
gives no justification.  And disagrees with local filesystem behavior,
with Linux and posix man pages, and knfsd's implemented behavior for v2
and v3.

And the documented behavior seems better, in that it gives a little more
information--you could implement the 3530 behavior using the posix
behavior, but not the other way around.

Also, the Linux client makes no attempt to remap this error in the v4
case, so it can end up just returning EEXIST to the application in a
case where it should return EISDIR.

So honestly I think the rfc's are just buggy here--or in any case it
doesn't see worth the trouble to remap this error.

Reported-by: Frank S Filz <ffilz@us.ibm.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agosvcrpc: fix gss-proxy to respect user namespaces
J. Bruce Fields [Mon, 29 Apr 2013 22:21:29 +0000 (18:21 -0400)]
svcrpc: fix gss-proxy to respect user namespaces

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: gssp_procedures[] can be static
Fengguang Wu [Mon, 29 Apr 2013 21:19:48 +0000 (17:19 -0400)]
SUNRPC: gssp_procedures[] can be static

Cc: Simo Sorce <simo@redhat.com>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
11 years agoSUNRPC: define {create,destroy}_use_gss_proxy_proc_entry in !PROC case
J. Bruce Fields [Mon, 29 Apr 2013 21:03:31 +0000 (17:03 -0400)]
SUNRPC: define {create,destroy}_use_gss_proxy_proc_entry in !PROC case

Though I wonder whether we should really just depend on CONFIG_PROC_FS
at some point.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
11 years agoMerge branch 'nfs-for-next' of git://linux-nfs.org/~trondmy/nfs-2.6 into for-3.10
J. Bruce Fields [Mon, 29 Apr 2013 18:03:30 +0000 (14:03 -0400)]
Merge branch 'nfs-for-next' of git://linux-nfs.org/~trondmy/nfs-2.6 into for-3.10

Note conflict: Chuck's patches modified (and made static)
gss_mech_get_by_OID, which is still needed by gss-proxy patches.

The conflict resolution is a bit minimal; we may want some more cleanup.

11 years agoNFSv4: Warn once about servers that incorrectly apply open mode to setattr
Trond Myklebust [Mon, 29 Apr 2013 15:11:58 +0000 (11:11 -0400)]
NFSv4: Warn once about servers that incorrectly apply open mode to setattr

Debugging aid to help identify servers that incorrectly apply open mode
checks to setattr requests that are not changing the file size.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Servers should only check SETATTR stateid open mode on size change
Trond Myklebust [Mon, 29 Apr 2013 14:35:36 +0000 (10:35 -0400)]
NFSv4: Servers should only check SETATTR stateid open mode on size change

The NFSv4 and NFSv4.1 specs are both clear that the server should only check
stateid open mode if a SETATTR specifies the size attribute. If the
open mode is not one that allows writing, then it returns NFS4ERR_OPENMODE.

In the case where the SETATTR is not changing the size, the client will
still pass it the delegation stateid to ensure that the server does not
recall that delegation. In that case, the server should _ignore_ the
delegation open mode, and simply apply standard permission checks.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd4: better error return to indicate SSV non-support
J. Bruce Fields [Fri, 12 Apr 2013 22:10:56 +0000 (18:10 -0400)]
nfsd4: better error return to indicate SSV non-support

As 4.1 becomes less experimental and SSV still isn't implemented, we
have to admit it's not going to be, and return some sensible error
rather than just saying "our server's broken".  Discussion in the ietf
group hasn't turned up any objections to using NFS4ERR_ENC_ALG_UNSUPP
for that purpose.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: fix EXDEV checking in rename
J. Bruce Fields [Mon, 15 Apr 2013 20:03:46 +0000 (16:03 -0400)]
nfsd: fix EXDEV checking in rename

We again check for the EXDEV a little later on, so the first check is
redundant.  This check is also slightly racier, since a badly timed
eviction from the export cache could leave us with the two fh_export
pointers pointing to two different cache entries which each refer to the
same underlying export.

It's better to compare vfsmounts as the later check does, but that
leaves a minor security hole in the case where the two exports refer to
two different directories especially if (for example) they have
different root-squashing options.

So, compare ex_path.dentry too.

Reported-by: Joe Habermann <joe.habermann@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: Use gssproxy upcall for server RPCGSS authentication.
Simo Sorce [Fri, 25 May 2012 22:09:56 +0000 (18:09 -0400)]
SUNRPC: Use gssproxy upcall for server RPCGSS authentication.

The main advantge of this new upcall mechanism is that it can handle
big tickets as seen in Kerberos implementations where tickets carry
authorization data like the MS-PAC buffer with AD or the Posix Authorization
Data being discussed in IETF on the krbwg working group.

The Gssproxy program is used to perform the accept_sec_context call on the
kernel's behalf. The code is changed to also pass the input buffer straight
to upcall mechanism to avoid allocating and copying many pages as tokens can
be as big (potentially more in future) as 64KiB.

Signed-off-by: Simo Sorce <simo@redhat.com>
[bfields: containerization, negotiation api]
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: Add RPC based upcall mechanism for RPCGSS auth
Simo Sorce [Fri, 25 May 2012 22:09:55 +0000 (18:09 -0400)]
SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

This patch implements a sunrpc client to use the services of the gssproxy
userspace daemon.

In particular it allows to perform calls in user space using an RPC
call instead of custom hand-coded upcall/downcall messages.

Currently only accept_sec_context is implemented as that is all is needed for
the server case.

File server modules like NFS and CIFS can use full gssapi services this way,
once init_sec_context is also implemented.

For the NFS server case this code allow to lift the limit of max 2k krb5
tickets. This limit is prevents legitimate kerberos deployments from using krb5
authentication with the Linux NFS server as they have normally ticket that are
many kilobytes large.

It will also allow to lift the limitation on the size of the credential set
(uid,gid,gids) passed down from user space for users that have very many groups
associated. Currently the downcall mechanism used by rpc.svcgssd is limited
to around 2k secondary groups of the 65k allowed by kernel structures.

Signed-off-by: Simo Sorce <simo@redhat.com>
[bfields: containerization, concurrent upcalls, misc. fixes and cleanup]
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: conditionally return endtime from import_sec_context
Simo Sorce [Fri, 25 May 2012 22:09:53 +0000 (18:09 -0400)]
SUNRPC: conditionally return endtime from import_sec_context

We expose this parameter for a future caller.
It will be used to extract the endtime from the gss-proxy upcall mechanism,
in order to set the rsc cache expiration time.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: allow disabling idle timeout
J. Bruce Fields [Thu, 11 Apr 2013 19:06:36 +0000 (15:06 -0400)]
SUNRPC: allow disabling idle timeout

In the gss-proxy case we don't want to have to reconnect at random--we
want to connect only on gss-proxy startup when we can steal gss-proxy's
context to do the connect in the right namespace.

So, provide a flag that allows the rpc_create caller to turn off the
idle timeout.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC: attempt AF_LOCAL connect on setup
J. Bruce Fields [Thu, 21 Feb 2013 15:14:22 +0000 (10:14 -0500)]
SUNRPC: attempt AF_LOCAL connect on setup

In the gss-proxy case, setup time is when I know I'll have the right
namespace for the connect.

In other cases, it might be useful to get any connection errors
earlier--though actually in practice it doesn't make any difference for
rpcbind.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoMerge Trond's nfs-for-next
J. Bruce Fields [Fri, 26 Apr 2013 15:37:29 +0000 (11:37 -0400)]
Merge Trond's nfs-for-next

Merging Trond's nfs-for-next branch, mainly to get
b7993cebb841b0da7a33e9d5ce301a9fd3209165 "SUNRPC: Allow rpc_create() to
request that TCP slots be unlimited", which a small piece of the
gss-proxy work depends on.

11 years agoMerge branch 'bugfixes' into linux-next
Trond Myklebust [Tue, 23 Apr 2013 19:52:14 +0000 (15:52 -0400)]
Merge branch 'bugfixes' into linux-next

Fix up a conflict between the linux-next branch and mainline.
Conflicts:
fs/nfs/nfs4proc.c

11 years agoMerge branch 'rpcsec_gss-from_cel' into linux-next
Trond Myklebust [Tue, 23 Apr 2013 19:40:40 +0000 (15:40 -0400)]
Merge branch 'rpcsec_gss-from_cel' into linux-next

* rpcsec_gss-from_cel: (21 commits)
  NFS: Retry SETCLIENTID with AUTH_SYS instead of AUTH_NONE
  NFSv4: Don't clear the machine cred when client establish returns EACCES
  NFSv4: Fix issues in nfs4_discover_server_trunking
  NFSv4: Fix the fallback to AUTH_NULL if krb5i is not available
  NFS: Use server-recommended security flavor by default (NFSv3)
  SUNRPC: Don't recognize RPC_AUTH_MAXFLAVOR
  NFS: Use "krb5i" to establish NFSv4 state whenever possible
  NFS: Try AUTH_UNIX when PUTROOTFH gets NFS4ERR_WRONGSEC
  NFS: Use static list of security flavors during root FH lookup recovery
  NFS: Avoid PUTROOTFH when managing leases
  NFS: Clean up nfs4_proc_get_rootfh
  NFS: Handle missing rpc.gssd when looking up root FH
  SUNRPC: Remove EXPORT_SYMBOL_GPL() from GSS mech switch
  SUNRPC: Make gss_mech_get() static
  SUNRPC: Refactor nfsd4_do_encode_secinfo()
  SUNRPC: Consider qop when looking up pseudoflavors
  SUNRPC: Load GSS kernel module by OID
  SUNRPC: Introduce rpcauth_get_pseudoflavor()
  SUNRPC: Define rpcsec_gss_info structure
  NFS: Remove unneeded forward declaration
  ...

11 years agoNFSv4: Don't recheck permissions on open in case of recovery cached open
Trond Myklebust [Tue, 23 Apr 2013 18:52:44 +0000 (14:52 -0400)]
NFSv4: Don't recheck permissions on open in case of recovery cached open

If we already checked the user access permissions on the original open,
then don't bother checking again on recovery. Doing so can cause a
deadlock with NFSv4.1, since the may_open() operation is not privileged.
Furthermore, we can't report an access permission failure here anyway.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd: Decode and send 64bit time values
Bryan Schumaker [Fri, 19 Apr 2013 20:09:38 +0000 (16:09 -0400)]
nfsd: Decode and send 64bit time values

The seconds field of an nfstime4 structure is 64bit, but we are assuming
that the first 32bits are zero-filled.  So if the client tries to set
atime to a value before the epoch (touch -t 196001010101), then the
server will save the wrong value on disk.

Signed-off-by: Bryan Schumaker <bjschuma@netapp.com>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSv4.1: Don't do a delegated open for NFS4_OPEN_CLAIM_DELEG_CUR_FH modes
Trond Myklebust [Tue, 23 Apr 2013 18:46:25 +0000 (14:46 -0400)]
NFSv4.1: Don't do a delegated open for NFS4_OPEN_CLAIM_DELEG_CUR_FH modes

If we're in a delegation recall situation, we can't do a delegated open.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4.1: Use the more efficient open_noattr call for open-by-filehandle
Trond Myklebust [Tue, 23 Apr 2013 18:31:19 +0000 (14:31 -0400)]
NFSv4.1: Use the more efficient open_noattr call for open-by-filehandle

When we're doing open-by-filehandle in NFSv4.1, we shouldn't need to
do the cache consistency revalidation on the directory. It is
therefore more efficient to just use open_noattr, which returns the
file attributes, but not the directory attributes.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFS: Retry SETCLIENTID with AUTH_SYS instead of AUTH_NONE
Chuck Lever [Mon, 22 Apr 2013 19:42:48 +0000 (15:42 -0400)]
NFS: Retry SETCLIENTID with AUTH_SYS instead of AUTH_NONE

Recently I changed the SETCLIENTID code to use AUTH_GSS(krb5i), and
then retry with AUTH_NONE if that didn't work.  This was to enable
Kerberos NFS mounts to work without forcing Linux NFS clients to
have a keytab on hand.

Rick Macklem reports that the FreeBSD server accepts AUTH_NONE only
for NULL operations (thus certainly not for SETCLIENTID).  Falling
back to AUTH_NONE means our proposed 3.10 NFS client will not
interoperate with FreeBSD servers over NFSv4 unless Kerberos is
fully configured on both ends.

If the Linux client falls back to using AUTH_SYS instead for
SETCLIENTID, all should work fine as long as the NFS server is
configured to allow AUTH_SYS for SETCLIENTID.

This may still prevent access to Kerberos-only FreeBSD servers by
Linux clients with no keytab.  Rick is of the opinion that the
security settings the server applies to its pseudo-fs should also
apply to the SETCLIENTID operation.

Linux and Solaris NFS servers do not place that limitation on
SETCLIENTID.  The security settings for the server's pseudo-fs are
determined automatically as the union of security flavors allowed on
real exports, as recommended by RFC 3530bis; and the flavors allowed
for SETCLIENTID are all flavors supported by the respective server
implementation.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Ensure that we clear the NFS_OPEN_STATE flag when appropriate
Trond Myklebust [Mon, 22 Apr 2013 15:29:51 +0000 (11:29 -0400)]
NFSv4: Ensure that we clear the NFS_OPEN_STATE flag when appropriate

We should always clear it before initiating file recovery.
Also ensure that we clear it after a CLOSE and/or after TEST_STATEID fails.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoLOCKD: Ensure that nlmclnt_block resets block->b_status after a server reboot
Trond Myklebust [Sun, 21 Apr 2013 22:01:06 +0000 (18:01 -0400)]
LOCKD: Ensure that nlmclnt_block resets block->b_status after a server reboot

After a server reboot, the reclaimer thread will recover all the existing
locks. For locks that are blocked, however, it will change the value
of block->b_status to nlm_lck_denied_grace_period in order to signal that
they need to wake up and resend the original blocking lock request.

Due to a bug, however, the block->b_status never gets reset after the
blocked locks have been woken up, and so the process goes into an
infinite loop of resends until the blocked lock is satisfied.

Reported-by: Marc Eshel <eshel@us.ibm.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: stable@vger.kernel.org
11 years agoNFSv4: Ensure the LOCK call cannot use the delegation stateid
Trond Myklebust [Sat, 20 Apr 2013 05:30:53 +0000 (01:30 -0400)]
NFSv4: Ensure the LOCK call cannot use the delegation stateid

Defensive patch to ensure that we copy the state->open_stateid, which
can never be set to the delegation stateid.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Use the open stateid if the delegation has the wrong mode
Trond Myklebust [Sat, 20 Apr 2013 05:25:45 +0000 (01:25 -0400)]
NFSv4: Use the open stateid if the delegation has the wrong mode

Fix nfs4_select_rw_stateid() so that it chooses the open stateid
(or an all-zero stateid) if the delegation does not match the selected
read/write mode.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfs: Send atime and mtime as a 64bit value
Bryan Schumaker [Fri, 19 Apr 2013 20:09:37 +0000 (16:09 -0400)]
nfs: Send atime and mtime as a 64bit value

RFC 3530 says that the seconds value of a nfstime4 structure is a 64bit
value, but we are instead sending a 32-bit 0 and then a 32bit conversion
of the 64bit Linux value.  This means that if we try to set atime to a
value before the epoch (touch -t 196001010101) the client will only send
part of the new value due to lost precision.

Signed-off-by: Bryan Schumaker <bjschuma@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd4: put_client_renew_locked can be static
Fengguang Wu [Wed, 17 Apr 2013 02:14:15 +0000 (22:14 -0400)]
nfsd4: put_client_renew_locked can be static

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: remove unused macro
J. Bruce Fields [Wed, 17 Apr 2013 01:29:03 +0000 (21:29 -0400)]
nfsd4: remove unused macro

Cleanup a piece I forgot to remove in
9411b1d4c7df26dca6bc6261b5dc87a5b4c81e5c "nfsd4: cleanup handling of
nfsv4.0 closed stateid's".

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSv4: Record the OPEN create mode used in the nfs4_opendata structure
Trond Myklebust [Tue, 16 Apr 2013 22:42:34 +0000 (18:42 -0400)]
NFSv4: Record the OPEN create mode used in the nfs4_opendata structure

If we're doing NFSv4.1 against a server that has persistent sessions,
then we should not need to call SETATTR in order to reset the file
attributes immediately after doing an exclusive create.

Note that since the create mode depends on the type of session that
has been negotiated with the server, we should not choose the
mode until after we've got a session slot.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd4: remove some useless code
fanchaoting [Thu, 11 Apr 2013 13:24:13 +0000 (21:24 +0800)]
nfsd4: remove some useless code

The "list_empty(&oo->oo_owner.so_stateids)" is aways true, so remove it.

Signed-off-by: fanchaoting <fanchaoting@cn.fujitsu.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: implement SEQ4_STATUS_RECALLABLE_STATE_REVOKED
J. Bruce Fields [Tue, 9 Apr 2013 21:02:51 +0000 (17:02 -0400)]
nfsd4: implement SEQ4_STATUS_RECALLABLE_STATE_REVOKED

A 4.1 server must notify a client that has had any state revoked using
the SEQ4_STATUS_RECALLABLE_STATE_REVOKED flag.  The client can figure
out exactly which state is the problem using CHECK_STATEID and then free
it using FREE_STATEID.  The status flag will be unset once all such
revoked stateids are freed.

Our server's only recallable state is delegations.  So we keep with each
4.1 client a list of delegations that have timed out and been recalled,
but haven't yet been freed by FREE_STATEID.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSv4.1: Set the RPC_CLNT_CREATE_INFINITE_SLOTS flag for NFSv4.1 transports
Trond Myklebust [Sun, 14 Apr 2013 15:49:51 +0000 (11:49 -0400)]
NFSv4.1: Set the RPC_CLNT_CREATE_INFINITE_SLOTS flag for NFSv4.1 transports

This ensures that the RPC layer doesn't override the NFS session
negotiation.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoSUNRPC: Allow rpc_create() to request that TCP slots be unlimited
Trond Myklebust [Sun, 14 Apr 2013 15:42:00 +0000 (11:42 -0400)]
SUNRPC: Allow rpc_create() to request that TCP slots be unlimited

This is mainly for use by NFSv4.1, where the session negotiation
ultimately wants to decide how many RPC slots we can fill.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoSUNRPC: Fix a livelock problem in the xprt->backlog queue
Trond Myklebust [Sun, 14 Apr 2013 14:49:37 +0000 (10:49 -0400)]
SUNRPC: Fix a livelock problem in the xprt->backlog queue

This patch ensures that we throttle new RPC requests if there are
requests already waiting in the xprt->backlog queue. The reason for
doing this is to fix livelock issues that can occur when an existing
(high priority) task is waiting in the backlog queue, gets woken up
by xprt_free_slot(), but a new task then steals the slot.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Fix handling of revoked delegations by setattr
Trond Myklebust [Fri, 12 Apr 2013 19:04:51 +0000 (15:04 -0400)]
NFSv4: Fix handling of revoked delegations by setattr

Currently, _nfs4_do_setattr() will use the delegation stateid if no
writeable open file stateid is available.
If the server revokes that delegation stateid, then the call to
nfs4_handle_exception() will fail to handle the error due to the
lack of a struct nfs4_state, and will just convert the error into
an EIO.

This patch just removes the requirement that we must have a
struct nfs4_state in order to invalidate the delegation and
retry.

Reported-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4 release the sequence id in the return on close case
Andy Adamson [Thu, 11 Apr 2013 13:28:45 +0000 (09:28 -0400)]
NFSv4 release the sequence id in the return on close case

Otherwise we deadlock if state recovery is initiated while we
sleep.

Signed-off-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfs: remove unnecessary check for NULL inode->i_flock from nfs_delegation_claim_locks
Jeff Layton [Wed, 10 Apr 2013 19:36:48 +0000 (15:36 -0400)]
nfs: remove unnecessary check for NULL inode->i_flock from nfs_delegation_claim_locks

The second check was added in commit 65b62a29 but it will never be true.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Doh! Typo in the fix to nfs41_walk_client_list
Trond Myklebust [Wed, 10 Apr 2013 16:44:18 +0000 (12:44 -0400)]
NFSv4: Doh! Typo in the fix to nfs41_walk_client_list

Make sure that we set the status to 0 on success. Missed in testing
because it never appears when doing multiple mounts to _different_
servers.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
11 years agonfsd4: clean up validate_stateid
J. Bruce Fields [Tue, 9 Apr 2013 21:42:28 +0000 (17:42 -0400)]
nfsd4: clean up validate_stateid

The logic here is better expressed with a switch statement.

While we're here, CLOSED stateids (or stateids of an unkown type--which
would indicate a server bug) should probably return nfserr_bad_stateid,
though this behavior shouldn't affect any non-buggy client.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: check backchannel attributes on create_session
J. Bruce Fields [Tue, 9 Apr 2013 15:34:36 +0000 (11:34 -0400)]
nfsd4: check backchannel attributes on create_session

Make sure the client gives us an adequate backchannel.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: fix forechannel attribute negotiation
J. Bruce Fields [Mon, 8 Apr 2013 20:44:14 +0000 (16:44 -0400)]
nfsd4: fix forechannel attribute negotiation

Negotiation of the 4.1 session forechannel attributes is a mess.  Fix:

- Move it all into check_forechannel_attrs instead of spreading
  it between that, alloc_session, and init_forechannel_attrs.
- set a minimum "slotsize" so that our drc memory limits apply
  even for small maxresponsesize_cached.  This also fixes some
  bugs when slotsize becomes <= 0.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: cleanup check_forechannel_attrs
J. Bruce Fields [Mon, 8 Apr 2013 19:42:12 +0000 (15:42 -0400)]
nfsd4: cleanup check_forechannel_attrs

Pass this struct by reference, not by value, and return an error instead
of a boolean to allow for future additions.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSv4: Fix another potential state manager deadlock
Trond Myklebust [Tue, 9 Apr 2013 16:56:52 +0000 (12:56 -0400)]
NFSv4: Fix another potential state manager deadlock

Don't hold the NFSv4 sequence id while we check for open permission.
The call to ACCESS may block due to reboot recovery.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd4: don't close read-write opens too soon
J. Bruce Fields [Fri, 29 Mar 2013 00:37:14 +0000 (20:37 -0400)]
nfsd4: don't close read-write opens too soon

Don't actually close any opens until we don't need them at all.

This means being left with write access when it's not really necessary,
but that's better than putting a file that might still have posix locks
held on it, as we have been.

Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: release lockowners on last unlock in 4.1 case
J. Bruce Fields [Sun, 7 Apr 2013 17:28:16 +0000 (13:28 -0400)]
nfsd4: release lockowners on last unlock in 4.1 case

In the 4.1 case we're supposed to release lockowners as soon as they're
no longer used.

It would probably be more efficient to reference count them, but that's
slightly fiddly due to the need to have callbacks from locks.c to take
into account lock merging and splitting.

For most cases just scanning the inode's lock list on unlock for
matching locks will be sufficient.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: more sessions/open-owner-replay cleanup
J. Bruce Fields [Fri, 22 Mar 2013 22:03:49 +0000 (18:03 -0400)]
nfsd4: more sessions/open-owner-replay cleanup

More logic that's unnecessary in the 4.1 case.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: no need for replay_owner in sessions case
J. Bruce Fields [Fri, 22 Mar 2013 21:44:19 +0000 (17:44 -0400)]
nfsd4: no need for replay_owner in sessions case

The replay_owner will never be used in the sessions case.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: remove some redundant comments
J. Bruce Fields [Sun, 7 Apr 2013 17:21:08 +0000 (13:21 -0400)]
nfsd4: remove some redundant comments

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: use kmem_cache_free() instead of kfree()
Wei Yongjun [Tue, 9 Apr 2013 06:15:31 +0000 (14:15 +0800)]
nfsd: use kmem_cache_free() instead of kfree()

memory allocated by kmem_cache_alloc() should be freed using
kmem_cache_free(), not kfree().

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFS: Ensure that NFS file unlock waits for readahead to complete
Trond Myklebust [Tue, 9 Apr 2013 01:49:53 +0000 (21:49 -0400)]
NFS: Ensure that NFS file unlock waits for readahead to complete

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFS: Add functionality to allow waiting on all outstanding reads to complete
Trond Myklebust [Tue, 9 Apr 2013 01:38:12 +0000 (21:38 -0400)]
NFS: Add functionality to allow waiting on all outstanding reads to complete

This will later allow NFS locking code to wait for readahead to complete
before releasing byte range locks.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Handle timeouts correctly when probing for lease validity
Trond Myklebust [Mon, 8 Apr 2013 21:50:28 +0000 (17:50 -0400)]
NFSv4: Handle timeouts correctly when probing for lease validity

When we send a RENEW or SEQUENCE operation in order to probe if the
lease is still valid, we want it to be able to time out since the
lease we are probing is likely to time out too. Currently, because
we use soft mount semantics for these RPC calls, the return value
is EIO, which causes the state manager to exit with an "unhandled
error" message.
This patch changes the call semantics, so that the RPC layer returns
ETIMEDOUT instead of EIO. We then have the state manager default to
a simple retry instead of exiting.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd4: cleanup handling of nfsv4.0 closed stateid's
J. Bruce Fields [Mon, 1 Apr 2013 20:37:12 +0000 (16:37 -0400)]
nfsd4: cleanup handling of nfsv4.0 closed stateid's

Closed stateid's are kept around a little while to handle close replays
in the 4.0 case.  So we stash them in the last-used stateid in the
oo_last_closed_stateid field of the open owner.  We can free that in
encode_seqid_op_tail once the seqid on the open owner is next
incremented.  But we don't want to do that on the close itself; so we
set NFS4_OO_PURGE_CLOSE flag set on the open owner, skip freeing it the
first time through encode_seqid_op_tail, then when we see that flag set
next time we free it.

This is unnecessarily baroque.

Instead, just move the logic that increments the seqid out of the xdr
code and into the operation code itself.

The justification given for the current placement is that we need to
wait till the last minute to be sure we know whether the status is a
sequence-id-mutating error or not, but examination of the code shows
that can't actually happen.

Reported-by: Yanchuan Nian <ycnian@gmail.com>
Tested-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoNFSv4: Fix CB_RECALL_ANY to only return delegations that are not in use
Trond Myklebust [Wed, 3 Apr 2013 23:27:52 +0000 (19:27 -0400)]
NFSv4: Fix CB_RECALL_ANY to only return delegations that are not in use

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Clean up nfs_expire_all_delegations
Trond Myklebust [Wed, 3 Apr 2013 23:23:58 +0000 (19:23 -0400)]
NFSv4: Clean up nfs_expire_all_delegations

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Fix nfs_server_return_all_delegations
Trond Myklebust [Wed, 3 Apr 2013 23:04:58 +0000 (19:04 -0400)]
NFSv4: Fix nfs_server_return_all_delegations

If the state manager thread is already running, we may end up
racing with it in nfs_client_return_marked_delegations. Better to
just allow the state manager thread to do the job.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Be less aggressive about returning delegations for open files
Trond Myklebust [Wed, 3 Apr 2013 18:33:49 +0000 (14:33 -0400)]
NFSv4: Be less aggressive about returning delegations for open files

Currently, if the application that holds the file open isn't doing
I/O, we may end up returning the delegation. This means that we can
no longer cache the file as aggressively, and often also that we
multiply the state that both the server and the client needs to track.

This patch adds a check for open files to the routine that scans
for delegations that are unreferenced.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Clean up delegation recall error handling
Trond Myklebust [Mon, 1 Apr 2013 19:56:46 +0000 (15:56 -0400)]
NFSv4: Clean up delegation recall error handling

Unify the error handling in nfs4_open_delegation_recall and
nfs4_lock_delegation_recall.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Clean up nfs4_open_delegation_recall
Trond Myklebust [Mon, 1 Apr 2013 19:40:44 +0000 (15:40 -0400)]
NFSv4: Clean up nfs4_open_delegation_recall

Make it symmetric with nfs4_lock_delegation_recall

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Clean up nfs4_lock_delegation_recall
Trond Myklebust [Mon, 1 Apr 2013 18:47:22 +0000 (14:47 -0400)]
NFSv4: Clean up nfs4_lock_delegation_recall

All error cases are handled by the switch() statement, meaning that the
call to nfs4_handle_exception() is unreachable.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_open_delegation_recall
Trond Myklebust [Mon, 1 Apr 2013 19:34:05 +0000 (15:34 -0400)]
NFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_open_delegation_recall

A server shouldn't normally return NFS4ERR_GRACE if the client holds a
delegation, since no conflicting lock reclaims can be granted, however
the spec does not require the server to grant the open in this
instance

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: stable@vger.kernel.org
11 years agoNFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_lock_delegation_recall
Trond Myklebust [Mon, 1 Apr 2013 18:27:29 +0000 (14:27 -0400)]
NFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_lock_delegation_recall

A server shouldn't normally return NFS4ERR_GRACE if the client holds a
delegation, since no conflicting lock reclaims can be granted, however
the spec does not require the server to grant the lock in this
instance.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: stable@vger.kernel.org
11 years agosunrpc: drop "select NETVM"
Paul Bolle [Sat, 9 Mar 2013 16:02:31 +0000 (17:02 +0100)]
sunrpc: drop "select NETVM"

The Kconfig entry for SUNRPC_SWAP selects NETVM. That select statement
was added in commit a564b8f0398636ba30b07c0eaebdef7ff7837249 ("nfs:
enable swap on NFS"). But there's no Kconfig symbol NETVM. It apparently
was only in used in development versions of the swap over nfs
functionality but never entered mainline. Anyhow, it is a nop and can
safely be dropped.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfs: allow the v4.1 callback thread to freeze
Jeff Layton [Mon, 25 Mar 2013 11:59:57 +0000 (07:59 -0400)]
nfs: allow the v4.1 callback thread to freeze

The v4.1 callback thread has set_freezable() at the top, but it doesn't
ever try to freeze within the loop. Have it call try_to_freeze() at the
top of the loop. If a freeze event occurs, recheck kthread_should_stop()
after thawing.

Reported-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoSUNRPC: Fix a potential memory leak in rpc_new_client
Trond Myklebust [Fri, 5 Apr 2013 18:13:21 +0000 (14:13 -0400)]
SUNRPC: Fix a potential memory leak in rpc_new_client

If the call to rpciod_up() fails, we currently leak a reference to the
struct rpc_xprt.
As part of the fix, we also remove the redundant check for xprt!=NULL.
This is already taken care of by the callers.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
Trond Myklebust [Fri, 5 Apr 2013 20:11:11 +0000 (16:11 -0400)]
NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list

It is unsafe to use list_for_each_entry_safe() here, because
when we drop the nn->nfs_client_lock, we pin the _current_ list
entry and ensure that it stays in the list, but we don't do the
same for the _next_ list entry. Use of list_for_each_entry() is
therefore the correct thing to do.

Also fix the refcounting in nfs41_walk_client_list().

Finally, ensure that the nfs_client has finished being initialised
and, in the case of NFSv4.1, that the session is set up.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Bryan Schumaker <bjschuma@netapp.com>
Cc: stable@vger.kernel.org [>= 3.7]
11 years agoNFSv4: Fix a memory leak in nfs4_discover_server_trunking
Trond Myklebust [Thu, 4 Apr 2013 19:55:00 +0000 (15:55 -0400)]
NFSv4: Fix a memory leak in nfs4_discover_server_trunking

When we assign a new rpc_client to clp->cl_rpcclient, we need to destroy
the old one.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org [>=3.7]
11 years agoSUNRPC: Remove extra xprt_put()
Chuck Lever [Fri, 22 Mar 2013 16:52:59 +0000 (12:52 -0400)]
SUNRPC: Remove extra xprt_put()

While testing error cases where rpc_new_client() fails, I saw
some oopses.

If rpc_new_client() fails, it already invokes xprt_put().  Thus
__rpc_clone_client() does not need to invoke it again.

Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
Fri Sep 14, 2012.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org [>=3.7]
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Don't clear the machine cred when client establish returns EACCES
Trond Myklebust [Fri, 5 Apr 2013 19:37:04 +0000 (15:37 -0400)]
NFSv4: Don't clear the machine cred when client establish returns EACCES

The expected behaviour is that the client will decide at mount time
whether or not to use a krb5i machine cred, or AUTH_NULL.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Bryan Schumaker <bjschuma@netapp.com>
11 years agoNFSv4: Fix issues in nfs4_discover_server_trunking
Trond Myklebust [Fri, 5 Apr 2013 17:22:50 +0000 (13:22 -0400)]
NFSv4: Fix issues in nfs4_discover_server_trunking

- Ensure that we exit with ENOENT if the call to ops->get_clid_cred()
  fails.
- Handle the case where ops->detect_trunking() exits with an
  unexpected error, and return EIO.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoNFSv4: Fix the fallback to AUTH_NULL if krb5i is not available
Trond Myklebust [Thu, 4 Apr 2013 20:14:11 +0000 (16:14 -0400)]
NFSv4: Fix the fallback to AUTH_NULL if krb5i is not available

If the rpcsec_gss_krb5 module cannot be loaded, the attempt to create
an rpc_client in nfs4_init_client will currently fail with an EINVAL.
Fix is to retry with AUTH_NULL.

Regression introduced by the commit "NFS: Use "krb5i" to establish NFSv4
state whenever possible"

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Bryan Schumaker <bjschuma@netapp.com>
11 years agoNFS: Use server-recommended security flavor by default (NFSv3)
Chuck Lever [Fri, 22 Mar 2013 16:53:17 +0000 (12:53 -0400)]
NFS: Use server-recommended security flavor by default (NFSv3)

Since commit ec88f28d in 2009, checking if the user-specified flavor
is in the server's flavor list has been the source of a few
noticeable regressions (now fixed), but there is one that is still
vexing.

An NFS server can list AUTH_NULL in its flavor list, which suggests
a client should try to mount the server with the flavor of the
client's choice, but the server will squash all accesses.  In some
cases, our client fails to mount a server because of this check,
when the mount could have proceeded successfully.

Skip this check if the user has specified "sec=" on the mount
command line.  But do consult the server-provided flavor list to
choose a security flavor if no sec= option is specified on the mount
command.

If a server lists Kerberos pseudoflavors before "sys" in its export
options, our client now chooses Kerberos over AUTH_UNIX for mount
points, when no security flavor is specified by the mount command.
This could be surprising to some administrators or users, who would
then need to have Kerberos credentials to access the export.

Or, a client administrator may not have enabled rpc.gssd.  In this
case, auth_rpcgss.ko might still be loadable, which is enough for
the new logic to choose Kerberos over AUTH_UNIX.  But the mount
would fail since no GSS context can be created without rpc.gssd
running.

To retain the use of AUTH_UNIX by default:

  o  The server administrator can ensure that "sys" is listed before
     Kerberos flavors in its export security options (see
     exports(5)),

  o  The client administrator can explicitly specify "sec=sys" on
     its mount command line (see nfs(5)),

  o  The client administrator can use "Sec=sys" in an appropriate
     section of /etc/nfsmount.conf (see nfsmount.conf(5)), or

  o  The client administrator can blacklist auth_rpcgss.ko.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agoSUNRPC: Don't recognize RPC_AUTH_MAXFLAVOR
Chuck Lever [Fri, 22 Mar 2013 16:53:08 +0000 (12:53 -0400)]
SUNRPC: Don't recognize RPC_AUTH_MAXFLAVOR

RPC_AUTH_MAXFLAVOR is an invalid flavor, on purpose.  Don't allow
any processing whatsoever if a caller passes it to rpcauth_create()
or rpcauth_get_gssinfo().

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
11 years agonfsd4: remove unused nfs4_check_deleg argument
J. Bruce Fields [Thu, 21 Mar 2013 19:49:47 +0000 (15:49 -0400)]
nfsd4: remove unused nfs4_check_deleg argument

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: make del_recall_lru per-network-namespace
J. Bruce Fields [Thu, 21 Mar 2013 19:19:33 +0000 (15:19 -0400)]
nfsd4: make del_recall_lru per-network-namespace

If nothing else this simplifies the nfs4_state_shutdown_net logic a tad.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: shut down more of delegation earlier
J. Bruce Fields [Thu, 21 Mar 2013 15:21:50 +0000 (11:21 -0400)]
nfsd4: shut down more of delegation earlier

Once we've unhashed the delegation, it's only hanging around for the
benefit of an oustanding recall, which only needs the encoded
filehandle, stateid, and dl_retries counter.  No point keeping the file
around any longer, or keeping it hashed.

This also fixes a race: calls to idr_remove should really be serialized
by the caller, but the nfs4_put_delegation call from the callback code
isn't taking the state lock.

(Better might be to cancel the callback before destroying the
delegation, and remove any need for reference counting--but I don't see
an easy way to cancel an rpc call.)

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: minor cb_recall simplification
J. Bruce Fields [Thu, 21 Mar 2013 14:59:29 +0000 (10:59 -0400)]
nfsd4: minor cb_recall simplification

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agoSUNRPC/cache: add module_put() on error path in cache_open()
Alexey Khoroshilov [Fri, 22 Mar 2013 20:36:44 +0000 (00:36 +0400)]
SUNRPC/cache: add module_put() on error path in cache_open()

If kmalloc() fails in cache_open(), module cd->owner left locked.
The patch adds module_put(cd->owner) on this path.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: remove /proc/fs/nfs when create /proc/fs/nfs/exports error
fanchaoting [Wed, 27 Mar 2013 08:31:18 +0000 (16:31 +0800)]
nfsd: remove /proc/fs/nfs when create /proc/fs/nfs/exports error

when create /proc/fs/nfs/exports error, we should remove /proc/fs/nfs,
if don't do it, it maybe cause Memory leak.

Signed-off-by: fanchaoting <fanchaoting@cn.fujitsu.com>
Reviewed-by: chendt.fnst <chendt.fnst@cn.fujitsu.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: don't run get_file if nfs4_preprocess_stateid_op return error
fanchaoting [Mon, 1 Apr 2013 13:07:22 +0000 (21:07 +0800)]
nfsd: don't run get_file if nfs4_preprocess_stateid_op return error

we should return error status directly when nfs4_preprocess_stateid_op
return error.

Signed-off-by: fanchaoting <fanchaoting@cn.fujitsu.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: convert the file_hashtbl to a hlist
Jeff Layton [Tue, 2 Apr 2013 13:01:59 +0000 (09:01 -0400)]
nfsd: convert the file_hashtbl to a hlist

We only ever traverse the hash chains in the forward direction, so a
double pointer list head isn't really necessary.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: don't destroy in-use session
J. Bruce Fields [Tue, 19 Mar 2013 16:05:39 +0000 (12:05 -0400)]
nfsd4: don't destroy in-use session

This changes session destruction to be similar to client destruction in
that attempts to destroy a session while in use (which should be rare
corner cases) result in DELAY.  This simplifies things somewhat and
helps meet a coming 4.2 requirement.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: don't destroy in-use clients
J. Bruce Fields [Tue, 2 Apr 2013 02:23:49 +0000 (22:23 -0400)]
nfsd4: don't destroy in-use clients

When a setclientid_confirm or create_session confirms a client after a
client reboot, it also destroys any previous state held by that client.

The shutdown of that previous state must be careful not to free the
client out from under threads processing other requests that refer to
the client.

This is a particular problem in the NFSv4.1 case when we hold a
reference to a session (hence a client) throughout compound processing.

The server attempts to handle this by unhashing the client at the time
it's destroyed, then delaying the final free to the end.  But this still
leaves some races in the current code.

I believe it's simpler just to fail the attempt to destroy the client by
returning NFS4ERR_DELAY.  This is a case that should never happen
anyway.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: simplify bind_conn_to_session locking
J. Bruce Fields [Mon, 18 Mar 2013 21:31:30 +0000 (17:31 -0400)]
nfsd4: simplify bind_conn_to_session locking

The locking here is very fiddly, and there's no reason for us to be
setting cstate->session, since this is the only op in the compound.
Let's just take the state lock and drop the reference counting.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: fix destroy_session race
J. Bruce Fields [Thu, 14 Mar 2013 23:55:33 +0000 (19:55 -0400)]
nfsd4: fix destroy_session race

destroy_session uses the session and client without continuously holding
any reference or locks.

Put the whole thing under the state lock for now.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: clientid lookup cleanup
J. Bruce Fields [Thu, 14 Mar 2013 22:24:52 +0000 (18:24 -0400)]
nfsd4: clientid lookup cleanup

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: destroy_clientid simplification
J. Bruce Fields [Thu, 14 Mar 2013 22:20:01 +0000 (18:20 -0400)]
nfsd4: destroy_clientid simplification

I'm not sure what the check for clientid expiry was meant to do here.

The check for a matching session is redundant given the previous check
for state: a client without state is, in particular, a client without
sessions.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: remove some dprintk's
J. Bruce Fields [Thu, 14 Mar 2013 22:12:03 +0000 (18:12 -0400)]
nfsd4: remove some dprintk's

E.g. printk's that just report the return value from an op are
uninteresting as we already do that in the main proc_compound loop.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: STALE_STATEID cleanup
J. Bruce Fields [Tue, 12 Mar 2013 21:36:17 +0000 (17:36 -0400)]
nfsd4: STALE_STATEID cleanup

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd4: warn on odd create_session state
J. Bruce Fields [Tue, 12 Mar 2013 14:12:37 +0000 (10:12 -0400)]
nfsd4: warn on odd create_session state

This should never happen.

(Note: the comparable case in setclientid_confirm *can* happen, since
updating a client record can result in both confirmed and unconfirmed
records with the same clientid.)

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
11 years agonfsd: fix bug on nfs4 stateid deallocation
ycnian@gmail.com [Mon, 11 Mar 2013 00:46:14 +0000 (08:46 +0800)]
nfsd: fix bug on nfs4 stateid deallocation

NFS4_OO_PURGE_CLOSE is not handled properly. To avoid memory leak, nfs4
stateid which is pointed by oo_last_closed_stid is freed in nfsd4_close(),
but NFS4_OO_PURGE_CLOSE isn't cleared meanwhile. So the stateid released in
THIS close procedure may be freed immediately in the coming encoding function.
Sorry that Signed-off-by was forgotten in last version.

Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>