Commit Graph

103 Commits

Author SHA1 Message Date
Konstantin Belousov
730b63b0c2 Remove prtactive variable and related printf()s in the vop_inactive
and vop_reclaim() methods. They seem to be unused, and the reported
situation is normal for the forced unmount.

MFC after:   1 week
X-MFC-note:  keep prtactive symbol in vfs_subr.c
2010-11-19 21:17:34 +00:00
Robert Watson
be80264279 Properly bounds check ioctl/pioctl data arguments for Coda:
1. Use unsigned rather than signed lengths
2. Bound messages to/from Venus to VC_MAXMSGSIZE
3. Bound messages to/from general user processes to VC_MAXDATASIZE
4. Update comment regarding data limits for pioctl

Without (1) and (3), it may be possible for unprivileged user processes to
read sensitive portions of kernel memory.  This issue is only present if
the Coda kernel module is loaded and venus (the userspace Coda daemon) is
running and has /coda mounted.

As Coda is considered experimental and production use is warned against in
the coda(4) man page, and because Coda must be explicitly configured for a
configuration to be vulnerable, we won't be issuing a security advisory.
However, if you are using Coda, then you are advised to apply these fixes.

Reported by:	Dan J. Rosenberg <drosenberg at vsecurity.com>
Obtained from:	NetBSD (Christos Zoulas)
Security:	Kernel memory disclosure; no advisory as feature experimental
MFC after:	3 days
2010-08-07 08:08:14 +00:00
Robert Watson
f1853d0fc2 Synchronize Coda kernel module definitions in our coda.h to Coda 6's
coda.h:

- CodaFid typedef -> struct CodaFid throughout.
- Use unsigned int instead of unsigned long for venus_dirent and other
  cosmetic fixes.
- Introduce cuid_t and cgid_t and use instead of uid_t and gid_t in RPCs.
- Synchronize comments and macros.
- Use u_int32_t instead of unsigned long for coda_out_hdr.

With these changes, a 64-bit Coda kernel module now works with
coda6_client, whereas previous userspace and kernel versions of RPCs
differed sufficiently to prevent using the file system.  This has been
verified only with casual testing, but /coda is now usable for at least
basic operations on amd64.

MFC after:	1 week
2010-04-05 20:12:54 +00:00
Konstantin Belousov
9f80ce043d Change the type of uio_resid member of struct uio from int to ssize_t.
Note that this does not actually enable full-range i/o requests for
64 architectures, and is done now to update KBI only.

Tested by:	pho
Reviewed by:	jhb, bde (as part of the review of the bigger patch)
2009-06-25 18:46:30 +00:00
John Baldwin
ea77ff0a15 Use shared vnode locks when invoking VOP_READDIR().
MFC after:	1 month
2009-02-13 18:18:14 +00:00
Edward Tomasz Napierala
15bc6b2bd8 Introduce accmode_t. This is required for NFSv4 ACLs - it will be necessary
to add more V* constants, and the variables changed by this patch were often
being assigned to mode_t variables, which is 16 bit.

Approved by:	rwatson (mentor)
2008-10-28 13:44:11 +00:00
Attilio Rao
0359a12ead Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread
was always curthread and totally unuseful.

Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
2008-08-28 15:23:18 +00:00
Robert Watson
93b510870f Reorder and clean up make_coda_node(), annotate weaknesses in the
implementation.

MFC after:	1 month
2008-02-15 11:58:11 +00:00
Robert Watson
c0964f549b Remove debugging code under OLD_DIAGNOSTIC; this is all >10 years old and
hasn't been used in that time.

MFC after:	1 month
2008-02-14 00:55:03 +00:00
Robert Watson
38ab9a906a Implement a rudimentary access cache for the Coda kernel module,
modeled on the access cache found in NFS, smbfs, and the Linux coda
module.  This is a positive access cache of a single entry per file,
tracking recently granted rights, but unlike NFS and smbfs,
supporting explicit invalidation by the distributed file system.

For each cnode, maintain a C_ACCCACHE flag indicating the validity
of the cache, and a cached uid and mode tracking recently granted
positive access control decisions.

Prefer the cache to venus_access() in VOP_ACCESS() if it is valid,
and when we must fall back to venus_access(), update the cache.

Allow Venus to clear the access cache, either the whole cache on
CODA_FLUSH, or just entries for a specific uid on CODA_PURGEUSER.
Unlike the Coda module on Linux, we don't flush all entries on a
user purge using a generation number, we instead walk present
cnodes and clear only entries for the specific user, meaning it is
somewhat more expensive but won't hit all users.

Since the Coda module is aggressive about not keeping around
unopened cnodes, the utility of the cache is somewhat limited for
files, but works well for directories.  We should make Coda less
aggressive about GCing cnodes in VOP_INACTIVE() in order to improve
the effectiveness of in-kernel caching of attributes and access
rights.

MFC after:	1 month
2008-02-13 15:45:12 +00:00
Robert Watson
44abffb44b Rather than having the Coda module use its own namecache, use the global
VFS namecache, as is done by the Coda module on Linux.  Unlike the Coda
namecache, the global VFS namecache isn't tagged by credential, so use
more conservative flushing behavior (for now) when CODA_PURGEUSER is
issued by Venus.

This improves overall integration with the FreeBSD VFS, including
allowing __getcwd() to work better, procfs/procstat monitoring, and so
on.  This improves shell behavior in many cases, and improves ".."
handling.  It may lead to some slowdown until we've implemented a
specific access cache, which should net improve performance, but in the
mean time, lookup access control now always goes to Venus, whereas
previously it didn't.

MFC after:	1 month
2008-02-13 13:06:22 +00:00
Robert Watson
4f52b754df Clean up coda_pathconf() slightly while debugging a problem there.
MFC after:	1 month
2008-02-11 00:01:45 +00:00
Robert Watson
21bb029533 Since we're now actively maintaining the Coda module in the FreeBSD source
tree, restyle everything but coda.h (which is more explicitly shared
across systems) into a closer approximation to style(9).

Remove a few more unused function prototypes.

Add or clarify some comments.

MFC after:	1 month
2008-02-10 11:18:12 +00:00
Robert Watson
d57786ec68 Various further non-functional cleanups to coda:
- Rename print_vattr to coda_print_vattr and make static, rename
  print_cred to coda_print_cred.
- Remove unused coda_vop_nop.
- Add XXX comment because coda_readdir forwards to the cache vnode's
  readdir rather than venus_readdir, and annotate venus_readdir as
  unused.
- Rename vc_nb_* to vc_*.
- Use d_open_t, d_close_t, d_read_t, d_write_t, d_ioctl_t and d_poll_t
  for prototyping vc_* as that is the intent, don't use our own
  definitions.
- Rename coda_nb_statfs to coda_statfs, rename NB_SFS_SIZ to
  CODA_SFS_SIZ.
- Replace one more OBE reference to NetBSD with a reference to FreeBSD.
- Tidy up a little vertical whitespace here and there.
- Annotate coda_nc_zapvnode as unused.
- Remove unused vcodattach.
- Annotate VM_INTR as unused.
- Annotate that coda_fhtovp is unused and doesn't match the FreeBSD
  prototype, so isn't hooked up to vfs_fhtovp.  If we want NFS export of
  Coda to work someday, this needs to be fixed.
- Remove unused getNewVnode.
- Remove unused coda_vget, coda_init, coda_quotactl prototypes.

MFC after:	1 month
2008-02-09 12:49:18 +00:00
Robert Watson
82e4904ffb Since Coda is effectively a stacked file system, use VOP_EOPNOTSUPP
for vop_bmap; delete the existing stub that returned either EINVAL
or EOPNOTSUPP, and had unreachable calls to VOP_BMAP on the cache
vnode.

MFC after:	1 month
2008-02-09 09:33:19 +00:00
Robert Watson
37245e3742 Lock cache vnode when VOP_FSYNC() is called on a Coda vnode.
MFC after:	1 month
2008-02-09 00:12:22 +00:00
Robert Watson
6dc70a9dec Make all calls to vn_lock() in Coda, including recently added ones,
use LK_RETRY, since failure is undesirable (and not handled).

MFC after:	1 month
Pointed out by:	kib
2008-02-09 00:03:22 +00:00
Robert Watson
7a246a6314 The Coda module was originally ported to NetBSD from Mach by rvb, and
then later to FreeBSD.  Update various NetBSD-related comments: in some
cases delete them because they don't apply, in others update to say
FreeBSD as they still apply but in FreeBSD (and might for that matter
no longer apply on NetBSD), and flag one case where I'm not sure
whether it applies.

MFC after:	1 month
2008-02-08 23:15:36 +00:00
Robert Watson
efeac2fb25 Before invoking vnode operations on cache vnodes, acquire the vnode
locks of those vnodes.  Probably, Coda should do the same lock sharing/
pass-through that is done for nullfs, but in the mean time this ensures
that locks are adequately held to prevent corruption of data structures
in the cache file system.

Assuming most operations came from the top layer of Coda and weren't
performed directly on the cache vnodes, in practice this corruption was
relatively unlikely as the Coda vnode locks were ensuring exclusive
access for most consumers.

This causes WITNESS to squeal like a pig immediately when Coda is used,
rather than waiting until file close; I noticed these problems because
of the lack of said squealing.

MFC after:	1 month
2008-02-08 23:01:40 +00:00
Robert Watson
9d3e5c0e2b Put "coda_rdwr: Internally Opening" printf generated by in-kernel writes
to files, such as ktrace output, under CODA_VERBOSE.  Otherwise, each
such call to VOP_WRITE() results in a kernel printf.

MFC after:	3 days
Obtained from:	NetBSD
2008-01-21 21:39:08 +00:00
Robert Watson
e866951b59 Replace references to VOP_LOCK() w/o LK_RETRY to vn_lock() with LK_RETRY,
avoiding extra error handling, or in some cases, missing error handling.

MFC after:	3 days
Discussed with:	kib
2008-01-21 21:19:07 +00:00
Robert Watson
de5910460a Improve default vnode operation handling for Coda:
- Don't specify vnode operations for mknod, lease, and advlock--let them
  fall through to vop_default.

- Implement vop_default with &default_vnodeops, rather than with VOP_PANIC,
  so that unimplemented vnode operations are handled in more sensible ways
  than panicking, such as EOPNOTSUPP on ACL queries generated by bsdtar,
  or mknod.

MFC after:	3 days
2008-01-19 17:12:44 +00:00
Robert Watson
96b1e9b015 Don't acquire an additional vnode reference to a vnode when it is opened
and then release it when it is closed: we rely on the caller to keep the
vnode around with a valid reference.  This avoids vrele() destroying the
vnode vop_close() is being called from during a call to vop_close(), and
a crash due to lockmgr recursing the vnode lock when a Coda unmount
occurs.

MFC after:	3 days
2008-01-19 15:39:10 +00:00
Robert Watson
11cc4ab95a Use VOP_NULL rather than VOP_PANIC for Coda's vop_print routine, so as
to avoid panicking in DDB show lockedvnods.

MFC after:	3 days
2008-01-19 13:41:56 +00:00
Robert Watson
d883e8e720 Lock the new directory vnode returned by coda_mkdir(), as this is required
by FreeBSD's vnode locking protocol.

MFC after:	3 days
2008-01-19 13:29:14 +00:00
Robert Watson
6885d70dfe Borrow the VM object associated with an underlying cache vnode with the
Coda vnode derived from it, in the style of nullfs.  This allows files
in the Coda file system to be memory-mapped, such as with execve(2) or
mmap(2).

MFC after:	3 days
Reported by:	Rune <u+openafsdev-sr55 at chalmers dot se>
2008-01-19 13:27:14 +00:00
Attilio Rao
22db15c06f VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in
conjunction with 'thread' argument passing which is always curthread.
Remove the unuseful extra-argument and pass explicitly curthread to lower
layer functions, when necessary.

KPI results broken by this change, which should affect several ports, so
version bumping and manpage update will be further committed.

Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
2008-01-13 14:44:15 +00:00
Attilio Rao
cb05b60a89 vn_lock() is currently only used with the 'curthread' passed as argument.
Remove this argument and pass curthread directly to underlying
VOP_LOCK1() VFS method. This modification makes the code cleaner and in
particular removes an annoying dependence helping next lockmgr() cleanup.
KPI results, obviously, changed.

Manpage and FreeBSD_version will be updated through further commits.

As a side note, would be valuable to say that next commits will address
a similar cleanup about VFS methods, in particular vop_lock1 and
vop_unlock.

Tested by:	Diego Sardina <siarodx at gmail dot com>,
		Andrea Di Pasquale <whyx dot it at gmail dot com>
2008-01-10 01:10:58 +00:00
Robert Watson
825eaf3470 Make sure we release the control vnode in Coda:
We allocate coda_ctlvp when /coda is mounted, but never release it.
During the unmount this vnode was marked as UNMOUNTING and when venus
is started a second time the system would hang, possibly waiting for
the old vnode to disappear.

So now we call vrele on the control vnode when file system is unmounted
to drop the reference we got during the mount. I'm pretty sure it is
also necessary to not skip the handling in coda_inactive for the control
vnode, it seems like that is the place we actually get rid of the vnode
once the refcount has dropped to 0.

Submitted by:	Jan Harkes <jaharkes at cs dot cmu dot edu>
Approved by:	re (kensmith)
2007-07-20 11:14:51 +00:00
Robert Watson
00f05dc847 Complete repo-copy and move of Coda from src/sys/coda to src/sys/fs/coda
by removing files from src/sys/coda, and updating include paths in the
new location, kernel configuration, and Makefiles.  In one case add
$FreeBSD$.

Discussed with:		anderson, Jan Harkes <jaharkes@cs.cmu.edu>
Approved by:		re (kensmith)
Repo-copy madness:	simon
2007-07-12 21:04:58 +00:00
Robert Watson
74d326ada8 Replace CODA_OPEN with CODA_OPEN_BY_FD: coda_open was disabled because
we can't open container files by device/inode number pair anymore.
Replace the CODA_OPEN upcall with CODA_OPEN_BY_FD, where venus returns
an open file descriptor for the container file.  We can then grab a
reference on the vnode coda_psdev.c:vc_nb_write and use this vnode for
further accesses to the container file.

Submitted by:	Jan Harkes <jaharkes@cs.cmu.edu>
Approved by:	re (kensmith)
2007-07-11 21:32:08 +00:00
Konstantin Belousov
9e223287c0 Revert UF_OPENING workaround for CURRENT.
Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation
argument from being file descriptor index into the pointer to struct file.

Proposed and reviewed by:	jhb
Reviewed by:	daichi (unionfs)
Approved by:	re (kensmith)
2007-05-31 11:51:53 +00:00
Konstantin Belousov
d413d21071 Since renaming of vop_lock to _vop_lock, pre- and post-condition
function calls are no more generated for vop_lock.
Rename _vop_lock to vop_lock1 to satisfy tools/vnode_if.awk assumption
about vop naming conventions. This restores pre/post-condition calls.
2007-05-18 13:02:13 +00:00
Tor Egge
61b9d89ff0 Make insmntque() externally visible and allow it to fail (e.g. during
late stages of unmount).  On failure, the vnode is recycled.

Add insmntque1(), to allow for file system specific cleanup when
recycling vnode on failure.

Change getnewvnode() to no longer call insmntque().  Previously,
embryonic vnodes were put onto the list of vnode belonging to a file
system, which is unsafe for a file system marked MPSAFE.

Change vfs_hash_insert() to no longer lock the vnode.  The caller now
has that responsibility.

Change most file systems to lock the vnode and call insmntque() or
insmntque1() after a new vnode has been sufficiently setup.  Handle
failed insmntque*() calls by propagating errors to callers, possibly
after some file system specific cleanup.

Approved by:	re (kensmith)
Reviewed by:	kib
In collaboration with:	kib
2007-03-13 01:50:27 +00:00
Kip Macy
2f6a774be4 change vop_lock handling to allow tracking of callers' file and line for
acquisition of lockmgr locks

Approved by: scottl (standing in for mentor rwatson)
2006-11-13 05:51:22 +00:00
Jeff Roberson
89b0e10910 - Reorder calls to vrele() after calls to vput() when the vrele is a
directory.  vrele() may lock the passed vnode, which in these cases would
   give an invalid lock order of child -> parent.  These situations are
   deadlock prone although do not typically deadlock because the vrele
   is typically not releasing the last reference to the vnode.  Users of
   vrele must consider it as a call to vn_lock() and order it appropriately.

MFC After: 	1 week
Sponsored by:	Isilon Systems, Inc.
Tested by:	kkenn
2006-02-01 00:25:26 +00:00
Robert Watson
0bdfeca765 Convert last four functions in coda_vnops.c to ANSI C function
declarations.  I knew I would get to fix something in Coda
eventually.

MFC after:	1 week
2006-01-21 19:51:47 +00:00
Jeff Roberson
4585e3ac5a - Change all filesystems and vfs_cache to relock the dvp once the child is
locked in the ISDOTDOT case.  See vfs_lookup.c r1.79 for details.

Sponsored by:	Isilon Systems, Inc.
2005-04-13 10:59:09 +00:00
Jeff Roberson
b2255473fb - Don't panic if we can't lock a child in lookup, return an error instead.
- Only unlock the directory if this is a DOTDOT lookup.  Previously this
   code could have deadlocked if there was a DOTDOT lookup with LOCKPARENT
   set and another thread was locking the other way up the tree.

Sponsored by:	Isilon Systems, Inc.
2005-03-28 13:39:16 +00:00
Jeff Roberson
172ffe319a - The c_lock in the coda node does not offer any features over the standard
vnode lock.  Remove the c_lock and use the vn lock in its place.
 - Keep the coda lock functions so that the debugging information is
   preserved, but call directly to the vop_std*lock routines for the real
   functionality.

Sponsored by:	Isilon Systems, Inc.
2005-03-13 12:09:34 +00:00
Poul-Henning Kamp
49829f2ec5 Remove vop_destroyvobject() initialization.
2005-02-07 08:04:24 +00:00
Poul-Henning Kamp
a369f34d76 Make filesystems get rid of their own vnodes vnode_pager object in
VOP_RECLAIM().
2005-01-28 14:42:17 +00:00
Poul-Henning Kamp
729fcf7efb Take VOP_GETVOBJECT() out to pasture. We use the direct pointer now.
2005-01-25 00:42:16 +00:00
Poul-Henning Kamp
69816ea35e Kill VOP_CREATEVOBJECT(), it is now the responsibility of the filesystem
for a given vnode to create a vnode_pager object if one is needed.
2005-01-25 00:12:24 +00:00
Poul-Henning Kamp
dcff5b1440 Don't call VOP_CREATEVOBJECT(), it's the responsibility of the
filesystem which owns the vnode.
2005-01-24 23:53:54 +00:00
Poul-Henning Kamp
e39db32ab0 Ditch vfs_object_create() and make the callers call VOP_CREATEVOBJECT()
directly.
2005-01-13 12:25:19 +00:00
Poul-Henning Kamp
8df6bac4c7 Remove the unused credential argument from VOP_FSYNC() and VFS_SYNC().
I'm not sure why a credential was added to these in the first place, it is
not used anywhere and it doesn't make much sense:

	The credentials for syncing a file (ability to write to the
	file) should be checked at the system call level.

	Credentials for syncing one or more filesystems ("none")
	should be checked at the system call level as well.

	If the filesystem implementation needs a particular credential
	to carry out the syncing it would logically have to the
	cached mount credential, or a credential cached along with
	any delayed write data.

Discussed with:	rwatson
2005-01-11 07:36:22 +00:00
Warner Losh
5de2b5750c Start each of the license/copyright comments with /*-
2005-01-05 23:35:00 +00:00
Poul-Henning Kamp
aec0fb7b40 Back when VOP_* was introduced, we did not have new-style struct
initializations but we did have lofty goals and big ideals.

Adjust to more contemporary circumstances and gain type checking.

	Replace the entire vop_t frobbing thing with properly typed
	structures.  The only casualty is that we can not add a new
	VOP_ method with a loadable module.  History has not given
	us reason to believe this would ever be feasible in the
	first place.

	Eliminate in toto VOCALL(), vop_t, VNODEOP_SET() etc.

	Give coda correct prototypes and function definitions for
	all vop_()s.

	Generate a bit more data from the vnode_if.src file:  a
	struct vop_vector and prototype typedefs for all vop methods.

	Add a new vop_bypass() and make vop_default be a pointer
	to another struct vop_vector.

	Remove a lot of vfs_init since vop_vector is ready to use
	from the compiler.

	Cast various vop_mumble() to void * with uppercase name,
	for instance VOP_PANIC, VOP_NULL etc.

	Implement VCALL() by making vdesc_offset the offsetof() the
	relevant function pointer in vop_vector.  This is disgusting
	but since the code is generated by a script comparatively
	safe.  The alternative for nullfs etc. would be much worse.

	Fix up all vnode method vectors to remove casts so they
	become typesafe.  (The bulk of this is generated by scripts)
2004-12-01 23:16:38 +00:00
Poul-Henning Kamp
9c83534dd8 Make VOP_BMAP return a struct bufobj for the underlying storage device
instead of a vnode for it.

The vnode_pager does not and should not have any interest in what
the filesystem uses for backend.

(vfs_cluster doesn't use the backing store argument.)
2004-11-15 09:18:27 +00:00