Pandora Sourcecodes - pandora-kernel.git/commit

author	Andy Adamson <andros@netapp.com>
	Tue, 27 Nov 2012 15:34:19 +0000 (10:34 -0500)
committer	Trond Myklebust <Trond.Myklebust@netapp.com>
	Wed, 12 Dec 2012 20:36:02 +0000 (15:36 -0500)
commit	eb96d5c97b0825d542e9c4ba5e0a22b519355166
tree	62c98e2bdbcc7334a7043725d1fd81a589a75177	tree \| snapshot
parent	620038f6d2304475dce800dc5c75fc335a19613a	commit \| diff

SUNRPC handle EKEYEXPIRED in call_refreshresult

Currently, when an RPCSEC_GSS context has expired or is non-existent
and the users (Kerberos) credentials have also expired or are non-existent,
the client receives the -EKEYEXPIRED error and tries to refresh the context
forever. If an application is performing I/O, or other work against the share,
the application hangs, and the user is not prompted to refresh/establish their
credentials. This can result in a denial of service for other users.

Users are expected to manage their Kerberos credential lifetimes to mitigate
this issue.

Move the -EKEYEXPIRED handling into the RPC layer. Try tk_cred_retry number
of times to refresh the gss_context, and then return -EACCES to the application.

Signed-off-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

fs/nfs/nfs3proc.c		diff \| blob \| history
fs/nfs/nfs4filelayout.c		diff \| blob \| history
fs/nfs/nfs4proc.c		diff \| blob \| history
fs/nfs/nfs4state.c		diff \| blob \| history
fs/nfs/proc.c		diff \| blob \| history
net/sunrpc/clnt.c		diff \| blob \| history