[kernel] r13209 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Mar 23 01:44:54 UTC 2009


Author: dannf
Date: Mon Mar 23 01:44:52 2009
New Revision: 13209

Log:
Make the max number of lockd connections configurable and increase
the default from 80 to the more reasonable 1024 (Closes: #520379)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/lockd-increase-sv_maxconn.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/sunrpc-add-sv_maxconn-field-to-svc_serv.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/14

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	(original)
+++ dists/lenny/linux-2.6/debian/changelog	Mon Mar 23 01:44:52 2009
@@ -36,6 +36,8 @@
     wrap tests. (Closes: #520548)
   * Bump ABI to 2.
   * [parisc] Fix the loading of large kernel modules (Closes: #401439)
+  * Make the max number of lockd connections configurable and increase
+    the default from 80 to the more reasonable 1024 (Closes: #520379)
 
   [ Martin Michlmayr ]
   * rt2x00: Fix VGC lower bound initialization. (Closes: #510607)

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/lockd-increase-sv_maxconn.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/lockd-increase-sv_maxconn.patch	Mon Mar 23 01:44:52 2009
@@ -0,0 +1,60 @@
+commit c72a476b4b7ecadb80185de31236edb303c1a5d0
+Author: Jeff Layton <jlayton at redhat.com>
+Date:   Mon Oct 20 11:51:58 2008 -0400
+
+    lockd: set svc_serv->sv_maxconn to a more reasonable value (try #3)
+    
+    The default method for calculating the number of connections allowed
+    per RPC service arbitrarily limits single-threaded services to 80
+    connections. This is too low for services like lockd and artificially
+    limits the number of TCP clients that it can support.
+    
+    Have lockd set a default sv_maxconn value to 1024 (which is the typical
+    default value for RLIMIT_NOFILE. Also add a module parameter to allow an
+    admin to set this to an arbitrary value.
+    
+    Signed-off-by: Jeff Layton <jlayton at redhat.com>
+    Acked-by: Neil Brown <neilb at suse.de>
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN a/fs/lockd/svc.c b/fs/lockd/svc.c
+--- a/fs/lockd/svc.c	2008-07-13 15:51:29.000000000 -0600
++++ b/fs/lockd/svc.c	2009-03-22 14:55:51.000000000 -0600
+@@ -63,6 +63,9 @@ static unsigned long		nlm_timeout = LOCK
+ static int			nlm_udpport, nlm_tcpport;
+ int				nsm_use_hostnames = 0;
+ 
++/* RLIM_NOFILE defaults to 1024. That seems like a reasonable default here. */
++static unsigned int		nlm_max_connections = 1024;
++
+ /*
+  * Constants needed for the sysctl interface.
+  */
+@@ -149,6 +152,9 @@ lockd(void *vrqstp)
+ 		long timeout = MAX_SCHEDULE_TIMEOUT;
+ 		RPC_IFDEBUG(char buf[RPC_MAX_ADDRBUFLEN]);
+ 
++		/* update sv_maxconn if it has changed */
++		rqstp->rq_server->sv_maxconn = nlm_max_connections;
++
+ 		if (signalled()) {
+ 			flush_signals(current);
+ 			if (nlmsvc_ops) {
+@@ -298,6 +304,7 @@ lockd_up(int proto) /* Maybe add a 'fami
+ 	}
+ 
+ 	svc_sock_update_bufs(serv);
++	serv->sv_maxconn = nlm_max_connections;
+ 	nlmsvc_serv = rqstp->rq_server;
+ 
+ 	nlmsvc_task = kthread_run(lockd, rqstp, serv->sv_name);
+@@ -505,6 +512,7 @@ module_param_call(nlm_udpport, param_set
+ module_param_call(nlm_tcpport, param_set_port, param_get_int,
+ 		  &nlm_tcpport, 0644);
+ module_param(nsm_use_hostnames, bool, 0644);
++module_param(nlm_max_connections, uint, 0644);
+ 
+ /*
+  * Initialising and terminating the module.
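Review bot: The new `nlm_max_connections` parameter carries no comment telling an admin what 0 or a very large value does, and the declaration comment in the first svc.c hunk says `RLIM_NOFILE` where the commit message means RLIMIT_NOFILE. Per the svc.h change in the companion patch, writing 0 makes `svc_check_conn_limits()` fall back to `(sv_nrthreads+3)*20`, and because that check is the service's guard against connection exhaustion, a very large value effectively switches it off. I would reword the declaration comment along the lines of `/* Max temporary connections for lockd; 0 = thread-based default. RLIMIT_NOFILE typically defaults to 1024. */`. The assignment added inside `lockd()` appears to sit in the service loop, so a runtime write through the 0644 parameter only takes effect on the next pass; a short comment there saying so would help, and that loop body continues outside the hunk.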

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/sunrpc-add-sv_maxconn-field-to-svc_serv.patch
==============================================================================
--- (empty file)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/sunrpc-add-sv_maxconn-field-to-svc_serv.patch	Mon Mar 23 01:44:52 2009
@@ -0,0 +1,96 @@
+commit c9233eb7b0b11ef176d4bf68da2ce85464b6ec39
+Author: Jeff Layton <jlayton at redhat.com>
+Date:   Mon Oct 20 11:51:57 2008 -0400
+
+    sunrpc: add sv_maxconn field to svc_serv (try #3)
+    
+    svc_check_conn_limits() attempts to prevent denial of service attacks
+    by having the service close old connections once it reaches a
+    threshold. This threshold is based on the number of threads in the
+    service:
+    
+    	(serv->sv_nrthreads + 3) * 20
+    
+    Once we reach this, we drop the oldest connections and a printk pops
+    to warn the admin that they should increase the number of threads.
+    
+    Increasing the number of threads isn't an option however for services
+    like lockd. We don't want to eliminate this check entirely for such
+    services but we need some way to increase this limit.
+    
+    This patch adds a sv_maxconn field to the svc_serv struct. When it's
+    set to 0, we use the current method to calculate the max number of
+    connections. RPC services can then set this on an as-needed basis.
+    
+    Signed-off-by: Jeff Layton <jlayton at redhat.com>
+    Acked-by: Neil Brown <neilb at suse.de>
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+--- a/include/linux/sunrpc/svc.h	2008-07-13 15:51:29.000000000 -0600
++++ b/include/linux/sunrpc/svc.h	2009-03-22 14:48:06.000000000 -0600
+@@ -58,10 +58,13 @@ struct svc_serv {
+ 	struct svc_stat *	sv_stats;	/* RPC statistics */
+ 	spinlock_t		sv_lock;
+ 	unsigned int		sv_nrthreads;	/* # of server threads */
++	unsigned int		sv_maxconn;	/* max connections allowed or
++						 * '0' causing max to be based
++						 * on number of threads. */
++
+ 	unsigned int		sv_max_payload;	/* datagram payload size */
+ 	unsigned int		sv_max_mesg;	/* max_payload + 1 page for overheads */
+ 	unsigned int		sv_xdrsize;	/* XDR buffer size */
+-
+ 	struct list_head	sv_permsocks;	/* all permanent sockets */
+ 	struct list_head	sv_tempsocks;	/* all temporary sockets */
+ 	int			sv_tmpcnt;	/* count of temporary sockets */
+diff -urpN a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+--- a/net/sunrpc/svc_xprt.c	2009-03-22 14:15:29.000000000 -0600
++++ b/net/sunrpc/svc_xprt.c	2009-03-22 14:48:06.000000000 -0600
+@@ -488,8 +488,10 @@ int svc_port_is_privileged(struct sockad
+ }
+ 
+ /*
+- * Make sure that we don't have too many active connections.  If we
+- * have, something must be dropped.
++ * Make sure that we don't have too many active connections. If we have,
++ * something must be dropped. It's not clear what will happen if we allow
++ * "too many" connections, but when dealing with network-facing software,
++ * we have to code defensively. Here we do that by imposing hard limits.
+  *
+  * There's no point in trying to do random drop here for DoS
+  * prevention. The NFS clients does 1 reconnect in 15 seconds. An
+@@ -498,19 +500,27 @@ int svc_port_is_privileged(struct sockad
+  * The only somewhat efficient mechanism would be if drop old
+  * connections from the same IP first. But right now we don't even
+  * record the client IP in svc_sock.
++ *
++ * single-threaded services that expect a lot of clients will probably
++ * need to set sv_maxconn to override the default value which is based
++ * on the number of threads
+  */
+ static void svc_check_conn_limits(struct svc_serv *serv)
+ {
+-	if (serv->sv_tmpcnt > (serv->sv_nrthreads+3)*20) {
++	unsigned int limit = serv->sv_maxconn ? serv->sv_maxconn :
++				(serv->sv_nrthreads+3) * 20;
++
++	if (serv->sv_tmpcnt > limit) {
+ 		struct svc_xprt *xprt = NULL;
+ 		spin_lock_bh(&serv->sv_lock);
+ 		if (!list_empty(&serv->sv_tempsocks)) {
+ 			if (net_ratelimit()) {
+ 				/* Try to help the admin */
+ 				printk(KERN_NOTICE "%s: too many open  "
+-				       "connections, consider increasing the "
+-				       "number of nfsd threads\n",
+-				       serv->sv_name);
++				       "connections, consider increasing %s\n",
++				       serv->sv_name, serv->sv_maxconn ?
++				       "the max number of connections." :
++				       "the number of threads.");
+ 			}
+ 			/*
+ 			 * Always select the oldest connection. It's not fair,
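Review bot: In `svc_check_conn_limits()` the new `limit` is `unsigned int` while `sv_tmpcnt` is declared `int` in svc.h, so `serv->sv_tmpcnt > limit` converts the count to unsigned before comparing; that is harmless while the count stays non-negative, but typing `limit` to match or adding a comment would keep the guard easy to reason about. The rate-limited notice is the only trace an operator gets when connections are being dropped, and it does not say which limit was hit; including the value, e.g. `"%s: too many open connections (limit %u), consider increasing %s\n"` with `limit` as an extra argument, would help tell an undersized setting from a connection flood. `sv_maxconn` is also read again for the hint text while lockd rewrites it with a plain store from its own loop, so the hint can in principle disagree with the limit that was applied; deriving the hint from the same snapshot used for `limit` avoids that. The function body continues past the end of the hunk.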

Modified: dists/lenny/linux-2.6/debian/patches/series/14
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/14	(original)
+++ dists/lenny/linux-2.6/debian/patches/series/14	Mon Mar 23 01:44:52 2009
@@ -30,3 +30,5 @@
 - bugfix/all/stable/2.6.26.8-abi-1.patch
 - bugfix/all/CVE-2009-0029/mips-enable-syscall-wrappers-no-abi-change.patch
 + bugfix/parisc/fix-loading-large-kmods.patch
++ bugfix/all/sunrpc-add-sv_maxconn-field-to-svc_serv.patch
++ bugfix/all/lockd-increase-sv_maxconn.patch


