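// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *   Copyright (C) 2016 Namjae Jeon <linkinjeon@kernel.org>
 *   Copyright (C) 2019 Samsung Electronics Co., Ltd.
 */

#include <linux/fs.h>
#include <linux/filelock.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/kthread.h>
#include <linux/freezer.h>
#include <linux/dcache.h>

#include "glob.h"
#include "vfs_cache.h"
#include "oplock.h"
#include "vfs.h"
#include "connection.h"
#include "misc.h"
#include "mgmt/tree_connect.h"
#include "mgmt/user_session.h"
#include "mgmt/user_config.h"
#include "smb_common.h"
#include "server.h"
#include "smb2pdu.h"

/*
 * ksmbd_inode::m_flags bits. They are only ever read or written under
 * ci->m_lock in this file.
 *
 * S_DEL_PENDING: the file is to be unlinked when the last reference to the
 * ksmbd_inode goes away (see __ksmbd_inode_close()).
 * S_DEL_ON_CLS / S_DEL_ON_CLS_STREAM: delete-on-close was requested on a
 * regular / stream handle; promoted to S_DEL_PENDING (or acted on directly
 * for streams) at close time.
 */
#define S_DEL_PENDING			1
#define S_DEL_ON_CLS			2
#define S_DEL_ON_CLS_STREAM		8

/* Hash table mapping a dentry to its ksmbd_inode, guarded by inode_hash_lock. */
static unsigned int inode_hash_mask __read_mostly;
static unsigned int inode_hash_shift __read_mostly;
static struct hlist_head *inode_hashtable __read_mostly;
static DEFINE_RWLOCK(inode_hash_lock);

/* Server-wide table of durable handles, keyed by persistent id. */
static struct ksmbd_file_table global_ft;
/* Remaining volatile-id budget; see fd_limit_depleted()/fd_limit_close(). */
static atomic_long_t fd_limit;
static struct kmem_cache *filp_cache;

static int ksmbd_mark_fp_closed(struct ksmbd_file *fp);

/* NOTE(review): these four OPLOCK_* constants are not referenced anywhere in
 * the visible part of this file; confirm whether they are still needed.
 */
#define OPLOCK_NONE   0
#define OPLOCK_EXCLUSIVE 1
#define OPLOCK_BATCH   2
#define OPLOCK_READ   3  /* level 2 oplock */

#ifdef CONFIG_PROC_FS

/* Lease state -> name pairs for /proc output; order is most specific last. */
static const struct ksmbd_const_name ksmbd_lease_const_names[] = {
	{le32_to_cpu(SMB2_LEASE_NONE_LE), "LEASE_NONE"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE), "LEASE_R"},
	{le32_to_cpu(SMB2_LEASE_HANDLE_CACHING_LE), "LEASE_H"},
	{le32_to_cpu(SMB2_LEASE_WRITE_CACHING_LE), "LEASE_W"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
		     SMB2_LEASE_HANDLE_CACHING_LE), "LEASE_RH"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
		     SMB2_LEASE_WRITE_CACHING_LE), "LEASE_RW"},
	{le32_to_cpu(SMB2_LEASE_HANDLE_CACHING_LE |
		     SMB2_LEASE_WRITE_CACHING_LE), "LEASE_WH"},
	{le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
		     SMB2_LEASE_HANDLE_CACHING_LE |
		     SMB2_LEASE_WRITE_CACHING_LE), "LEASE_RWH"},
};

/* Oplock level -> name pairs for /proc output. "OPLOCK_EXECL" is the
 * proc-visible spelling and is deliberately left as-is.
 */
static const struct ksmbd_const_name ksmbd_oplock_const_names[] = {
	{SMB2_OPLOCK_LEVEL_NONE, "OPLOCK_NONE"},
	{SMB2_OPLOCK_LEVEL_II, "OPLOCK_II"},
	{SMB2_OPLOCK_LEVEL_EXCLUSIVE, "OPLOCK_EXECL"},
	{SMB2_OPLOCK_LEVEL_BATCH, "OPLOCK_BATCH"},
};

/*
 * proc_show_files() - seq_file show callback listing every fp in global_ft.
 *
 * Walks global_ft under its read lock; fp->f_opinfo is dereferenced under
 * RCU only long enough to copy the lease state / oplock level out.
 *
 * NOTE(review): fp->filp->f_path.dentry->d_name.name is read without
 * d_lock, so a concurrent rename can change it mid-print; confirm that is
 * acceptable for this diagnostic view.
 */
static int proc_show_files(struct seq_file *m, void *v)
{
	struct ksmbd_file *fp = NULL;
	unsigned int id;
	struct oplock_info *opinfo;

	seq_printf(m, "#%-10s %-10s %-10s %-10s %-15s %-10s %-10s %s\n",
		   "<tree id>", "<pid>", "<vid>", "<refcnt>",
		   "<oplock>", "<daccess>", "<saccess>",
		   "<name>");

	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		seq_printf(m, "%#-10x %#-10llx %#-10llx %#-10x",
			   fp->tcon ? fp->tcon->id : 0,
			   fp->persistent_id,
			   fp->volatile_id,
			   atomic_read(&fp->refcount));

		rcu_read_lock();
		opinfo = rcu_dereference(fp->f_opinfo);
		if (opinfo) {
			const struct ksmbd_const_name *const_names;
			int count;
			unsigned int level;

			if (opinfo->is_lease) {
				const_names = ksmbd_lease_const_names;
				count = ARRAY_SIZE(ksmbd_lease_const_names);
				level = le32_to_cpu(opinfo->o_lease->state);
			} else {
				const_names = ksmbd_oplock_const_names;
				count = ARRAY_SIZE(ksmbd_oplock_const_names);
				level = opinfo->level;
			}
			/* Unlock before printing: level/count are copies. */
			rcu_read_unlock();
			ksmbd_proc_show_const_name(m, " %-15s",
						   const_names, count, level);
		} else {
			rcu_read_unlock();
			seq_printf(m, " %-15s", " ");
		}

		seq_printf(m, " %#010x %#010x %s\n",
			   le32_to_cpu(fp->daccess),
			   le32_to_cpu(fp->saccess),
			   fp->filp->f_path.dentry->d_name.name);
	}
	read_unlock(&global_ft.lock);
	return 0;
}

/*
 * create_proc_files() - register the "files" proc entry.
 *
 * The result of ksmbd_proc_create() is not checked; a registration
 * failure only loses the diagnostic view.
 */
static int create_proc_files(void)
{
	ksmbd_proc_create("files", proc_show_files, NULL);
	return 0;
}
#else
static int create_proc_files(void) { return 0; }
#endif

/* Durable-handle scavenger state; dh_wq is woken whenever a durable fd is
 * removed or invalidated so the scavenger can re-evaluate its timeout.
 */
static bool durable_scavenger_running;
static DEFINE_MUTEX(durable_scavenger_lock);
static wait_queue_head_t dh_wq;

/**
 * ksmbd_set_fd_limit() - set the volatile-id budget
 * @limit: requested limit; clamped to get_max_files()
 */
void ksmbd_set_fd_limit(unsigned long limit)
{
	limit = min(limit, get_max_files());
	atomic_long_set(&fd_limit, limit);
}

/*
 * fd_limit_depleted() - try to charge one volatile id against fd_limit.
 *
 * Decrements first and undoes the decrement if the budget went negative,
 * so a successful (false) return has consumed one unit that must later be
 * returned by fd_limit_close().
 */
static bool fd_limit_depleted(void)
{
	long v = atomic_long_dec_return(&fd_limit);

	if (v >= 0)
		return false;
	atomic_long_inc(&fd_limit);
	return true;
}

/* fd_limit_close() - give back one unit charged by fd_limit_depleted(). */
static void fd_limit_close(void)
{
	atomic_long_inc(&fd_limit);
}

/*
 * INODE hash
 */

/*
 * inode_hash() - bucket index for a (superblock, dentry address) pair.
 *
 * The table is keyed on the dentry pointer value (see callers), not on the
 * inode number.
 */
static unsigned long inode_hash(struct super_block *sb, unsigned long hashval)
{
	unsigned long tmp;

	tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) /
		L1_CACHE_BYTES;
	tmp = tmp ^ ((tmp ^ GOLDEN_RATIO_PRIME) >> inode_hash_shift);
	return tmp & inode_hash_mask;
}

/*
 * __ksmbd_inode_lookup() - find the ksmbd_inode for @de and take a reference.
 *
 * Caller holds inode_hash_lock (read or write). Returns NULL if no entry
 * exists or if the matching entry's m_count already dropped to zero (it is
 * being freed); otherwise returns it with m_count incremented, to be
 * released via ksmbd_inode_put().
 */
static struct ksmbd_inode *__ksmbd_inode_lookup(struct dentry *de)
{
	struct hlist_head *head = inode_hashtable +
		inode_hash(d_inode(de)->i_sb, (unsigned long)de);
	struct ksmbd_inode *ci = NULL, *ret_ci = NULL;

	hlist_for_each_entry(ci, head, m_hash) {
		if (ci->m_de == de) {
			if (atomic_inc_not_zero(&ci->m_count))
				ret_ci = ci;
			break;
		}
	}
	return ret_ci;
}

/* ksmbd_inode_lookup() - __ksmbd_inode_lookup() on fp's dentry; same locking. */
static struct ksmbd_inode *ksmbd_inode_lookup(struct ksmbd_file *fp)
{
	return __ksmbd_inode_lookup(fp->filp->f_path.dentry);
}

/**
 * ksmbd_inode_lookup_lock() - look up the ksmbd_inode for @d
 * @d: dentry to look up
 *
 * Despite the name, no lock is held on return: inode_hash_lock is taken and
 * released internally. The returned inode carries a reference that the
 * caller must drop with ksmbd_inode_put().
 *
 * Return: referenced ksmbd_inode, or NULL if none is cached for @d.
 */
struct ksmbd_inode *ksmbd_inode_lookup_lock(struct dentry *d)
{
	struct ksmbd_inode *ci;

	read_lock(&inode_hash_lock);
	ci = __ksmbd_inode_lookup(d);
	read_unlock(&inode_hash_lock);

	return ci;
}

/**
 * ksmbd_query_inode_status() - report delete-pending state for @dentry
 * @dentry: dentry to query
 *
 * Return: KSMBD_INODE_STATUS_UNKNOWN when ksmbd has no inode cached for
 * @dentry, KSMBD_INODE_STATUS_PENDING_DELETE if S_DEL_PENDING is set,
 * otherwise KSMBD_INODE_STATUS_OK.
 */
int ksmbd_query_inode_status(struct dentry *dentry)
{
	struct ksmbd_inode *ci;
	int ret = KSMBD_INODE_STATUS_UNKNOWN;

	read_lock(&inode_hash_lock);
	ci = __ksmbd_inode_lookup(dentry);
	read_unlock(&inode_hash_lock);
	if (!ci)
		return ret;

	down_read(&ci->m_lock);
	if (ci->m_flags & S_DEL_PENDING)
		ret = KSMBD_INODE_STATUS_PENDING_DELETE;
	else
		ret = KSMBD_INODE_STATUS_OK;
	up_read(&ci->m_lock);

	ksmbd_inode_put(ci);
	return ret;
}

/**
 * ksmbd_inode_pending_delete() - is S_DEL_PENDING set on fp's inode?
 * @fp: open file whose f_ci is checked
 */
bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;
	int ret;

	down_read(&ci->m_lock);
	ret = (ci->m_flags & S_DEL_PENDING);
	up_read(&ci->m_lock);

	return ret;
}

/**
 * ksmbd_set_inode_pending_delete() - set S_DEL_PENDING on fp's inode
 * @fp: open file whose f_ci is updated
 */
void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;

	down_write(&ci->m_lock);
	ci->m_flags |= S_DEL_PENDING;
	up_write(&ci->m_lock);
}

/**
 * ksmbd_clear_inode_pending_delete() - clear S_DEL_PENDING on fp's inode
 * @fp: open file whose f_ci is updated
 */
void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;

	down_write(&ci->m_lock);
	ci->m_flags &= ~S_DEL_PENDING;
	up_write(&ci->m_lock);
}

/**
 * ksmbd_has_stream_without_delete_share() - does another stream handle on
 * the same inode lack FILE_SHARE_DELETE?
 * @fp: the (non-stream) handle being evaluated
 *
 * Return: false immediately if @fp itself is a stream handle; otherwise
 * true if any other stream fp on the same file_inode() was opened without
 * FILE_SHARE_DELETE_LE in its share access.
 *
 * NOTE(review): prev_fp->saccess is read under ci->m_lock only; confirm
 * that saccess is immutable after open.
 */
bool ksmbd_has_stream_without_delete_share(struct ksmbd_file *fp)
{
	struct ksmbd_file *prev_fp;
	struct ksmbd_inode *ci = fp->f_ci;
	bool ret = false;

	if (ksmbd_stream_fd(fp))
		return false;

	down_read(&ci->m_lock);
	list_for_each_entry(prev_fp, &ci->m_fp_list, node) {
		if (prev_fp == fp || !ksmbd_stream_fd(prev_fp))
			continue;

		if (file_inode(fp->filp) != file_inode(prev_fp->filp))
			continue;

		if (!(prev_fp->saccess & FILE_SHARE_DELETE_LE)) {
			ret = true;
			break;
		}
	}
	up_read(&ci->m_lock);

	return ret;
}

/**
 * ksmbd_fd_set_delete_on_close() - request delete-on-close for @fp
 * @fp: handle being marked
 * @file_info: currently unused by this function
 *
 * Sets S_DEL_ON_CLS_STREAM for stream handles and S_DEL_ON_CLS otherwise;
 * the flag is consumed in __ksmbd_inode_close().
 */
void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
				  int file_info)
{
	struct ksmbd_inode *ci = fp->f_ci;

	down_write(&ci->m_lock);
	if (ksmbd_stream_fd(fp))
		ci->m_flags |= S_DEL_ON_CLS_STREAM;
	else
		ci->m_flags |= S_DEL_ON_CLS;
	up_write(&ci->m_lock);
}

/* ksmbd_inode_hash() - insert @ci; caller holds inode_hash_lock for write. */
static void ksmbd_inode_hash(struct ksmbd_inode *ci)
{
	struct hlist_head *b = inode_hashtable +
		inode_hash(d_inode(ci->m_de)->i_sb, (unsigned long)ci->m_de);

	hlist_add_head(&ci->m_hash, b);
}

/* ksmbd_inode_unhash() - remove @ci from the table under inode_hash_lock. */
static void ksmbd_inode_unhash(struct ksmbd_inode *ci)
{
	write_lock(&inode_hash_lock);
	hlist_del_init(&ci->m_hash);
	write_unlock(&inode_hash_lock);
}

/*
 * ksmbd_inode_init() - initialise a freshly allocated ksmbd_inode for @fp.
 *
 * m_count starts at 1 (the creator's reference). m_de records the dentry
 * pointer without taking a dentry reference here -- presumably it is kept
 * alive by fp->filp for as long as an fp is linked; verify against callers.
 * Always returns 0.
 */
static int ksmbd_inode_init(struct ksmbd_inode *ci, struct ksmbd_file *fp)
{
	atomic_set(&ci->m_count, 1);
	atomic_set(&ci->op_count, 0);
	atomic_set(&ci->sop_count, 0);
	ci->m_flags = 0;
	ci->m_fattr = 0;
	INIT_LIST_HEAD(&ci->m_fp_list);
	INIT_LIST_HEAD(&ci->m_op_list);
	init_rwsem(&ci->m_lock);
	ci->m_de = fp->filp->f_path.dentry;
	return 0;
}

/*
 * ksmbd_inode_get() - find or create the ksmbd_inode for fp's dentry.
 *
 * Fast path: lookup under the read lock. Slow path: allocate, then re-check
 * under the write lock so two concurrent openers of the same dentry cannot
 * both insert; the loser frees its allocation and uses the winner's entry.
 * Either way the result carries one m_count reference for the caller, or
 * NULL on allocation failure.
 */
static struct ksmbd_inode *ksmbd_inode_get(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci, *tmpci;
	int rc;

	read_lock(&inode_hash_lock);
	ci = ksmbd_inode_lookup(fp);
	read_unlock(&inode_hash_lock);
	if (ci)
		return ci;

	ci = kmalloc_obj(struct ksmbd_inode, KSMBD_DEFAULT_GFP);
	if (!ci)
		return NULL;

	rc = ksmbd_inode_init(ci, fp);
	if (rc) {
		pr_err("inode initialized failed\n");
		kfree(ci);
		return NULL;
	}

	write_lock(&inode_hash_lock);
	tmpci = ksmbd_inode_lookup(fp);
	if (!tmpci) {
		ksmbd_inode_hash(ci);
	} else {
		kfree(ci);
		ci = tmpci;
	}
	write_unlock(&inode_hash_lock);
	return ci;
}

/* ksmbd_inode_free() - unhash and free @ci; m_count must already be zero. */
static void ksmbd_inode_free(struct ksmbd_inode *ci)
{
	ksmbd_inode_unhash(ci);
	kfree(ci);
}

/**
 * ksmbd_inode_put() - drop a reference taken by a lookup or ksmbd_inode_get()
 * @ci: inode to release; freed when m_count reaches zero
 */
void ksmbd_inode_put(struct ksmbd_inode *ci)
{
	if (atomic_dec_and_test(&ci->m_count))
		ksmbd_inode_free(ci);
}

/**
 * ksmbd_inode_hash_init() - allocate and initialise the inode hash table
 *
 * Uses a fixed 16384 buckets. Return: 0, or -ENOMEM if vmalloc() fails.
 */
int __init ksmbd_inode_hash_init(void)
{
	unsigned int loop;
	unsigned long numentries = 16384;
	unsigned long bucketsize = sizeof(struct hlist_head);
	unsigned long size;

	inode_hash_shift = ilog2(numentries);
	inode_hash_mask = (1 << inode_hash_shift) - 1;

	size = bucketsize << inode_hash_shift;

	/* init master fp hash table */
	inode_hashtable = vmalloc(size);
	if (!inode_hashtable)
		return -ENOMEM;

	for (loop = 0; loop < (1U << inode_hash_shift); loop++)
		INIT_HLIST_HEAD(&inode_hashtable[loop]);
	return 0;
}

/** ksmbd_release_inode_hash() - free the table from ksmbd_inode_hash_init() */
void ksmbd_release_inode_hash(void)
{
	vfree(inode_hashtable);
}

/*
 * __ksmbd_inode_close() - per-fp part of inode teardown, called from
 * __ksmbd_close_fd().
 *
 * For stream handles, a pending S_DEL_ON_CLS_STREAM removes the stream
 * xattr under the file's own credentials. S_DEL_ON_CLS is promoted to
 * S_DEL_PENDING, and if this fp held the last m_count reference the file is
 * unlinked (when pending) and the ksmbd_inode freed.
 */
static void __ksmbd_inode_close(struct ksmbd_file *fp)
{
	struct ksmbd_inode *ci = fp->f_ci;
	int err;
	struct file *filp;

	filp = fp->filp;

	if (ksmbd_stream_fd(fp)) {
		bool remove_stream_xattr = false;

		down_write(&ci->m_lock);
		if (ci->m_flags & S_DEL_ON_CLS_STREAM) {
			ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
			remove_stream_xattr = true;
		}
		up_write(&ci->m_lock);

		if (remove_stream_xattr) {
			const struct cred *saved_cred;

			/* Act as the credentials the file was opened with. */
			saved_cred = override_creds(filp->f_cred);
			err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
						     &filp->f_path,
						     fp->stream.name,
						     true);
			revert_creds(saved_cred);
			if (err)
				pr_err("remove xattr failed : %s\n",
				       fp->stream.name);
		}
	}

	down_write(&ci->m_lock);
	/* Promote S_DEL_ON_CLS to S_DEL_PENDING when close */
	if (ci->m_flags & S_DEL_ON_CLS) {
		ci->m_flags &= ~S_DEL_ON_CLS;
		ci->m_flags |= S_DEL_PENDING;
	}
	up_write(&ci->m_lock);

	if (atomic_dec_and_test(&ci->m_count)) {
		bool do_unlink = false;

		down_write(&ci->m_lock);
		if (ci->m_flags & S_DEL_PENDING) {
			ci->m_flags &= ~S_DEL_PENDING;
			do_unlink = true;
		}
		up_write(&ci->m_lock);

		if (do_unlink)
			ksmbd_vfs_unlink(filp);

		ksmbd_inode_free(ci);
	}
}

/*
 * __ksmbd_remove_durable_fd() - unpublish fp's persistent id from global_ft.
 *
 * Caller holds global_ft.lock for write. No-op if fp has no persistent id.
 */
static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
{
	if (!has_file_id(fp->persistent_id))
		return;

	idr_remove(global_ft.idr, fp->persistent_id);
	/*
	 * Clear persistent_id so a later __ksmbd_close_fd() that runs from a
	 * delayed putter (e.g. when a concurrent ksmbd_lookup_fd_inode()
	 * walker held the final reference) does not re-issue idr_remove() on
	 * an id that idr_alloc_cyclic() may have already handed out to a new
	 * durable handle.
	 */
	fp->persistent_id = KSMBD_NO_FID;
}

/*
 * ksmbd_remove_durable_fd() - locked wrapper around
 * __ksmbd_remove_durable_fd() that also pokes the durable scavenger.
 */
static void ksmbd_remove_durable_fd(struct ksmbd_file *fp)
{
	write_lock(&global_ft.lock);
	__ksmbd_remove_durable_fd(fp);
	write_unlock(&global_ft.lock);
	if (waitqueue_active(&dh_wq))
		wake_up(&dh_wq);
}

/*
 * __ksmbd_remove_fd() - unlink fp from its inode's m_fp_list and, if it still
 * has a volatile id, remove it from @ft.
 */
static void __ksmbd_remove_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
	down_write(&fp->f_ci->m_lock);
	list_del_init(&fp->node);
	up_write(&fp->f_ci->m_lock);

	if (!has_file_id(fp->volatile_id))
		return;

	write_lock(&ft->lock);
	idr_remove(ft->idr, fp->volatile_id);
	write_unlock(&ft->lock);
}

/*
 * __ksmbd_close_fd() - final teardown of an fp whose refcount reached zero.
 *
 * @ft may be NULL when the fp has already been unpublished from its session
 * table (durable/scavenger/teardown paths); then only the inode-list unlink
 * in __ksmbd_remove_fd() is skipped. Returns the fd_limit unit charged at
 * open, drops the oplock, the struct file, all byte-range locks owned by fp,
 * fp's reference on its connection, and finally fp itself.
 */
static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
{
	struct file *filp;
	struct ksmbd_lock *smb_lock, *tmp_lock;

	fd_limit_close();
	ksmbd_remove_durable_fd(fp);
	if (ft)
		__ksmbd_remove_fd(ft, fp);

	close_id_del_oplock(fp);
	filp = fp->filp;

	__ksmbd_inode_close(fp);
	if (!IS_ERR_OR_NULL(filp))
		fput(filp);

	/* because the reference count of fp is 0, it is guaranteed that
	 * there are not accesses to fp->lock_list.
	 */
	list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
		struct ksmbd_conn *conn = smb_lock->conn;

		if (conn) {
			spin_lock(&conn->llist_lock);
			list_del_init(&smb_lock->clist);
			smb_lock->conn = NULL;
			spin_unlock(&conn->llist_lock);
			ksmbd_conn_put(conn);
		}

		list_del(&smb_lock->flist);
		locks_free_lock(smb_lock->fl);
		kfree(smb_lock);
	}

	/*
	 * Drop fp's strong reference on conn (taken in ksmbd_open_fd() /
	 * ksmbd_reopen_durable_fd()). Durable fps that reached the
	 * scavenger have already had fp->conn cleared by session_fd_check(),
	 * in which case there is nothing to drop here.
	 */
	if (fp->conn) {
		ksmbd_conn_put(fp->conn);
		fp->conn = NULL;
	}

	if (ksmbd_stream_fd(fp))
		kfree(fp->stream.name);
	kfree(fp->owner.name);

	kmem_cache_free(filp_cache, fp);
}

/**
 * ksmbd_close_disconnected_durable_delete_on_close() - drop a delete-on-close
 * file kept present only by disconnected durable handles
 * @dentry: dentry of the file being opened
 *
 * A durable handle opened with delete-on-close is preserved across a
 * disconnect so it can be reclaimed by a durable reconnect. When a new
 * (non-reconnect) open arrives for the same name instead, the disconnected
 * handle has to give way. Close such handles so their delete-on-close is
 * applied and the file is removed once the last handle is gone, letting the
 * new open create a fresh file.
 *
 * The caller's inode reference is dropped before closing so that the final
 * close can promote S_DEL_ON_CLS to S_DEL_PENDING and unlink the file.
 *
 * Return: true if a disconnected durable handle was closed.
 */
bool ksmbd_close_disconnected_durable_delete_on_close(struct dentry *dentry)
{
	struct ksmbd_inode *ci;
	struct ksmbd_file *fp, *tmp;
	LIST_HEAD(dispose);
	bool closed = false;

	ci = ksmbd_inode_lookup_lock(dentry);
	if (!ci)
		return false;

	down_write(&ci->m_lock);
	if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_ON_CLS_STREAM | S_DEL_PENDING)) {
		list_for_each_entry_safe(fp, tmp, &ci->m_fp_list, node) {
			/* Only disconnected (conn == NULL), live durable fps. */
			if (fp->conn || !fp->is_durable ||
			    fp->f_state != FP_INITED)
				continue;
			list_move_tail(&fp->node, &dispose);
		}
	}
	up_write(&ci->m_lock);

	/*
	 * Drop our lookup reference before closing so the last __ksmbd_close_fd()
	 * can drop m_count to zero and unlink the delete-on-close file. The
	 * collected handles still hold references, so ci stays valid until they
	 * are closed below.
	 */
	ksmbd_inode_put(ci);

	while (!list_empty(&dispose)) {
		fp = list_first_entry(&dispose, struct ksmbd_file, node);
		list_del_init(&fp->node);
		__ksmbd_close_fd(NULL, fp);
		closed = true;
	}

	return closed;
}

/*
 * ksmbd_fp_get() - take a lookup reference on @fp.
 *
 * Returns NULL if fp is not in FP_INITED or its refcount is already zero.
 * f_state is read without a lock of its own; callers provide the
 * serialization they rely on (ft->lock in the idr lookups, ci->m_lock in
 * ksmbd_lookup_fd_inode()).
 */
static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
{
	if (fp->f_state != FP_INITED)
		return NULL;

	if (!atomic_inc_not_zero(&fp->refcount))
		return NULL;
	return fp;
}

/*
 * __ksmbd_lookup_fd() - look @id up in @ft and return a referenced fp.
 *
 * Returns NULL for an invalid id, an unknown id, or an fp that is not
 * FP_INITED. The reference is released with ksmbd_fd_put() /
 * ksmbd_put_durable_fd() depending on the table.
 */
static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
					    u64 id)
{
	struct ksmbd_file *fp;

	if (!has_file_id(id))
		return NULL;

	read_lock(&ft->lock);
	fp = idr_find(ft->idr, id);
	if (fp)
		fp = ksmbd_fp_get(fp);
	read_unlock(&ft->lock);
	return fp;
}

/*
 * __put_fd_final() - final close for an fp released through a work context.
 *
 * Only decrements work->conn's open_files_count when fp still belongs to a
 * connection; see the comment below for the detached-durable case.
 */
static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)
{
	/*
	 * Detached durable fp -- session_fd_check() cleared fp->conn at
	 * preserve, so this fp is no longer tracked by any conn's
	 * stats.open_files_count. This happens when
	 * ksmbd_scavenger_dispose_dh() hands the final close off to an
	 * m_fp_list walker (e.g. ksmbd_lookup_fd_inode()) whose work->conn
	 * is unrelated to the conn that originally opened the handle; close
	 * via the NULL-ft path so we do not underflow that unrelated
	 * counter.
	 */
	if (!fp->conn) {
		__ksmbd_close_fd(NULL, fp);
		return;
	}
	__ksmbd_close_fd(&work->sess->file_table, fp);
	atomic_dec(&work->conn->stats.open_files_count);
}

/*
 * set_close_state_blocked_works() - cancel every work blocked on @fp.
 *
 * Marks each blocked work KSMBD_WORK_CLOSED and invokes its cancel_fn, all
 * under fp->f_lock.
 */
static void set_close_state_blocked_works(struct ksmbd_file *fp)
{
	struct ksmbd_work *cancel_work;

	spin_lock(&fp->f_lock);
	list_for_each_entry(cancel_work, &fp->blocked_works,
			    fp_entry) {
		cancel_work->state = KSMBD_WORK_CLOSED;
		cancel_work->cancel_fn(cancel_work->cancel_argv);
	}
	spin_unlock(&fp->f_lock);
}

/**
 * ksmbd_close_fd() - close the volatile id @id in the session's file table
 * @work: request context (session, connection)
 * @id: volatile id to close
 *
 * Under ft->lock, cancels blocked works and moves an FP_INITED fp to
 * FP_CLOSED, dropping the table-owned reference. If that was the last
 * reference, finalises the fp via __put_fd_final() outside the lock.
 *
 * Return: 0 if @id is invalid or the fp was found in FP_INITED state
 * (whether or not this call performed the final close); -EINVAL if @id is
 * not present or the fp was not FP_INITED.
 */
int ksmbd_close_fd(struct ksmbd_work *work, u64 id)
{
	struct ksmbd_file *fp;
	struct ksmbd_file_table *ft;
	bool closed = false;

	if (!has_file_id(id))
		return 0;

	ft = &work->sess->file_table;
	write_lock(&ft->lock);
	fp = idr_find(ft->idr, id);
	if (fp) {
		set_close_state_blocked_works(fp);

		if (fp->f_state != FP_INITED)
			fp = NULL;
		else {
			fp->f_state = FP_CLOSED;
			closed = true;
			if (!atomic_dec_and_test(&fp->refcount))
				fp = NULL;
		}
	}
	write_unlock(&ft->lock);

	if (!fp)
		return closed ? 0 : -EINVAL;

	__put_fd_final(work, fp);
	return 0;
}

/**
 * ksmbd_fd_put() - release a reference obtained from a ksmbd_lookup_fd_*()
 * @work: request context used for the final-close accounting
 * @fp: fp to release; NULL is tolerated
 */
void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp)
{
	if (!fp)
		return;

	if (!atomic_dec_and_test(&fp->refcount))
		return;
	__put_fd_final(work, fp);
}

/* __sanity_check() - fp is non-NULL and belongs to @tcon. */
static bool __sanity_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
{
	if (!fp)
		return false;
	if (fp->tcon != tcon)
		return false;
	return true;
}

/**
 * ksmbd_lookup_foreign_fd() - session-table lookup without a tree-connect check
 * @work: request context
 * @id: volatile id
 */
struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id)
{
	return __ksmbd_lookup_fd(&work->sess->file_table, id);
}

/**
 * ksmbd_lookup_fd_fast() - session-table lookup restricted to work's tree connect
 * @work: request context
 * @id: volatile id
 *
 * Return: referenced fp, or NULL if not found or owned by another tcon.
 */
struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id)
{
	struct ksmbd_file *fp = __ksmbd_lookup_fd(&work->sess->file_table, id);

	if (__sanity_check(work->tcon, fp))
		return fp;

	ksmbd_fd_put(work, fp);
	return NULL;
}

/**
 * ksmbd_lookup_fd_slow() - lookup with compound-request fallback and
 * persistent-id check
 * @work: request context
 * @id: volatile id; if invalid, work->compound_fid/compound_pfid are used
 * @pid: persistent id the fp must carry
 *
 * Return: referenced fp, or NULL if not found, owned by another tcon, or
 * its persistent_id differs from @pid.
 */
struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, u64 id,
					u64 pid)
{
	struct ksmbd_file *fp;

	if (!has_file_id(id)) {
		id = work->compound_fid;
		pid = work->compound_pfid;
	}

	fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
	if (!__sanity_check(work->tcon, fp)) {
		ksmbd_fd_put(work, fp);
		return NULL;
	}
	if (fp->persistent_id != pid) {
		ksmbd_fd_put(work, fp);
		return NULL;
	}
	return fp;
}

/**
 * ksmbd_lookup_global_fd() - look a persistent id up in global_ft
 * @id: persistent id
 *
 * Return: referenced fp (release with ksmbd_put_durable_fd()) or NULL.
 */
struct ksmbd_file *ksmbd_lookup_global_fd(unsigned long long id)
{
	return __ksmbd_lookup_fd(&global_ft, id);
}

/**
 * ksmbd_lookup_durable_fd() - find a durable handle eligible for reconnect
 * @id: persistent id
 *
 * Rejects handles whose reconnect was disabled, that are still attached to
 * a connection, or whose scavenger timeout has already passed.
 *
 * NOTE(review): the timeout is compared against jiffies_to_msecs(jiffies),
 * a raw millisecond clock that wraps; confirm timeouts can never straddle
 * the wrap.
 *
 * Return: referenced fp (release with ksmbd_put_durable_fd()) or NULL.
 */
struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id)
{
	struct ksmbd_file *fp;

	fp = __ksmbd_lookup_fd(&global_ft, id);
	if (fp && (fp->durable_reconnect_disabled ||
		   fp->conn ||
		   (fp->durable_scavenger_timeout &&
		    (fp->durable_scavenger_timeout <
		     jiffies_to_msecs(jiffies))))) {
		ksmbd_put_durable_fd(fp);
		fp = NULL;
	}

	return fp;
}

/**
 * ksmbd_put_durable_fd() - release a reference on a global_ft fp
 * @fp: fp to release; finalised via the NULL-ft path on last reference
 */
void ksmbd_put_durable_fd(struct ksmbd_file *fp)
{
	if (!atomic_dec_and_test(&fp->refcount))
		return;

	__ksmbd_close_fd(NULL, fp);
}

/**
 * ksmbd_has_other_active_fd() - is another live, attached fp open on fp's inode?
 * @fp: the fp to exclude from the check
 *
 * "Attached" means conn or tcon is non-NULL; both are read with READ_ONCE
 * because session_fd_check() rewrites them outside ci->m_lock.
 */
bool ksmbd_has_other_active_fd(struct ksmbd_file *fp)
{
	struct ksmbd_file *lfp;
	struct ksmbd_inode *ci = fp->f_ci;
	bool ret = false;

	down_read(&ci->m_lock);
	list_for_each_entry(lfp, &ci->m_fp_list, node) {
		if (lfp == fp)
			continue;

		if (lfp->f_state == FP_INITED &&
		    (READ_ONCE(lfp->conn) || READ_ONCE(lfp->tcon))) {
			ret = true;
			break;
		}
	}
	up_read(&ci->m_lock);

	return ret;
}

/*
 * ksmbd_lookup_fd_app_instance_id() - find the global fp whose
 * app_instance_id matches.
 *
 * @app_instance_id must point at SMB2_CREATE_GUID_SIZE readable bytes; an
 * all-zero GUID never matches. After a full idr walk without a hit, fp is
 * NULL (idr_for_each_entry leaves it so), which is what is returned.
 */
static struct ksmbd_file *ksmbd_lookup_fd_app_instance_id(char *app_instance_id)
{
	struct ksmbd_file *fp = NULL;
	unsigned int id;

	if (!memchr_inv(app_instance_id, 0, SMB2_CREATE_GUID_SIZE))
		return NULL;

	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		if (!memcmp(fp->app_instance_id, app_instance_id,
			    SMB2_CREATE_GUID_SIZE)) {
			fp = ksmbd_fp_get(fp);
			break;
		}
	}
	read_unlock(&global_ft.lock);

	return fp;
}

/**
 * ksmbd_close_fd_app_instance_id() - force-close the handle carrying
 * @app_instance_id
 * @app_instance_id: SMB2_CREATE_GUID_SIZE-byte application instance id
 *
 * Finds the fp via its oplock's session, unpublishes it from that session's
 * table and marks it closed under ft->lock, unlinks it from the inode list
 * and drops the references the teardown owns (see ksmbd_mark_fp_closed()).
 *
 * Return: always 0.
 */
int ksmbd_close_fd_app_instance_id(char *app_instance_id)
{
	struct ksmbd_file_table *ft;
	struct ksmbd_file *fp;
	struct oplock_info *opinfo;
	int n_to_drop = 0;

	fp = ksmbd_lookup_fd_app_instance_id(app_instance_id);
	if (!fp)
		return 0;

	opinfo = opinfo_get(fp);
	if (!opinfo || !opinfo->sess)
		goto out;

	ft = &opinfo->sess->file_table;
	write_lock(&ft->lock);
	if (fp->f_state == FP_INITED) {
		if (has_file_id(fp->volatile_id)) {
			idr_remove(ft->idr, fp->volatile_id);
			fp->volatile_id = KSMBD_NO_FID;
		}
		n_to_drop = ksmbd_mark_fp_closed(fp);
	}
	write_unlock(&ft->lock);
	opinfo_put(opinfo);
	opinfo = NULL;

	if (!n_to_drop)
		goto out;

	down_write(&fp->f_ci->m_lock);
	list_del_init(&fp->node);
	up_write(&fp->f_ci->m_lock);

	if (atomic_sub_and_test(n_to_drop, &fp->refcount)) {
		if (fp->conn)
			atomic_dec(&fp->conn->stats.open_files_count);
		__ksmbd_close_fd(NULL, fp);
	}
	return 0;

out:
	if (opinfo)
		opinfo_put(opinfo);
	ksmbd_put_durable_fd(fp);
	return 0;
}

/**
 * ksmbd_invalidate_durable_fd() - stop a durable handle from being reconnected
 * @id: persistent id
 *
 * Sets durable_reconnect_disabled and, for a disconnected handle, expires
 * its scavenger timeout immediately and wakes the scavenger.
 *
 * Return: -ENOENT on every path, including when the handle was found and
 * invalidated; callers must not treat -ENOENT as "not found".
 */
int ksmbd_invalidate_durable_fd(unsigned long long id)
{
	struct ksmbd_file *fp;

	fp = ksmbd_lookup_global_fd(id);
	if (!fp)
		return -ENOENT;

	fp->durable_reconnect_disabled = true;

	if (fp->conn) {
		ksmbd_put_durable_fd(fp);
		return -ENOENT;
	}

	fp->durable_timeout = 1;
	fp->durable_scavenger_timeout = jiffies_to_msecs(jiffies);
	ksmbd_put_durable_fd(fp);
	if (waitqueue_active(&dh_wq))
		wake_up(&dh_wq);

	return -ENOENT;
}

/**
 * ksmbd_lookup_fd_cguid() - find the global fp whose create_guid matches
 * @cguid: SMB2_CREATE_GUID_SIZE-byte create GUID
 *
 * Return: referenced fp, or NULL (idr_for_each_entry leaves fp NULL when
 * the walk completes without a match).
 */
struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
{
	struct ksmbd_file *fp = NULL;
	unsigned int id;

	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		if (!memcmp(fp->create_guid,
			    cguid,
			    SMB2_CREATE_GUID_SIZE)) {
			fp = ksmbd_fp_get(fp);
			break;
		}
	}
	read_unlock(&global_ft.lock);

	return fp;
}

/**
 * ksmbd_lookup_fd_inode() - find an open fp on @dentry's inode
 * @dentry: dentry to look up
 *
 * Walks the cached ksmbd_inode's m_fp_list under ci->m_lock and returns the
 * first fp whose file_inode() matches, with a ksmbd_fp_get() reference (or
 * NULL if that fp is not FP_INITED). The caller's inode reference is
 * dropped before returning.
 *
 * Return: referenced fp, or NULL.
 */
struct ksmbd_file *ksmbd_lookup_fd_inode(struct dentry *dentry)
{
	struct ksmbd_file *lfp;
	struct ksmbd_inode *ci;
	struct inode *inode = d_inode(dentry);

	read_lock(&inode_hash_lock);
	ci = __ksmbd_inode_lookup(dentry);
	read_unlock(&inode_hash_lock);
	if (!ci)
		return NULL;

	down_read(&ci->m_lock);
	list_for_each_entry(lfp, &ci->m_fp_list, node) {
		if (inode == file_inode(lfp->filp)) {
			lfp = ksmbd_fp_get(lfp);
			up_read(&ci->m_lock);
			ksmbd_inode_put(ci);
			return lfp;
		}
	}
	up_read(&ci->m_lock);
	ksmbd_inode_put(ci);
	return NULL;
}

/**
 * ksmbd_has_open_files() - is any FP_INITED global fp open below @dentry?
 * @dentry: directory to test
 *
 * Handles on @dentry itself are ignored; only strict subdirectories/files
 * (is_subdir()) count.
 */
bool ksmbd_has_open_files(struct dentry *dentry)
{
	struct ksmbd_file *fp;
	unsigned int id;
	bool ret = false;

	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		struct dentry *fp_dentry = fp->filp->f_path.dentry;

		if (fp->f_state != FP_INITED)
			continue;
		if (fp_dentry == dentry)
			continue;
		if (is_subdir(fp_dentry, dentry)) {
			ret = true;
			break;
		}
	}
	read_unlock(&global_ft.lock);

	return ret;
}

#define OPEN_ID_TYPE_VOLATILE_ID	(0)
#define OPEN_ID_TYPE_PERSISTENT_ID	(1)

/* __open_id_set() - store @id into the field selected by @type. */
static void __open_id_set(struct ksmbd_file *fp, u64 id, int type)
{
	if (type == OPEN_ID_TYPE_VOLATILE_ID)
		fp->volatile_id = id;
	if (type == OPEN_ID_TYPE_PERSISTENT_ID)
		fp->persistent_id = id;
}

/*
 * __open_id() - allocate a volatile or persistent id for @fp in @ft.
 *
 * Volatile ids are charged against fd_limit; persistent ids are not.
 * On success the id is stored via __open_id_set() and 0 is returned. On
 * failure the field is set to KSMBD_NO_FID and -EMFILE (fd_limit exhausted)
 * or the idr_alloc_cyclic() error is returned.
 */
static int __open_id(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
		     int type)
{
	u64 id = 0;
	int ret;

	if (type == OPEN_ID_TYPE_VOLATILE_ID && fd_limit_depleted()) {
		__open_id_set(fp, KSMBD_NO_FID, type);
		return -EMFILE;
	}

	idr_preload(KSMBD_DEFAULT_GFP);
	write_lock(&ft->lock);
	ret = idr_alloc_cyclic(ft->idr, fp, KSMBD_START_FID, INT_MAX - 1,
			       GFP_NOWAIT);
	if (ret >= 0) {
		id = ret;
		ret = 0;
	} else {
		id = KSMBD_NO_FID;
		/*
		 * Only the volatile-id path charged fd_limit (via
		 * fd_limit_depleted() above). A failed persistent-id
		 * allocation must not credit it back, or the limit drifts
		 * upward by one on every such failure.
		 */
		if (type == OPEN_ID_TYPE_VOLATILE_ID)
			fd_limit_close();
	}

	__open_id_set(fp, id, type);
	write_unlock(&ft->lock);
	idr_preload_end();
	return ret;
}

/**
 * ksmbd_open_durable_fd() - publish @fp in global_ft with a persistent id
 * @fp: fp to publish
 *
 * The allocation result is not checked here; on failure fp->persistent_id
 * is KSMBD_NO_FID, which is what is returned.
 *
 * Return: the persistent id now stored in @fp.
 */
unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp)
{
	__open_id(&global_ft, fp, OPEN_ID_TYPE_PERSISTENT_ID);
	return fp->persistent_id;
}

/**
 * ksmbd_open_fd() - create an fp for @filp and publish it in the session table
 * @work: request context; supplies conn, tcon and the session file table
 * @filp: struct file the fp wraps (ownership passes to fp on success)
 *
 * The new fp starts with refcount 1, state FP_NEW, a strong reference on
 * work->conn, and a reference on its ksmbd_inode.
 *
 * Return: the fp, or ERR_PTR(-ENOMEM) / ERR_PTR(__open_id() error).
 * On error nothing allocated here is leaked and @filp is not put.
 */
struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
{
	struct ksmbd_file *fp;
	int ret;

	fp = kmem_cache_zalloc(filp_cache, KSMBD_DEFAULT_GFP);
	if (!fp) {
		pr_err("Failed to allocate memory\n");
		return ERR_PTR(-ENOMEM);
	}

	INIT_LIST_HEAD(&fp->blocked_works);
	INIT_LIST_HEAD(&fp->node);
	INIT_LIST_HEAD(&fp->lock_list);
	spin_lock_init(&fp->f_lock);
	mutex_init(&fp->readdir_lock);
	atomic_set(&fp->refcount, 1);

	fp->filp = filp;
	/*
	 * fp owns a strong reference on fp->conn for as long as fp->conn is
	 * non-NULL, so session_fd_check() and __ksmbd_close_fd() never
	 * dereference a dangling pointer. Paired with ksmbd_conn_put() in
	 * session_fd_check() (durable preserve), in __ksmbd_close_fd()
	 * (final close), and on the error paths below.
	 */
	fp->conn = ksmbd_conn_get(work->conn);
	fp->tcon = work->tcon;
	fp->volatile_id = KSMBD_NO_FID;
	fp->persistent_id = KSMBD_NO_FID;
	fp->f_state = FP_NEW;
	fp->f_ci = ksmbd_inode_get(fp);

	if (!fp->f_ci) {
		ret = -ENOMEM;
		goto err_out;
	}

	ret = __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
	if (ret) {
		ksmbd_inode_put(fp->f_ci);
		goto err_out;
	}

	atomic_inc(&work->conn->stats.open_files_count);
	return fp;

err_out:
	/* fp->conn was set and refcounted before every branch here. */
	ksmbd_conn_put(fp->conn);
	kmem_cache_free(filp_cache, fp);
	return ERR_PTR(ret);
}

/**
 * ksmbd_update_fstate() - update an fp state under the file-table lock
 * @ft: file table that publishes @fp's volatile id
 * @fp: file pointer to update
 * @state: new state
 *
 * Return: 0 on success. The FP_NEW -> FP_INITED transition is special:
 * -ENOENT if teardown already unpublished @fp by advancing the state or
 * clearing the volatile id. Other state updates preserve the historical
 * fire-and-forget behavior.
 */
int ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
			unsigned int state)
{
	int ret;

	if (!fp)
		return -ENOENT;

	write_lock(&ft->lock);
	if (state == FP_INITED &&
	    (fp->f_state != FP_NEW || !has_file_id(fp->volatile_id))) {
		ret = -ENOENT;
	} else {
		fp->f_state = state;
		ret = 0;
	}
	write_unlock(&ft->lock);

	return ret;
}

/*
 * ksmbd_mark_fp_closed() - mark fp closed under ft->lock and return how many
 * refs the teardown path owns.
 *
 * FP_INITED has a normal idr-owned reference, so teardown owns both that
 * reference and the transient lookup reference. FP_NEW is still owned by the
 * in-flight opener/reopener, which will drop the original reference after
 * ksmbd_update_fstate(..., FP_INITED) observes the cleared volatile id.
 * FP_CLOSED on entry means an earlier ksmbd_close_fd() already consumed the
 * idr-owned ref.
 */
static int ksmbd_mark_fp_closed(struct ksmbd_file *fp)
{
	if (fp->f_state == FP_INITED) {
		set_close_state_blocked_works(fp);
		fp->f_state = FP_CLOSED;
		return 2;
	}

	return 1;
}

/*
 * __close_file_table_ids() - close (or, for session teardown, preserve) every
 * fp in sess->file_table that @skip() does not exclude.
 *
 * @skip_preserves_fp selects between the session-teardown protocol
 * (skip() may sleep and rewrite fp fields, so fp is unpublished first) and
 * the tree-teardown protocol (skip() is a pure compare done under the lock).
 *
 * Returns the number of fps for which this walk performed the final close;
 * the caller uses it to adjust the connection's open_files_count.
 */
static int
__close_file_table_ids(struct ksmbd_session *sess,
		       struct ksmbd_tree_connect *tcon,
		       bool (*skip)(struct ksmbd_tree_connect *tcon,
				    struct ksmbd_file *fp,
				    struct ksmbd_user *user),
		       bool skip_preserves_fp)
{
	struct ksmbd_file_table *ft = &sess->file_table;
	struct ksmbd_file *fp;
	unsigned int id = 0;
	int num = 0;

	while (1) {
		int n_to_drop;

		write_lock(&ft->lock);
		fp = idr_get_next(ft->idr, &id);
		if (!fp) {
			write_unlock(&ft->lock);
			break;
		}
		if (!atomic_inc_not_zero(&fp->refcount)) {
			id++;
			write_unlock(&ft->lock);
			continue;
		}

		if (skip_preserves_fp) {
			/*
			 * Session teardown: skip() is session_fd_check(),
			 * which may sleep and mutates fp->conn / fp->tcon /
			 * fp->volatile_id when it chooses to preserve fp
			 * for durable reconnect. Unpublish fp from the
			 * session idr here, under ft->lock, so that
			 * __ksmbd_lookup_fd() through this session cannot
			 * grant a new ksmbd_fp_get() reference to an fp
			 * whose fields are about to be rewritten outside
			 * the lock. Durable reconnect still reaches fp via
			 * global_ft.
			 */
			idr_remove(ft->idr, id);
			fp->durable_volatile_id = fp->volatile_id;
			fp->volatile_id = KSMBD_NO_FID;
			write_unlock(&ft->lock);

			if (skip(tcon, fp, sess->user)) {
				/*
				 * session_fd_check() has converted fp to
				 * durable-preserve state and cleared its
				 * per-conn fields. fp is already unpublished
				 * above; the original idr-owned ref keeps it
				 * alive for the durable scavenger. Drop only
				 * the transient ref. atomic_dec() is safe --
				 * atomic_inc_not_zero() succeeded on a
				 * positive value and we added one more, so
				 * refcount cannot be zero here.
				 */
				atomic_dec(&fp->refcount);
				id++;
				continue;
			}

			/*
			 * Keep the close-state decision under the same lock
			 * observed by ksmbd_update_fstate(), which is how an
			 * in-flight FP_NEW opener learns that teardown has
			 * cleared its volatile id.
			 */
			write_lock(&ft->lock);
			n_to_drop = ksmbd_mark_fp_closed(fp);
			write_unlock(&ft->lock);
		} else {
			/*
			 * Tree teardown: skip() is tree_conn_fd_check(), a
			 * cheap pointer compare that doesn't sleep and has
			 * no side effects, so keep the skip decision plus
			 * the unpublish-and-mark-closed sequence atomic
			 * under ft->lock. fps belonging to other tree
			 * connects (skip() == true) stay fully published in
			 * the session idr with no lock window.
			 */
			if (skip(tcon, fp, sess->user)) {
				atomic_dec(&fp->refcount);
				write_unlock(&ft->lock);
				id++;
				continue;
			}
			idr_remove(ft->idr, id);
			fp->volatile_id = KSMBD_NO_FID;
			n_to_drop = ksmbd_mark_fp_closed(fp);
			write_unlock(&ft->lock);
		}

		/*
		 * fp->volatile_id is already cleared to prevent stale idr
		 * removal from a deferred final close. Remove fp from
		 * m_fp_list here because __ksmbd_remove_fd() will skip the
		 * list unlink when volatile_id is KSMBD_NO_FID.
		 */
		down_write(&fp->f_ci->m_lock);
		list_del_init(&fp->node);
		up_write(&fp->f_ci->m_lock);

		/*
		 * Drop the references this iteration owns:
		 *
		 * n_to_drop == 2: we observed FP_INITED and committed
		 * the FP_CLOSED transition ourselves, so we own the
		 * transient (+1) and the still-intact idr-owned ref.
		 *
		 * n_to_drop == 1: either a prior ksmbd_close_fd()
		 * already consumed the idr-owned ref, or fp was still
		 * FP_NEW and the in-flight opener/reopener must keep
		 * the original reference until ksmbd_update_fstate()
		 * observes the cleared volatile id.
		 *
		 * If we end up as the final putter, finalize fp and
		 * account the open_files_count decrement via the caller's
		 * atomic_sub(num, ...). Otherwise the remaining user's
		 * ksmbd_fd_put() reaches __put_fd_final(), which does its
		 * own atomic_dec(&open_files_count), so we must not count
		 * this fp here -- doing so would double-decrement the
		 * connection-wide counter.
		 */
		if (atomic_sub_and_test(n_to_drop, &fp->refcount)) {
			__ksmbd_close_fd(NULL, fp);
			num++;
		}
		id++;
	}

	return num;
}

/*
 * is_reconnectable() - may @fp survive a disconnect for later reconnect?
 *
 * Requires an oplock/lease with no break in progress, and then either a
 * resilient/persistent handle, or a durable handle backed by a
 * handle-caching lease or a batch oplock.
 */
static inline bool is_reconnectable(struct ksmbd_file *fp)
{
	struct oplock_info *opinfo = opinfo_get(fp);
	bool reconn = false;

	if (!opinfo)
		return false;

	if (opinfo->op_state != OPLOCK_STATE_NONE) {
		opinfo_put(opinfo);
		return false;
	}

	if (fp->is_resilient || fp->is_persistent)
		reconn = true;
	else if (fp->is_durable && opinfo->is_lease &&
		 opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
		reconn = true;

	else if (fp->is_durable && opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)
		reconn = true;

	opinfo_put(opinfo);
	return reconn;
}

/* tree_conn_fd_check() - skip() for tree teardown: keep fps of other tcons. */
static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
			       struct ksmbd_file *fp,
			       struct ksmbd_user *user)
{
	return fp->tcon != tcon;
}

/*
 * ksmbd_durable_scavenger_alive() - should the scavenger keep running?
 *
 * False once it has been told to stop, or once global_ft holds no handles.
 */
static bool ksmbd_durable_scavenger_alive(void)
{
	if (!durable_scavenger_running)
		return false;

	if (kthread_should_stop())
		return false;

	if (idr_is_empty(global_ft.idr))
		return false;

	return true;
}

/*
 * ksmbd_scavenger_dispose_dh() - final disposal of an expired durable handle
 * already removed from global_ft by the scavenger.
 */
static void ksmbd_scavenger_dispose_dh(struct ksmbd_file *fp)
{
	/*
	 * Durable-preserved fp can remain linked on f_ci->m_fp_list for
	 * share-mode checks. Unlink it before final close; fp->node is not
	 * available as a scavenger-private list node because re-adding it to
	 * another list corrupts m_fp_list.
	 */
	down_write(&fp->f_ci->m_lock);
	list_del_init(&fp->node);
	up_write(&fp->f_ci->m_lock);

	/*
	 * Drop both the durable lifetime reference and the transient reference
	 * taken by the scavenger under global_ft.lock.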
If a concurrent 1322 * ksmbd_lookup_fd_inode() (or any other m_fp_list walker) snatched fp 1323 * before the unlink above, that holder owns the final close via 1324 * ksmbd_fd_put() -> __ksmbd_close_fd(). Otherwise the scavenger is 1325 * the last putter and finalises fp here. 1326 */ 1327 if (atomic_sub_and_test(2, &fp->refcount)) 1328 __ksmbd_close_fd(NULL, fp); 1329 } 1330 1331 static int ksmbd_durable_scavenger(void *dummy) 1332 { 1333 struct ksmbd_file *fp = NULL; 1334 struct ksmbd_file *expired_fp; 1335 unsigned int id; 1336 unsigned int min_timeout = 1; 1337 bool found_fp_timeout; 1338 unsigned long remaining_jiffies; 1339 1340 __module_get(THIS_MODULE); 1341 1342 set_freezable(); 1343 while (ksmbd_durable_scavenger_alive()) { 1344 if (try_to_freeze()) 1345 continue; 1346 1347 remaining_jiffies = wait_event_interruptible_timeout(dh_wq, 1348 ksmbd_durable_scavenger_alive() == false, 1349 __msecs_to_jiffies(min_timeout)); 1350 if ((long)remaining_jiffies > 0) 1351 min_timeout = jiffies_to_msecs(remaining_jiffies); 1352 else 1353 min_timeout = DURABLE_HANDLE_MAX_TIMEOUT; 1354 1355 do { 1356 expired_fp = NULL; 1357 found_fp_timeout = false; 1358 1359 write_lock(&global_ft.lock); 1360 idr_for_each_entry(global_ft.idr, fp, id) { 1361 unsigned long durable_timeout; 1362 1363 if (!fp->durable_timeout) 1364 continue; 1365 1366 if (atomic_read(&fp->refcount) > 1 || 1367 fp->conn) 1368 continue; 1369 1370 found_fp_timeout = true; 1371 if (fp->durable_scavenger_timeout <= 1372 jiffies_to_msecs(jiffies)) { 1373 __ksmbd_remove_durable_fd(fp); 1374 /* 1375 * Take a transient reference so fp 1376 * cannot be freed by an in-flight 1377 * ksmbd_lookup_fd_inode() that found 1378 * it through f_ci->m_fp_list while we 1379 * drop global_ft.lock and reach the 1380 * m_fp_list unlink in 1381 * ksmbd_scavenger_dispose_dh(). 
1382 */ 1383 atomic_inc(&fp->refcount); 1384 expired_fp = fp; 1385 break; 1386 } 1387 1388 durable_timeout = 1389 fp->durable_scavenger_timeout - 1390 jiffies_to_msecs(jiffies); 1391 1392 if (min_timeout > durable_timeout) 1393 min_timeout = durable_timeout; 1394 } 1395 write_unlock(&global_ft.lock); 1396 1397 if (expired_fp) 1398 ksmbd_scavenger_dispose_dh(expired_fp); 1399 } while (expired_fp); 1400 1401 if (found_fp_timeout == false) 1402 break; 1403 } 1404 1405 durable_scavenger_running = false; 1406 1407 module_put(THIS_MODULE); 1408 1409 return 0; 1410 } 1411 1412 void ksmbd_launch_ksmbd_durable_scavenger(void) 1413 { 1414 if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE)) 1415 return; 1416 1417 mutex_lock(&durable_scavenger_lock); 1418 if (durable_scavenger_running == true) { 1419 mutex_unlock(&durable_scavenger_lock); 1420 return; 1421 } 1422 1423 durable_scavenger_running = true; 1424 1425 server_conf.dh_task = kthread_run(ksmbd_durable_scavenger, 1426 (void *)NULL, "ksmbd-durable-scavenger"); 1427 if (IS_ERR(server_conf.dh_task)) 1428 pr_err("cannot start conn thread, err : %ld\n", 1429 PTR_ERR(server_conf.dh_task)); 1430 mutex_unlock(&durable_scavenger_lock); 1431 } 1432 1433 void ksmbd_stop_durable_scavenger(void) 1434 { 1435 if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE)) 1436 return; 1437 1438 mutex_lock(&durable_scavenger_lock); 1439 if (!durable_scavenger_running) { 1440 mutex_unlock(&durable_scavenger_lock); 1441 return; 1442 } 1443 1444 durable_scavenger_running = false; 1445 if (waitqueue_active(&dh_wq)) 1446 wake_up(&dh_wq); 1447 mutex_unlock(&durable_scavenger_lock); 1448 kthread_stop(server_conf.dh_task); 1449 } 1450 1451 /* 1452 * ksmbd_vfs_copy_durable_owner - Copy owner info for durable reconnect 1453 * @fp: ksmbd file pointer to store owner info 1454 * @user: user pointer to copy from 1455 * 1456 * This function binds the current user's identity to the file handle 1457 * to satisfy MS-SMB2 Step 8 (SecurityContext 
matching) during reconnect. 1458 * 1459 * Return: 0 on success, or negative error code on failure 1460 */ 1461 static int ksmbd_vfs_copy_durable_owner(struct ksmbd_file *fp, 1462 struct ksmbd_user *user) 1463 { 1464 if (!user) 1465 return -EINVAL; 1466 1467 /* Duplicate the user name to ensure identity persistence */ 1468 fp->owner.name = kstrdup(user->name, GFP_KERNEL); 1469 if (!fp->owner.name) 1470 return -ENOMEM; 1471 1472 fp->owner.uid = user->uid; 1473 fp->owner.gid = user->gid; 1474 1475 return 0; 1476 } 1477 1478 /** 1479 * ksmbd_vfs_compare_durable_owner - Verify if the requester is original owner 1480 * @fp: existing ksmbd file pointer 1481 * @user: user pointer of the reconnect requester 1482 * 1483 * Compares the UID, GID, and name of the current requester against the 1484 * original owner stored in the file handle. 1485 * 1486 * Return: true if the user matches, false otherwise 1487 */ 1488 bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp, 1489 struct ksmbd_user *user) 1490 { 1491 if (!user || !fp->owner.name) 1492 return false; 1493 1494 /* Check if the UID and GID match first (fast path) */ 1495 if (fp->owner.uid != user->uid || fp->owner.gid != user->gid) 1496 return false; 1497 1498 /* Validate the account name to ensure the same SecurityContext */ 1499 if (strcmp(fp->owner.name, user->name)) 1500 return false; 1501 1502 return true; 1503 } 1504 1505 static bool session_fd_check(struct ksmbd_tree_connect *tcon, 1506 struct ksmbd_file *fp, struct ksmbd_user *user) 1507 { 1508 struct ksmbd_inode *ci; 1509 struct oplock_info *op; 1510 struct ksmbd_conn *conn; 1511 struct ksmbd_lock *smb_lock, *tmp_lock; 1512 1513 if (!is_reconnectable(fp)) 1514 return false; 1515 1516 if (fp->f_state != FP_INITED) 1517 return false; 1518 1519 if (WARN_ON_ONCE(!fp->conn)) 1520 return false; 1521 1522 if (ksmbd_vfs_copy_durable_owner(fp, user)) 1523 return false; 1524 1525 /* 1526 * fp owns a strong reference on fp->conn (taken in ksmbd_open_fd() 1527 * / 
ksmbd_reopen_durable_fd()), so conn stays valid for the whole 1528 * body of this function regardless of any op->conn puts below. 1529 */ 1530 conn = fp->conn; 1531 ci = fp->f_ci; 1532 down_write(&ci->m_lock); 1533 list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) { 1534 if (op->conn != conn) 1535 continue; 1536 ksmbd_conn_put(op->conn); 1537 op->conn = NULL; 1538 } 1539 up_write(&ci->m_lock); 1540 1541 list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) { 1542 struct ksmbd_conn *lock_conn = smb_lock->conn; 1543 1544 if (!lock_conn) 1545 continue; 1546 spin_lock(&lock_conn->llist_lock); 1547 list_del_init(&smb_lock->clist); 1548 smb_lock->conn = NULL; 1549 spin_unlock(&lock_conn->llist_lock); 1550 ksmbd_conn_put(lock_conn); 1551 } 1552 1553 fp->conn = NULL; 1554 fp->tcon = NULL; 1555 fp->volatile_id = KSMBD_NO_FID; 1556 1557 if (fp->durable_timeout) 1558 fp->durable_scavenger_timeout = 1559 jiffies_to_msecs(jiffies) + fp->durable_timeout; 1560 1561 /* Drop fp's own reference on conn. 
*/ 1562 ksmbd_conn_put(conn); 1563 return true; 1564 } 1565 1566 void ksmbd_close_tree_conn_fds(struct ksmbd_work *work) 1567 { 1568 int num = __close_file_table_ids(work->sess, 1569 work->tcon, 1570 tree_conn_fd_check, 1571 false); 1572 1573 atomic_sub(num, &work->conn->stats.open_files_count); 1574 } 1575 1576 void ksmbd_close_session_fds(struct ksmbd_work *work) 1577 { 1578 int num = __close_file_table_ids(work->sess, 1579 work->tcon, 1580 session_fd_check, 1581 true); 1582 1583 atomic_sub(num, &work->conn->stats.open_files_count); 1584 } 1585 1586 int ksmbd_init_global_file_table(void) 1587 { 1588 create_proc_files(); 1589 return ksmbd_init_file_table(&global_ft); 1590 } 1591 1592 void ksmbd_free_global_file_table(void) 1593 { 1594 struct ksmbd_file *fp = NULL; 1595 unsigned int id; 1596 1597 idr_for_each_entry(global_ft.idr, fp, id) { 1598 ksmbd_remove_durable_fd(fp); 1599 __ksmbd_close_fd(NULL, fp); 1600 } 1601 1602 idr_destroy(global_ft.idr); 1603 kfree(global_ft.idr); 1604 } 1605 1606 int ksmbd_validate_name_reconnect(struct ksmbd_share_config *share, 1607 struct ksmbd_file *fp, char *name) 1608 { 1609 char *pathname, *ab_pathname; 1610 int ret = 0; 1611 1612 pathname = kmalloc(PATH_MAX, KSMBD_DEFAULT_GFP); 1613 if (!pathname) 1614 return -EACCES; 1615 1616 ab_pathname = d_path(&fp->filp->f_path, pathname, PATH_MAX); 1617 if (IS_ERR(ab_pathname)) { 1618 kfree(pathname); 1619 return -EACCES; 1620 } 1621 1622 if (name && strcmp(&ab_pathname[share->path_sz + 1], name)) { 1623 ksmbd_debug(SMB, "invalid name reconnect %s\n", name); 1624 ret = -EINVAL; 1625 } 1626 1627 kfree(pathname); 1628 1629 return ret; 1630 } 1631 1632 int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp) 1633 { 1634 struct ksmbd_inode *ci; 1635 struct oplock_info *op; 1636 struct ksmbd_conn *conn = work->conn; 1637 struct ksmbd_lock *smb_lock; 1638 unsigned int old_f_state; 1639 1640 write_lock(&global_ft.lock); 1641 if (!fp->is_durable || fp->conn || fp->tcon) { 1642 
write_unlock(&global_ft.lock); 1643 pr_err("Invalid durable fd [%p:%p]\n", fp->conn, fp->tcon); 1644 return -EBADF; 1645 } 1646 1647 if (has_file_id(fp->volatile_id)) { 1648 write_unlock(&global_ft.lock); 1649 pr_err("Still in use durable fd: %llu\n", fp->volatile_id); 1650 return -EBADF; 1651 } 1652 1653 /* 1654 * Initialize fp's connection binding before publishing fp into the 1655 * session's file table. If __open_id() is ordered first, a 1656 * concurrent teardown that iterates the table can observe a valid 1657 * volatile_id with fp->conn == NULL and preserve a 1658 * partially-initialized fp. fp owns a strong reference on the new 1659 * conn (see ksmbd_open_fd()); undo it on __open_id() failure. 1660 */ 1661 fp->conn = ksmbd_conn_get(conn); 1662 fp->tcon = work->tcon; 1663 write_unlock(&global_ft.lock); 1664 1665 old_f_state = fp->f_state; 1666 fp->f_state = FP_NEW; 1667 1668 __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID); 1669 if (!has_file_id(fp->volatile_id)) { 1670 write_lock(&global_ft.lock); 1671 fp->conn = NULL; 1672 fp->tcon = NULL; 1673 write_unlock(&global_ft.lock); 1674 ksmbd_conn_put(conn); 1675 fp->f_state = old_f_state; 1676 return -EBADF; 1677 } 1678 1679 list_for_each_entry(smb_lock, &fp->lock_list, flist) { 1680 smb_lock->conn = ksmbd_conn_get(conn); 1681 spin_lock(&conn->llist_lock); 1682 list_add_tail(&smb_lock->clist, &conn->lock_list); 1683 spin_unlock(&conn->llist_lock); 1684 } 1685 1686 ci = fp->f_ci; 1687 down_write(&ci->m_lock); 1688 list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) { 1689 if (op->conn) 1690 continue; 1691 op->conn = ksmbd_conn_get(fp->conn); 1692 } 1693 up_write(&ci->m_lock); 1694 1695 fp->owner.uid = fp->owner.gid = 0; 1696 kfree(fp->owner.name); 1697 fp->owner.name = NULL; 1698 1699 return 0; 1700 } 1701 1702 int ksmbd_init_file_table(struct ksmbd_file_table *ft) 1703 { 1704 ft->idr = kzalloc_obj(struct idr, KSMBD_DEFAULT_GFP); 1705 if (!ft->idr) 1706 return -ENOMEM; 1707 1708 
idr_init(ft->idr); 1709 rwlock_init(&ft->lock); 1710 return 0; 1711 } 1712 1713 void ksmbd_destroy_file_table(struct ksmbd_session *sess) 1714 { 1715 struct ksmbd_file_table *ft = &sess->file_table; 1716 1717 if (!ft->idr) 1718 return; 1719 1720 __close_file_table_ids(sess, NULL, session_fd_check, true); 1721 idr_destroy(ft->idr); 1722 kfree(ft->idr); 1723 ft->idr = NULL; 1724 } 1725 1726 int ksmbd_init_file_cache(void) 1727 { 1728 filp_cache = kmem_cache_create("ksmbd_file_cache", 1729 sizeof(struct ksmbd_file), 0, 1730 SLAB_HWCACHE_ALIGN, NULL); 1731 if (!filp_cache) 1732 goto out; 1733 1734 init_waitqueue_head(&dh_wq); 1735 1736 return 0; 1737 1738 out: 1739 pr_err("failed to allocate file cache\n"); 1740 return -ENOMEM; 1741 } 1742 1743 void ksmbd_exit_file_cache(void) 1744 { 1745 kmem_cache_destroy(filp_cache); 1746 } 1747