1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * NFS exporting and validation.
4 *
5 * We maintain a list of clients, each of which has a list of
6 * exports. To export an fs to a given client, you first have
7 * to create the client entry with NFSCTL_ADDCLIENT, which
8 * creates a client control block and adds it to the hash
9 * table. Then, you call NFSCTL_EXPORT for each fs.
10 *
11 *
12 * Copyright (C) 1995, 1996 Olaf Kirch, <okir@monad.swb.de>
13 */
14
15 #include <linux/slab.h>
16 #include <linux/namei.h>
17 #include <linux/module.h>
18 #include <linux/exportfs.h>
19 #include <linux/sunrpc/svc_xprt.h>
20
21 #include "nfsd.h"
22 #include "nfsfh.h"
23 #include "netns.h"
24 #include "pnfs.h"
25 #include "filecache.h"
26 #include "trace.h"
27
28 #define NFSDDBG_FACILITY NFSDDBG_EXPORT
29
30 /*
31 * We have two caches.
32 * One maps client+vfsmnt+dentry to export options - the export map
33 * The other maps client+filehandle-fragment to export options. - the expkey map
34 *
35 * The export options are actually stored in the first map, and the
36 * second map contains a reference to the entry in the first map.
37 */
38
39 #define EXPKEY_HASHBITS 8
40 #define EXPKEY_HASHMAX (1 << EXPKEY_HASHBITS)
41 #define EXPKEY_HASHMASK (EXPKEY_HASHMAX -1)
42
expkey_put(struct kref * ref)43 static void expkey_put(struct kref *ref)
44 {
45 struct svc_expkey *key = container_of(ref, struct svc_expkey, h.ref);
46
47 if (test_bit(CACHE_VALID, &key->h.flags) &&
48 !test_bit(CACHE_NEGATIVE, &key->h.flags))
49 path_put(&key->ek_path);
50 auth_domain_put(key->ek_client);
51 kfree_rcu(key, ek_rcu);
52 }
53
expkey_upcall(struct cache_detail * cd,struct cache_head * h)54 static int expkey_upcall(struct cache_detail *cd, struct cache_head *h)
55 {
56 return sunrpc_cache_pipe_upcall(cd, h);
57 }
58
expkey_request(struct cache_detail * cd,struct cache_head * h,char ** bpp,int * blen)59 static void expkey_request(struct cache_detail *cd,
60 struct cache_head *h,
61 char **bpp, int *blen)
62 {
63 /* client fsidtype \xfsid */
64 struct svc_expkey *ek = container_of(h, struct svc_expkey, h);
65 char type[5];
66
67 qword_add(bpp, blen, ek->ek_client->name);
68 snprintf(type, 5, "%d", ek->ek_fsidtype);
69 qword_add(bpp, blen, type);
70 qword_addhex(bpp, blen, (char*)ek->ek_fsid, key_len(ek->ek_fsidtype));
71 (*bpp)[-1] = '\n';
72 }
73
74 static struct svc_expkey *svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new,
75 struct svc_expkey *old);
76 static struct svc_expkey *svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *);
77
expkey_parse(struct cache_detail * cd,char * mesg,int mlen)78 static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen)
79 {
80 /* client fsidtype fsid expiry [path] */
81 char *buf;
82 int len;
83 struct auth_domain *dom = NULL;
84 int err;
85 u8 fsidtype;
86 struct svc_expkey key;
87 struct svc_expkey *ek = NULL;
88
89 if (mesg[mlen - 1] != '\n')
90 return -EINVAL;
91 mesg[mlen-1] = 0;
92
93 buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
94 err = -ENOMEM;
95 if (!buf)
96 goto out;
97
98 err = -EINVAL;
99 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0)
100 goto out;
101
102 err = -ENOENT;
103 dom = auth_domain_find(buf);
104 if (!dom)
105 goto out;
106 dprintk("found domain %s\n", buf);
107
108 err = -EINVAL;
109 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0)
110 goto out;
111 if (kstrtou8(buf, 10, &fsidtype))
112 goto out;
113 dprintk("found fsidtype %u\n", fsidtype);
114 if (key_len(fsidtype)==0) /* invalid type */
115 goto out;
116 if ((len=qword_get(&mesg, buf, PAGE_SIZE)) <= 0)
117 goto out;
118 dprintk("found fsid length %d\n", len);
119 if (len != key_len(fsidtype))
120 goto out;
121
122 /* OK, we seem to have a valid key */
123 key.h.flags = 0;
124 err = get_expiry(&mesg, &key.h.expiry_time);
125 if (err)
126 goto out;
127
128 key.ek_client = dom;
129 key.ek_fsidtype = fsidtype;
130 memcpy(key.ek_fsid, buf, len);
131
132 ek = svc_expkey_lookup(cd, &key);
133 err = -ENOMEM;
134 if (!ek)
135 goto out;
136
137 /* now we want a pathname, or empty meaning NEGATIVE */
138 err = -EINVAL;
139 len = qword_get(&mesg, buf, PAGE_SIZE);
140 if (len < 0)
141 goto out;
142 dprintk("Path seems to be <%s>\n", buf);
143 err = 0;
144 if (len == 0) {
145 set_bit(CACHE_NEGATIVE, &key.h.flags);
146 ek = svc_expkey_update(cd, &key, ek);
147 if (ek)
148 trace_nfsd_expkey_update(ek, NULL);
149 else
150 err = -ENOMEM;
151 } else {
152 err = kern_path(buf, 0, &key.ek_path);
153 if (err)
154 goto out;
155
156 dprintk("Found the path %s\n", buf);
157
158 ek = svc_expkey_update(cd, &key, ek);
159 if (ek)
160 trace_nfsd_expkey_update(ek, buf);
161 else
162 err = -ENOMEM;
163 path_put(&key.ek_path);
164 }
165 cache_flush();
166 out:
167 if (ek)
168 cache_put(&ek->h, cd);
169 if (dom)
170 auth_domain_put(dom);
171 kfree(buf);
172 return err;
173 }
174
expkey_show(struct seq_file * m,struct cache_detail * cd,struct cache_head * h)175 static int expkey_show(struct seq_file *m,
176 struct cache_detail *cd,
177 struct cache_head *h)
178 {
179 struct svc_expkey *ek ;
180 int i;
181
182 if (h ==NULL) {
183 seq_puts(m, "#domain fsidtype fsid [path]\n");
184 return 0;
185 }
186 ek = container_of(h, struct svc_expkey, h);
187 seq_printf(m, "%s %d 0x", ek->ek_client->name,
188 ek->ek_fsidtype);
189 for (i=0; i < key_len(ek->ek_fsidtype)/4; i++)
190 seq_printf(m, "%08x", ek->ek_fsid[i]);
191 if (test_bit(CACHE_VALID, &h->flags) &&
192 !test_bit(CACHE_NEGATIVE, &h->flags)) {
193 seq_printf(m, " ");
194 seq_path(m, &ek->ek_path, "\\ \t\n");
195 }
196 seq_printf(m, "\n");
197 return 0;
198 }
199
expkey_match(struct cache_head * a,struct cache_head * b)200 static inline int expkey_match (struct cache_head *a, struct cache_head *b)
201 {
202 struct svc_expkey *orig = container_of(a, struct svc_expkey, h);
203 struct svc_expkey *new = container_of(b, struct svc_expkey, h);
204
205 if (orig->ek_fsidtype != new->ek_fsidtype ||
206 orig->ek_client != new->ek_client ||
207 memcmp(orig->ek_fsid, new->ek_fsid, key_len(orig->ek_fsidtype)) != 0)
208 return 0;
209 return 1;
210 }
211
expkey_init(struct cache_head * cnew,struct cache_head * citem)212 static inline void expkey_init(struct cache_head *cnew,
213 struct cache_head *citem)
214 {
215 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h);
216 struct svc_expkey *item = container_of(citem, struct svc_expkey, h);
217
218 kref_get(&item->ek_client->ref);
219 new->ek_client = item->ek_client;
220 new->ek_fsidtype = item->ek_fsidtype;
221
222 memcpy(new->ek_fsid, item->ek_fsid, sizeof(new->ek_fsid));
223 }
224
expkey_update(struct cache_head * cnew,struct cache_head * citem)225 static inline void expkey_update(struct cache_head *cnew,
226 struct cache_head *citem)
227 {
228 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h);
229 struct svc_expkey *item = container_of(citem, struct svc_expkey, h);
230
231 new->ek_path = item->ek_path;
232 path_get(&item->ek_path);
233 }
234
expkey_alloc(void)235 static struct cache_head *expkey_alloc(void)
236 {
237 struct svc_expkey *i = kmalloc_obj(*i);
238 if (i)
239 return &i->h;
240 else
241 return NULL;
242 }
243
expkey_flush(void)244 static void expkey_flush(void)
245 {
246 /*
247 * Take the nfsd_mutex here to ensure that the file cache is not
248 * destroyed while we're in the middle of flushing.
249 */
250 mutex_lock(&nfsd_mutex);
251 nfsd_file_cache_purge(current->nsproxy->net_ns);
252 mutex_unlock(&nfsd_mutex);
253 }
254
255 static const struct cache_detail svc_expkey_cache_template = {
256 .owner = THIS_MODULE,
257 .hash_size = EXPKEY_HASHMAX,
258 .name = "nfsd.fh",
259 .cache_put = expkey_put,
260 .cache_upcall = expkey_upcall,
261 .cache_request = expkey_request,
262 .cache_parse = expkey_parse,
263 .cache_show = expkey_show,
264 .match = expkey_match,
265 .init = expkey_init,
266 .update = expkey_update,
267 .alloc = expkey_alloc,
268 .flush = expkey_flush,
269 };
270
271 static int
svc_expkey_hash(struct svc_expkey * item)272 svc_expkey_hash(struct svc_expkey *item)
273 {
274 int hash = item->ek_fsidtype;
275 char * cp = (char*)item->ek_fsid;
276 int len = key_len(item->ek_fsidtype);
277
278 hash ^= hash_mem(cp, len, EXPKEY_HASHBITS);
279 hash ^= hash_ptr(item->ek_client, EXPKEY_HASHBITS);
280 hash &= EXPKEY_HASHMASK;
281 return hash;
282 }
283
284 static struct svc_expkey *
svc_expkey_lookup(struct cache_detail * cd,struct svc_expkey * item)285 svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *item)
286 {
287 struct cache_head *ch;
288 int hash = svc_expkey_hash(item);
289
290 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash);
291 if (ch)
292 return container_of(ch, struct svc_expkey, h);
293 else
294 return NULL;
295 }
296
297 static struct svc_expkey *
svc_expkey_update(struct cache_detail * cd,struct svc_expkey * new,struct svc_expkey * old)298 svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new,
299 struct svc_expkey *old)
300 {
301 struct cache_head *ch;
302 int hash = svc_expkey_hash(new);
303
304 ch = sunrpc_cache_update(cd, &new->h, &old->h, hash);
305 if (ch)
306 return container_of(ch, struct svc_expkey, h);
307 else
308 return NULL;
309 }
310
311
312 #define EXPORT_HASHBITS 8
313 #define EXPORT_HASHMAX (1<< EXPORT_HASHBITS)
314
nfsd4_fslocs_free(struct nfsd4_fs_locations * fsloc)315 static void nfsd4_fslocs_free(struct nfsd4_fs_locations *fsloc)
316 {
317 struct nfsd4_fs_location *locations = fsloc->locations;
318 int i;
319
320 if (!locations)
321 return;
322
323 for (i = 0; i < fsloc->locations_count; i++) {
324 kfree(locations[i].path);
325 kfree(locations[i].hosts);
326 }
327
328 kfree(locations);
329 fsloc->locations = NULL;
330 }
331
export_stats_init(struct export_stats * stats)332 static int export_stats_init(struct export_stats *stats)
333 {
334 stats->start_time = ktime_get_seconds();
335 return percpu_counter_init_many(stats->counter, 0, GFP_KERNEL,
336 EXP_STATS_COUNTERS_NUM);
337 }
338
export_stats_reset(struct export_stats * stats)339 static void export_stats_reset(struct export_stats *stats)
340 {
341 if (stats) {
342 int i;
343
344 for (i = 0; i < EXP_STATS_COUNTERS_NUM; i++)
345 percpu_counter_set(&stats->counter[i], 0);
346 }
347 }
348
export_stats_destroy(struct export_stats * stats)349 static void export_stats_destroy(struct export_stats *stats)
350 {
351 if (stats)
352 percpu_counter_destroy_many(stats->counter,
353 EXP_STATS_COUNTERS_NUM);
354 }
355
svc_export_release(struct rcu_head * rcu_head)356 static void svc_export_release(struct rcu_head *rcu_head)
357 {
358 struct svc_export *exp = container_of(rcu_head, struct svc_export,
359 ex_rcu);
360
361 nfsd4_fslocs_free(&exp->ex_fslocs);
362 export_stats_destroy(exp->ex_stats);
363 kfree(exp->ex_stats);
364 kfree(exp->ex_uuid);
365 kfree(exp);
366 }
367
svc_export_put(struct kref * ref)368 static void svc_export_put(struct kref *ref)
369 {
370 struct svc_export *exp = container_of(ref, struct svc_export, h.ref);
371
372 path_put(&exp->ex_path);
373 auth_domain_put(exp->ex_client);
374 call_rcu(&exp->ex_rcu, svc_export_release);
375 }
376
svc_export_upcall(struct cache_detail * cd,struct cache_head * h)377 static int svc_export_upcall(struct cache_detail *cd, struct cache_head *h)
378 {
379 return sunrpc_cache_pipe_upcall(cd, h);
380 }
381
svc_export_request(struct cache_detail * cd,struct cache_head * h,char ** bpp,int * blen)382 static void svc_export_request(struct cache_detail *cd,
383 struct cache_head *h,
384 char **bpp, int *blen)
385 {
386 /* client path */
387 struct svc_export *exp = container_of(h, struct svc_export, h);
388 char *pth;
389
390 qword_add(bpp, blen, exp->ex_client->name);
391 pth = d_path(&exp->ex_path, *bpp, *blen);
392 if (IS_ERR(pth)) {
393 /* is this correct? */
394 (*bpp)[0] = '\n';
395 return;
396 }
397 qword_add(bpp, blen, pth);
398 (*bpp)[-1] = '\n';
399 }
400
401 static struct svc_export *svc_export_update(struct svc_export *new,
402 struct svc_export *old);
403 static struct svc_export *svc_export_lookup(struct svc_export *);
404
check_export(const struct path * path,int * flags,unsigned char * uuid)405 static int check_export(const struct path *path, int *flags, unsigned char *uuid)
406 {
407 struct inode *inode = d_inode(path->dentry);
408
409 /*
410 * We currently export only dirs, regular files, and (for v4
411 * pseudoroot) symlinks.
412 */
413 if (!S_ISDIR(inode->i_mode) &&
414 !S_ISLNK(inode->i_mode) &&
415 !S_ISREG(inode->i_mode))
416 return -ENOTDIR;
417
418 /*
419 * Mountd should never pass down a writeable V4ROOT export, but,
420 * just to make sure:
421 */
422 if (*flags & NFSEXP_V4ROOT)
423 *flags |= NFSEXP_READONLY;
424
425 /* There are two requirements on a filesystem to be exportable.
426 * 1: We must be able to identify the filesystem from a number.
427 * either a device number (so FS_REQUIRES_DEV needed)
428 * or an FSID number (so NFSEXP_FSID or ->uuid is needed).
429 * 2: We must be able to find an inode from a filehandle.
430 * This means that s_export_op must be set and comply with
431 * the requirements for remote filesystem export.
432 * 3: We must not currently be on an idmapped mount.
433 */
434 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
435 !(*flags & NFSEXP_FSID) &&
436 uuid == NULL) {
437 dprintk("exp_export: export of non-dev fs without fsid\n");
438 return -EINVAL;
439 }
440
441 if (!exportfs_may_export(inode->i_sb->s_export_op)) {
442 dprintk("exp_export: export of invalid fs type (%s).\n",
443 inode->i_sb->s_type->name);
444 return -EINVAL;
445 }
446
447 if (is_idmapped_mnt(path->mnt)) {
448 dprintk("exp_export: export of idmapped mounts not yet supported.\n");
449 return -EINVAL;
450 }
451
452 if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK &&
453 !(*flags & NFSEXP_NOSUBTREECHECK)) {
454 dprintk("%s: %s does not support subtree checking!\n",
455 __func__, inode->i_sb->s_type->name);
456 return -EINVAL;
457 }
458 return 0;
459 }
460
461 #ifdef CONFIG_NFSD_V4
462
463 static int
fsloc_parse(char ** mesg,char * buf,struct nfsd4_fs_locations * fsloc)464 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc)
465 {
466 int len;
467 int migrated, i, err;
468
469 /* more than one fsloc */
470 if (fsloc->locations)
471 return -EINVAL;
472
473 /* listsize */
474 err = get_uint(mesg, &fsloc->locations_count);
475 if (err)
476 return err;
477 if (fsloc->locations_count > MAX_FS_LOCATIONS)
478 return -EINVAL;
479 if (fsloc->locations_count == 0)
480 return 0;
481
482 fsloc->locations = kzalloc_objs(struct nfsd4_fs_location,
483 fsloc->locations_count);
484 if (!fsloc->locations)
485 return -ENOMEM;
486 for (i=0; i < fsloc->locations_count; i++) {
487 /* colon separated host list */
488 err = -EINVAL;
489 len = qword_get(mesg, buf, PAGE_SIZE);
490 if (len <= 0)
491 goto out_free_all;
492 err = -ENOMEM;
493 fsloc->locations[i].hosts = kstrdup(buf, GFP_KERNEL);
494 if (!fsloc->locations[i].hosts)
495 goto out_free_all;
496 err = -EINVAL;
497 /* slash separated path component list */
498 len = qword_get(mesg, buf, PAGE_SIZE);
499 if (len <= 0)
500 goto out_free_all;
501 err = -ENOMEM;
502 fsloc->locations[i].path = kstrdup(buf, GFP_KERNEL);
503 if (!fsloc->locations[i].path)
504 goto out_free_all;
505 }
506 /* migrated */
507 err = get_int(mesg, &migrated);
508 if (err)
509 goto out_free_all;
510 err = -EINVAL;
511 if (migrated < 0 || migrated > 1)
512 goto out_free_all;
513 fsloc->migrated = migrated;
514 return 0;
515 out_free_all:
516 nfsd4_fslocs_free(fsloc);
517 return err;
518 }
519
secinfo_parse(char ** mesg,char * buf,struct svc_export * exp)520 static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp)
521 {
522 struct exp_flavor_info *f;
523 u32 listsize;
524 int err;
525
526 /* more than one secinfo */
527 if (exp->ex_nflavors)
528 return -EINVAL;
529
530 err = get_uint(mesg, &listsize);
531 if (err)
532 return err;
533 if (listsize > MAX_SECINFO_LIST)
534 return -EINVAL;
535
536 for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) {
537 err = get_uint(mesg, &f->pseudoflavor);
538 if (err)
539 return err;
540 /*
541 * XXX: It would be nice to also check whether this
542 * pseudoflavor is supported, so we can discover the
543 * problem at export time instead of when a client fails
544 * to authenticate.
545 */
546 err = get_uint(mesg, &f->flags);
547 if (err)
548 return err;
549 /* Only some flags are allowed to differ between flavors: */
550 if (~NFSEXP_SECINFO_FLAGS & (f->flags ^ exp->ex_flags))
551 return -EINVAL;
552 }
553 exp->ex_nflavors = listsize;
554 return 0;
555 }
556
557 #else /* CONFIG_NFSD_V4 */
558 static inline int
fsloc_parse(char ** mesg,char * buf,struct nfsd4_fs_locations * fsloc)559 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc){return 0;}
560 static inline int
secinfo_parse(char ** mesg,char * buf,struct svc_export * exp)561 secinfo_parse(char **mesg, char *buf, struct svc_export *exp) { return 0; }
562 #endif
563
xprtsec_parse(char ** mesg,char * buf,struct svc_export * exp)564 static int xprtsec_parse(char **mesg, char *buf, struct svc_export *exp)
565 {
566 unsigned int i, mode, listsize;
567 int err;
568
569 err = get_uint(mesg, &listsize);
570 if (err)
571 return err;
572 if (listsize > NFSEXP_XPRTSEC_NUM)
573 return -EINVAL;
574
575 exp->ex_xprtsec_modes = 0;
576 for (i = 0; i < listsize; i++) {
577 err = get_uint(mesg, &mode);
578 if (err)
579 return err;
580 if (mode > NFSEXP_XPRTSEC_MTLS)
581 return -EINVAL;
582 exp->ex_xprtsec_modes |= mode;
583 }
584 return 0;
585 }
586
587 static inline int
nfsd_uuid_parse(char ** mesg,char * buf,unsigned char ** puuid)588 nfsd_uuid_parse(char **mesg, char *buf, unsigned char **puuid)
589 {
590 int len;
591
592 /* more than one uuid */
593 if (*puuid)
594 return -EINVAL;
595
596 /* expect a 16 byte uuid encoded as \xXXXX... */
597 len = qword_get(mesg, buf, PAGE_SIZE);
598 if (len != EX_UUID_LEN)
599 return -EINVAL;
600
601 *puuid = kmemdup(buf, EX_UUID_LEN, GFP_KERNEL);
602 if (*puuid == NULL)
603 return -ENOMEM;
604
605 return 0;
606 }
607
svc_export_parse(struct cache_detail * cd,char * mesg,int mlen)608 static int svc_export_parse(struct cache_detail *cd, char *mesg, int mlen)
609 {
610 /* client path expiry [flags anonuid anongid fsid] */
611 char *buf;
612 int err;
613 struct auth_domain *dom = NULL;
614 struct svc_export exp = {}, *expp;
615 int an_int;
616
617 if (mesg[mlen-1] != '\n')
618 return -EINVAL;
619 mesg[mlen-1] = 0;
620
621 buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
622 if (!buf)
623 return -ENOMEM;
624
625 /* client */
626 err = -EINVAL;
627 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0)
628 goto out;
629
630 err = -ENOENT;
631 dom = auth_domain_find(buf);
632 if (!dom)
633 goto out;
634
635 /* path */
636 err = -EINVAL;
637 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0)
638 goto out1;
639
640 err = kern_path(buf, 0, &exp.ex_path);
641 if (err)
642 goto out1;
643
644 exp.ex_client = dom;
645 exp.cd = cd;
646 exp.ex_devid_map = NULL;
647 exp.ex_xprtsec_modes = NFSEXP_XPRTSEC_ALL;
648
649 /* expiry */
650 err = get_expiry(&mesg, &exp.h.expiry_time);
651 if (err)
652 goto out3;
653
654 /* flags */
655 err = get_int(&mesg, &an_int);
656 if (err == -ENOENT) {
657 err = 0;
658 set_bit(CACHE_NEGATIVE, &exp.h.flags);
659 } else {
660 if (err || an_int < 0)
661 goto out3;
662 exp.ex_flags= an_int;
663
664 /* anon uid */
665 err = get_int(&mesg, &an_int);
666 if (err)
667 goto out3;
668 exp.ex_anon_uid= make_kuid(current_user_ns(), an_int);
669
670 /* anon gid */
671 err = get_int(&mesg, &an_int);
672 if (err)
673 goto out3;
674 exp.ex_anon_gid= make_kgid(current_user_ns(), an_int);
675
676 /* fsid */
677 err = get_int(&mesg, &an_int);
678 if (err)
679 goto out3;
680 exp.ex_fsid = an_int;
681
682 while (qword_get(&mesg, buf, PAGE_SIZE) > 0) {
683 if (strcmp(buf, "fsloc") == 0)
684 err = fsloc_parse(&mesg, buf, &exp.ex_fslocs);
685 else if (strcmp(buf, "uuid") == 0)
686 err = nfsd_uuid_parse(&mesg, buf, &exp.ex_uuid);
687 else if (strcmp(buf, "secinfo") == 0)
688 err = secinfo_parse(&mesg, buf, &exp);
689 else if (strcmp(buf, "xprtsec") == 0)
690 err = xprtsec_parse(&mesg, buf, &exp);
691 else
692 /* quietly ignore unknown words and anything
693 * following. Newer user-space can try to set
694 * new values, then see what the result was.
695 */
696 break;
697 if (err)
698 goto out4;
699 }
700
701 err = check_export(&exp.ex_path, &exp.ex_flags, exp.ex_uuid);
702 if (err)
703 goto out4;
704
705 /*
706 * No point caching this if it would immediately expire.
707 * Also, this protects exportfs's dummy export from the
708 * anon_uid/anon_gid checks:
709 */
710 if (exp.h.expiry_time < seconds_since_boot())
711 goto out4;
712 /*
713 * For some reason exportfs has been passing down an
714 * invalid (-1) uid & gid on the "dummy" export which it
715 * uses to test export support. To make sure exportfs
716 * sees errors from check_export we therefore need to
717 * delay these checks till after check_export:
718 */
719 err = -EINVAL;
720 if (!uid_valid(exp.ex_anon_uid))
721 goto out4;
722 if (!gid_valid(exp.ex_anon_gid))
723 goto out4;
724 err = 0;
725
726 nfsd4_setup_layout_type(&exp);
727 }
728
729 expp = svc_export_lookup(&exp);
730 if (!expp) {
731 err = -ENOMEM;
732 goto out4;
733 }
734 expp = svc_export_update(&exp, expp);
735 if (expp) {
736 trace_nfsd_export_update(expp);
737 cache_flush();
738 exp_put(expp);
739 } else
740 err = -ENOMEM;
741 out4:
742 nfsd4_fslocs_free(&exp.ex_fslocs);
743 kfree(exp.ex_uuid);
744 out3:
745 path_put(&exp.ex_path);
746 out1:
747 auth_domain_put(dom);
748 out:
749 kfree(buf);
750 return err;
751 }
752
753 static void exp_flags(struct seq_file *m, int flag, int fsid,
754 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fslocs);
755 static void show_secinfo(struct seq_file *m, struct svc_export *exp);
756
is_export_stats_file(struct seq_file * m)757 static int is_export_stats_file(struct seq_file *m)
758 {
759 /*
760 * The export_stats file uses the same ops as the exports file.
761 * We use the file's name to determine the reported info per export.
762 * There is no rename in nsfdfs, so d_name.name is stable.
763 */
764 return !strcmp(m->file->f_path.dentry->d_name.name, "export_stats");
765 }
766
svc_export_show(struct seq_file * m,struct cache_detail * cd,struct cache_head * h)767 static int svc_export_show(struct seq_file *m,
768 struct cache_detail *cd,
769 struct cache_head *h)
770 {
771 struct svc_export *exp;
772 bool export_stats = is_export_stats_file(m);
773
774 if (h == NULL) {
775 if (export_stats)
776 seq_puts(m, "#path domain start-time\n#\tstats\n");
777 else
778 seq_puts(m, "#path domain(flags)\n");
779 return 0;
780 }
781 exp = container_of(h, struct svc_export, h);
782 seq_path(m, &exp->ex_path, " \t\n\\");
783 seq_putc(m, '\t');
784 seq_escape(m, exp->ex_client->name, " \t\n\\");
785 if (export_stats) {
786 struct percpu_counter *counter = exp->ex_stats->counter;
787
788 seq_printf(m, "\t%lld\n", exp->ex_stats->start_time);
789 seq_printf(m, "\tfh_stale: %lld\n",
790 percpu_counter_sum_positive(&counter[EXP_STATS_FH_STALE]));
791 seq_printf(m, "\tio_read: %lld\n",
792 percpu_counter_sum_positive(&counter[EXP_STATS_IO_READ]));
793 seq_printf(m, "\tio_write: %lld\n",
794 percpu_counter_sum_positive(&counter[EXP_STATS_IO_WRITE]));
795 seq_putc(m, '\n');
796 return 0;
797 }
798 seq_putc(m, '(');
799 if (test_bit(CACHE_VALID, &h->flags) &&
800 !test_bit(CACHE_NEGATIVE, &h->flags)) {
801 exp_flags(m, exp->ex_flags, exp->ex_fsid,
802 exp->ex_anon_uid, exp->ex_anon_gid, &exp->ex_fslocs);
803 if (exp->ex_uuid) {
804 int i;
805 seq_puts(m, ",uuid=");
806 for (i = 0; i < EX_UUID_LEN; i++) {
807 if ((i&3) == 0 && i)
808 seq_putc(m, ':');
809 seq_printf(m, "%02x", exp->ex_uuid[i]);
810 }
811 }
812 show_secinfo(m, exp);
813 }
814 seq_puts(m, ")\n");
815 return 0;
816 }
svc_export_match(struct cache_head * a,struct cache_head * b)817 static int svc_export_match(struct cache_head *a, struct cache_head *b)
818 {
819 struct svc_export *orig = container_of(a, struct svc_export, h);
820 struct svc_export *new = container_of(b, struct svc_export, h);
821 return orig->ex_client == new->ex_client &&
822 path_equal(&orig->ex_path, &new->ex_path);
823 }
824
svc_export_init(struct cache_head * cnew,struct cache_head * citem)825 static void svc_export_init(struct cache_head *cnew, struct cache_head *citem)
826 {
827 struct svc_export *new = container_of(cnew, struct svc_export, h);
828 struct svc_export *item = container_of(citem, struct svc_export, h);
829
830 kref_get(&item->ex_client->ref);
831 new->ex_client = item->ex_client;
832 new->ex_path = item->ex_path;
833 path_get(&item->ex_path);
834 new->ex_fslocs.locations = NULL;
835 new->ex_fslocs.locations_count = 0;
836 new->ex_fslocs.migrated = 0;
837 new->ex_layout_types = 0;
838 new->ex_uuid = NULL;
839 new->cd = item->cd;
840 export_stats_reset(new->ex_stats);
841 }
842
export_update(struct cache_head * cnew,struct cache_head * citem)843 static void export_update(struct cache_head *cnew, struct cache_head *citem)
844 {
845 struct svc_export *new = container_of(cnew, struct svc_export, h);
846 struct svc_export *item = container_of(citem, struct svc_export, h);
847 int i;
848
849 new->ex_flags = item->ex_flags;
850 new->ex_anon_uid = item->ex_anon_uid;
851 new->ex_anon_gid = item->ex_anon_gid;
852 new->ex_fsid = item->ex_fsid;
853 new->ex_devid_map = item->ex_devid_map;
854 item->ex_devid_map = NULL;
855 new->ex_uuid = item->ex_uuid;
856 item->ex_uuid = NULL;
857 new->ex_fslocs.locations = item->ex_fslocs.locations;
858 item->ex_fslocs.locations = NULL;
859 new->ex_fslocs.locations_count = item->ex_fslocs.locations_count;
860 item->ex_fslocs.locations_count = 0;
861 new->ex_fslocs.migrated = item->ex_fslocs.migrated;
862 item->ex_fslocs.migrated = 0;
863 new->ex_layout_types = item->ex_layout_types;
864 new->ex_nflavors = item->ex_nflavors;
865 for (i = 0; i < MAX_SECINFO_LIST; i++) {
866 new->ex_flavors[i] = item->ex_flavors[i];
867 }
868 new->ex_xprtsec_modes = item->ex_xprtsec_modes;
869 }
870
svc_export_alloc(void)871 static struct cache_head *svc_export_alloc(void)
872 {
873 struct svc_export *i = kmalloc_obj(*i);
874 if (!i)
875 return NULL;
876
877 i->ex_stats = kmalloc_obj(*(i->ex_stats));
878 if (!i->ex_stats) {
879 kfree(i);
880 return NULL;
881 }
882
883 if (export_stats_init(i->ex_stats)) {
884 kfree(i->ex_stats);
885 kfree(i);
886 return NULL;
887 }
888
889 return &i->h;
890 }
891
892 static const struct cache_detail svc_export_cache_template = {
893 .owner = THIS_MODULE,
894 .hash_size = EXPORT_HASHMAX,
895 .name = "nfsd.export",
896 .cache_put = svc_export_put,
897 .cache_upcall = svc_export_upcall,
898 .cache_request = svc_export_request,
899 .cache_parse = svc_export_parse,
900 .cache_show = svc_export_show,
901 .match = svc_export_match,
902 .init = svc_export_init,
903 .update = export_update,
904 .alloc = svc_export_alloc,
905 };
906
907 static int
svc_export_hash(struct svc_export * exp)908 svc_export_hash(struct svc_export *exp)
909 {
910 int hash;
911
912 hash = hash_ptr(exp->ex_client, EXPORT_HASHBITS);
913 hash ^= hash_ptr(exp->ex_path.dentry, EXPORT_HASHBITS);
914 hash ^= hash_ptr(exp->ex_path.mnt, EXPORT_HASHBITS);
915 return hash;
916 }
917
918 static struct svc_export *
svc_export_lookup(struct svc_export * exp)919 svc_export_lookup(struct svc_export *exp)
920 {
921 struct cache_head *ch;
922 int hash = svc_export_hash(exp);
923
924 ch = sunrpc_cache_lookup_rcu(exp->cd, &exp->h, hash);
925 if (ch)
926 return container_of(ch, struct svc_export, h);
927 else
928 return NULL;
929 }
930
931 static struct svc_export *
svc_export_update(struct svc_export * new,struct svc_export * old)932 svc_export_update(struct svc_export *new, struct svc_export *old)
933 {
934 struct cache_head *ch;
935 int hash = svc_export_hash(old);
936
937 ch = sunrpc_cache_update(old->cd, &new->h, &old->h, hash);
938 if (ch)
939 return container_of(ch, struct svc_export, h);
940 else
941 return NULL;
942 }
943
944
945 static struct svc_expkey *
exp_find_key(struct cache_detail * cd,struct auth_domain * clp,int fsid_type,u32 * fsidv,struct cache_req * reqp)946 exp_find_key(struct cache_detail *cd, struct auth_domain *clp, int fsid_type,
947 u32 *fsidv, struct cache_req *reqp)
948 {
949 struct svc_expkey key, *ek;
950 int err;
951
952 if (!clp)
953 return ERR_PTR(-ENOENT);
954
955 key.ek_client = clp;
956 key.ek_fsidtype = fsid_type;
957 memcpy(key.ek_fsid, fsidv, key_len(fsid_type));
958
959 ek = svc_expkey_lookup(cd, &key);
960 if (ek == NULL)
961 return ERR_PTR(-ENOMEM);
962 err = cache_check(cd, &ek->h, reqp);
963 if (err) {
964 trace_nfsd_exp_find_key(&key, err);
965 return ERR_PTR(err);
966 }
967 return ek;
968 }
969
970 static struct svc_export *
exp_get_by_name(struct cache_detail * cd,struct auth_domain * clp,const struct path * path,struct cache_req * reqp)971 exp_get_by_name(struct cache_detail *cd, struct auth_domain *clp,
972 const struct path *path, struct cache_req *reqp)
973 {
974 struct svc_export *exp, key;
975 int err;
976
977 if (!clp)
978 return ERR_PTR(-ENOENT);
979
980 key.ex_client = clp;
981 key.ex_path = *path;
982 key.cd = cd;
983
984 exp = svc_export_lookup(&key);
985 if (exp == NULL)
986 return ERR_PTR(-ENOMEM);
987 err = cache_check(cd, &exp->h, reqp);
988 if (err) {
989 trace_nfsd_exp_get_by_name(&key, err);
990 return ERR_PTR(err);
991 }
992 return exp;
993 }
994
995 /*
996 * Find the export entry for a given dentry.
997 */
998 static struct svc_export *
exp_parent(struct cache_detail * cd,struct auth_domain * clp,struct path * path)999 exp_parent(struct cache_detail *cd, struct auth_domain *clp, struct path *path)
1000 {
1001 struct dentry *saved = dget(path->dentry);
1002 struct svc_export *exp = exp_get_by_name(cd, clp, path, NULL);
1003
1004 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) {
1005 struct dentry *parent = dget_parent(path->dentry);
1006 dput(path->dentry);
1007 path->dentry = parent;
1008 exp = exp_get_by_name(cd, clp, path, NULL);
1009 }
1010 dput(path->dentry);
1011 path->dentry = saved;
1012 return exp;
1013 }
1014
1015
1016
1017 /*
1018 * Obtain the root fh on behalf of a client.
1019 * This could be done in user space, but I feel that it adds some safety
1020 * since its harder to fool a kernel module than a user space program.
1021 */
1022 int
exp_rootfh(struct net * net,struct auth_domain * clp,char * name,struct knfsd_fh * f,int maxsize)1023 exp_rootfh(struct net *net, struct auth_domain *clp, char *name,
1024 struct knfsd_fh *f, int maxsize)
1025 {
1026 struct svc_export *exp;
1027 struct path path;
1028 struct inode *inode __maybe_unused;
1029 struct svc_fh fh;
1030 int err;
1031 struct nfsd_net *nn = net_generic(net, nfsd_net_id);
1032 struct cache_detail *cd = nn->svc_export_cache;
1033
1034 err = -EPERM;
1035 /* NB: we probably ought to check that it's NUL-terminated */
1036 if (kern_path(name, 0, &path)) {
1037 printk("nfsd: exp_rootfh path not found %s", name);
1038 return err;
1039 }
1040 inode = d_inode(path.dentry);
1041
1042 dprintk("nfsd: exp_rootfh(%s [%p] %s:%s/%ld)\n",
1043 name, path.dentry, clp->name,
1044 inode->i_sb->s_id, inode->i_ino);
1045 exp = exp_parent(cd, clp, &path);
1046 if (IS_ERR(exp)) {
1047 err = PTR_ERR(exp);
1048 goto out;
1049 }
1050
1051 /*
1052 * fh must be initialized before calling fh_compose
1053 */
1054 fh_init(&fh, maxsize);
1055 if (fh_compose(&fh, exp, path.dentry, NULL))
1056 err = -EINVAL;
1057 else
1058 err = 0;
1059 memcpy(f, &fh.fh_handle, sizeof(struct knfsd_fh));
1060 fh_put(&fh);
1061 exp_put(exp);
1062 out:
1063 path_put(&path);
1064 return err;
1065 }
1066
exp_find(struct cache_detail * cd,struct auth_domain * clp,int fsid_type,u32 * fsidv,struct cache_req * reqp)1067 static struct svc_export *exp_find(struct cache_detail *cd,
1068 struct auth_domain *clp, int fsid_type,
1069 u32 *fsidv, struct cache_req *reqp)
1070 {
1071 struct svc_export *exp;
1072 struct nfsd_net *nn = net_generic(cd->net, nfsd_net_id);
1073 struct svc_expkey *ek = exp_find_key(nn->svc_expkey_cache, clp, fsid_type, fsidv, reqp);
1074 if (IS_ERR(ek))
1075 return ERR_CAST(ek);
1076
1077 exp = exp_get_by_name(cd, clp, &ek->ek_path, reqp);
1078 cache_put(&ek->h, nn->svc_expkey_cache);
1079
1080 if (IS_ERR(exp))
1081 return ERR_CAST(exp);
1082 return exp;
1083 }
1084
1085 /**
1086 * check_xprtsec_policy - check if access to export is allowed by the
1087 * xprtsec policy
1088 * @exp: svc_export that is being accessed.
1089 * @rqstp: svc_rqst attempting to access @exp.
1090 *
1091 * Helper function for check_nfsd_access(). Note that callers should be
1092 * using check_nfsd_access() instead of calling this function directly. The
1093 * one exception is __fh_verify() since it has logic that may result in one
1094 * or both of the helpers being skipped.
1095 *
1096 * Return values:
1097 * %nfs_ok if access is granted, or
1098 * %nfserr_wrongsec if access is denied
1099 */
check_xprtsec_policy(struct svc_export * exp,struct svc_rqst * rqstp)1100 __be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp)
1101 {
1102 struct svc_xprt *xprt = rqstp->rq_xprt;
1103
1104 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) {
1105 if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags))
1106 return nfs_ok;
1107 }
1108 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) {
1109 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
1110 !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
1111 return nfs_ok;
1112 }
1113 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) {
1114 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
1115 test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
1116 return nfs_ok;
1117 }
1118 return nfserr_wrongsec;
1119 }
1120
1121 /**
1122 * check_security_flavor - check if access to export is allowed by the
1123 * security flavor
1124 * @exp: svc_export that is being accessed.
1125 * @rqstp: svc_rqst attempting to access @exp.
1126 * @may_bypass_gss: reduce strictness of authorization check
1127 *
1128 * Helper function for check_nfsd_access(). Note that callers should be
1129 * using check_nfsd_access() instead of calling this function directly. The
1130 * one exception is __fh_verify() since it has logic that may result in one
1131 * or both of the helpers being skipped.
1132 *
1133 * Return values:
1134 * %nfs_ok if access is granted, or
1135 * %nfserr_wrongsec if access is denied
1136 */
check_security_flavor(struct svc_export * exp,struct svc_rqst * rqstp,bool may_bypass_gss)1137 __be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp,
1138 bool may_bypass_gss)
1139 {
1140 struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
1141
1142 /* legacy gss-only clients are always OK: */
1143 if (exp->ex_client == rqstp->rq_gssclient)
1144 return nfs_ok;
1145 /* ip-address based client; check sec= export option: */
1146 for (f = exp->ex_flavors; f < end; f++) {
1147 if (f->pseudoflavor == rqstp->rq_cred.cr_flavor)
1148 return nfs_ok;
1149 }
1150 /* defaults in absence of sec= options: */
1151 if (exp->ex_nflavors == 0) {
1152 if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL ||
1153 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)
1154 return nfs_ok;
1155 }
1156
1157 /* If the compound op contains a spo_must_allowed op,
1158 * it will be sent with integrity/protection which
1159 * will have to be expressly allowed on mounts that
1160 * don't support it
1161 */
1162
1163 if (nfsd4_spo_must_allow(rqstp))
1164 return nfs_ok;
1165
1166 /* Some calls may be processed without authentication
1167 * on GSS exports. For example NFS2/3 calls on root
1168 * directory, see section 2.3.2 of rfc 2623.
1169 * For "may_bypass_gss" check that export has really
1170 * enabled some flavor with authentication (GSS or any
1171 * other) and also check that the used auth flavor is
1172 * without authentication (none or sys).
1173 */
1174 if (may_bypass_gss && (
1175 rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL ||
1176 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) {
1177 for (f = exp->ex_flavors; f < end; f++) {
1178 if (f->pseudoflavor >= RPC_AUTH_DES)
1179 return 0;
1180 }
1181 }
1182
1183 return nfserr_wrongsec;
1184 }
1185
1186 /**
1187 * check_nfsd_access - check if access to export is allowed.
1188 * @exp: svc_export that is being accessed.
1189 * @rqstp: svc_rqst attempting to access @exp.
1190 * @may_bypass_gss: reduce strictness of authorization check
1191 *
1192 * Return values:
1193 * %nfs_ok if access is granted, or
1194 * %nfserr_wrongsec if access is denied
1195 */
check_nfsd_access(struct svc_export * exp,struct svc_rqst * rqstp,bool may_bypass_gss)1196 __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
1197 bool may_bypass_gss)
1198 {
1199 __be32 status;
1200
1201 status = check_xprtsec_policy(exp, rqstp);
1202 if (status != nfs_ok)
1203 return status;
1204 return check_security_flavor(exp, rqstp, may_bypass_gss);
1205 }
1206
1207 /*
1208 * Uses rq_client and rq_gssclient to find an export; uses rq_client (an
1209 * auth_unix client) if it's available and has secinfo information;
1210 * otherwise, will try to use rq_gssclient.
1211 *
1212 * Called from functions that handle requests; functions that do work on
1213 * behalf of mountd are passed a single client name to use, and should
1214 * use exp_get_by_name() or exp_find().
1215 */
1216 struct svc_export *
rqst_exp_get_by_name(struct svc_rqst * rqstp,const struct path * path)1217 rqst_exp_get_by_name(struct svc_rqst *rqstp, const struct path *path)
1218 {
1219 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT);
1220 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
1221 struct cache_detail *cd = nn->svc_export_cache;
1222
1223 if (rqstp->rq_client == NULL)
1224 goto gss;
1225
1226 /* First try the auth_unix client: */
1227 exp = exp_get_by_name(cd, rqstp->rq_client, path, &rqstp->rq_chandle);
1228 if (PTR_ERR(exp) == -ENOENT)
1229 goto gss;
1230 if (IS_ERR(exp))
1231 return exp;
1232 /* If it has secinfo, assume there are no gss/... clients */
1233 if (exp->ex_nflavors > 0)
1234 return exp;
1235 gss:
1236 /* Otherwise, try falling back on gss client */
1237 if (rqstp->rq_gssclient == NULL)
1238 return exp;
1239 gssexp = exp_get_by_name(cd, rqstp->rq_gssclient, path, &rqstp->rq_chandle);
1240 if (PTR_ERR(gssexp) == -ENOENT)
1241 return exp;
1242 if (!IS_ERR(exp))
1243 exp_put(exp);
1244 return gssexp;
1245 }
1246
1247 /**
1248 * rqst_exp_find - Find an svc_export in the context of a rqst or similar
1249 * @reqp: The handle to be used to suspend the request if a cache-upcall is needed
1250 * If NULL, missing in-cache information will result in failure.
1251 * @net: The network namespace in which the request exists
1252 * @cl: default auth_domain to use for looking up the export
1253 * @gsscl: an alternate auth_domain defined using deprecated gss/krb5 format.
1254 * @fsid_type: The type of fsid to look for
1255 * @fsidv: The actual fsid to look up in the context of either client.
1256 *
1257 * Perform a lookup for @cl/@fsidv in the given @net for an export. If
1258 * none found and @gsscl specified, repeat the lookup.
1259 *
1260 * Returns an export, or an error pointer.
1261 */
1262 struct svc_export *
rqst_exp_find(struct cache_req * reqp,struct net * net,struct auth_domain * cl,struct auth_domain * gsscl,int fsid_type,u32 * fsidv)1263 rqst_exp_find(struct cache_req *reqp, struct net *net,
1264 struct auth_domain *cl, struct auth_domain *gsscl,
1265 int fsid_type, u32 *fsidv)
1266 {
1267 struct nfsd_net *nn = net_generic(net, nfsd_net_id);
1268 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT);
1269 struct cache_detail *cd = nn->svc_export_cache;
1270
1271 if (!cl)
1272 goto gss;
1273
1274 /* First try the auth_unix client: */
1275 exp = exp_find(cd, cl, fsid_type, fsidv, reqp);
1276 if (PTR_ERR(exp) == -ENOENT)
1277 goto gss;
1278 if (IS_ERR(exp))
1279 return exp;
1280 /* If it has secinfo, assume there are no gss/... clients */
1281 if (exp->ex_nflavors > 0)
1282 return exp;
1283 gss:
1284 /* Otherwise, try falling back on gss client */
1285 if (!gsscl)
1286 return exp;
1287 gssexp = exp_find(cd, gsscl, fsid_type, fsidv, reqp);
1288 if (PTR_ERR(gssexp) == -ENOENT)
1289 return exp;
1290 if (!IS_ERR(exp))
1291 exp_put(exp);
1292 return gssexp;
1293 }
1294
1295 struct svc_export *
rqst_exp_parent(struct svc_rqst * rqstp,struct path * path)1296 rqst_exp_parent(struct svc_rqst *rqstp, struct path *path)
1297 {
1298 struct dentry *saved = dget(path->dentry);
1299 struct svc_export *exp = rqst_exp_get_by_name(rqstp, path);
1300
1301 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) {
1302 struct dentry *parent = dget_parent(path->dentry);
1303 dput(path->dentry);
1304 path->dentry = parent;
1305 exp = rqst_exp_get_by_name(rqstp, path);
1306 }
1307 dput(path->dentry);
1308 path->dentry = saved;
1309 return exp;
1310 }
1311
rqst_find_fsidzero_export(struct svc_rqst * rqstp)1312 struct svc_export *rqst_find_fsidzero_export(struct svc_rqst *rqstp)
1313 {
1314 u32 fsidv[2];
1315
1316 mk_fsid(FSID_NUM, fsidv, 0, 0, 0, NULL);
1317
1318 return rqst_exp_find(&rqstp->rq_chandle, SVC_NET(rqstp),
1319 rqstp->rq_client, rqstp->rq_gssclient,
1320 FSID_NUM, fsidv);
1321 }
1322
1323 /*
1324 * Called when we need the filehandle for the root of the pseudofs,
1325 * for a given NFSv4 client. The root is defined to be the
1326 * export point with fsid==0
1327 */
1328 __be32
exp_pseudoroot(struct svc_rqst * rqstp,struct svc_fh * fhp)1329 exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp)
1330 {
1331 struct svc_export *exp;
1332 __be32 rv;
1333
1334 exp = rqst_find_fsidzero_export(rqstp);
1335 if (IS_ERR(exp))
1336 return nfserrno(PTR_ERR(exp));
1337 rv = fh_compose(fhp, exp, exp->ex_path.dentry, NULL);
1338 exp_put(exp);
1339 return rv;
1340 }
1341
1342 static struct flags {
1343 int flag;
1344 char *name[2];
1345 } expflags[] = {
1346 { NFSEXP_READONLY, {"ro", "rw"}},
1347 { NFSEXP_INSECURE_PORT, {"insecure", ""}},
1348 { NFSEXP_ROOTSQUASH, {"root_squash", "no_root_squash"}},
1349 { NFSEXP_ALLSQUASH, {"all_squash", ""}},
1350 { NFSEXP_ASYNC, {"async", "sync"}},
1351 { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}},
1352 { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}},
1353 { NFSEXP_NOHIDE, {"nohide", ""}},
1354 { NFSEXP_CROSSMOUNT, {"crossmnt", ""}},
1355 { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}},
1356 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}},
1357 { NFSEXP_V4ROOT, {"v4root", ""}},
1358 { NFSEXP_PNFS, {"pnfs", ""}},
1359 { NFSEXP_SECURITY_LABEL, {"security_label", ""}},
1360 { 0, {"", ""}}
1361 };
1362
show_expflags(struct seq_file * m,int flags,int mask)1363 static void show_expflags(struct seq_file *m, int flags, int mask)
1364 {
1365 struct flags *flg;
1366 int state, first = 0;
1367
1368 for (flg = expflags; flg->flag; flg++) {
1369 if (flg->flag & ~mask)
1370 continue;
1371 state = (flg->flag & flags) ? 0 : 1;
1372 if (*flg->name[state])
1373 seq_printf(m, "%s%s", first++?",":"", flg->name[state]);
1374 }
1375 }
1376
show_secinfo_flags(struct seq_file * m,int flags)1377 static void show_secinfo_flags(struct seq_file *m, int flags)
1378 {
1379 seq_printf(m, ",");
1380 show_expflags(m, flags, NFSEXP_SECINFO_FLAGS);
1381 }
1382
secinfo_flags_equal(int f,int g)1383 static bool secinfo_flags_equal(int f, int g)
1384 {
1385 f &= NFSEXP_SECINFO_FLAGS;
1386 g &= NFSEXP_SECINFO_FLAGS;
1387 return f == g;
1388 }
1389
show_secinfo_run(struct seq_file * m,struct exp_flavor_info ** fp,struct exp_flavor_info * end)1390 static int show_secinfo_run(struct seq_file *m, struct exp_flavor_info **fp, struct exp_flavor_info *end)
1391 {
1392 int flags;
1393
1394 flags = (*fp)->flags;
1395 seq_printf(m, ",sec=%d", (*fp)->pseudoflavor);
1396 (*fp)++;
1397 while (*fp != end && secinfo_flags_equal(flags, (*fp)->flags)) {
1398 seq_printf(m, ":%d", (*fp)->pseudoflavor);
1399 (*fp)++;
1400 }
1401 return flags;
1402 }
1403
show_secinfo(struct seq_file * m,struct svc_export * exp)1404 static void show_secinfo(struct seq_file *m, struct svc_export *exp)
1405 {
1406 struct exp_flavor_info *f;
1407 struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
1408 int flags;
1409
1410 if (exp->ex_nflavors == 0)
1411 return;
1412 f = exp->ex_flavors;
1413 flags = show_secinfo_run(m, &f, end);
1414 if (!secinfo_flags_equal(flags, exp->ex_flags))
1415 show_secinfo_flags(m, flags);
1416 while (f != end) {
1417 flags = show_secinfo_run(m, &f, end);
1418 show_secinfo_flags(m, flags);
1419 }
1420 }
1421
exp_flags(struct seq_file * m,int flag,int fsid,kuid_t anonu,kgid_t anong,struct nfsd4_fs_locations * fsloc)1422 static void exp_flags(struct seq_file *m, int flag, int fsid,
1423 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fsloc)
1424 {
1425 struct user_namespace *userns = m->file->f_cred->user_ns;
1426
1427 show_expflags(m, flag, NFSEXP_ALLFLAGS);
1428 if (flag & NFSEXP_FSID)
1429 seq_printf(m, ",fsid=%d", fsid);
1430 if (!uid_eq(anonu, make_kuid(userns, (uid_t)-2)) &&
1431 !uid_eq(anonu, make_kuid(userns, 0x10000-2)))
1432 seq_printf(m, ",anonuid=%u", from_kuid_munged(userns, anonu));
1433 if (!gid_eq(anong, make_kgid(userns, (gid_t)-2)) &&
1434 !gid_eq(anong, make_kgid(userns, 0x10000-2)))
1435 seq_printf(m, ",anongid=%u", from_kgid_munged(userns, anong));
1436 if (fsloc && fsloc->locations_count > 0) {
1437 char *loctype = (fsloc->migrated) ? "refer" : "replicas";
1438 int i;
1439
1440 seq_printf(m, ",%s=", loctype);
1441 seq_escape(m, fsloc->locations[0].path, ",;@ \t\n\\");
1442 seq_putc(m, '@');
1443 seq_escape(m, fsloc->locations[0].hosts, ",;@ \t\n\\");
1444 for (i = 1; i < fsloc->locations_count; i++) {
1445 seq_putc(m, ';');
1446 seq_escape(m, fsloc->locations[i].path, ",;@ \t\n\\");
1447 seq_putc(m, '@');
1448 seq_escape(m, fsloc->locations[i].hosts, ",;@ \t\n\\");
1449 }
1450 }
1451 }
1452
e_show(struct seq_file * m,void * p)1453 static int e_show(struct seq_file *m, void *p)
1454 {
1455 struct cache_head *cp = p;
1456 struct svc_export *exp = container_of(cp, struct svc_export, h);
1457 struct cache_detail *cd = m->private;
1458 bool export_stats = is_export_stats_file(m);
1459
1460 if (p == SEQ_START_TOKEN) {
1461 seq_puts(m, "# Version 1.1\n");
1462 if (export_stats)
1463 seq_puts(m, "# Path Client Start-time\n#\tStats\n");
1464 else
1465 seq_puts(m, "# Path Client(Flags) # IPs\n");
1466 return 0;
1467 }
1468
1469 if (cache_check_rcu(cd, &exp->h, NULL))
1470 return 0;
1471
1472 return svc_export_show(m, cd, cp);
1473 }
1474
1475 const struct seq_operations nfs_exports_op = {
1476 .start = cache_seq_start_rcu,
1477 .next = cache_seq_next_rcu,
1478 .stop = cache_seq_stop_rcu,
1479 .show = e_show,
1480 };
1481
1482 /*
1483 * Initialize the exports module.
1484 */
1485 int
nfsd_export_init(struct net * net)1486 nfsd_export_init(struct net *net)
1487 {
1488 int rv;
1489 struct nfsd_net *nn = net_generic(net, nfsd_net_id);
1490
1491 dprintk("nfsd: initializing export module (net: %x).\n", net->ns.inum);
1492
1493 nn->svc_export_cache = cache_create_net(&svc_export_cache_template, net);
1494 if (IS_ERR(nn->svc_export_cache))
1495 return PTR_ERR(nn->svc_export_cache);
1496 rv = cache_register_net(nn->svc_export_cache, net);
1497 if (rv)
1498 goto destroy_export_cache;
1499
1500 nn->svc_expkey_cache = cache_create_net(&svc_expkey_cache_template, net);
1501 if (IS_ERR(nn->svc_expkey_cache)) {
1502 rv = PTR_ERR(nn->svc_expkey_cache);
1503 goto unregister_export_cache;
1504 }
1505 rv = cache_register_net(nn->svc_expkey_cache, net);
1506 if (rv)
1507 goto destroy_expkey_cache;
1508 return 0;
1509
1510 destroy_expkey_cache:
1511 cache_destroy_net(nn->svc_expkey_cache, net);
1512 unregister_export_cache:
1513 cache_unregister_net(nn->svc_export_cache, net);
1514 destroy_export_cache:
1515 cache_destroy_net(nn->svc_export_cache, net);
1516 return rv;
1517 }
1518
1519 /*
1520 * Flush exports table - called when last nfsd thread is killed
1521 */
1522 void
nfsd_export_flush(struct net * net)1523 nfsd_export_flush(struct net *net)
1524 {
1525 struct nfsd_net *nn = net_generic(net, nfsd_net_id);
1526
1527 cache_purge(nn->svc_expkey_cache);
1528 cache_purge(nn->svc_export_cache);
1529 }
1530
1531 /*
1532 * Shutdown the exports module.
1533 */
1534 void
nfsd_export_shutdown(struct net * net)1535 nfsd_export_shutdown(struct net *net)
1536 {
1537 struct nfsd_net *nn = net_generic(net, nfsd_net_id);
1538
1539 dprintk("nfsd: shutting down export module (net: %x).\n", net->ns.inum);
1540
1541 cache_unregister_net(nn->svc_expkey_cache, net);
1542 cache_unregister_net(nn->svc_export_cache, net);
1543 cache_destroy_net(nn->svc_expkey_cache, net);
1544 cache_destroy_net(nn->svc_export_cache, net);
1545 svcauth_unix_purge(net);
1546
1547 dprintk("nfsd: export shutdown complete (net: %x).\n", net->ns.inum);
1548 }
1549