From nobody Sat Feb 01 09:02:30 2025 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YlRbp5wpKz5mbJ9; Sat, 01 Feb 2025 09:02:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YlRbp2Rv7z41qg; Sat, 01 Feb 2025 09:02:30 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738400550; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=L7TBAC2pcVDZUAXB/lXkZIGMnHMA61yotCW3FugdZH0=; b=GL/8Uszrmm/Sl2c1fDRAuQxKLPgmCPZ6CyhaC6OaYbRPRsZEGpU6s2f0Ig7CkW5IIlzgNp 2c48U1u8I+YwvqGEGZvA1J/gaKdfSh0to7z15gk2KcyF2O18y3yQiRUrD6iNX4EI2AfUFU Xg/stTtXY4e9sQy8cX01jE5T2YB9hv3UxYxx3DPrKxi6bvNvK1Sl+GIIyizV9zAfJDycY0 pe8v4TP012dVXLZIBeRYkP4IHm0ujao3EThJLnUKAsPpDZJx2JlX/+B7D5L+pqK7aoCgzE +w8egpVzhcXWH8P+ZKSBn/+S+teyFu9QBb5nv7OM/QmY7Gu/+oOfqkmRYksdxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738400550; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=L7TBAC2pcVDZUAXB/lXkZIGMnHMA61yotCW3FugdZH0=; b=t/Ph3IjUFysoPhqldjCUcN4KsmDK3/8emk9+knaFAAAOYZTIPifj2HR5J86YdxXYTJ2Dzv QNprdpUURqXg61xobdwc9v9e2ncIm/nr5W3C0m4ROfg/jMMRYL1W7hfA25ZUn5RXPbbead oHwvQSHa2L0Cf5NfibjEOnDsi69ynvouzn+sZjb8b4dLOK/r4w3kJ8qmWDZCga8EI2Xqte G/9XKjLfogXv2JLk6dmSzY1niVe7NJYUmudU0NyQHI6dDHfiU5joISv+pGTFl7/G6Xq0UW xfP+qnj7qX37nR7jo0c23rcM3iwSUWbRNaXxqdy/ppS3gSKgAoOkptclP8rGTA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738400550; a=rsa-sha256; cv=none; b=Xp74wZwZCALYy+TtRsVXGQk6AiAyAHX992hWxDOyWXGsI+n22qREADl8Lpiu1UvsV94Vd6 vbNCCSuUF6QkM9G2/T9z4rTAVbuVSIPFmS6S//x7w992jEhmfftMjUv1OIqn1UDlZtR4oF H4WXkkKoPAaa/rovEENFsX356DRNEdUmC6ePlZsDTFjMbd+7z4jrup/ci2yjbVJy1jv+hn Om9MDU3wxqF1iBJ0LPh1uuGBCCqU1Q/kod4rdGYoxt4T3zG5eDZM4x2ecKbH9/fRV8gvHU UVUFsbR1opwPnRnqGTGorhue0UbpPkeeGN9iHeZojaw2cG/YCWsQH5Ith+TAZw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YlRbp1yyKzy3j; Sat, 01 Feb 2025 09:02:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 51192UVX048551; Sat, 1 Feb 2025 09:02:30 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 51192U8F048548; Sat, 1 Feb 2025 09:02:30 GMT (envelope-from git) Date: Sat, 1 Feb 2025 09:02:30 GMT Message-Id: <202502010902.51192U8F048548@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Gleb Smirnoff Subject: git: 765ad4f03937 - main - rpcsec_tls: cleanup the rpctls_syscall() List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: glebius X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 765ad4f03937cb90ea3cc138535bab872e30b0c4 Auto-Submitted: auto-generated The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=765ad4f03937cb90ea3cc138535bab872e30b0c4 commit 765ad4f03937cb90ea3cc138535bab872e30b0c4 Author: Gleb Smirnoff AuthorDate: 2025-02-01 01:03:27 +0000 Commit: Gleb Smirnoff CommitDate: 2025-02-01 09:00:28 +0000 rpcsec_tls: cleanup the rpctls_syscall() With all the recent changes we don't need extra argument that specifies what exactly the syscalls does, neither we need a copyout-able pointer, just a pointer sized integer. Reviewed by: rmacklem Differential Revision: https://reviews.freebsd.org/D48649 --- sys/kern/syscalls.master | 3 +- sys/rpc/rpcsec_tls.h | 8 +-- sys/rpc/rpcsec_tls/rpctls_impl.c | 94 ++++++++++++++++++------------------ usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 2 +- usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 2 +- 5 files changed, 53 insertions(+), 56 deletions(-) diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index 9628745da304..52502fc662be 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -3249,8 +3249,7 @@ ; 576 is initialised by the krpc code, if present. 576 AUE_NULL NOSTD { int rpctls_syscall( - int op, - _In_z_ const char *path + uint64_t socookie ); } 577 AUE_SPECIALFD STD|CAPENABLED { diff --git a/sys/rpc/rpcsec_tls.h b/sys/rpc/rpcsec_tls.h index 024fb2fe68ee..97c49dc32245 100644 --- a/sys/rpc/rpcsec_tls.h +++ b/sys/rpc/rpcsec_tls.h @@ -28,12 +28,8 @@ #ifndef _RPC_RPCSEC_TLS_H_ #define _RPC_RPCSEC_TLS_H_ -/* Operation values for rpctls syscall. */ -#define RPCTLS_SYSC_CLSOCKET 2 -#define RPCTLS_SYSC_SRVSOCKET 5 - -/* System call used by the rpctlscd, rpctlssd daemons. */ -int rpctls_syscall(int, const char *); +/* System call used by the rpc.tlsclntd(8), rpc.tlsservd(8) daemons. */ +int rpctls_syscall(uint64_t); /* Flag bits to indicate certificate results. */ #define RPCTLS_FLAGS_HANDSHAKE 0x01 diff --git a/sys/rpc/rpcsec_tls/rpctls_impl.c b/sys/rpc/rpcsec_tls/rpctls_impl.c index 49464495ad58..adca24c3e3d5 100644 --- a/sys/rpc/rpcsec_tls/rpctls_impl.c +++ b/sys/rpc/rpcsec_tls/rpctls_impl.c @@ -88,6 +88,7 @@ struct upsock { CLIENT *cl; SVCXPRT *xp; }; + bool server; }; static RB_HEAD(upsock_t, upsock) upcall_sockets; @@ -169,7 +170,7 @@ int sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) { struct file *fp; - struct upsock *ups; + struct upsock *upsp, ups; int fd = -1, error; error = priv_check(td, PRIV_NFS_DAEMON); @@ -177,52 +178,51 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) return (error); KRPC_CURVNET_SET(KRPC_TD_TO_VNET(td)); - switch (uap->op) { - case RPCTLS_SYSC_CLSOCKET: - case RPCTLS_SYSC_SRVSOCKET: - mtx_lock(&rpctls_lock); - ups = RB_FIND(upsock_t, &upcall_sockets, - &(struct upsock){ - .so = __DECONST(struct socket *, uap->path) }); - if (__predict_true(ups != NULL)) - RB_REMOVE(upsock_t, &upcall_sockets, ups); - mtx_unlock(&rpctls_lock); - if (ups == NULL) { - printf("%s: socket lookup failed\n", __func__); - error = EPERM; - break; - } - if ((error = falloc(td, &fp, &fd, 0)) != 0) - break; - soref(ups->so); - switch (uap->op) { - case RPCTLS_SYSC_CLSOCKET: - /* - * Initialize TLS state so that clnt_vc_destroy() will - * not close the socket and will leave that for the - * daemon to do. - */ - CLNT_CONTROL(ups->cl, CLSET_TLS, - &(int){RPCTLS_INHANDSHAKE}); - break; - case RPCTLS_SYSC_SRVSOCKET: - /* - * Once this file descriptor is associated - * with the socket, it cannot be closed by - * the server side krpc code (svc_vc.c). - */ - sx_xlock(&ups->xp->xp_lock); - ups->xp->xp_tls = RPCTLS_FLAGS_HANDSHFAIL; - sx_xunlock(&ups->xp->xp_lock); - break; - } - finit(fp, FREAD | FWRITE, DTYPE_SOCKET, ups->so, &socketops); - fdrop(fp, td); /* Drop fp reference. */ - td->td_retval[0] = fd; - break; - default: - error = EINVAL; + mtx_lock(&rpctls_lock); + upsp = RB_FIND(upsock_t, &upcall_sockets, + &(struct upsock){ + .so = __DECONST(struct socket *, uap->socookie) }); + if (__predict_true(upsp != NULL)) { + RB_REMOVE(upsock_t, &upcall_sockets, upsp); + /* + * The upsp points to stack of NFS mounting thread. Even + * though we removed it from the tree, we still don't own it. + * Make a copy before releasing the lock. The mounting thread + * may timeout the RPC and unroll its stack. + */ + ups = *upsp; + } + mtx_unlock(&rpctls_lock); + if (upsp == NULL) { + KRPC_CURVNET_RESTORE(); + printf("%s: socket lookup failed\n", __func__); + return (EPERM); + } + if ((error = falloc(td, &fp, &fd, 0)) != 0) { + KRPC_CURVNET_RESTORE(); + return (error); + } + soref(ups.so); + if (ups.server) { + /* + * Once this file descriptor is associated + * with the socket, it cannot be closed by + * the server side krpc code (svc_vc.c). + */ + sx_xlock(&ups.xp->xp_lock); + ups.xp->xp_tls = RPCTLS_FLAGS_HANDSHFAIL; + sx_xunlock(&ups.xp->xp_lock); + } else { + /* + * Initialize TLS state so that clnt_vc_destroy() will + * not close the socket and will leave that for the + * daemon to do. + */ + CLNT_CONTROL(ups.cl, CLSET_TLS, &(int){RPCTLS_INHANDSHAKE}); } + finit(fp, FREAD | FWRITE, DTYPE_SOCKET, ups.so, &socketops); + fdrop(fp, td); /* Drop fp reference. */ + td->td_retval[0] = fd; KRPC_CURVNET_RESTORE(); return (error); @@ -269,6 +269,7 @@ rpctls_connect(CLIENT *newclient, char *certname, struct socket *so, struct upsock ups = { .so = so, .cl = newclient, + .server = false, }; CLIENT *cl = KRPC_VNET(rpctls_connect_handle); @@ -390,6 +391,7 @@ rpctls_server(SVCXPRT *xprt, uint32_t *flags, uid_t *uid, int *ngrps, struct upsock ups = { .so = xprt->xp_socket, .xp = xprt, + .server = true, }; CLIENT *cl = KRPC_VNET(rpctls_server_handle); struct rpctlssd_connect_arg arg; diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c index e8df84a382b5..37e0c2013ef1 100644 --- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c +++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c @@ -258,7 +258,7 @@ rpctlscd_connect_2_svc(struct rpctlscd_connect_arg *argp, rpctls_verbose_out("rpctlsd_connect: started\n"); /* Get the socket fd from the kernel. */ - s = rpctls_syscall(RPCTLS_SYSC_CLSOCKET, (char *)argp->socookie); + s = rpctls_syscall(argp->socookie); if (s < 0) { result->reterr = RPCTLSERR_NOSOCKET; return (TRUE); diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index 61f8601c36f5..438b745fb5de 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c @@ -403,7 +403,7 @@ rpctlssd_connect_thread(void *v) } /* Get the socket fd from the kernel. */ - s = rpctls_syscall(RPCTLS_SYSC_SRVSOCKET, (char *)socookie); + s = rpctls_syscall(socookie); if (s < 0) { rpctls_verbose_out("rpctlssd_connect_svc: rpctls_syscall " "accept failed\n");