1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software contributed to Berkeley by 8 * Rick Macklem at The University of Guelph. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 */ 35 36 #include <sys/cdefs.h> 37 #include "opt_inet6.h" 38 #include "opt_kgssapi.h" 39 #include "opt_kern_tls.h" 40 41 #include <fs/nfs/nfsport.h> 42 43 #include <rpc/rpc.h> 44 #include <rpc/rpcsec_gss.h> 45 #include <rpc/rpcsec_tls.h> 46 47 #include <fs/nfsserver/nfs_fha_new.h> 48 49 #include <security/mac/mac_framework.h> 50 51 NFSDLOCKMUTEX; 52 NFSV4ROOTLOCKMUTEX; 53 char *nfsrv_zeropnfsdat = NULL; 54 55 /* 56 * Mapping of old NFS Version 2 RPC numbers to generic numbers. 57 */ 58 int newnfs_nfsv3_procid[NFS_V3NPROCS] = { 59 NFSPROC_NULL, 60 NFSPROC_GETATTR, 61 NFSPROC_SETATTR, 62 NFSPROC_NOOP, 63 NFSPROC_LOOKUP, 64 NFSPROC_READLINK, 65 NFSPROC_READ, 66 NFSPROC_NOOP, 67 NFSPROC_WRITE, 68 NFSPROC_CREATE, 69 NFSPROC_REMOVE, 70 NFSPROC_RENAME, 71 NFSPROC_LINK, 72 NFSPROC_SYMLINK, 73 NFSPROC_MKDIR, 74 NFSPROC_RMDIR, 75 NFSPROC_READDIR, 76 NFSPROC_FSSTAT, 77 NFSPROC_NOOP, 78 NFSPROC_NOOP, 79 NFSPROC_NOOP, 80 NFSPROC_NOOP, 81 }; 82 83 SYSCTL_DECL(_vfs_nfsd); 84 85 NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 0; 86 SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, 87 &NFSD_VNET_NAME(nfs_privport), 0, 88 "Only allow clients using a privileged port for NFSv2, 3 and 4"); 89 90 NFSD_VNET_DEFINE_STATIC(int, nfs_minvers) = NFS_VER2; 91 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_min_nfsvers, 92 CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_minvers), 0, 93 "The lowest version of NFS handled by the server"); 94 95 NFSD_VNET_DEFINE_STATIC(int, nfs_maxvers) = NFS_VER4; 96 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_max_nfsvers, 97 CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_maxvers), 0, 98 "The highest version of NFS handled by the server"); 99 100 static int nfs_proc(struct nfsrv_descript *, u_int32_t, SVCXPRT *xprt, 101 struct nfsrvcache **); 102 103 extern u_long sb_max_adj; 104 extern int newnfs_numnfsd; 105 extern time_t nfsdev_time; 106 extern int nfsrv_writerpc[NFS_NPROCS]; 107 extern volatile int nfsrv_devidcnt; 108 extern struct nfsv4_opflag nfsv4_opflag[NFSV42_NOPS]; 109 extern int nfsd_debuglevel; 110 111 NFSD_VNET_DECLARE(struct proc *, nfsd_master_proc); 112 113 NFSD_VNET_DEFINE(SVCPOOL *, nfsrvd_pool); 114 NFSD_VNET_DEFINE(int, nfsrv_numnfsd) = 0; 115 NFSD_VNET_DEFINE(struct nfsv4lock, nfsd_suspend_lock); 116 117 NFSD_VNET_DEFINE_STATIC(bool, nfsrvd_inited) = false; 118 119 /* 120 * NFS server system calls 121 */ 122 123 static void 124 nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) 125 { 126 struct nfsrv_descript nd; 127 struct nfsrvcache *rp = NULL; 128 rpc_gss_rawcred_t *rcredp; 129 int cacherep, credflavor, i, j; 130 u_char *p; 131 #ifdef KERN_TLS 132 u_int maxlen; 133 #endif 134 135 NFSD_CURVNET_SET_QUIET(NFSD_TD_TO_VNET(curthread)); 136 memset(&nd, 0, sizeof(nd)); 137 if (rqst->rq_vers == NFS_VER2) { 138 if (rqst->rq_proc > NFSV2PROC_STATFS || 139 newnfs_nfsv3_procid[rqst->rq_proc] == NFSPROC_NOOP) { 140 svcerr_noproc(rqst); 141 svc_freereq(rqst); 142 goto out; 143 } 144 nd.nd_procnum = newnfs_nfsv3_procid[rqst->rq_proc]; 145 nd.nd_flag = ND_NFSV2; 146 } else if (rqst->rq_vers == NFS_VER3) { 147 if (rqst->rq_proc >= NFS_V3NPROCS) { 148 svcerr_noproc(rqst); 149 svc_freereq(rqst); 150 goto out; 151 } 152 nd.nd_procnum = rqst->rq_proc; 153 nd.nd_flag = ND_NFSV3; 154 } else { 155 if (rqst->rq_proc != NFSPROC_NULL && 156 rqst->rq_proc != NFSV4PROC_COMPOUND) { 157 svcerr_noproc(rqst); 158 svc_freereq(rqst); 159 goto out; 160 } 161 nd.nd_procnum = rqst->rq_proc; 162 nd.nd_flag = ND_NFSV4; 163 } 164 165 /* 166 * Note: we want rq_addr, not svc_getrpccaller for nd_nam2 - 167 * NFS_SRVMAXDATA uses a NULL value for nd_nam2 to detect TCP 168 * mounts. 169 */ 170 nd.nd_mrep = rqst->rq_args; 171 rqst->rq_args = NULL; 172 newnfs_realign(&nd.nd_mrep, M_WAITOK); 173 nd.nd_md = nd.nd_mrep; 174 nd.nd_dpos = mtod(nd.nd_md, caddr_t); 175 nd.nd_nam = svc_getrpccaller(rqst); 176 nd.nd_nam2 = rqst->rq_addr; 177 nd.nd_mreq = NULL; 178 nd.nd_cred = NULL; 179 180 if (NFSD_VNET(nfs_privport) != 0) { 181 /* Check if source port is privileged */ 182 u_short port; 183 struct sockaddr *nam = nd.nd_nam; 184 struct sockaddr_in *sin; 185 186 sin = (struct sockaddr_in *)nam; 187 /* 188 * INET/INET6 - same code: 189 * sin_port and sin6_port are at same offset 190 */ 191 port = ntohs(sin->sin_port); 192 if (port >= IPPORT_RESERVED && 193 nd.nd_procnum != NFSPROC_NULL) { 194 #ifdef INET6 195 char buf[INET6_ADDRSTRLEN]; 196 #else 197 char buf[INET_ADDRSTRLEN]; 198 #endif 199 #ifdef INET6 200 #if defined(KLD_MODULE) 201 /* Do not use ip6_sprintf: the nfs module should work without INET6. */ 202 #define ip6_sprintf(buf, a) \ 203 (sprintf((buf), "%x:%x:%x:%x:%x:%x:%x:%x", \ 204 (a)->s6_addr16[0], (a)->s6_addr16[1], \ 205 (a)->s6_addr16[2], (a)->s6_addr16[3], \ 206 (a)->s6_addr16[4], (a)->s6_addr16[5], \ 207 (a)->s6_addr16[6], (a)->s6_addr16[7]), \ 208 (buf)) 209 #endif 210 #endif 211 printf("NFS request from unprivileged port (%s:%d)\n", 212 #ifdef INET6 213 sin->sin_family == AF_INET6 ? 214 ip6_sprintf(buf, &satosin6(sin)->sin6_addr) : 215 #if defined(KLD_MODULE) 216 #undef ip6_sprintf 217 #endif 218 #endif 219 inet_ntoa_r(sin->sin_addr, buf), port); 220 svcerr_weakauth(rqst); 221 svc_freereq(rqst); 222 m_freem(nd.nd_mrep); 223 goto out; 224 } 225 } 226 227 if (nd.nd_procnum != NFSPROC_NULL) { 228 if (!svc_getcred(rqst, &nd.nd_cred, &credflavor)) { 229 svcerr_weakauth(rqst); 230 svc_freereq(rqst); 231 m_freem(nd.nd_mrep); 232 goto out; 233 } 234 235 /* Set the flag based on credflavor */ 236 if (credflavor == RPCSEC_GSS_KRB5) { 237 nd.nd_flag |= ND_GSS; 238 } else if (credflavor == RPCSEC_GSS_KRB5I) { 239 nd.nd_flag |= (ND_GSS | ND_GSSINTEGRITY); 240 } else if (credflavor == RPCSEC_GSS_KRB5P) { 241 nd.nd_flag |= (ND_GSS | ND_GSSPRIVACY); 242 } else if (credflavor != AUTH_SYS) { 243 svcerr_weakauth(rqst); 244 svc_freereq(rqst); 245 m_freem(nd.nd_mrep); 246 goto out; 247 } 248 249 /* Acquire the principal name for the RPCSEC_GSS cases. */ 250 if ((nd.nd_flag & (ND_NFSV4 | ND_GSS)) == (ND_NFSV4 | ND_GSS)) { 251 rcredp = NULL; 252 rpc_gss_getcred_call(rqst, &rcredp, NULL, NULL); 253 /* 254 * The exported principal name consists of: 255 * - TOK_ID bytes with value of 4 and 1. 256 * - 2 byte mech length 257 * - mech 258 * - 4 byte principal name length 259 * - principal name 260 * A call to gss_import_name() would be an 261 * upcall to the gssd, so parse it here. 262 * See lib/libgssapi/gss_import_name.c for the 263 * above format. 264 */ 265 if (rcredp != NULL && 266 rcredp->client_principal->len > 4 && 267 rcredp->client_principal->name[0] == 4 && 268 rcredp->client_principal->name[1] == 1) { 269 /* Skip over the mech. */ 270 p = &rcredp->client_principal->name[2]; 271 i = (p[0] << 8) | p[1]; 272 p += i + 2; 273 i += 4; 274 /* 275 * Set "j" to a bogus length so that the 276 * "i + j" check will fail unless the below 277 * code sets "j" correctly. 278 */ 279 j = rcredp->client_principal->len; 280 if (rcredp->client_principal->len > i + 4) { 281 j = (p[0] << 24) | (p[1] << 16) | 282 (p[2] << 8) | p[3]; 283 i += 4; 284 p += 4; 285 } 286 if (i + j == rcredp->client_principal->len) { 287 nd.nd_principal = malloc(j + 1, M_TEMP, 288 M_WAITOK); 289 nd.nd_princlen = j; 290 memcpy(nd.nd_principal, p, j); 291 nd.nd_principal[j] = '\0'; 292 NFSD_DEBUG(1, "nfssvc_program: " 293 "principal=%s\n", nd.nd_principal); 294 } 295 } 296 if (nd.nd_princlen == 0) 297 printf("nfssvc_program: cannot get RPCSEC_GSS " 298 "principal name\n"); 299 } 300 301 if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) { 302 nd.nd_flag |= ND_TLS; 303 if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0) 304 nd.nd_flag |= ND_TLSCERT; 305 if ((xprt->xp_tls & RPCTLS_FLAGS_CERTUSER) != 0) 306 nd.nd_flag |= ND_TLSCERTUSER; 307 } 308 nd.nd_maxextsiz = 16384; 309 #ifdef MAC 310 mac_cred_associate_nfsd(nd.nd_cred); 311 #endif 312 /* 313 * Get a refcnt (shared lock) on nfsd_suspend_lock. 314 * NFSSVC_SUSPENDNFSD will take an exclusive lock on 315 * nfsd_suspend_lock to suspend these threads. 316 * The call to nfsv4_lock() that precedes nfsv4_getref() 317 * ensures that the acquisition of the exclusive lock 318 * takes priority over acquisition of the shared lock by 319 * waiting for any exclusive lock request to complete. 320 * This must be done here, before the check of 321 * nfsv4root exports by nfsvno_v4rootexport(). 322 */ 323 NFSLOCKV4ROOTMUTEX(); 324 nfsv4_lock(&NFSD_VNET(nfsd_suspend_lock), 0, NULL, 325 NFSV4ROOTLOCKMUTEXPTR, NULL); 326 nfsv4_getref(&NFSD_VNET(nfsd_suspend_lock), NULL, 327 NFSV4ROOTLOCKMUTEXPTR, NULL); 328 NFSUNLOCKV4ROOTMUTEX(); 329 330 if ((nd.nd_flag & ND_NFSV4) != 0) { 331 nd.nd_repstat = nfsvno_v4rootexport(&nd); 332 if (nd.nd_repstat != 0) { 333 NFSLOCKV4ROOTMUTEX(); 334 nfsv4_relref(&NFSD_VNET(nfsd_suspend_lock)); 335 NFSUNLOCKV4ROOTMUTEX(); 336 svcerr_weakauth(rqst); 337 svc_freereq(rqst); 338 m_freem(nd.nd_mrep); 339 goto out; 340 } 341 } 342 343 #ifdef KERN_TLS 344 if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && 345 rpctls_getinfo(&maxlen, false, false)) 346 nd.nd_maxextsiz = maxlen; 347 #endif 348 cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp); 349 NFSLOCKV4ROOTMUTEX(); 350 nfsv4_relref(&NFSD_VNET(nfsd_suspend_lock)); 351 NFSUNLOCKV4ROOTMUTEX(); 352 } else { 353 NFSMGET(nd.nd_mreq); 354 nd.nd_mreq->m_len = 0; 355 cacherep = RC_REPLY; 356 } 357 if (nd.nd_mrep != NULL) 358 m_freem(nd.nd_mrep); 359 360 if (nd.nd_cred != NULL) 361 crfree(nd.nd_cred); 362 363 if (cacherep == RC_DROPIT) { 364 if (nd.nd_mreq != NULL) 365 m_freem(nd.nd_mreq); 366 svc_freereq(rqst); 367 goto out; 368 } 369 370 if (nd.nd_mreq == NULL) { 371 svcerr_decode(rqst); 372 svc_freereq(rqst); 373 goto out; 374 } 375 376 if (nd.nd_repstat & NFSERR_AUTHERR) { 377 svcerr_auth(rqst, nd.nd_repstat & ~NFSERR_AUTHERR); 378 if (nd.nd_mreq != NULL) 379 m_freem(nd.nd_mreq); 380 } else if (!svc_sendreply_mbuf(rqst, nd.nd_mreq)) { 381 svcerr_systemerr(rqst); 382 } 383 if (rp != NULL) { 384 nfsrvd_sentcache(rp, (rqst->rq_reply_seq != 0 || 385 SVC_ACK(xprt, NULL)), rqst->rq_reply_seq); 386 } 387 svc_freereq(rqst); 388 389 out: 390 free(nd.nd_principal, M_TEMP); 391 NFSD_CURVNET_RESTORE(); 392 ast_kclear(curthread); 393 NFSEXITCODE(0); 394 } 395 396 /* 397 * Check the cache and, optionally, do the RPC. 398 * Return the appropriate cache response. 399 */ 400 static int 401 nfs_proc(struct nfsrv_descript *nd, u_int32_t xid, SVCXPRT *xprt, 402 struct nfsrvcache **rpp) 403 { 404 int cacherep = RC_DOIT, isdgram, taglen = -1; 405 struct mbuf *m; 406 u_char tag[NFSV4_SMALLSTR + 1], *tagstr = NULL; 407 u_int32_t minorvers = 0; 408 uint32_t ack; 409 410 *rpp = NULL; 411 if (nd->nd_nam2 == NULL) { 412 nd->nd_flag |= ND_STREAMSOCK; 413 isdgram = 0; 414 } else { 415 isdgram = 1; 416 } 417 418 /* 419 * Two cases: 420 * 1 - For NFSv2 over UDP, if we are near our malloc/mget 421 * limit, just drop the request. There is no 422 * NFSERR_RESOURCE or NFSERR_DELAY for NFSv2 and the 423 * client will timeout/retry over UDP in a little while. 424 * 2 - nd_repstat == 0 && nd_mreq == NULL, which 425 * means a normal nfs rpc, so check the cache 426 */ 427 if ((nd->nd_flag & ND_NFSV2) && nd->nd_nam2 != NULL && 428 nfsrv_mallocmget_limit()) { 429 cacherep = RC_DROPIT; 430 } else { 431 /* 432 * For NFSv3, play it safe and assume that the client is 433 * doing retries on the same TCP connection. 434 */ 435 if ((nd->nd_flag & (ND_NFSV4 | ND_STREAMSOCK)) == 436 ND_STREAMSOCK) 437 nd->nd_flag |= ND_SAMETCPCONN; 438 nd->nd_retxid = xid; 439 nd->nd_tcpconntime = NFSD_MONOSEC; 440 nd->nd_sockref = xprt->xp_sockref; 441 if ((nd->nd_flag & ND_NFSV4) != 0) 442 nfsd_getminorvers(nd, tag, &tagstr, &taglen, 443 &minorvers); 444 if ((nd->nd_flag & ND_NFSV41) != 0) 445 /* NFSv4.1 caches replies in the session slots. */ 446 cacherep = RC_DOIT; 447 else { 448 cacherep = nfsrvd_getcache(nd); 449 ack = 0; 450 SVC_ACK(xprt, &ack); 451 nfsrc_trimcache(xprt->xp_sockref, ack, 0); 452 } 453 } 454 455 /* 456 * Handle the request. There are three cases. 457 * RC_DOIT - do the RPC 458 * RC_REPLY - return the reply already created 459 * RC_DROPIT - just throw the request away 460 */ 461 if (cacherep == RC_DOIT) { 462 if ((nd->nd_flag & ND_NFSV41) != 0) 463 nd->nd_xprt = xprt; 464 nfsrvd_dorpc(nd, isdgram, tagstr, taglen, minorvers); 465 if ((nd->nd_flag & ND_NFSV41) != 0) { 466 if (nd->nd_repstat != NFSERR_REPLYFROMCACHE && 467 (nd->nd_flag & ND_SAVEREPLY) != 0) { 468 /* Cache a copy of the reply. */ 469 m = m_copym(nd->nd_mreq, 0, M_COPYALL, 470 M_WAITOK); 471 } else 472 m = NULL; 473 if ((nd->nd_flag & ND_HASSEQUENCE) != 0) 474 nfsrv_cache_session(nd, &m); 475 if (nd->nd_repstat == NFSERR_REPLYFROMCACHE) { 476 nd->nd_repstat = 0; 477 if (m != NULL) { 478 m_freem(nd->nd_mreq); 479 nd->nd_mreq = m; 480 } 481 } 482 cacherep = RC_REPLY; 483 } else { 484 if (nd->nd_repstat == NFSERR_DONTREPLY) 485 cacherep = RC_DROPIT; 486 else 487 cacherep = RC_REPLY; 488 *rpp = nfsrvd_updatecache(nd); 489 } 490 } 491 if (tagstr != NULL && taglen > NFSV4_SMALLSTR) 492 free(tagstr, M_TEMP); 493 494 NFSEXITCODE2(0, nd); 495 return (cacherep); 496 } 497 498 static void 499 nfssvc_loss(SVCXPRT *xprt) 500 { 501 uint32_t ack; 502 503 ack = 0; 504 SVC_ACK(xprt, &ack); 505 NFSD_CURVNET_SET(NFSD_TD_TO_VNET(curthread)); 506 nfsrc_trimcache(xprt->xp_sockref, ack, 1); 507 NFSD_CURVNET_RESTORE(); 508 } 509 510 /* 511 * Adds a socket to the list for servicing by nfsds. 512 */ 513 int 514 nfsrvd_addsock(struct file *fp) 515 { 516 int siz; 517 struct socket *so; 518 int error = 0; 519 SVCXPRT *xprt; 520 static u_int64_t sockref = 0; 521 522 so = fp->f_data; 523 524 siz = sb_max_adj; 525 error = soreserve(so, siz, siz); 526 if (error) 527 goto out; 528 529 /* 530 * Steal the socket from userland so that it doesn't close 531 * unexpectedly. 532 */ 533 if (so->so_type == SOCK_DGRAM) 534 xprt = svc_dg_create(NFSD_VNET(nfsrvd_pool), so, 0, 0); 535 else 536 xprt = svc_vc_create(NFSD_VNET(nfsrvd_pool), so, 0, 0); 537 if (xprt) { 538 fp->f_ops = &badfileops; 539 fp->f_data = NULL; 540 xprt->xp_sockref = ++sockref; 541 if (NFSD_VNET(nfs_minvers) == NFS_VER2) 542 svc_reg(xprt, NFS_PROG, NFS_VER2, nfssvc_program, 543 NULL); 544 if (NFSD_VNET(nfs_minvers) <= NFS_VER3 && 545 NFSD_VNET(nfs_maxvers) >= NFS_VER3) 546 svc_reg(xprt, NFS_PROG, NFS_VER3, nfssvc_program, 547 NULL); 548 if (NFSD_VNET(nfs_maxvers) >= NFS_VER4) 549 svc_reg(xprt, NFS_PROG, NFS_VER4, nfssvc_program, 550 NULL); 551 if (so->so_type == SOCK_STREAM) 552 svc_loss_reg(xprt, nfssvc_loss); 553 SVC_RELEASE(xprt); 554 } else 555 error = EPERM; 556 557 out: 558 NFSEXITCODE(error); 559 return (error); 560 } 561 562 /* 563 * Called by nfssvc() for nfsds. Just loops around servicing rpc requests 564 * until it is killed by a signal. 565 */ 566 int 567 nfsrvd_nfsd(struct thread *td, struct nfsd_nfsd_args *args) 568 { 569 char principal[MAXHOSTNAMELEN + 5]; 570 struct proc *p; 571 int error = 0; 572 bool_t ret2, ret3, ret4; 573 574 error = copyinstr(args->principal, principal, sizeof (principal), 575 NULL); 576 if (error) 577 goto out; 578 579 /* 580 * Only the first nfsd actually does any work. The RPC code 581 * adds threads to it as needed. Any extra processes offered 582 * by nfsd just exit. If nfsd is new enough, it will call us 583 * once with a structure that specifies how many threads to 584 * use. 585 */ 586 NFSD_LOCK(); 587 if (NFSD_VNET(nfsrv_numnfsd) == 0) { 588 nfsdev_time = time_second; 589 p = td->td_proc; 590 PROC_LOCK(p); 591 p->p_flag2 |= P2_AST_SU; 592 PROC_UNLOCK(p); 593 newnfs_numnfsd++; /* Total num for all vnets. */ 594 NFSD_VNET(nfsrv_numnfsd)++; /* Num for this vnet. */ 595 596 NFSD_UNLOCK(); 597 error = nfsrv_createdevids(args, td); 598 if (error == 0) { 599 /* An empty string implies AUTH_SYS only. */ 600 if (principal[0] != '\0') { 601 ret2 = rpc_gss_set_svc_name_call(principal, 602 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, 603 NFS_VER2); 604 ret3 = rpc_gss_set_svc_name_call(principal, 605 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, 606 NFS_VER3); 607 ret4 = rpc_gss_set_svc_name_call(principal, 608 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, 609 NFS_VER4); 610 611 if (!ret2 || !ret3 || !ret4) 612 printf("nfsd: can't register svc " 613 "name %s jid:%d\n", principal, 614 td->td_ucred->cr_prison->pr_id); 615 } 616 617 NFSD_VNET(nfsrvd_pool)->sp_minthreads = 618 args->minthreads; 619 NFSD_VNET(nfsrvd_pool)->sp_maxthreads = 620 args->maxthreads; 621 622 /* 623 * If this is a pNFS service, make Getattr do a 624 * vn_start_write(), so it can do a vn_set_extattr(). 625 */ 626 if (nfsrv_devidcnt > 0) { 627 nfsrv_writerpc[NFSPROC_GETATTR] = 1; 628 nfsv4_opflag[NFSV4OP_GETATTR].modifyfs = 1; 629 } 630 631 svc_run(NFSD_VNET(nfsrvd_pool)); 632 633 /* Reset Getattr to not do a vn_start_write(). */ 634 nfsrv_writerpc[NFSPROC_GETATTR] = 0; 635 nfsv4_opflag[NFSV4OP_GETATTR].modifyfs = 0; 636 637 if (principal[0] != '\0') { 638 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER2); 639 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER3); 640 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER4); 641 } 642 } 643 NFSD_LOCK(); 644 newnfs_numnfsd--; 645 NFSD_VNET(nfsrv_numnfsd)--; 646 nfsrvd_init(1); 647 PROC_LOCK(p); 648 p->p_flag2 &= ~P2_AST_SU; 649 PROC_UNLOCK(p); 650 } 651 NFSD_UNLOCK(); 652 653 out: 654 NFSEXITCODE(error); 655 return (error); 656 } 657 658 /* 659 * Initialize the data structures for the server. 660 * Handshake with any new nfsds starting up to avoid any chance of 661 * corruption. 662 */ 663 void 664 nfsrvd_init(int terminating) 665 { 666 667 NFSD_LOCK_ASSERT(); 668 669 if (terminating) { 670 NFSD_VNET(nfsd_master_proc) = NULL; 671 NFSD_UNLOCK(); 672 nfsrv_freealllayoutsanddevids(); 673 nfsrv_freeallbackchannel_xprts(); 674 svcpool_close(NFSD_VNET(nfsrvd_pool)); 675 free(nfsrv_zeropnfsdat, M_TEMP); 676 nfsrv_zeropnfsdat = NULL; 677 NFSD_LOCK(); 678 } else { 679 /* Initialize per-vnet globals once per vnet. */ 680 if (NFSD_VNET(nfsrvd_inited)) 681 return; 682 NFSD_VNET(nfsrvd_inited) = true; 683 NFSD_UNLOCK(); 684 NFSD_VNET(nfsrvd_pool) = svcpool_create("nfsd", 685 SYSCTL_STATIC_CHILDREN(_vfs_nfsd)); 686 NFSD_VNET(nfsrvd_pool)->sp_rcache = NULL; 687 NFSD_VNET(nfsrvd_pool)->sp_assign = fhanew_assign; 688 NFSD_VNET(nfsrvd_pool)->sp_done = fhanew_nd_complete; 689 NFSD_LOCK(); 690 } 691 } 692