1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * NFS server file handle treatment. 4 * 5 * Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de> 6 * Portions Copyright (C) 1999 G. Allen Morris III <gam3@acm.org> 7 * Extensive rewrite by Neil Brown <neilb@cse.unsw.edu.au> Southern-Spring 1999 8 * ... and again Southern-Winter 2001 to support export_operations 9 */ 10 11 #include <linux/exportfs.h> 12 13 #include <linux/sunrpc/svcauth_gss.h> 14 #include <crypto/utils.h> 15 #include "nfsd.h" 16 #include "vfs.h" 17 #include "auth.h" 18 #include "trace.h" 19 20 #define NFSDDBG_FACILITY NFSDDBG_FH 21 22 23 /* 24 * our acceptability function. 25 * if NOSUBTREECHECK, accept anything 26 * if not, require that we can walk up to exp->ex_dentry 27 * doing some checks on the 'x' bits 28 */ 29 static int nfsd_acceptable(void *expv, struct dentry *dentry) 30 { 31 struct svc_export *exp = expv; 32 int rv; 33 struct dentry *tdentry; 34 struct dentry *parent; 35 36 if (exp->ex_flags & NFSEXP_NOSUBTREECHECK) 37 return 1; 38 39 tdentry = dget(dentry); 40 while (tdentry != exp->ex_path.dentry && !IS_ROOT(tdentry)) { 41 /* make sure parents give x permission to user */ 42 int err; 43 parent = dget_parent(tdentry); 44 err = inode_permission(&nop_mnt_idmap, 45 d_inode(parent), MAY_EXEC); 46 if (err < 0) { 47 dput(parent); 48 break; 49 } 50 dput(tdentry); 51 tdentry = parent; 52 } 53 if (tdentry != exp->ex_path.dentry) 54 dprintk("nfsd_acceptable failed at %p %pd\n", tdentry, tdentry); 55 rv = (tdentry == exp->ex_path.dentry); 56 dput(tdentry); 57 return rv; 58 } 59 60 /* Type check. The correct error return for type mismatches does not seem to be 61 * generally agreed upon. SunOS seems to use EISDIR if file isn't S_IFREG; a 62 * comment in the NFSv3 spec says this is incorrect (implementation notes for 63 * the write call). 64 */ 65 static inline __be32 66 nfsd_mode_check(struct dentry *dentry, umode_t requested) 67 { 68 umode_t mode = d_inode(dentry)->i_mode & S_IFMT; 69 70 if (requested == 0) /* the caller doesn't care */ 71 return nfs_ok; 72 if (mode == requested) { 73 if (mode == S_IFDIR && !d_can_lookup(dentry)) { 74 WARN_ON_ONCE(1); 75 return nfserr_notdir; 76 } 77 return nfs_ok; 78 } 79 if (mode == S_IFLNK) { 80 if (requested == S_IFDIR) 81 return nfserr_symlink_not_dir; 82 return nfserr_symlink; 83 } 84 if (requested == S_IFDIR) 85 return nfserr_notdir; 86 if (mode == S_IFDIR) 87 return nfserr_isdir; 88 return nfserr_wrong_type; 89 } 90 91 static bool nfsd_originating_port_ok(struct svc_rqst *rqstp, 92 struct svc_cred *cred, 93 struct svc_export *exp) 94 { 95 if (nfsexp_flags(cred, exp) & NFSEXP_INSECURE_PORT) 96 return true; 97 /* We don't require gss requests to use low ports: */ 98 if (cred->cr_flavor >= RPC_AUTH_GSS) 99 return true; 100 return test_bit(RQ_SECURE, &rqstp->rq_flags); 101 } 102 103 static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp, 104 struct svc_cred *cred, 105 struct svc_export *exp) 106 { 107 /* Check if the request originated from a secure port. */ 108 if (rqstp && !nfsd_originating_port_ok(rqstp, cred, exp)) { 109 if (IS_ENABLED(CONFIG_SUNRPC_DEBUG)) { 110 char buf[RPC_MAX_ADDRBUFLEN]; 111 112 dprintk("nfsd: request from insecure port %s!\n", 113 svc_print_addr(rqstp, buf, sizeof(buf))); 114 } 115 return nfserr_perm; 116 } 117 118 /* Set user creds for this exportpoint */ 119 return nfserrno(nfsd_setuser(cred, exp)); 120 } 121 122 static inline __be32 check_pseudo_root(struct dentry *dentry, 123 struct svc_export *exp) 124 { 125 if (!(exp->ex_flags & NFSEXP_V4ROOT)) 126 return nfs_ok; 127 /* 128 * We're exposing only the directories and symlinks that have to be 129 * traversed on the way to real exports: 130 */ 131 if (unlikely(!d_is_dir(dentry) && 132 !d_is_symlink(dentry))) 133 return nfserr_stale; 134 /* 135 * A pseudoroot export gives permission to access only one 136 * single directory; the kernel has to make another upcall 137 * before granting access to anything else under it: 138 */ 139 if (unlikely(dentry != exp->ex_path.dentry)) 140 return nfserr_stale; 141 return nfs_ok; 142 } 143 144 /* Size of a file handle MAC, in 4-octet words */ 145 #define FH_MAC_WORDS (sizeof(__le64) / 4) 146 147 static bool fh_append_mac(struct svc_fh *fhp, struct net *net) 148 { 149 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 150 struct knfsd_fh *fh = &fhp->fh_handle; 151 siphash_key_t *fh_key = nn->fh_key; 152 __le64 hash; 153 154 if (!fh_key) 155 goto out_no_key; 156 if (fh->fh_size + sizeof(hash) > fhp->fh_maxsize) 157 goto out_no_space; 158 159 hash = cpu_to_le64(siphash(&fh->fh_raw, fh->fh_size, fh_key)); 160 memcpy(&fh->fh_raw[fh->fh_size], &hash, sizeof(hash)); 161 fh->fh_size += sizeof(hash); 162 return true; 163 164 out_no_key: 165 pr_warn_ratelimited("NFSD: unable to sign filehandles, fh_key not set.\n"); 166 return false; 167 168 out_no_space: 169 pr_warn_ratelimited("NFSD: unable to sign filehandles, fh_size %zu would be greater than fh_maxsize %d.\n", 170 fh->fh_size + sizeof(hash), fhp->fh_maxsize); 171 return false; 172 } 173 174 /* 175 * Verify that the filehandle's MAC was hashed from this filehandle 176 * given the server's fh_key: 177 */ 178 static bool fh_verify_mac(struct svc_fh *fhp, struct net *net) 179 { 180 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 181 struct knfsd_fh *fh = &fhp->fh_handle; 182 siphash_key_t *fh_key = nn->fh_key; 183 __le64 hash; 184 185 if (!fh_key) { 186 pr_warn_ratelimited("NFSD: unable to verify signed filehandles, fh_key not set.\n"); 187 return false; 188 } 189 190 hash = cpu_to_le64(siphash(&fh->fh_raw, fh->fh_size - sizeof(hash), fh_key)); 191 return crypto_memneq(&fh->fh_raw[fh->fh_size - sizeof(hash)], 192 &hash, sizeof(hash)) == 0; 193 } 194 195 /* 196 * Use the given filehandle to look up the corresponding export and 197 * dentry. On success, the results are used to set fh_export and 198 * fh_dentry. 199 */ 200 static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqstp, struct net *net, 201 struct svc_cred *cred, 202 struct auth_domain *client, 203 struct auth_domain *gssclient, 204 struct svc_fh *fhp) 205 { 206 struct knfsd_fh *fh = &fhp->fh_handle; 207 struct fid *fid = NULL; 208 struct svc_export *exp; 209 struct dentry *dentry; 210 int fileid_type; 211 int data_left = fh->fh_size/4; 212 int len; 213 __be32 error; 214 215 error = nfserr_badhandle; 216 if (fh->fh_size == 0) 217 return nfserr_nofilehandle; 218 219 if (fh->fh_version != 1) 220 return error; 221 222 if (--data_left < 0) 223 return error; 224 if (fh->fh_auth_type != 0) 225 return error; 226 len = key_len(fh->fh_fsid_type) / 4; 227 if (len == 0) 228 return error; 229 if (fh->fh_fsid_type == FSID_MAJOR_MINOR) { 230 u32 *fsid = fh_fsid(fh); 231 232 /* deprecated, convert to type 3 */ 233 len = key_len(FSID_ENCODE_DEV)/4; 234 fh->fh_fsid_type = FSID_ENCODE_DEV; 235 /* 236 * struct knfsd_fh uses host-endian fields, which are 237 * sometimes used to hold net-endian values. This 238 * confuses sparse, so we must use __force here to 239 * keep it from complaining. 240 */ 241 fsid[0] = new_encode_dev(MKDEV(ntohl((__force __be32)fsid[0]), 242 ntohl((__force __be32)fsid[1]))); 243 fsid[1] = fsid[2]; 244 } 245 data_left -= len; 246 if (data_left < 0) 247 return error; 248 exp = rqst_exp_find(rqstp ? &rqstp->rq_chandle : NULL, 249 net, client, gssclient, 250 fh->fh_fsid_type, fh_fsid(fh)); 251 fid = (struct fid *)(fh_fsid(fh) + len); 252 253 error = nfserr_stale; 254 if (IS_ERR(exp)) { 255 trace_nfsd_set_fh_dentry_badexport(rqstp, fhp, PTR_ERR(exp)); 256 257 if (PTR_ERR(exp) == -ENOENT) 258 return error; 259 260 return nfserrno(PTR_ERR(exp)); 261 } 262 263 if (exp->ex_flags & NFSEXP_NOSUBTREECHECK) { 264 /* Elevate privileges so that the lack of 'r' or 'x' 265 * permission on some parent directory will 266 * not stop exportfs_decode_fh from being able 267 * to reconnect a directory into the dentry cache. 268 * The same problem can affect "SUBTREECHECK" exports, 269 * but as nfsd_acceptable depends on correct 270 * access control settings being in effect, we cannot 271 * fix that case easily. 272 */ 273 struct cred *new = prepare_creds(); 274 if (!new) { 275 error = nfserrno(-ENOMEM); 276 goto out; 277 } 278 new->cap_effective = 279 cap_raise_nfsd_set(new->cap_effective, 280 new->cap_permitted); 281 put_cred(override_creds(new)); 282 } else { 283 error = nfsd_setuser_and_check_port(rqstp, cred, exp); 284 if (error) 285 goto out; 286 } 287 288 /* 289 * Look up the dentry using the NFS file handle. 290 */ 291 fileid_type = fh->fh_fileid_type; 292 error = nfserr_stale; 293 294 if (fileid_type == FILEID_ROOT) { 295 /* We don't sign or verify the root, no per-file identity */ 296 dentry = dget(exp->ex_path.dentry); 297 } else { 298 if (exp->ex_flags & NFSEXP_SIGN_FH) { 299 if (!fh_verify_mac(fhp, net)) { 300 trace_nfsd_set_fh_dentry_badmac(rqstp, fhp, -ESTALE); 301 goto out; 302 } 303 data_left -= FH_MAC_WORDS; 304 } 305 306 dentry = exportfs_decode_fh_raw(exp->ex_path.mnt, fid, 307 data_left, fileid_type, 0, 308 nfsd_acceptable, exp); 309 if (IS_ERR_OR_NULL(dentry)) { 310 trace_nfsd_set_fh_dentry_badhandle(rqstp, fhp, 311 dentry ? PTR_ERR(dentry) : -ESTALE); 312 switch (PTR_ERR(dentry)) { 313 case -ENOMEM: 314 case -ETIMEDOUT: 315 break; 316 default: 317 dentry = ERR_PTR(-ESTALE); 318 } 319 } 320 } 321 322 error = nfserr_badhandle; 323 if (dentry == NULL) 324 goto out; 325 if (IS_ERR(dentry)) { 326 if (PTR_ERR(dentry) != -EINVAL) 327 error = nfserrno(PTR_ERR(dentry)); 328 goto out; 329 } 330 331 if (d_is_dir(dentry) && 332 (dentry->d_flags & DCACHE_DISCONNECTED)) { 333 printk("nfsd: find_fh_dentry returned a DISCONNECTED directory: %pd2\n", 334 dentry); 335 } 336 337 switch (fhp->fh_maxsize) { 338 case NFS4_FHSIZE: 339 if (dentry->d_sb->s_export_op->flags & EXPORT_OP_NOATOMIC_ATTR) 340 fhp->fh_no_atomic_attr = true; 341 fhp->fh_64bit_cookies = true; 342 break; 343 case NFS3_FHSIZE: 344 if (dentry->d_sb->s_export_op->flags & EXPORT_OP_NOWCC) 345 fhp->fh_no_wcc = true; 346 fhp->fh_64bit_cookies = true; 347 if (exp->ex_flags & NFSEXP_V4ROOT) 348 goto out; 349 break; 350 case NFS_FHSIZE: 351 fhp->fh_no_wcc = true; 352 if (EX_WGATHER(exp)) 353 fhp->fh_use_wgather = true; 354 if (exp->ex_flags & NFSEXP_V4ROOT) 355 goto out; 356 } 357 358 fhp->fh_dentry = dentry; 359 fhp->fh_export = exp; 360 361 return 0; 362 out: 363 exp_put(exp); 364 return error; 365 } 366 367 /** 368 * __fh_verify - filehandle lookup and access checking 369 * @rqstp: RPC transaction context, or NULL 370 * @net: net namespace in which to perform the export lookup 371 * @cred: RPC user credential 372 * @client: RPC auth domain 373 * @gssclient: RPC GSS auth domain, or NULL 374 * @fhp: filehandle to be verified 375 * @type: expected type of object pointed to by filehandle 376 * @access: type of access needed to object 377 * 378 * See fh_verify() for further descriptions of @fhp, @type, and @access. 379 */ 380 static __be32 381 __fh_verify(struct svc_rqst *rqstp, 382 struct net *net, struct svc_cred *cred, 383 struct auth_domain *client, 384 struct auth_domain *gssclient, 385 struct svc_fh *fhp, umode_t type, int access) 386 { 387 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 388 struct svc_export *exp = NULL; 389 bool may_bypass_gss = false; 390 struct dentry *dentry; 391 __be32 error; 392 393 if (!fhp->fh_dentry) { 394 error = nfsd_set_fh_dentry(rqstp, net, cred, client, 395 gssclient, fhp); 396 if (error) 397 goto out; 398 } 399 dentry = fhp->fh_dentry; 400 exp = fhp->fh_export; 401 402 trace_nfsd_fh_verify(rqstp, fhp, type, access); 403 404 /* 405 * We still have to do all these permission checks, even when 406 * fh_dentry is already set: 407 * - fh_verify may be called multiple times with different 408 * "access" arguments (e.g. nfsd_proc_create calls 409 * fh_verify(...,NFSD_MAY_EXEC) first, then later (in 410 * nfsd_create) calls fh_verify(...,NFSD_MAY_CREATE). 411 * - in the NFSv4 case, the filehandle may have been filled 412 * in by fh_compose, and given a dentry, but further 413 * compound operations performed with that filehandle 414 * still need permissions checks. In the worst case, a 415 * mountpoint crossing may have changed the export 416 * options, and we may now need to use a different uid 417 * (for example, if different id-squashing options are in 418 * effect on the new filesystem). 419 */ 420 error = check_pseudo_root(dentry, exp); 421 if (error) 422 goto out; 423 424 error = nfsd_setuser_and_check_port(rqstp, cred, exp); 425 if (error) 426 goto out; 427 428 error = nfsd_mode_check(dentry, type); 429 if (error) 430 goto out; 431 432 /* 433 * If rqstp is NULL, this is a LOCALIO request which will only 434 * ever use a filehandle/credential pair for which access has 435 * been affirmed (by ACCESS or OPEN NFS requests) over the 436 * wire. Skip both the xprtsec policy and the security flavor 437 * checks. 438 */ 439 if (!rqstp) 440 goto check_permissions; 441 442 if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM)) 443 /* NLM is allowed to fully bypass authentication */ 444 goto out; 445 446 /* 447 * NLM is allowed to bypass the xprtsec policy check because lockd 448 * doesn't support xprtsec. 449 */ 450 if (!(access & NFSD_MAY_NLM)) { 451 error = check_xprtsec_policy(exp, rqstp); 452 if (error) 453 goto out; 454 } 455 456 if (access & NFSD_MAY_BYPASS_GSS) 457 may_bypass_gss = true; 458 /* 459 * Clients may expect to be able to use auth_sys during mount, 460 * even if they use gss for everything else; see section 2.3.2 461 * of rfc 2623. 462 */ 463 if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT 464 && exp->ex_path.dentry == dentry) 465 may_bypass_gss = true; 466 467 error = check_security_flavor(exp, rqstp, may_bypass_gss); 468 if (error) 469 goto out; 470 471 svc_xprt_set_valid(rqstp->rq_xprt); 472 473 check_permissions: 474 /* Finally, check access permissions. */ 475 error = nfsd_permission(cred, exp, dentry, access); 476 out: 477 trace_nfsd_fh_verify_err(rqstp, fhp, type, access, error); 478 if (error == nfserr_stale) 479 nfsd_stats_fh_stale_inc(nn, exp); 480 return error; 481 } 482 483 /** 484 * fh_verify_local - filehandle lookup and access checking 485 * @net: net namespace in which to perform the export lookup 486 * @cred: RPC user credential 487 * @client: RPC auth domain 488 * @fhp: filehandle to be verified 489 * @type: expected type of object pointed to by filehandle 490 * @access: type of access needed to object 491 * 492 * This API can be used by callers who do not have an RPC 493 * transaction context (ie are not running in an nfsd thread). 494 * 495 * See fh_verify() for further descriptions of @fhp, @type, and @access. 496 */ 497 __be32 498 fh_verify_local(struct net *net, struct svc_cred *cred, 499 struct auth_domain *client, struct svc_fh *fhp, 500 umode_t type, int access) 501 { 502 return __fh_verify(NULL, net, cred, client, NULL, 503 fhp, type, access); 504 } 505 506 /** 507 * fh_verify - filehandle lookup and access checking 508 * @rqstp: pointer to current rpc request 509 * @fhp: filehandle to be verified 510 * @type: expected type of object pointed to by filehandle 511 * @access: type of access needed to object 512 * 513 * Look up a dentry from the on-the-wire filehandle, check the client's 514 * access to the export, and set the current task's credentials. 515 * 516 * Regardless of success or failure of fh_verify(), fh_put() should be 517 * called on @fhp when the caller is finished with the filehandle. 518 * 519 * fh_verify() may be called multiple times on a given filehandle, for 520 * example, when processing an NFSv4 compound. The first call will look 521 * up a dentry using the on-the-wire filehandle. Subsequent calls will 522 * skip the lookup and just perform the other checks and possibly change 523 * the current task's credentials. 524 * 525 * @type specifies the type of object expected using one of the S_IF* 526 * constants defined in include/linux/stat.h. The caller may use zero 527 * to indicate that it doesn't care, or a negative integer to indicate 528 * that it expects something not of the given type. 529 * 530 * @access is formed from the NFSD_MAY_* constants defined in 531 * fs/nfsd/vfs.h. 532 */ 533 __be32 534 fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) 535 { 536 return __fh_verify(rqstp, SVC_NET(rqstp), &rqstp->rq_cred, 537 rqstp->rq_client, rqstp->rq_gssclient, 538 fhp, type, access); 539 } 540 541 /* 542 * Compose a file handle for an NFS reply. 543 * 544 * Note that when first composed, the dentry may not yet have 545 * an inode. In this case a call to fh_update should be made 546 * before the fh goes out on the wire ... 547 */ 548 static void _fh_update(struct svc_fh *fhp, struct svc_export *exp, 549 struct dentry *dentry) 550 { 551 if (dentry != exp->ex_path.dentry) { 552 struct fid *fid = (struct fid *) 553 (fh_fsid(&fhp->fh_handle) + fhp->fh_handle.fh_size/4 - 1); 554 int maxsize = (fhp->fh_maxsize - fhp->fh_handle.fh_size)/4; 555 int fh_flags = (exp->ex_flags & NFSEXP_NOSUBTREECHECK) ? 0 : 556 EXPORT_FH_CONNECTABLE; 557 int fileid_type = 558 exportfs_encode_fh(dentry, fid, &maxsize, fh_flags); 559 560 fhp->fh_handle.fh_fileid_type = 561 fileid_type > 0 ? fileid_type : FILEID_INVALID; 562 fhp->fh_handle.fh_size += maxsize * 4; 563 564 if (exp->ex_flags & NFSEXP_SIGN_FH) 565 if (!fh_append_mac(fhp, exp->cd->net)) 566 fhp->fh_handle.fh_fileid_type = FILEID_INVALID; 567 } else { 568 fhp->fh_handle.fh_fileid_type = FILEID_ROOT; 569 } 570 } 571 572 static bool is_root_export(struct svc_export *exp) 573 { 574 return exp->ex_path.dentry == exp->ex_path.dentry->d_sb->s_root; 575 } 576 577 static struct super_block *exp_sb(struct svc_export *exp) 578 { 579 return exp->ex_path.dentry->d_sb; 580 } 581 582 static bool fsid_type_ok_for_exp(u8 fsid_type, struct svc_export *exp) 583 { 584 switch (fsid_type) { 585 case FSID_DEV: 586 if (!old_valid_dev(exp_sb(exp)->s_dev)) 587 return false; 588 fallthrough; 589 case FSID_MAJOR_MINOR: 590 case FSID_ENCODE_DEV: 591 return exp_sb(exp)->s_type->fs_flags & FS_REQUIRES_DEV; 592 case FSID_NUM: 593 return exp->ex_flags & NFSEXP_FSID; 594 case FSID_UUID8: 595 case FSID_UUID16: 596 if (!is_root_export(exp)) 597 return false; 598 fallthrough; 599 case FSID_UUID4_INUM: 600 case FSID_UUID16_INUM: 601 return exp->ex_uuid != NULL; 602 } 603 return true; 604 } 605 606 607 static void set_version_and_fsid_type(struct svc_fh *fhp, struct svc_export *exp, struct svc_fh *ref_fh) 608 { 609 u8 version; 610 u8 fsid_type; 611 retry: 612 version = 1; 613 if (ref_fh && ref_fh->fh_export == exp) { 614 version = ref_fh->fh_handle.fh_version; 615 fsid_type = ref_fh->fh_handle.fh_fsid_type; 616 617 ref_fh = NULL; 618 619 switch (version) { 620 case 0xca: 621 fsid_type = FSID_DEV; 622 break; 623 case 1: 624 break; 625 default: 626 goto retry; 627 } 628 629 /* 630 * As the fsid -> filesystem mapping was guided by 631 * user-space, there is no guarantee that the filesystem 632 * actually supports that fsid type. If it doesn't we 633 * loop around again without ref_fh set. 634 */ 635 if (!fsid_type_ok_for_exp(fsid_type, exp)) 636 goto retry; 637 } else if (exp->ex_flags & NFSEXP_FSID) { 638 fsid_type = FSID_NUM; 639 } else if (exp->ex_uuid) { 640 if (fhp->fh_maxsize >= 64) { 641 if (is_root_export(exp)) 642 fsid_type = FSID_UUID16; 643 else 644 fsid_type = FSID_UUID16_INUM; 645 } else { 646 if (is_root_export(exp)) 647 fsid_type = FSID_UUID8; 648 else 649 fsid_type = FSID_UUID4_INUM; 650 } 651 } else if (!old_valid_dev(exp_sb(exp)->s_dev)) 652 /* for newer device numbers, we must use a newer fsid format */ 653 fsid_type = FSID_ENCODE_DEV; 654 else 655 fsid_type = FSID_DEV; 656 fhp->fh_handle.fh_version = version; 657 if (version) 658 fhp->fh_handle.fh_fsid_type = fsid_type; 659 } 660 661 __be32 662 fh_compose(struct svc_fh *fhp, struct svc_export *exp, struct dentry *dentry, 663 struct svc_fh *ref_fh) 664 { 665 /* ref_fh is a reference file handle. 666 * if it is non-null and for the same filesystem, then we should compose 667 * a filehandle which is of the same version, where possible. 668 */ 669 670 struct inode * inode = d_inode(dentry); 671 dev_t ex_dev = exp_sb(exp)->s_dev; 672 673 dprintk("nfsd: fh_compose(exp %02x:%02x/%llu %pd2, ino=%llu)\n", 674 MAJOR(ex_dev), MINOR(ex_dev), 675 d_inode(exp->ex_path.dentry)->i_ino, 676 dentry, 677 (inode ? inode->i_ino : 0)); 678 679 /* Choose filehandle version and fsid type based on 680 * the reference filehandle (if it is in the same export) 681 * or the export options. 682 */ 683 set_version_and_fsid_type(fhp, exp, ref_fh); 684 685 /* If we have a ref_fh, then copy the fh_no_wcc setting from it. */ 686 fhp->fh_no_wcc = ref_fh ? ref_fh->fh_no_wcc : false; 687 688 if (ref_fh == fhp) 689 fh_put(ref_fh); 690 691 if (fhp->fh_dentry) { 692 printk(KERN_ERR "fh_compose: fh %pd2 not initialized!\n", 693 dentry); 694 } 695 if (fhp->fh_maxsize < NFS_FHSIZE) 696 printk(KERN_ERR "fh_compose: called with maxsize %d! %pd2\n", 697 fhp->fh_maxsize, 698 dentry); 699 700 fhp->fh_dentry = dget(dentry); /* our internal copy */ 701 fhp->fh_export = exp_get(exp); 702 703 fhp->fh_handle.fh_size = 704 key_len(fhp->fh_handle.fh_fsid_type) + 4; 705 fhp->fh_handle.fh_auth_type = 0; 706 707 mk_fsid(fhp->fh_handle.fh_fsid_type, 708 fh_fsid(&fhp->fh_handle), 709 ex_dev, 710 d_inode(exp->ex_path.dentry)->i_ino, 711 exp->ex_fsid, exp->ex_uuid); 712 713 if (inode) 714 _fh_update(fhp, exp, dentry); 715 if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID) { 716 fh_put(fhp); 717 return nfserr_stale; 718 } 719 720 return 0; 721 } 722 723 /* 724 * Update file handle information after changing a dentry. 725 * This is only called by nfsd_create, nfsd_create_v3 and nfsd_proc_create 726 */ 727 __be32 728 fh_update(struct svc_fh *fhp) 729 { 730 struct dentry *dentry; 731 732 if (!fhp->fh_dentry) 733 goto out_bad; 734 735 dentry = fhp->fh_dentry; 736 if (d_really_is_negative(dentry)) 737 goto out_negative; 738 if (fhp->fh_handle.fh_fileid_type != FILEID_ROOT) 739 return 0; 740 741 _fh_update(fhp, fhp->fh_export, dentry); 742 if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID) 743 return nfserr_stale; 744 return 0; 745 out_bad: 746 printk(KERN_ERR "fh_update: fh not verified!\n"); 747 return nfserr_serverfault; 748 out_negative: 749 printk(KERN_ERR "fh_update: %pd2 still negative!\n", 750 dentry); 751 return nfserr_serverfault; 752 } 753 754 /** 755 * fh_getattr - Retrieve attributes on a local file 756 * @fhp: File handle of target file 757 * @stat: Caller-supplied kstat buffer to be filled in 758 * 759 * Returns nfs_ok on success, otherwise an NFS status code is 760 * returned. 761 */ 762 __be32 fh_getattr(const struct svc_fh *fhp, struct kstat *stat) 763 { 764 struct path p = { 765 .mnt = fhp->fh_export->ex_path.mnt, 766 .dentry = fhp->fh_dentry, 767 }; 768 struct inode *inode = d_inode(p.dentry); 769 u32 request_mask = STATX_BASIC_STATS; 770 771 if (S_ISREG(inode->i_mode)) 772 request_mask |= (STATX_DIOALIGN | STATX_DIO_READ_ALIGN); 773 774 if (fhp->fh_maxsize == NFS4_FHSIZE) 775 request_mask |= (STATX_BTIME | STATX_CHANGE_COOKIE); 776 777 return nfserrno(vfs_getattr(&p, stat, request_mask, 778 AT_STATX_SYNC_AS_STAT)); 779 } 780 781 /** 782 * fh_fill_pre_attrs - Fill in pre-op attributes 783 * @fhp: file handle to be updated 784 * 785 */ 786 __be32 __must_check fh_fill_pre_attrs(struct svc_fh *fhp) 787 { 788 bool v4 = (fhp->fh_maxsize == NFS4_FHSIZE); 789 struct kstat stat; 790 __be32 err; 791 792 if (fhp->fh_no_wcc || fhp->fh_pre_saved) 793 return nfs_ok; 794 795 err = fh_getattr(fhp, &stat); 796 if (err) 797 return err; 798 799 if (v4) 800 fhp->fh_pre_change = nfsd4_change_attribute(&stat); 801 802 fhp->fh_pre_mtime = stat.mtime; 803 fhp->fh_pre_ctime = stat.ctime; 804 fhp->fh_pre_size = stat.size; 805 fhp->fh_pre_saved = true; 806 return nfs_ok; 807 } 808 809 /** 810 * fh_fill_post_attrs - Fill in post-op attributes 811 * @fhp: file handle to be updated 812 * 813 */ 814 __be32 fh_fill_post_attrs(struct svc_fh *fhp) 815 { 816 bool v4 = (fhp->fh_maxsize == NFS4_FHSIZE); 817 __be32 err; 818 819 if (fhp->fh_no_wcc) 820 return nfs_ok; 821 822 if (fhp->fh_post_saved) 823 printk("nfsd: inode locked twice during operation.\n"); 824 825 err = fh_getattr(fhp, &fhp->fh_post_attr); 826 if (err) 827 return err; 828 829 fhp->fh_post_saved = true; 830 if (v4) 831 fhp->fh_post_change = 832 nfsd4_change_attribute(&fhp->fh_post_attr); 833 return nfs_ok; 834 } 835 836 /** 837 * fh_fill_both_attrs - Fill pre-op and post-op attributes 838 * @fhp: file handle to be updated 839 * 840 * This is used when the directory wasn't changed, but wcc attributes 841 * are needed anyway. 842 */ 843 __be32 __must_check fh_fill_both_attrs(struct svc_fh *fhp) 844 { 845 __be32 err; 846 847 err = fh_fill_post_attrs(fhp); 848 if (err) 849 return err; 850 851 fhp->fh_pre_change = fhp->fh_post_change; 852 fhp->fh_pre_mtime = fhp->fh_post_attr.mtime; 853 fhp->fh_pre_ctime = fhp->fh_post_attr.ctime; 854 fhp->fh_pre_size = fhp->fh_post_attr.size; 855 fhp->fh_pre_saved = true; 856 return nfs_ok; 857 } 858 859 /* 860 * Release a file handle. 861 */ 862 void 863 fh_put(struct svc_fh *fhp) 864 { 865 struct dentry * dentry = fhp->fh_dentry; 866 struct svc_export * exp = fhp->fh_export; 867 if (dentry) { 868 fhp->fh_dentry = NULL; 869 dput(dentry); 870 fh_clear_pre_post_attrs(fhp); 871 } 872 fh_drop_write(fhp); 873 if (exp) { 874 exp_put(exp); 875 fhp->fh_export = NULL; 876 } 877 fhp->fh_no_wcc = false; 878 return; 879 } 880 881 /* 882 * Shorthand for dprintk()'s 883 */ 884 char * SVCFH_fmt(struct svc_fh *fhp) 885 { 886 struct knfsd_fh *fh = &fhp->fh_handle; 887 static char buf[2+1+1+64*3+1]; 888 889 if (fh->fh_size > 64) 890 return "bad-fh"; 891 sprintf(buf, "%d: %*ph", fh->fh_size, fh->fh_size, fh->fh_raw); 892 return buf; 893 } 894 895 enum fsid_source fsid_source(const struct svc_fh *fhp) 896 { 897 if (fhp->fh_handle.fh_version != 1) 898 return FSIDSOURCE_DEV; 899 switch(fhp->fh_handle.fh_fsid_type) { 900 case FSID_DEV: 901 case FSID_ENCODE_DEV: 902 case FSID_MAJOR_MINOR: 903 if (exp_sb(fhp->fh_export)->s_type->fs_flags & FS_REQUIRES_DEV) 904 return FSIDSOURCE_DEV; 905 break; 906 case FSID_NUM: 907 if (fhp->fh_export->ex_flags & NFSEXP_FSID) 908 return FSIDSOURCE_FSID; 909 break; 910 default: 911 break; 912 } 913 /* either a UUID type filehandle, or the filehandle doesn't 914 * match the export. 915 */ 916 if (fhp->fh_export->ex_flags & NFSEXP_FSID) 917 return FSIDSOURCE_FSID; 918 if (fhp->fh_export->ex_uuid) 919 return FSIDSOURCE_UUID; 920 return FSIDSOURCE_DEV; 921 } 922 923 /** 924 * nfsd4_change_attribute - Generate an NFSv4 change_attribute value 925 * @stat: inode attributes 926 * 927 * Caller must fill in @stat before calling, typically by invoking 928 * vfs_getattr() with STATX_MODE, STATX_CTIME, and STATX_CHANGE_COOKIE. 929 * Returns an unsigned 64-bit changeid4 value (RFC 8881 Section 3.2). 930 * 931 * We could use i_version alone as the change attribute. However, i_version 932 * can go backwards on a regular file after an unclean shutdown. On its own 933 * that doesn't necessarily cause a problem, but if i_version goes backwards 934 * and then is incremented again it could reuse a value that was previously 935 * used before boot, and a client who queried the two values might incorrectly 936 * assume nothing changed. 937 * 938 * By using both ctime and the i_version counter we guarantee that as long as 939 * time doesn't go backwards we never reuse an old value. If the filesystem 940 * advertises STATX_ATTR_CHANGE_MONOTONIC, then this mitigation is not 941 * needed. 942 * 943 * We only need to do this for regular files as well. For directories, we 944 * assume that the new change attr is always logged to stable storage in some 945 * fashion before the results can be seen. 946 */ 947 u64 nfsd4_change_attribute(const struct kstat *stat) 948 { 949 u64 chattr; 950 951 if (stat->result_mask & STATX_CHANGE_COOKIE) { 952 chattr = stat->change_cookie; 953 if (S_ISREG(stat->mode) && 954 !(stat->attributes & STATX_ATTR_CHANGE_MONOTONIC)) { 955 chattr += (u64)stat->ctime.tv_sec << 30; 956 chattr += stat->ctime.tv_nsec; 957 } 958 } else { 959 chattr = time_to_chattr(&stat->ctime); 960 } 961 return chattr; 962 } 963