From 1b8eb90a4fb6436cb4be9a575e27aa6e6b4658fa Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Tue, 31 Jan 2012 13:42:23 -0500
Subject: [PATCH] add upstream lookaside cache fix RT#7082
---
 krb5-1.10-lookaside.patch | 101 ++++++++++++++++++++++++++++++++++++++
 krb5.spec | 7 ++-
 2 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 krb5-1.10-lookaside.patch
diff --git a/krb5-1.10-lookaside.patch b/krb5-1.10-lookaside.patch
new file mode 100644
index 0000000..1afdd82
--- /dev/null
+++ b/krb5-1.10-lookaside.patch
@@ -0,0 +1,101 @@
+From 4b9eb1f3dc538f7b29e50b6852983f5b4ddc7536 Mon Sep 17 00:00:00 2001
+From: ghudson
+Date: Thu, 26 Jan 2012 21:56:16 +0000
+Subject: [PATCH 1/3] ticket: 7082 subject: Various lookaside cache fixes
+ target_version: 1.10 tags: pullup
+
+Don't touch the lookaside cache if we're responding with a lookaside
+cache entry. Also, leave the null entry behind if we're deliberately
+dropping a request (a rare case) so that we don't have to process it
+again. Fixes several lookaside problems in 1.10:
+
+* When dropping a request because it was already being processed, we
+ were erroneously removing the null entry, causing us to process the
+ request again upon a second retransmit.
+
+* When responding to a finished request with a lookaside entry, we
+ were removing and re-adding the entry to the cache, resetting its
+ time and performing unnecessary work.
+
+* We were not caching responses we couldn't deliver because they were
+ too big for UDP, causing us to re-process the request when it came
+ in again via TCP instead of simply delivering the cached response.
+
+git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25660 dc483132-0cff-0310-8789-dd5450dbe970
+---
+ src/kdc/dispatch.c | 40 ++++++++++++++++++++++------------------
+ 1 files changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
+index b4c02f3..efe7098 100644
+--- a/src/kdc/dispatch.c
++++ b/src/kdc/dispatch.c
+@@ -44,20 +44,11 @@ struct dispatch_state {
+ };
+
+ static void
+-finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
++finish_dispatch(struct dispatch_state *state, krb5_error_code code,
++ krb5_data *response)
+ {
+- struct dispatch_state *state = arg;
+- loop_respond_fn oldrespond;
+- void *oldarg;
+-
+- assert(state);
+- oldrespond = state->respond;
+- oldarg = state->arg;
+-
+-#ifndef NOCACHE
+- /* Remove our NULL cache entry to indicate request completion. */
+- kdc_remove_lookaside(kdc_context, state->request);
+-#endif
++ loop_respond_fn oldrespond = state->respond;
++ void *oldarg = state->arg;
+
+ if (state->is_tcp == 0 && response &&
+ response->length > max_dgram_reply_size) {
+@@ -70,14 +61,27 @@ finish_dispatch(void *arg, krb5_error_code code, krb5_data *response)
+ error_message(code));
+ }
+
++ free(state);
++ (*oldrespond)(oldarg, code, response);
++}
++
++static void
++finish_dispatch_cache(void *arg, krb5_error_code code, krb5_data *response)
++{
++ struct dispatch_state *state = arg;
++
+ #ifndef NOCACHE
+- /* put the response into the lookaside buffer */
+- else if (!code && response)
++ /* Remove the null cache entry unless we actually want to discard this
++ * request. */
++ if (code != KRB5KDC_ERR_DISCARD)
++ kdc_remove_lookaside(kdc_context, state->request);
++
++ /* Put the response into the lookaside buffer (if we produced one). */
++ if (code == 0 && response != NULL)
+ kdc_insert_lookaside(state->request, response);
+ #endif
+
+- free(state);
+- (*oldrespond)(oldarg, code, response);
++ finish_dispatch(state, code, response);
+ }
+
+ void
+@@ -167,7 +171,7 @@ dispatch(void *cb, struct sockaddr *local_saddr,
+ * process_as_req frees the request if it is called
+ */
+ if (!(retval = setup_server_realm(as_req->server))) {
+- process_as_req(as_req, pkt, from, vctx, finish_dispatch,
++ process_as_req(as_req, pkt, from, vctx, finish_dispatch_cache,
+ state);
+ return;
+ }
+--
+1.7.7.5
+
diff --git a/krb5.spec b/krb5.spec
index 22f154d..1180d82 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -15,7 +15,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar Source0: krb5-%{version}.tar.gz
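Review bot: Null-entry removal and response caching now live only in `finish_dispatch_cache`, and the only call site the embedded dispatch.c patch switches to it is the `process_as_req` callback in its third hunk. Any other path in `dispatch()` that completes a freshly processed request through plain `finish_dispatch` (those calls lie outside the hunks, so this is inferred) would leave the NULL lookaside entry behind and never cache the reply. By the commit message's own description of NULL entries, retransmits of such a request would then be dropped as "already being processed" rather than answered. Confirm that the non-AS paths end in `finish_dispatch_cache`, either here or in a later patch of the `[PATCH 1/3]` series, before shipping this one alone. The patch also removes `assert(state);`, so `finish_dispatch_cache` dereferences `arg` unchecked; a short comment such as `/* arg is the dispatch_state allocated by dispatch(); never NULL. */` would record that contract.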
@@ -63,6 +63,7 @@ Patch102: krb5-trunk-7048.patch Patch103: krb5-1.10-gcc47.patch Patch104: krb5-1.10-crashfix.patch Patch105: krb5-kvno-230379.patch
+Patch106: krb5-1.10-lookaside.patch
 License: MIT URL: http://web.mit.edu/kerberos/www/
@@ -234,6 +235,7 @@ ln -s NOTICE LICENSE %patch103 -p0 -b .gcc47 %patch104 -p1 -b .crashfix %patch105 -p1 -b .kvno
+%patch106 -p1 -b .7082
 rm src/lib/krb5/krb/deltat.c gzip doc/*.ps
@@ -745,6 +747,9 @@ exit 0 %{_sbindir}/uuserver %changelog
+* Tue Jan 31 2012 Nathaniel McCallum - 1.10-3
+- Add upstream lookaside cache behavior fix (RT#7082)
+
 * Mon Jan 30 2012 Nalin Dahyabhai 1.10-2 - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)