1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * NFS exporting and validation. 4 * 5 * We maintain a list of clients, each of which has a list of 6 * exports. To export an fs to a given client, you first have 7 * to create the client entry with NFSCTL_ADDCLIENT, which 8 * creates a client control block and adds it to the hash 9 * table. Then, you call NFSCTL_EXPORT for each fs. 10 * 11 * 12 * Copyright (C) 1995, 1996 Olaf Kirch, <okir@monad.swb.de> 13 */ 14 15 #include <linux/slab.h> 16 #include <linux/namei.h> 17 #include <linux/module.h> 18 #include <linux/exportfs.h> 19 #include <linux/sunrpc/svc_xprt.h> 20 21 #include "nfsd.h" 22 #include "nfsfh.h" 23 #include "netns.h" 24 #include "pnfs.h" 25 #include "filecache.h" 26 #include "trace.h" 27 28 #define NFSDDBG_FACILITY NFSDDBG_EXPORT 29 30 /* 31 * We have two caches. 32 * One maps client+vfsmnt+dentry to export options - the export map 33 * The other maps client+filehandle-fragment to export options. - the expkey map 34 * 35 * The export options are actually stored in the first map, and the 36 * second map contains a reference to the entry in the first map. 37 */ 38 39 static struct workqueue_struct *nfsd_export_wq; 40 41 #define EXPKEY_HASHBITS 8 42 #define EXPKEY_HASHMAX (1 << EXPKEY_HASHBITS) 43 #define EXPKEY_HASHMASK (EXPKEY_HASHMAX -1) 44 45 static void expkey_release(struct work_struct *work) 46 { 47 struct svc_expkey *key = container_of(to_rcu_work(work), 48 struct svc_expkey, ek_rwork); 49 50 if (test_bit(CACHE_VALID, &key->h.flags) && 51 !test_bit(CACHE_NEGATIVE, &key->h.flags)) 52 path_put(&key->ek_path); 53 auth_domain_put(key->ek_client); 54 kfree(key); 55 } 56 57 static void expkey_put(struct kref *ref) 58 { 59 struct svc_expkey *key = container_of(ref, struct svc_expkey, h.ref); 60 61 INIT_RCU_WORK(&key->ek_rwork, expkey_release); 62 queue_rcu_work(nfsd_export_wq, &key->ek_rwork); 63 } 64 65 static int expkey_upcall(struct cache_detail *cd, struct cache_head *h) 66 { 67 return sunrpc_cache_pipe_upcall(cd, h); 68 } 69 70 static void expkey_request(struct cache_detail *cd, 71 struct cache_head *h, 72 char **bpp, int *blen) 73 { 74 /* client fsidtype \xfsid */ 75 struct svc_expkey *ek = container_of(h, struct svc_expkey, h); 76 char type[5]; 77 78 qword_add(bpp, blen, ek->ek_client->name); 79 snprintf(type, 5, "%d", ek->ek_fsidtype); 80 qword_add(bpp, blen, type); 81 qword_addhex(bpp, blen, (char*)ek->ek_fsid, key_len(ek->ek_fsidtype)); 82 (*bpp)[-1] = '\n'; 83 } 84 85 static struct svc_expkey *svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 86 struct svc_expkey *old); 87 static struct svc_expkey *svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *); 88 89 static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen) 90 { 91 /* client fsidtype fsid expiry [path] */ 92 char *buf; 93 int len; 94 struct auth_domain *dom = NULL; 95 int err; 96 u8 fsidtype; 97 struct svc_expkey key; 98 struct svc_expkey *ek = NULL; 99 100 if (mesg[mlen - 1] != '\n') 101 return -EINVAL; 102 mesg[mlen-1] = 0; 103 104 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 105 err = -ENOMEM; 106 if (!buf) 107 goto out; 108 109 err = -EINVAL; 110 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 111 goto out; 112 113 err = -ENOENT; 114 dom = auth_domain_find(buf); 115 if (!dom) 116 goto out; 117 dprintk("found domain %s\n", buf); 118 119 err = -EINVAL; 120 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 121 goto out; 122 if (kstrtou8(buf, 10, &fsidtype)) 123 goto out; 124 dprintk("found fsidtype %u\n", fsidtype); 125 if (key_len(fsidtype)==0) /* invalid type */ 126 goto out; 127 if ((len=qword_get(&mesg, buf, PAGE_SIZE)) <= 0) 128 goto out; 129 dprintk("found fsid length %d\n", len); 130 if (len != key_len(fsidtype)) 131 goto out; 132 133 /* OK, we seem to have a valid key */ 134 key.h.flags = 0; 135 err = get_expiry(&mesg, &key.h.expiry_time); 136 if (err) 137 goto out; 138 139 key.ek_client = dom; 140 key.ek_fsidtype = fsidtype; 141 memcpy(key.ek_fsid, buf, len); 142 143 ek = svc_expkey_lookup(cd, &key); 144 err = -ENOMEM; 145 if (!ek) 146 goto out; 147 148 /* now we want a pathname, or empty meaning NEGATIVE */ 149 err = -EINVAL; 150 len = qword_get(&mesg, buf, PAGE_SIZE); 151 if (len < 0) 152 goto out; 153 dprintk("Path seems to be <%s>\n", buf); 154 err = 0; 155 if (len == 0) { 156 set_bit(CACHE_NEGATIVE, &key.h.flags); 157 ek = svc_expkey_update(cd, &key, ek); 158 if (ek) 159 trace_nfsd_expkey_update(ek, NULL); 160 else 161 err = -ENOMEM; 162 } else { 163 err = kern_path(buf, 0, &key.ek_path); 164 if (err) 165 goto out; 166 167 dprintk("Found the path %s\n", buf); 168 169 ek = svc_expkey_update(cd, &key, ek); 170 if (ek) 171 trace_nfsd_expkey_update(ek, buf); 172 else 173 err = -ENOMEM; 174 path_put(&key.ek_path); 175 } 176 cache_flush(); 177 out: 178 if (ek) 179 cache_put(&ek->h, cd); 180 if (dom) 181 auth_domain_put(dom); 182 kfree(buf); 183 return err; 184 } 185 186 static int expkey_show(struct seq_file *m, 187 struct cache_detail *cd, 188 struct cache_head *h) 189 { 190 struct svc_expkey *ek ; 191 int i; 192 193 if (h ==NULL) { 194 seq_puts(m, "#domain fsidtype fsid [path]\n"); 195 return 0; 196 } 197 ek = container_of(h, struct svc_expkey, h); 198 seq_printf(m, "%s %d 0x", ek->ek_client->name, 199 ek->ek_fsidtype); 200 for (i=0; i < key_len(ek->ek_fsidtype)/4; i++) 201 seq_printf(m, "%08x", ek->ek_fsid[i]); 202 if (test_bit(CACHE_VALID, &h->flags) && 203 !test_bit(CACHE_NEGATIVE, &h->flags)) { 204 seq_printf(m, " "); 205 seq_path(m, &ek->ek_path, "\\ \t\n"); 206 } 207 seq_printf(m, "\n"); 208 return 0; 209 } 210 211 static inline int expkey_match (struct cache_head *a, struct cache_head *b) 212 { 213 struct svc_expkey *orig = container_of(a, struct svc_expkey, h); 214 struct svc_expkey *new = container_of(b, struct svc_expkey, h); 215 216 if (orig->ek_fsidtype != new->ek_fsidtype || 217 orig->ek_client != new->ek_client || 218 memcmp(orig->ek_fsid, new->ek_fsid, key_len(orig->ek_fsidtype)) != 0) 219 return 0; 220 return 1; 221 } 222 223 static inline void expkey_init(struct cache_head *cnew, 224 struct cache_head *citem) 225 { 226 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 227 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 228 229 kref_get(&item->ek_client->ref); 230 new->ek_client = item->ek_client; 231 new->ek_fsidtype = item->ek_fsidtype; 232 233 memcpy(new->ek_fsid, item->ek_fsid, sizeof(new->ek_fsid)); 234 } 235 236 static inline void expkey_update(struct cache_head *cnew, 237 struct cache_head *citem) 238 { 239 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 240 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 241 242 new->ek_path = item->ek_path; 243 path_get(&item->ek_path); 244 } 245 246 static struct cache_head *expkey_alloc(void) 247 { 248 struct svc_expkey *i = kmalloc_obj(*i); 249 if (i) 250 return &i->h; 251 else 252 return NULL; 253 } 254 255 static void expkey_flush(void) 256 { 257 /* 258 * Take the nfsd_mutex here to ensure that the file cache is not 259 * destroyed while we're in the middle of flushing. 260 */ 261 mutex_lock(&nfsd_mutex); 262 nfsd_file_cache_purge(current->nsproxy->net_ns); 263 mutex_unlock(&nfsd_mutex); 264 } 265 266 static const struct cache_detail svc_expkey_cache_template = { 267 .owner = THIS_MODULE, 268 .hash_size = EXPKEY_HASHMAX, 269 .name = "nfsd.fh", 270 .cache_put = expkey_put, 271 .cache_upcall = expkey_upcall, 272 .cache_request = expkey_request, 273 .cache_parse = expkey_parse, 274 .cache_show = expkey_show, 275 .match = expkey_match, 276 .init = expkey_init, 277 .update = expkey_update, 278 .alloc = expkey_alloc, 279 .flush = expkey_flush, 280 }; 281 282 static int 283 svc_expkey_hash(struct svc_expkey *item) 284 { 285 int hash = item->ek_fsidtype; 286 char * cp = (char*)item->ek_fsid; 287 int len = key_len(item->ek_fsidtype); 288 289 hash ^= hash_mem(cp, len, EXPKEY_HASHBITS); 290 hash ^= hash_ptr(item->ek_client, EXPKEY_HASHBITS); 291 hash &= EXPKEY_HASHMASK; 292 return hash; 293 } 294 295 static struct svc_expkey * 296 svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *item) 297 { 298 struct cache_head *ch; 299 int hash = svc_expkey_hash(item); 300 301 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash); 302 if (ch) 303 return container_of(ch, struct svc_expkey, h); 304 else 305 return NULL; 306 } 307 308 static struct svc_expkey * 309 svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 310 struct svc_expkey *old) 311 { 312 struct cache_head *ch; 313 int hash = svc_expkey_hash(new); 314 315 ch = sunrpc_cache_update(cd, &new->h, &old->h, hash); 316 if (ch) 317 return container_of(ch, struct svc_expkey, h); 318 else 319 return NULL; 320 } 321 322 323 #define EXPORT_HASHBITS 8 324 #define EXPORT_HASHMAX (1<< EXPORT_HASHBITS) 325 326 static void nfsd4_fslocs_free(struct nfsd4_fs_locations *fsloc) 327 { 328 struct nfsd4_fs_location *locations = fsloc->locations; 329 int i; 330 331 if (!locations) 332 return; 333 334 for (i = 0; i < fsloc->locations_count; i++) { 335 kfree(locations[i].path); 336 kfree(locations[i].hosts); 337 } 338 339 kfree(locations); 340 fsloc->locations = NULL; 341 } 342 343 static int export_stats_init(struct export_stats *stats) 344 { 345 stats->start_time = ktime_get_seconds(); 346 return percpu_counter_init_many(stats->counter, 0, GFP_KERNEL, 347 EXP_STATS_COUNTERS_NUM); 348 } 349 350 static void export_stats_reset(struct export_stats *stats) 351 { 352 if (stats) { 353 int i; 354 355 for (i = 0; i < EXP_STATS_COUNTERS_NUM; i++) 356 percpu_counter_set(&stats->counter[i], 0); 357 } 358 } 359 360 static void export_stats_destroy(struct export_stats *stats) 361 { 362 if (stats) 363 percpu_counter_destroy_many(stats->counter, 364 EXP_STATS_COUNTERS_NUM); 365 } 366 367 static void svc_export_release(struct work_struct *work) 368 { 369 struct svc_export *exp = container_of(to_rcu_work(work), 370 struct svc_export, ex_rwork); 371 372 path_put(&exp->ex_path); 373 auth_domain_put(exp->ex_client); 374 nfsd4_fslocs_free(&exp->ex_fslocs); 375 export_stats_destroy(exp->ex_stats); 376 kfree(exp->ex_stats); 377 kfree(exp->ex_uuid); 378 kfree(exp); 379 } 380 381 static void svc_export_put(struct kref *ref) 382 { 383 struct svc_export *exp = container_of(ref, struct svc_export, h.ref); 384 385 INIT_RCU_WORK(&exp->ex_rwork, svc_export_release); 386 queue_rcu_work(nfsd_export_wq, &exp->ex_rwork); 387 } 388 389 static int svc_export_upcall(struct cache_detail *cd, struct cache_head *h) 390 { 391 return sunrpc_cache_pipe_upcall(cd, h); 392 } 393 394 static void svc_export_request(struct cache_detail *cd, 395 struct cache_head *h, 396 char **bpp, int *blen) 397 { 398 /* client path */ 399 struct svc_export *exp = container_of(h, struct svc_export, h); 400 char *pth; 401 402 qword_add(bpp, blen, exp->ex_client->name); 403 pth = d_path(&exp->ex_path, *bpp, *blen); 404 if (IS_ERR(pth)) { 405 /* is this correct? */ 406 (*bpp)[0] = '\n'; 407 return; 408 } 409 qword_add(bpp, blen, pth); 410 (*bpp)[-1] = '\n'; 411 } 412 413 static struct svc_export *svc_export_update(struct svc_export *new, 414 struct svc_export *old); 415 static struct svc_export *svc_export_lookup(struct svc_export *); 416 417 static int check_export(const struct path *path, int *flags, unsigned char *uuid) 418 { 419 struct inode *inode = d_inode(path->dentry); 420 421 /* 422 * We currently export only dirs, regular files, and (for v4 423 * pseudoroot) symlinks. 424 */ 425 if (!S_ISDIR(inode->i_mode) && 426 !S_ISLNK(inode->i_mode) && 427 !S_ISREG(inode->i_mode)) 428 return -ENOTDIR; 429 430 /* 431 * Mountd should never pass down a writeable V4ROOT export, but, 432 * just to make sure: 433 */ 434 if (*flags & NFSEXP_V4ROOT) 435 *flags |= NFSEXP_READONLY; 436 437 /* There are two requirements on a filesystem to be exportable. 438 * 1: We must be able to identify the filesystem from a number. 439 * either a device number (so FS_REQUIRES_DEV needed) 440 * or an FSID number (so NFSEXP_FSID or ->uuid is needed). 441 * 2: We must be able to find an inode from a filehandle. 442 * This means that s_export_op must be set and comply with 443 * the requirements for remote filesystem export. 444 * 3: We must not currently be on an idmapped mount. 445 */ 446 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) && 447 !(*flags & NFSEXP_FSID) && 448 uuid == NULL) { 449 dprintk("exp_export: export of non-dev fs without fsid\n"); 450 return -EINVAL; 451 } 452 453 if (!exportfs_may_export(inode->i_sb->s_export_op)) { 454 dprintk("exp_export: export of invalid fs type (%s).\n", 455 inode->i_sb->s_type->name); 456 return -EINVAL; 457 } 458 459 if (is_idmapped_mnt(path->mnt)) { 460 dprintk("exp_export: export of idmapped mounts not yet supported.\n"); 461 return -EINVAL; 462 } 463 464 if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK && 465 !(*flags & NFSEXP_NOSUBTREECHECK)) { 466 dprintk("%s: %s does not support subtree checking!\n", 467 __func__, inode->i_sb->s_type->name); 468 return -EINVAL; 469 } 470 return 0; 471 } 472 473 #ifdef CONFIG_NFSD_V4 474 475 static int 476 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc) 477 { 478 int len; 479 int migrated, i, err; 480 481 /* more than one fsloc */ 482 if (fsloc->locations) 483 return -EINVAL; 484 485 /* listsize */ 486 err = get_uint(mesg, &fsloc->locations_count); 487 if (err) 488 return err; 489 if (fsloc->locations_count > MAX_FS_LOCATIONS) 490 return -EINVAL; 491 if (fsloc->locations_count == 0) 492 return 0; 493 494 fsloc->locations = kzalloc_objs(struct nfsd4_fs_location, 495 fsloc->locations_count); 496 if (!fsloc->locations) 497 return -ENOMEM; 498 for (i=0; i < fsloc->locations_count; i++) { 499 /* colon separated host list */ 500 err = -EINVAL; 501 len = qword_get(mesg, buf, PAGE_SIZE); 502 if (len <= 0) 503 goto out_free_all; 504 err = -ENOMEM; 505 fsloc->locations[i].hosts = kstrdup(buf, GFP_KERNEL); 506 if (!fsloc->locations[i].hosts) 507 goto out_free_all; 508 err = -EINVAL; 509 /* slash separated path component list */ 510 len = qword_get(mesg, buf, PAGE_SIZE); 511 if (len <= 0) 512 goto out_free_all; 513 err = -ENOMEM; 514 fsloc->locations[i].path = kstrdup(buf, GFP_KERNEL); 515 if (!fsloc->locations[i].path) 516 goto out_free_all; 517 } 518 /* migrated */ 519 err = get_int(mesg, &migrated); 520 if (err) 521 goto out_free_all; 522 err = -EINVAL; 523 if (migrated < 0 || migrated > 1) 524 goto out_free_all; 525 fsloc->migrated = migrated; 526 return 0; 527 out_free_all: 528 nfsd4_fslocs_free(fsloc); 529 return err; 530 } 531 532 static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp) 533 { 534 struct exp_flavor_info *f; 535 u32 listsize; 536 int err; 537 538 /* more than one secinfo */ 539 if (exp->ex_nflavors) 540 return -EINVAL; 541 542 err = get_uint(mesg, &listsize); 543 if (err) 544 return err; 545 if (listsize > MAX_SECINFO_LIST) 546 return -EINVAL; 547 548 for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) { 549 err = get_uint(mesg, &f->pseudoflavor); 550 if (err) 551 return err; 552 /* 553 * XXX: It would be nice to also check whether this 554 * pseudoflavor is supported, so we can discover the 555 * problem at export time instead of when a client fails 556 * to authenticate. 557 */ 558 err = get_uint(mesg, &f->flags); 559 if (err) 560 return err; 561 /* Only some flags are allowed to differ between flavors: */ 562 if (~NFSEXP_SECINFO_FLAGS & (f->flags ^ exp->ex_flags)) 563 return -EINVAL; 564 } 565 exp->ex_nflavors = listsize; 566 return 0; 567 } 568 569 #else /* CONFIG_NFSD_V4 */ 570 static inline int 571 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc){return 0;} 572 static inline int 573 secinfo_parse(char **mesg, char *buf, struct svc_export *exp) { return 0; } 574 #endif 575 576 static int xprtsec_parse(char **mesg, char *buf, struct svc_export *exp) 577 { 578 unsigned int i, mode, listsize; 579 int err; 580 581 err = get_uint(mesg, &listsize); 582 if (err) 583 return err; 584 if (listsize > NFSEXP_XPRTSEC_NUM) 585 return -EINVAL; 586 587 exp->ex_xprtsec_modes = 0; 588 for (i = 0; i < listsize; i++) { 589 err = get_uint(mesg, &mode); 590 if (err) 591 return err; 592 if (mode > NFSEXP_XPRTSEC_MTLS) 593 return -EINVAL; 594 exp->ex_xprtsec_modes |= mode; 595 } 596 return 0; 597 } 598 599 static inline int 600 nfsd_uuid_parse(char **mesg, char *buf, unsigned char **puuid) 601 { 602 int len; 603 604 /* more than one uuid */ 605 if (*puuid) 606 return -EINVAL; 607 608 /* expect a 16 byte uuid encoded as \xXXXX... */ 609 len = qword_get(mesg, buf, PAGE_SIZE); 610 if (len != EX_UUID_LEN) 611 return -EINVAL; 612 613 *puuid = kmemdup(buf, EX_UUID_LEN, GFP_KERNEL); 614 if (*puuid == NULL) 615 return -ENOMEM; 616 617 return 0; 618 } 619 620 static int svc_export_parse(struct cache_detail *cd, char *mesg, int mlen) 621 { 622 /* client path expiry [flags anonuid anongid fsid] */ 623 char *buf; 624 int err; 625 struct auth_domain *dom = NULL; 626 struct svc_export exp = {}, *expp; 627 int an_int; 628 629 if (mesg[mlen-1] != '\n') 630 return -EINVAL; 631 mesg[mlen-1] = 0; 632 633 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 634 if (!buf) 635 return -ENOMEM; 636 637 /* client */ 638 err = -EINVAL; 639 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 640 goto out; 641 642 err = -ENOENT; 643 dom = auth_domain_find(buf); 644 if (!dom) 645 goto out; 646 647 /* path */ 648 err = -EINVAL; 649 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 650 goto out1; 651 652 err = kern_path(buf, 0, &exp.ex_path); 653 if (err) 654 goto out1; 655 656 exp.ex_client = dom; 657 exp.cd = cd; 658 exp.ex_devid_map = NULL; 659 exp.ex_xprtsec_modes = NFSEXP_XPRTSEC_ALL; 660 661 /* expiry */ 662 err = get_expiry(&mesg, &exp.h.expiry_time); 663 if (err) 664 goto out3; 665 666 /* flags */ 667 err = get_int(&mesg, &an_int); 668 if (err == -ENOENT) { 669 err = 0; 670 set_bit(CACHE_NEGATIVE, &exp.h.flags); 671 } else { 672 if (err || an_int < 0) 673 goto out3; 674 exp.ex_flags= an_int; 675 676 /* anon uid */ 677 err = get_int(&mesg, &an_int); 678 if (err) 679 goto out3; 680 exp.ex_anon_uid= make_kuid(current_user_ns(), an_int); 681 682 /* anon gid */ 683 err = get_int(&mesg, &an_int); 684 if (err) 685 goto out3; 686 exp.ex_anon_gid= make_kgid(current_user_ns(), an_int); 687 688 /* fsid */ 689 err = get_int(&mesg, &an_int); 690 if (err) 691 goto out3; 692 exp.ex_fsid = an_int; 693 694 while (qword_get(&mesg, buf, PAGE_SIZE) > 0) { 695 if (strcmp(buf, "fsloc") == 0) 696 err = fsloc_parse(&mesg, buf, &exp.ex_fslocs); 697 else if (strcmp(buf, "uuid") == 0) 698 err = nfsd_uuid_parse(&mesg, buf, &exp.ex_uuid); 699 else if (strcmp(buf, "secinfo") == 0) 700 err = secinfo_parse(&mesg, buf, &exp); 701 else if (strcmp(buf, "xprtsec") == 0) 702 err = xprtsec_parse(&mesg, buf, &exp); 703 else 704 /* quietly ignore unknown words and anything 705 * following. Newer user-space can try to set 706 * new values, then see what the result was. 707 */ 708 break; 709 if (err) 710 goto out4; 711 } 712 713 err = check_export(&exp.ex_path, &exp.ex_flags, exp.ex_uuid); 714 if (err) 715 goto out4; 716 717 /* 718 * No point caching this if it would immediately expire. 719 * Also, this protects exportfs's dummy export from the 720 * anon_uid/anon_gid checks: 721 */ 722 if (exp.h.expiry_time < seconds_since_boot()) 723 goto out4; 724 /* 725 * For some reason exportfs has been passing down an 726 * invalid (-1) uid & gid on the "dummy" export which it 727 * uses to test export support. To make sure exportfs 728 * sees errors from check_export we therefore need to 729 * delay these checks till after check_export: 730 */ 731 err = -EINVAL; 732 if (!uid_valid(exp.ex_anon_uid)) 733 goto out4; 734 if (!gid_valid(exp.ex_anon_gid)) 735 goto out4; 736 err = 0; 737 738 nfsd4_setup_layout_type(&exp); 739 } 740 741 expp = svc_export_lookup(&exp); 742 if (!expp) { 743 err = -ENOMEM; 744 goto out4; 745 } 746 expp = svc_export_update(&exp, expp); 747 if (expp) { 748 trace_nfsd_export_update(expp); 749 cache_flush(); 750 exp_put(expp); 751 } else 752 err = -ENOMEM; 753 out4: 754 nfsd4_fslocs_free(&exp.ex_fslocs); 755 kfree(exp.ex_uuid); 756 out3: 757 path_put(&exp.ex_path); 758 out1: 759 auth_domain_put(dom); 760 out: 761 kfree(buf); 762 return err; 763 } 764 765 static void exp_flags(struct seq_file *m, int flag, int fsid, 766 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fslocs); 767 static void show_secinfo(struct seq_file *m, struct svc_export *exp); 768 769 static int is_export_stats_file(struct seq_file *m) 770 { 771 /* 772 * The export_stats file uses the same ops as the exports file. 773 * We use the file's name to determine the reported info per export. 774 * There is no rename in nsfdfs, so d_name.name is stable. 775 */ 776 return !strcmp(m->file->f_path.dentry->d_name.name, "export_stats"); 777 } 778 779 static int svc_export_show(struct seq_file *m, 780 struct cache_detail *cd, 781 struct cache_head *h) 782 { 783 struct svc_export *exp; 784 bool export_stats = is_export_stats_file(m); 785 786 if (h == NULL) { 787 if (export_stats) 788 seq_puts(m, "#path domain start-time\n#\tstats\n"); 789 else 790 seq_puts(m, "#path domain(flags)\n"); 791 return 0; 792 } 793 exp = container_of(h, struct svc_export, h); 794 seq_path(m, &exp->ex_path, " \t\n\\"); 795 seq_putc(m, '\t'); 796 seq_escape(m, exp->ex_client->name, " \t\n\\"); 797 if (export_stats) { 798 struct percpu_counter *counter = exp->ex_stats->counter; 799 800 seq_printf(m, "\t%lld\n", exp->ex_stats->start_time); 801 seq_printf(m, "\tfh_stale: %lld\n", 802 percpu_counter_sum_positive(&counter[EXP_STATS_FH_STALE])); 803 seq_printf(m, "\tio_read: %lld\n", 804 percpu_counter_sum_positive(&counter[EXP_STATS_IO_READ])); 805 seq_printf(m, "\tio_write: %lld\n", 806 percpu_counter_sum_positive(&counter[EXP_STATS_IO_WRITE])); 807 seq_putc(m, '\n'); 808 return 0; 809 } 810 seq_putc(m, '('); 811 if (test_bit(CACHE_VALID, &h->flags) && 812 !test_bit(CACHE_NEGATIVE, &h->flags)) { 813 exp_flags(m, exp->ex_flags, exp->ex_fsid, 814 exp->ex_anon_uid, exp->ex_anon_gid, &exp->ex_fslocs); 815 if (exp->ex_uuid) { 816 int i; 817 seq_puts(m, ",uuid="); 818 for (i = 0; i < EX_UUID_LEN; i++) { 819 if ((i&3) == 0 && i) 820 seq_putc(m, ':'); 821 seq_printf(m, "%02x", exp->ex_uuid[i]); 822 } 823 } 824 show_secinfo(m, exp); 825 } 826 seq_puts(m, ")\n"); 827 return 0; 828 } 829 static int svc_export_match(struct cache_head *a, struct cache_head *b) 830 { 831 struct svc_export *orig = container_of(a, struct svc_export, h); 832 struct svc_export *new = container_of(b, struct svc_export, h); 833 return orig->ex_client == new->ex_client && 834 path_equal(&orig->ex_path, &new->ex_path); 835 } 836 837 static void svc_export_init(struct cache_head *cnew, struct cache_head *citem) 838 { 839 struct svc_export *new = container_of(cnew, struct svc_export, h); 840 struct svc_export *item = container_of(citem, struct svc_export, h); 841 842 kref_get(&item->ex_client->ref); 843 new->ex_client = item->ex_client; 844 new->ex_path = item->ex_path; 845 path_get(&item->ex_path); 846 new->ex_fslocs.locations = NULL; 847 new->ex_fslocs.locations_count = 0; 848 new->ex_fslocs.migrated = 0; 849 new->ex_layout_types = 0; 850 new->ex_uuid = NULL; 851 new->cd = item->cd; 852 export_stats_reset(new->ex_stats); 853 } 854 855 static void export_update(struct cache_head *cnew, struct cache_head *citem) 856 { 857 struct svc_export *new = container_of(cnew, struct svc_export, h); 858 struct svc_export *item = container_of(citem, struct svc_export, h); 859 int i; 860 861 new->ex_flags = item->ex_flags; 862 new->ex_anon_uid = item->ex_anon_uid; 863 new->ex_anon_gid = item->ex_anon_gid; 864 new->ex_fsid = item->ex_fsid; 865 new->ex_devid_map = item->ex_devid_map; 866 item->ex_devid_map = NULL; 867 new->ex_uuid = item->ex_uuid; 868 item->ex_uuid = NULL; 869 new->ex_fslocs.locations = item->ex_fslocs.locations; 870 item->ex_fslocs.locations = NULL; 871 new->ex_fslocs.locations_count = item->ex_fslocs.locations_count; 872 item->ex_fslocs.locations_count = 0; 873 new->ex_fslocs.migrated = item->ex_fslocs.migrated; 874 item->ex_fslocs.migrated = 0; 875 new->ex_layout_types = item->ex_layout_types; 876 new->ex_nflavors = item->ex_nflavors; 877 for (i = 0; i < MAX_SECINFO_LIST; i++) { 878 new->ex_flavors[i] = item->ex_flavors[i]; 879 } 880 new->ex_xprtsec_modes = item->ex_xprtsec_modes; 881 } 882 883 static struct cache_head *svc_export_alloc(void) 884 { 885 struct svc_export *i = kmalloc_obj(*i); 886 if (!i) 887 return NULL; 888 889 i->ex_stats = kmalloc_obj(*(i->ex_stats)); 890 if (!i->ex_stats) { 891 kfree(i); 892 return NULL; 893 } 894 895 if (export_stats_init(i->ex_stats)) { 896 kfree(i->ex_stats); 897 kfree(i); 898 return NULL; 899 } 900 901 return &i->h; 902 } 903 904 static const struct cache_detail svc_export_cache_template = { 905 .owner = THIS_MODULE, 906 .hash_size = EXPORT_HASHMAX, 907 .name = "nfsd.export", 908 .cache_put = svc_export_put, 909 .cache_upcall = svc_export_upcall, 910 .cache_request = svc_export_request, 911 .cache_parse = svc_export_parse, 912 .cache_show = svc_export_show, 913 .match = svc_export_match, 914 .init = svc_export_init, 915 .update = export_update, 916 .alloc = svc_export_alloc, 917 }; 918 919 static int 920 svc_export_hash(struct svc_export *exp) 921 { 922 int hash; 923 924 hash = hash_ptr(exp->ex_client, EXPORT_HASHBITS); 925 hash ^= hash_ptr(exp->ex_path.dentry, EXPORT_HASHBITS); 926 hash ^= hash_ptr(exp->ex_path.mnt, EXPORT_HASHBITS); 927 return hash; 928 } 929 930 static struct svc_export * 931 svc_export_lookup(struct svc_export *exp) 932 { 933 struct cache_head *ch; 934 int hash = svc_export_hash(exp); 935 936 ch = sunrpc_cache_lookup_rcu(exp->cd, &exp->h, hash); 937 if (ch) 938 return container_of(ch, struct svc_export, h); 939 else 940 return NULL; 941 } 942 943 static struct svc_export * 944 svc_export_update(struct svc_export *new, struct svc_export *old) 945 { 946 struct cache_head *ch; 947 int hash = svc_export_hash(old); 948 949 ch = sunrpc_cache_update(old->cd, &new->h, &old->h, hash); 950 if (ch) 951 return container_of(ch, struct svc_export, h); 952 else 953 return NULL; 954 } 955 956 957 static struct svc_expkey * 958 exp_find_key(struct cache_detail *cd, struct auth_domain *clp, int fsid_type, 959 u32 *fsidv, struct cache_req *reqp) 960 { 961 struct svc_expkey key, *ek; 962 int err; 963 964 if (!clp) 965 return ERR_PTR(-ENOENT); 966 967 key.ek_client = clp; 968 key.ek_fsidtype = fsid_type; 969 memcpy(key.ek_fsid, fsidv, key_len(fsid_type)); 970 971 ek = svc_expkey_lookup(cd, &key); 972 if (ek == NULL) 973 return ERR_PTR(-ENOMEM); 974 err = cache_check(cd, &ek->h, reqp); 975 if (err) { 976 trace_nfsd_exp_find_key(&key, err); 977 return ERR_PTR(err); 978 } 979 return ek; 980 } 981 982 static struct svc_export * 983 exp_get_by_name(struct cache_detail *cd, struct auth_domain *clp, 984 const struct path *path, struct cache_req *reqp) 985 { 986 struct svc_export *exp, key; 987 int err; 988 989 if (!clp) 990 return ERR_PTR(-ENOENT); 991 992 key.ex_client = clp; 993 key.ex_path = *path; 994 key.cd = cd; 995 996 exp = svc_export_lookup(&key); 997 if (exp == NULL) 998 return ERR_PTR(-ENOMEM); 999 err = cache_check(cd, &exp->h, reqp); 1000 if (err) { 1001 trace_nfsd_exp_get_by_name(&key, err); 1002 return ERR_PTR(err); 1003 } 1004 return exp; 1005 } 1006 1007 /* 1008 * Find the export entry for a given dentry. 1009 */ 1010 static struct svc_export * 1011 exp_parent(struct cache_detail *cd, struct auth_domain *clp, struct path *path) 1012 { 1013 struct dentry *saved = dget(path->dentry); 1014 struct svc_export *exp = exp_get_by_name(cd, clp, path, NULL); 1015 1016 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1017 struct dentry *parent = dget_parent(path->dentry); 1018 dput(path->dentry); 1019 path->dentry = parent; 1020 exp = exp_get_by_name(cd, clp, path, NULL); 1021 } 1022 dput(path->dentry); 1023 path->dentry = saved; 1024 return exp; 1025 } 1026 1027 1028 1029 /* 1030 * Obtain the root fh on behalf of a client. 1031 * This could be done in user space, but I feel that it adds some safety 1032 * since its harder to fool a kernel module than a user space program. 1033 */ 1034 int 1035 exp_rootfh(struct net *net, struct auth_domain *clp, char *name, 1036 struct knfsd_fh *f, int maxsize) 1037 { 1038 struct svc_export *exp; 1039 struct path path; 1040 struct inode *inode __maybe_unused; 1041 struct svc_fh fh; 1042 int err; 1043 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1044 struct cache_detail *cd = nn->svc_export_cache; 1045 1046 err = -EPERM; 1047 /* NB: we probably ought to check that it's NUL-terminated */ 1048 if (kern_path(name, 0, &path)) { 1049 printk("nfsd: exp_rootfh path not found %s", name); 1050 return err; 1051 } 1052 inode = d_inode(path.dentry); 1053 1054 dprintk("nfsd: exp_rootfh(%s [%p] %s:%s/%llu)\n", 1055 name, path.dentry, clp->name, 1056 inode->i_sb->s_id, inode->i_ino); 1057 exp = exp_parent(cd, clp, &path); 1058 if (IS_ERR(exp)) { 1059 err = PTR_ERR(exp); 1060 goto out; 1061 } 1062 1063 /* 1064 * fh must be initialized before calling fh_compose 1065 */ 1066 fh_init(&fh, maxsize); 1067 if (fh_compose(&fh, exp, path.dentry, NULL)) 1068 err = -EINVAL; 1069 else 1070 err = 0; 1071 memcpy(f, &fh.fh_handle, sizeof(struct knfsd_fh)); 1072 fh_put(&fh); 1073 exp_put(exp); 1074 out: 1075 path_put(&path); 1076 return err; 1077 } 1078 1079 static struct svc_export *exp_find(struct cache_detail *cd, 1080 struct auth_domain *clp, int fsid_type, 1081 u32 *fsidv, struct cache_req *reqp) 1082 { 1083 struct svc_export *exp; 1084 struct nfsd_net *nn = net_generic(cd->net, nfsd_net_id); 1085 struct svc_expkey *ek = exp_find_key(nn->svc_expkey_cache, clp, fsid_type, fsidv, reqp); 1086 if (IS_ERR(ek)) 1087 return ERR_CAST(ek); 1088 1089 exp = exp_get_by_name(cd, clp, &ek->ek_path, reqp); 1090 cache_put(&ek->h, nn->svc_expkey_cache); 1091 1092 if (IS_ERR(exp)) 1093 return ERR_CAST(exp); 1094 return exp; 1095 } 1096 1097 /** 1098 * check_xprtsec_policy - check if access to export is allowed by the 1099 * xprtsec policy 1100 * @exp: svc_export that is being accessed. 1101 * @rqstp: svc_rqst attempting to access @exp. 1102 * 1103 * Helper function for check_nfsd_access(). Note that callers should be 1104 * using check_nfsd_access() instead of calling this function directly. The 1105 * one exception is __fh_verify() since it has logic that may result in one 1106 * or both of the helpers being skipped. 1107 * 1108 * Return values: 1109 * %nfs_ok if access is granted, or 1110 * %nfserr_wrongsec if access is denied 1111 */ 1112 __be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) 1113 { 1114 struct svc_xprt *xprt = rqstp->rq_xprt; 1115 1116 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { 1117 if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) 1118 return nfs_ok; 1119 } 1120 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { 1121 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1122 !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1123 return nfs_ok; 1124 } 1125 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { 1126 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1127 test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1128 return nfs_ok; 1129 } 1130 return nfserr_wrongsec; 1131 } 1132 1133 /** 1134 * check_security_flavor - check if access to export is allowed by the 1135 * security flavor 1136 * @exp: svc_export that is being accessed. 1137 * @rqstp: svc_rqst attempting to access @exp. 1138 * @may_bypass_gss: reduce strictness of authorization check 1139 * 1140 * Helper function for check_nfsd_access(). Note that callers should be 1141 * using check_nfsd_access() instead of calling this function directly. The 1142 * one exception is __fh_verify() since it has logic that may result in one 1143 * or both of the helpers being skipped. 1144 * 1145 * Return values: 1146 * %nfs_ok if access is granted, or 1147 * %nfserr_wrongsec if access is denied 1148 */ 1149 __be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, 1150 bool may_bypass_gss) 1151 { 1152 struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; 1153 1154 /* legacy gss-only clients are always OK: */ 1155 if (exp->ex_client == rqstp->rq_gssclient) 1156 return nfs_ok; 1157 /* ip-address based client; check sec= export option: */ 1158 for (f = exp->ex_flavors; f < end; f++) { 1159 if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) 1160 return nfs_ok; 1161 } 1162 /* defaults in absence of sec= options: */ 1163 if (exp->ex_nflavors == 0) { 1164 if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1165 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) 1166 return nfs_ok; 1167 } 1168 1169 /* If the compound op contains a spo_must_allowed op, 1170 * it will be sent with integrity/protection which 1171 * will have to be expressly allowed on mounts that 1172 * don't support it 1173 */ 1174 1175 if (nfsd4_spo_must_allow(rqstp)) 1176 return nfs_ok; 1177 1178 /* Some calls may be processed without authentication 1179 * on GSS exports. For example NFS2/3 calls on root 1180 * directory, see section 2.3.2 of rfc 2623. 1181 * For "may_bypass_gss" check that export has really 1182 * enabled some flavor with authentication (GSS or any 1183 * other) and also check that the used auth flavor is 1184 * without authentication (none or sys). 1185 */ 1186 if (may_bypass_gss && ( 1187 rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1188 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { 1189 for (f = exp->ex_flavors; f < end; f++) { 1190 if (f->pseudoflavor >= RPC_AUTH_DES) 1191 return 0; 1192 } 1193 } 1194 1195 return nfserr_wrongsec; 1196 } 1197 1198 /** 1199 * check_nfsd_access - check if access to export is allowed. 1200 * @exp: svc_export that is being accessed. 1201 * @rqstp: svc_rqst attempting to access @exp. 1202 * @may_bypass_gss: reduce strictness of authorization check 1203 * 1204 * Return values: 1205 * %nfs_ok if access is granted, or 1206 * %nfserr_wrongsec if access is denied 1207 */ 1208 __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, 1209 bool may_bypass_gss) 1210 { 1211 __be32 status; 1212 1213 status = check_xprtsec_policy(exp, rqstp); 1214 if (status != nfs_ok) 1215 return status; 1216 return check_security_flavor(exp, rqstp, may_bypass_gss); 1217 } 1218 1219 /* 1220 * Uses rq_client and rq_gssclient to find an export; uses rq_client (an 1221 * auth_unix client) if it's available and has secinfo information; 1222 * otherwise, will try to use rq_gssclient. 1223 * 1224 * Called from functions that handle requests; functions that do work on 1225 * behalf of mountd are passed a single client name to use, and should 1226 * use exp_get_by_name() or exp_find(). 1227 */ 1228 struct svc_export * 1229 rqst_exp_get_by_name(struct svc_rqst *rqstp, const struct path *path) 1230 { 1231 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1232 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 1233 struct cache_detail *cd = nn->svc_export_cache; 1234 1235 if (rqstp->rq_client == NULL) 1236 goto gss; 1237 1238 /* First try the auth_unix client: */ 1239 exp = exp_get_by_name(cd, rqstp->rq_client, path, &rqstp->rq_chandle); 1240 if (PTR_ERR(exp) == -ENOENT) 1241 goto gss; 1242 if (IS_ERR(exp)) 1243 return exp; 1244 /* If it has secinfo, assume there are no gss/... clients */ 1245 if (exp->ex_nflavors > 0) 1246 return exp; 1247 gss: 1248 /* Otherwise, try falling back on gss client */ 1249 if (rqstp->rq_gssclient == NULL) 1250 return exp; 1251 gssexp = exp_get_by_name(cd, rqstp->rq_gssclient, path, &rqstp->rq_chandle); 1252 if (PTR_ERR(gssexp) == -ENOENT) 1253 return exp; 1254 if (!IS_ERR(exp)) 1255 exp_put(exp); 1256 return gssexp; 1257 } 1258 1259 /** 1260 * rqst_exp_find - Find an svc_export in the context of a rqst or similar 1261 * @reqp: The handle to be used to suspend the request if a cache-upcall is needed 1262 * If NULL, missing in-cache information will result in failure. 1263 * @net: The network namespace in which the request exists 1264 * @cl: default auth_domain to use for looking up the export 1265 * @gsscl: an alternate auth_domain defined using deprecated gss/krb5 format. 1266 * @fsid_type: The type of fsid to look for 1267 * @fsidv: The actual fsid to look up in the context of either client. 1268 * 1269 * Perform a lookup for @cl/@fsidv in the given @net for an export. If 1270 * none found and @gsscl specified, repeat the lookup. 1271 * 1272 * Returns an export, or an error pointer. 1273 */ 1274 struct svc_export * 1275 rqst_exp_find(struct cache_req *reqp, struct net *net, 1276 struct auth_domain *cl, struct auth_domain *gsscl, 1277 int fsid_type, u32 *fsidv) 1278 { 1279 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1280 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1281 struct cache_detail *cd = nn->svc_export_cache; 1282 1283 if (!cl) 1284 goto gss; 1285 1286 /* First try the auth_unix client: */ 1287 exp = exp_find(cd, cl, fsid_type, fsidv, reqp); 1288 if (PTR_ERR(exp) == -ENOENT) 1289 goto gss; 1290 if (IS_ERR(exp)) 1291 return exp; 1292 /* If it has secinfo, assume there are no gss/... clients */ 1293 if (exp->ex_nflavors > 0) 1294 return exp; 1295 gss: 1296 /* Otherwise, try falling back on gss client */ 1297 if (!gsscl) 1298 return exp; 1299 gssexp = exp_find(cd, gsscl, fsid_type, fsidv, reqp); 1300 if (PTR_ERR(gssexp) == -ENOENT) 1301 return exp; 1302 if (!IS_ERR(exp)) 1303 exp_put(exp); 1304 return gssexp; 1305 } 1306 1307 struct svc_export * 1308 rqst_exp_parent(struct svc_rqst *rqstp, struct path *path) 1309 { 1310 struct dentry *saved = dget(path->dentry); 1311 struct svc_export *exp = rqst_exp_get_by_name(rqstp, path); 1312 1313 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1314 struct dentry *parent = dget_parent(path->dentry); 1315 dput(path->dentry); 1316 path->dentry = parent; 1317 exp = rqst_exp_get_by_name(rqstp, path); 1318 } 1319 dput(path->dentry); 1320 path->dentry = saved; 1321 return exp; 1322 } 1323 1324 struct svc_export *rqst_find_fsidzero_export(struct svc_rqst *rqstp) 1325 { 1326 u32 fsidv[2]; 1327 1328 mk_fsid(FSID_NUM, fsidv, 0, 0, 0, NULL); 1329 1330 return rqst_exp_find(&rqstp->rq_chandle, SVC_NET(rqstp), 1331 rqstp->rq_client, rqstp->rq_gssclient, 1332 FSID_NUM, fsidv); 1333 } 1334 1335 /* 1336 * Called when we need the filehandle for the root of the pseudofs, 1337 * for a given NFSv4 client. The root is defined to be the 1338 * export point with fsid==0 1339 */ 1340 __be32 1341 exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp) 1342 { 1343 struct svc_export *exp; 1344 __be32 rv; 1345 1346 exp = rqst_find_fsidzero_export(rqstp); 1347 if (IS_ERR(exp)) 1348 return nfserrno(PTR_ERR(exp)); 1349 rv = fh_compose(fhp, exp, exp->ex_path.dentry, NULL); 1350 exp_put(exp); 1351 return rv; 1352 } 1353 1354 static struct flags { 1355 int flag; 1356 char *name[2]; 1357 } expflags[] = { 1358 { NFSEXP_READONLY, {"ro", "rw"}}, 1359 { NFSEXP_INSECURE_PORT, {"insecure", ""}}, 1360 { NFSEXP_ROOTSQUASH, {"root_squash", "no_root_squash"}}, 1361 { NFSEXP_ALLSQUASH, {"all_squash", ""}}, 1362 { NFSEXP_ASYNC, {"async", "sync"}}, 1363 { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}}, 1364 { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}}, 1365 { NFSEXP_NOHIDE, {"nohide", ""}}, 1366 { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, 1367 { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}}, 1368 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, 1369 { NFSEXP_V4ROOT, {"v4root", ""}}, 1370 { NFSEXP_PNFS, {"pnfs", ""}}, 1371 { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1372 { 0, {"", ""}} 1373 }; 1374 1375 static void show_expflags(struct seq_file *m, int flags, int mask) 1376 { 1377 struct flags *flg; 1378 int state, first = 0; 1379 1380 for (flg = expflags; flg->flag; flg++) { 1381 if (flg->flag & ~mask) 1382 continue; 1383 state = (flg->flag & flags) ? 0 : 1; 1384 if (*flg->name[state]) 1385 seq_printf(m, "%s%s", first++?",":"", flg->name[state]); 1386 } 1387 } 1388 1389 static void show_secinfo_flags(struct seq_file *m, int flags) 1390 { 1391 seq_printf(m, ","); 1392 show_expflags(m, flags, NFSEXP_SECINFO_FLAGS); 1393 } 1394 1395 static bool secinfo_flags_equal(int f, int g) 1396 { 1397 f &= NFSEXP_SECINFO_FLAGS; 1398 g &= NFSEXP_SECINFO_FLAGS; 1399 return f == g; 1400 } 1401 1402 static int show_secinfo_run(struct seq_file *m, struct exp_flavor_info **fp, struct exp_flavor_info *end) 1403 { 1404 int flags; 1405 1406 flags = (*fp)->flags; 1407 seq_printf(m, ",sec=%d", (*fp)->pseudoflavor); 1408 (*fp)++; 1409 while (*fp != end && secinfo_flags_equal(flags, (*fp)->flags)) { 1410 seq_printf(m, ":%d", (*fp)->pseudoflavor); 1411 (*fp)++; 1412 } 1413 return flags; 1414 } 1415 1416 static void show_secinfo(struct seq_file *m, struct svc_export *exp) 1417 { 1418 struct exp_flavor_info *f; 1419 struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors; 1420 int flags; 1421 1422 if (exp->ex_nflavors == 0) 1423 return; 1424 f = exp->ex_flavors; 1425 flags = show_secinfo_run(m, &f, end); 1426 if (!secinfo_flags_equal(flags, exp->ex_flags)) 1427 show_secinfo_flags(m, flags); 1428 while (f != end) { 1429 flags = show_secinfo_run(m, &f, end); 1430 show_secinfo_flags(m, flags); 1431 } 1432 } 1433 1434 static void exp_flags(struct seq_file *m, int flag, int fsid, 1435 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fsloc) 1436 { 1437 struct user_namespace *userns = m->file->f_cred->user_ns; 1438 1439 show_expflags(m, flag, NFSEXP_ALLFLAGS); 1440 if (flag & NFSEXP_FSID) 1441 seq_printf(m, ",fsid=%d", fsid); 1442 if (!uid_eq(anonu, make_kuid(userns, (uid_t)-2)) && 1443 !uid_eq(anonu, make_kuid(userns, 0x10000-2))) 1444 seq_printf(m, ",anonuid=%u", from_kuid_munged(userns, anonu)); 1445 if (!gid_eq(anong, make_kgid(userns, (gid_t)-2)) && 1446 !gid_eq(anong, make_kgid(userns, 0x10000-2))) 1447 seq_printf(m, ",anongid=%u", from_kgid_munged(userns, anong)); 1448 if (fsloc && fsloc->locations_count > 0) { 1449 char *loctype = (fsloc->migrated) ? "refer" : "replicas"; 1450 int i; 1451 1452 seq_printf(m, ",%s=", loctype); 1453 seq_escape(m, fsloc->locations[0].path, ",;@ \t\n\\"); 1454 seq_putc(m, '@'); 1455 seq_escape(m, fsloc->locations[0].hosts, ",;@ \t\n\\"); 1456 for (i = 1; i < fsloc->locations_count; i++) { 1457 seq_putc(m, ';'); 1458 seq_escape(m, fsloc->locations[i].path, ",;@ \t\n\\"); 1459 seq_putc(m, '@'); 1460 seq_escape(m, fsloc->locations[i].hosts, ",;@ \t\n\\"); 1461 } 1462 } 1463 } 1464 1465 static int e_show(struct seq_file *m, void *p) 1466 { 1467 struct cache_head *cp = p; 1468 struct svc_export *exp = container_of(cp, struct svc_export, h); 1469 struct cache_detail *cd = m->private; 1470 bool export_stats = is_export_stats_file(m); 1471 1472 if (p == SEQ_START_TOKEN) { 1473 seq_puts(m, "# Version 1.1\n"); 1474 if (export_stats) 1475 seq_puts(m, "# Path Client Start-time\n#\tStats\n"); 1476 else 1477 seq_puts(m, "# Path Client(Flags) # IPs\n"); 1478 return 0; 1479 } 1480 1481 if (cache_check_rcu(cd, &exp->h, NULL)) 1482 return 0; 1483 1484 return svc_export_show(m, cd, cp); 1485 } 1486 1487 const struct seq_operations nfs_exports_op = { 1488 .start = cache_seq_start_rcu, 1489 .next = cache_seq_next_rcu, 1490 .stop = cache_seq_stop_rcu, 1491 .show = e_show, 1492 }; 1493 1494 /** 1495 * nfsd_export_wq_init - allocate the export release workqueue 1496 * 1497 * Called once at module load. The workqueue runs deferred svc_export and 1498 * svc_expkey release work scheduled by queue_rcu_work() in the cache put 1499 * callbacks. 1500 * 1501 * Return values: 1502 * %0: workqueue allocated 1503 * %-ENOMEM: allocation failed 1504 */ 1505 int nfsd_export_wq_init(void) 1506 { 1507 nfsd_export_wq = alloc_workqueue("nfsd_export", WQ_UNBOUND, 0); 1508 if (!nfsd_export_wq) 1509 return -ENOMEM; 1510 return 0; 1511 } 1512 1513 /** 1514 * nfsd_export_wq_shutdown - drain and free the export release workqueue 1515 * 1516 * Called once at module unload. Per-namespace teardown in 1517 * nfsd_export_shutdown() has already drained all deferred work. 1518 */ 1519 void nfsd_export_wq_shutdown(void) 1520 { 1521 destroy_workqueue(nfsd_export_wq); 1522 } 1523 1524 /* 1525 * Initialize the exports module. 1526 */ 1527 int 1528 nfsd_export_init(struct net *net) 1529 { 1530 int rv; 1531 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1532 1533 dprintk("nfsd: initializing export module (net: %x).\n", net->ns.inum); 1534 1535 nn->svc_export_cache = cache_create_net(&svc_export_cache_template, net); 1536 if (IS_ERR(nn->svc_export_cache)) 1537 return PTR_ERR(nn->svc_export_cache); 1538 rv = cache_register_net(nn->svc_export_cache, net); 1539 if (rv) 1540 goto destroy_export_cache; 1541 1542 nn->svc_expkey_cache = cache_create_net(&svc_expkey_cache_template, net); 1543 if (IS_ERR(nn->svc_expkey_cache)) { 1544 rv = PTR_ERR(nn->svc_expkey_cache); 1545 goto unregister_export_cache; 1546 } 1547 rv = cache_register_net(nn->svc_expkey_cache, net); 1548 if (rv) 1549 goto destroy_expkey_cache; 1550 return 0; 1551 1552 destroy_expkey_cache: 1553 cache_destroy_net(nn->svc_expkey_cache, net); 1554 unregister_export_cache: 1555 cache_unregister_net(nn->svc_export_cache, net); 1556 destroy_export_cache: 1557 cache_destroy_net(nn->svc_export_cache, net); 1558 return rv; 1559 } 1560 1561 /* 1562 * Flush exports table - called when last nfsd thread is killed 1563 */ 1564 void 1565 nfsd_export_flush(struct net *net) 1566 { 1567 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1568 1569 cache_purge(nn->svc_expkey_cache); 1570 cache_purge(nn->svc_export_cache); 1571 } 1572 1573 /* 1574 * Shutdown the exports module. 1575 */ 1576 void 1577 nfsd_export_shutdown(struct net *net) 1578 { 1579 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1580 1581 dprintk("nfsd: shutting down export module (net: %x).\n", net->ns.inum); 1582 1583 cache_unregister_net(nn->svc_expkey_cache, net); 1584 cache_unregister_net(nn->svc_export_cache, net); 1585 /* Drain deferred export and expkey release work. */ 1586 rcu_barrier(); 1587 flush_workqueue(nfsd_export_wq); 1588 cache_destroy_net(nn->svc_expkey_cache, net); 1589 cache_destroy_net(nn->svc_export_cache, net); 1590 svcauth_unix_purge(net); 1591 1592 dprintk("nfsd: export shutdown complete (net: %x).\n", net->ns.inum); 1593 } 1594