On Wed, Jun 04, 2014 at 10:19:40AM -0400, Dave Wysochanski wrote:
> The logic inside cache_listeners_exist contains heuristics to
> determine whether there is a userspace process listening to the cache
> file. If there is a listener, the kernel will send a request to service
> the cache to userspace, and wait for a response.
>
> The logic is a bit hard to read, here's some comments which explain the
> existing logic:
> /*
> * If at least one process has the channel file open currently,
> * someone is listening
> */
> if (atomic_read(&detail->readers))
> return true;
> /*
> * If no process has ever opened the channel file,
> * no one is listening
> */
> if (detail->last_close == 0)
> /* This cache was never opened */
> return false;
> /*
> * If the last time we closed the file was more than 30 seconds
> * ago, no one is listening.
> */
> if (detail->last_close < seconds_since_boot() - 30)
> /*
> * We allow for the possibility that someone might
> * restart a userspace daemon without restarting the
> * server; but after 30 seconds, we give up.
> */
> return false;
> /*
> * In all other cases, assume someone is listening
> */
> return true;
>
> The logic is unduly complicated and unfortunately can be 'fooled' into
> thinking some userspace listener daemon exists when it does not. For
> example, we've seen where a simple diagnostic process reading all files
> in /proc/net/rpc (for example, tarring the files up into an archive) can
> fool the kernel due to this logic. Once fooled, the kernel will then
> send requests to validate the cache to userspace thinking some 'cache listener'
> exists, and will timeout. In the case of the nfs server, this leads to
> silently dropped NFS requests due to failing RPC authentication.
> A simple while loop as follows is enough to DoS the NFS server indefinitely:
> while true; do
> cat /proc/net/rpc/auth.unix.gid/channel>/dev/null
> sleep 3
> done
>
> While a better userspace / kernel registration mechanism for cache listeners
> would be the best solution, for now let's just simplify this logic by requiring
> that there actually be someone holding the 'channel' file open for the kernel
> to consider there's someone actually listening and servicing the cache.
>
> The only downside is that now userspace daemons which restart will be noticed
> by the kernel during the restart, but I think this makes sense since there's
> no guarantee the listener will come back.
I think this makes sense, thanks, applying.
--b.
>
> Signed-off-by: Dave Wysochanski <dwysocha@xxxxxxxxxx>
> ---
> net/sunrpc/cache.c | 14 +-------------
> 1 file changed, 1 insertion(+), 13 deletions(-)
>
> diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
> index ae333c1..d5adefc 100644
> --- a/net/sunrpc/cache.c
> +++ b/net/sunrpc/cache.c
> @@ -1137,19 +1137,7 @@ static void warn_no_listener(struct cache_detail *detail)
>
> static bool cache_listeners_exist(struct cache_detail *detail)
> {
> - if (atomic_read(&detail->readers))
> - return true;
> - if (detail->last_close == 0)
> - /* This cache was never opened */
> - return false;
> - if (detail->last_close < seconds_since_boot() - 30)
> - /*
> - * We allow for the possibility that someone might
> - * restart a userspace daemon without restarting the
> - * server; but after 30 seconds, we give up.
> - */
> - return false;
> - return true;
> + return atomic_read(&detail->readers);
> }
>
> /*
> --
> 1.9.3
>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
