Date: Tue, 2 Jan 2024 01:44:47 GMT
Message-Id: <202401020144.4021ilBm005461@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: c85ff48a092e - stable/13 - nfscl: Fix handling of expired Kerberos credentials (NFSv4.1/4.2)
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: c85ff48a092e4c5989f91a4a1ccf99441ffb3170

The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=c85ff48a092e4c5989f91a4a1ccf99441ffb3170

commit c85ff48a092e4c5989f91a4a1ccf99441ffb3170
Author:     Rick Macklem
AuthorDate: 2023-12-26 22:33:39 +0000
Commit:     Rick Macklem
CommitDate: 2024-01-02 01:41:19 +0000

nfscl: Fix handling of expired Kerberos credentials (NFSv4.1/4.2)

If the NFS server detects that the Kerberos credentials provided
by an NFSv4.1/4.2 mount using sec=krb5[ip] have expired, the NFS
server replies with a krpc layer error of RPC_AUTHERROR. When this
happened, the client erroneously left the NFSv4.1/4.2 session slot
busy, so that it could not be used by other RPCs. If this happened
for all session slots, the mount point would hang.

This patch fixes the problem by releasing the session slot and
resetting its sequence# upon receiving an RPC_AUTHERROR reply.

This bug only affects NFSv4.1/4.2 mounts using sec=krb5[ip], but
has existed since NFSv4.1 client support was added to FreeBSD.

So, why has the bug remained undetected for so long? I cannot be
sure, but I suspect that, often, the client detected the Kerberos
credential expiration before attempting the RPC. For this case, the
client would not do the RPC and, as such, there would be no busy
session slot.
Also, no hang would occur until all session slots are busied (64 for
a FreeBSD client/server), so many cases of the bug probably went
undetected? Also, use of sec=krb5[ip] mounts is not that common.

PR: 275905

(cherry picked from commit a558130881e9d574dc5f37827fe2284667d5aba8)
--- sys/fs/nfs/nfs_commonkrpc.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/sys/fs/nfs/nfs_commonkrpc.c b/sys/fs/nfs/nfs_commonkrpc.c index 29fbb8dc4351..3aa3129ad67f 100644 --- a/sys/fs/nfs/nfs_commonkrpc.c +++ b/sys/fs/nfs/nfs_commonkrpc.c @@ -1040,6 +1040,22 @@ tryagain: NFSINCRGLOBAL(nfsstatsv1.rpcinvalid); error = ENXIO; } + } else if (stat == RPC_AUTHERROR) { + /* Check for a session slot that needs to be free'd. */ + if ((nd->nd_flag & (ND_NFSV41 | ND_HASSLOTID)) == + (ND_NFSV41 | ND_HASSLOTID) && nmp != NULL && + nd->nd_procnum != NFSPROC_NULL) { + /* + * This can occur when a Kerberos/RPCSEC_GSS session + * expires, due to TGT expiration. + * Free the slot, resetting the slot's sequence#. + */ + if (sep == NULL) + sep = nfsmnt_mdssession(nmp); + nfsv4_freeslot(sep, nd->nd_slotid, true); + } + NFSINCRGLOBAL(nfsstatsv1.rpcinvalid); + error = EACCES; } else { NFSINCRGLOBAL(nfsstatsv1.rpcinvalid); error = EACCES;
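
Review bot: In the new `stat == RPC_AUTHERROR` branch, the slot is released with `nfsv4_freeslot(sep, nd->nd_slotid, true);` but ND_HASSLOTID stays set in `nd->nd_flag`, so nothing in the visible lines records that this request no longer owns the slot. If any later path for the same `nd` also frees a slot when that flag is set, the slot would be released twice, and by then it may already belong to another RPC. Either clear ND_HASSLOTID right after the free or extend the comment to state that no later path looks at it. The `sep == NULL` fallback to `nfsmnt_mdssession(nmp)` also assumes the slot belongs to the MDS session; a short comment saying why that holds for every request that can reach this branch would help. A smaller style point: the branch ends with the same two statements as the existing `else` (`NFSINCRGLOBAL(nfsstatsv1.rpcinvalid);` and `error = EACCES;`), so the slot check could sit at the top of that `else`, guarded by `stat == RPC_AUTHERROR`, and avoid the duplication.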