git: 9d35b4b38e1a - stable/12 - kgssapi: Increase timeout for kernel to gssd(8) upcalls

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Thu, 26 Jan 2023 03:08:32 UTC
The branch stable/12 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=9d35b4b38e1a466371c551568538488b6f873d07

commit 9d35b4b38e1a466371c551568538488b6f873d07
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-01-11 21:20:31 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-01-26 03:07:41 +0000

    kgssapi: Increase timeout for kernel to gssd(8) upcalls
    
    It turns out that the underlying problem that caused
    a Kerberized NFS mount with the "gssname" option to
    fail was that the kernel upcall to the gssd(8) daemon
    would time out prematurely after 25 seconds.  The
    gss_acquire_cred() GSSAPI library call
    takes about 27 seconds for the case where a desired_name
    argument is specified.  A similarly long delay occurs
    when the gss_init_sec_context() call is made and the
    user principal's TGT has expired.
    
    Once the upcall timed out, the kernel code assumed that
    the gssd(8) daemon had died and closed the socket.
    Ironically, closing the socket did cause the gssd(8)
    daemon to terminate via a SIGPIPE signal.
    
    This patch increases the timeout to 5 minutes.  Since
    a timeout should only occur when the gssd(8) daemon
    has died, a long timeout should be ok and seems to fix this
    problem.
    
    I still think that commit c33509d49a should remain in the
    system, since it allows the mount to complete quickly
    and not take nearly 30 seconds.
    
    PR:     268823
    
    (cherry picked from commit e3c26ce5cb410e4e58e131dfea7054e0bf11e3ca)
---
 sys/kgssapi/gss_impl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sys/kgssapi/gss_impl.c b/sys/kgssapi/gss_impl.c
index 07e10d0999c4..9b1277298e32 100644
--- a/sys/kgssapi/gss_impl.c
+++ b/sys/kgssapi/gss_impl.c
@@ -119,7 +119,17 @@ sys_gssd_syscall(struct thread *td, struct gssd_syscall_args *uap)
 		 */
 		if (cl != NULL) {
 			int retry_count = 5;
+			struct timeval timo;
 			CLNT_CONTROL(cl, CLSET_RETRIES, &retry_count);
+
+			/*
+			 * Set the timeout for an upcall to 5 minutes.  The
+			 * default of 25 seconds is not long enough for some
+			 * gss_XXX() calls done by the gssd(8) daemon.
+			 */
+			timo.tv_sec = 5 * 60;
+			timo.tv_usec = 0;
+			CLNT_CONTROL(cl, CLSET_TIMEOUT, &timo);
 		}
 	} else
 		cl = NULL;