1. 04 9月, 2009 1 次提交
  2. 03 9月, 2009 2 次提交
  3. 28 5月, 2009 1 次提交
    • G
      knfsd: remove unreported filehandle stats counters · 1dbd0d53
      Greg Banks 提交于
      The file nfsfh.c contains two static variables nfsd_nr_verified and
      nfsd_nr_put.  These are counters which are incremented as a side
      effect of the fh_verify() fh_compose() and fh_put() operations,
      i.e. at least twice per NFS call for any non-trivial workload.
      Needless to say this makes the cacheline that contains them (and any
      other innocent victims) a very hot contention point indeed under high
      call-rate workloads on multiprocessor NFS server.  It also turns out
      that these counters are not used anywhere.  They're not reported to
      userspace, they're not used in logic, they're not even exported from
      the object file (let alone the module).  All they do is waste CPU time.
      
      So this patch removes them.
      
      Tests on a 16 CPU Altix A4700 with 2 10gige Myricom cards, configured
      separately (no bonding).  Workload is 640 client threads doing directory
      traverals with random small reads, from server RAM.
      
      Before
      ======
      
      Kernel profile:
      
        %   cumulative   self              self     total
       time   samples   samples    calls   1/call   1/call  name
        6.05   2716.00  2716.00    30406     0.09     1.02  svc_process
        4.44   4706.00  1990.00     1975     1.01     1.01  spin_unlock_irqrestore
        3.72   6376.00  1670.00     1666     1.00     1.00  svc_export_put
        3.41   7907.00  1531.00     1786     0.86     1.02  nfsd_ofcache_lookup
        3.25   9363.00  1456.00    10965     0.13     1.01  nfsd_dispatch
        3.10  10752.00  1389.00     1376     1.01     1.01  nfsd_cache_lookup
        2.57  11907.00  1155.00     4517     0.26     1.03  svc_tcp_recvfrom
        ...
        2.21  15352.00  1003.00     1081     0.93     1.00  nfsd_choose_ofc  <----
        ^^^^
      
      Here the function nfsd_choose_ofc() reads a global variable
      which by accident happened to be located in the same cacheline as
      nfsd_nr_verified.
      
      Call rate:
      
      nullarbor:~ # pmdumptext nfs3.server.calls
      ...
      Thu Dec 13 00:15:27     184780.663
      Thu Dec 13 00:15:28     184885.881
      Thu Dec 13 00:15:29     184449.215
      Thu Dec 13 00:15:30     184971.058
      Thu Dec 13 00:15:31     185036.052
      Thu Dec 13 00:15:32     185250.475
      Thu Dec 13 00:15:33     184481.319
      Thu Dec 13 00:15:34     185225.737
      Thu Dec 13 00:15:35     185408.018
      Thu Dec 13 00:15:36     185335.764
      
      After
      =====
      
      kernel profile:
      
        %   cumulative   self              self     total
       time   samples   samples    calls   1/call   1/call  name
        6.33   2813.00  2813.00    29979     0.09     1.01  svc_process
        4.66   4883.00  2070.00     2065     1.00     1.00  spin_unlock_irqrestore
        4.06   6687.00  1804.00     2182     0.83     1.00  nfsd_ofcache_lookup
        3.20   8110.00  1423.00    10932     0.13     1.00  nfsd_dispatch
        3.03   9456.00  1346.00     1343     1.00     1.00  nfsd_cache_lookup
        2.62  10622.00  1166.00     4645     0.25     1.01  svc_tcp_recvfrom
      [...]
        0.10  42586.00    44.00       74     0.59     1.00  nfsd_choose_ofc  <--- HA!!
        ^^^^
      
      Call rate:
      
      nullarbor:~ # pmdumptext nfs3.server.calls
      ...
      Thu Dec 13 01:45:28     194677.118
      Thu Dec 13 01:45:29     193932.692
      Thu Dec 13 01:45:30     194294.364
      Thu Dec 13 01:45:31     194971.276
      Thu Dec 13 01:45:32     194111.207
      Thu Dec 13 01:45:33     194999.635
      Thu Dec 13 01:45:34     195312.594
      Thu Dec 13 01:45:35     195707.293
      Thu Dec 13 01:45:36     194610.353
      Thu Dec 13 01:45:37     195913.662
      Thu Dec 13 01:45:38     194808.675
      
      i.e. about a 5.3% improvement in call rate.
      Signed-off-by: NGreg Banks <gnb@melbourne.sgi.com>
      Reviewed-by: NDavid Chinner <dgc@sgi.com>
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      1dbd0d53
  4. 08 1月, 2009 1 次提交
  5. 07 1月, 2009 1 次提交
  6. 14 11月, 2008 2 次提交
    • D
      CRED: Inaugurate COW credentials · d84f4f99
      David Howells 提交于
      Inaugurate copy-on-write credentials management.  This uses RCU to manage the
      credentials pointer in the task_struct with respect to accesses by other tasks.
      A process may only modify its own credentials, and so does not need locking to
      access or modify its own credentials.
      
      A mutex (cred_replace_mutex) is added to the task_struct to control the effect
      of PTRACE_ATTACHED on credential calculations, particularly with respect to
      execve().
      
      With this patch, the contents of an active credentials struct may not be
      changed directly; rather a new set of credentials must be prepared, modified
      and committed using something like the following sequence of events:
      
      	struct cred *new = prepare_creds();
      	int ret = blah(new);
      	if (ret < 0) {
      		abort_creds(new);
      		return ret;
      	}
      	return commit_creds(new);
      
      There are some exceptions to this rule: the keyrings pointed to by the active
      credentials may be instantiated - keyrings violate the COW rule as managing
      COW keyrings is tricky, given that it is possible for a task to directly alter
      the keys in a keyring in use by another task.
      
      To help enforce this, various pointers to sets of credentials, such as those in
      the task_struct, are declared const.  The purpose of this is compile-time
      discouragement of altering credentials through those pointers.  Once a set of
      credentials has been made public through one of these pointers, it may not be
      modified, except under special circumstances:
      
        (1) Its reference count may incremented and decremented.
      
        (2) The keyrings to which it points may be modified, but not replaced.
      
      The only safe way to modify anything else is to create a replacement and commit
      using the functions described in Documentation/credentials.txt (which will be
      added by a later patch).
      
      This patch and the preceding patches have been tested with the LTP SELinux
      testsuite.
      
      This patch makes several logical sets of alteration:
      
       (1) execve().
      
           This now prepares and commits credentials in various places in the
           security code rather than altering the current creds directly.
      
       (2) Temporary credential overrides.
      
           do_coredump() and sys_faccessat() now prepare their own credentials and
           temporarily override the ones currently on the acting thread, whilst
           preventing interference from other threads by holding cred_replace_mutex
           on the thread being dumped.
      
           This will be replaced in a future patch by something that hands down the
           credentials directly to the functions being called, rather than altering
           the task's objective credentials.
      
       (3) LSM interface.
      
           A number of functions have been changed, added or removed:
      
           (*) security_capset_check(), ->capset_check()
           (*) security_capset_set(), ->capset_set()
      
           	 Removed in favour of security_capset().
      
           (*) security_capset(), ->capset()
      
           	 New.  This is passed a pointer to the new creds, a pointer to the old
           	 creds and the proposed capability sets.  It should fill in the new
           	 creds or return an error.  All pointers, barring the pointer to the
           	 new creds, are now const.
      
           (*) security_bprm_apply_creds(), ->bprm_apply_creds()
      
           	 Changed; now returns a value, which will cause the process to be
           	 killed if it's an error.
      
           (*) security_task_alloc(), ->task_alloc_security()
      
           	 Removed in favour of security_prepare_creds().
      
           (*) security_cred_free(), ->cred_free()
      
           	 New.  Free security data attached to cred->security.
      
           (*) security_prepare_creds(), ->cred_prepare()
      
           	 New. Duplicate any security data attached to cred->security.
      
           (*) security_commit_creds(), ->cred_commit()
      
           	 New. Apply any security effects for the upcoming installation of new
           	 security by commit_creds().
      
           (*) security_task_post_setuid(), ->task_post_setuid()
      
           	 Removed in favour of security_task_fix_setuid().
      
           (*) security_task_fix_setuid(), ->task_fix_setuid()
      
           	 Fix up the proposed new credentials for setuid().  This is used by
           	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
           	 setuid() changes.  Changes are made to the new credentials, rather
           	 than the task itself as in security_task_post_setuid().
      
           (*) security_task_reparent_to_init(), ->task_reparent_to_init()
      
           	 Removed.  Instead the task being reparented to init is referred
           	 directly to init's credentials.
      
      	 NOTE!  This results in the loss of some state: SELinux's osid no
      	 longer records the sid of the thread that forked it.
      
           (*) security_key_alloc(), ->key_alloc()
           (*) security_key_permission(), ->key_permission()
      
           	 Changed.  These now take cred pointers rather than task pointers to
           	 refer to the security context.
      
       (4) sys_capset().
      
           This has been simplified and uses less locking.  The LSM functions it
           calls have been merged.
      
       (5) reparent_to_kthreadd().
      
           This gives the current thread the same credentials as init by simply using
           commit_thread() to point that way.
      
       (6) __sigqueue_alloc() and switch_uid()
      
           __sigqueue_alloc() can't stop the target task from changing its creds
           beneath it, so this function gets a reference to the currently applicable
           user_struct which it then passes into the sigqueue struct it returns if
           successful.
      
           switch_uid() is now called from commit_creds(), and possibly should be
           folded into that.  commit_creds() should take care of protecting
           __sigqueue_alloc().
      
       (7) [sg]et[ug]id() and co and [sg]et_current_groups.
      
           The set functions now all use prepare_creds(), commit_creds() and
           abort_creds() to build and check a new set of credentials before applying
           it.
      
           security_task_set[ug]id() is called inside the prepared section.  This
           guarantees that nothing else will affect the creds until we've finished.
      
           The calling of set_dumpable() has been moved into commit_creds().
      
           Much of the functionality of set_user() has been moved into
           commit_creds().
      
           The get functions all simply access the data directly.
      
       (8) security_task_prctl() and cap_task_prctl().
      
           security_task_prctl() has been modified to return -ENOSYS if it doesn't
           want to handle a function, or otherwise return the return value directly
           rather than through an argument.
      
           Additionally, cap_task_prctl() now prepares a new set of credentials, even
           if it doesn't end up using it.
      
       (9) Keyrings.
      
           A number of changes have been made to the keyrings code:
      
           (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
           	 all been dropped and built in to the credentials functions directly.
           	 They may want separating out again later.
      
           (b) key_alloc() and search_process_keyrings() now take a cred pointer
           	 rather than a task pointer to specify the security context.
      
           (c) copy_creds() gives a new thread within the same thread group a new
           	 thread keyring if its parent had one, otherwise it discards the thread
           	 keyring.
      
           (d) The authorisation key now points directly to the credentials to extend
           	 the search into rather pointing to the task that carries them.
      
           (e) Installing thread, process or session keyrings causes a new set of
           	 credentials to be created, even though it's not strictly necessary for
           	 process or session keyrings (they're shared).
      
      (10) Usermode helper.
      
           The usermode helper code now carries a cred struct pointer in its
           subprocess_info struct instead of a new session keyring pointer.  This set
           of credentials is derived from init_cred and installed on the new process
           after it has been cloned.
      
           call_usermodehelper_setup() allocates the new credentials and
           call_usermodehelper_freeinfo() discards them if they haven't been used.  A
           special cred function (prepare_usermodeinfo_creds()) is provided
           specifically for call_usermodehelper_setup() to call.
      
           call_usermodehelper_setkeys() adjusts the credentials to sport the
           supplied keyring as the new session keyring.
      
      (11) SELinux.
      
           SELinux has a number of changes, in addition to those to support the LSM
           interface changes mentioned above:
      
           (a) selinux_setprocattr() no longer does its check for whether the
           	 current ptracer can access processes with the new SID inside the lock
           	 that covers getting the ptracer's SID.  Whilst this lock ensures that
           	 the check is done with the ptracer pinned, the result is only valid
           	 until the lock is released, so there's no point doing it inside the
           	 lock.
      
      (12) is_single_threaded().
      
           This function has been extracted from selinux_setprocattr() and put into
           a file of its own in the lib/ directory as join_session_keyring() now
           wants to use it too.
      
           The code in SELinux just checked to see whether a task shared mm_structs
           with other tasks (CLONE_VM), but that isn't good enough.  We really want
           to know if they're part of the same thread group (CLONE_THREAD).
      
      (13) nfsd.
      
           The NFS server daemon now has to use the COW credentials to set the
           credentials it is going to use.  It really needs to pass the credentials
           down to the functions it calls, but it can't do that until other patches
           in this series have been applied.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d84f4f99
    • D
      CRED: Separate task security context from task_struct · b6dff3ec
      David Howells 提交于
      Separate the task security context from task_struct.  At this point, the
      security data is temporarily embedded in the task_struct with two pointers
      pointing to it.
      
      Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
      entry.S via asm-offsets.
      
      With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      b6dff3ec
  7. 30 9月, 2008 1 次提交
    • J
      nfsd: permit unauthenticated stat of export root · 04716e66
      J. Bruce Fields 提交于
      RFC 2623 section 2.3.2 permits the server to bypass gss authentication
      checks for certain operations that a client may perform when mounting.
      In the case of a client that doesn't have some form of credentials
      available to it on boot, this allows it to perform the mount unattended.
      (Presumably real file access won't be needed until a user with
      credentials logs in.)
      
      Being slightly more lenient allows lots of old clients to access
      krb5-only exports, with the only loss being a small amount of
      information leaked about the root directory of the export.
      
      This affects only v2 and v3; v4 still requires authentication for all
      access.
      
      Thanks to Peter Staubach testing against a Solaris client, which
      suggesting addition of v3 getattr, to the list, and to Trond for noting
      that doing so exposes no additional information.
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Cc: Peter Staubach <staubach@redhat.com>
      Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
      04716e66
  8. 27 7月, 2008 1 次提交
  9. 01 7月, 2008 1 次提交
    • N
      nfsd: fix spurious EACCESS in reconnect_path() · 496d6c32
      Neil Brown 提交于
      Thanks to Frank Van Maarseveen for the original problem report: "A
      privileged process on an NFS client which drops privileges after using
      them to change the current working directory, will experience incorrect
      EACCES after an NFS server reboot. This problem can also occur after
      memory pressure on the server, particularly when the client side is
      quiet for some time."
      
      This occurs because the filehandle points to a directory whose parents
      are no longer in the dentry cache, and we're attempting to reconnect the
      directory to its parents without adequate permissions to perform lookups
      in the parent directories.
      
      We can therefore fix the problem by acquiring the necessary capabilities
      before attempting the reconnection.  We do this only in the
      no_subtree_check case, since the documented behavior of the
      subtree_check export option requires the server to check that the user
      has lookup permissions on all parents.
      
      The subtree_check case still has a problem, since reconnect_path()
      unnecessarily requires both read and lookup permissions on all parent
      directories.  However, a fix in that case would be more delicate, and
      use of subtree_check is already discouraged for other reasons.
      Signed-off-by: NNeil Brown <neilb@suse.de>
      Cc: Frank van Maarseveen <frankvm@frankvm.com>
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      496d6c32
  10. 24 6月, 2008 1 次提交
  11. 24 4月, 2008 1 次提交
    • J
      nfsd: move most of fh_verify to separate function · 03550fac
      J. Bruce Fields 提交于
      Move the code that actually parses the filehandle and looks up the
      dentry and export to a separate function.  This simplifies the reference
      counting a little and moves fh_verify() a little closer to the kernel
      ideal of small, minimally-indentended functions.  Clean up a few other
      minor style sins along the way.
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Cc: Neil Brown <neilb@suse.de>
      03550fac
  12. 15 3月, 2008 1 次提交
    • J
      nfsd: fix oops on access from high-numbered ports · b663c6fd
      J. Bruce Fields 提交于
      This bug was always here, but before my commit 6fa02839
      ("recheck for secure ports in fh_verify"), it could only be triggered by
      failure of a kmalloc().  After that commit it could be triggered by a
      client making a request from a non-reserved port for access to an export
      marked "secure".  (Exports are "secure" by default.)
      
      The result is a struct svc_export with a reference count one too low,
      resulting in likely oopses next time the export is accessed.
      
      The reference counting here is not straightforward; a later patch will
      clean up fh_verify().
      
      Thanks to Lukas Hejtmanek for the bug report and followup.
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Cc: Lukas Hejtmanek <xhejtman@ics.muni.cz>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b663c6fd
  13. 22 2月, 2008 1 次提交
  14. 15 2月, 2008 1 次提交
  15. 02 2月, 2008 1 次提交
  16. 13 11月, 2007 1 次提交
    • J
      nfsd4: recheck for secure ports in fh_verify · 6fa02839
      J. Bruce Fields 提交于
      As with commit 7fc90ec9 ("knfsd: nfsd:
      call nfsd_setuser() on fh_compose(), fix nfsd4 permissions problem")
      this is a case where we need to redo a security check in fh_verify()
      even though the filehandle already has an associated dentry--if the
      filehandle was created by fh_compose() in an earlier operation of the
      nfsv4 compound, then we may not have done these checks yet.
      
      Without this fix it is possible, for example, to traverse from an export
      without the secure ports requirement to one with it in a single
      compound, and bypass the secure port check on the new export.
      
      While we're here, fix up some minor style problems and change a printk()
      to a dprintk(), to make it harder for random unprivileged users to spam
      the logs.
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Reviewed-By: NNeilBrown <neilb@suse.de>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6fa02839
  17. 22 10月, 2007 1 次提交
    • C
      exportfs: add fid type · 6e91ea2b
      Christoph Hellwig 提交于
      This patchset is a medium scale rewrite of the export operations interface.
      The goal is to make the interface less complex, and easier to understand from
      the filesystem side, aswell as preparing generic support for exporting of
      64bit inode numbers.
      
      This touches all nfs exporting filesystems, and I've done testing on all of
      the filesystems I have here locally (xfs, ext2, ext3, reiserfs, jfs)
      
      This patch:
      
      Add a structured fid type so that we don't have to pass an array of u32 values
      around everywhere.  It's a union of possible layouts.
      
      As a start there's only the u32 array and the traditional 32bit inode format,
      but there will be more in one of my next patchset when I start to document the
      various filehandle formats we have in lowlevel filesystems better.
      
      Also add an enum that gives the various filehandle types human- readable
      names.
      
      Note: Some people might think the struct containing an anonymous union is
      ugly, but I didn't want to pass around a raw union type.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Cc: Neil Brown <neilb@suse.de>
      Cc: "J. Bruce Fields" <bfields@fieldses.org>
      Cc: <linux-ext4@vger.kernel.org>
      Cc: Dave Kleikamp <shaggy@austin.ibm.com>
      Cc: Anton Altaparmakov <aia21@cantab.net>
      Cc: David Chinner <dgc@sgi.com>
      Cc: Timothy Shimmin <tes@sgi.com>
      Cc: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
      Cc: Hugh Dickins <hugh@veritas.com>
      Cc: Chris Mason <mason@suse.com>
      Cc: Jeff Mahoney <jeffm@suse.com>
      Cc: "Vladimir V. Saveliev" <vs@namesys.com>
      Cc: Steven Whitehouse <swhiteho@redhat.com>
      Cc: Mark Fasheh <mark.fasheh@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6e91ea2b
  18. 11 9月, 2007 1 次提交
  19. 18 7月, 2007 8 次提交
  20. 10 5月, 2007 1 次提交
  21. 09 5月, 2007 1 次提交
  22. 15 3月, 2007 1 次提交
  23. 15 2月, 2007 3 次提交
  24. 13 2月, 2007 1 次提交
  25. 02 2月, 2007 1 次提交
  26. 31 1月, 2007 1 次提交
  27. 14 12月, 2006 1 次提交
    • J
      [PATCH] knfsd: nfsd: don't drop silently on upcall deferral · e0bb89ef
      J.Bruce Fields 提交于
      To avoid tying up server threads when nfsd makes an upcall (to mountd, to get
      export options, to idmapd, for nfsv4 name<->id mapping, etc.), we temporarily
      "drop" the request and save enough information so that we can revisit it
      later.
      
      Certain failures during the deferral process can cause us to really drop the
      request and never revisit it.
      
      This is often less than ideal, and is unacceptable in the NFSv4 case--rfc 3530
      forbids the server from dropping a request without also closing the
      connection.
      
      As a first step, we modify the deferral code to return -ETIMEDOUT (which is
      translated to nfserr_jukebox in the v3 and v4 cases, and remains a drop in the
      v2 case).
      Signed-off-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Signed-off-by: NNeil Brown <neilb@suse.de>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      e0bb89ef
  28. 21 10月, 2006 1 次提交
  29. 01 8月, 2006 1 次提交