system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 10:48:02 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

nfscl: Fix handling of expired Kerberos credentials (NFSv4.1/4.2)

Browse source 
If the NFS server detects that the Kerberos credentials provided
by a NFSv4.1/4.2 mount using sec=krb5[ip] have expired, the NFS
server replies with a krpc layer error of RPC_AUTHERROR.
When this happened, the client erroneously left the NFSv4.1/4.2
session slot busy, so that it could not be used by other RPCs.
If this happened for all session slots, the mount point would
hang.

This patch fixes the problem by releasing the session slot
and resetting its sequence# upon receiving a RPC_AUTHERROR
reply.

This bug only affects NFSv4.1/4.2 mounts using sec=krb5[ip],
but has existed since NFSv4.1 client support was added to
FreeBSD.

So, why has the bug remained undetected for so long?
I cannot be sure, but I suspect that, often, the client detected
the Kerberos credential expiration before attempting the RPC.
For this case, the client would not do the RPC and, as such,
there would be no busy session slot.  Also, no hang would
occur until all session slots are busied (64 for a FreeBSD
client/server), so many cases of the bug probably went undetected?
Also, use of sec=krb5[ip] mounts are not that common.

PR:	275905
Tested by:	Lexi <lexi.freebsd@le-fay.org>
MFC after:	1 week
This commit is contained in:
Rick Macklem 2023-12-26 14:33:39 -08:00
parent 08c33cd94d
commit a558130881
1 changed files with 16 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
sys/fs/nfs/nfs_commonkrpc.c
View file

@ -1047,6 +1047,22 @@ newnfs_request(struct nfsrv_descript *nd, struct nfsmount *nmp,
NFSINCRGLOBAL(nfsstatsv1.rpcinvalid);
error = ENXIO;
}
} else if (stat == RPC_AUTHERROR) {
/* Check for a session slot that needs to be free'd. */
if ((nd->nd_flag & (ND_NFSV41 | ND_HASSLOTID)) ==
(ND_NFSV41 | ND_HASSLOTID) && nmp != NULL &&
nd->nd_procnum != NFSPROC_NULL) {
/*
* This can occur when a Kerberos/RPCSEC_GSS session
* expires, due to TGT expiration.
* Free the slot, resetting the slot's sequence#.
*/
if (sep == NULL)
sep = nfsmnt_mdssession(nmp);
nfsv4_freeslot(sep, nd->nd_slotid, true);
}
NFSINCRGLOBAL(nfsstatsv1.rpcinvalid);
error = EACCES;
} else {
NFSINCRGLOBAL(nfsstatsv1.rpcinvalid);
error = EACCES;