Benjamin Kaduk [Thu, 14 Jan 2021 18:50:13 +0000 (10:50 -0800)]
Pull in upstream patches for unixtime 0x60000000 CID fix
A combination of bugs led to a static CID value being used for all
outbound connections when a process was started after unix epoch time
0x60000000. That essentially means failure to communicate on all
connections.
Fix the bugs, and also make sure that we always use a random initial
CID instead of getting a static one half the time.
Benjamin Kaduk [Tue, 11 Sep 2018 15:51:01 +0000 (10:51 -0500)]
Fix typos in audit format strings
Commit 9ebff4c6caa8b499d999cfd515d4d45eb3179769 introduced audit
framework support for several butc-related data types, but had
a typo ('$d' for '%d') in a couple of places, that was not reported
by compiler format-string checking. Fix the typo to properly print
all the auditable data.
Benjamin Kaduk [Sun, 9 Sep 2018 15:44:38 +0000 (10:44 -0500)]
OPENAFS-SA-2018-001 backup: use authenticated connection to butc
Use the standard routine to pick a client security object, instead of
always assuming rxnull. Respect -localauth as well as being able to
use the current user's tokens, but also provide a -nobutcauth argument
to fall back to the historical rxnull behavior (but only for the connections
to butc; vldb and budb connections are not affected).
Benjamin Kaduk [Thu, 6 Sep 2018 23:50:39 +0000 (18:50 -0500)]
OPENAFS-SA-2018-001 butc: require authenticated connections with -localauth
The butc -localauth option is available to use the cell-wide key to
authenticate to the vlserver and buserver, which in normal deployments
will require incoming connections to be authenticated as a superuser.
In such cases, the cell-wide key is also available for use in
authenticating incoming connections to the butc, which would otherwise
have been completely unauthenticated.
Because of the security hazards of allowing unauthenticaed inbound
RPCs, especially ones that manipulate backup information and are allowed
to initiate outboud RPCs authenticated as the superuser, default to
not allowing unauthenticated inbound RPCs at all. Provide an opt-out
command-line argument for deployments that require this functionality
and have configured their network environment (firewall/etc.) appropriately.
Benjamin Kaduk [Sun, 9 Sep 2018 16:49:03 +0000 (11:49 -0500)]
OPENAFS-SA-2018-001 Add auditing to butc server RPC implementations
Make the actual implementations into helper functions, with the RPC
stubs calling the helpers and doing the auditing on the results, akin
to most other server programs in the tree. This relies on support for
some additional types having been added to the audit framework.
This local stub was present in the original IBM import and is unused.
It will conflict with the real audit code once we start adding auditing
to the TC_ RPCs, so remove it now.
RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit an RPC
request with an arbitrarily large array, forcing the server to expend
large amounts of network bandwidth, cpu cycles, and heap memory to
unmarshal the input.
Instead, issue an error message and stop rxgen when it detects an RPC
defined with an unbounded input array. Thus we will detect the problem
at build time and prevent any future unbounded input arrays.
Mark Vitale [Fri, 6 Jul 2018 07:21:26 +0000 (03:21 -0400)]
OPENAFS-SA-2018-003 volser: prevent unbounded input to various AFSVol* RPCs
Several AFSVol* RPCs are defined with an unbounded XDR "string" as
input.
RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit an
AFSVol* request with an arbitrarily large string, forcing the volserver
to expend large amounts of network bandwidth, cpu cycles, and heap
memory to unmarshal the input.
Instead, give each input "string" an appropriate size.
Volume names are inherently capped to 32 octets (including trailing NUL)
by the protocol, but there is less clearly a hard limit on partition names.
The Vol_PartitionInfo{,64} functions accept a partition name as input and
also return a partition name in the output structure; the output values
have wire-protocol limits, so larger values could not be retrieved by clients,
but for denial-of-service purposes, a more generic PATH_MAX-like value seems
appropriate. We have several varying sources of such a limit in the tree, but
pick 4k as the least-restrictive.
[kaduk@mit.edu: use a larger limit for pathnames and expand on PATH_MAX in
commit message]
Mark Vitale [Fri, 6 Jul 2018 05:09:53 +0000 (01:09 -0400)]
OPENAFS-SA-2018-003 volser: prevent unbounded input to AFSVolForwardMultiple
AFSVolForwardMultiple is defined with an input parameter that is defined
to XDR as an unbounded array of replica structs:
typedef replica manyDests<>;
RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit an
AFSVolForwardMultiple request with an arbitrarily large array, forcing
the volserver to expend large amounts of network bandwidth, cpu cycles,
and heap memory to unmarshal the input.
Even though AFSVolForwardMultiple requires superuser authorization, this
attack is exploitable by non-authorized actors because XDR unmarshalling
happens long before any authorization checks can occur.
Add a bounding constant (NMAXNSERVERS 13) to the manyDests input array.
This constant is derived from the current OpenAFS vldb implementation, which
is limited to 13 replica sites for a given volume by the layout (size) of the
serverNumber, serverPartition, and serverFlags fields.
[kaduk@mit.edu: explain why this constant is used]
Mark Vitale [Fri, 6 Jul 2018 03:51:37 +0000 (23:51 -0400)]
OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText
BUDB_SaveText is defined with an input parameter that is defined to XDR
as an unbounded array of chars:
typedef char charListT<>;
RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit a
BUDB_SaveText request with an arbitrarily large array, forcing the budb
server to expend large amounts of network bandwidth, cpu cycles, and
heap memory to unmarshal the input.
Modify the XDR definition of charListT so it is bounded. This typedef
is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but
fortunately all in-tree callers of the client routines specify the same
maximum length of 1024.
Note: However, SBUDB_SaveText server implementation seems to allow for up to
BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader)
(8), and it's unknown if any out-of-tree callers exist. Since we do not need a
tight bound in order to avoid the DoS, use a somewhat higher maximum of
4096 bytes to leave a safety margin.
[kaduk@mit.edu: bump the margin to 4096; adjust commit message to match]
Mark Vitale [Fri, 6 Jul 2018 01:11:30 +0000 (21:11 -0400)]
OPENAFS-SA-2018-003 vlserver: prevent unbounded input to VL_RegisterAddrs
VL_RegisterAddrs is defined with an input argument of type bulkaddrs,
which is defined to XDR as an unbounded array of afs_uint32 (IPv4 addresses):
typedef afs_uint32 bulkaddrs<>
The <> with no value instructs rxgen to build client and server stubs
that allow for a maximum size of "~0u" or 0xFFFFFFFF.
Ostensibly the bulkaddrs array is unbounded to allow it to be shared
among VL_RegisterAddrs, VL_GetAddrs, and VL_GetAddrsU. The VL_GetAddrs*
RPCs use bulkaddrs as an output array with a maximum size of MAXSERVERID
(254). VL_RegisterAddrss uses bulkaddrs as an input array, with a
nominal size of VL_MAXIPADDRS_PERMH (16).
However, RPCs with unbounded array inputs are susceptible to remote
denial-of-service attacks. That is, a malicious client may send a
VL_RegisterAddrs request with an arbitrarily long array, forcing the
vlserver to expend large amounts of network bandwidth, cpu cycles, and
heap memory to unmarshal the argument. Even though VL_RegisterAddrs
requires superuser authorization, this attack is exploitable by
non-authorized actors because XDR unmarshalling happens long before any
authorization checks can occur.
Because all uses of the type that our implementation support have fixed
bounds on valid data (whether input or output), apply an arbitrary
implementation limit (larger than any valid structure would be), to
prevent this class of attacks in the XDR decoder.
[kaduk@mit.edu: limit the bulkaddrs type instead of introducing a new type]
Benjamin Kaduk [Thu, 30 Aug 2018 15:38:56 +0000 (10:38 -0500)]
OPENAFS-SA-2018-002 butc: Initialize OUT scalar value
In STC_ReadLabel, the interaction with the tape device is
synchronous, so there is no need to allocate a task ID for status
monitoring. However, we do need to initialize the output value,
to avoid writing stack garbage on the wire.
Mark Vitale [Tue, 26 Jun 2018 10:01:16 +0000 (06:01 -0400)]
OPENAFS-SA-2018-002 ubik: prevent VOTE_Debug, VOTE_XDebug information leak
VOTE_Debug and VOTE_XDebug (udebug) both leave a single field
uninitialized if there is no current transaction. This leaks the memory
contents of the ubik server over the wire.
struct ubik_debug
- 4 bytes in member writeTrans
In common code to both RPCs, ensure that writeTrans is always
initialized.
Mark Vitale [Tue, 26 Jun 2018 09:12:32 +0000 (05:12 -0400)]
OPENAFS-SA-2018-002 butc: prevent TC_DumpStatus, TC_ScanStatus information leaks
TC_ScanStatus (backup status) and TC_GetStatus (internal backup status
watcher) do not initialize their output buffers. They leak memory
contents over the wire:
struct tciStatusS
- up to 64 bytes in member taskName (TC_MAXNAMELEN 64)
- up to 64 bytes in member volumeName "
Initialize the buffers.
[kaduk@mit.edu: move initialization to top of server routines]
struct budb_dumpEntry
- up to 32 bytes in member volumeSetName
- up to 256 bytes in member dumpPath
- up to 32 bytes in member name
- up to 32 bytes in member tape.tapeServer
- up to 32 bytes in member tape.format
- up to 256 bytes in member dumper.name
- up to 128 bytes in member dumper.instance
- up to 256 bytes in member dumper.cell
Initialize the buffer in common routine FillDumpEntry.
Mark Vitale [Tue, 26 Jun 2018 07:56:24 +0000 (03:56 -0400)]
OPENAFS-SA-2018-002 afs: prevent RXAFSCB_TellMeAboutYourself information leak
RXAFSCB_TellMeAboutYourself does not completely initialize its output
buffers. This leaks kernel memory over the wire:
struct interfaceAddr
Unix cache manager (libafs)
- up to 124 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 * 4) - 4))
- up to 124 bytes in array subnetmask "
- up to 124 bytes in array mtu "
Windows cache manager
- 64 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 - CM_MAXINTERFACE_ADDR 16)* 4)
- 64 bytes in array subnetmask "
- 64 bytes in array mtu "
The following implementations of SRXAFSCB_TellMeAboutYourself are not susceptible:
- fsprobe
- libafscp
- xstat_fs_test
Mark Vitale [Tue, 26 Jun 2018 07:00:02 +0000 (03:00 -0400)]
OPENAFS-SA-2018-002 volser: prevent AFSVolMonitor information leak
AFSVolMonitor (vos status) does not properly initialize its output
buffers. This leaks information from volserver memory:
struct transDebugInfo
- up to 29 bytes in member lastProcName (30-'\0')
- 16 bytes in members readNext, tranmitNext, lastSendTime,
lastReceiveTime
Initialize the buffers. This must be done on a per-buffer basis inside
the loop, since realloc is used to expand the storage if needed,
and there is not a standard realloc API to zero the newly allocated storage.
Mark Vitale [Tue, 26 Jun 2018 06:33:05 +0000 (02:33 -0400)]
OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak
AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not
properly initialize their reply buffers. This leaks the contents of
volserver memory over the wire:
AFSVolPartitionInfo (struct diskPartition)
- up to 24 bytes in member name (32-'/vicepa\0'))
- up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0'))
AFSVolPartitionInfo64 (struct diskPartition64)
- up to 248 bytes in member name (256-'/vicepa\0'))
- up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')
Initialize the output buffers.
[kaduk@mit.edu: move memset to top-level function scope of RPC handlers]
Stephan Wiesand [Fri, 24 Aug 2018 14:19:07 +0000 (16:19 +0200)]
Make OpenAFS 1.8.1.1
Update configure version strings for 1.8.1.1. Note that macos kext
can be of form XXXX.YY[.ZZ[(d|a|b|fc)NNN]] where d dev, a alpha,
b beta, f final candidate so we have no way to represent 1.8.1.1.
Switch to 1.8.2 dev 1 for macOS.
Change-Id: I9a8e9a2f0e2c70599d4c9c95eb8828f31aa35731
Reviewed-on: https://gerrit.openafs.org/13298 Tested-by: Michael Meffie <mmeffie@sinenomine.net> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Joe Gorse [Mon, 2 Jul 2018 20:36:04 +0000 (20:36 +0000)]
LINUX: Update to Linux struct iattr->ia_ctime to timespec64 with 4.18
With 4.18+ Linux kernels we see a transition to 64-bit time stamps by
default.
current_kernel_time() returns the 32-bit struct timespec.
current_kernel_time64() returns the 64-bit struct timespec64.
struct iattr->ia_ctime expects struct timespec64 as of 4.18+.
Timestamps greater than 31-bit rollover after 2147483647 or
January 19, 2038 03:14:07 UTC. This is the same approach taken by
the Linux developers for converting between timepsec64 and timespec.
Reviewed-on: https://gerrit.openafs.org/13241 Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 0bc5c15029cf7e720731f1415fcf9dc972d57ef4)
Change-Id: I16f93fd54dd45fe64f0c6fd499bf3adca978e9b1
Reviewed-on: https://gerrit.openafs.org/13268 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Benjamin Kaduk [Sat, 28 Jul 2018 15:16:37 +0000 (10:16 -0500)]
Make OpenAFS 1.8.1
Update version strings for the 1.8.1 release.
(Note that the version number for Windows for the 1.8.1 prereleases was
erroneously 1.8.99xx, when it should have been 1.8.00xx to reflect
"next after 1.8.0-final".)
Change-Id: I2ce32aeae50d80b88cbc3f73f6787e3a15747085
Reviewed-on: https://gerrit.openafs.org/13266 Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
redhat: actually remove unused AFS::ukernel man page
Commit 278581c24a802834719e0d57f27978321556c9bb (redhat: package libuafs
perl bindings) added swig as a build dependency on RHEL 6+/Fedora 15+ to
build and package AFS::ukernel perl bindings for libuafs. The man page
for AFS::ukernel is generated from the pod files unconditionally, so
needs to be removed from the staging directories when AFS::ukernel is
not packaged.
Unfortunately, the full path to the staged AFS::ukernel manpage was
not given in that commit, so the rpmbuild will fail on RHEL 5 with
the error:
Andrew Deason [Thu, 26 Apr 2018 17:27:12 +0000 (12:27 -0500)]
afs: Stop looking for dcaches on Get*DSlot errors
In various places in the code, we'll be looking for a dslot, calling
afs_GetValidDSlot (or afs_GetUnusedDSlot) in a loop. In a few places,
we currently keep looking for the dslot when we get an error back,
since afs_GetValidDSlot may return successfully for other slots, and
we might find the dslot we're looking for.
This behavior was introduced in a few commits, including:
- commit 2679af76 (afs: Traverse discard/free dslot list if errors)
- commit 00fd34a6 (afs: Handle easy GetValidDSlot errors)
- commit 9a558660 (afs: Cope with afs_GetValidDSlot errors)
This behavior means that if afs_GetValidDSlot/afs_GetUnusedDSlot
returns an error for a particular dcache slot, but other slots are
okay, then we may still find the dcache we're looking for.
However, by far the most common reason that
afs_GetValidDSlot/afs_GetUnusedDSlot fails is because our disk cache
is completely unusable; it is very rare that only a few slots cannot
be used, but others are fine (this would mean that the disk cache was
corrupted in oddly specific ways, or there are small isolated errors
in the underlying disk). So continuing the dcache search in these
situations is not very useful.
On Linux, this is most commonly seen by the underlying disk cache i/o
calls returning -EINTR, which can happen if a SIGKILL signal is
pending for the current process when we try to do the i/o. In this
situation, all attempts to read in a dslot from disk will fail; trying
other slots or waiting will not improve the situation. Depending on
which specific code path encounters an afs_Get*DSlot error, we can
then flood the log with "disk cache read error in CacheItems" messages
emitted from afs_UFSGetDSlot, since we keep calling afs_Get*DSlot in
our loop.
The worst offender of this is usually afs_GetDSlotFromList via
afs_AllocDCache, since we end up calling afs_GetUnusedDSlot for every
single dslot in the free and discard lists. However, our other call
sites that are looking for dcaches for a specific file can still
generate quite a few of these messages, since we'll end up calling
afs_GetValidDSlot for every slot in a dcache hash chain.
So to avoid flooding the log in these situations, change most callers
of afs_GetValidDSlot and afs_GetUnusedDSlot to stop on the first
error, and act like we never found a dcache that we were looking for.
This commit also adjusts one caller in afs_ProcessOpCreate, which was
not handling errors from afs_GetValidDSlot at all, and changes
FlushVolumeData to be able to return error codes.
Reviewed-on: https://gerrit.openafs.org/13034 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 12f4fd2901fee8bf27c2cec97efd3d242c6ff025)
Change-Id: I2a9865e510be39d1b5bcb9280419630036c00bef
Reviewed-on: https://gerrit.openafs.org/13191 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Andrew Deason [Fri, 29 Jun 2018 20:25:48 +0000 (15:25 -0500)]
afs: Make afs_osi_Free(NULL) a no-op
In userspace, we assume that free(NULL) does nothing, which makes
certain cleanup code paths simpler. This may or may not be true for
our free() abstractions that can run in the kernel (like afs_osi_Free,
rxi_Free, etc), which is confusing. To make the higher-level free()
abstractions more consistent, change afs_osi_Free to guarantee that
passing a NULL pointer does nothing.
Reviewed-on: https://gerrit.openafs.org/13236 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 7523397333c0f8c6a08312434968d84b8ff56306)
Change-Id: Ifda1bd8c99f128fe01d38fd64dc19afee4c5158f
Reviewed-on: https://gerrit.openafs.org/13250 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Andrew Deason [Thu, 5 Jul 2018 22:16:48 +0000 (17:16 -0500)]
LINUX: Detect NULL page during write_begin
In afs_linux_write_begin, we call grab_cache_page_write_begin to get a
page to use for writing data when servicing a write into AFS. Under
low-memory conditions, this can return NULL if Linux cannot find a
free page to use. Currently, we always try to reference the page
returned, and so this causes a BUG.
To avoid this, check if grab_cache_page_write_begin returns NULL, and
just return -ENOMEM, like other callers of grab_cache_page_write_begin
do.
Linux's fault injection framework is useful for testing code paths
like these. The following settings made it possible to
somewhat-reliably exercise the relevant code path on a test RHEL7
system:
Michael Meffie [Fri, 6 Jul 2018 19:22:36 +0000 (15:22 -0400)]
vldb_check: write mh entry header flags in network order
Commit 6b93ad695e53a86dbe9eea13bd0ff651e1d8c9b7 fixed a false error
reported when the vldb contained more than one mh extent blocks. That
fix changed the readMH() function to convert the flags field to host
byte order of all the mh blocks, not just the first block, in order to
check the value of those flags.
Unfortunately, that commit missed converting non-zero blocks back to
network byte order in the complementary writeMH() function, which is
used to write the data back to disk when vldb_check is run with the -fix
option.
FIXES 134589
Reviewed-on: https://gerrit.openafs.org/13245 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 483cad0121d848836b4155817b86231ef21be27a)
Change-Id: I28afa243c78d0a8a53e13f302d69c17a779837d9
Reviewed-on: https://gerrit.openafs.org/13246 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Stephan Wiesand [Mon, 2 Jul 2018 12:05:47 +0000 (14:05 +0200)]
redhat: parallel builds
Parallel builds can be an order of magnitude faster. Add the
_smp_mflags macro to all invocations of make in the rpm spec,
to make use of all available cores and SMT threads on the build
system. This should also help noticing new dependency issues
early. Note the macro can be overridden on the rpmbuild command
line.
Reviewed-on: https://gerrit.openafs.org/13240 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit e60766286b7a581dcdd14466884ea7fdcae10918)
Change-Id: I3428e5acc7114a5bf1a1090352055041ef099fbd
Reviewed-on: https://gerrit.openafs.org/13249 Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Stephan Wiesand [Mon, 2 Jul 2018 11:33:20 +0000 (13:33 +0200)]
redhat: speed up userland-only rpm builds
When building with --define "build_modules 0", have configure
skip the Linux kernel tests, which are slow and many.
Reviewed-on: https://gerrit.openafs.org/13239 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit ab61bcffefdd0a431a435def193cd9a46e3b8ab6)
Change-Id: I030c4fab62bc8973dd4d914374865569d878090d
Reviewed-on: https://gerrit.openafs.org/13248 Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Stephan Wiesand [Mon, 2 Jul 2018 11:28:07 +0000 (13:28 +0200)]
redhat: package new file include/opr/lock.h
Commit 792dd44ac57032a3f2a4743c83c8a0208a08ecec added the
installation of include/opr/lock.h, but the rpm spec fails
to pick it up, making rpm builds fail. Add the new file
to the files list for the -devel package.
FIXES 134579
Reviewed-on: https://gerrit.openafs.org/13238 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit babf419886d687f8359159f35e8b89aff5e166f8)
Change-Id: I32b6737a6868239c56a604030a49cc45f0379707
Reviewed-on: https://gerrit.openafs.org/13247 Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Tested-by: Stephan Wiesand <stephan.wiesand@desy.de> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Mark Vitale [Sat, 30 Jun 2018 21:35:09 +0000 (17:35 -0400)]
rxevent: prevent negative rx_connection refCount
rxi_ChallengeEvent is called directly from rxi_ChallengeOn to start the
first challenge; subsequent calls to rxi_ChallengeEvent are from the
event handler. When called as an event, we must putConnection the
reference held by the event. But when called directly for the first
time, the event has not been scheduled yet and so has not taken a
reference on the connection. For this case, we must not putConnection
or the rx_connection refCount will go negative.
One reported symptom of this bug is a fileserver crash with:
'Assertion failed! file rx.c, line 1327.'
Benjamin Kaduk [Fri, 15 Jun 2018 14:07:04 +0000 (09:07 -0500)]
Comment out missing comerr functions from afsauthent.def
Apparently commit 70c4922980d1596155b4021cd72d6895c2371e23 was overzealous
in making Windows match Unix, as these functions are not available
in the Windows build.
Reviewed-on: https://gerrit.openafs.org/13219 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 9d0b2698ac7ab8bb689f30d819bbef08c05a8bf7)
Benjamin Kaduk [Fri, 15 Jun 2018 13:16:26 +0000 (08:16 -0500)]
Comment out (again!) xdr_Capabilities from afsrpc.def
This shows up as an "unresolved external" when linking (though apparently
this error does not cause a buildbot failure), noticed when viewing
a related windows build log.
Reviewed-on: https://gerrit.openafs.org/13215 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 94f1c1e2a7125e93ed49de31522be806af28626b)
Benjamin Kaduk [Fri, 1 Jun 2018 00:02:18 +0000 (19:02 -0500)]
libafsrpc: export more xdr functions
Most of the xdr functions in the library text are to support RXAFS and
RXAFSCB RPCs, which we explicitly do not expose from libafsrpc.
As such, they do not need to be in the export list, but a couple of
generic ones probably should be exported.
Do so, for both Unix and Windows.
Reviewed-on: https://gerrit.openafs.org/13139 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 6e7db633efad1c88bb300089e3bd4c9feaea5f23)
Change-Id: I42ae33f5fdb36401d052cfb200a22aff423ac0a9
Reviewed-on: https://gerrit.openafs.org/13195 Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com>
Benjamin Kaduk [Thu, 31 May 2018 23:40:21 +0000 (18:40 -0500)]
Export missing opr functions from libafsrpc
Our assertion macros expand to function calls, and we have assertions
included in macros in installed headers, so the public needs to be
able to link against them.
Export for both Unix and Windows.
Reviewed-on: https://gerrit.openafs.org/13137 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit f01ee714152a0a6247f2f456aa1f0a728d74373c)
Change-Id: I1d983d352f4838619d0b8a833e6be90207dffa87
Reviewed-on: https://gerrit.openafs.org/13193 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Andrew Deason [Thu, 26 Apr 2018 17:01:57 +0000 (12:01 -0500)]
afs: Avoid GetDCache delays on screwy cache
Currently, if our afs_AllocDCache call fails in afs_GetDCache, we
retry once per second for 5 minutes. The reasoning is that we're out
of dcache slots, and so if we wait a little while, maybe something
will become freeable and we can continue.
However, afs_AllocDCache can also fail if we have plenty of free
dslots, but we are unable to successfully call afs_GetUnusedDSlot() on
any of them. This can happen if our disk cache is screwed up, and so
waiting and retrying will not make things better (but we'll spew a ton
of "disk cache read error in CacheItems slot" errors in the log each
time, and do so 300 times).
So instead, only do our sleep/retry loop if we actually appear to be
out of free or discarded dslots. Otherwise, just return an error
immediately, since sleeping and retrying will not make anything
better.
Reviewed-on: https://gerrit.openafs.org/13033 Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit bec329c1c81d96b5933527f7cdb3638f24833087)
Change-Id: Iaee53eca133985ad5964b61b3641cd8ad2802014
Reviewed-on: https://gerrit.openafs.org/13190 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Andrew Deason [Thu, 26 Apr 2018 17:02:18 +0000 (12:02 -0500)]
afs: Avoid GetDCache panic on AllocDCache failure
Currently, in afs_GetDCache, if afs_AllocDCache fails, we retry for 5
minutes and then panic. Panicing in this situation is completely
unnecessary; afs_GetDCache can fail for a variety of other mundane
reasons (such as, if we can't fetch the requested data from the
relevant fileserver).
It may seem unusual for afs_AllocDCache to fail for over 5 minutes
(this is supposed to mean that we're out of dslots, and our attempts
to free up dslots have failed). However, afs_AllocDCache can also fail
if we are having issues in accessing the disk cache, and so we may not
be out of cache space or dslots at all; we just can't access the
cache. In this case, afs_AllocDCache can easily fail forever; waiting
longer or trying to free up cache space isn't going to help.
So, to avoid panicing in such situations, just make afs_GetDCache
return an error. We just need to make sure afs_xdcache is unlocked,
and then we can just jump to 'done', like plenty of other codepaths
do; no extra cleanup is required.
Also since we are removing a panic, add a log message when this
situation happens, so EIO errors don't suddenly pop up silently.
Reviewed-on: https://gerrit.openafs.org/13032 Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 0ff2364bd5e68c0a7587f8fbc552bf20b99d7039)
Change-Id: Ie29eed271b490edc943929710a87550e2d67b735
Reviewed-on: https://gerrit.openafs.org/13189 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Mark Vitale [Tue, 5 Jun 2018 18:12:20 +0000 (14:12 -0400)]
xdr: remove dead code, whitespace from xdr_enum
The 'enum sizecheck' declaration has been unused since openafs-ibm-1_0; it is
apparently vestigial from the original XDR code. Remove it, along with some
extraneous whitespace.
No functional change is incurred by this commit.
Reviewed-on: https://gerrit.openafs.org/13076 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit fdc8adbf0904cbbc0590379c5cb702a15273b40c)
Change-Id: Ie586f210d17169a03143d1bdebb8430e3881e58c
Reviewed-on: https://gerrit.openafs.org/13184 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Mark Vitale [Wed, 6 Jun 2018 19:23:26 +0000 (15:23 -0400)]
xdr: avoid xdr_enum memory overrun
Since openafs-ibm-1_0, xdr_enum has used xdr_long to read and write, even
though enum_t is defined as int. For systems where sizeof(int) ==
sizeof(long), this works by accident. But other systems (e.g., DARWIN
ARCHFLAGS=x86_64) xdr_enum will overrun its int-sized second parameter. For
XDR_DECODE, this results in memory corruption.
This was first noticed with OpenAFS 1.8.0 on macOS 10.13; if aklog is issued
while already holding a token, it will fail in token_SetsEquivalent with a
segfault in decodeToken. The root cause is that the address passed to
decodeToken had been overwritten by a previous call to tokenType -> xdr_enum ->
xdr_long.
Instead, modify xdr_enum to use xdr_int for its work.
Reviewed-on: https://gerrit.openafs.org/13075 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit eb1d2ef203a2a99c908b3b89d9ea8337a91b944b)
Change-Id: I548ab43fe4513262b6be0608be45bfd8580e6ed8
Reviewed-on: https://gerrit.openafs.org/13183 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Michael Meffie [Sat, 28 Apr 2018 03:08:34 +0000 (23:08 -0400)]
util: check for trailing characters in partition names
The function which maps partition names to partition ids currently
ignores trailing characters in the partition names. For example, the
partition name "/vicepbogus" is currently considered a valid partition
name ("/vicepbogus" maps to "bo" which is id 66). Although this is not a
regression, it is problematic for several reasons.
Firstly, this can lead to duplicate partition ids on the server, for
example "/vicepbad" and "/vicepbar" both map to the same partition id
("ba" is id 52).
Second, partitions are internally tracked by numeric id. The partition
names are generated from numeric ids when reporting partition names.
This means the trailing characters are lost when reporting the partition
names. For example, vos reports the attached partition "/vicepbad" as
"/vicepba".
Third, it could be possible (but perhaps unlikely) in the future to
extend the range of partition ids, so the trailing characters could
become significant at that time.
Finally, it could be confusing to admins that such partition names are
attached by the fileserver. For example, "/vicepaa-backup" is attached
and is used by the fileserver as partition id 26.
This change adds a check for trailing characters in partition names in
the volutil_GetPartitionID function, so it is more strict in what it
accepts as a valid partition name. That function will now return -1
(illegal partition name) when trailing characters are found in
partition names.
Reviewed-on: https://gerrit.openafs.org/13039 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net>
(cherry picked from commit 850c7c50dccbdebb8e0a44da4fc7840760d9e02d)
Change-Id: I1244630f3b31408f9f723b97956dca6987dd9747
Reviewed-on: https://gerrit.openafs.org/13121 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Benjamin Kaduk [Mon, 28 May 2018 03:54:01 +0000 (22:54 -0500)]
libafsauthent: export additional xdr_ functions
Formally, we need to use xdr_free to deallocate storage for RPC output
variables, in case the XDR stack uses a different allocator than the
standard application allocator. Some types have non-autogenerated
wrappers exposed already (e.g., token_FreeSet()), but for a handful of
the base ptint types we need to expose the xdr routines in order for a
safe way to deallocate their storage to be available.
Reviewed-on: https://gerrit.openafs.org/13131 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit c12cfd7331727142cb928e08ec32a708d0cfd1e9)
Change-Id: Iea3b0bd9fdb373020b41c2bcbf1ebbde222114a8
Reviewed-on: https://gerrit.openafs.org/13192 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Benjamin Kaduk [Sun, 27 May 2018 21:23:16 +0000 (16:23 -0500)]
libafsauthent: export ugen_ClientInit*
Windows was only exporting the bare version and not the Cell/Flags/Server
versions; Unix was exporting none of them.
These routines for obtaining a ubik client are more generic than the
historical (and already exported) ubik_ClientInit routine, allowing for
the use of an alternative configuration directory, additional flags,
and the like.
Reviewed-on: https://gerrit.openafs.org/13130 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit ef6a1e8118a25b885889179739a3539a598068bc)
Change-Id: I04c6565cc4b9c3366bf15b86cd5f70402609c5c5
Reviewed-on: https://gerrit.openafs.org/13182 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Benjamin Kaduk [Sun, 27 May 2018 19:18:07 +0000 (14:18 -0500)]
libafsauthent: export more afsconf_ functions
We have new functions for (among other things) typed keys, and generic
rx identity management; expose them as well as the legacy key- and user-
management functions, on both Unix and Windows.
Reviewed-on: https://gerrit.openafs.org/13127 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit cdd1f16f5ef52093a8f7d3f87a45775d3c87b780)
Change-Id: Ia9ab364fcac10822ba50eb7f418a2228ac0fd935
Reviewed-on: https://gerrit.openafs.org/13179 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Michael Meffie [Mon, 9 Apr 2018 23:50:28 +0000 (19:50 -0400)]
autoconf: remove uss from configure summary
Commit 00a33b26d74aa067086ddc340efb82184715857f (uss: always build uss)
made the uss build unconditional. Remove it from the list of optional
items in the configure summary.
Reviewed-on: https://gerrit.openafs.org/13004 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 85e9db22b265f9bb3745246fea3a07158b8a8c0e)
Change-Id: I345752f0739edc3d621b39a50157adb23923e256
Reviewed-on: https://gerrit.openafs.org/13111 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Joe Gorse <jhgorse@gmail.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Pat Riehecky [Wed, 23 May 2018 20:50:45 +0000 (15:50 -0500)]
Add braces to empty conditional blocks
GCC 7+ is able to quickly optimize away empty if/else blocks if the braces are
provided. While this adds some additional syntax, it should also result
in faster optimization, so change our empty blocks after conditionals to use
braces.
FIXES 134377
Reviewed-on: https://gerrit.openafs.org/13081 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit a411366f57dcf39cc17b6d61d8332e520dff57d1)
Michael Meffie [Mon, 25 Apr 2016 15:19:10 +0000 (11:19 -0400)]
Windows: define AFS_IHANDLE_PIO_ENV for ihandle pio
Support for positional i/o in the ihandle package was added to the
windows platform in commit 50b6a116a1c412d0e6d7442d13d6e92c9dbb35ee
using native windows functions. That commit also defined HAVE_PIO in
the windows version of the afsconfig.h file. Unfortunately, that
definition of HAVE_PIO is not limited to the ihandle package.
Remove the project-wide HAVE_PIO definition from the windows afsconfig.h
file and define the new AFS_IHANDLE_PIO_ENV symbol when position i/o
support is available in the ihandle package.
Build the fallback ih_pread and ih_pwrite functions (which use lseek)
only when positional i/o is not available in the ihandle package for the
current platform.
Use AFS_IHANDLE_PIO_ENV instead of HAVE_PIO in ih_open() to determine
when it is is safe to share ihandles among threads.
Reviewed-on: https://gerrit.openafs.org/12270 Reviewed-by: Andrew Deason <adeason@sinenomine.net> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 759f29cfdfabed4dc5c1b96a0b2b79a3f83c08e3)
Michael Meffie [Sat, 28 Apr 2018 02:59:57 +0000 (22:59 -0400)]
vol: check for bad partition names
Currently, servers attempt to attach any partition name starting with
"/vicep", even partition names which map to out of range partition ids.
Examples of such misnamed partitions are "/vicepzz", "/vicep0", and
others.
The presence of these misnamed partitions cause the server processes to
crash on startup, since the out of range partition ids are used as an
index.
Add a check for the bad partition names in VCheckPartitions to avoid
attaching them. Log a warning for such partitions to let the admins know
why the partitions are not attached.
Reviewed-on: https://gerrit.openafs.org/13038 Reviewed-by: Benjamin Kaduk <kaduk@mit.edu> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit c0f2c26e9298d12209fbb5e523ea3173202316e5)
Change-Id: Id7dcbd80402b7c8ec1f0e2e5fa2ea0123a2da898
Reviewed-on: https://gerrit.openafs.org/13120 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Jeffrey Altman [Fri, 11 May 2018 19:44:24 +0000 (15:44 -0400)]
viced: SRXAFS_InlineBulkStatus set InterfaceVersion on error
AFSFetchStatus.InterfaceVersion is required to be "1" for any
of the fields in the structure to be considered valid. Therefore,
InterfaceVersion must be set to one when returning an 'errorCode'
value.
When RXAFS_InlineBulkStatus was introduced by OpenAFS in 362d26c733b086d26f013bd229af979a112098f5 not only wasn't
InterfaceVersion set but neither was the memory allocated
to OutStats initialized. As a result the InterfaceVersion field
value could be not only zero but random. The OutStats memory
was initialized to zeros beginning with 726e1e13ff93e2cc1ac21964dc8d906869e64406.
Reviewed-on: https://gerrit.openafs.org/13067 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit f045de21a45fcc8f71e2b30e826c22c8a7b4d0f2)
Change-Id: I0d15147081f6e8744680c16e43b22075070647e4
Reviewed-on: https://gerrit.openafs.org/13117 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Marcio Barbosa [Tue, 15 May 2018 21:10:45 +0000 (17:10 -0400)]
ubik: clones should not request votes
Clones should not be able to become the sync-site. To make it possible,
regular sites do not vote for a site tagged as clone. In other words,
the clones ask for votes but they cannot be the sync-site. Knowing that
their requests for votes should be refused by the regular sites, they
should never have enough votes to win the election.
In addition to the unnecessary network traffic created by these
unnecessary requests, this current approach can be problematic in some
specific situations. As an example, consider the following scenario:
The user wants to turn a regular site, called host1, into a clone.
To do so, he runs the following commands on every single server:
After that, he restarts the servers, one by one. Depending on the delay
between the restarts, a clone can become the sync-site. This is possible
because the clones request votes from the other sites. If enough regular
sites are not aware (yet) that the request for vote came from a clone,
the clone in question can get enough votes to win the election.
To fix the problems mentioned above, do not request votes if you cannot
be the sync-site.
Reviewed-on: https://gerrit.openafs.org/12654 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 3cc22a442e1dad628f0b11a32c4037fc7174dde4)
Change-Id: Ifa748546aec6928eb4ca988a036d0bf8fb70f6f8
Reviewed-on: https://gerrit.openafs.org/13116 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Marcio Barbosa [Thu, 10 May 2018 03:46:01 +0000 (00:46 -0300)]
afs: alloc openafs_lck_grp before osi_Init() on darwin
Commit a27bed59cae1a4244429c752edfde0a8363c8a3b moved init_hckernel_init
to osi_Init. On Darwin (AFS_DARWIN80_ENV), MUTEX_INIT
(called by init_hckernel_init) uses openafs_lck_grp as the argument of
one of the functions called during the initialization of the mutex in
question. Since openafs_lck_grp was not allocated yet, we crash.
To fix this problem, call MUTEX_SETUP() before osi_Init() on Darwin.
Reviewed-on: https://gerrit.openafs.org/13065 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 8e740aed774d4507e656e6ae743f6c6fe6c0e356)
Change-Id: Ic1c58b5e2baeedd1cd24c364dd2907761064c8a9
Reviewed-on: https://gerrit.openafs.org/13115 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Benjamin Kaduk [Sat, 5 May 2018 20:42:51 +0000 (15:42 -0500)]
Rename getDirPath to afs_getDirPath in preparation for export
The symbol name getDirPath is rather generic and we probably shouldn't
squat on it in the application's namespace. In preparation for exporting
this functionality from the Unix shared libraries, rename it to
afs_getDirPath.
Retain a Windows-only wrapper getDirPath that can continue to be
exported from libafsauthent on Windows, for ABI compatibility.
New consumers should use afs_getDirPath.
Reviewed-on: https://gerrit.openafs.org/13058 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Anders Kaseorg <andersk@mit.edu> Tested-by: Anders Kaseorg <andersk@mit.edu> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 554c38473d1465af4c4613209229c274807fffd8)
projects / packages / o / openafs.git / log