Index: sys/nfs/nfs.h =================================================================== RCS file: /cvsroot/src/sys/nfs/nfs.h,v retrieving revision 1.76 diff -p -u -r1.76 nfs.h --- sys/nfs/nfs.h 21 Jan 2018 20:36:49 -0000 1.76 +++ sys/nfs/nfs.h 25 Jan 2018 00:16:11 -0000 @@ -41,6 +41,7 @@ #include #include #include +#include #endif /* @@ -486,7 +487,7 @@ extern int nfssvc_sockhead_flag; * One of these structures is allocated for each nfsd. */ struct nfsd { - TAILQ_ENTRY(nfsd) nfsd_chain; /* List of all nfsd's */ + struct rb_node nfsd_node; /* Tree of all nfsd's */ SLIST_ENTRY(nfsd) nfsd_idle; /* List of idle nfsd's */ kcondvar_t nfsd_cv; int nfsd_flag; /* NFSD_ flags */ @@ -497,6 +498,7 @@ struct nfsd { u_char nfsd_verfstr[RPCVERF_MAXSIZ]; struct proc *nfsd_procp; /* Proc ptr */ struct nfsrv_descript *nfsd_nd; /* Associated nfsrv_descript */ + uint32_t nfsd_cookie; /* Userland cookie, fits 32bit ptr */ }; /* Bits for "nfsd_flag" */ @@ -557,7 +559,6 @@ struct nfsrv_descript { extern kmutex_t nfsd_lock; extern kcondvar_t nfsd_initcv; -extern TAILQ_HEAD(nfsdhead, nfsd) nfsd_head; extern SLIST_HEAD(nfsdidlehead, nfsd) nfsd_idle_head; extern int nfsd_head_flag; #define NFSD_CHECKSLP 0x01 Index: sys/nfs/nfs_syscalls.c =================================================================== RCS file: /cvsroot/src/sys/nfs/nfs_syscalls.c,v retrieving revision 1.158 diff -p -u -r1.158 nfs_syscalls.c --- sys/nfs/nfs_syscalls.c 12 Feb 2017 18:24:31 -0000 1.158 +++ sys/nfs/nfs_syscalls.c 25 Jan 2018 00:16:11 -0000 @@ -61,6 +61,8 @@ __KERNEL_RCSID(0, "$NetBSD: nfs_syscalls #include #include #include +#include +#include #include #include @@ -87,9 +89,11 @@ kmutex_t nfsd_lock; struct nfssvc_sockhead nfssvc_sockhead; kcondvar_t nfsd_initcv; struct nfssvc_sockhead nfssvc_sockpending; -struct nfsdhead nfsd_head; struct nfsdidlehead nfsd_idle_head; +static rb_tree_t nfsd_tree; +static const rb_tree_ops_t nfsd_tree_ops; + int nfssvc_sockhead_flag; int nfsd_head_flag; @@ -102,12 +106,118 @@ static void nfsd_rt(int, struct nfsrv_de static int nfssvc_nfsd(struct nfssvc_copy_ops *, struct nfsd_srvargs *, void *, struct lwp *); +static int nfsd_compare_nodes(void *, const void *, const void *); +static int nfsd_compare_key(void *, const void *, const void *); + +static struct nfsd *nfsd_bake_cookie(struct nfsd *); +static void nfsd_toss_cookie(struct nfsd *); +static struct nfsd *nfsd_get(struct nfsd *); + static int nfssvc_addsock_in(struct nfsd_args *, const void *); static int nfssvc_setexports_in(struct mountd_exports_list *, const void *); static int nfssvc_nsd_in(struct nfsd_srvargs *, const void *); static int nfssvc_nsd_out(void *, const struct nfsd_srvargs *); static int nfssvc_exp_in(struct export_args *, const void *, size_t); +static const rb_tree_ops_t nfsd_tree_ops = { + .rbto_compare_nodes = nfsd_compare_nodes, + .rbto_compare_key = nfsd_compare_key, + .rbto_node_offset = offsetof(struct nfsd, nfsd_node), +}; + +static int +nfsd_compare_nodes(void *cookie, const void *va, const void *vb) +{ + const struct nfsd *na = va; + const struct nfsd *nb = vb; + + if (na->nfsd_cookie < nb->nfsd_cookie) + return -1; + if (na->nfsd_cookie > nb->nfsd_cookie) + return +1; + return 0; +} + +static int +nfsd_compare_key(void *cookie, const void *vn, const void *vk) +{ + const struct nfsd *n = vn; + const uint32_t *k = vk; + + if (n->nfsd_cookie < *k) + return -1; + if (n->nfsd_cookie > *k) + return +1; + return 0; +} + +/* + * nfsd_bake_cookie(nfsd) + * + * Bake a cookie for nfsd, hang it on the tree of nfsds, and + * return a userland-safe pointer nfsdu neatly packed for + * transport in struct nfsd_srvargs::nsd_nfsd. + */ +static struct nfsd * +nfsd_bake_cookie(struct nfsd *nfsd) +{ + + KASSERT(mutex_owned(&nfsd_lock)); + + do { + nfsd->nfsd_cookie = cprng_fast32(); + } while (nfsd->nfsd_cookie == 0 || + rb_tree_insert_node(&nfsd_tree, nfsd) != nfsd); + + return (struct nfsd *)(uintptr_t)nfsd->nfsd_cookie; +} + +/* + * nfsd_toss_cookie(nfsd) + * + * Toss nfsd's cookie. + */ +static void +nfsd_toss_cookie(struct nfsd *nfsd) +{ + + KASSERT(mutex_owned(&nfsd_lock)); + KASSERT(nfsd->nfsd_cookie != 0); + + rb_tree_remove_node(&nfsd_tree, nfsd); + nfsd->nfsd_cookie = 0; /* paranoia */ +} + +/* + * nfsd_get(nfsdu) + * + * Return the struct nfsd pointer for the userland nfsdu cookie, + * as stored in struct nfsd_srvargs::nsd_nfsd, or NULL if nfsdu is + * not a current valid nfsd cookie. + * + * Caller MUST NOT hold nfsd_lock. Caller MUST NOT pass (struct + * nfsd *)(uintptr_t)0, which is the sentinel value for no nfsd + * cookie, for which the caller should check first. + */ +static struct nfsd * +nfsd_get(struct nfsd *nfsdu) +{ + uintptr_t cookie = (uintptr_t)nfsdu; + uint32_t key; + struct nfsd *nfsd; + + KASSERT(cookie != 0); + if (cookie > UINT32_MAX) + return NULL; + key = cookie; + + mutex_enter(&nfsd_lock); + nfsd = rb_tree_find_node(&nfsd_tree, &key); + mutex_exit(&nfsd_lock); + + return nfsd; +} + static int nfssvc_addsock_in(struct nfsd_args *nfsdarg, const void *argp) { @@ -184,7 +294,7 @@ do_nfssvc(struct nfssvc_copy_ops *ops, s struct mbuf *nam; struct nfsd_args nfsdarg; struct nfsd_srvargs nfsd_srvargs, *nsd = &nfsd_srvargs; - struct nfsd *nfsd; + struct nfsd *nfsd = NULL; struct nfssvc_sock *slp; struct nfsuid *nuidp; @@ -254,8 +364,11 @@ do_nfssvc(struct nfssvc_copy_ops *ops, s error = ops->nsd_in(nsd, argp); if (error) return (error); + if ((uintptr_t)nsd->nsd_nfsd != 0 && + (nfsd = nfsd_get(nsd->nsd_nfsd)) == NULL) + return (EINVAL); if ((flag & NFSSVC_AUTHIN) && - ((nfsd = nsd->nsd_nfsd)) != NULL && + nfsd != NULL && (nfsd->nfsd_slp->ns_flags & SLP_VALID)) { slp = nfsd->nfsd_slp; @@ -340,7 +453,7 @@ do_nfssvc(struct nfssvc_copy_ops *ops, s } } if ((flag & NFSSVC_AUTHINFAIL) && - (nfsd = nsd->nsd_nfsd)) + nfsd != NULL) nfsd->nfsd_flag |= NFSD_AUTHFAIL; error = nfssvc_nfsd(ops, nsd, argp, l); } @@ -481,7 +594,7 @@ nfssvc_nfsd(struct nfssvc_copy_ops *ops, struct timeval tv; struct mbuf *m; struct nfssvc_sock *slp; - struct nfsd *nfsd = nsd->nsd_nfsd; + struct nfsd *nfsd; struct nfsrv_descript *nd = NULL; struct mbuf *mreq; u_quad_t cur_usec; @@ -493,8 +606,12 @@ nfssvc_nfsd(struct nfssvc_copy_ops *ops, cacherep = RC_DOIT; writes_todo = 0; #endif - if (nfsd == NULL) { - nsd->nsd_nfsd = nfsd = kmem_alloc(sizeof(*nfsd), KM_SLEEP); + /* + * If userland didn't provide an nfsd cookie, bake a fresh one; + * if they did provide one, look it up. + */ + if ((uintptr_t)nsd->nsd_nfsd == 0) { + nfsd = kmem_alloc(sizeof(*nfsd), KM_SLEEP); memset(nfsd, 0, sizeof (struct nfsd)); cv_init(&nfsd->nfsd_cv, "nfsd"); nfsd->nfsd_procp = p; @@ -503,10 +620,15 @@ nfssvc_nfsd(struct nfssvc_copy_ops *ops, KASSERT(nfs_numnfsd == 0); cv_wait(&nfsd_initcv, &nfsd_lock); } - TAILQ_INSERT_TAIL(&nfsd_head, nfsd, nfsd_chain); + nsd->nsd_nfsd = nfsd_bake_cookie(nfsd); nfs_numnfsd++; mutex_exit(&nfsd_lock); + } else if ((nfsd = nfsd_get(nsd->nsd_nfsd)) == NULL) { + return (EINVAL); } + KASSERT(nfsd != NULL); + KASSERT(nsd->nsd_nfsd != (struct nfsd *)(uintptr_t)0); + /* * Loop getting rpc requests until SIGKILL. */ @@ -759,14 +881,15 @@ nfssvc_nfsd(struct nfssvc_copy_ops *ops, } done: mutex_enter(&nfsd_lock); - TAILQ_REMOVE(&nfsd_head, nfsd, nfsd_chain); + nfsd_toss_cookie(nfsd); doreinit = --nfs_numnfsd == 0; if (doreinit) nfssvc_sockhead_flag |= SLP_INIT; mutex_exit(&nfsd_lock); cv_destroy(&nfsd->nfsd_cv); kmem_free(nfsd, sizeof(*nfsd)); - nsd->nsd_nfsd = NULL; + KASSERT(nsd->nsd_nfsd != (struct nfsd *)(uintptr_t)0); + nsd->nsd_nfsd = (struct nfsd *)(uintptr_t)0; if (doreinit) nfsrv_init(true); /* Reinitialize everything */ return (error); @@ -895,7 +1018,7 @@ nfsrv_init(int terminating) if (terminating) { KASSERT(SLIST_EMPTY(&nfsd_idle_head)); - KASSERT(TAILQ_EMPTY(&nfsd_head)); + KASSERT(RB_TREE_MIN(&nfsd_tree) == NULL); while ((slp = TAILQ_FIRST(&nfssvc_sockhead)) != NULL) { mutex_exit(&nfsd_lock); KASSERT(slp->ns_sref == 0); @@ -915,7 +1038,7 @@ nfsrv_init(int terminating) TAILQ_INIT(&nfssvc_sockhead); TAILQ_INIT(&nfssvc_sockpending); - TAILQ_INIT(&nfsd_head); + rb_tree_init(&nfsd_tree, &nfsd_tree_ops); SLIST_INIT(&nfsd_idle_head); nfsd_head_flag &= ~NFSD_CHECKSLP;