Often, ‘afsd -shutdown’ is called right after ‘umount’.
Both commands hold the glock before calling ‘afs_shutdown’.
However, one of the functions called by 'afs_shutdown', namely,
‘afs_FlushVCBs’, might drop the glock when the global
'afs_shuttingdown' is still equal to 0. As a result, a scenario
with two shutdown sequences proceeding in parallel is possible.
To fix the problem, the global ‘afs_shuttingdown’ is used as an
enumerated type to make sure that the second thread will not run
‘afs_shutdown’ while the first one is stuck inside ‘afs_FlushVCBs’.
Reviewed-on: http://gerrit.openafs.org/12016
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 70fd9bc6dcc79cb25e98cdcfd0f085c4bf4f310a)
Change-Id: I073d1914a7daa858a78305ff154074f2a51a9f5f
Reviewed-on: https://gerrit.openafs.org/12179
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
"local" links to section heads inside the same pod page should be written
L</OPTIONS> instead of L<OPTIONS>. the other broken links are assorted
typos and capitalization changes.
Reviewed-on: http://gerrit.openafs.org/4831
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Ken Dreyer <kdreyer@usgs.gov>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
(cherry picked from commit 6770c6c411f2766471b4dc07bd7c66794f95ba63)
Change-Id: Id53b3ad6c2f8e0ec00fabf733b2b2052495b3f27
Reviewed-on: https://gerrit.openafs.org/11675
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Any DAFS fileserver operation that allocates a new vnode but fails
to update the vnode index will crash:
"Fatal Rx error: assertion failed: --vp->nWaiters >= 0,
file: ../vol/volume.c, line: nnnn"
Note: This crash was exposed by other bugs (to be addressed in future
commits) in OpenAFS large volume support. However, there may
be other failure paths (unrelated to large volumes) that expose
this error as well.
When VAllocVnode() must allocate a new vnode but fails while
updating the vnode index file (e.g. an "addled bitmap" due to other
bugs in working with a vnode index larger than 2^31 bytes), it branches
to common recovery logic at label error_encountered:.
Part of this recovery is to call VFreeBitmapEntry_r(). Commit
08ffe3e81d875b58ae5fe4c5733845d5132913a0 added a VOL_FREE_BITMAP_WAIT
flag to VFreeBitmapEntry() in order to prevent races with VAllocBitmapEntry().
If the caller specifies VOL_FREE_BITMAP_WAIT, VFreeBitmapEntry_r will
call VCreateReservation_r() and VWaitExclusiveState_r(). However, the
exit from VFreeBitmapEntry_r() calls VCancelReservation_r() unconditionally.
This works correctly with the majority of callers to VFreeBitmapEntry_r,
which do specify the VOL_FREE_BITMAP_WAIT flag.
However, the VAllocVnode() error_encountered logic must specify 0 for
this flag because the thread is already in an exclusive state
(VOL_STATE_VNODE_ALLOC). This correctly causes VFreeBitmapEntry_r() to
forgo both the reservation and wait-for-exclusive-state. However, before
exit it erroneously calls VCancelReservation_r(). We now have unbalanced
reservations (nWaiters); this causes an assert when the VAllocVnode()
error_encountered recovery code later calls VCancelReservation_r()
for what it believes is its own prior reservation.
Modify VFreeBitmapEntry_r() to make its final VCancelReservation_r()
conditional on flag VOL_FREE_BITMAP_WAIT.
Reviewed-on: http://gerrit.openafs.org/11983
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit d833ba768064a32a19c6b0b94ffb0d8a3a40a089)
Change-Id: Ia146ca55b1c0497d475357e61eaeb061a11bd597
Reviewed-on: https://gerrit.openafs.org/12209
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Commit a14e791541bf19c6c377e68bc2f978fba34f94b1
refactored and corrected the counting of requests and aborts.
However, it inadvertently introduced a new undercount for
VL_GetEntryByName* requests, counting them only if
NameIsId(volname), e.g. volname="536870911".
Ensure that the normal case of a non-"numeric" volname is
also counted.
Discovered during review of pullup to 1.6.x.
Reviewed-on: http://gerrit.openafs.org/12106
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 670381aa5d3a7bc91ad74c7499605cca2c33d612)
Change-Id: Ic41f8775e4897efe5f6280b56d06d733865556a2
Reviewed-on: https://gerrit.openafs.org/12113
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The audit code for object AUD_FIDS is off by one - we list the
first FID twice and skip the last FID.
Repair so all FIDs are properly audited.
Reviewed-on: http://gerrit.openafs.org/12191
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 44349d0694c7a185fae4c55c75cb01196d109a26)
Change-Id: I7f662fd54aaab8182fedc5ebd607db37e501b423
Reviewed-on: https://gerrit.openafs.org/12211
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Tidy up the counting of requests and aborts in the vlserver. Don't
hide a variable allocation within a macro, convert macros to inline
functions, and make it possible to not count particular operations
by passing in an opcode of 0.
Reviewed-on: http://gerrit.openafs.org/4769
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit a14e791541bf19c6c377e68bc2f978fba34f94b1)
Change-Id: I1dcea218fbd3097511a93c9a825d6e76e9c8cf59
Reviewed-on: https://gerrit.openafs.org/12085
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Detect an EOF condition while reading the ACL in a dump stream
and return a restore error, instead of filling the ACL with
0xFF and then failing the restore due to an invalid tag.
Reviewed-on: http://gerrit.openafs.org/11703
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit ed52d65fe98549e13023e0a8997da479b626085a)
Change-Id: I9aacd635b8bbf89923db0121639d5112ab775c19
Reviewed-on: https://gerrit.openafs.org/12185
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
IP addresses entered into the CellServDB with components larger
than 255 would silently be trucated down to 8-bit unsigned integer
representations. This could cause confusing behavior with
occasional hangs.
FIXES 131794
Reviewed-on: http://gerrit.openafs.org/12109
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 97150150e6d12cbbc0c4a5af3424c9bf1e56918c)
Change-Id: I4e628ab7e12e33b23cc513a268879de115ddec2e
Reviewed-on: https://gerrit.openafs.org/12210
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Perform range checks on the acl header fields when reading an
acl from a dump stream and when writing an acl to a dump
stream.
Before this change, a bogus value in the total, positive, or
negative acl fields from a dump stream could cause an out of
bounds access of the acl entries table, crashing the volume
server.
Reviewed-on: http://gerrit.openafs.org/11702
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 0bf9fba458b39035a09f45c1b63f1e65672d4c00)
Change-Id: Icebeb1d62900a7978f02177627a30e41de49a182
Reviewed-on: https://gerrit.openafs.org/12127
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
ifconfig is deprecated and is no longer installed by default on RHEL 7 and
Centos 7. Use the replacement ip command in the init script for linux.
Fallback to ifconfig in the event the ip command is not available.
Thanks to Ben Kaduk for pointing out the hash built-in command.
Reviewed-on: http://gerrit.openafs.org/12192
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit b702ab5da216976ed01ad3b1c474ecd4cc522ff2)
Change-Id: I9ffdfee233555f1e06bc4f980e2905851224ecc9
Reviewed-on: https://gerrit.openafs.org/12193
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
afsd -shutdown takes only a single dash, as with all cmd-style
options.
Improve the grammar a bit while we're here.
Reviewed-on: http://gerrit.openafs.org/12133
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 6db49a841784459cf583e914b3f2433ce1e70f4c)
Change-Id: Id3b12157c9d5ac3b9aeeba0c2af22fac33a2630f
Reviewed-on: https://gerrit.openafs.org/12197
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The rfail cleanup handler overwrites 'code' ~unconditionally, but
does use an existing 'error' value if present. Since the intent
is to return failure to the caller, preserve the code in the error
variable and do so.
FIXES 131897
Reviewed-on: http://gerrit.openafs.org/12108
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 888fc16db5f0063464bf219a6cf6fee0faea4705)
Change-Id: Ic8aab7cbe9bac6c0677b1e3bc2ca2b59a76bd621
Reviewed-on: https://gerrit.openafs.org/12126
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Print a warning message if -settime is given and update the afsd man
page to declare that -settime is deprecated.
Thanks to Stephan Wiesand for suggesting this change. This is a 1.6.x
specific change.
Change-Id: Iab3f9aa602552e88d74b04e4628c7af13e0439e3
Reviewed-on: https://gerrit.openafs.org/12207
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Commit 9f94892f8d996a522e7801ef6088a13769bee7c2 (from 2006)
introduced per-file CFLAGS, using $(CFLAGS-$@); this construct
is not parsed well by IRIX make, which ends up attempting to
expand '$@)' and finding mismatched parentheses.
Commit 5987e2923a2670a27a801461dc9668ec88ed7d2a (from 2007) followed,
fixing the IRIX build but only for the NOOPT case. This left the
problematic expression in CFLAGS_OPT until 2013, when another RT
ticket was filed reporting the continued breakage. That ticket
was then ignored until 2015 (now) with no particular cries of
outrage on the mailing lists. Perhaps this gives some indication
of the size and/or mindset of the IRIX userbase. (There have
been successful IRIX installations during this time period, so
presumably it was discovered that disabling optimizations helped
the build along.)
FIXES 131621
Reviewed-on: http://gerrit.openafs.org/12111
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 767694d9ec86fc9451f5a4ba2ec7405c29986a21)
Change-Id: Ie5d349b1e9f8a768efcb461d7367d2d7deac31f6
Reviewed-on: https://gerrit.openafs.org/12198
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The server logger requires an explicit new line.
Reviewed-on: http://gerrit.openafs.org/11841
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 634ca4fdc206884afe0826bc682aa7d5208cdc8b)
Change-Id: Ic04d98d15b92a86303a38000d5738c038b83d68f
Reviewed-on: https://gerrit.openafs.org/12129
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Mainly new El Capitan specific config files and defitions of
Darwin 15 variables and config tests/etc.
Reviewed-on: http://gerrit.openafs.org/12072
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit bf3707ccbf98f44103171f4a5c6fb5bcd0744bfc)
Change-Id: I96c6c451841081d26a101507f35ff86fc8c54771
Reviewed-on: https://gerrit.openafs.org/12212
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
splice() may return -ERESTARTSYS if there are pending signals, and
it's not even clear how this should be dealt with. This potential
problem has been present for a long time, but as of Linux 4.4
(commit c725bfce7968009756ed2836a8cd7ba4dc163011) seems much more
likely to happen.
Until resources are available to fix the code to handle such errors,
avoid the riskier uses of splice().
If there is a default implementation of file_splice_{write,read},
use that; on somewhat older kernels where it is not available,
use the generic version instead.
[kaduk@mit.edu: add test for default_file_splice_write]
Reviewed-on: https://gerrit.openafs.org/12217
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit ae5f411c3b374367ab8ae69488f78f8e0484ce48)
Change-Id: I40dd0d60caece6379a62674defb8d46a2bfadad6
Reviewed-on: https://gerrit.openafs.org/12228
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The locks API was changed in Linux 4.4, introducing locks_lock_file_wait
(e55c34a66f87e78fb1fc6b623b78c5ad74b475af) and removing
flock_lock_file_wait (616fb38fa7a9599293e05ae1fa9acfaf73922434).
locks_lock_file_wait can be used as a drop-in replacement so define
flock_lock_file_wait as an alias for it.
Reviewed-on: https://gerrit.openafs.org/12170
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 58d82226a555d3781a5cb45e5cc177727628ebd8)
Change-Id: Icceae3906c1a612fb9104b860e519bb7f94d25d3
Reviewed-on: https://gerrit.openafs.org/12227
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
In Linux 4.4 (146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc) type-specific and
payload data have been merged. The payload is now accessed directly and has
no 'value' member anymore.
FIXES 132677
Reviewed-on: https://gerrit.openafs.org/12169
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 5067ee3ae11932a3f1c972c8f88b20afbd9e1d88)
Change-Id: I5a3e89b2676b463935e9a77042cbcd8ab812dc68
Reviewed-on: https://gerrit.openafs.org/12226
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Update the man page to reflect the current access rights required for fs
examine. Historically, fs examine required read access on the root
vnode of the volume housing the directory or file being examined. This
access check was relaxed in commit d2d591caf2c9b4cf2ebae708cc9b4c8b78ca5a5a,
since the information returned by the file server is already available
anonymously by other means.
Reviewed-on: https://gerrit.openafs.org/12223
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit f99c1ec32bb6e8d31ac517173ff7502dbd85aa05)
Change-Id: I580d1e0cab7f823ac1932f99066495cef9e2410a
Reviewed-on: https://gerrit.openafs.org/12224
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
FreeBSD 10.3 is in the beta stage now; better get ready for it.
Reviewed-on: https://gerrit.openafs.org/12222
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 02a393de6b30a500b77f276011c70d41eff363b5)
[updated to match the FreeBSD param.h files on openafs-stable-1_6_x]
Change-Id: Iae290edd29b34aa849f7422b48c765f81eb802fe
Reviewed-on: https://gerrit.openafs.org/12232
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The ListAddrByAttributes structure is used as an input to the GetAddrsU
RPC; it contains a Mask field that controls which of the other fields
will actually be read by the server during the RPC processing.
Unfortunately, the client only wrote to the fields indicated by the
mask, leaving the other fields uninitialized for transmission on the
wire, leaking some contents of client memory.
Plug the information leak by zeroing the entire structure before use.
FIXES 132847
Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
The VldbListByAttributes structure is used as an input to several
RPCs; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing. Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of client memory.
Plug the information leak by zeroing the entire structure before use.
FIXES 132847
Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
The AFSStoreVolumeStatus structure is used as an input to the
RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing. Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of kernel memory.
Plug the information leak by zeroing the entire structure before use.
FIXES 132847
Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
Marc Dionne reported that portions of the AFSStoreStatus structure
were not written to before being sent over the network for
operations such as create, symlink, etc., leaking the contents
of the kernel stack to observers. Which fields in the request
are used are controlled by a flags field, and so if a field was
not going to be used by the server, it was sometimes left
uninitialized.
Fix the information leak by zeroing out the structure before use.
FIXES 132847
Change-Id: Iebcac04d1ff70df06d054ddb3b886ab422fb2a14
CVE-2016-2860:
The ptserver permits foreign-cell users to create groups as if they were
system:administrators. In particular, groups in the user namespace
(with no colon) and the system: namespace can be created. No group
quota is enforced for the creation of these groups, but they will be
owned by system:administrators and cannot be changed by the user that
created them. When processing requests from foreign users, the
creator ID is overwritten with the ID of system:administrators, and
that field is later used for access control checks in
CorrectGroupName(), called from CreateEntry().
The access-control bypass is not possible for creating user entries,
since there is an early check in CreateOK() that only permits
administrators to create users, using a correct test for whether
the call is being made by an administrator.
FIXES 132822
[Based on a patch by Jeffrey Altman.]
Change-Id: I77dcf4a2f7d9c770c805a649f2ddc6bee5f83389
Change the systemd unit file permissions created via
openafs.spec to be 0644 instead of 0755. Having the
systemd unit files be executable will trigger a systemd
warning.
FIXES 132662
Reviewed-on: http://gerrit.openafs.org/12174
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit a4c4b786059ac7d5f9ecc5ec07727f000b62c13f)
Change-Id: I0ad33a93c963b7a2d242b43b7d94e2e3f5041e8d
Reviewed-on: http://gerrit.openafs.org/12196
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Update all remaining copies of CellServDB in the tree, and make the
Red Hat packaging use it by default too.
[mmeffie@sinenomine.net: 1.6.x specific change; also update the debian
packaging.]
Reviewed-on: http://gerrit.openafs.org/12187
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 378eae1d534d61d357a0ad681b57b5e203f814ad)
Change-Id: I5f3c8a03fac30e4da6d26ce7f65529e9f048f6b8
Reviewed-on: http://gerrit.openafs.org/12188
Reviewed-by: Chas Williams <3chas3@gmail.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
By default the spec defines that both userland and kernel module
packages should be built. This results in a dependency of the form
"kernel-devel-`uname -m` = `uname -r`" being added to the source
package created by makesrpm.pl, which is bogus because the uname
values are from the system on which the srpm is built and needn't
apply to the system where it is used. While rpm and rpmbuild ignore
such dependencies of source packages, other tools don't and may fail.
Some versions of rpmbuild will also enforce those requirements when
building the srpm itself, which is pointless too.
Avoid both problems by pretending not to attempt building modules
and ignoring any dependencies when makesrpm.pl invokes rpmbuild -bs.
Reviewed-on: http://gerrit.openafs.org/11903
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 9ee5fa152b7b7de6a6ddc6ed87bbf9f76da6e3e4)
Change-Id: I76aac20b8dcad2105f8d20a3e169b2f5526ef956
Reviewed-on: http://gerrit.openafs.org/12195
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>
Commit b9fb9c62a6779aa997259ddf2a83a90b08e04d5f refactored lpioctl()
so that LINUX would have its own implementation. This also simplified
the other lpioctl() implementations by removing superfluous variable
'rval'.
Unfortunately, 'rval' was actually required for both DARWIN and SUN511.
On both of these platforms, the address of 'errcode' is passed
to the respective ioctl_*() routine so its value may be passed back
to lpioctl(). Therefore, 'errcode' must not also be used for the
return value from these functions; doing so results in the return
value from the function overwriting the intended value of 'errcode' upon
return to lpioctl().
In the case of Solaris 11, ioctl_sun_afs_syscall() always returns zero
(as long as the ioctl device 'dev/afs' opened successfully).
So 'errcode' was always being set to zero, even if the pioctl had
actually failed. For example, without this fix, 'fs listcells'
loops forever on Solaris 11, listing an infinite number of "cells",
because it will never "see" the EDOM that informs it of the last defined
cell.
Partially revert b9fb9c62a6779aa997259ddf2a83a90b08e04d5f by restoring
the 'rval' variable and logic for DARWIN and SUN511.
Reviewed-on: http://gerrit.openafs.org/11734
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 7ae8e64d1ee79c23da96c326111fdc40015ed5a6)
Change-Id: I6a4b8817f02522144b3adbbae06b3737e6c62585
Reviewed-on: http://gerrit.openafs.org/11795
Reviewed-by: Daria Phoebe Brashear <shadow@your-file-system.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The 'rval' variable is only actually used in the LINUX20 case;
adding another conditional block is making the LINUX20 case
different enough that it should get split out entirely.
Doing so lets the 'else' clause be simpler.
Found by clang on FreeBSD 10.0.
Reviewed-on: http://gerrit.openafs.org/10819
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: D Brashear <shadow@your-file-system.com>
(cherry picked from commit b9fb9c62a6779aa997259ddf2a83a90b08e04d5f)
Change-Id: I47f781bc13d54ad5a1b34365fcb9680793b206d1
Reviewed-on: http://gerrit.openafs.org/11778
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
The mount(2) API takes a void*, but 'rn' is const char*, which
is const-incorrect. Our vfs_cmount implementation ignores the 'data'
parameter, but upstream's kernel mount(2) implementation did
have a NULL check until r158611 (in the 6.1 or 7.0 timeframe),
so leave that comment for now.
Arguably we should be using nmount(2) instead of mount(2) anyway,
but leave that for a separate patch.
Reviewed-on: http://gerrit.openafs.org/10821
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 53d7145416c0a6bafa7ecccd113178fc4af04f8f)
Change-Id: Id8ab9ec946a8eee7c73cf234f35e7d12a65f6d84
Reviewed-on: http://gerrit.openafs.org/11776
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
This file is deprecated on FreeBSD, and is not used anywhere.
Reviewed-on: http://gerrit.openafs.org/10817
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit add4b8100e9b9624b6e03fa7d471367720ab062e)
Change-Id: I06dfd8f90f2e8e4b2ca38692cbc4aa90dcdffe13
Reviewed-on: http://gerrit.openafs.org/11775
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Commit 602130f1de65eefeb4e31e114070d544eb9edd40 changed the allocation of the
backing device info to directly use the kernel memory allocator. Unfortunately,
one of the deallocations was not converted to the kernel memory deallocator
in the backport to the 1.6.x branch.
The code path is triggered when the afs root volume is not found (for example,
not -dynroot and the root.afs volume is not available.) This causes the system
to crash instead of just failing to mount /afs.
This is a 1.6.x change only. This bug was introduced in version 1.6.14.1.
FIXES 132653
Change-Id: Ifc991be5f914b4a4e1a797b7e2178dc03436b8e6
Reviewed-on: http://gerrit.openafs.org/12166
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Release notes for OpenAFS 1.6.16
Change-Id: I5c1676b2bad4e94039691fb17f33fb5e278fadbf
Reviewed-on: http://gerrit.openafs.org/12131
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
CVE-2015-8312:
Any pioctl with an input buffer size (ViceIoctl->in_size)
exactly equal to AFS_LRALLOCSIZE (4096 bytes) will cause
a one-byte overwrite of its kernel memory working buffer.
This may crash the operating system or cause other
undefined behavior.
The attacking pioctl must be a valid AFS pioctl code.
However, it need not specify valid arguments (in the ViceIoctl),
since only rudimentary checking is done in afs_HandlePioctl.
Most argument validation occurs later in the individual
pioctl handlers.
Nor does the issuer need to be authenticated or authorized
in any way, since authorization checks also occur much later,
in the individual pioctl handlers. An unauthorized user
may therefore trigger the overrun by either crafting his
own malicious pioctl, or by issuing a privileged
command, e.g. 'fs newalias', with appropriately sized but
otherwise arbitrary arguments. In the latter case, the
attacker will see the expected error message:
"fs: You do not have the required rights to do this operation"
but in either case the damage has been done.
Pioctls are not logged or audited in any way (except those
that cause loggable or auditable events as side effects).
root cause:
afs_HandlePioctli() calls afs_pd_alloc() to allocate two
two afs_pdata structs, one for input and one for output.
The memory for these buffers is based on the requested
size, plus at least one extra byte for the null terminator
to be set later:
requested size allocated
================= =================================
> AFS_LRALLOCSIZ osi_Alloc(size+1)
<= AFS_LRALLOCSIZ afs_AllocLargeSize(AFS_LRALLOCSIZ)
afs_HandlePioctl then adds a null terminator to each buffer,
one byte past the requested size. This is safe in all cases
except one: if the requested in_size was _exactly_
AFS_LRALLOCSIZ (4096 bytes), this null is one byte beyond
the allocated storage, zeroing a byte of kernel memory.
Commit 6260cbecd0795c4795341bdcf98671de6b9a43fb introduced
the null terminators and they were correct at that time.
But the commit message warns:
"note that this works because PIGGYSIZE is always less than
AFS_LRALLOCSIZ"
Commit f8ed1111d76bbf36a466036ff74b44e1425be8bd introduced
the bug by increasing the maximum size of the buffers but
failing to account correctly for the null terminator in
the case of input buffer size == AFS_LRALLOCSIZ.
Commit 592a99d6e693bc640e2bdfc2e7e5243fcedc8f93 (master
version of one of the fixes in the recent 1.6.13 security
release) is the fix that drew my attention to this new
bug. Ironically, 592a99 (combined with this commit), will
make it possible to eliminate the "offending" null termination
line altogether since it will now be performed automatically by
afs_pd_alloc().
[kaduk@mit.edu: adjust commit message for CVE number assignment,
reduce unneeded churn in the diff.]
Change-Id: I0299274c6d879f95c9b40cc85859294c26c410d7
As reported on the -info mailing list, docker is now exporting the
/proc filesystem as read only. ioctl() doesn't need write permissions
to do its work, so change O_RDWR to O_RDONLY.
Reviewed-on: http://gerrit.openafs.org/12122
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 359e1f2a25d242984229edfb378c0b95c3ee8570)
Change-Id: I5ec9262a30c1aa40604e1265b4da00f4597c1cc8
Reviewed-on: http://gerrit.openafs.org/12124
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
configure now checks for the standard getmaxyx() macro; failing that,
it looks for the older but pre-standardization getmaxx() and getmaxy(),
then falls back to the 4.2BSD curses _maxx and _maxy fields; if all
else fails, gtx building is disabled.
gtx now defines getmaxyx() itself if necessary, based on the above.
This also fixes a bug in gtx with all ncurses versions > 1.8.0 on
platforms other than NetBSD and OS X: gtx was using the _maxx and
_maxy fields, which starting with ncurses 1.8.1 were off by 1 from
the expected values. As such, behavior of scout and/or afsmonitor
may change on most ncurses-using platforms.
Reviewed-on: http://gerrit.openafs.org/12107
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit b800f7d9bd5ea390ab330c1c0c38ac8277eb9998)
Change-Id: Ia42eb33a963aa15131511c07ef4823f3f061a762
Reviewed-on: http://gerrit.openafs.org/12125
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
While kpasswd was in the separate openafs-kpasswd package to avoid
clashing with the krb5 executable, openafs-debuginfo still conflicted
with krb5-debuginfo. Remove the x-bits from kpasswd in %install to
make debuginfo processing ignore it, and add them back in the %files
list. Make kapasswd a copy rather than a hard link to have it processed
in the usual way.
This is a 1.6-only change. On the master branch, this issue is fixed
by commit 4e3ceaccd9dc2b6e6a20e938d82af1ebaa2c43c8 which however
removes kpasswd altogether and is thus considered inapproriate for the
stable release series.
FIXES 131771
Change-Id: Icd940e3f5da133a98401c7a28ed6ee0c637bf602
Reviewed-on: http://gerrit.openafs.org/12128
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
These options were copied from the salvager man page and are not implemented by
the salvageserver.
Reviewed-on: http://gerrit.openafs.org/11817
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit fb91be7759605bb4ea5b4dd3ce089df1141c431a)
Change-Id: I615a9a972d5a4a798ba9caae2ee7fd1562081a56
Reviewed-on: http://gerrit.openafs.org/12120
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Add the missing -syslog and -syslogfacility options to
the salvageserver man page.
Reviewed-on: http://gerrit.openafs.org/11816
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit e4bae29efc3d370d1eaf6d954c63c324094c48e5)
Change-Id: I7501b801a49219a1a47d98516426661ad32a8102
Reviewed-on: http://gerrit.openafs.org/12112
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
A first stab at 1.6.16 release notes
Change-Id: I32c8c583a6a3122ab4d4774803246cae0a372d18
Reviewed-on: http://gerrit.openafs.org/12099
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
A continuation entry (struct contentry) contains 39 id elements, however
a regular entry (struct prentry) contains only 10 id elements.
Attempting to access more than 10 elements of a regular entry is
undefined behavior.
Use a stuct contentry when when processing continuation entries in
prdb_check. This is done to safely traverse the id arrays of the
continuation entries. Use the new pr_PrintContEntry to print
continuation entries.
The undefined behavior manfests as a segmentation violation in
WalkNextChain() when built with GCC 4.8 with optimization enabled.
Reviewed-on: http://gerrit.openafs.org/11742
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 15e8678661ec49f5eac3954defad84c06b3e0164)
Change-Id: Ifc0682cd2b6b1590b10c44ccdda181fd4227c1c2
Reviewed-on: http://gerrit.openafs.org/12104
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Continuation entries may not be in owner chains. Fix the
comments in WalkOwnerChain (which were probably copied from
WalkNextChain) and add a check and error message for
continuation entries found on owner chains.
Reviewed-on: http://gerrit.openafs.org/11751
Reviewed-by: Daria Phoebe Brashear <shadow@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 3e9e244d1004972f202490faa0375768959f7690)
Change-Id: I8da044e32e6ade0d8d3050ccebf46d1e735e333a
Reviewed-on: http://gerrit.openafs.org/12103
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
