// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2016 Namjae Jeon <linkinjeon@kernel.org>
 * Copyright (C) 2019 Samsung Electronics Co., Ltd.
 */

#include <linux/fs.h>
#include <linux/filelock.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/kthread.h>
#include <linux/freezer.h>

#include "glob.h"
#include "vfs_cache.h"
#include "oplock.h"
#include "vfs.h"
#include "connection.h"
#include "misc.h"
#include "mgmt/tree_connect.h"
#include "mgmt/user_session.h"
#include "mgmt/user_config.h"
#include "smb_common.h"
#include "server.h"
#include "smb2pdu.h"

/*
 * ksmbd_inode::m_flags bits.
 *
 * S_DEL_ON_CLS is promoted to S_DEL_PENDING when the fd that asked for
 * delete-on-close is closed (__ksmbd_inode_close()); the unlink itself is
 * issued only when the last ksmbd_inode reference is dropped.
 * S_DEL_ON_CLS_STREAM is the same request for a named-stream fd and is
 * satisfied by removing the stream xattr instead of unlinking.
 */
#define S_DEL_PENDING		1
#define S_DEL_ON_CLS		2
#define S_DEL_ON_CLS_STREAM	8

/* Hash table of ksmbd_inode objects keyed by dentry; see inode_hash(). */
static unsigned int inode_hash_mask __read_mostly;
static unsigned int inode_hash_shift __read_mostly;
static struct hlist_head *inode_hashtable __read_mostly;
static DEFINE_RWLOCK(inode_hash_lock);

/*
 * global_ft publishes persistent (durable) ids; per-session file tables
 * publish the volatile ids. fd_limit is the remaining open-file budget: it
 * is charged when a volatile id is allocated (__open_id()) and refunded on
 * final close (__ksmbd_close_fd()).
 */
static struct ksmbd_file_table global_ft;
static atomic_long_t fd_limit;
static struct kmem_cache *filp_cache;

#define OPLOCK_NONE		0
#define OPLOCK_EXCLUSIVE	1
#define OPLOCK_BATCH		2
#define OPLOCK_READ		3 /* level 2 oplock */

#ifdef CONFIG_PROC_FS

/* Printable names for the lease-state combinations reported via procfs. */
static const struct ksmbd_const_name ksmbd_lease_const_names[] = {
	{le32_to_cpu(SMB2_LEASE_NONE_LE), "LEASE_NONE"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE), "LEASE_R"},
	{le32_to_cpu(SMB2_LEASE_HANDLE_CACHING_LE), "LEASE_H"},
	{le32_to_cpu(SMB2_LEASE_WRITE_CACHING_LE), "LEASE_W"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
		     SMB2_LEASE_HANDLE_CACHING_LE), "LEASE_RH"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
		     SMB2_LEASE_WRITE_CACHING_LE), "LEASE_RW"},
	{le32_to_cpu(SMB2_LEASE_HANDLE_CACHING_LE |
		     SMB2_LEASE_WRITE_CACHING_LE), "LEASE_WH"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
		     SMB2_LEASE_HANDLE_CACHING_LE |
		     SMB2_LEASE_WRITE_CACHING_LE), "LEASE_RWH"},
};

/* Printable names for the SMB2 oplock levels reported via procfs. */
static const struct ksmbd_const_name ksmbd_oplock_const_names[] = {
	{SMB2_OPLOCK_LEVEL_NONE, "OPLOCK_NONE"},
	{SMB2_OPLOCK_LEVEL_II, "OPLOCK_II"},
	{SMB2_OPLOCK_LEVEL_EXCLUSIVE, "OPLOCK_EXECL"},
	{SMB2_OPLOCK_LEVEL_BATCH, "OPLOCK_BATCH"},
};

/**
 * proc_show_files() - seq_file show callback listing every fp in global_ft
 * @m: seq_file to print into
 * @v: seq_file iterator argument, unused
 *
 * Prints one line per fp under global_ft's read lock: tree id, persistent
 * and volatile id, refcount, the oplock level or lease state, desired and
 * shared access, and the dentry name. The opinfo is only read under
 * rcu_read_lock(), and the lock is dropped before printing.
 *
 * Return: 0.
 */
static int proc_show_files(struct seq_file *m, void *v)
{
	struct ksmbd_file *fp = NULL;
	unsigned int id;
	struct oplock_info *opinfo;

	seq_printf(m, "#%-10s %-10s %-10s %-10s %-15s %-10s %-10s %s\n",
		   "<tree id>", "<pid>", "<vid>", "<refcnt>",
		   "<oplock>", "<daccess>", "<saccess>",
		   "<name>");

	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		seq_printf(m, "%#-10x %#-10llx %#-10llx %#-10x",
			   fp->tcon ? fp->tcon->id : 0,
			   fp->persistent_id,
			   fp->volatile_id,
			   atomic_read(&fp->refcount));

		rcu_read_lock();
		opinfo = rcu_dereference(fp->f_opinfo);
		if (opinfo) {
			const struct ksmbd_const_name *const_names;
			int count;
			unsigned int level;

			/* Leases and oplocks use different name tables. */
			if (opinfo->is_lease) {
				const_names = ksmbd_lease_const_names;
				count = ARRAY_SIZE(ksmbd_lease_const_names);
				level = le32_to_cpu(opinfo->o_lease->state);
			} else {
				const_names = ksmbd_oplock_const_names;
				count = ARRAY_SIZE(ksmbd_oplock_const_names);
				level = opinfo->level;
			}
			rcu_read_unlock();
			ksmbd_proc_show_const_name(m, " %-15s",
						   const_names, count, level);
		} else {
			rcu_read_unlock();
			seq_printf(m, " %-15s", " ");
		}

		seq_printf(m, " %#010x %#010x %s\n",
			   le32_to_cpu(fp->daccess),
			   le32_to_cpu(fp->saccess),
			   fp->filp->f_path.dentry->d_name.name);
	}
	read_unlock(&global_ft.lock);
	return 0;
}

/* Register the "files" procfs entry. Always returns 0. */
static int create_proc_files(void)
{
	ksmbd_proc_create("files", proc_show_files, NULL);
	return 0;
}
#else
static int create_proc_files(void) { return 0; }
#endif

/*
 * Durable-handle scavenger state. durable_scavenger_running is set/cleared
 * under durable_scavenger_lock by the launch/stop paths and cleared by the
 * scavenger thread itself on exit; dh_wq is what the thread sleeps on.
 */
static bool durable_scavenger_running;
static DEFINE_MUTEX(durable_scavenger_lock);
static wait_queue_head_t dh_wq;

/* Cap the number of ksmbd-opened files at @limit (or the system max). */
void
ksmbd_set_fd_limit(unsigned long limit)
{
	/* Never allow more ksmbd opens than the system-wide file limit. */
	limit = min(limit, get_max_files());
	atomic_long_set(&fd_limit, limit);
}

/*
 * Reserve one slot of the open-file budget.
 * Return: true (with the budget left unchanged) when no slot is available.
 */
static bool fd_limit_depleted(void)
{
	long v = atomic_long_dec_return(&fd_limit);

	if (v >= 0)
		return false;
	/* Went negative: undo the reservation before reporting exhaustion. */
	atomic_long_inc(&fd_limit);
	return true;
}

/* Give back a slot reserved by fd_limit_depleted(). */
static void fd_limit_close(void)
{
	atomic_long_inc(&fd_limit);
}

/*
 * INODE hash
 */

/*
 * Bucket index for @hashval (a dentry address) on super block @sb. The
 * super block address is mixed in as well, and the result is masked to the
 * table size.
 */
static unsigned long inode_hash(struct super_block *sb, unsigned long hashval)
{
	unsigned long tmp;

	tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) /
		L1_CACHE_BYTES;
	tmp = tmp ^ ((tmp ^ GOLDEN_RATIO_PRIME) >> inode_hash_shift);
	return tmp & inode_hash_mask;
}

/*
 * Find the ksmbd_inode for dentry @de. Caller holds inode_hash_lock (read
 * or write).
 *
 * Return: the ksmbd_inode with an extra m_count reference taken for the
 * caller (release with ksmbd_inode_put()), or NULL if none is hashed for
 * @de or its m_count had already dropped to zero.
 */
static struct ksmbd_inode *__ksmbd_inode_lookup(struct dentry *de)
{
	struct hlist_head *head = inode_hashtable +
		inode_hash(d_inode(de)->i_sb, (unsigned long)de);
	struct ksmbd_inode *ci = NULL, *ret_ci = NULL;

	hlist_for_each_entry(ci, head, m_hash) {
		if (ci->m_de == de) {
			/* A zero m_count means the entry is being freed. */
			if (atomic_inc_not_zero(&ci->m_count))
				ret_ci = ci;
			break;
		}
	}
	return ret_ci;
}

/* __ksmbd_inode_lookup() for @fp's dentry; same locking and refcount rules. */
static struct ksmbd_inode *ksmbd_inode_lookup(struct ksmbd_file *fp)
{
	return __ksmbd_inode_lookup(fp->filp->f_path.dentry);
}

/*
 * ksmbd_inode_lookup_lock() - __ksmbd_inode_lookup() under inode_hash_lock
 * @d: dentry to look up
 *
 * Return: referenced ksmbd_inode or NULL; release with ksmbd_inode_put().
 */
struct ksmbd_inode *ksmbd_inode_lookup_lock(struct dentry *d)
{
	struct ksmbd_inode *ci;

	read_lock(&inode_hash_lock);
	ci = __ksmbd_inode_lookup(d);
	read_unlock(&inode_hash_lock);

	return ci;
}

/*
 * ksmbd_query_inode_status() - report whether ksmbd tracks @dentry and
 * whether a delete is pending on it
 * @dentry: dentry to query
 *
 * Return: KSMBD_INODE_STATUS_UNKNOWN when ksmbd has no ksmbd_inode for
 * @dentry, KSMBD_INODE_STATUS_PENDING_DELETE when S_DEL_PENDING is set,
 * otherwise KSMBD_INODE_STATUS_OK.
 */
int ksmbd_query_inode_status(struct dentry *dentry)
{
	struct ksmbd_inode *ci;
	int ret = KSMBD_INODE_STATUS_UNKNOWN;

	read_lock(&inode_hash_lock);
	ci = __ksmbd_inode_lookup(dentry);
	read_unlock(&inode_hash_lock);
	if (!ci)
		return ret;

	down_read(&ci->m_lock);
	if (ci->m_flags & S_DEL_PENDING)
		ret = KSMBD_INODE_STATUS_PENDING_DELETE;
	else
		ret = KSMBD_INODE_STATUS_OK;
	up_read(&ci->m_lock);

	ksmbd_inode_put(ci);
	return ret;
}

/* Return true if S_DEL_PENDING is set on @fp's inode (read under m_lock). */
bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;
	int ret;

	down_read(&ci->m_lock);
	ret = (ci->m_flags & S_DEL_PENDING);
	up_read(&ci->m_lock);

	return ret;
}

/* Mark @fp's inode for unlink once its last ksmbd reference goes away. */
void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;

	down_write(&ci->m_lock);
	ci->m_flags |= S_DEL_PENDING;
	up_write(&ci->m_lock);
}

/* Undo ksmbd_set_inode_pending_delete(). */
void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;

	down_write(&ci->m_lock);
	ci->m_flags &= ~S_DEL_PENDING;
	up_write(&ci->m_lock);
}

/*
 * ksmbd_fd_set_delete_on_close() - request delete-on-close for @fp
 * @fp: file whose inode (or named stream) should be removed on close
 * @file_info: not used by this implementation
 *
 * Sets S_DEL_ON_CLS_STREAM for a named-stream fd and S_DEL_ON_CLS
 * otherwise; __ksmbd_inode_close() acts on the flag when @fp is closed.
 */
void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
				  int file_info)
{
	struct ksmbd_inode *ci = fp->f_ci;

	down_write(&ci->m_lock);
	if (ksmbd_stream_fd(fp))
		ci->m_flags |= S_DEL_ON_CLS_STREAM;
	else
		ci->m_flags |= S_DEL_ON_CLS;
	up_write(&ci->m_lock);
}

/* Insert @ci into the hash table. Caller holds inode_hash_lock for writing. */
static void ksmbd_inode_hash(struct ksmbd_inode *ci)
{
	struct hlist_head *b = inode_hashtable +
		inode_hash(d_inode(ci->m_de)->i_sb, (unsigned long)ci->m_de);

	hlist_add_head(&ci->m_hash, b);
}

/* Remove @ci from the hash table, taking inode_hash_lock itself. */
static void ksmbd_inode_unhash(struct ksmbd_inode *ci)
{
	write_lock(&inode_hash_lock);
	hlist_del_init(&ci->m_hash);
	write_unlock(&inode_hash_lock);
}

/*
 * Initialise a freshly allocated ksmbd_inode for @fp's dentry with one
 * m_count reference owned by the caller. Always returns 0.
 */
static int ksmbd_inode_init(struct ksmbd_inode *ci, struct ksmbd_file *fp)
{
	atomic_set(&ci->m_count, 1);
	atomic_set(&ci->op_count, 0);
	atomic_set(&ci->sop_count, 0);
	ci->m_flags = 0;
	ci->m_fattr = 0;
	INIT_LIST_HEAD(&ci->m_fp_list);
	INIT_LIST_HEAD(&ci->m_op_list);
	init_rwsem(&ci->m_lock);
	ci->m_de = fp->filp->f_path.dentry;
	return 0;
}

/*
 * ksmbd_inode_get() - find or create the ksmbd_inode for @fp's dentry
 * @fp: file whose dentry keys the lookup
 *
 * Optimistic lookup under the read lock first. On a miss, allocate and
 * initialise a new object, then look up again under the write lock so two
 * concurrent openers of the same dentry cannot both insert one: the loser
 * frees its copy and returns the winner's, which the lookup has already
 * referenced.
 *
 * Return: referenced ksmbd_inode, or NULL on allocation failure.
 */
static struct ksmbd_inode *ksmbd_inode_get(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci, *tmpci;
	int rc;

	read_lock(&inode_hash_lock);
	ci = ksmbd_inode_lookup(fp);
	read_unlock(&inode_hash_lock);
	if (ci)
		return ci;

	ci = kmalloc_obj(struct ksmbd_inode, KSMBD_DEFAULT_GFP);
	if (!ci)
		return NULL;

	rc = ksmbd_inode_init(ci, fp);
	if (rc) {
		pr_err("inode initialized failed\n");
		kfree(ci);
		return NULL;
	}

	write_lock(&inode_hash_lock);
	tmpci = ksmbd_inode_lookup(fp);
	if (!tmpci) {
		ksmbd_inode_hash(ci);
	} else {
		/* Lost the race; tmpci already carries our reference. */
		kfree(ci);
		ci = tmpci;
	}
	write_unlock(&inode_hash_lock);
	return ci;
}

/* Unhash and free @ci; reached when m_count drops to zero. */
static void ksmbd_inode_free(struct ksmbd_inode *ci)
{
	ksmbd_inode_unhash(ci);
	kfree(ci);
}

/* Drop one m_count reference on @ci, freeing it on the last one. */
void ksmbd_inode_put(struct ksmbd_inode *ci)
{
	if (atomic_dec_and_test(&ci->m_count))
		ksmbd_inode_free(ci);
}

/*
 * ksmbd_inode_hash_init() - allocate and initialise the inode hash table
 *
 * Uses 16384 buckets; inode_hash_shift/inode_hash_mask are derived from
 * that size for inode_hash().
 *
 * Return: 0 on success, -ENOMEM if the table cannot be allocated.
 */
int __init ksmbd_inode_hash_init(void)
{
	unsigned int loop;
	unsigned long numentries = 16384;
	unsigned long bucketsize = sizeof(struct hlist_head);
	unsigned long size;

	inode_hash_shift = ilog2(numentries);
	inode_hash_mask = (1 << inode_hash_shift) - 1;

	size = bucketsize << inode_hash_shift;

	/* init master fp hash table */
	inode_hashtable = vmalloc(size);
	if (!inode_hashtable)
		return -ENOMEM;

	for (loop = 0; loop < (1U << inode_hash_shift); loop++)
		INIT_HLIST_HEAD(&inode_hashtable[loop]);
	return 0;
}

/* Free the table allocated by ksmbd_inode_hash_init(). */
void ksmbd_release_inode_hash(void)
{
	vfree(inode_hashtable);
}

/*
 * __ksmbd_inode_close() - drop @fp's reference on its ksmbd_inode
 * @fp: file being closed
 *
 * For a named-stream fd with S_DEL_ON_CLS_STREAM set, the stream xattr is
 * removed under the file's own credentials. S_DEL_ON_CLS is promoted to
 * S_DEL_PENDING. If this was the inode's last reference and S_DEL_PENDING
 * is set, the file is unlinked and the ksmbd_inode freed.
 */
static void __ksmbd_inode_close(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;
	int err;
	struct file *filp;

	filp = fp->filp;

	if (ksmbd_stream_fd(fp)) {
		bool remove_stream_xattr = false;

		/* Consume the flag under m_lock; do the VFS work outside it. */
		down_write(&ci->m_lock);
		if (ci->m_flags & S_DEL_ON_CLS_STREAM) {
			ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
			remove_stream_xattr = true;
		}
		up_write(&ci->m_lock);

		if (remove_stream_xattr) {
			const struct cred *saved_cred;
saved_cred = override_creds(filp->f_cred);
			err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
						     &filp->f_path,
						     fp->stream.name,
						     true);
			revert_creds(saved_cred);
			if (err)
				pr_err("remove xattr failed : %s\n",
				       fp->stream.name);
		}
	}

	down_write(&ci->m_lock);
	/* Promote S_DEL_ON_CLS to S_DEL_PENDING when close */
	if (ci->m_flags & S_DEL_ON_CLS) {
		ci->m_flags &= ~S_DEL_ON_CLS;
		ci->m_flags |= S_DEL_PENDING;
	}
	up_write(&ci->m_lock);

	if (atomic_dec_and_test(&ci->m_count)) {
		bool do_unlink = false;

		down_write(&ci->m_lock);
		if (ci->m_flags & S_DEL_PENDING) {
			ci->m_flags &= ~S_DEL_PENDING;
			do_unlink = true;
		}
		up_write(&ci->m_lock);

		/* Last reference: the deferred delete-on-close happens now. */
		if (do_unlink)
			ksmbd_vfs_unlink(filp);

		ksmbd_inode_free(ci);
	}
}

/*
 * Unpublish @fp's persistent id from global_ft. Caller holds global_ft.lock
 * for writing. No-op when @fp never received a persistent id.
 */
static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
{
	if (!has_file_id(fp->persistent_id))
		return;

	idr_remove(global_ft.idr, fp->persistent_id);
	/*
	 * Clear persistent_id so a later __ksmbd_close_fd() that runs from a
	 * delayed putter (e.g. when a concurrent ksmbd_lookup_fd_inode()
	 * walker held the final reference) does not re-issue idr_remove() on
	 * an id that idr_alloc_cyclic() may have already handed out to a new
	 * durable handle.
	 */
	fp->persistent_id = KSMBD_NO_FID;
}

/*
 * Locked __ksmbd_remove_durable_fd(). Also wakes the durable scavenger,
 * whose wait condition (ksmbd_durable_scavenger_alive()) includes global_ft
 * becoming empty.
 */
static void ksmbd_remove_durable_fd(struct ksmbd_file *fp)
{
	write_lock(&global_ft.lock);
	__ksmbd_remove_durable_fd(fp);
	write_unlock(&global_ft.lock);
	if (waitqueue_active(&dh_wq))
		wake_up(&dh_wq);
}

/*
 * Unlink @fp from its inode's m_fp_list and unpublish its volatile id from
 * @ft. The list unlink always happens; the idr removal is skipped when the
 * volatile id has already been cleared to KSMBD_NO_FID.
 */
static void __ksmbd_remove_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
	down_write(&fp->f_ci->m_lock);
	list_del_init(&fp->node);
	up_write(&fp->f_ci->m_lock);

	if (!has_file_id(fp->volatile_id))
		return;

	write_lock(&ft->lock);
	idr_remove(ft->idr, fp->volatile_id);
	write_unlock(&ft->lock);
}

/*
 * __ksmbd_close_fd() - final teardown of @fp once its refcount reached zero
 * @ft: session file table to unpublish @fp from, or NULL when the caller
 *      has already unpublished it (teardown paths, durable puts)
 * @fp: file to close and free
 *
 * Refunds the fd_limit slot, removes the durable and volatile ids, tears
 * down the oplock, drops the inode reference (which may unlink the file),
 * puts the VFS file, frees the ksmbd_lock entries on lock_list, drops the
 * conn reference, and finally frees the stream/owner names and @fp itself.
 */
static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
	struct file *filp;
	struct ksmbd_lock *smb_lock, *tmp_lock;

	fd_limit_close();
	ksmbd_remove_durable_fd(fp);
	if (ft)
		__ksmbd_remove_fd(ft, fp);

	close_id_del_oplock(fp);
	filp = fp->filp;

	__ksmbd_inode_close(fp);
	if (!IS_ERR_OR_NULL(filp))
		fput(filp);

	/* because the reference count of fp is 0, it is guaranteed that
	 * there are not accesses to fp->lock_list.
	 */
	list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
		if (!list_empty(&smb_lock->clist) && fp->conn) {
			spin_lock(&fp->conn->llist_lock);
			list_del(&smb_lock->clist);
			spin_unlock(&fp->conn->llist_lock);
		}

		list_del(&smb_lock->flist);
		locks_free_lock(smb_lock->fl);
		kfree(smb_lock);
	}

	/*
	 * Drop fp's strong reference on conn (taken in ksmbd_open_fd() /
	 * ksmbd_reopen_durable_fd()). Durable fps that reached the
	 * scavenger have already had fp->conn cleared by session_fd_check(),
	 * in which case there is nothing to drop here.
	 */
	if (fp->conn) {
		ksmbd_conn_put(fp->conn);
		fp->conn = NULL;
	}

	if (ksmbd_stream_fd(fp))
		kfree(fp->stream.name);
	kfree(fp->owner.name);

	kmem_cache_free(filp_cache, fp);
}

/*
 * Take a lookup reference on @fp. Caller holds the owning file table lock.
 *
 * Return: @fp with its refcount bumped, or NULL if @fp is not FP_INITED or
 * its refcount had already reached zero (teardown in progress).
 */
static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
{
	if (fp->f_state != FP_INITED)
		return NULL;

	if (!atomic_inc_not_zero(&fp->refcount))
		return NULL;
	return fp;
}

/*
 * Look up @id in @ft and take a reference via ksmbd_fp_get().
 *
 * Return: referenced fp, or NULL for an invalid or unknown id. Release
 * with ksmbd_fd_put() (session tables) or ksmbd_put_durable_fd()
 * (global_ft).
 */
static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
					    u64 id)
{
	struct ksmbd_file *fp;

	if (!has_file_id(id))
		return NULL;

	read_lock(&ft->lock);
	fp = idr_find(ft->idr, id);
	if (fp)
		fp = ksmbd_fp_get(fp);
	read_unlock(&ft->lock);
	return fp;
}

/*
 * Final put of @fp on behalf of @work: close it and, when it is still
 * attached to a connection, unpublish it from @work's session table and
 * debit that connection's open_files_count.
 */
static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)
{
	/*
	 * Detached durable fp -- session_fd_check() cleared fp->conn at
	 * preserve, so this fp is no longer tracked by any conn's
	 * stats.open_files_count. This happens when
	 * ksmbd_scavenger_dispose_dh() hands the final close off to an
	 * m_fp_list walker (e.g. ksmbd_lookup_fd_inode()) whose work->conn
	 * is unrelated to the conn that originally opened the handle; close
	 * via the NULL-ft path so we do not underflow that unrelated
	 * counter.
*/
	if (!fp->conn) {
		__ksmbd_close_fd(NULL, fp);
		return;
	}
	__ksmbd_close_fd(&work->sess->file_table, fp);
	atomic_dec(&work->conn->stats.open_files_count);
}

/*
 * Mark every work blocked on @fp as KSMBD_WORK_CLOSED and run its cancel
 * callback, under fp->f_lock.
 */
static void set_close_state_blocked_works(struct ksmbd_file *fp)
{
	struct ksmbd_work *cancel_work;

	spin_lock(&fp->f_lock);
	list_for_each_entry(cancel_work, &fp->blocked_works,
			    fp_entry) {
		cancel_work->state = KSMBD_WORK_CLOSED;
		cancel_work->cancel_fn(cancel_work->cancel_argv);
	}
	spin_unlock(&fp->f_lock);
}

/**
 * ksmbd_close_fd() - close volatile id @id in @work's session
 * @work: request whose session owns the file table
 * @id: volatile id to close
 *
 * Under the session table lock: cancel works blocked on the fp, move an
 * FP_INITED fp to FP_CLOSED and drop the idr-owned reference. The fp is
 * finalised here only when that was its last reference.
 *
 * Return: 0 when @id is not a valid id (nothing to do) or this call
 * finalised the fp. -EINVAL when @id is not in the table, the fp is not
 * FP_INITED, or another holder still references it -- in that last case
 * the fp is already FP_CLOSED and that holder's ksmbd_fd_put() completes
 * the close.
 */
int ksmbd_close_fd(struct ksmbd_work *work, u64 id)
{
	struct ksmbd_file *fp;
	struct ksmbd_file_table *ft;

	if (!has_file_id(id))
		return 0;

	ft = &work->sess->file_table;
	write_lock(&ft->lock);
	fp = idr_find(ft->idr, id);
	if (fp) {
		set_close_state_blocked_works(fp);

		if (fp->f_state != FP_INITED)
			fp = NULL;
		else {
			fp->f_state = FP_CLOSED;
			if (!atomic_dec_and_test(&fp->refcount))
				fp = NULL;
		}
	}
	write_unlock(&ft->lock);

	if (!fp)
		return -EINVAL;

	__put_fd_final(work, fp);
	return 0;
}

/* Drop a lookup reference on @fp (NULL tolerated); finalises on the last. */
void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp)
{
	if (!fp)
		return;

	if (!atomic_dec_and_test(&fp->refcount))
		return;
	__put_fd_final(work, fp);
}

/* True if @fp exists and belongs to tree connect @tcon. */
static bool __sanity_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
{
	if (!fp)
		return false;
	if (fp->tcon != tcon)
		return false;
	return true;
}

/*
 * Look up @id in @work's session table without checking that the fp
 * belongs to @work's tree connect. Return: referenced fp or NULL.
 */
struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id)
{
	return __ksmbd_lookup_fd(&work->sess->file_table, id);
}

/*
 * Look up volatile id @id in @work's session, requiring that the fp
 * belongs to @work's tree connect. Return: referenced fp or NULL.
 */
struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id)
{
	struct ksmbd_file *fp = __ksmbd_lookup_fd(&work->sess->file_table, id);

	if (__sanity_check(work->tcon, fp))
		return fp;

	ksmbd_fd_put(work, fp);
	return NULL;
}

/*
 * ksmbd_lookup_fd_slow() - look up @id/@pid, falling back to the compound
 * request's fid
 * @work: request whose session owns the file table
 * @id: volatile id; an invalid id selects work->compound_fid/compound_pfid
 * @pid: persistent id the fp must carry
 *
 * Besides the tree-connect check of ksmbd_lookup_fd_fast(), the fp's
 * persistent id must equal @pid.
 *
 * Return: referenced fp, or NULL.
 */
struct
ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, u64 id,
				 u64 pid)
{
	struct ksmbd_file *fp;

	if (!has_file_id(id)) {
		id = work->compound_fid;
		pid = work->compound_pfid;
	}

	fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
	if (!__sanity_check(work->tcon, fp)) {
		ksmbd_fd_put(work, fp);
		return NULL;
	}
	if (fp->persistent_id != pid) {
		ksmbd_fd_put(work, fp);
		return NULL;
	}
	return fp;
}

/* Look up persistent id @id in global_ft; release with ksmbd_put_durable_fd(). */
struct ksmbd_file *ksmbd_lookup_global_fd(unsigned long long id)
{
	return __ksmbd_lookup_fd(&global_ft, id);
}

/*
 * ksmbd_lookup_durable_fd() - find a preserved durable handle for reconnect
 * @id: persistent id
 *
 * An fp that is still attached to a connection, or whose scavenger timeout
 * has already passed, is rejected and its reference released.
 *
 * Return: referenced fp, or NULL. Release with ksmbd_put_durable_fd().
 */
struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id)
{
	struct ksmbd_file *fp;

	fp = __ksmbd_lookup_fd(&global_ft, id);
	if (fp && (fp->conn ||
		   (fp->durable_scavenger_timeout &&
		    (fp->durable_scavenger_timeout <
		     jiffies_to_msecs(jiffies))))) {
		ksmbd_put_durable_fd(fp);
		fp = NULL;
	}

	return fp;
}

/* Drop a global_ft lookup reference; finalises @fp via the NULL-ft path. */
void ksmbd_put_durable_fd(struct ksmbd_file *fp)
{
	if (!atomic_dec_and_test(&fp->refcount))
		return;

	__ksmbd_close_fd(NULL, fp);
}

/*
 * ksmbd_lookup_fd_cguid() - find the fp whose create GUID equals @cguid
 * @cguid: buffer of at least SMB2_CREATE_GUID_SIZE bytes
 *
 * Return: referenced fp, or NULL if none matches or the match could not be
 * referenced (see ksmbd_fp_get()).
 */
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
{
	struct ksmbd_file *fp = NULL;
	unsigned int id;

	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		if (!memcmp(fp->create_guid,
			    cguid,
			    SMB2_CREATE_GUID_SIZE)) {
			fp = ksmbd_fp_get(fp);
			break;
		}
	}
	read_unlock(&global_ft.lock);

	return fp;
}

/*
 * ksmbd_lookup_fd_inode() - find an fp open on @dentry's inode
 * @dentry: dentry to look up
 *
 * Walks the ksmbd_inode's m_fp_list under m_lock and returns the first fp
 * whose VFS file is on the same inode.
 *
 * Return: referenced fp, or NULL if there is no ksmbd_inode, no matching
 * fp, or the match could not be referenced.
 */
struct ksmbd_file *ksmbd_lookup_fd_inode(struct dentry *dentry)
{
	struct ksmbd_file *lfp;
	struct ksmbd_inode *ci;
	struct inode *inode = d_inode(dentry);

	read_lock(&inode_hash_lock);
	ci = __ksmbd_inode_lookup(dentry);
	read_unlock(&inode_hash_lock);
	if (!ci)
		return NULL;

	down_read(&ci->m_lock);
	list_for_each_entry(lfp, &ci->m_fp_list, node) {
		if (inode == file_inode(lfp->filp)) {
			lfp = ksmbd_fp_get(lfp);
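up_read(&ci->m_lock);
			ksmbd_inode_put(ci);
			return lfp;
		}
	}
	up_read(&ci->m_lock);
	ksmbd_inode_put(ci);
	return NULL;
}

#define OPEN_ID_TYPE_VOLATILE_ID	(0)
#define OPEN_ID_TYPE_PERSISTENT_ID	(1)

/* Store @id in the id field of @fp selected by @type. */
static void __open_id_set(struct ksmbd_file *fp, u64 id, int type)
{
	if (type == OPEN_ID_TYPE_VOLATILE_ID)
		fp->volatile_id = id;
	if (type == OPEN_ID_TYPE_PERSISTENT_ID)
		fp->persistent_id = id;
}

/*
 * __open_id() - allocate a volatile or persistent id for @fp in @ft
 * @ft: file table to publish @fp in
 * @fp: file to publish
 * @type: OPEN_ID_TYPE_VOLATILE_ID or OPEN_ID_TYPE_PERSISTENT_ID
 *
 * A volatile id costs one fd_limit slot, reserved before the idr insert and
 * refunded if the insert fails. Persistent ids are not charged against
 * fd_limit, so a failed persistent allocation must not refund a slot
 * either: doing so would raise the budget by one for every such failure
 * and let the server exceed the configured open-file limit. Ids are handed
 * out by idr_alloc_cyclic(), so a freshly freed id is not reused at once.
 *
 * Return: 0 on success with the id stored in @fp; -EMFILE when fd_limit is
 * exhausted; otherwise the negative idr_alloc_cyclic() error. On failure
 * the selected id field is set to KSMBD_NO_FID.
 */
static int __open_id(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
		     int type)
{
	u64 id = 0;
	int ret;

	if (type == OPEN_ID_TYPE_VOLATILE_ID && fd_limit_depleted()) {
		__open_id_set(fp, KSMBD_NO_FID, type);
		return -EMFILE;
	}

	idr_preload(KSMBD_DEFAULT_GFP);
	write_lock(&ft->lock);
	ret = idr_alloc_cyclic(ft->idr, fp, 0, INT_MAX - 1, GFP_NOWAIT);
	if (ret >= 0) {
		id = ret;
		ret = 0;
	} else {
		id = KSMBD_NO_FID;
		/* Only the volatile path reserved an fd_limit slot above. */
		if (type == OPEN_ID_TYPE_VOLATILE_ID)
			fd_limit_close();
	}

	__open_id_set(fp, id, type);
	write_unlock(&ft->lock);
	idr_preload_end();
	return ret;
}

/*
 * ksmbd_open_durable_fd() - publish @fp in global_ft under a persistent id
 * @fp: file to make durable
 *
 * Return: the allocated persistent id, or KSMBD_NO_FID if allocation
 * failed (the __open_id() error code itself is not propagated).
 */
unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp)
{
	__open_id(&global_ft, fp, OPEN_ID_TYPE_PERSISTENT_ID);
	return fp->persistent_id;
}

/**
 * ksmbd_open_fd() - allocate a ksmbd_file for @filp and publish it in
 * @work's session under a volatile id
 * @work: request whose conn/tcon/session own the new file
 * @filp: VFS file the fp wraps
 *
 * The new fp starts in state FP_NEW with one reference, holds a strong
 * reference on work->conn, and is linked to (or creates) the ksmbd_inode
 * for @filp's dentry. It is expected to be moved to FP_INITED with
 * ksmbd_update_fstate() once the open completes.
 *
 * Return: the new fp, or ERR_PTR(-ENOMEM) when the fp or its ksmbd_inode
 * cannot be allocated, or ERR_PTR() of the __open_id() error (-EMFILE when
 * fd_limit is exhausted). On error no id, inode or conn reference is left
 * behind.
 */
struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
{
	struct ksmbd_file *fp;
	int ret;

	fp = kmem_cache_zalloc(filp_cache, KSMBD_DEFAULT_GFP);
	if (!fp) {
		pr_err("Failed to allocate memory\n");
		return ERR_PTR(-ENOMEM);
	}

	INIT_LIST_HEAD(&fp->blocked_works);
	INIT_LIST_HEAD(&fp->node);
	INIT_LIST_HEAD(&fp->lock_list);
	spin_lock_init(&fp->f_lock);
	mutex_init(&fp->readdir_lock);
	atomic_set(&fp->refcount, 1);

	fp->filp = filp;
	/*
	 * fp owns a strong reference on fp->conn for as long as fp->conn is
	 * non-NULL, so session_fd_check() and __ksmbd_close_fd() never
	 * dereference a dangling pointer. Paired with ksmbd_conn_put() in
	 * session_fd_check() (durable preserve), in __ksmbd_close_fd()
	 * (final close), and on the error paths below.
	 */
	fp->conn = ksmbd_conn_get(work->conn);
	fp->tcon = work->tcon;
	fp->volatile_id = KSMBD_NO_FID;
	fp->persistent_id = KSMBD_NO_FID;
	fp->f_state = FP_NEW;
	fp->f_ci = ksmbd_inode_get(fp);

	if (!fp->f_ci) {
		ret = -ENOMEM;
		goto err_out;
	}

	ret = __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
	if (ret) {
		ksmbd_inode_put(fp->f_ci);
		goto err_out;
	}

	atomic_inc(&work->conn->stats.open_files_count);
	return fp;

err_out:
	/* fp->conn was set and refcounted before every branch here. */
	ksmbd_conn_put(fp->conn);
	kmem_cache_free(filp_cache, fp);
	return ERR_PTR(ret);
}

/**
 * ksmbd_update_fstate() - update an fp state under the file-table lock
 * @ft: file table that publishes @fp's volatile id
 * @fp: file pointer to update
 * @state: new state
 *
 * Return: 0 on success. The FP_NEW -> FP_INITED transition is special:
 * -ENOENT if teardown already unpublished @fp by advancing the state or
 * clearing the volatile id. Other state updates preserve the historical
 * fire-and-forget behavior.
 */
int ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
			unsigned int state)
{
	int ret;

	if (!fp)
		return -ENOENT;

	write_lock(&ft->lock);
	if (state == FP_INITED &&
	    (fp->f_state != FP_NEW || !has_file_id(fp->volatile_id))) {
		ret = -ENOENT;
	} else {
		fp->f_state = state;
		ret = 0;
	}
	write_unlock(&ft->lock);

	return ret;
}

/*
 * ksmbd_mark_fp_closed() - mark fp closed under ft->lock and return how many
 * refs the teardown path owns.
 *
 * FP_INITED has a normal idr-owned reference, so teardown owns both that
 * reference and the transient lookup reference. FP_NEW is still owned by the
 * in-flight opener/reopener, which will drop the original reference after
 * ksmbd_update_fstate(..., FP_INITED) observes the cleared volatile id.
 * FP_CLOSED on entry means an earlier ksmbd_close_fd() already consumed the
 * idr-owned ref.
 */
static int ksmbd_mark_fp_closed(struct ksmbd_file *fp)
{
	if (fp->f_state == FP_INITED) {
		set_close_state_blocked_works(fp);
		fp->f_state = FP_CLOSED;
		return 2;
	}

	return 1;
}

/*
 * __close_file_table_ids() - close every fp in @sess's file table that
 * skip() does not exempt
 * @sess: session whose file table is torn down
 * @tcon: tree connect passed through to @skip
 * @skip: per-fp predicate; true means "leave this fp alone"
 * @skip_preserves_fp: true for session teardown, where skip() is
 *	session_fd_check() (may sleep, rewrites fp fields when preserving a
 *	durable handle); false for tree teardown, where skip() is
 *	tree_conn_fd_check() (a pointer compare)
 *
 * Return: the number of fps this call finalised, which is also the amount
 * the caller subtracts from the connection's open_files_count.
 */
static int
__close_file_table_ids(struct ksmbd_session *sess,
		       struct ksmbd_tree_connect *tcon,
		       bool (*skip)(struct ksmbd_tree_connect *tcon,
				    struct ksmbd_file *fp,
				    struct ksmbd_user *user),
		       bool skip_preserves_fp)
{
	struct ksmbd_file_table *ft = &sess->file_table;
	struct ksmbd_file *fp;
	unsigned int id = 0;
	int num = 0;

	while (1) {
		int n_to_drop;

		write_lock(&ft->lock);
		fp = idr_get_next(ft->idr, &id);
		if (!fp) {
			write_unlock(&ft->lock);
			break;
		}
		if (!atomic_inc_not_zero(&fp->refcount)) {
			id++;
			write_unlock(&ft->lock);
			continue;
		}

		if (skip_preserves_fp) {
			/*
			 * Session teardown: skip() is session_fd_check(),
			 * which may sleep and mutates fp->conn / fp->tcon /
			 * fp->volatile_id when it chooses to preserve fp
			 * for durable reconnect. Unpublish fp from the
			 * session idr here, under ft->lock, so that
			 * __ksmbd_lookup_fd() through this session cannot
			 * grant a new ksmbd_fp_get() reference to an fp
			 * whose fields are about to be rewritten outside
			 * the lock. Durable reconnect still reaches fp via
			 * global_ft.
			 */
			idr_remove(ft->idr, id);
			fp->volatile_id = KSMBD_NO_FID;
			write_unlock(&ft->lock);

			if (skip(tcon, fp, sess->user)) {
				/*
				 * session_fd_check() has converted fp to
				 * durable-preserve state and cleared its
				 * per-conn fields. fp is already unpublished
				 * above; the original idr-owned ref keeps it
				 * alive for the durable scavenger. Drop only
				 * the transient ref. atomic_dec() is safe --
				 * atomic_inc_not_zero() succeeded on a
				 * positive value and we added one more, so
				 * refcount cannot be zero here.
				 */
				atomic_dec(&fp->refcount);
				id++;
				continue;
			}

			/*
			 * Keep the close-state decision under the same lock
			 * observed by ksmbd_update_fstate(), which is how an
			 * in-flight FP_NEW opener learns that teardown has
			 * cleared its volatile id.
			 */
			write_lock(&ft->lock);
			n_to_drop = ksmbd_mark_fp_closed(fp);
			write_unlock(&ft->lock);
		} else {
			/*
			 * Tree teardown: skip() is tree_conn_fd_check(), a
			 * cheap pointer compare that doesn't sleep and has
			 * no side effects, so keep the skip decision plus
			 * the unpublish-and-mark-closed sequence atomic
			 * under ft->lock. fps belonging to other tree
			 * connects (skip() == true) stay fully published in
			 * the session idr with no lock window.
			 */
			if (skip(tcon, fp, sess->user)) {
				atomic_dec(&fp->refcount);
				write_unlock(&ft->lock);
				id++;
				continue;
			}
			idr_remove(ft->idr, id);
			fp->volatile_id = KSMBD_NO_FID;
			n_to_drop = ksmbd_mark_fp_closed(fp);
			write_unlock(&ft->lock);
		}

		/*
		 * fp->volatile_id is already cleared to prevent stale idr
		 * removal from a deferred final close. The final close below
		 * goes through __ksmbd_close_fd(NULL, fp), which does not
		 * call __ksmbd_remove_fd(), so unlink fp from m_fp_list here.
		 */
		down_write(&fp->f_ci->m_lock);
		list_del_init(&fp->node);
		up_write(&fp->f_ci->m_lock);

		/*
		 * Drop the references this iteration owns:
		 *
		 * n_to_drop == 2: we observed FP_INITED and committed
		 * the FP_CLOSED transition ourselves, so we own the
		 * transient (+1) and the still-intact idr-owned ref.
		 *
		 * n_to_drop == 1: either a prior ksmbd_close_fd()
		 * already consumed the idr-owned ref, or fp was still
		 * FP_NEW and the in-flight opener/reopener must keep
		 * the original reference until ksmbd_update_fstate()
		 * observes the cleared volatile id.
		 *
		 * If we end up as the final putter, finalize fp and
		 * account the open_files_count decrement via the caller's
		 * atomic_sub(num, ...). Otherwise the remaining user's
		 * ksmbd_fd_put() reaches __put_fd_final(), which does its
		 * own atomic_dec(&open_files_count), so we must not count
		 * this fp here -- doing so would double-decrement the
		 * connection-wide counter.
		 */
		if (atomic_sub_and_test(n_to_drop, &fp->refcount)) {
			__ksmbd_close_fd(NULL, fp);
			num++;
		}
		id++;
	}

	return num;
}

/*
 * True if @fp qualifies for durable preservation: its oplock/lease is idle
 * (op_state == OPLOCK_STATE_NONE) and the handle is resilient, persistent,
 * or durable with either a handle-caching lease or a batch oplock.
 */
static inline bool is_reconnectable(struct ksmbd_file *fp)
{
	struct oplock_info *opinfo = opinfo_get(fp);
	bool reconn = false;

	if (!opinfo)
		return false;

	if (opinfo->op_state != OPLOCK_STATE_NONE) {
		opinfo_put(opinfo);
		return false;
	}

	if (fp->is_resilient || fp->is_persistent)
		reconn = true;
	else if (fp->is_durable && opinfo->is_lease &&
		 opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
		reconn = true;

	else if (fp->is_durable && opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)
		reconn = true;

	opinfo_put(opinfo);
	return reconn;
}

/* skip() for tree teardown: exempt fps of other tree connects. @user unused. */
static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
			       struct ksmbd_file *fp,
			       struct ksmbd_user *user)
{
	return fp->tcon != tcon;
}

/*
 * The scavenger keeps running while it has not been stopped and global_ft
 * still holds entries.
 */
static bool ksmbd_durable_scavenger_alive(void)
{
	if (!durable_scavenger_running)
		return false;

	if (kthread_should_stop())
		return false;

	if (idr_is_empty(global_ft.idr))
		return false;

	return true;
}

/*
 * ksmbd_scavenger_dispose_dh() - final close of an expired durable handle
 * @fp: fp found by the scavenger with a transient reference already taken
 */
static void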
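ksmbd_scavenger_dispose_dh(struct ksmbd_file *fp)
{
	/*
	 * Durable-preserved fp can remain linked on f_ci->m_fp_list for
	 * share-mode checks. Unlink it before final close; fp->node is not
	 * available as a scavenger-private list node because re-adding it to
	 * another list corrupts m_fp_list.
	 */
	down_write(&fp->f_ci->m_lock);
	list_del_init(&fp->node);
	up_write(&fp->f_ci->m_lock);

	/*
	 * Drop both the durable lifetime reference and the transient reference
	 * taken by the scavenger under global_ft.lock. If a concurrent
	 * ksmbd_lookup_fd_inode() (or any other m_fp_list walker) snatched fp
	 * before the unlink above, that holder owns the final close via
	 * ksmbd_fd_put() -> __ksmbd_close_fd(). Otherwise the scavenger is
	 * the last putter and finalises fp here.
	 */
	if (atomic_sub_and_test(2, &fp->refcount))
		__ksmbd_close_fd(NULL, fp);
}

/*
 * ksmbd_durable_scavenger() - kthread that reaps expired durable handles
 * @dummy: unused
 *
 * Sleeps on dh_wq until the next timeout or until stopped, then scans
 * global_ft for detached fps (refcount 1, no conn) with a durable timeout.
 * An fp whose durable_scavenger_timeout has passed is unpublished under
 * global_ft.lock and disposed of outside it, one per pass; the earliest
 * remaining timeout sizes the next sleep. The loop ends when a scan finds
 * no detached fp with a durable timeout, or when
 * ksmbd_durable_scavenger_alive() turns false.
 *
 * Return: 0.
 */
static int ksmbd_durable_scavenger(void *dummy)
{
	struct ksmbd_file *fp = NULL;
	struct ksmbd_file *expired_fp;
	unsigned int id;
	unsigned int min_timeout = 1;
	bool found_fp_timeout;
	unsigned long remaining_jiffies;

	__module_get(THIS_MODULE);

	set_freezable();
	while (ksmbd_durable_scavenger_alive()) {
		if (try_to_freeze())
			continue;

		/*
		 * Woken early: sleep no longer than the unexpired remainder
		 * next time. Timed out: start from the maximum and let the
		 * scan below lower it to the earliest pending timeout.
		 */
		remaining_jiffies = wait_event_timeout(dh_wq,
			ksmbd_durable_scavenger_alive() == false,
			__msecs_to_jiffies(min_timeout));
		if (remaining_jiffies)
			min_timeout = jiffies_to_msecs(remaining_jiffies);
		else
			min_timeout = DURABLE_HANDLE_MAX_TIMEOUT;

		do {
			expired_fp = NULL;
			found_fp_timeout = false;

			write_lock(&global_ft.lock);
			idr_for_each_entry(global_ft.idr, fp, id) {
				unsigned long durable_timeout;

				if (!fp->durable_timeout)
					continue;

				/* Only detached handles nobody is using. */
				if (atomic_read(&fp->refcount) > 1 ||
				    fp->conn)
					continue;

				found_fp_timeout = true;
				if (fp->durable_scavenger_timeout <=
				    jiffies_to_msecs(jiffies)) {
					__ksmbd_remove_durable_fd(fp);
					/*
					 * Take a transient reference so fp
					 * cannot be freed by an in-flight
					 * ksmbd_lookup_fd_inode() that found
					 * it through f_ci->m_fp_list while we
					 * drop global_ft.lock and reach the
					 * m_fp_list unlink in
					 * ksmbd_scavenger_dispose_dh().
					 */
					atomic_inc(&fp->refcount);
					expired_fp = fp;
					break;
				}

				durable_timeout =
					fp->durable_scavenger_timeout -
					jiffies_to_msecs(jiffies);

				if (min_timeout > durable_timeout)
					min_timeout = durable_timeout;
			}
			write_unlock(&global_ft.lock);

			if (expired_fp)
				ksmbd_scavenger_dispose_dh(expired_fp);
		} while (expired_fp);

		if (found_fp_timeout == false)
			break;
	}

	durable_scavenger_running = false;

	module_put(THIS_MODULE);

	return 0;
}

/*
 * ksmbd_launch_ksmbd_durable_scavenger() - start the scavenger kthread
 *
 * No-op unless durable handles are enabled, and when the scavenger is
 * already running. If kthread_run() fails, durable_scavenger_running is
 * reset under the lock: the thread never ran, so nothing else would clear
 * it, a later launch can retry, and ksmbd_stop_durable_scavenger() will
 * not hand the ERR_PTR left in server_conf.dh_task to kthread_stop().
 */
void ksmbd_launch_ksmbd_durable_scavenger(void)
{
	if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE))
		return;

	mutex_lock(&durable_scavenger_lock);
	if (durable_scavenger_running == true) {
		mutex_unlock(&durable_scavenger_lock);
		return;
	}

	durable_scavenger_running = true;

	server_conf.dh_task = kthread_run(ksmbd_durable_scavenger,
					  (void *)NULL, "ksmbd-durable-scavenger");
	if (IS_ERR(server_conf.dh_task)) {
		pr_err("cannot start conn thread, err : %ld\n",
		       PTR_ERR(server_conf.dh_task));
		/* No thread exists to clear the flag; do it here. */
		durable_scavenger_running = false;
	}
	mutex_unlock(&durable_scavenger_lock);
}

/*
 * ksmbd_stop_durable_scavenger() - stop the scavenger kthread
 *
 * Clears durable_scavenger_running under the lock, wakes the thread so its
 * wait condition is re-evaluated, then waits for it with kthread_stop().
 * No-op unless durable handles are enabled and the scavenger is running.
 */
void ksmbd_stop_durable_scavenger(void)
{
	if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE))
		return;

	mutex_lock(&durable_scavenger_lock);
	if (!durable_scavenger_running) {
		mutex_unlock(&durable_scavenger_lock);
		return;
	}

	durable_scavenger_running = false;
	if (waitqueue_active(&dh_wq))
		wake_up(&dh_wq);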
mutex_unlock(&durable_scavenger_lock); 1212 kthread_stop(server_conf.dh_task); 1213 } 1214 1215 /* 1216 * ksmbd_vfs_copy_durable_owner - Copy owner info for durable reconnect 1217 * @fp: ksmbd file pointer to store owner info 1218 * @user: user pointer to copy from 1219 * 1220 * This function binds the current user's identity to the file handle 1221 * to satisfy MS-SMB2 Step 8 (SecurityContext matching) during reconnect. 1222 * 1223 * Return: 0 on success, or negative error code on failure 1224 */ 1225 static int ksmbd_vfs_copy_durable_owner(struct ksmbd_file *fp, 1226 struct ksmbd_user *user) 1227 { 1228 if (!user) 1229 return -EINVAL; 1230 1231 /* Duplicate the user name to ensure identity persistence */ 1232 fp->owner.name = kstrdup(user->name, GFP_KERNEL); 1233 if (!fp->owner.name) 1234 return -ENOMEM; 1235 1236 fp->owner.uid = user->uid; 1237 fp->owner.gid = user->gid; 1238 1239 return 0; 1240 } 1241 1242 /** 1243 * ksmbd_vfs_compare_durable_owner - Verify if the requester is original owner 1244 * @fp: existing ksmbd file pointer 1245 * @user: user pointer of the reconnect requester 1246 * 1247 * Compares the UID, GID, and name of the current requester against the 1248 * original owner stored in the file handle. 
1249 * 1250 * Return: true if the user matches, false otherwise 1251 */ 1252 bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp, 1253 struct ksmbd_user *user) 1254 { 1255 if (!user || !fp->owner.name) 1256 return false; 1257 1258 /* Check if the UID and GID match first (fast path) */ 1259 if (fp->owner.uid != user->uid || fp->owner.gid != user->gid) 1260 return false; 1261 1262 /* Validate the account name to ensure the same SecurityContext */ 1263 if (strcmp(fp->owner.name, user->name)) 1264 return false; 1265 1266 return true; 1267 } 1268 1269 static bool session_fd_check(struct ksmbd_tree_connect *tcon, 1270 struct ksmbd_file *fp, struct ksmbd_user *user) 1271 { 1272 struct ksmbd_inode *ci; 1273 struct oplock_info *op; 1274 struct ksmbd_conn *conn; 1275 struct ksmbd_lock *smb_lock, *tmp_lock; 1276 1277 if (!is_reconnectable(fp)) 1278 return false; 1279 1280 if (fp->f_state != FP_INITED) 1281 return false; 1282 1283 if (WARN_ON_ONCE(!fp->conn)) 1284 return false; 1285 1286 if (ksmbd_vfs_copy_durable_owner(fp, user)) 1287 return false; 1288 1289 /* 1290 * fp owns a strong reference on fp->conn (taken in ksmbd_open_fd() 1291 * / ksmbd_reopen_durable_fd()), so conn stays valid for the whole 1292 * body of this function regardless of any op->conn puts below. 
1293 */ 1294 conn = fp->conn; 1295 ci = fp->f_ci; 1296 down_write(&ci->m_lock); 1297 list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) { 1298 if (op->conn != conn) 1299 continue; 1300 ksmbd_conn_put(op->conn); 1301 op->conn = NULL; 1302 } 1303 up_write(&ci->m_lock); 1304 1305 list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) { 1306 spin_lock(&conn->llist_lock); 1307 list_del_init(&smb_lock->clist); 1308 spin_unlock(&conn->llist_lock); 1309 } 1310 1311 fp->conn = NULL; 1312 fp->tcon = NULL; 1313 fp->volatile_id = KSMBD_NO_FID; 1314 1315 if (fp->durable_timeout) 1316 fp->durable_scavenger_timeout = 1317 jiffies_to_msecs(jiffies) + fp->durable_timeout; 1318 1319 /* Drop fp's own reference on conn. */ 1320 ksmbd_conn_put(conn); 1321 return true; 1322 } 1323 1324 void ksmbd_close_tree_conn_fds(struct ksmbd_work *work) 1325 { 1326 int num = __close_file_table_ids(work->sess, 1327 work->tcon, 1328 tree_conn_fd_check, 1329 false); 1330 1331 atomic_sub(num, &work->conn->stats.open_files_count); 1332 } 1333 1334 void ksmbd_close_session_fds(struct ksmbd_work *work) 1335 { 1336 int num = __close_file_table_ids(work->sess, 1337 work->tcon, 1338 session_fd_check, 1339 true); 1340 1341 atomic_sub(num, &work->conn->stats.open_files_count); 1342 } 1343 1344 int ksmbd_init_global_file_table(void) 1345 { 1346 create_proc_files(); 1347 return ksmbd_init_file_table(&global_ft); 1348 } 1349 1350 void ksmbd_free_global_file_table(void) 1351 { 1352 struct ksmbd_file *fp = NULL; 1353 unsigned int id; 1354 1355 idr_for_each_entry(global_ft.idr, fp, id) { 1356 ksmbd_remove_durable_fd(fp); 1357 __ksmbd_close_fd(NULL, fp); 1358 } 1359 1360 idr_destroy(global_ft.idr); 1361 kfree(global_ft.idr); 1362 } 1363 1364 int ksmbd_validate_name_reconnect(struct ksmbd_share_config *share, 1365 struct ksmbd_file *fp, char *name) 1366 { 1367 char *pathname, *ab_pathname; 1368 int ret = 0; 1369 1370 pathname = kmalloc(PATH_MAX, KSMBD_DEFAULT_GFP); 1371 if (!pathname) 1372 return 
-EACCES; 1373 1374 ab_pathname = d_path(&fp->filp->f_path, pathname, PATH_MAX); 1375 if (IS_ERR(ab_pathname)) { 1376 kfree(pathname); 1377 return -EACCES; 1378 } 1379 1380 if (name && strcmp(&ab_pathname[share->path_sz + 1], name)) { 1381 ksmbd_debug(SMB, "invalid name reconnect %s\n", name); 1382 ret = -EINVAL; 1383 } 1384 1385 kfree(pathname); 1386 1387 return ret; 1388 } 1389 1390 int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp) 1391 { 1392 struct ksmbd_inode *ci; 1393 struct oplock_info *op; 1394 struct ksmbd_conn *conn = work->conn; 1395 struct ksmbd_lock *smb_lock; 1396 unsigned int old_f_state; 1397 1398 write_lock(&global_ft.lock); 1399 if (!fp->is_durable || fp->conn || fp->tcon) { 1400 write_unlock(&global_ft.lock); 1401 pr_err("Invalid durable fd [%p:%p]\n", fp->conn, fp->tcon); 1402 return -EBADF; 1403 } 1404 1405 if (has_file_id(fp->volatile_id)) { 1406 write_unlock(&global_ft.lock); 1407 pr_err("Still in use durable fd: %llu\n", fp->volatile_id); 1408 return -EBADF; 1409 } 1410 1411 /* 1412 * Initialize fp's connection binding before publishing fp into the 1413 * session's file table. If __open_id() is ordered first, a 1414 * concurrent teardown that iterates the table can observe a valid 1415 * volatile_id with fp->conn == NULL and preserve a 1416 * partially-initialized fp. fp owns a strong reference on the new 1417 * conn (see ksmbd_open_fd()); undo it on __open_id() failure. 
1418 */ 1419 fp->conn = ksmbd_conn_get(conn); 1420 fp->tcon = work->tcon; 1421 write_unlock(&global_ft.lock); 1422 1423 old_f_state = fp->f_state; 1424 fp->f_state = FP_NEW; 1425 1426 __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID); 1427 if (!has_file_id(fp->volatile_id)) { 1428 write_lock(&global_ft.lock); 1429 fp->conn = NULL; 1430 fp->tcon = NULL; 1431 write_unlock(&global_ft.lock); 1432 ksmbd_conn_put(conn); 1433 fp->f_state = old_f_state; 1434 return -EBADF; 1435 } 1436 1437 list_for_each_entry(smb_lock, &fp->lock_list, flist) { 1438 spin_lock(&conn->llist_lock); 1439 list_add_tail(&smb_lock->clist, &conn->lock_list); 1440 spin_unlock(&conn->llist_lock); 1441 } 1442 1443 ci = fp->f_ci; 1444 down_write(&ci->m_lock); 1445 list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) { 1446 if (op->conn) 1447 continue; 1448 op->conn = ksmbd_conn_get(fp->conn); 1449 } 1450 up_write(&ci->m_lock); 1451 1452 fp->owner.uid = fp->owner.gid = 0; 1453 kfree(fp->owner.name); 1454 fp->owner.name = NULL; 1455 1456 return 0; 1457 } 1458 1459 int ksmbd_init_file_table(struct ksmbd_file_table *ft) 1460 { 1461 ft->idr = kzalloc_obj(struct idr, KSMBD_DEFAULT_GFP); 1462 if (!ft->idr) 1463 return -ENOMEM; 1464 1465 idr_init(ft->idr); 1466 rwlock_init(&ft->lock); 1467 return 0; 1468 } 1469 1470 void ksmbd_destroy_file_table(struct ksmbd_session *sess) 1471 { 1472 struct ksmbd_file_table *ft = &sess->file_table; 1473 1474 if (!ft->idr) 1475 return; 1476 1477 __close_file_table_ids(sess, NULL, session_fd_check, true); 1478 idr_destroy(ft->idr); 1479 kfree(ft->idr); 1480 ft->idr = NULL; 1481 } 1482 1483 int ksmbd_init_file_cache(void) 1484 { 1485 filp_cache = kmem_cache_create("ksmbd_file_cache", 1486 sizeof(struct ksmbd_file), 0, 1487 SLAB_HWCACHE_ALIGN, NULL); 1488 if (!filp_cache) 1489 goto out; 1490 1491 init_waitqueue_head(&dh_wq); 1492 1493 return 0; 1494 1495 out: 1496 pr_err("failed to allocate file cache\n"); 1497 return -ENOMEM; 1498 } 1499 1500 void 
ksmbd_exit_file_cache(void) 1501 { 1502 kmem_cache_destroy(filp_cache); 1503 } 1504