xref: /titanic_41/usr/src/uts/common/fs/nfs/nfs_auth.c (revision 5203bc321053fb87d7073c7640548fab73634793)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1995, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/param.h>
26 #include <sys/errno.h>
27 #include <sys/vfs.h>
28 #include <sys/vnode.h>
29 #include <sys/cred.h>
30 #include <sys/cmn_err.h>
31 #include <sys/systm.h>
32 #include <sys/kmem.h>
33 #include <sys/pathname.h>
34 #include <sys/utsname.h>
35 #include <sys/debug.h>
36 #include <sys/door.h>
37 #include <sys/sdt.h>
38 #include <sys/thread.h>
39 
40 #include <rpc/types.h>
41 #include <rpc/auth.h>
42 #include <rpc/clnt.h>
43 
44 #include <nfs/nfs.h>
45 #include <nfs/export.h>
46 #include <nfs/nfs_clnt.h>
47 #include <nfs/auth.h>
48 
49 #define	EQADDR(a1, a2)  \
50 	(bcmp((char *)(a1)->buf, (char *)(a2)->buf, (a1)->len) == 0 && \
51 	(a1)->len == (a2)->len)
52 
53 static struct knetconfig auth_knconf;
54 static servinfo_t svp;
55 static clinfo_t ci;
56 
57 static struct kmem_cache *exi_cache_handle;
58 static void exi_cache_reclaim(void *);
59 static void exi_cache_trim(struct exportinfo *exi);
60 
61 extern pri_t minclsyspri;
62 
63 int nfsauth_cache_hit;
64 int nfsauth_cache_miss;
65 int nfsauth_cache_refresh;
66 int nfsauth_cache_reclaim;
67 
68 /*
69  * The lifetime of an auth cache entry:
70  * ------------------------------------
71  *
72  * An auth cache entry is created with both the auth_time
73  * and auth_freshness times set to the current time.
74  *
75  * Upon every client access which results in a hit, the
76  * auth_time will be updated.
77  *
78  * If a client access determines that the auth_freshness
79  * indicates that the entry is STALE, then it will be
80  * refreshed. Note that this will explicitly reset
81  * auth_time.
82  *
83  * When the REFRESH successfully occurs, then the
84  * auth_freshness is updated.
85  *
86  * There are two ways for an entry to leave the cache:
87  *
88  * 1) Purged by an action on the export (remove or changed)
89  * 2) Memory backpressure from the kernel (check against NFSAUTH_CACHE_TRIM)
90  *
91  * For 2) we check the timeout value against auth_time.
92  */
93 
94 /*
95  * Number of seconds until we mark for refresh an auth cache entry.
96  */
97 #define	NFSAUTH_CACHE_REFRESH 600
98 
99 /*
100  * Number of idle seconds until we yield to backpressure
101  * to trim a cache entry.
102  */
103 #define	NFSAUTH_CACHE_TRIM 3600
104 
105 /*
106  * While we could encapuslate the exi_list inside the
107  * exi structure, we can't do that for the auth_list.
108  * So, to keep things looking clean, we keep them both
109  * in these external lists.
110  */
111 typedef struct refreshq_exi_node {
112 	struct exportinfo	*ren_exi;
113 	list_t			ren_authlist;
114 	list_node_t		ren_node;
115 } refreshq_exi_node_t;
116 
117 typedef struct refreshq_auth_node {
118 	struct auth_cache	*ran_auth;
119 	list_node_t		ran_node;
120 } refreshq_auth_node_t;
121 
122 /*
123  * Used to manipulate things on the refreshq_queue.
124  * Note that the refresh thread will effectively
125  * pop a node off of the queue, at which point it
126  * will no longer need to hold the mutex.
127  */
128 static kmutex_t refreshq_lock;
129 static list_t refreshq_queue;
130 static kcondvar_t refreshq_cv;
131 
132 /*
133  * A list_t would be overkill. These are auth_cache
134  * entries which are no longer linked to an exi.
135  * It should be the case that all of their states
136  * are NFS_AUTH_INVALID.
137  *
138  * I.e., the only way to be put on this list is
139  * iff their state indicated that they had been placed
140  * on the refreshq_queue.
141  *
142  * Note that while there is no link from the exi or
143  * back to the exi, the exi can not go away until
144  * these entries are harvested.
145  */
146 static struct auth_cache	*refreshq_dead_entries;
147 
148 /*
149  * If there is ever a problem with loading the
150  * module, then nfsauth_fini() needs to be called
151  * to remove state. In that event, since the
152  * refreshq thread has been started, they need to
153  * work together to get rid of state.
154  */
155 typedef enum nfsauth_refreshq_thread_state {
156 	REFRESHQ_THREAD_RUNNING,
157 	REFRESHQ_THREAD_FINI_REQ,
158 	REFRESHQ_THREAD_HALTED
159 } nfsauth_refreshq_thread_state_t;
160 
161 nfsauth_refreshq_thread_state_t
162 refreshq_thread_state = REFRESHQ_THREAD_HALTED;
163 
164 static void nfsauth_free_node(struct auth_cache *);
165 static void nfsauth_remove_dead_entry(struct auth_cache *);
166 static void nfsauth_refresh_thread(void);
167 
168 /*
169  * mountd is a server-side only daemon. This will need to be
170  * revisited if the NFS server is ever made zones-aware.
171  */
172 kmutex_t	mountd_lock;
173 door_handle_t   mountd_dh;
174 
175 void
176 mountd_args(uint_t did)
177 {
178 	mutex_enter(&mountd_lock);
179 	if (mountd_dh)
180 		door_ki_rele(mountd_dh);
181 	mountd_dh = door_ki_lookup(did);
182 	mutex_exit(&mountd_lock);
183 }
184 
185 void
186 nfsauth_init(void)
187 {
188 	/*
189 	 * mountd can be restarted by smf(5). We need to make sure
190 	 * the updated door handle will safely make it to mountd_dh
191 	 */
192 	mutex_init(&mountd_lock, NULL, MUTEX_DEFAULT, NULL);
193 
194 	mutex_init(&refreshq_lock, NULL, MUTEX_DEFAULT, NULL);
195 	list_create(&refreshq_queue, sizeof (refreshq_exi_node_t),
196 	    offsetof(refreshq_exi_node_t, ren_node));
197 	refreshq_dead_entries = NULL;
198 
199 	cv_init(&refreshq_cv, NULL, CV_DEFAULT, NULL);
200 
201 	/*
202 	 * Allocate nfsauth cache handle
203 	 */
204 	exi_cache_handle = kmem_cache_create("exi_cache_handle",
205 	    sizeof (struct auth_cache), 0, NULL, NULL,
206 	    exi_cache_reclaim, NULL, NULL, 0);
207 
208 	refreshq_thread_state = REFRESHQ_THREAD_RUNNING;
209 	(void) zthread_create(NULL, 0, nfsauth_refresh_thread,
210 	    NULL, 0, minclsyspri);
211 }
212 
213 /*
214  * Finalization routine for nfsauth. It is important to call this routine
215  * before destroying the exported_lock.
216  */
217 void
218 nfsauth_fini(void)
219 {
220 	refreshq_exi_node_t	*ren;
221 	refreshq_auth_node_t	*ran;
222 	struct auth_cache	*p;
223 	struct auth_cache	*auth_next;
224 
225 	/*
226 	 * Prevent the refreshq_thread from getting new
227 	 * work.
228 	 */
229 	mutex_enter(&refreshq_lock);
230 	if (refreshq_thread_state != REFRESHQ_THREAD_HALTED) {
231 		refreshq_thread_state = REFRESHQ_THREAD_FINI_REQ;
232 		cv_broadcast(&refreshq_cv);
233 
234 		/*
235 		 * Also, wait for nfsauth_refresh_thread() to exit.
236 		 */
237 		while (refreshq_thread_state != REFRESHQ_THREAD_HALTED) {
238 			cv_wait(&refreshq_cv, &refreshq_lock);
239 		}
240 	}
241 
242 	/*
243 	 * Walk the exi_list and in turn, walk the
244 	 * auth_lists.
245 	 */
246 	while ((ren = list_remove_head(&refreshq_queue))) {
247 		while ((ran = list_remove_head(&ren->ren_authlist))) {
248 			kmem_free(ran, sizeof (refreshq_auth_node_t));
249 		}
250 
251 		list_destroy(&ren->ren_authlist);
252 		exi_rele(ren->ren_exi);
253 		kmem_free(ren, sizeof (refreshq_exi_node_t));
254 	}
255 
256 	/*
257 	 * Okay, now that the lists are deleted, we
258 	 * need to see if there are any dead entries
259 	 * to harvest.
260 	 */
261 	for (p = refreshq_dead_entries; p != NULL; p = auth_next) {
262 		auth_next = p->auth_next;
263 		nfsauth_free_node(p);
264 	}
265 
266 	mutex_exit(&refreshq_lock);
267 
268 	list_destroy(&refreshq_queue);
269 
270 	cv_destroy(&refreshq_cv);
271 	mutex_destroy(&refreshq_lock);
272 
273 	mutex_destroy(&mountd_lock);
274 
275 	/*
276 	 * Deallocate nfsauth cache handle
277 	 */
278 	kmem_cache_destroy(exi_cache_handle);
279 }
280 
281 /*
282  * Convert the address in a netbuf to
283  * a hash index for the auth_cache table.
284  */
285 static int
286 hash(struct netbuf *a)
287 {
288 	int i, h = 0;
289 
290 	for (i = 0; i < a->len; i++)
291 		h ^= a->buf[i];
292 
293 	return (h & (AUTH_TABLESIZE - 1));
294 }
295 
296 /*
297  * Mask out the components of an
298  * address that do not identify
299  * a host. For socket addresses the
300  * masking gets rid of the port number.
301  */
302 static void
303 addrmask(struct netbuf *addr, struct netbuf *mask)
304 {
305 	int i;
306 
307 	for (i = 0; i < addr->len; i++)
308 		addr->buf[i] &= mask->buf[i];
309 }
310 
311 /*
312  * nfsauth4_access is used for NFS V4 auth checking. Besides doing
313  * the common nfsauth_access(), it will check if the client can
314  * have a limited access to this vnode even if the security flavor
315  * used does not meet the policy.
316  */
317 int
318 nfsauth4_access(struct exportinfo *exi, vnode_t *vp, struct svc_req *req)
319 {
320 	int access;
321 
322 	access = nfsauth_access(exi, req);
323 
324 	/*
325 	 * There are cases that the server needs to allow the client
326 	 * to have a limited view.
327 	 *
328 	 * e.g.
329 	 * /export is shared as "sec=sys,rw=dfs-test-4,sec=krb5,rw"
330 	 * /export/home is shared as "sec=sys,rw"
331 	 *
332 	 * When the client mounts /export with sec=sys, the client
333 	 * would get a limited view with RO access on /export to see
334 	 * "home" only because the client is allowed to access
335 	 * /export/home with auth_sys.
336 	 */
337 	if (access & NFSAUTH_DENIED || access & NFSAUTH_WRONGSEC) {
338 		/*
339 		 * Allow ro permission with LIMITED view if there is a
340 		 * sub-dir exported under vp.
341 		 */
342 		if (has_visible(exi, vp))
343 			return (NFSAUTH_LIMITED);
344 	}
345 
346 	return (access);
347 }
348 
349 static void
350 sys_log(const char *msg)
351 {
352 	static time_t	tstamp = 0;
353 	time_t		now;
354 
355 	/*
356 	 * msg is shown (at most) once per minute
357 	 */
358 	now = gethrestime_sec();
359 	if ((tstamp + 60) < now) {
360 		tstamp = now;
361 		cmn_err(CE_WARN, msg);
362 	}
363 }
364 
365 /*
366  * Callup to the mountd to get access information in the kernel.
367  */
368 static bool_t
369 nfsauth_retrieve(struct exportinfo *exi, char *req_netid, int flavor,
370     struct netbuf *addr, int *access)
371 {
372 	varg_t			  varg = {0};
373 	nfsauth_res_t		  res = {0};
374 	XDR			  xdrs_a;
375 	XDR			  xdrs_r;
376 	size_t			  absz;
377 	caddr_t			  abuf;
378 	size_t			  rbsz = (size_t)(BYTES_PER_XDR_UNIT * 2);
379 	char			  result[BYTES_PER_XDR_UNIT * 2] = {0};
380 	caddr_t			  rbuf = (caddr_t)&result;
381 	int			  last = 0;
382 	door_arg_t		  da;
383 	door_info_t		  di;
384 	door_handle_t		  dh;
385 	uint_t			  ntries = 0;
386 
387 	/*
388 	 * No entry in the cache for this client/flavor
389 	 * so we need to call the nfsauth service in the
390 	 * mount daemon.
391 	 */
392 retry:
393 	mutex_enter(&mountd_lock);
394 	dh = mountd_dh;
395 	if (dh)
396 		door_ki_hold(dh);
397 	mutex_exit(&mountd_lock);
398 
399 	if (dh == NULL) {
400 		/*
401 		 * The rendezvous point has not been established yet !
402 		 * This could mean that either mountd(1m) has not yet
403 		 * been started or that _this_ routine nuked the door
404 		 * handle after receiving an EINTR for a REVOKED door.
405 		 *
406 		 * Returning NFSAUTH_DROP will cause the NFS client
407 		 * to retransmit the request, so let's try to be more
408 		 * rescillient and attempt for ntries before we bail.
409 		 */
410 		if (++ntries % NFSAUTH_DR_TRYCNT) {
411 			delay(hz);
412 			goto retry;
413 		}
414 
415 		sys_log("nfsauth: mountd has not established door");
416 		*access = NFSAUTH_DROP;
417 		return (FALSE);
418 	}
419 
420 	ntries = 0;
421 	varg.vers = V_PROTO;
422 	varg.arg_u.arg.cmd = NFSAUTH_ACCESS;
423 	varg.arg_u.arg.areq.req_client.n_len = addr->len;
424 	varg.arg_u.arg.areq.req_client.n_bytes = addr->buf;
425 	varg.arg_u.arg.areq.req_netid = req_netid;
426 	varg.arg_u.arg.areq.req_path = exi->exi_export.ex_path;
427 	varg.arg_u.arg.areq.req_flavor = flavor;
428 
429 	/*
430 	 * Setup the XDR stream for encoding the arguments. Notice that
431 	 * in addition to the args having variable fields (req_netid and
432 	 * req_path), the argument data structure is itself versioned,
433 	 * so we need to make sure we can size the arguments buffer
434 	 * appropriately to encode all the args. If we can't get sizing
435 	 * info _or_ properly encode the arguments, there's really no
436 	 * point in continuting, so we fail the request.
437 	 */
438 	DTRACE_PROBE1(nfsserv__func__nfsauth__varg, varg_t *, &varg);
439 	if ((absz = xdr_sizeof(xdr_varg, (void *)&varg)) == 0) {
440 		door_ki_rele(dh);
441 		*access = NFSAUTH_DENIED;
442 		return (FALSE);
443 	}
444 
445 	abuf = (caddr_t)kmem_alloc(absz, KM_SLEEP);
446 	xdrmem_create(&xdrs_a, abuf, absz, XDR_ENCODE);
447 	if (!xdr_varg(&xdrs_a, &varg)) {
448 		door_ki_rele(dh);
449 		goto fail;
450 	}
451 	XDR_DESTROY(&xdrs_a);
452 
453 	/*
454 	 * The result (nfsauth_res_t) is always two int's, so we don't
455 	 * have to dynamically size (or allocate) the results buffer.
456 	 * Now that we've got what we need, we prep the door arguments
457 	 * and place the call.
458 	 */
459 	da.data_ptr = (char *)abuf;
460 	da.data_size = absz;
461 	da.desc_ptr = NULL;
462 	da.desc_num = 0;
463 	da.rbuf = (char *)rbuf;
464 	da.rsize = rbsz;
465 
466 	switch (door_ki_upcall_limited(dh, &da, NULL, SIZE_MAX, 0)) {
467 		case 0:				/* Success */
468 			if (da.data_ptr != da.rbuf && da.data_size == 0) {
469 				/*
470 				 * The door_return that contained the data
471 				 * failed ! We're here because of the 2nd
472 				 * door_return (w/o data) such that we can
473 				 * get control of the thread (and exit
474 				 * gracefully).
475 				 */
476 				DTRACE_PROBE1(nfsserv__func__nfsauth__door__nil,
477 				    door_arg_t *, &da);
478 				door_ki_rele(dh);
479 				goto fail;
480 
481 			} else if (rbuf != da.rbuf) {
482 				/*
483 				 * The only time this should be true
484 				 * is iff userland wanted to hand us
485 				 * a bigger response than what we
486 				 * expect; that should not happen
487 				 * (nfsauth_res_t is only 2 int's),
488 				 * but we check nevertheless.
489 				 */
490 				rbuf = da.rbuf;
491 				rbsz = da.rsize;
492 
493 			} else if (rbsz > da.data_size) {
494 				/*
495 				 * We were expecting two int's; but if
496 				 * userland fails in encoding the XDR
497 				 * stream, we detect that here, since
498 				 * the mountd forces down only one byte
499 				 * in such scenario.
500 				 */
501 				door_ki_rele(dh);
502 				goto fail;
503 			}
504 			door_ki_rele(dh);
505 			break;
506 
507 		case EAGAIN:
508 			/*
509 			 * Server out of resources; back off for a bit
510 			 */
511 			door_ki_rele(dh);
512 			kmem_free(abuf, absz);
513 			delay(hz);
514 			goto retry;
515 			/* NOTREACHED */
516 
517 		case EINTR:
518 			if (!door_ki_info(dh, &di)) {
519 				if (di.di_attributes & DOOR_REVOKED) {
520 					/*
521 					 * The server barfed and revoked
522 					 * the (existing) door on us; we
523 					 * want to wait to give smf(5) a
524 					 * chance to restart mountd(1m)
525 					 * and establish a new door handle.
526 					 */
527 					mutex_enter(&mountd_lock);
528 					if (dh == mountd_dh)
529 						mountd_dh = NULL;
530 					mutex_exit(&mountd_lock);
531 					door_ki_rele(dh);
532 					kmem_free(abuf, absz);
533 					delay(hz);
534 					goto retry;
535 				}
536 				/*
537 				 * If the door was _not_ revoked on us,
538 				 * then more than likely we took an INTR,
539 				 * so we need to fail the operation.
540 				 */
541 				door_ki_rele(dh);
542 				goto fail;
543 			}
544 			/*
545 			 * The only failure that can occur from getting
546 			 * the door info is EINVAL, so we let the code
547 			 * below handle it.
548 			 */
549 			/* FALLTHROUGH */
550 
551 		case EBADF:
552 		case EINVAL:
553 		default:
554 			/*
555 			 * If we have a stale door handle, give smf a last
556 			 * chance to start it by sleeping for a little bit.
557 			 * If we're still hosed, we'll fail the call.
558 			 *
559 			 * Since we're going to reacquire the door handle
560 			 * upon the retry, we opt to sleep for a bit and
561 			 * _not_ to clear mountd_dh. If mountd restarted
562 			 * and was able to set mountd_dh, we should see
563 			 * the new instance; if not, we won't get caught
564 			 * up in the retry/DELAY loop.
565 			 */
566 			door_ki_rele(dh);
567 			if (!last) {
568 				delay(hz);
569 				last++;
570 				goto retry;
571 			}
572 			sys_log("nfsauth: stale mountd door handle");
573 			goto fail;
574 	}
575 
576 	/*
577 	 * No door errors encountered; setup the XDR stream for decoding
578 	 * the results. If we fail to decode the results, we've got no
579 	 * other recourse than to fail the request.
580 	 */
581 	xdrmem_create(&xdrs_r, rbuf, rbsz, XDR_DECODE);
582 	if (!xdr_nfsauth_res(&xdrs_r, &res))
583 		goto fail;
584 	XDR_DESTROY(&xdrs_r);
585 
586 	DTRACE_PROBE1(nfsserv__func__nfsauth__results, nfsauth_res_t *, &res);
587 	switch (res.stat) {
588 		case NFSAUTH_DR_OKAY:
589 			*access = res.ares.auth_perm;
590 			kmem_free(abuf, absz);
591 			break;
592 
593 		case NFSAUTH_DR_EFAIL:
594 		case NFSAUTH_DR_DECERR:
595 		case NFSAUTH_DR_BADCMD:
596 		default:
597 fail:
598 			*access = NFSAUTH_DENIED;
599 			kmem_free(abuf, absz);
600 			return (FALSE);
601 			/* NOTREACHED */
602 	}
603 
604 	return (TRUE);
605 }
606 
607 static void
608 nfsauth_refresh_thread(void)
609 {
610 	refreshq_exi_node_t	*ren;
611 	refreshq_auth_node_t	*ran;
612 
613 	struct exportinfo	*exi;
614 	struct auth_cache	*p;
615 
616 	int			access;
617 	bool_t			retrieval;
618 
619 	callb_cpr_t		cprinfo;
620 
621 	CALLB_CPR_INIT(&cprinfo, &refreshq_lock, callb_generic_cpr,
622 	    "nfsauth_refresh");
623 
624 	for (;;) {
625 		mutex_enter(&refreshq_lock);
626 		if (refreshq_thread_state != REFRESHQ_THREAD_RUNNING) {
627 			/* Keep the hold on the lock! */
628 			break;
629 		}
630 
631 		ren = list_remove_head(&refreshq_queue);
632 		if (ren == NULL) {
633 			CALLB_CPR_SAFE_BEGIN(&cprinfo);
634 			cv_wait(&refreshq_cv, &refreshq_lock);
635 			CALLB_CPR_SAFE_END(&cprinfo, &refreshq_lock);
636 			mutex_exit(&refreshq_lock);
637 			continue;
638 		}
639 		mutex_exit(&refreshq_lock);
640 
641 		exi = ren->ren_exi;
642 		ASSERT(exi != NULL);
643 		rw_enter(&exi->exi_cache_lock, RW_READER);
644 
645 		while ((ran = list_remove_head(&ren->ren_authlist))) {
646 			/*
647 			 * We are shutting down. No need to refresh
648 			 * entries which are about to be nuked.
649 			 *
650 			 * So just throw them away until we are done
651 			 * with this exi node...
652 			 */
653 			if (refreshq_thread_state !=
654 			    REFRESHQ_THREAD_RUNNING) {
655 				kmem_free(ran, sizeof (refreshq_auth_node_t));
656 				continue;
657 			}
658 
659 			p = ran->ran_auth;
660 			ASSERT(p != NULL);
661 
662 			mutex_enter(&p->auth_lock);
663 
664 			/*
665 			 * Make sure the state is valid now that
666 			 * we have the lock. Note that once we
667 			 * change the state to NFS_AUTH_REFRESHING,
668 			 * no other thread will be able to work on
669 			 * this entry.
670 			 */
671 			if (p->auth_state != NFS_AUTH_STALE) {
672 				/*
673 				 * Once it goes INVALID, it can not
674 				 * change state.
675 				 */
676 				if (p->auth_state == NFS_AUTH_INVALID) {
677 					mutex_exit(&p->auth_lock);
678 					nfsauth_remove_dead_entry(p);
679 				} else
680 					mutex_exit(&p->auth_lock);
681 
682 				kmem_free(ran, sizeof (refreshq_auth_node_t));
683 				continue;
684 			}
685 
686 			p->auth_state = NFS_AUTH_REFRESHING;
687 			mutex_exit(&p->auth_lock);
688 
689 			DTRACE_PROBE2(nfsauth__debug__cache__refresh,
690 			    struct exportinfo *, exi,
691 			    struct auth_cache *, p);
692 
693 			/*
694 			 * The first caching of the access rights
695 			 * is done with the netid pulled out of the
696 			 * request from the client. All subsequent
697 			 * users of the cache may or may not have
698 			 * the same netid. It doesn't matter. So
699 			 * when we refresh, we simply use the netid
700 			 * of the request which triggered the
701 			 * refresh attempt.
702 			 */
703 			ASSERT(p->auth_netid != NULL);
704 
705 			retrieval = nfsauth_retrieve(exi, p->auth_netid,
706 			    p->auth_flavor, &p->auth_addr, &access);
707 
708 			/*
709 			 * This can only be set in one other place
710 			 * and the state has to be NFS_AUTH_FRESH.
711 			 */
712 			kmem_free(p->auth_netid, strlen(p->auth_netid) + 1);
713 			p->auth_netid = NULL;
714 
715 			/*
716 			 * We got an error, so do not reset the
717 			 * time. This will cause the next access
718 			 * check for the client to reschedule this
719 			 * node.
720 			 */
721 			if (retrieval == FALSE) {
722 				mutex_enter(&p->auth_lock);
723 				if (p->auth_state == NFS_AUTH_INVALID) {
724 					mutex_exit(&p->auth_lock);
725 					nfsauth_remove_dead_entry(p);
726 				} else {
727 					p->auth_state = NFS_AUTH_FRESH;
728 					mutex_exit(&p->auth_lock);
729 				}
730 
731 				kmem_free(ran, sizeof (refreshq_auth_node_t));
732 				continue;
733 			}
734 
735 			mutex_enter(&p->auth_lock);
736 			if (p->auth_state == NFS_AUTH_INVALID) {
737 				mutex_exit(&p->auth_lock);
738 				nfsauth_remove_dead_entry(p);
739 			} else {
740 				p->auth_access = access;
741 				p->auth_freshness = gethrestime_sec();
742 				p->auth_state = NFS_AUTH_FRESH;
743 				mutex_exit(&p->auth_lock);
744 			}
745 
746 			kmem_free(ran, sizeof (refreshq_auth_node_t));
747 		}
748 
749 		rw_exit(&exi->exi_cache_lock);
750 
751 		list_destroy(&ren->ren_authlist);
752 		exi_rele(ren->ren_exi);
753 		kmem_free(ren, sizeof (refreshq_exi_node_t));
754 	}
755 
756 	refreshq_thread_state = REFRESHQ_THREAD_HALTED;
757 	cv_broadcast(&refreshq_cv);
758 	CALLB_CPR_EXIT(&cprinfo);
759 	zthread_exit();
760 }
761 
762 /*
763  * Get the access information from the cache or callup to the mountd
764  * to get and cache the access information in the kernel.
765  */
766 int
767 nfsauth_cache_get(struct exportinfo *exi, struct svc_req *req, int flavor)
768 {
769 	struct netbuf		*taddrmask;
770 	struct netbuf		addr;
771 	struct netbuf		*claddr;
772 	struct auth_cache	**head;
773 	struct auth_cache	*p;
774 	int			access;
775 	time_t			refresh;
776 
777 	refreshq_exi_node_t	*ren;
778 	refreshq_auth_node_t	*ran;
779 
780 	/*
781 	 * Now check whether this client already
782 	 * has an entry for this flavor in the cache
783 	 * for this export.
784 	 * Get the caller's address, mask off the
785 	 * parts of the address that do not identify
786 	 * the host (port number, etc), and then hash
787 	 * it to find the chain of cache entries.
788 	 */
789 
790 	claddr = svc_getrpccaller(req->rq_xprt);
791 	addr = *claddr;
792 	addr.buf = kmem_alloc(addr.len, KM_SLEEP);
793 	bcopy(claddr->buf, addr.buf, claddr->len);
794 	SVC_GETADDRMASK(req->rq_xprt, SVC_TATTR_ADDRMASK, (void **)&taddrmask);
795 	ASSERT(taddrmask != NULL);
796 	if (taddrmask)
797 		addrmask(&addr, taddrmask);
798 
799 	rw_enter(&exi->exi_cache_lock, RW_READER);
800 	head = &exi->exi_cache[hash(&addr)];
801 	for (p = *head; p; p = p->auth_next) {
802 		if (EQADDR(&addr, &p->auth_addr) && flavor == p->auth_flavor)
803 			break;
804 	}
805 
806 	if (p != NULL) {
807 		nfsauth_cache_hit++;
808 
809 		refresh = gethrestime_sec() - p->auth_freshness;
810 		DTRACE_PROBE2(nfsauth__debug__cache__hit,
811 		    int, nfsauth_cache_hit,
812 		    time_t, refresh);
813 
814 		mutex_enter(&p->auth_lock);
815 		if ((refresh > NFSAUTH_CACHE_REFRESH) &&
816 		    p->auth_state == NFS_AUTH_FRESH) {
817 			p->auth_state = NFS_AUTH_STALE;
818 			mutex_exit(&p->auth_lock);
819 
820 			ASSERT(p->auth_netid == NULL);
821 			p->auth_netid =
822 			    strdup(svc_getnetid(req->rq_xprt));
823 
824 			nfsauth_cache_refresh++;
825 
826 			DTRACE_PROBE3(nfsauth__debug__cache__stale,
827 			    struct exportinfo *, exi,
828 			    struct auth_cache *, p,
829 			    int, nfsauth_cache_refresh);
830 
831 			ran = kmem_alloc(sizeof (refreshq_auth_node_t),
832 			    KM_SLEEP);
833 			ran->ran_auth = p;
834 
835 			mutex_enter(&refreshq_lock);
836 			/*
837 			 * We should not add a work queue
838 			 * item if the thread is not
839 			 * accepting them.
840 			 */
841 			if (refreshq_thread_state == REFRESHQ_THREAD_RUNNING) {
842 				/*
843 				 * Is there an existing exi_list?
844 				 */
845 				for (ren = list_head(&refreshq_queue);
846 				    ren != NULL;
847 				    ren = list_next(&refreshq_queue, ren)) {
848 					if (ren->ren_exi == exi) {
849 						list_insert_tail(
850 						    &ren->ren_authlist, ran);
851 						break;
852 					}
853 				}
854 
855 				if (ren == NULL) {
856 					ren = kmem_alloc(
857 					    sizeof (refreshq_exi_node_t),
858 					    KM_SLEEP);
859 
860 					exi_hold(exi);
861 					ren->ren_exi = exi;
862 
863 					list_create(&ren->ren_authlist,
864 					    sizeof (refreshq_auth_node_t),
865 					    offsetof(refreshq_auth_node_t,
866 					    ran_node));
867 
868 					list_insert_tail(&ren->ren_authlist,
869 					    ran);
870 					list_insert_tail(&refreshq_queue, ren);
871 				}
872 
873 				cv_broadcast(&refreshq_cv);
874 			} else {
875 				kmem_free(ran, sizeof (refreshq_auth_node_t));
876 			}
877 
878 			mutex_exit(&refreshq_lock);
879 		} else {
880 			mutex_exit(&p->auth_lock);
881 		}
882 
883 		access = p->auth_access;
884 		p->auth_time = gethrestime_sec();
885 
886 		rw_exit(&exi->exi_cache_lock);
887 		kmem_free(addr.buf, addr.len);
888 
889 		return (access);
890 	}
891 
892 	rw_exit(&exi->exi_cache_lock);
893 
894 	nfsauth_cache_miss++;
895 
896 	if (!nfsauth_retrieve(exi, svc_getnetid(req->rq_xprt), flavor,
897 	    &addr, &access)) {
898 		kmem_free(addr.buf, addr.len);
899 		return (access);
900 	}
901 
902 	/*
903 	 * Now cache the result on the cache chain
904 	 * for this export (if there's enough memory)
905 	 */
906 	p = kmem_cache_alloc(exi_cache_handle, KM_NOSLEEP);
907 	if (p != NULL) {
908 		p->auth_addr = addr;
909 		p->auth_flavor = flavor;
910 		p->auth_access = access;
911 		p->auth_time = p->auth_freshness = gethrestime_sec();
912 		p->auth_state = NFS_AUTH_FRESH;
913 		p->auth_netid = NULL;
914 		mutex_init(&p->auth_lock, NULL, MUTEX_DEFAULT, NULL);
915 
916 		rw_enter(&exi->exi_cache_lock, RW_WRITER);
917 		p->auth_next = *head;
918 		*head = p;
919 		rw_exit(&exi->exi_cache_lock);
920 	} else {
921 		kmem_free(addr.buf, addr.len);
922 	}
923 
924 	return (access);
925 }
926 
927 /*
928  * Check if the requesting client has access to the filesystem with
929  * a given nfs flavor number which is an explicitly shared flavor.
930  */
931 int
932 nfsauth4_secinfo_access(struct exportinfo *exi, struct svc_req *req,
933 			int flavor, int perm)
934 {
935 	int access;
936 
937 	if (! (perm & M_4SEC_EXPORTED)) {
938 		return (NFSAUTH_DENIED);
939 	}
940 
941 	/*
942 	 * Optimize if there are no lists
943 	 */
944 	if ((perm & (M_ROOT|M_NONE)) == 0) {
945 		perm &= ~M_4SEC_EXPORTED;
946 		if (perm == M_RO)
947 			return (NFSAUTH_RO);
948 		if (perm == M_RW)
949 			return (NFSAUTH_RW);
950 	}
951 
952 	access = nfsauth_cache_get(exi, req, flavor);
953 
954 	return (access);
955 }
956 
957 int
958 nfsauth_access(struct exportinfo *exi, struct svc_req *req)
959 {
960 	int access, mapaccess;
961 	struct secinfo *sp;
962 	int i, flavor, perm;
963 	int authnone_entry = -1;
964 
965 	/*
966 	 *  Get the nfs flavor number from xprt.
967 	 */
968 	flavor = (int)(uintptr_t)req->rq_xprt->xp_cookie;
969 
970 	/*
971 	 * First check the access restrictions on the filesystem.  If
972 	 * there are no lists associated with this flavor then there's no
973 	 * need to make an expensive call to the nfsauth service or to
974 	 * cache anything.
975 	 */
976 
977 	sp = exi->exi_export.ex_secinfo;
978 	for (i = 0; i < exi->exi_export.ex_seccnt; i++) {
979 		if (flavor != sp[i].s_secinfo.sc_nfsnum) {
980 			if (sp[i].s_secinfo.sc_nfsnum == AUTH_NONE)
981 				authnone_entry = i;
982 			continue;
983 		}
984 		break;
985 	}
986 
987 	mapaccess = 0;
988 
989 	if (i >= exi->exi_export.ex_seccnt) {
990 		/*
991 		 * Flavor not found, but use AUTH_NONE if it exists
992 		 */
993 		if (authnone_entry == -1)
994 			return (NFSAUTH_DENIED);
995 		flavor = AUTH_NONE;
996 		mapaccess = NFSAUTH_MAPNONE;
997 		i = authnone_entry;
998 	}
999 
1000 	/*
1001 	 * If the flavor is in the ex_secinfo list, but not an explicitly
1002 	 * shared flavor by the user, it is a result of the nfsv4 server
1003 	 * namespace setup. We will grant an RO permission similar for
1004 	 * a pseudo node except that this node is a shared one.
1005 	 *
1006 	 * e.g. flavor in (flavor) indicates that it is not explictly
1007 	 *	shared by the user:
1008 	 *
1009 	 *		/	(sys, krb5)
1010 	 *		|
1011 	 *		export  #share -o sec=sys (krb5)
1012 	 *		|
1013 	 *		secure  #share -o sec=krb5
1014 	 *
1015 	 *	In this case, when a krb5 request coming in to access
1016 	 *	/export, RO permission is granted.
1017 	 */
1018 	if (!(sp[i].s_flags & M_4SEC_EXPORTED))
1019 		return (mapaccess | NFSAUTH_RO);
1020 
1021 	/*
1022 	 * Optimize if there are no lists
1023 	 */
1024 	perm = sp[i].s_flags;
1025 	if ((perm & (M_ROOT|M_NONE)) == 0) {
1026 		perm &= ~M_4SEC_EXPORTED;
1027 		if (perm == M_RO)
1028 			return (mapaccess | NFSAUTH_RO);
1029 		if (perm == M_RW)
1030 			return (mapaccess | NFSAUTH_RW);
1031 	}
1032 
1033 	access = nfsauth_cache_get(exi, req, flavor);
1034 
1035 	/*
1036 	 * Client's security flavor doesn't match with "ro" or
1037 	 * "rw" list. Try again using AUTH_NONE if present.
1038 	 */
1039 	if ((access & NFSAUTH_WRONGSEC) && (flavor != AUTH_NONE)) {
1040 		/*
1041 		 * Have we already encountered AUTH_NONE ?
1042 		 */
1043 		if (authnone_entry != -1) {
1044 			mapaccess = NFSAUTH_MAPNONE;
1045 			access = nfsauth_cache_get(exi, req, AUTH_NONE);
1046 		} else {
1047 			/*
1048 			 * Check for AUTH_NONE presence.
1049 			 */
1050 			for (; i < exi->exi_export.ex_seccnt; i++) {
1051 				if (sp[i].s_secinfo.sc_nfsnum == AUTH_NONE) {
1052 					mapaccess = NFSAUTH_MAPNONE;
1053 					access = nfsauth_cache_get(exi, req,
1054 					    AUTH_NONE);
1055 					break;
1056 				}
1057 			}
1058 		}
1059 	}
1060 
1061 	if (access & NFSAUTH_DENIED)
1062 		access = NFSAUTH_DENIED;
1063 
1064 	return (access | mapaccess);
1065 }
1066 
1067 static void
1068 nfsauth_free_node(struct auth_cache *p)
1069 {
1070 	if (p->auth_netid != NULL)
1071 		kmem_free(p->auth_netid, strlen(p->auth_netid) + 1);
1072 	kmem_free(p->auth_addr.buf, p->auth_addr.len);
1073 	mutex_destroy(&p->auth_lock);
1074 	kmem_cache_free(exi_cache_handle, (void *)p);
1075 }
1076 
1077 /*
1078  * Remove the dead entry from the refreshq_dead_entries
1079  * list.
1080  */
1081 static void
1082 nfsauth_remove_dead_entry(struct auth_cache *dead)
1083 {
1084 	struct auth_cache	*p;
1085 	struct auth_cache	*prev;
1086 	struct auth_cache	*next;
1087 
1088 	mutex_enter(&refreshq_lock);
1089 	prev = NULL;
1090 	for (p = refreshq_dead_entries; p != NULL; p = next) {
1091 		next = p->auth_next;
1092 
1093 		if (p == dead) {
1094 			if (prev == NULL)
1095 				refreshq_dead_entries = next;
1096 			else
1097 				prev->auth_next = next;
1098 
1099 			nfsauth_free_node(dead);
1100 			break;
1101 		}
1102 
1103 		prev = p;
1104 	}
1105 	mutex_exit(&refreshq_lock);
1106 }
1107 
1108 /*
1109  * Free the nfsauth cache for a given export
1110  */
1111 void
1112 nfsauth_cache_free(struct exportinfo *exi)
1113 {
1114 	int i;
1115 	struct auth_cache *p, *next;
1116 
1117 	for (i = 0; i < AUTH_TABLESIZE; i++) {
1118 		for (p = exi->exi_cache[i]; p; p = next) {
1119 			next = p->auth_next;
1120 
1121 			/*
1122 			 * The only way we got here
1123 			 * was with an exi_rele, which
1124 			 * means that no auth cache entry
1125 			 * is being refreshed.
1126 			 */
1127 			nfsauth_free_node(p);
1128 		}
1129 	}
1130 }
1131 
1132 /*
1133  * Called by the kernel memory allocator when
1134  * memory is low. Free unused cache entries.
1135  * If that's not enough, the VM system will
1136  * call again for some more.
1137  */
1138 /*ARGSUSED*/
1139 void
1140 exi_cache_reclaim(void *cdrarg)
1141 {
1142 	int i;
1143 	struct exportinfo *exi;
1144 
1145 	rw_enter(&exported_lock, RW_READER);
1146 
1147 	for (i = 0; i < EXPTABLESIZE; i++) {
1148 		for (exi = exptable[i]; exi; exi = exi->fid_hash.next) {
1149 			exi_cache_trim(exi);
1150 		}
1151 	}
1152 	nfsauth_cache_reclaim++;
1153 
1154 	rw_exit(&exported_lock);
1155 }
1156 
1157 void
1158 exi_cache_trim(struct exportinfo *exi)
1159 {
1160 	struct auth_cache *p;
1161 	struct auth_cache *prev, *next;
1162 	int i;
1163 	time_t stale_time;
1164 
1165 	stale_time = gethrestime_sec() - NFSAUTH_CACHE_TRIM;
1166 
1167 	rw_enter(&exi->exi_cache_lock, RW_WRITER);
1168 
1169 	for (i = 0; i < AUTH_TABLESIZE; i++) {
1170 
1171 		/*
1172 		 * Free entries that have not been
1173 		 * used for NFSAUTH_CACHE_TRIM seconds.
1174 		 */
1175 		prev = NULL;
1176 		for (p = exi->exi_cache[i]; p; p = next) {
1177 			next = p->auth_next;
1178 			if (p->auth_time > stale_time) {
1179 				prev = p;
1180 				continue;
1181 			}
1182 
1183 			mutex_enter(&p->auth_lock);
1184 			DTRACE_PROBE1(nfsauth__debug__trim__state,
1185 			    auth_state_t, p->auth_state);
1186 
1187 			if (p->auth_state != NFS_AUTH_FRESH) {
1188 				p->auth_state = NFS_AUTH_INVALID;
1189 				mutex_exit(&p->auth_lock);
1190 
1191 				mutex_enter(&refreshq_lock);
1192 				p->auth_next = refreshq_dead_entries;
1193 				refreshq_dead_entries = p;
1194 				mutex_exit(&refreshq_lock);
1195 			} else {
1196 				mutex_exit(&p->auth_lock);
1197 				nfsauth_free_node(p);
1198 			}
1199 
1200 			if (prev == NULL)
1201 				exi->exi_cache[i] = next;
1202 			else
1203 				prev->auth_next = next;
1204 		}
1205 	}
1206 
1207 	rw_exit(&exi->exi_cache_lock);
1208 }
1209