Simon Wilkinson [Sat, 31 Mar 2012 18:33:33 +0000 (14:33 -0400)]
auth: Handle empty lists of keys
Handle the case where a list of keys may be empty - don't attempt
to calloc a 0 length array, and have Put handle the case where the
array being freed has no elements.
Simon Wilkinson [Sat, 31 Mar 2012 18:23:18 +0000 (14:23 -0400)]
Unix CM: We're disconnected if RW disconnected too
At the moment, the Unix CM doesn't support entering a purely RO
disconnected mode (the historical AFS_IS_DISCONNECTED mode). If we
go disconnected, or reconnect we always toggle RW discon at the same
time as we toggle RO. Arguably, the RO disconnected mode should just
be removed, as it is now superseded.
For the moment, make it clear to the compiler that RW disconnected
implies RO disconnected, so that static analysis can make more sensible
decisions about code paths.
Simon Wilkinson [Sat, 31 Mar 2012 16:20:25 +0000 (12:20 -0400)]
auth: Make sure we get AF_INET addresses from DNS
The routines which do AFSDB and SRV lookups copy the results of
gethostbyname directly into an afs_int32, and use the size of the
result to limit the copy. If, for any reason, they get a result that
isn't an int, then they will overflow this value.
Check that the result we get from gethostbyname is in the INET
address family, and also limit the size of the copy by the size of the
destination, rather than that of the source.
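The two checks the message describes, as an added illustration rather than OpenAFS's own lookup code: reject any gethostbyname() result that is not an AF_INET answer of the expected length, and bound the copy by the destination slot. The `addr_slot` type, the `copy_inet_addrs` function and the hostent records are constructed for this example so it runs without DNS.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <netdb.h>
#include <sys/socket.h>

/* Stand-in for the 32-bit address slot the text mentions (assumption for
 * this example): one IPv4 address in network byte order. */
typedef uint32_t addr_slot;

/* Copy the addresses of a gethostbyname() result into a fixed array of
 * 32-bit slots. Returns the number of addresses copied, or -1 when the
 * result is not an AF_INET answer of the expected length. The copy size is
 * sizeof(dst[n]), the destination, never he->h_length, the source. */
int copy_inet_addrs(const struct hostent *he, addr_slot *dst, int max)
{
    int n;

    if (he == NULL || he->h_addr_list == NULL)
        return -1;
    /* Reject anything that is not IPv4: an AF_INET6 result carries a
     * 16-byte h_length, and copying h_length bytes into a 4-byte slot
     * would overrun it. */
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof(*dst))
        return -1;
    for (n = 0; n < max && he->h_addr_list[n] != NULL; n++)
        memcpy(&dst[n], he->h_addr_list[n], sizeof(dst[n]));
    return n;
}

/* Constructed hostent records so the example runs offline. */
static char v4_a[4] = { 10, 0, 0, 1 };
static char v4_b[4] = { 10, 0, 0, 2 };
static char *v4_list[] = { v4_a, v4_b, NULL };
struct hostent constructed_inet = {
    .h_name = "afsdb.example.test", .h_aliases = NULL,
    .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = v4_list
};

static char v6_a[16] = { 0x20, 0x01, 0x0d, 0x7f };   /* remaining bytes zero */
static char *v6_list[] = { v6_a, NULL };
struct hostent constructed_inet6 = {
    .h_name = "afsdb6.example.test", .h_aliases = NULL,
    .h_addrtype = AF_INET6, .h_length = 16, .h_addr_list = v6_list
};

/* Small wrappers that return plain values for checking. */
int copied_count(const struct hostent *he)
{
    addr_slot slots[4];
    return copy_inet_addrs(he, slots, 4);
}

int first_addr_is(const struct hostent *he, const char *expected4)
{
    addr_slot slots[4];
    if (copy_inet_addrs(he, slots, 4) < 1)
        return 0;
    return memcmp(&slots[0], expected4, sizeof(slots[0])) == 0;
}

int main(void)
{
    printf("IPv4 answer: %d address(es) copied\n", copied_count(&constructed_inet));
    printf("IPv6 answer: result %d (rejected, not copied)\n", copied_count(&constructed_inet6));
    return 0;
}
```

The length comparison against sizeof(*dst) is the part that matters: h_length is data supplied by the resolver, and using it as the copy size is what let a non-IPv4 answer overflow a 4-byte destination.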
Simon Wilkinson [Sat, 31 Mar 2012 15:59:16 +0000 (11:59 -0400)]
vos: Initialise total counters
When VolumeStats_int calls DisplayFormat, it isn't interested in
the total counters it provides. So, it doesn't bother initialising the
variables it passes in to hold these counters - garbage in, garbage out.
However, this shows up as an uninitialised variable warning, so set them
all to 0 to keep clang happy.
Simon Wilkinson [Sat, 31 Mar 2012 15:51:19 +0000 (11:51 -0400)]
vol: Don't return an uninited val from LookupNode
If the SalvageHashTable for a particular node is empty, then LookupNode
can return an uninitialised value to the caller. It isn't clear from a
broader code inspection whether LookupNode can ever be called with an
empty SalvageHashTable, but returning a NULL vsp does seem like the
correct thing to do in this situation.
Simon Wilkinson [Sat, 31 Mar 2012 11:01:46 +0000 (07:01 -0400)]
fs: Fix bad frees
On an error GetLastComponent was freeing completely the wrong thing.
Fix this so it frees the memory it has allocated, and not some random
stack pointer.
Simon Wilkinson [Sat, 31 Mar 2012 10:58:01 +0000 (06:58 -0400)]
cmd: Use strl* rather than strn* to avoid overrun
The NName function was using strncat(a, b, sizeof(a)), which doesn't
work as you would expect if 'a' already contains data. To avoid the
potential buffer overflow, switch to just using strlcat.
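Why strncat(a, b, sizeof(a)) is unsafe once 'a' holds data, and what the strlcat replacement does instead, as an added example that is not OpenAFS's NName code. OpenAFS takes strlcat from libroken; the `example_strlcat` here is a local copy with the usual OpenBSD semantics so the block builds on its own, and `strncat_bytes_needed` only computes how far the buggy call would write rather than performing it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Local strlcat (assumption for this example; OpenAFS uses libroken's).
 * Appends src to dst, writes at most dstsize bytes in total, always
 * NUL-terminates when dstsize > 0, and returns the length the result would
 * have had without truncation, so a return >= dstsize means truncation. */
size_t example_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = strnlen(dst, dstsize);
    size_t slen = strlen(src);
    size_t room, ncopy;

    if (dlen == dstsize)            /* dst is not terminated within dstsize */
        return dstsize + slen;
    room = dstsize - dlen - 1;      /* bytes left before the terminator */
    ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* Total bytes strncat(a, b, sizeof(a)) would need in 'a'. The third
 * argument of strncat limits the bytes taken from b, not the size of a, so
 * it appends min(strlen(b), sizeof(a)) bytes plus a NUL after whatever 'a'
 * already contains. Anything above the buffer size is an overrun. */
size_t strncat_bytes_needed(size_t existing_len, size_t src_len, size_t bufsize)
{
    size_t appended = src_len < bufsize ? src_len : bufsize;
    return existing_len + appended + 1;   /* +1 for the terminating NUL */
}

/* Bounded append. Returns 1 if the whole suffix fit, 0 if the result was
 * truncated; in both cases buf stays NUL-terminated within bufsize. */
int bounded_append(char *buf, size_t bufsize, const char *suffix)
{
    return example_strlcat(buf, suffix, bufsize) < bufsize;
}

/* Appends into a 16-byte buffer and reports the resulting string length. */
size_t appended_length_16(const char *initial, const char *suffix)
{
    char buf[16];
    snprintf(buf, sizeof(buf), "%s", initial);
    bounded_append(buf, sizeof(buf), suffix);
    return strlen(buf);
}

int main(void)
{
    char name[16] = "prefix_abc";            /* 10 characters already present */
    const char *src = "0123456789";          /* constructed sample input */
    size_t need = strncat_bytes_needed(strlen(name), strlen(src), sizeof(name));

    printf("strncat(name, src, sizeof(name)) would need %zu bytes in a %zu-byte buffer\n",
           need, sizeof(name));
    if (bounded_append(name, sizeof(name), src))
        printf("appended: %s\n", name);
    else
        printf("truncated to: %s (%zu chars)\n", name, strlen(name));
    return 0;
}
```

With ten characters already in a 16-byte buffer and a ten-character source, the strncat form needs 21 bytes; the strlcat form stops at 15 characters plus the terminator and reports the truncation through its return value.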
Simon Wilkinson [Fri, 30 Mar 2012 19:36:56 +0000 (20:36 +0100)]
autoconf: One CC to rule them all
(well, in userspace at least)
We have 3 different ways of specifying the C compiler - CC, CCOBJ and
MT_CC. On most platforms these are set to identical values by the
configure script. However, this causes problems for a user who wants
to override the default compiler choice by doing
make CC=my-favorite-compiler
as this doesn't catch all of the ways we specify the compiler [1]
So, change the specification of CCOBJ and MT_CC so that, by default,
they reference CC, rather than copying its value. This means that on
platforms where CC is the appropriate compiler to use in all situations,
a user need only change CC to modify their compiler choice.
[1] - it might be argued that the correct place to substitute the
compiler is in configure's environment, which does currently work.
However, this doesn't work with special things, like static
analysers, that can build the source tree, but not the configure
tests.
Simon Wilkinson [Fri, 30 Mar 2012 18:41:17 +0000 (19:41 +0100)]
afs: Handle reading past the end of a file
... except that this change doesn't actually handle this, it just
stops clang from throwing an error about the bogus code that's already
in there. This needs fixing properly ...
Simon Wilkinson [Fri, 30 Mar 2012 18:39:51 +0000 (19:39 +0100)]
rx: Remove needless braces
Doing if ((a==b)) is unnecessary. It's also potentially dangerous, as
that's the syntax required to do assignment within an if statement.
clang now issues warnings (errors in -Werror mode) when it encounters
these.
Remove pointless braces from the Unix CM to make clang happy.
Simon Wilkinson [Fri, 30 Mar 2012 18:37:36 +0000 (19:37 +0100)]
rx: Handle negative returns on packet reads
rxi_RecvMsg returns an int, because it can return a negative value upon
error. Don't store its return value as an unsigned int, because this may
hide the potential errors.
Modify the error handling loop so that errors get to where they are
intended.
Simon Wilkinson [Fri, 30 Mar 2012 18:35:51 +0000 (19:35 +0100)]
venus: Make clang happy with strlcpy use
clang now expects that strlcpy will always be used to prevent overflow
of the destination string, and gives a warning if the size parameter is
based solely on the length of the source string.
Modify the BreakUpPath function so that it takes the size of the
destination string as an argument, and uses this to limit the amount of
data pasted into it.
Simon Wilkinson [Fri, 30 Mar 2012 18:34:53 +0000 (19:34 +0100)]
viced: Remove pointless braces
Doing if ((a==b)) is unnecessary. It's also potentially dangerous, as
that's the syntax required to do assignment within an if statement.
clang now issues warnings (errors in -Werror mode) when it encounters
these.
Remove pointless braces from viced to make clang happy.
Simon Wilkinson [Thu, 5 Jan 2012 10:51:06 +0000 (10:51 +0000)]
rxgen: Tidy up server side freeing
The way in which rxgen handles freeing of objects allocated by the RPC
stub has evolved over the years. Originally, there appears to have been
a "somefrees" parameter which was used to track whether objects required
freeing or not. However, this parameter has fallen into disuse, as
support for typedefs and unions was added, and which parameters
require freeing is now tracked within the description structures
themselves. So, get rid of somefrees, as it is now just confusing.
The generated code to free a set of RPC arguments currently looks
something like:
    fail:
        z_xdrs->x_op = XDR_FREE;
        if (!xdr_string(z_xdrs, &Name, AFSNAMEMAX)) goto fail1;
        if (!xdr_string(z_xdrs, &OfflineMsg, AFSOPAQUEMAX)) goto fail1;
        if (!xdr_string(z_xdrs, &Motd, AFSOPAQUEMAX)) goto fail1;
        if (rx_enable_stats) {
            rx_RecordCallStatistics(z_call, RXAFS_STATINDEX,
                                    19, RXAFS_NO_OF_STAT_FUNCS, 0);
        }
Simon Wilkinson [Sun, 8 Apr 2012 12:58:25 +0000 (13:58 +0100)]
fileserver: Fix NeverAttach support
Commit 35becabed870d4bfe49abaa499d99a3ffb0a2d31 added support for
the /vicepXX/NeverAttach. However this code only appears to work on
Linux. It fails build testing on (at least) Mac OS X, FreeBSD, and AIX.
Modify the code so that the NeverAttach call uses the same variable to
locate the path of the partition as the AlwaysAttach call does.
Simon Wilkinson [Fri, 30 Mar 2012 18:30:18 +0000 (19:30 +0100)]
vol: Remove unneeded braces
Doing if ((a==b)) is unnecessary. It's also potentially dangerous, as
that's the syntax required to do assignment within an if statement.
clang now issues warnings (errors in -Werror mode) when it encounters
these.
Remove pointless braces from vol to make clang happy.
Simon Wilkinson [Fri, 30 Mar 2012 18:27:30 +0000 (19:27 +0100)]
vice & vol: Cast FDH_SYNC results to void
FDH_SYNC is a macro which returns a result. This leads to clang
complaining about an unused expression when the macro is expanded.
Avoid this by just casting the macro result to (void) when we aren't
interested in it.
Simon Wilkinson [Fri, 30 Mar 2012 18:24:23 +0000 (19:24 +0100)]
ptserver: Remove redundant braces
Doing if ((a==b)) is unnecessary. It's also potentially dangerous, as
that's the syntax required to do assignment within an if statement.
clang now issues warnings (errors in -Werror mode) when it encounters
these.
Remove pointless braces from ptserver to make clang happy.
Simon Wilkinson [Fri, 30 Mar 2012 18:21:41 +0000 (19:21 +0100)]
pam: Use &, not && for bitwise operations
All of the LOG_MASK() checks are performing bitwise operations, and so
should be using '&', not && (which will always be true, providing
logmask is non-zero)
Simon Wilkinson [Sat, 7 Apr 2012 12:26:25 +0000 (13:26 +0100)]
tools: Add roken.h to afsdump
On AIX, building afsdump currently produces the following warnings:
"afsdump_scan.c", line 34.10: 1506-296 (S) #include file <sys/fcntl.h> not found.
"afsdump_scan.c", line 275.32: 1506-045 (S) Undeclared identifier O_RDWR.
"afsdump_scan.c", line 275.41: 1506-045 (S) Undeclared identifier O_CREAT.
"afsdump_scan.c", line 275.51: 1506-045 (S) Undeclared identifier O_TRUNC.
"afsdump_scan.c", line 305.29: 1506-045 (S) Undeclared identifier O_RDONLY.
Rather than including more platform specific goo, just add a roken.h
include to the various files to pull in the necessary headers.
Simon Wilkinson [Fri, 30 Mar 2012 18:16:50 +0000 (19:16 +0100)]
libadmin: Clear structures according to their size.
memset(a, 0, sizeof(a)) is rarely correct, unless a is an array. Use the
size of the destination structure, rather than the size of a pointer to it
when deciding how much memory to clear.
Simon Wilkinson [Fri, 30 Mar 2012 18:14:38 +0000 (19:14 +0100)]
libadmin: read returns an ssize_t, not a size_t
size_t is unsigned, and therefore can never be less than 0. Using it as
a return code from read() means that we never catch read errors. read()
is defined as returning ssize_t, so just use this to capture its return
code.
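The two libadmin fixes above (sizeof of the pointed-to structure, and ssize_t for read()) share one failure pattern, so here is one added example covering both; it is constructed for this page and is not libadmin code. The `struct record`, `read_record` and the pipe-based self-check are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed record type standing in for a libadmin structure. */
struct record {
    uint32_t id;
    uint32_t flags;
    char name[24];
};

/* Bytes cleared by memset(a, 0, sizeof(a)) when 'a' is a pointer: the size
 * of the pointer itself, not of the structure it points to. */
size_t bytes_cleared_via_pointer_size(struct record *a)
{
    return sizeof(a);
}

/* Bytes cleared by memset(a, 0, sizeof(*a)): the whole structure. */
size_t bytes_cleared_via_struct_size(struct record *a)
{
    return sizeof(*a);
}

/* Clear a record using the size of the pointed-to object. */
void clear_record(struct record *r)
{
    memset(r, 0, sizeof(*r));
}

/* Read exactly one record from fd into *out.
 * Returns 0 on success, -1 on a read error (errno is set), -2 on a short
 * read or end of file. The result of read() goes into a ssize_t; held in a
 * size_t, the n < 0 test could never be true and -1 from read() would be
 * treated as a huge successful byte count. */
int read_record(int fd, struct record *out)
{
    ssize_t n;

    clear_record(out);
    n = read(fd, out, sizeof(*out));
    if (n < 0)
        return -1;
    if ((size_t)n != sizeof(*out))
        return -2;
    return 0;
}

/* Offline self-check through a pipe: a record written on one end must come
 * back intact, a second read must report EOF, and a bad descriptor must be
 * reported as an error rather than swallowed. Returns 1 when all hold. */
int demo_read_record(void)
{
    int fds[2];
    struct record in, out;

    memset(&in, 0, sizeof(in));
    in.id = 7;
    in.flags = 1;
    strcpy(in.name, "root.cell");            /* constructed sample data */

    if (pipe(fds) != 0)
        return 0;
    if (write(fds[1], &in, sizeof(in)) != (ssize_t)sizeof(in))
        return 0;
    close(fds[1]);

    if (read_record(fds[0], &out) != 0 || out.id != 7 || strcmp(out.name, "root.cell") != 0)
        return 0;
    if (read_record(fds[0], &out) != -2)     /* EOF shows up as a short read */
        return 0;
    close(fds[0]);

    if (read_record(-1, &out) != -1 || errno != EBADF)
        return 0;
    return 1;
}

int main(void)
{
    printf("sizeof(pointer) clears %zu bytes, sizeof(*pointer) clears %zu bytes\n",
           bytes_cleared_via_pointer_size(NULL), bytes_cleared_via_struct_size(NULL));
    printf("read_record self-check: %s\n", demo_read_record() ? "ok" : "FAILED");
    return 0;
}
```

On a 64-bit build the pointer form clears 8 of the 32 bytes and leaves the rest untouched, and the failed read on the bad descriptor is only detected because the comparison is against a signed value.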
Simon Wilkinson [Fri, 30 Mar 2012 18:12:37 +0000 (19:12 +0100)]
Unix CM: Purge needless brackets
Doing if ((a==b)) is unnecessary. It's also potentially dangerous, as
that's the syntax required to do assignment within an if statement.
clang now issues warnings (errors in -Werror mode) when it encounters
these.
Remove pointless braces from the Unix CM to make clang happy.
Simon Wilkinson [Tue, 15 Jun 2010 18:20:50 +0000 (19:20 +0100)]
Salvager: Don't use garbage vnodes when Testing
If Testing is true, and the salvage wants to repair the '.' file,
then it will end up using a garbage value as the location of the
repaired file (vnodeNumber gets set to fid.Vnode, but fid.Vnode is
uninitialised)
Fix this by making it behave as if no repair is necessary when running
in Testing mode. It's unclear that this is entirely the correct answer,
but it's definitely better than the current behaviour.
Therefore, cm_FindACLCache() must be called with the cm_scache_t
write-locked and therefore cm_HaveAccessRights() must obtain a
write-lock and not a read-lock on 'aclScp'.
Windows: Name Array store mount point and volume root
Modify the Name Array processing to store both the mount point
object and the volume root directory object in the array. This
is necessary for proper operation of
AFSPopulateNameArrayFromRelatedArray when the DirectoryCB parameter
is a mount point object.
Modify AFSBackupEntry to remove two entries if a volume root
directory entry is being removed.
Remove AFSReplaceCurrentElement() as it is no longer used.
If a cache manager is told by a file server that the user does
not have permission to fetch status for an object, the cache
manager must avoid requesting a fetch status a second time for
that object for the same user. Doing so risks triggering the
rx call abort throttling which can have a significant impact on
end user usability of the Explorer Shell and other applications.
The cache manager cannot make a decision on whether or not to
issue an RXAFS_FetchStatus RPC based upon the type of the object
because the type is unknown to the cache manager. A file server
will succeed a FetchStatus request when the parent directory ACL
grants lookup permission if the object in question is the directory
or is a symlink/mountpoint. Only file objects require read/write
permissions to obtain status information.
The rx call abort throttling is broken in many ways and must be
avoided. Call aborts are tracked by call channel and occur whenever
ten call aborts are issued on the same call channel in a row
regardless of the amount of time that has elapsed.
The EACCES cache works by storing EACCES events by the FID and User
for which the event occurred, when it occurred and the FID of the
parent directory. By definition, the parent FID of a volume root
directory is itself.
Entries are removed from the cache under the following circumstances:
1. When the parent FID's callback expires or is replaced.
2. When the parent FID's cm_scache object is recycled.
3. When the user's tokens expire or are replaced.
Entries are not removed when the FID's cm_scache object is recycled.
This patchset also implements correct behavior if the VLF_DFSFILESET
flag is set on a volume.
Windows: Fail recursive path evaluation with access denied
Matching the behavior of the AFS SMB server, the afs redirector
should return STATUS_ACCESS_DENIED if File ID recursion is detected
in the Name Array for any given path.
Windows: Check Avail Space on extending SetEndOfFile
When cm_SetLength() is called with an extending file length,
check the available free space in the volume to see if the
new length will fit. If not, return CM_ERROR_SPACE.
This permits applications to discover that there is insufficient
space prior to writing all of the data into the windows page
cache at which point it will be too late.
There is still the possibility of a race that can result in
data loss if two applications are writing into the same volume
at the same time and there is insufficient room.
Andrew Deason [Thu, 5 Apr 2012 22:55:17 +0000 (17:55 -0500)]
viced: Do not offline volume on successful IH_DEC
If we fail to CoW a file due to ENOSPC, we try to IH_DEC the new file
copy, and if IH_DEC fails, we take the volume offline for salvaging.
But IH_DEC returns 0 on success, not on error. So take the salvaging
path when we get non-zero.
Windows: Redirector must query volume size when asked
The volume size and free space cannot be obtained at volume
initialization and then re-used for all FileFsSizeInformation
and FileFsFullSizeInformation queries. Doing so prevents Windows
from being able to see changes in the available free space.
The maximum size of the volume is not the size of the partition
and the available space on the partition unless there is no quota
applied to the volume. If there is a quota, then the free space
is the smaller of the available quota and the available partition
space.
Add a new ioctl request to permit the redirector to query the
current Volume Size Information details.
Windows: AFSVerifyEntry purge file data on DV change
If the data version change is detected during AFSVerifyEntry(),
treat it the same as if the AFS_OBJECT_FLAGS_VERIFY_DATA flag
had been previous set. Purge the old data from the Windows
file cache. Be sure to set the new metadata after the purge
so that if the file length was truncated the old data beyond
the truncation point will still be purged.
Andrew Deason [Tue, 3 Apr 2012 23:13:17 +0000 (18:13 -0500)]
xstat_cm_test: Print all call info stats
For CM xstat collection 0 (function call statistics), there are many
more stats given to us on the wire than we currently print. Change
this so we print out everything in the afs_CMCallStats struct.
Simon Wilkinson [Sun, 8 Jan 2012 11:49:53 +0000 (11:49 +0000)]
rx: Get rid of some unnecessary temporary vars
rx_ReadProc and rx_ReadProc32 originally used temporary variables
(which were, at one time, declared as "register") to hand optimise
a couple of routines. With the removal of register throughout our
code, this is no longer helpful.
An enumerated directory was not validated properly if
AFSValidateEntry() was called with PurgeData == FALSE even
when a data version change was detected. Now it does.
Derrick Brashear [Thu, 29 Mar 2012 14:44:53 +0000 (10:44 -0400)]
linux: update spec requirements
don't require things which don't exist on el5. do require them
in el6. require kernel-devel if building modules
don't do anything involving the kernel if not building modules
if we can figure out that we don't have 2.4 based on the version,
avoiding the need to depend on kernel-devel just to build an srpm.
Derrick Brashear [Fri, 30 Mar 2012 20:15:52 +0000 (16:15 -0400)]
linux: make mockbuild more reliable
previously, a "cached" repo which was assumed to be of the same
releasever and arch of the host was created in /var/tmp,
which would screw up repoquery across a multiple-OS-build.
well, you can tell repoquery what you really mean. so now we do.
Andrew Deason [Mon, 2 Apr 2012 21:16:37 +0000 (16:16 -0500)]
SOLARIS: Correct misplaced osi_machdep.h #endif
Commit 64778fd7bece52360482f9a51f19b34dac1d2678 removed some '#ifdef
KERNEL' blocks, but for one block in SOLARIS/osi_machdep.h, the wrong
trailing #endif was removed. This effectively makes the last part of
the file Solaris 10+ only, and bypasses the header guard. On systems
before Solaris 10, this causes us to lose the osi_procname definition,
which eventually shows up as an undefined symbol.
So, reinstate the original #endif, and remove the correct #endif
instead.
Jeffrey Altman [Sun, 29 Jan 2012 18:52:17 +0000 (13:52 -0500)]
rx: conn->callNumber protected by conn_call_lock
The conn->callNumber array should be protected by the conn_call_lock
since the conn_call_lock is what protects the binding of calls to
connection channels.
Jeffrey Altman [Fri, 20 Jan 2012 06:50:01 +0000 (01:50 -0500)]
Rx: rxi_FreeCall conn_call_lock vs call->lock deadlock
The conn->conn_call_lock is held before call->lock in the lock
hierarchy which is violated within rxi_FreeCall(). While the
deadlock is rare, it is possible and has been experienced on
both Windows and Linux.
Change the signature of rxi_FreeCall to return 1 if it frees
the call and 0 if it does not.
Due to the lock hierarchy violation use MUTEX_TRYENTER()
to attempt to obtain the conn->conn_call_lock. If the lock
cannot be obtained set the call state to dally and
return. If the conn_call_lock can be obtained, behave as
we did before this patchset.
Only increment the callNumber if the original call->state
was dally or hold and the conn_call_lock could be obtained.
We must not increment the callNumber otherwise. Doing so can
result in call numbers being skipped when the conn->call slot
is reused.
Windows: Pass name array to AFSRetrieveFileInformation
AFSRetrieveFileInformation does not parse the complete path.
That information is available in the Ccb->NameArray. If the
object on which AFSRetrieveFileInformation is called is a
relative symlink containing ".." references, the full contents
of the evaluated path is required for context. Pass the
Ccb->NameArray so that it is available.
Jeffrey Altman [Fri, 30 Mar 2012 19:13:55 +0000 (15:13 -0400)]
Windows: Record callback issued time
Save the time at which a callback was issued. This can be
used in a later patchset to determine if a callback was issued
after a negative access entry for a {fid,user} pair.
Jeffrey Altman [Fri, 30 Mar 2012 18:58:11 +0000 (14:58 -0400)]
Windows: Implement cm_TGTLifeTime()
cm_aclent.h defined cm_TGTLifeTime() as a macro that always
returned 0x7fffffff. Implement cm_TGTLifeTime() as a function
that returns the actual token lifetime.
Jeffrey Altman [Fri, 30 Mar 2012 16:24:43 +0000 (12:24 -0400)]
Windows: add parent FID to cm_GetSCache
When a cm_scache_t object is created, 98% of the time the
parent FID is known to the cache manager. Normally the cache
manager will obtain the parent info from the AFSFetchStatus
structure but if the user credentials do not permit status info
to be obtained from the file server the parent info will be unavailable.
Having the parent directory FID is useful for debugging but can
also be used to check the user's access rights on the parent directory.
The AFSDisk and AFSFetchVolumeStatus structures use signed
32-bit integers for representing partition size and
available blocks. RoundInt64ToInt31() should be used instead
of RoundInt64ToInt32() when assigning their values.
Jeffrey Altman [Fri, 23 Mar 2012 17:41:10 +0000 (13:41 -0400)]
rx: handle clock reversals for call timeouts
If the clock is set backwards, call timeouts will not trigger
until the clock regains its original value plus the timeout period.
In rxi_CheckCall(), look for a backward clock shift and if one is
noticed, fail the call with RX_CALL_TIMEOUT.
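The timeout decision with and without the reversal check, as an added example that is not rx's rxi_CheckCall. The `call_timing` structure, the probe times and the result codes are constructed for the illustration; rx keeps its own clock and call state, and the commit fails a reversed-clock call with RX_CALL_TIMEOUT rather than a distinct code.

```c
#include <stdio.h>
#include <time.h>

/* Constructed per-call timing state (assumption for this example). */
struct call_timing {
    time_t last_receive_time;   /* when the last packet for the call arrived */
    time_t timeout_secs;        /* idle timeout for the call */
};

enum call_check { CALL_ALIVE = 0, CALL_TIMED_OUT = 1, CALL_CLOCK_REVERSED = 2 };

/* Elapsed time as the naive check computes it. After a backward clock step
 * this is negative, and stays below the timeout until the clock has climbed
 * back past last_receive_time plus timeout_secs. */
long naive_elapsed(const struct call_timing *ct, time_t now)
{
    return (long)(now - ct->last_receive_time);
}

/* The naive check alone: would the timeout fire at 'now'? */
int naive_timed_out(const struct call_timing *ct, time_t now)
{
    return naive_elapsed(ct, now) >= (long)ct->timeout_secs;
}

/* Timeout decision with the reversal check from the commit: a 'now' earlier
 * than the last receive time cannot happen on a consistent clock, so the
 * call is failed at once instead of waiting for the clock to catch up. */
enum call_check check_call(const struct call_timing *ct, time_t now)
{
    if (now < ct->last_receive_time)
        return CALL_CLOCK_REVERSED;     /* rx reports this as RX_CALL_TIMEOUT */
    if (now - ct->last_receive_time >= ct->timeout_secs)
        return CALL_TIMED_OUT;
    return CALL_ALIVE;
}

/* Constructed sample: last packet at t=1000, 60 second timeout. */
struct call_timing sample_call = { 1000, 60 };

int main(void)
{
    time_t probes[] = { 1030, 1061, 900 };   /* in time, past timeout, clock stepped back */
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("now=%ld naive_elapsed=%ld naive_timed_out=%d check_call=%d\n",
               (long)probes[i], naive_elapsed(&sample_call, probes[i]),
               naive_timed_out(&sample_call, probes[i]),
               (int)check_call(&sample_call, probes[i]));
    }
    return 0;
}
```

At now=900 the naive elapsed time is -100 seconds, so the naive check stays quiet for another 160 seconds of wall time; the explicit comparison fails the call immediately.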
Simon Wilkinson [Sat, 31 Mar 2012 23:21:04 +0000 (19:21 -0400)]
viced: Do error translation for InlineBulkStatus
When a host has requested universal errors, error code conversion
is performed in the CallPostamble. However, the InlineBulkStatus
errorcodes are passed as part of the data set, not as RX errors,
so this translation is not performed.
Fix this so that we also translate error codes that are part of
the InlineBulkStatus response.
Jeffrey Altman [Fri, 30 Mar 2012 03:49:43 +0000 (23:49 -0400)]
Windows: avoid deadlock with Trend Micro
Trend Micro's anti-virus driver attempts to open the file in
response to CcPurgeCacheSection(). While processing
AFSSetDispositionInfo() the Fcb->NPFcb->Resource is held which is
also required if a status verification is required during the
CreateFile operation. That results in a deadlock.
Avoid the deadlock by setting the PENDING_DELETE flag prior to
calling CcPurgeCacheSection().
Jeffrey Altman [Mon, 26 Mar 2012 15:10:36 +0000 (11:10 -0400)]
Windows: AFSInvalidateObject can overwrite input param
AFSInvalidateObject() must not be called with an AFSObjectInformationCB
pointer variable that it is not safe to overwrite as the function sets
the input value to NULL if the invalidation is going to be performed
asynchronously in a worker thread.
In AFSEnumerateDirectory(), the following call took place:
which requires a worker thread to process. As a result, the
ObjectInformation pointer was being set to NULL which detached the
AFSObjectInformationCB from the AFSDirectoryCB. That in turn produced
an exception in AFSLocateName() which resulted in a resource not being
freed that in turn produced a deadlock.
Jeffrey Altman [Mon, 26 Mar 2012 01:29:40 +0000 (21:29 -0400)]
windows: ObjectInformationCB.ObjectReferenceCount
The ObjectInformationCB.ObjectReferenceCount is protected by
the VolumeCB->ObjectInfoTree.TreeLock. When the TreeLock is
dropped the reference count can change. Hold the TreeLock across
both ObjectReferenceCount == 0 tests and the associated tear down
or repeat the ObjectReferenceCount == 0 test after the TreeLock
is reacquired.
Jeffrey Altman [Tue, 27 Mar 2012 00:49:03 +0000 (20:49 -0400)]
Windows: CreateProcessNotify verify changes
PsSetCreateProcessNotifyRoutineEx will fail with STATUS_ACCESS_DENIED
if the driver does not have the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
bit set in the image header.
Do not include the ParentProcessId in the AFSProceSSDestroy
parameter list. It isn't available to use and isn't used for
anything in any case.
Assign AFSProcessCB blocks to processes that were created before
AFSRedirector registered the CreateProcessNotify callback and
access the file system.
Andrew Deason [Fri, 2 Mar 2012 23:22:12 +0000 (17:22 -0600)]
afs: Do not limit fetches based on vcache length
Currently, when we go to the fileserver to fetch some data, we try to
make sure that we do not ask for data beyond the end of the file. For
example, if our chunk size is 1M, and we need to get the first chunk
for a file that is 4 bytes long, we will only ask the fileserver for 4
bytes.
This can cause issues when the file is being extended at the same time
as when we are trying to read the file. Consider the following
example. There is a file named X that has contents "abcd" at dv 1, and
we issue a FetchData64 request for X, only requesting 4 bytes. Right
before the fileserver gets the FetchData64 request, another client
writes the contents "12345" to file X.
The client will then fetch the contents "1234" for that file, at dv 2,
and store that as the contents of the first chunk for file X. On
subsequent reads for file X, applications will now get "1234<NUL>" as
the contents, since the size of the file will be updated to 5, but the
cache manager thinks that "1234" is the correct contents for the first
chunk of X at dv 2. The cache manager will continue to think so until
the cache entry is evicted or invalidated for whatever reason.
To avoid this scenario, always request a full chunk of data if we have
any data to fetch and the file has not been locally truncated. We can
still avoid the fetch at all if it looks like we're fetching beyond
end-of-file, since we know that at least at some point that was
correct information about the file. If this results in us trying to
fetch beyond end-of-file, the fileserver will respond with the correct
length anyway.
We still need to restrict the fetch request length based on
avc->f.truncPos, since the dcache data after avc->f.truncPos needs to
stay empty, since we don't track truncated data any other way. If we
also avoided this restriction, extending a file via truncation after
reducing a file's length via truncation could cause the old file data
to appear again, instead of filling the new file range with NULs.
Note that on at least Linux, with this fix an application can still
read the contents "1234" on the first read in the above example, and
"12345" on subsequent reads. This is just due to when we give the VFS
updates about file metadata, and could be remedied by updating file
metadata immediately from the FetchStatus information from the
FetchData64 call. However, just reading the contents "1234" in the
above example seems like a somewhat plausible outcome; at the very
least, it is an improvement.
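A simulation of the race described above, added here as an illustration and not taken from the cache manager: a constructed fileserver holds one file with a data version, a constructed client caches its first chunk, and a write is injected between the moment the client picks its request length and the moment the server services the fetch. The 64-byte chunk, the structures and the function names are assumptions for the example; the full-chunk fetch shows the corrected behaviour.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 64   /* constructed; stands in for the 1M chunk in the text */

/* Constructed fileserver-side state for one file. */
struct server_file {
    char data[CHUNK_SIZE];
    int length;
    int dv;                  /* data version */
};

/* Constructed client-side state: the cached first chunk of the file. */
struct client_cache {
    int known_length;        /* file length the client last learned */
    char chunk[CHUNK_SIZE];
    int chunk_valid_bytes;   /* bytes filled by the last fetch */
    int chunk_dv;
};

/* Server write: replaces the contents and bumps the data version. */
void server_write(struct server_file *f, const char *contents)
{
    f->length = (int)strlen(contents);
    memcpy(f->data, contents, f->length);
    f->dv++;
}

/* Server side of a FetchData-style request for the first chunk: returns up
 * to 'requested' bytes along with the current length and dv. */
int server_fetch(const struct server_file *f, int requested, char *out, int *length, int *dv)
{
    int n = requested < f->length ? requested : f->length;
    memcpy(out, f->data, n);
    *length = f->length;
    *dv = f->dv;
    return n;
}

/* Client fetch of the first chunk. full_chunk == 0 caps the request at the
 * client's known length (old behaviour); full_chunk != 0 always asks for a
 * whole chunk. 'racing_write', when non-NULL, lands on the server after the
 * request length is chosen and before the fetch is serviced. */
void client_fetch(struct client_cache *c, struct server_file *f, int full_chunk,
                  const char *racing_write)
{
    int req = full_chunk ? CHUNK_SIZE
                         : (c->known_length < CHUNK_SIZE ? c->known_length : CHUNK_SIZE);
    if (racing_write != NULL)
        server_write(f, racing_write);
    c->chunk_valid_bytes = server_fetch(f, req, c->chunk, &c->known_length, &c->chunk_dv);
}

/* Application read of the whole file from the cache. Bytes inside the known
 * length but beyond what the chunk holds read back as NUL: the "1234<NUL>"
 * symptom. Returns the number of bytes produced (out is NUL-terminated). */
int client_read(const struct client_cache *c, char *out, int outsize)
{
    int n = c->known_length < outsize - 1 ? c->known_length : outsize - 1;
    int i;
    for (i = 0; i < n; i++)
        out[i] = i < c->chunk_valid_bytes ? c->chunk[i] : '\0';
    out[n] = '\0';
    return n;
}

/* The scenario from the text: "abcd" at dv 1, the client learns length 4,
 * then its fetch races with a write of "12345". Returns the number of NUL
 * bytes the application sees within the reported length (0 is correct). */
int run_scenario(int full_chunk, char *out, int outsize)
{
    struct server_file f;
    struct client_cache c;
    int n, i, nuls = 0;

    memset(&f, 0, sizeof(f));
    memset(&c, 0, sizeof(c));
    server_write(&f, "abcd");                   /* dv 1 */
    c.known_length = f.length;                  /* as learned from FetchStatus */
    client_fetch(&c, &f, full_chunk, "12345");  /* dv 2 arrives mid-fetch */
    n = client_read(&c, out, outsize);
    for (i = 0; i < n; i++)
        if (out[i] == '\0')
            nuls++;
    return nuls;
}

int scenario_nul_count(int full_chunk)
{
    char buf[CHUNK_SIZE + 1];
    return run_scenario(full_chunk, buf, sizeof(buf));
}

int scenario_visible_length(int full_chunk)
{
    char buf[CHUNK_SIZE + 1];
    run_scenario(full_chunk, buf, sizeof(buf));
    return (int)strlen(buf);
}

int main(void)
{
    char buf[CHUNK_SIZE + 1];
    int nuls = run_scenario(0, buf, sizeof(buf));
    printf("length-capped fetch: app sees \"%s\" plus %d NUL byte(s)\n", buf, nuls);
    nuls = run_scenario(1, buf, sizeof(buf));
    printf("full-chunk fetch:    app sees \"%s\" plus %d NUL byte(s)\n", buf, nuls);
    return 0;
}
```

With the length-capped request the cache ends up holding "1234" tagged with dv 2 and a length of 5, so every later read returns a trailing NUL until the entry is evicted; asking for the whole chunk returns "12345" because the server applies the limit from its own current length.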
Andrew Deason [Thu, 22 Mar 2012 15:42:38 +0000 (10:42 -0500)]
afs: Set DWriting when truncating a dcache entry
When we truncate a file, we truncate the contents of the relevant
dcache entry chunks, and prevent future FetchData operations from
fetching data beyond the truncation offset. If we never write anything
to that chunk, we never set DWriting, and so on disk it looks like
that dcache entry has valid data for the specified DV. However, since
the data is truncated, this is not true.
If a process holds a file open, truncates it without writing to it,
and then the client crashes (or we have trouble contacting the
fileserver when we close the file), the dcache entry will appear valid
on disk. So the next time we read the dcache entry, we will use the
incorrect cache contents as if they were accurate for the specified
DV.
To avoid this, set DWriting when we truncate a chunk. Normally we only
clear DWriting when we actually send data to the fileserver, so to
clear DWriting in this case, add an additional line to clear it in
afs_StoreAllSegments, after the StoreMini has completed.
Andrew Deason [Fri, 2 Mar 2012 23:18:25 +0000 (17:18 -0600)]
afs: Log a message on invalid FetchStatus receipt
If we get an invalid AFSFetchStatus structure from a server, log a
message to indicate as such. This serves as a warning to urge people
to fix their fileservers, and to explain what is doing.
Andrew Deason [Fri, 2 Mar 2012 23:06:48 +0000 (17:06 -0600)]
afs: Sanity-check some AFSFetchStatus structures
We currently do not do any sanity checking on the AFSFetchStatus
structures returned from fileservers. Add some sanity checking for
BulkStatus and FetchStatus calls, so we do not screw up our cache if a
fileserver gives us bogus data.
If we do get an invalid AFSFetchStatus structure, act as if the server
gave us a VBUSY error code, so we will retry the request. For OpenAFS
fileservers prior to 1.6.1 that yield this situation, VBUSY is likely
the error code the fileserver should have responded anyway.
Andrew Deason [Fri, 2 Mar 2012 20:55:04 +0000 (14:55 -0600)]
viced: Do not ignore all InlineBulkStatus errors
InlineBulkStatus currently returns 0 unconditionally, no matter what
errors are encountered. If we encounter an error early enough, from
CallPreamble for example, we do not fill in the OutStats nor CallBacks
structures at all. Since we return success anyway, this results in the
client getting AFSFetchStatus structures full of zeroes (or garbage,
before commit 726e1e13ff93e2cc1ac21964dc8d906869e64406).
Since current OpenAFS clients do not perform any sanity checks on the
information received, this can result in cache corruption of files
being seen incorrectly as empty, and, before commit 726e1e, more
arbitrary corruption.
So instead, return an error if we encounter an error before we iterate
over the given FIDs. We still of course do not return an error for any
errors encountered during the actual metadata retrieval, as those are
reflected in the individual per-fid status structures.
Jeffrey Altman [Tue, 20 Mar 2012 02:38:06 +0000 (22:38 -0400)]
Windows: Assign AuthGroup during Process Create
As the process is being created, assign the AuthGroup so that
the most up to date information is used to assign AuthGroup
inheritance from Impersonation states and to prevent the parent
process from being destroyed before the AuthGroup is determined.
Change-Id: I176360a589d7f2bcf4b1ededad069424e3ce5393
Reviewed-on: http://gerrit.openafs.org/6927
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
OpenAFS changed the behavior of implicit administrator permission
for directory ownership. In OpenAFS only the volume root directory
owner has implicit administrator permissions and they apply to all
directories in the volume not just those with matching ownership.
Jeffrey Altman [Thu, 22 Mar 2012 19:55:47 +0000 (15:55 -0400)]
Windows: Client handling of VNOSERVICE
VNOSERVICE should not be grouped together with the volume status
error codes. It is used to indicate that the RPC was not serviced.
The file server issues it when its idle dead timeout period is reached
while receiving rx call data. The client's existing status information
is still valid and the client can retry the call.