[1/1] SUNRPC: do not retry on EKEYEXPIRED when user TGT ticket expired

Message ID 1736369292-23095-1-git-send-email-dai.ngo@oracle.com (mailing list archive)
State Handled Elsewhere

Commit Message

Dai Ngo Jan. 8, 2025, 8:48 p.m. UTC
When a user TGT ticket expired, gssd returns EKEYEXPIRED to the RPC
layer for the upcall to create the security context. The RPC layer
then retries the upcall twice before returning the EKEYEXPIRED to
the NFS layer.

This results in three separate TCP connections to the NFS server being
created by gssd for each RPC request. These connections are not used
and left in TIME_WAIT state.

Note that for an RPC call that uses a machine credential, gssd automatically
renews the ticket. But for a regular user the ticket needs to be
renewed by the user before access to the krb5 share is allowed.

This patch removes the retries by RPC on EKEYEXPIRED so that these
unused TCP connections are not created.

Reproducer:

$ kinit -l 1m
$ sleep 65
$ cd /mnt/krb5share
$ netstat -na |grep TIME_WAIT

Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
---
 net/sunrpc/clnt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 0090162ee8c3..cd5c84a07005 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1854,13 +1854,13 @@  call_refreshresult(struct rpc_task *task)
 		fallthrough;
 	case -EAGAIN:
 		status = -EACCES;
-		fallthrough;
-	case -EKEYEXPIRED:
 		if (!task->tk_cred_retry)
 			break;
 		task->tk_cred_retry--;
 		trace_rpc_retry_refresh_status(task);
 		return;
+	case -EKEYEXPIRED:
+		break;
 	case -ENOMEM:
 		rpc_delay(task, HZ >> 4);
 		return;
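Review bot: The new `case -EKEYEXPIRED: break;` is unconditional, so it drops the `tk_cred_retry` retries for every credential type, not only for the expired user TGT the commit message describes. The commit message says gssd renews machine credentials automatically; if an upcall for a machine credential can still return EKEYEXPIRED while that renewal is in progress, the retry removed here was what covered it. Please either confirm that this cannot happen or restrict the early break to non-machine credentials. The case also needs a one-line comment saying why EKEYEXPIRED is not retried while the `-EAGAIN` path above still is; without it the ordering reads like an oversight. Note too that `trace_rpc_retry_refresh_status(task)` is no longer reached on this path, so anyone using that tracepoint to spot expired-ticket failures loses the signal.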