git.openafs.org Git - openafs.git/log

vlserver: Remove 'register' argument

Commit 4a531cb7 (death to register) removed the 'register' declaration
from variables/arguments. But commit 3bf03502 (vlserver: Add a struct
for trans-specific data) accidentally added one back in at around the
same time, probably due to a rebase/merge mistake.

Take the 'register' declaration back out.

Change-Id: I73f206a57ab6b97195771e39556d2b0064be4cf3
Reviewed-on: https://gerrit.openafs.org/13346
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

CellServDB update 14 May 2018

Update all three copies in the tree, and the rpm specfile.

Change-Id: I572ff4e39ab757128f0082a4f447565e94b8dee5
Reviewed-on: https://gerrit.openafs.org/13134
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

Log binding ip address and port during startup

Many daemons currently have the ability to bind to a specific ip
address using the -rxbind parameter. The behavior can be a little
unintuitive, however, since we only bind to the ip address we find via
NetInfo/NetRestrict processing, and only if we end up with a single ip
address. Since that processing involves examining the set of ip
addresses available, this can have confusing results if, for instance,
a daemon starts up while an administrator is changing the local ip
configuration.

If a daemon binds to a different ip address than the administrator
expects, this can be very confusing, especially since for most daemons
we don't log our bound ip anywhere. To help alleviate this, change the
startup code for all of our daemons to log what ip we are trying to
bind to (or "0.0.0.0" if none), along with our local port.

Change-Id: I18d3647c4d134177a0a17c6a64583d444558a9f6
Reviewed-on: https://gerrit.openafs.org/13272
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

fsprobe: add fsprobe_Wait function

Move the lwp code to wait in the fsprobe applications down to the
fsprobe library.

This is a non-functional change in anticipation of converting the
fsprobe library and programs to pthreads.

Change-Id: I2972b13e2e3eeb691c64c91b0640bbc97e7d0b21
Reviewed-on: https://gerrit.openafs.org/12747
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

xstat: add xstat_*_Wait functions

Add the xstat_cm_Wait and xstat_fs_Wait functions and move the code to
wait for the xstat data collection to complete from the applications
down to the xstat library.

This is a non-functional change in anticipation of converting the xstat
library and programs to pthreads.

Change-Id: Ifd1d6bcda618c89b4ce46e1e64f33b0b30a89a72
Reviewed-on: https://gerrit.openafs.org/12746
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

rx: Convert rxinit_status to rx_IsRunning()

Currently, all rx code examines the atomic rxinit_status to determine
if rx is running (that is, if rx_InitHost has been called, and
rx_Finalize/shutdown_rx hasn't been called). This is used in rx.c to
see if we're redundantly calling our setup/teardown functions, and
outside of rx.c in a couple of places to see if rx-related resources
have been initialized.

The usage of rxinit_status is a little confusing, since setting bit 0
indicates that rx is not running, and clearing bit 0 indicates rx is
running. Since using rxinit_status requires atomic functions, this
makes code checking or setting rxinit_status a little verbose, and it
can be hard to see what it is checking for. (For example, does
'if (!rx_atomic_test_and_clear_bit(&rxinit_status, 0))' succeed when
rx running, or when rx is not running?)

The current usage of rxinit_status in rx_InitHost also does not handle
initialization errors correctly. rx_InitHost clears rxinit_status near
the beginning of the function, but does not set rxinit_status if an
error is encountered. This means that any code that checks
rxinit_status (such as another rx_InitHost call) will think that rx
was initialized successfully, but various resources aren't actually
setup. This can cause segfaults and other errors as the code tries to
actually use rx.

This can easily be seen in bosserver, if bosserver is started up while
the local host/port is in use by someone else. bosserver will try to
rx_InitHost, which will fail, and then we'll try to rx_InitHost again,
which will immediately succeed without doing any init. We then
segfault quickly afterwards as we try to use unitialized rx resources.

To fix all of this, refactor code using rxinit_status to use a new
function, called rx_IsRunning(), to make it a little clearer what
we're checking for. We also re-introduce the LOCK_RX_INIT locks to
prevent functions like rx_InitHost and rx_Finalize from running in
parallel.

Note that non-init/shutdown code (such as rx_upcall or rx_GetIFInfo)
does not need to wait for LOCK_RX_INIT to check if rx is running or
not. These functions only care if rx is currently setup enough to be
used, so we can immediately return a 'yes' or 'no' answer. That is, if
rx_InitHost is in the middle of running, rx_IsRunning returns 0, since
some resouces may not be fully initialized.

Change-Id: Ia14a6a725c9662b9db0adef48c33b48a93ffe051
Reviewed-on: https://gerrit.openafs.org/12761
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

SOLARIS: Fix libafs $(KOBJ) parallel make race

Currently, our COMPDIRS make rule for SOLARIS libafs builds looks like
this:

    ${COMPDIRS} ${INSTDIRS} ${DESTDIRS}:
        for t in $(KOBJ) ; do
            # set some variables ; \
            cd $$t ; \
            $(MAKE) $@_libafs || exit $$? ; \
            cd ../ ;\
        done

And Makefile.common has this:

    all: setup $(COMPDIRS)

Where the 'setup' rule creates the $(KOBJ) dirs and sets up some
symlinks.

For parallel builds, this means that our commands in the ${COMPDIRS}
target can be running in parallel with the 'setup' target, and so our
$(KOBJ) dirs may not exist by the time we try to 'cd $$t'.

For single-KOBJ platforms this actually largely works, since the 'cd'
will fail, but then the subsequent 'make' will run (just in the wrong
dir), but this can cause us to wastefully re-compile the same source
files (and cause some possibly confusing error messages). For
platforms with multiple KOBJs, this causes obvious problems, since we
don't cd into each KOBJ dir.

To solve this, just have the ${COMPDIRS}/etc rule depend on setup, so
we know that 'setup' has finished running. Also change our way of
'cd'ing into each KOBJ dir to actually cause the rule to fail, to make
any errors here more obvious and consistent.

Change-Id: Id2e662f36ef47a6182716728167b2da4713893c6
Reviewed-on: https://gerrit.openafs.org/13344
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

SOLARIS: Fix platforms for KOBJ definition

Currently, we define KOBJ to "MODLOAD32 MODLOAD64" for the following
platforms:

<all -sun4x_510 sun4x_511 sunx86_511>

Which doesn't make any sense, since "all" includes sun4x_511 and
sunx86_511. The previous commits that modified this line, e4c2810f
(Remove support for Solaris pre-8) and c6a22d67 (SOLARIS: Do not build
x86 kernel module on 5.11), clearly meant to change the platforms
sun4x_511 and sunx86_511 to use the KOBJ on the next line, but omitted
the leading "-" for the platform.

This doesn't break anything, since the Makefile on these platforms
expands to:

KOBJ = MODLOAD32 MODLOAD64
KOBJ = MODLOAD64

So the first KOBJ line is effectively ignored. It's confusing, though,
so fix this line so these platforms only get one KOBJ definition.

Change-Id: Idea9fdee4ac5883428748c2a5fdfa9707406436a
Reviewed-on: https://gerrit.openafs.org/13343
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

Run ctfconvert/ctfmerge for all objects

Commit 88cb536f (autoconf: detect ctf-tools and add ctf to libafs)
introduced running ctfconvert and ctfmerge for libafs on Solaris, but
didn't add any CTF data for userspace code. This commit causes the
same commands to be run for every binary that we build (if the ctf
tools are available).

To accomplish this, also refactor how we run ctfconvert and ctfmerge.
The approach in commit 88cb536f would require us to modify the
makefile rule for every executable to run RUN_CTFCONVERT and
RUN_CTFMERGE, which is somewhat impractical. So instead in this
commit, we modify all of our *_CCRULE and *_LDRULE variables to wrap
the compiler invocation with the new CC_WRAPPER script. This means our
*RULE variables change from something like this:

FOO_CCRULE = $(RUN_CC) $(CC) $(XXX_FLAGS) -o $@

to something like this:

FOO_CCRULE = $(RUN_CC) $(CC_WRAPPER) $(CC) $(XXX_FLAGS) -o $@

CC_WRAPPER expands to the script src/config/cc-wrapper, which just
runs ctfconvert or ctfmerge on the relevant files after the
compiler/linker runs. If the CTF tools are not configured, CC_WRAPPER
expands to nothing, to limit our impact on other platforms.

This commit was developed in collaboration with
mbarbosa@sinenomine.net.

Change-Id: Id19ba9d739edc68f01c2db7d5caa20758ec8144a
Reviewed-on: https://gerrit.openafs.org/13308
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

Call rx_InitHost once during daemon startup

Currently, a few daemons calls rx_InitHost in different places, and
under different conditions. For example, vlserver calls rx_InitHost
only when we -rxbind to a specific ip address, and then also makes an
additional rx_Init call. Other daemons always call rx_InitHost, or
just call rx_InitHost sometimes and don't make an extra rx_Init call.

To try to make the various daemons behave a little more consistently,
change the startup code to always call rx_InitHost, and to only call
it once. Note that rx_InitHost is the same as calling rx_Init with
INADDR_ANY as the ip address, and calling rx_Init* after a previous
rx_Init* call is effectively a no-op.

Change-Id: Ifd15175349a7b4695e684ca82deb8a8af5063073
Reviewed-on: https://gerrit.openafs.org/13271
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

pthread.m4: Add missing 'test' to conditional

Commit c5def62d (autoconf: update pthread checks) accidentally omitted
a 'test' in one of the conditionals. This causes an ugly error message
during configure:

checking for pthread_attr_init in -lpthread... yes
./configure[31043]: x-lpthread: not found [No such file or directory]

Replace the missing 'test'.

Change-Id: I28b82594e43a4ab42a5eb9fcc78e0ce8c5517d8b
Reviewed-on: https://gerrit.openafs.org/13342
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: remove unused code

ubik_GetVersion and ubik_WaitVersion have been unused since at least
OpenAFS 1.0. Remove them.

No functional change should be incurred by this commit.

Change-Id: Iee6952f35d8c34e9f05a4e6011f5795f7222fb08
Reviewed-on: https://gerrit.openafs.org/13325
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

Remove alpha_dux/alpha_osf references

Several files were still referencing the alpha_dux* and alpha_osf*
sysnames. The code for these platforms has been removed, so get rid of
this cruft.

Change-Id: I042fcc29be322bf557829974242553bb6d5b2be4
Reviewed-on: https://gerrit.openafs.org/13339
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

libafs: Remove .i Makefile rules

Makefile.common.in defines a suffix rule to generate .i files from .c
files, but we never actually need to do this. The rule originates from
before OpenAFS 1.0, which also did not use the rule. Remove the
unused definitions.

Change-Id: I057b2aca7d17e3e85e93d886a65c954e8d9d708f
Reviewed-on: https://gerrit.openafs.org/13338
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

volser: ensure GCTrans transaction walk remains valid

Commit bc56f5cc97a982ee29219e6f258b372dbfe1a020 ("volser: Delete
timed-out temporary volumes") introduced new logic to GCTrans().
Unfortunately, part of this logic temporarily drops VTRANS_LOCK in order
to call VPurgeVolume().  While this lock is dropped, other volser_trans
may be added or deleted from the allTrans list.  Therefore, GCTrans
should not trust the next pointer (nt = tt->next) which was obtained
before the lock was dropped.

One symptom observed in the field was a segfault while examining
tt->volume.  Neither tt nor volume were valid any longer, since tt had
been set from a stale nt at the top of the loop.

To repair, improve, and clarify this logic:
- Refactor so nt is assigned correctly and as late as possible.
- Add comments to explain the placement of the assigns to future
maintainers.

Change-Id: Ibd3a504bddd3622730aa349576341e20f2f27836
Reviewed-on: https://gerrit.openafs.org/13286
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

volser: add more logs for failures during restore

In the current version of the volserver, some failures during volume
restores are not logged. In order to help debugging, this commit
introduces extra logs for possible failures during this process, so we
guarantee that an error at any point during the restore causes a
message to be logged.

Change-Id: I3647155aeb3f10316d9d7fecb5b126efc909f7b4
Reviewed-on: https://gerrit.openafs.org/13252
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

afsmonitor: remove unused LWP_WaitProcess

Remove the unimplemented once-only flag and the unused LWP_WaitProcess
call.

Change-Id: Idec5815f6f20019b9be4b973794d8b05cea7f6c9
Reviewed-on: https://gerrit.openafs.org/12745
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

volser: combine GCTrans conditional clauses

In preparation for a future commit, combine two conditional clauses in
GCTrans().

No functional change should be incurred by this commit.

Change-Id: Ib08d5b83dd26327124fe0119e6e5f459adc5f78a
Reviewed-on: https://gerrit.openafs.org/13303
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: positional io for db reads and writes

The ubik library was written before positional i/o was available and
issues an lseek system call for each database file read and write. This
change converts the ubik database accesses to use positional i/o on
platforms where pread and pwrite are available, in order to reduce
system call load.

The new inline uphys_pread and uphys_pwrite functions are supplied on
platforms which do not supply pread and pwrite. These functions fall
back to non-positional i/o. If these symbols are present in the database
server binary then the server process will continue to call lseek before
each read and write access of the database file.

This change does not affect the whole-file database synchronization done
by ubik during database recovery (via the DISK_SendFile and DISK_GetFile
RPCs), which still uses non-positional i/o. However, that code does not
share file descriptors with the phys.c code, so there is no possibility
of mixing positional and non-positional i/o on the same FDs.

Change-Id: I28accd24f7f27b5e8a4f1dd0e3e08bab033c16e0
Reviewed-on: https://gerrit.openafs.org/12272
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

volser: warn if older version of volume is restored

Volume restores work by overwriting vnodes with the data in the given
volume dump. If we restore a partial incremental dump from an older
version of the volume, this generally results in a partly-corrupted
volume, since directory vnodes may contain references that don't exist
in the current version of the volume (or are supposed to be in a
different directory).

Currently, the volserver does not prevent restoring older volume data
to a volume, and this doesn't necessarily always result in corrupted
data (for instance, if we are restoring a full volume dump over an
existing volume). But restoring old volume data seems more likely to
be a mistake, since reverting a volume back to an old version, even
without corrupting data, is a strange thing to do and may cause
problems with our methods of cache consistency.

So, log a warning when this happens, so if this is a mistake, it
doesn't happen silently. But we still do not prevent this action, since
it's possible something could be doing this intentionally. We detect
this just by checking if the updateDate in the given header is older
than the current updateDate for the volume on disk.

Note: Restoring a full dump file (-overwrite f) will not result in
corrupted data. In this scenario, the restore operation removes the
volume on disk first (if present). After that, the dump file is
restored. In this case, we do not log anything (the volume is not
corrupted).

Change-Id: Iac55cc8bb1406ca6af9a5e43e7d37c6bfa889e91
Reviewed-on: https://gerrit.openafs.org/13251
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

update: convert upserver and client from LWP to pthreads

Build the upserver and the upclient with phreads instead of LWP
and convert the IOMRG sleeps in the client to regular sleeps.

Change-Id: I183765ef180f34d38b87a13ec49f16f4a60afcc8
Reviewed-on: https://gerrit.openafs.org/12754
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

Correct some redundant if() clauses

A few if() conditions currently contain redundant syntax, due to typos.
Fix the conditions to actually check different things, according to what
the author probably originally intended. (via cppcheck)

Change-Id: I7e46217e1f84fe65677ada345d227f31f1988fe6
Reviewed-on: https://gerrit.openafs.org/13157
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: remove unnecessary lseeks in uphys_open

The ubik database file access layer has a file descriptor cache to avoid
reopening the database file on each file access. However, the file
offset is reset with lseek on each and every use of the cached file
descriptor, and the file offset is set twice when reading or writing
data records.

This change removes unnecessary and duplicate lseek system calls to
reduce the system call load.

Change-Id: I460b226d81e4eb64dc87918175acab495aa698cd
Reviewed-on: https://gerrit.openafs.org/12271
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

klog.krb5 -lifetime is not implemented

The klog.krb5 -lifetime option was copied from earlier versions of log
and klog, which had the ability to set the krb4 token lifetime. However,
the -lifetime option is not feasible the krb5 version, and so is not
implemented in klog.krb5.

Update the klog.krb5 man page to document the -lifetime option has no
effect. Remove the code which unnecessarily checks the unused klog.krb5
-lifetime command line argument.

The unused lifetime variable was discovered by Pat Riehecky using the
clang scan-build static analyzer.

Change-Id: I5f459ec46eaff87a69ccdf7de386a671d0944a5a
Reviewed-on: https://gerrit.openafs.org/13309
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: PatRiehecky <jcpunk@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

util: add defines for ktime never and now values

Add preprocessor symbolic names for ktime values representing never and
right now. The names are intended to be consistent with the ktime date
never value definition. This commit does not make any functional
change.

Change-Id: Ia6735b585e50aeb018481f76552fbb4f607b8529
Reviewed-on: https://gerrit.openafs.org/13310
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: Buffer log writes with stdio

Currently, when we write ubik i/o operations to the db log, we tend to
issue several syscalls involving small writes and fstat()s. This is
because each "log" operation involves at least one write, and each log
operation tends to be pretty small.

Each logged operation hitting disk separately is unnecessary, since
the db log does not need to hit the disk at all until we are ready to
commit the transaction. So to reduce the number of syscalls when
writing to the db, change our log writes to be buffered in memory
(using stdio calls). This also avoids needing to fstat() the
underlying log file, since we open the underlying file in append-only
mode, since we only ever append to (and truncate) the log file.

To implement this, we introduce a new 'buffered_append' phys
operation, to explicitly separate our buffered and non-buffered
operations, to try to avoid any bugs from mixing buffered and
non-buffered i/o. This new operation is only used for the db log.

Change-Id: I5596117c6c71ab7c2d552f71b0ef038f387e358a
Reviewed-on: https://gerrit.openafs.org/13070
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Joe Gorse <jhgorse@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

autoconf: Use `uname -p` instead of $HOST_CPU for ctf tools

Currently, we check if the ctf tools are present searching for them in
a few directories. One of these directories (/opt/onbld/bin/$HOST_CPU) looks at
the $HOST_CPU variable, which on x86 can be 'x86_64' or 'i386', but the only
valid directories for the onbld tools are 'i386' and 'sparc'. So instead of
$HOST_CPU, just use $(uname -p), which is only ever 'i386' on x86, and 'sparc'
on sparc.

[adeason@sinenomine.net: reword commit message]

Change-Id: I972cf1cc0dda81f5ee454b14ddbe2830c82c838d
Reviewed-on: https://gerrit.openafs.org/13275
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

doc: the last partition name is /vicepiu

The last valid partition name supported by OpenAFS is /vicepiu, not
/vicepiv. Update the docs and man pages to say so.

Change-Id: I6e1cce775d332d76f605a26f16502c651461994b
Reviewed-on: https://gerrit.openafs.org/13177
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

tests: partition name to id function tests

Add unit tests for the utility functions to convert between partition
names and partition ids.

Change-Id: I4b12f9d611cb9f3ce49909cda5cbcedd3e6c3d10
Reviewed-on: https://gerrit.openafs.org/13176
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>

Add rxgk_crypto_rfc3961.c

rxgk wrappers around an external crypto library, in this case, our
in-tree rfc3961 library. Primitives for encryption/decryption and
MIC/VerifyMIC, ways to generate and free rxgk_key objects, etc..

Change-Id: I7525086043baf54f5c3019b3f5ab3495760c4236
Reviewed-on: https://gerrit.openafs.org/10565
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>

Remove DUX/OSF code

Remove code for DUX/OSF platforms. DUX code was removed from the
libafs client in commit 392dcf67 ("Complete removal of DUX client
code") and the alpha_dux* param files were removed in dc4d9d64 ("afs:
Remove AFS_BOZONLOCK_ENV"). This code has always been disabled since
those commits, so remove any code referencing AFS_DUX*_ENV,
AFS_OSF_ENV, and related symbols.

Change-Id: I3787b83c80a48e53fe214fdecf9a9ac0b63d390c
Reviewed-on: https://gerrit.openafs.org/13260
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>

venus: fix memory leak

In GetPrefCmd, when we request server prefs from the kernel and our
output buffer is not big enough, pioctl() will return E2BIG and we
allocate more memory and try again. However, if the size of the output
buffer reaches 16k bytes and this space is still not enough (or if
pioctl fails and errno != E2BIG), we return without releasing the
memory that was previously allocated.

To fix this problem, free our output buffer when this happens.

Change-Id: Ib34cb12629528ddf2a763386f0ac5494eb8be695
Reviewed-on: https://gerrit.openafs.org/12293
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

rx: reset packet header userStatus field on reuse

OpenAFS Rx fails to set the rx packet header userStatus field for most
packets sent other than type RX_PACKET_TYPE_ACK.  If the userStatus
field is not set, its value will be random garbage based upon the
prior use of the memory allocated to the rx_packet.

This change explicitly sets the userStatus field to zero for all
DATA and Special packet types.

Background
----------

OpenAFS Rx allocates a pool of rx_packet structures that are reused
for both incoming and outgoing Rx packets throughout the lifetime
of the process (or kernel module).

The rx packet header field userStatus is set by rxi_Send() to
rx_call.localStatus.  rxi_Send() is called from both rxi_SendAck()
when sending RX_PACKET_TYPE_ACK packets and from rxi_SendSpecial()
when called with a non-NULL call structure (RX_PACKET_TYPE_BUSY,
RX_PACKET_TYPE_ACKALL, or RX_PACKET_TYPE_ABORT).  rx_call.localStatus
defaults to zero and can be modified by the application calling
rx_SetLocalStatus().

The userStatus field is neither set nor reset when sending
RX_PACKET_TYPE_DATA packets and all packets sent without a call
structure.  When allocated packets are reused in these cases, the
value of the userStatus leaks from the prior packet use.  The
userStatus field is expected to be zero unless intentionally set by
the application protocol to another value.

The AFS3 suite of rx services uses the rx_header.userStatus field
only in the RXAFS service and only as part of the definition
for RXAFS_StoreData and RXAFS_StoreData64 RPCs.  The StoreData RPCs
use the rx_header.userStatus field as an out-of-band communication
mechanism that permits the fileserver to signal to the cache manager
when the RXAFS_StoreData[64] has been assigned to an application
worker (thread) and the worker has acquired all of the required locks
and other resources necessary to complete the RPC.  This signal can be
sent before all of the application data has been received.  The cache
manager reads the userStatus value via rx_GetRemoteStatus().  When
bit-0 of the remote status value equals one and CSafeStore mode is
disabled, the cache manager can wakeup any threads blocked waiting for
the store operation to complete.

Cache managers that perform a workload heavy in RXAFS_StoreData[64] RPCs
will end up with an increasing percentage of packets in which the
userStatus field is one instead of zero.

Fileservers processing a workload heavy in RXAFS_StoreData[64] RPCs
will likewise end up with an increasing percentage of packets in which
the userStatus field is one instead of zero.

Cache managers and Fileservers will therefore send DATA and call free
special packets with a non-zero userStatus field to peer services
(RXAFS, RXAFSCB, VL, PR).

The failure to reset the userStatus field has not been a problem in
the past because only the OpenAFS cache manager has ever queried the
userStatus via rx_GetRemoteStatus() and only when issuing
RXAFS_StoreData[64] RPCs.

Failure to correct this flaw interferes with future use of the userStatus
field in yet to be registered AFS3 RPCs and existing non-AFS3 services
that make use of the userStatus when sending data to a service.

Change-Id: I32c0bba93b8e5197036d92168956b6e2a95406fb
FIXES: 134554
Reviewed-on: https://gerrit.openafs.org/13165
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

budb: SBUDB_FindLatestDump should check result of FillDumpEntry

FillDumpEntry may return an error, but FindLatestDump doesn't check its
result. Therefore, SBUDB_FindLatestDump may return invalid results.

Instead, check the return code from FillDumpEntry and abort the call if
it fails.

Change-Id: If0b44ba2a12a76511129d77110ef669b00780ff0
Reviewed-on: https://gerrit.openafs.org/13312
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

butc: repair build error

Commit c43169fd36348783b1a5a55c5bb05317e86eef82 introduced a build error
by invoking TLog with an extraneous set of internal parentheses.

Remove the offending parentheses.

Change-Id: Ibc52501b01ecbe9f86262566446d63e66486272f
Reviewed-on: https://gerrit.openafs.org/13311
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

Fix typos in audit format strings

Commit 9ebff4c6caa8b499d999cfd515d4d45eb3179769 introduced audit
framework support for several butc-related data types, but had
a typo ('$d' for '%d') in a couple of places, that was not reported
by compiler format-string checking. Fix the typo to properly print
all the auditable data.

Change-Id: Ibefa9f8f1c0567bc6fe606327af26fcb0dbeadba

OPENAFS-SA-2018-001 backup: use authenticated connection to butc

Use the standard routine to pick a client security object, instead of
always assuming rxnull. Respect -localauth as well as being able to
use the current user's tokens, but also provide a -nobutcauth argument
to fall back to the historical rxnull behavior (but only for the connections
to butc; vldb and budb connections are not affected).

Change-Id: Ibf8ebe5521bee8d0f7162527e26bc5541d07910d

OPENAFS-SA-2018-001 butc: require authenticated connections with -localauth

The butc -localauth option is available to use the cell-wide key to
authenticate to the vlserver and buserver, which in normal deployments
will require incoming connections to be authenticated as a superuser.
In such cases, the cell-wide key is also available for use in
authenticating incoming connections to the butc, which would otherwise
have been completely unauthenticated.

Because of the security hazards of allowing unauthenticaed inbound
RPCs, especially ones that manipulate backup information and are allowed
to initiate outboud RPCs authenticated as the superuser, default to
not allowing unauthenticated inbound RPCs at all. Provide an opt-out
command-line argument for deployments that require this functionality
and have configured their network environment (firewall/etc.) appropriately.

Change-Id: Ia6349757a4c6d59d1853df1a844e210d32c14feb

OPENAFS-SA-2018-001 Add auditing to butc server RPC implementations

Make the actual implementations into helper functions, with the RPC
stubs calling the helpers and doing the auditing on the results, akin
to most other server programs in the tree. This relies on support for
some additional types having been added to the audit framework.

Change-Id: Ic872d6dfc7854fa28bd3dc2277e92c7919d0d0c0

OPENAFS-SA-2018-001 audit: support butc types

Add support for several complex butc types to enable butc auditing.

Change-Id: I6aedd933cf5330cda40aae6f33827ae65409df32

OPENAFS-SA-2018-001 butc: remove dummy osi_audit() routine

This local stub was present in the original IBM import and is unused.
It will conflict with the real audit code once we start adding auditing
to the TC_ RPCs, so remove it now.

Change-Id: I3e74e01464af122f245c3b0fe8f3985e422d13b4

OPENAFS-SA-2018-003 rxgen: prevent unbounded input arrays

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit an RPC
request with an arbitrarily large array, forcing the server to expend
large amounts of network bandwidth, cpu cycles, and heap memory to
unmarshal the input.

Instead, issue an error message and stop rxgen when it detects an RPC
defined with an unbounded input array. Thus we will detect the problem
at build time and prevent any future unbounded input arrays.

Change-Id: Ib110f817ed1c8132ea2549025876a5200c728fab

OPENAFS-SA-2018-003 volser: prevent unbounded input to various AFSVol* RPCs

Several AFSVol* RPCs are defined with an unbounded XDR "string" as
input.

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit an
AFSVol* request with an arbitrarily large string, forcing the volserver
to expend large amounts of network bandwidth, cpu cycles, and heap
memory to unmarshal the input.

Instead, give each input "string" an appropriate size.
Volume names are inherently capped to 32 octets (including trailing NUL)
by the protocol, but there is less clearly a hard limit on partition names.
The Vol_PartitionInfo{,64} functions accept a partition name as input and
also return a partition name in the output structure; the output values
have wire-protocol limits, so larger values could not be retrieved by clients,
but for denial-of-service purposes, a more generic PATH_MAX-like value seems
appropriate. We have several varying sources of such a limit in the tree, but
pick 4k as the least-restrictive.

[kaduk@mit.edu: use a larger limit for pathnames and expand on PATH_MAX in
commit message]

Change-Id: Iea4b24d1bb3570d4c422dd0c3247cd38cdbf4bab

OPENAFS-SA-2018-003 volser: prevent unbounded input to AFSVolForwardMultiple

AFSVolForwardMultiple is defined with an input parameter that is defined
to XDR as an unbounded array of replica structs:
typedef replica manyDests<>;

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks. A malicious client may submit an
AFSVolForwardMultiple request with an arbitrarily large array, forcing
the volserver to expend large amounts of network bandwidth, cpu cycles,
and heap memory to unmarshal the input.

Even though AFSVolForwardMultiple requires superuser authorization, this
attack is exploitable by non-authorized actors because XDR unmarshalling
happens long before any authorization checks can occur.

Add a bounding constant (NMAXNSERVERS 13) to the manyDests input array.
This constant is derived from the current OpenAFS vldb implementation, which
is limited to 13 replica sites for a given volume by the layout (size) of the
serverNumber, serverPartition, and serverFlags fields.

[kaduk@mit.edu: explain why this constant is used]

Change-Id: Id12c6a7da4894ec490691eb8791dcd3574baa416

OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText

BUDB_SaveText is defined with an input parameter that is defined to XDR
as an unbounded array of chars:
   typedef char charListT<>;

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks.  A malicious client may submit a
BUDB_SaveText request with an arbitrarily large array, forcing the budb
server to expend large amounts of network bandwidth, cpu cycles, and
heap memory to unmarshal the input.

Modify the XDR definition of charListT so it is bounded.  This typedef
is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but
fortunately all in-tree callers of the client routines specify the same
maximum length of 1024.

Note: However, SBUDB_SaveText server implementation seems to allow for up to
BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader)
(8), and it's unknown if any out-of-tree callers exist.  Since we do not need a
tight bound in order to avoid the DoS, use a somewhat higher maximum of
4096 bytes to leave a safety margin.

[kaduk@mit.edu: bump the margin to 4096; adjust commit message to match]

Change-Id: Ic3fe2758a9c97ed02c6e6d05f0de0865959b5b04

OPENAFS-SA-2018-003 vlserver: prevent unbounded input to VL_RegisterAddrs

VL_RegisterAddrs is defined with an input argument of type bulkaddrs,
which is defined to XDR as an unbounded array of afs_uint32 (IPv4 addresses):
  typedef afs_uint32 bulkaddrs<>

The <> with no value instructs rxgen to build client and server stubs
that allow for a maximum size of "~0u" or 0xFFFFFFFF.

Ostensibly the bulkaddrs array is unbounded to allow it to be shared
among VL_RegisterAddrs, VL_GetAddrs, and VL_GetAddrsU.  The VL_GetAddrs*
RPCs use bulkaddrs as an output array with a maximum size of MAXSERVERID
(254). VL_RegisterAddrss uses bulkaddrs as an input array, with a
nominal size of VL_MAXIPADDRS_PERMH (16).

However, RPCs with unbounded array inputs are susceptible to remote
denial-of-service attacks.  That is, a malicious client may send a
VL_RegisterAddrs request with an arbitrarily long array, forcing the
vlserver to expend large amounts of network bandwidth, cpu cycles, and
heap memory to unmarshal the argument.  Even though VL_RegisterAddrs
requires superuser authorization, this attack is exploitable by
non-authorized actors because XDR unmarshalling happens long before any
authorization checks can occur.

Because all uses of the type that our implementation support have fixed
bounds on valid data (whether input or output), apply an arbitrary
implementation limit (larger than any valid structure would be), to
prevent this class of attacks in the XDR decoder.

[kaduk@mit.edu: limit the bulkaddrs type instead of introducing a new type]

Change-Id: Ibcc962ccc46aec7552b86d1d9fda7cc14310bc03

OPENAFS-SA-2018-002 butc: Initialize OUT scalar value

In STC_ReadLabel, the interaction with the tape device is
synchronous, so there is no need to allocate a task ID for status
monitoring. However, we do need to initialize the output value,
to avoid writing stack garbage on the wire.

Change-Id: Id2066e1fe95fa1de02577dfd844697b1ae770f30

OPENAFS-SA-2018-002 ubik: prevent VOTE_Debug, VOTE_XDebug information leak

VOTE_Debug and VOTE_XDebug (udebug) both leave a single field
uninitialized if there is no current transaction. This leaks the memory
contents of the ubik server over the wire.

struct ubik_debug
- 4 bytes in member writeTrans

In common code to both RPCs, ensure that writeTrans is always
initialized.

[kaduk@mit.edu: switch to memset]

Change-Id: I91184b4ed0c159982a883ebaa9634406400eae93

OPENAFS-SA-2018-002 kaserver: prevent KAM_ListEntry information leak

KAM_ListEntry (kas list) does not initialize its output correctly. It
leaks kaserver memory contents over the wire:

struct kaindex
- up to 64 bytes for member name
- up to 64 bytes for member instance

Initialize the buffer.

[kaduk@mit.edu: move initialization to top of server routine]

Change-Id: I5cc430fc996e7e89d38a384d092b9d4fad248fa4

OPENAFS-SA-2018-002 butc: prevent TC_DumpStatus, TC_ScanStatus information leaks

TC_ScanStatus (backup status) and TC_GetStatus (internal backup status
watcher) do not initialize their output buffers. They leak memory
contents over the wire:

struct tciStatusS
- up to 64 bytes in member taskName (TC_MAXNAMELEN 64)
- up to 64 bytes in member volumeName "

Initialize the buffers.

[kaduk@mit.edu: move initialization to top of server routines]

Change-Id: I0337d233e1dced56e351ed00471c9738fcd3b9db

OPENAFS-SA-2018-002 butc: prevent TC_ReadLabel information leak

TC_ReadLabel (backup readlabel) does not initialize its output buffer
completely. It leaks butc memory contents over the wire:

struct tc_tapeLabel
- up to 32 bytes from member afsname (TC_MAXTAPELEN 32)
- up to 32 bytes from member pname (TC_MAXTAPELEN 32)

Initialize the buffer.

[kaduk@mit.edu: move initialization to the RPC stub]

Change-Id: I30f4aa32801791913b397a58c36c86c019dc51ef

OPENAFS-SA-2018-002 budb: prevent BUDB_* information leaks

The following budb RPCs do not initialize their output correctly.
This leaks buserver memory contents over the wire:

BUDB_FindLatestDump (backup dump)
BUDB_FindDump (backup volrestore, diskrestore, volsetrestore)
BUDB_GetDumps (backup dumpinfo)
BUDB_FindLastTape (backup dump)

struct budb_dumpEntry
- up to 32 bytes in member volumeSetName
- up to 256 bytes in member dumpPath
- up to 32 bytes in member name
- up to 32 bytes in member tape.tapeServer
- up to 32 bytes in member tape.format
- up to 256 bytes in member dumper.name
- up to 128 bytes in member dumper.instance
- up to 256 bytes in member dumper.cell

Initialize the buffer in common routine FillDumpEntry.

Change-Id: Ic057a6c906ce2acd39e0e4ea0a0ba1e100bba3e9

OPENAFS-SA-2018-002 afs: prevent RXAFSCB_TellMeAboutYourself information leak

RXAFSCB_TellMeAboutYourself does not completely initialize its output
buffers. This leaks kernel memory over the wire:

struct interfaceAddr
Unix cache manager (libafs)
- up to 124 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 * 4) - 4))
- up to 124 bytes in array subnetmask "
- up to 124 bytes in array mtu "

Windows cache manager
- 64 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 - CM_MAXINTERFACE_ADDR 16)* 4)
- 64 bytes in array subnetmask "
- 64 bytes in array mtu "

The following implementations of SRXAFSCB_TellMeAboutYourself are not susceptible:
- fsprobe
- libafscp
- xstat_fs_test

Initialize the buffer.

Change-Id: I2ef868dd9269db7004a21cf913b6787948357d10

OPENAFS-SA-2018-002 afs: prevent RXAFSCB_GetLock information leak

RXAFSCB_GetLock (cmdebug) does not correctly initialize its output.
This leaks kernel memory over the wire:

struct AFSDBLock
- up to 14 bytes for member name (16 - '<cellname>\0')

Initialize the buffer.

Change-Id: I4c5c8d67816c51645c0db44dc8f19b1b27c02757

OPENAFS-SA-2018-002 ptserver: prevent PR_ListEntries information leak

PR_ListEntries (pts listentries) does not properly initialize its output
buffers. This leaks ptserver memory over the wire:

struct prlistentries
- up to 62 bytes for each entry name (PR_MAXNAMELEN 64 - 'a\0')

Initialize the buffer, and remove the now redundant memset for the
reserved fields.

Change-Id: I29d70c7e4dd567b8b046037f29f71911b8a0593f

OPENAFS-SA-2018-002 volser: prevent AFSVolMonitor information leak

AFSVolMonitor (vos status) does not properly initialize its output
buffers.  This leaks information from volserver memory:

struct transDebugInfo
- up to 29 bytes in member lastProcName (30-'\0')
- 16 bytes in members readNext, tranmitNext, lastSendTime,
  lastReceiveTime

Initialize the buffers.  This must be done on a per-buffer basis inside
the loop, since realloc is used to expand the storage if needed,
and there is not a standard realloc API to zero the newly allocated storage.

[kaduk@mit.edu: update commit message]

Change-Id: I79091fc63435ed2a795955f95bb867bc625ad398

OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak

AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not
properly initialize their reply buffers. This leaks the contents of
volserver memory over the wire:

AFSVolPartitionInfo (struct diskPartition)
- up to 24 bytes in member name (32-'/vicepa\0'))
- up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0'))

AFSVolPartitionInfo64 (struct diskPartition64)
- up to 248 bytes in member name (256-'/vicepa\0'))
- up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')

Initialize the output buffers.

[kaduk@mit.edu: move memset to top-level function scope of RPC handlers]

Change-Id: If64c02f36f10f52bfbab4b21ad1f60032c223c82

OPENAFS-SA-2018-002 ptserver: prevent PR_IDToName information leak

SPR_IDToName does not completely initialize the return array of names,
and thus leaks information from ptserver memory:

- up to 62 bytes per requested id (PR_MAXNAMELEN 64 - 'a\0')

Use calloc to ensure that all memory sent on the wire is initialized,
preventing the information leak.

[kaduk@mit.edu: switch to calloc; update commit message]

Change-Id: Iad623f2cc4c54b79f14a64b8714ba12579d05447

Configure glue for rxgk

Add an --enable-rxgk switch to control whether the feature is used.
For the sake of buildbot coverage, we still attempt to build the core
subdirectory provided that a sufficiently usable GSS-API library
is available, but do not install anything when rxgk is disabled at
configure time. Future commits will use the configure argument to
control the behavior of other rxgk-aware code in the tree.

We provide a few new symbols to conditionally compile code for rxgk.
The two new high-level symbols are:

- AFS_RXGK_ENV: when defined, rxgk is available
- AFS_RXGK_GSS_ENV: when defined, we can use GSS-API calls

AFS_RXGK_GSS_ENV is turned on only for userspace pthread builds. For
now, AFS_RXGK_ENV is only turned on for userspace pthread builds, and
non-ukernel kernel builds. This effectively disables rxgk integration
in any ukernel or LWP code, but this can be changed in the future by
changing when AFS_RXGK_ENV is defined.

Change-Id: Iab661d47aac77c1a238e809362015b869752df18
Reviewed-on: https://gerrit.openafs.org/10564
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

Suppress statement not reached warnings after noreturn functions

Use the AFS_UNREACHED macro to suppress statement not reached warnings while
building under Solaris Studio. These warnings are emitted for statements
following functions declared with the noreturn function attribute.

Change-Id: Ic18cbb3ea78124acbe69edc0eccb2473b46648fe
Reviewed-on: https://gerrit.openafs.org/13010
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

lwp: add missing lwp prototypes for solaris

Add missing lwp function prototypes for Solaris. This fixes the compile time
warning messages:

warning: implicit function declaration: LWP_NoYieldSignal

Change-Id: I69c3660bb2631215cd296c08729c8e84d60660fd
Reviewed-on: https://gerrit.openafs.org/13008
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

rx: fix rx_atomic warnings under Solaris

The Solaris implementation of the rx_atomic functions generate numerous
complile time warnings due to an integer type mismatch.

"rx_atomic.h", line xxx: warning: argument #1 is incompatible with prototype:

The rx_atomic_t is an unsigned int under Solaris, however the Solaris
atomic_set_long_excl and atomic_clear_long_excl functions take a ulong_t type
Solaris does not provide 'unsigned int' variants of these two functions.

Fortunately, ulong_t variants of all the atomic we need for rx are available,
in current as well as older versions of Solaris, so convert the Solaris
rx_atomic_t type to be a ulong_t and convert all of the Solaris atomic calls to
the ulong_t variants to avoid integer type mismatches.

Change-Id: Ib54ca4bb8b9f044684301f0fb7971aec223e5993
Reviewed-on: https://gerrit.openafs.org/12991
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

afs: declare nfs translator dispatch functions static

Declare the nfs translator dispatch functions to be static to enforce
they are not to be called from outside of the translator.

Change-Id: I1c3d8917c080409424e21e377405472094941da0
Reviewed-on: https://gerrit.openafs.org/13277
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

afs: use void * for generic pointers in the nfs translator dispatcher

Replace the use of char * and char ** with void * for representing
generic pointers in the nfs dispatcher functions. This was done to fix
a large number of compile time warnings, and allows us to remove a
number of explicit casts.

Also, remove the unnecessary char * casts of memset and memcpy arguments in the
nfs translator dispatcher.

This commit fixes a large number of Solaris Studio warning messages in the
form:

... warning: argument #X is incompatible with prototype:

Change-Id: I42e2d40b8112ada9417724282c0230f48a40324f
Reviewed-on: https://gerrit.openafs.org/12989
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

afs: change afs_nfs{2,3}_dispatcher signature

The fourth argument of the afs_nfs{2,3}_dispatcher functions is a pointer to a
pointer to a exportinfo structure. However, this argument is not an output
argument, so the extra level of indirection is unnecessary. A separate local
variable is used as an output argument to the afs_nfsclient_reqhandler call
within the dispatchers, which is not passed back to the afs_nfs{2,3}_dispatcher
caller.

In anticipation of other changes to fix warning messages, simplify the
signature of the afs_nfs{2,3}_dispatcher functions to avoid taking the address
of the exportinfo structure when calling afs_nfs{2,3}_dispatcher.

Change-Id: I6fb1a190e6aab286bfac41df783688a0be46a21f
Reviewed-on: https://gerrit.openafs.org/12988
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

afs: fix missing afs_nfs3_dispatcher return value

Fix a missing early return value in the function afs_nfs3_dispatcher. All
callers check the return code of afs_nfs3_dispatcher and interpret values
greater that 1 to be errors. Return 3 as an error code for this code path,
which is the next available error code in afs_nfs3_dispatcher.

This commit fixes the following Solaris Studio warning message:

... warning: function expects to return value: afs_nfs3_dispatcher

Change-Id: I47b545bd57a46c03006b9f031da3647c8a530377
Reviewed-on: https://gerrit.openafs.org/12987
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

roken: do not clobber __attribute__

The roken-common.h header defines an empty macro called __attribute__
when HAVE___ATTRIBUTE__ is not defined. This macro conditionally removes
the `format' function attributes in the roken headers at compile time.
Unfortunately, the empty __attribute__ macro will also clobber other
attribute types encountered after the roken.h header inclusion.

This is not an issue when building under gcc or clang, since the empty
attribute macro will not be defined. However Solaris Studio supports a
subset of the function attribute types, with `format' not currently
supported. This means roken will define an empty __attribute__ macro,
which prevents the use of other attribute types.

This commit does not change the roken files directly because they are
external. Instead, the processing of the roken.h.in file has been
updated to undefine the __attribute__ macro at the end of the generated
roken.h header.

Change-Id: Iea5622ae175e7f82a60780838948178bd7f8b56f
Reviewed-on: https://gerrit.openafs.org/12961
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

autoconf: Split out krb5/gss tests

Move our krb5 and GSS-related autoconf tests into their own separate
files, in src/cf/krb5.m4 and src/cf/gss.m4.

Change-Id: I4202df5d810f2d3942fc4ffb3fd406869f68029b
Reviewed-on: https://gerrit.openafs.org/13237
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

autoconf: do not reference the missing script

Currently, OpenAFS does not use automake. As a result, the missing script
is not copied to the build-tools directory. Since this script is not
present in the tree, am_missing_run is not initialized. Unfortunately,
the current version still has a few references to this variable. In order
to preserve a similar behavior, this commit replaces these references by
AC_ERROR.

While we are changing these, remove the AC_CHECK_PROGS calls for AR and
STRIP, since libtool already checks these for us.

Change-Id: I833dc6e8611dc7227db4ec77b0160dfa47b7e531
Reviewed-on: https://gerrit.openafs.org/12982
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

Remove obsolete retsigtype

Only relevent for pre-c89 K&R compilers.

[mmeffie@sinenomine.net: avoid changes to src/external]

Change-Id: I1b3bf14ddd50f1a6b3d50e0376abffffdb64fb81
Reviewed-on: https://gerrit.openafs.org/12203
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

autoconf: reformat long lines

The autoupdate tool was run to modernize the autoconf macros but
generates very long lines. Manually reformat the long lines to make them
more reasonable.

Change-Id: I6f08138aa7134d8110da885ea4375cebbe903575
Reviewed-on: https://gerrit.openafs.org/13125
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

autoconf: autoupdate macros

Run autoupdate on macros.

[mmeffie@sinenomine.net: re-run autoupdate, no other edits]

Change-Id: I8b45edea97cf2e065f23f02d2d7f6a0e7adcb8a5
Reviewed-on: https://gerrit.openafs.org/12202
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

autoconf: update curses.m4

Replace the obsolete AC_TRY_COMPILE with AC_COMPILE_IFELSE/AC_LANG_PROGRAM
in the curses check for the getmaxyx macro.

This change was done manually instead of using autoupdate because the
program prologue argument for this particular check is an m4 macro,
which will not expand to code when autoupdate adds m4 quotes to the
AC_LANG_PROGRAM arguments.

Change-Id: I85b65fb9b59b45d31286436a9f15110cec31bec8
Reviewed-on: https://gerrit.openafs.org/13021
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>

autoconf: update pthread checks

Replace obsolete AC_TRY_COMPILE with AC_COMPILE_IFELSE. Replace shell
if/then conditionals with AS_IF macros. Reformat indentation and
quoting.

This change was done manually, since autoupdate copes poorly with the
old, nested AC_TRY_COMPILE macros.

Change-Id: I2c34d1426f154daff65999076821f49ddaa16a24
Reviewed-on: https://gerrit.openafs.org/13018
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>

autoconf: updates and cleanup

Update autoconf macros to their modern equivalents, according to what
the 'autoupdate' tool does. While we're here, remove automake references
that aren't being used, and remove the obsolete AC_PROG_LIBTOOL in favor
of AFS_LT_INIT.

Change-Id: I71066d6d72f8b1d8663e26fec83ae23d7f73f059
Reviewed-on: https://gerrit.openafs.org/12199
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

SOLARIS: suppress -xarch=amd64 is deprecated warnings

The -m64 flag to specify 64bit builds was introduced in Sun Studio 10, circa
2005. The old flag -xarch=amd64 was deprecated as of Sun Studio 12, circa 2007.
Ever since Sun Studio 12, the compiler complains with a warning message when
the old -xarch=amd64 flag is given:

cc: Warning: -xarch=amd64 is deprecated, use -m64 to create 64-bit programs

Update the cflags when building the Solaris kernel module for x86 to use the
modern -m64 under Solaris 11 or later. Since Solaris 11 has been available
since 2010, it is very unlikely a compiler on Solaris 11 would not support the
modern -m64 flag.

Change-Id: Ib13c00f1c69f34ab1905a8dd4a46c90895046f25
Reviewed-on: https://gerrit.openafs.org/12959
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

afsd: Improve syscall tracing

When afsd is started with the -debug flag, extensive debug output is
generated including tracing for each syscall.  Unfortunately the
existing syscall tracing is not especially helpful.  It dumps out two
constants that we already knew at compile time, the first parameter of
the syscall along with the syscall's return code.  Specifically it does
not tell you which syscall is currently being traced.  Here's a current
example of afsd -debug:

    afsd: cacheFiles autotuned to 581250
    afsd: dCacheSize autotuned to 10000
    afsd: cacheStatEntries autotuned to 15000
    SScall(183, 28, 6860800)=0
    SScall(183, 28, -847416368)=0
    SScall(183, 28, 1)=0
    afsd: Forking rx listener daemon.
    afsd: Forking rx callback listener.
    afsd: Forking rxevent daemon.
    SScall(183, 28, 0)=0
    SScall(183, 28, 1)=0
    ...

This patch drops the compile time constants (183 and 28 in the above
sample output) and replaces them with the name of the syscall being
traced.  Additionally the first parameter to a syscall is as likely to
be an address as a decimal value so display it in hex. Here's an example
of afsd -debug with these changes:

    afsd: cacheFiles autotuned to 581250
    afsd: dCacheSize autotuned to 10000
    afsd: cacheStatEntries autotuned to 15000
    os_syscall(AFSOP_SET_THISCELL, 0x68bf80)=0
    os_syscall(AFSOP_SEED_ENTROPY, 0x7fff9ce40c10)=0
    os_syscall(AFSOP_ADVISEADDR, 0x1)=0
    afsd: Forking rx listener daemon.
    afsd: Forking rx callback listener.
    afsd: Forking rxevent daemon.
    os_syscall(AFSOP_RXEVENT_DAEMON, 0x0)=0
    os_syscall(AFSOP_BASIC_INIT, 0x1)=0
    ...

[mmeffie@sinenomine.net: avoid c99 array initialization.]

Change-Id: I4f3d46d420d19abeddbf719efa04aef7e553d51f
Reviewed-on: https://gerrit.openafs.org/11858
Tested-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

autoconf: attribute type checks

Check for function attributes by type and update src/afs/stds.h to
conditionally include the attributes detected, instead of checking for
specific compilers and compiler versions.

This allows attributes to be used when building under Solaris Studio.

Change-Id: I8a4dbc1b2cb6032d28176349481085bf6deb309c
Reviewed-on: https://gerrit.openafs.org/12963
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

opr: avoid empty nonnull argument index lists

Commit 71dc077831d339fc5822f2c2c79b65afe14b12f8 changed the AFS_NONULL
macro in opr.h to fix a build error on windows by adding an empty
argument index list.

However, Solaris compilers do not support empty parameter lists.
Specify the argument index to allow so nonnull function attributes can
be supported on Solaris.

Change-Id: I3e629868374eb6484923c253da2cdd1d8eacdb2f
Reviewed-on: https://gerrit.openafs.org/13276
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

autoconf: check for format __attribute__ to avoid warnings

Building with Solaris Studio generates a ludicrous number of warnings
in the form:

roken.h, line ...: warning: attribute "format" is unknown, ignored

Modern Solaris Studio supports several GCC-style function attributes,
including the `noreturn' attribute, however does not support the
`format' attribute.

Currently, configure defines HAVE___ATTRIBUTE__ when the `noreturn'
attribute is available. roken headers conditionally declare printf-like
functions with the `format' function attribute when HAVE___ATTRIBUTE__
is defined, leading to the warning messages when building under Solaris
Studio. Unsupported function attributes generate warnings, not errors.

Fix these warnings by defining HAVE___ATTRIBUTE__ if and only if the
`format' attribute is supported by the compiler, instead of checking for
`noreturn'. Note that the `format' type is currently the only attribute
used by roken at this time.

Change-Id: I569167333d65df2583befc19befa8d719b93d75a
Reviewed-on: https://gerrit.openafs.org/12956
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

autoconf: import gcc function attribute check macro

Import Gabriele Svelto's AC_GCC_FUNC_ATTRIBUTE autoconf macro to check for
GCC-style function attributes. This macro is part of the GNU Autoconf
Archive[1]. The imported file is distributed under an all-permissive license.

[1] https://www.gnu.org/software/autoconf-archive/

Change-Id: I64ccd00717fa9606a26aeeeea9030f4fb4877cf8
Reviewed-on: https://gerrit.openafs.org/12962
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

afs: Return memcache allocation errors

During cache initialization, we can fail to allocate our dcache
entries for memcache. Currently when this happens, we just log a
message and try to disable dcache access. However, this results in at
least one code path that causes a panic anyway during startup, since
afs_CacheTruncateDaemon will try to trim the cache, and afs_GetDownD
will call afs_MemGetDSlot, and we cannot find the given dslot.

To avoid this, change our cache initialization to return an error,
instead of trying to continue without a functional dcache. This causes
afs_dcacheInit to return an error in this case, and by extension
afs_CacheInit and the AFSOP_CACHEINIT syscall. Also change afsd to
actually detect errors from AFSOP_CACHEINIT, and to bail out when it
does.

Thanks to gsgatlin@ncsu.edu for reporting the relevant panic.

Change-Id: Ic89ff9638201faae6c4399a2344d4da3e251d537
Reviewed-on: https://gerrit.openafs.org/13273
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

LINUX: Update to Linux struct iattr->ia_ctime to timespec64 with 4.18

With 4.18+ Linux kernels we see a transition to 64-bit time stamps by
default.

current_kernel_time() returns the 32-bit struct timespec.
current_kernel_time64() returns the 64-bit struct timespec64.

struct iattr->ia_ctime expects struct timespec64 as of 4.18+.

Timestamps greater than 31-bit rollover after 2147483647 or
January 19, 2038 03:14:07 UTC. This is the same approach taken by
the Linux developers for converting between timepsec64 and timespec.

Change-Id: Icc1cf5d1a6679f5c749f8720f225a9b293f675fd
Reviewed-on: https://gerrit.openafs.org/13241
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

libuafs: Stop clobbering CFLAGS

Currently, in the libuafs MakefileProto for every platform, CFLAGS is
set to a bunch of flags, ignoring any CFLAGS set by the 'make'
command-line provided by the user. Since most of the rest of the tree
honors CFLAGS, it is confusing and can cause errors when src/libuafs
ignore the user-set CFLAGS.

One example of this breaking the build is when building RHEL RPMs for
certain sub-architectures of the current machine. If you try to
'rpmbuild --target=i686' on 32-bit x86 RHEL 5, we will build with
-march=i686 in the CFLAGS, which will be used to build most objects
and is used in our configure tests. As a result, our configure tests
will say that gcc atomic intrinsics are available. But when we go to
build libuafs objects, we will not have -march=i686 in our CFLAGS,
which causes (on RHEL 5) gcc to default to building for i386, which
does not have gcc atomic intrinsics available. This causes build
errors like this:

libuafs.a(rx.o): In function `rx_atomic_test_and_clear_bit':
[...]/BUILD/openafs-1.8.0/src/rx/rx_atomic.h:462: undefined reference to `__sync_fetch_and_and_4'

To fix this, change the libuafs MakefileProtos to not set CFLAGS
directly; instead, set them in a new variable UAFS_CFLAGS.
Makefile.common then pulls those flags into MODULE_CFLAGS, which is
used in our *_CCRULE build rules.

While we are here, also move the common set of CFLAGS set by each
platform's MakefileProto into Makefile.common. Now, each MakefileProto
only needs to set CFLAGS that are specific to that platform, which
ends up being very few (since most platforms were using the exact same
set of CFLAGS).

Relevant issue identified and analyzed by mbarbosa@sinenomine.net.

Change-Id: I1bd21a6e7669137be3e5edee86227fd37f841d62
Reviewed-on: https://gerrit.openafs.org/13262
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

redhat: actually remove unused AFS::ukernel man page

Commit 278581c24a802834719e0d57f27978321556c9bb (redhat: package libuafs
perl bindings) added swig as a build dependency on RHEL 6+/Fedora 15+ to
build and package AFS::ukernel perl bindings for libuafs.  The man page
for AFS::ukernel is generated from the pod files unconditionally, so
needs to be removed from the staging directories when AFS::ukernel is
not packaged.

Unfortunately, the full path to the staged AFS::ukernel manpage was
not given in that commit, so the rpmbuild will fail on RHEL 5 with
the error:

        RPM build errors:
        Installed (but unpackaged) file(s) found:
        /usr/share/man/man3/AFS::ukernel.3.gz

Fix this error by specifying the full path to the AFS::ukernel man page
to actually remove it when we are not packaging AFS::ukernel files.

[mmeffie: updated commit message]

Change-Id: If43f083a1014216e2f9a2669bf9e834149a40944
Reviewed-on: https://gerrit.openafs.org/13257
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: Save errno before logging

The value of errno can change after a syscall, and ViceLog may issue
syscalls (such as write()). So, make sure we save errno here before
calling ViceLog().

Issue spotted by kaduk@mit.edu.

Change-Id: I0f3308d64cd779bd97c97834ec2b270f5edd7ba6
Reviewed-on: https://gerrit.openafs.org/13263
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

ubik: improve logging for database synchonizations

As an aid for debugging database synchronization issues, ensure that the
logging is consistent and unambiguous for both the client and server
sides of DISK_GetFile and DISK_SendFile.  Add new error messages as
required.

In addition, rework the "recovery sending version to <IP>" message in
urecovery_Interact.  This message is misleading because the new version
database is only sent to a DB server if its version is not up to date.
Instead, move this message into the version check block immediately
below it.  Also reword it for clarity and promote its log level from 5
to 0.  Finally, remove the now-superfluous "recovery stating local
database" log message.

Change-Id: If8bbaa1215cab9fd24b157a0ee57759b34e77e9c
Reviewed-on: https://gerrit.openafs.org/13079
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: urecovery_AbortAll diagnostic msgs

As a troubleshooting aid for developers, add a few counters and a log
msg so we know when transactions are being aborted (if any) by
urecovery_AbortAll.

Change-Id: I528df6d51acd5d10bb2de30f43b8d4415adc7f8a
Reviewed-on: https://gerrit.openafs.org/12618
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>

ubik: log important messages at default log level

Many important ubik messages (e.g., errors, warnings, sync state
changes) are logged at log level 5 (-d 5) or higher. Many sites are
reluctant to run ubik servers at a logging level higher than the default
due to the large number of extremely noisy informational messages at log
level 5. Therefore, many important log messages are never seen.

Instead, issue critical errors, warnings, and other important messages
at log level 0 so that they are always seen, even at the default logging
level.

In addition, disambiguate the two "I am no longer sync-site" messages by
adding a unique reason text to each.

Change-Id: I057edf01e2502e39c5135836f1d0081d03559270
Reviewed-on: https://gerrit.openafs.org/12617
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>

vldb_check: write mh entry header flags in network order

Commit 6b93ad695e53a86dbe9eea13bd0ff651e1d8c9b7 fixed a false error
reported when the vldb contained more than one mh extent blocks. That
fix changed the readMH() function to convert the flags field to host
byte order of all the mh blocks, not just the first block, in order to
check the value of those flags.

Unfortunately, that commit missed converting non-zero blocks back to
network byte order in the complementary writeMH() function, which is
used to write the data back to disk when vldb_check is run with the -fix
option.

FIXES 134589

Change-Id: I4cdbd57b3336e78a9eb1e543ee6d09b33f5e6153
Reviewed-on: https://gerrit.openafs.org/13245
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

afs: Make afs_osi_Free(NULL) a no-op

In userspace, we assume that free(NULL) does nothing, which makes
certain cleanup code paths simpler. This may or may not be true for
our free() abstractions that can run in the kernel (like afs_osi_Free,
rxi_Free, etc), which is confusing. To make the higher-level free()
abstractions more consistent, change afs_osi_Free to guarantee that
passing a NULL pointer does nothing.

Change-Id: If7c7011795f66464eeb578eacfc943475b4d59f8
Reviewed-on: https://gerrit.openafs.org/13236
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

redhat: parallel builds

Parallel builds can be an order of magnitude faster. Add the
_smp_mflags macro to all invocations of make in the rpm spec,
to make use of all available cores and SMT threads on the build
system. This should also help noticing new dependency issues
early. Note the macro can be overridden on the rpmbuild command
line.

Change-Id: Idddf8b867500d1ee73ff51de9d8a173bb4cc8c68
Reviewed-on: https://gerrit.openafs.org/13240
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

redhat: speed up userland-only rpm builds

When building with --define "build_modules 0", have configure
skip the Linux kernel tests, which are slow and many.

Change-Id: Ie318bf4939776c9a3f8594dcdd5be54b446f33dd
Reviewed-on: https://gerrit.openafs.org/13239
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

redhat: package new file include/opr/lock.h

Commit 792dd44ac57032a3f2a4743c83c8a0208a08ecec added the
installation of include/opr/lock.h, but the rpm spec fails
to pick it up, making rpm builds fail. Add the new file
to the files list for the -devel package.

FIXES 134579

Change-Id: I998f48bd88308d81779dd775b322590eda75d5c8
Reviewed-on: https://gerrit.openafs.org/13238
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

LINUX: Detect NULL page during write_begin

In afs_linux_write_begin, we call grab_cache_page_write_begin to get a
page to use for writing data when servicing a write into AFS. Under
low-memory conditions, this can return NULL if Linux cannot find a
free page to use. Currently, we always try to reference the page
returned, and so this causes a BUG.

To avoid this, check if grab_cache_page_write_begin returns NULL, and
just return -ENOMEM, like other callers of grab_cache_page_write_begin
do.

Linux's fault injection framework is useful for testing code paths
like these. The following settings made it possible to
somewhat-reliably exercise the relevant code path on a test RHEL7
system:

    # grep ^ /sys/kernel/debug/fail_page_alloc/*
    /sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem:Y
    /sys/kernel/debug/fail_page_alloc/ignore-gfp-wait:N
    /sys/kernel/debug/fail_page_alloc/interval:1
    /sys/kernel/debug/fail_page_alloc/min-order:0
    /sys/kernel/debug/fail_page_alloc/probability:100
    /sys/kernel/debug/fail_page_alloc/space:90
    /sys/kernel/debug/fail_page_alloc/task-filter:Y
    /sys/kernel/debug/fail_page_alloc/times:-1
    [...]

Change-Id: I00908658ae43aa3c8e12f2a0b956016d4441016c
Reviewed-on: https://gerrit.openafs.org/13242
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

rxevent: prevent negative rx_connection refCount

rxi_ChallengeEvent is called directly from rxi_ChallengeOn to start the
first challenge; subsequent calls to rxi_ChallengeEvent are from the
event handler.  When called as an event, we must putConnection the
reference held by the event.  But when called directly for the first
time, the event has not been scheduled yet and so has not taken a
reference on the connection.  For this case, we must not putConnection
or the rx_connection refCount will go negative.

One reported symptom of this bug is a fileserver crash with:
  'Assertion failed! file rx.c, line 1327.'

Introduced by commit 304d758983b499dc568d6ca57b6e92df24b69de8
('Standardize rx_event usage').

Change-Id: I67122ff84ac9b1b6445ad4005e76e5f8482fd7be
Reviewed-on: https://gerrit.openafs.org/13228
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

volser: DoVolDelete returning VNOVOL is success

When moving, copying or releasing volumes, do not treat a failure
to delete a volume because the volume no longer exists as an error.
The volume clone has flags

VTDeleteOnSalvage | VTOutOfService

assigned to it which means that the fileserver won't attach the volume
and volume has its deleteMe field assigned the value of DESTROY_ME.
Such a volume will be deleted the next time the salvager scans the
partition. Once the transaction is complete the volume might be
removed.

Change-Id: I0bd38906e3836e0c96f3784a8bd9ad63f5b857c6
Reviewed-on: https://gerrit.openafs.org/12976
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

afs: Change afs_AllocDCache to return error codes

Currently, afs_AllocDCache can fail in 2 different situations:

- When we are out of dslots on the free/discard lists
- When we encounter an i/o error when trying to traverse the dslot
  lists

But afs_AllocDCache cannot distinguish between these two cases to its
caller in any way, since all we have to return is a struct dcache (and
so we return NULL on any error).

Currently, the caller of afs_AllocDCache in afs_GetDCache is
determining which of these cases happened by looking at
afs_discardDCList and afs_freeDCList, to see if they look empty. This
is not great for at least a couple of reasons:

- We are examining afs_discardDCList/afs_freeDCList after we drop
  afs_xdcache (but while still holding GLOCK)

- If afs_discardDCList/afs_freeDCList are somehow changed while
  afs_AllocDCache is running, we may infer the wrong reason why
  afs_AllocDCache failed. (currently impossible, but this seems
  fragile)

And in general, this check against afs_discardDCList/afs_freeDCList is
rather indirect. It may be easier to follow if afs_AllocDCache just
directly returned the reason why it failed.

So do that, by changing afs_AllocDCache to return an error code, and
providing the struct dcache in an output argument. This involves
similiarly changing several called functions in the same way, to
return error codes. We only define 2 such error codes with this
commit:

- ENOSPC, when we are out of free/discrad dslots
- EIO, when we encounter a disk i/o error when trying to examine the
  dslot list

Note that this commit should not change any real logic; we're mostly
just changing how errors are returned from these various functions.

Change-Id: I07cc3d7befdcc98360889f4a2ba01fdc9de50848
Reviewed-on: https://gerrit.openafs.org/13227
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

afs: Make afs_AllocDCache static

Nothing using afs_AllocDCache outside of afs_dcache.c. Declare the
function static, to ensure that nobody else uses it, and to maybe
allow for more compiler optimization.

Change-Id: I4e4d1e77e20e853fc20b3d5c5289a5f4124de7a4
Reviewed-on: https://gerrit.openafs.org/13226
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

ubik: log when a server is marked down, and why

In order to better manage voting and recovery, each ubik server tracks
(in array ubik_servers) which of its fellow quorum members are 'up' or
not. However, ubik currently logs only when a server is "back up"; that
is, ubik_server->up transitions from 0 to 1.

Add new log messages to identify the time and reason when a server is
"marked down" (i.e., ubik_server->up transitions from 1 to 0).

Also modify two existing messages to have consistent wording with the
new "marked down" messages. Also change them to ViceLog (log level
0) so they will always be logged.

Change-Id: I29ee93e96cb7b28b943171d1477671c540a10d78
Reviewed-on: https://gerrit.openafs.org/12616
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>