1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * NFS server file handle treatment.
4 *
5 * Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de>
6 * Portions Copyright (C) 1999 G. Allen Morris III <gam3@acm.org>
7 * Extensive rewrite by Neil Brown <neilb@cse.unsw.edu.au> Southern-Spring 1999
8 * ... and again Southern-Winter 2001 to support export_operations
9 */
10
11 #include <linux/exportfs.h>
12
13 #include <linux/sunrpc/svcauth_gss.h>
14 #include "nfsd.h"
15 #include "vfs.h"
16 #include "auth.h"
17 #include "trace.h"
18
19 #define NFSDDBG_FACILITY NFSDDBG_FH
20
21
22 /*
23 * our acceptability function.
24 * if NOSUBTREECHECK, accept anything
25 * if not, require that we can walk up to exp->ex_dentry
26 * doing some checks on the 'x' bits
27 */
nfsd_acceptable(void * expv,struct dentry * dentry)28 static int nfsd_acceptable(void *expv, struct dentry *dentry)
29 {
30 struct svc_export *exp = expv;
31 int rv;
32 struct dentry *tdentry;
33 struct dentry *parent;
34
35 if (exp->ex_flags & NFSEXP_NOSUBTREECHECK)
36 return 1;
37
38 tdentry = dget(dentry);
39 while (tdentry != exp->ex_path.dentry && !IS_ROOT(tdentry)) {
40 /* make sure parents give x permission to user */
41 int err;
42 parent = dget_parent(tdentry);
43 err = inode_permission(&nop_mnt_idmap,
44 d_inode(parent), MAY_EXEC);
45 if (err < 0) {
46 dput(parent);
47 break;
48 }
49 dput(tdentry);
50 tdentry = parent;
51 }
52 if (tdentry != exp->ex_path.dentry)
53 dprintk("nfsd_acceptable failed at %p %pd\n", tdentry, tdentry);
54 rv = (tdentry == exp->ex_path.dentry);
55 dput(tdentry);
56 return rv;
57 }
58
59 /* Type check. The correct error return for type mismatches does not seem to be
60 * generally agreed upon. SunOS seems to use EISDIR if file isn't S_IFREG; a
61 * comment in the NFSv3 spec says this is incorrect (implementation notes for
62 * the write call).
63 */
64 static inline __be32
nfsd_mode_check(struct dentry * dentry,umode_t requested)65 nfsd_mode_check(struct dentry *dentry, umode_t requested)
66 {
67 umode_t mode = d_inode(dentry)->i_mode & S_IFMT;
68
69 if (requested == 0) /* the caller doesn't care */
70 return nfs_ok;
71 if (mode == requested) {
72 if (mode == S_IFDIR && !d_can_lookup(dentry)) {
73 WARN_ON_ONCE(1);
74 return nfserr_notdir;
75 }
76 return nfs_ok;
77 }
78 if (mode == S_IFLNK) {
79 if (requested == S_IFDIR)
80 return nfserr_symlink_not_dir;
81 return nfserr_symlink;
82 }
83 if (requested == S_IFDIR)
84 return nfserr_notdir;
85 if (mode == S_IFDIR)
86 return nfserr_isdir;
87 return nfserr_wrong_type;
88 }
89
nfsd_originating_port_ok(struct svc_rqst * rqstp,struct svc_cred * cred,struct svc_export * exp)90 static bool nfsd_originating_port_ok(struct svc_rqst *rqstp,
91 struct svc_cred *cred,
92 struct svc_export *exp)
93 {
94 if (nfsexp_flags(cred, exp) & NFSEXP_INSECURE_PORT)
95 return true;
96 /* We don't require gss requests to use low ports: */
97 if (cred->cr_flavor >= RPC_AUTH_GSS)
98 return true;
99 return test_bit(RQ_SECURE, &rqstp->rq_flags);
100 }
101
nfsd_setuser_and_check_port(struct svc_rqst * rqstp,struct svc_cred * cred,struct svc_export * exp)102 static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
103 struct svc_cred *cred,
104 struct svc_export *exp)
105 {
106 /* Check if the request originated from a secure port. */
107 if (rqstp && !nfsd_originating_port_ok(rqstp, cred, exp)) {
108 RPC_IFDEBUG(char buf[RPC_MAX_ADDRBUFLEN]);
109 dprintk("nfsd: request from insecure port %s!\n",
110 svc_print_addr(rqstp, buf, sizeof(buf)));
111 return nfserr_perm;
112 }
113
114 /* Set user creds for this exportpoint */
115 return nfserrno(nfsd_setuser(cred, exp));
116 }
117
check_pseudo_root(struct dentry * dentry,struct svc_export * exp)118 static inline __be32 check_pseudo_root(struct dentry *dentry,
119 struct svc_export *exp)
120 {
121 if (!(exp->ex_flags & NFSEXP_V4ROOT))
122 return nfs_ok;
123 /*
124 * We're exposing only the directories and symlinks that have to be
125 * traversed on the way to real exports:
126 */
127 if (unlikely(!d_is_dir(dentry) &&
128 !d_is_symlink(dentry)))
129 return nfserr_stale;
130 /*
131 * A pseudoroot export gives permission to access only one
132 * single directory; the kernel has to make another upcall
133 * before granting access to anything else under it:
134 */
135 if (unlikely(dentry != exp->ex_path.dentry))
136 return nfserr_stale;
137 return nfs_ok;
138 }
139
140 /*
141 * Use the given filehandle to look up the corresponding export and
142 * dentry. On success, the results are used to set fh_export and
143 * fh_dentry.
144 */
nfsd_set_fh_dentry(struct svc_rqst * rqstp,struct net * net,struct svc_cred * cred,struct auth_domain * client,struct auth_domain * gssclient,struct svc_fh * fhp)145 static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqstp, struct net *net,
146 struct svc_cred *cred,
147 struct auth_domain *client,
148 struct auth_domain *gssclient,
149 struct svc_fh *fhp)
150 {
151 struct knfsd_fh *fh = &fhp->fh_handle;
152 struct fid *fid = NULL;
153 struct svc_export *exp;
154 struct dentry *dentry;
155 int fileid_type;
156 int data_left = fh->fh_size/4;
157 int len;
158 __be32 error;
159
160 error = nfserr_badhandle;
161 if (fh->fh_size == 0)
162 return nfserr_nofilehandle;
163
164 if (fh->fh_version != 1)
165 return error;
166
167 if (--data_left < 0)
168 return error;
169 if (fh->fh_auth_type != 0)
170 return error;
171 len = key_len(fh->fh_fsid_type) / 4;
172 if (len == 0)
173 return error;
174 if (fh->fh_fsid_type == FSID_MAJOR_MINOR) {
175 u32 *fsid = fh_fsid(fh);
176
177 /* deprecated, convert to type 3 */
178 len = key_len(FSID_ENCODE_DEV)/4;
179 fh->fh_fsid_type = FSID_ENCODE_DEV;
180 /*
181 * struct knfsd_fh uses host-endian fields, which are
182 * sometimes used to hold net-endian values. This
183 * confuses sparse, so we must use __force here to
184 * keep it from complaining.
185 */
186 fsid[0] = new_encode_dev(MKDEV(ntohl((__force __be32)fsid[0]),
187 ntohl((__force __be32)fsid[1])));
188 fsid[1] = fsid[2];
189 }
190 data_left -= len;
191 if (data_left < 0)
192 return error;
193 exp = rqst_exp_find(rqstp ? &rqstp->rq_chandle : NULL,
194 net, client, gssclient,
195 fh->fh_fsid_type, fh_fsid(fh));
196 fid = (struct fid *)(fh_fsid(fh) + len);
197
198 error = nfserr_stale;
199 if (IS_ERR(exp)) {
200 trace_nfsd_set_fh_dentry_badexport(rqstp, fhp, PTR_ERR(exp));
201
202 if (PTR_ERR(exp) == -ENOENT)
203 return error;
204
205 return nfserrno(PTR_ERR(exp));
206 }
207
208 if (exp->ex_flags & NFSEXP_NOSUBTREECHECK) {
209 /* Elevate privileges so that the lack of 'r' or 'x'
210 * permission on some parent directory will
211 * not stop exportfs_decode_fh from being able
212 * to reconnect a directory into the dentry cache.
213 * The same problem can affect "SUBTREECHECK" exports,
214 * but as nfsd_acceptable depends on correct
215 * access control settings being in effect, we cannot
216 * fix that case easily.
217 */
218 struct cred *new = prepare_creds();
219 if (!new) {
220 error = nfserrno(-ENOMEM);
221 goto out;
222 }
223 new->cap_effective =
224 cap_raise_nfsd_set(new->cap_effective,
225 new->cap_permitted);
226 put_cred(override_creds(new));
227 } else {
228 error = nfsd_setuser_and_check_port(rqstp, cred, exp);
229 if (error)
230 goto out;
231 }
232
233 /*
234 * Look up the dentry using the NFS file handle.
235 */
236 error = nfserr_badhandle;
237
238 fileid_type = fh->fh_fileid_type;
239
240 if (fileid_type == FILEID_ROOT)
241 dentry = dget(exp->ex_path.dentry);
242 else {
243 dentry = exportfs_decode_fh_raw(exp->ex_path.mnt, fid,
244 data_left, fileid_type, 0,
245 nfsd_acceptable, exp);
246 if (IS_ERR_OR_NULL(dentry)) {
247 trace_nfsd_set_fh_dentry_badhandle(rqstp, fhp,
248 dentry ? PTR_ERR(dentry) : -ESTALE);
249 switch (PTR_ERR(dentry)) {
250 case -ENOMEM:
251 case -ETIMEDOUT:
252 break;
253 default:
254 dentry = ERR_PTR(-ESTALE);
255 }
256 }
257 }
258 if (dentry == NULL)
259 goto out;
260 if (IS_ERR(dentry)) {
261 if (PTR_ERR(dentry) != -EINVAL)
262 error = nfserrno(PTR_ERR(dentry));
263 goto out;
264 }
265
266 if (d_is_dir(dentry) &&
267 (dentry->d_flags & DCACHE_DISCONNECTED)) {
268 printk("nfsd: find_fh_dentry returned a DISCONNECTED directory: %pd2\n",
269 dentry);
270 }
271
272 fhp->fh_dentry = dentry;
273 fhp->fh_export = exp;
274
275 switch (fhp->fh_maxsize) {
276 case NFS4_FHSIZE:
277 if (dentry->d_sb->s_export_op->flags & EXPORT_OP_NOATOMIC_ATTR)
278 fhp->fh_no_atomic_attr = true;
279 fhp->fh_64bit_cookies = true;
280 break;
281 case NFS3_FHSIZE:
282 if (dentry->d_sb->s_export_op->flags & EXPORT_OP_NOWCC)
283 fhp->fh_no_wcc = true;
284 fhp->fh_64bit_cookies = true;
285 if (exp->ex_flags & NFSEXP_V4ROOT)
286 goto out;
287 break;
288 case NFS_FHSIZE:
289 fhp->fh_no_wcc = true;
290 if (EX_WGATHER(exp))
291 fhp->fh_use_wgather = true;
292 if (exp->ex_flags & NFSEXP_V4ROOT)
293 goto out;
294 }
295
296 return 0;
297 out:
298 exp_put(exp);
299 return error;
300 }
301
302 /**
303 * __fh_verify - filehandle lookup and access checking
304 * @rqstp: RPC transaction context, or NULL
305 * @net: net namespace in which to perform the export lookup
306 * @cred: RPC user credential
307 * @client: RPC auth domain
308 * @gssclient: RPC GSS auth domain, or NULL
309 * @fhp: filehandle to be verified
310 * @type: expected type of object pointed to by filehandle
311 * @access: type of access needed to object
312 *
313 * See fh_verify() for further descriptions of @fhp, @type, and @access.
314 */
315 static __be32
__fh_verify(struct svc_rqst * rqstp,struct net * net,struct svc_cred * cred,struct auth_domain * client,struct auth_domain * gssclient,struct svc_fh * fhp,umode_t type,int access)316 __fh_verify(struct svc_rqst *rqstp,
317 struct net *net, struct svc_cred *cred,
318 struct auth_domain *client,
319 struct auth_domain *gssclient,
320 struct svc_fh *fhp, umode_t type, int access)
321 {
322 struct nfsd_net *nn = net_generic(net, nfsd_net_id);
323 struct svc_export *exp = NULL;
324 bool may_bypass_gss = false;
325 struct dentry *dentry;
326 __be32 error;
327
328 if (!fhp->fh_dentry) {
329 error = nfsd_set_fh_dentry(rqstp, net, cred, client,
330 gssclient, fhp);
331 if (error)
332 goto out;
333 }
334 dentry = fhp->fh_dentry;
335 exp = fhp->fh_export;
336
337 trace_nfsd_fh_verify(rqstp, fhp, type, access);
338
339 /*
340 * We still have to do all these permission checks, even when
341 * fh_dentry is already set:
342 * - fh_verify may be called multiple times with different
343 * "access" arguments (e.g. nfsd_proc_create calls
344 * fh_verify(...,NFSD_MAY_EXEC) first, then later (in
345 * nfsd_create) calls fh_verify(...,NFSD_MAY_CREATE).
346 * - in the NFSv4 case, the filehandle may have been filled
347 * in by fh_compose, and given a dentry, but further
348 * compound operations performed with that filehandle
349 * still need permissions checks. In the worst case, a
350 * mountpoint crossing may have changed the export
351 * options, and we may now need to use a different uid
352 * (for example, if different id-squashing options are in
353 * effect on the new filesystem).
354 */
355 error = check_pseudo_root(dentry, exp);
356 if (error)
357 goto out;
358
359 error = nfsd_setuser_and_check_port(rqstp, cred, exp);
360 if (error)
361 goto out;
362
363 error = nfsd_mode_check(dentry, type);
364 if (error)
365 goto out;
366
367 /*
368 * If rqstp is NULL, this is a LOCALIO request which will only
369 * ever use a filehandle/credential pair for which access has
370 * been affirmed (by ACCESS or OPEN NFS requests) over the
371 * wire. Skip both the xprtsec policy and the security flavor
372 * checks.
373 */
374 if (!rqstp)
375 goto check_permissions;
376
377 if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM))
378 /* NLM is allowed to fully bypass authentication */
379 goto out;
380
381 /*
382 * NLM is allowed to bypass the xprtsec policy check because lockd
383 * doesn't support xprtsec.
384 */
385 if (!(access & NFSD_MAY_NLM)) {
386 error = check_xprtsec_policy(exp, rqstp);
387 if (error)
388 goto out;
389 }
390
391 if (access & NFSD_MAY_BYPASS_GSS)
392 may_bypass_gss = true;
393 /*
394 * Clients may expect to be able to use auth_sys during mount,
395 * even if they use gss for everything else; see section 2.3.2
396 * of rfc 2623.
397 */
398 if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT
399 && exp->ex_path.dentry == dentry)
400 may_bypass_gss = true;
401
402 error = check_security_flavor(exp, rqstp, may_bypass_gss);
403 if (error)
404 goto out;
405
406 svc_xprt_set_valid(rqstp->rq_xprt);
407
408 check_permissions:
409 /* Finally, check access permissions. */
410 error = nfsd_permission(cred, exp, dentry, access);
411 out:
412 trace_nfsd_fh_verify_err(rqstp, fhp, type, access, error);
413 if (error == nfserr_stale)
414 nfsd_stats_fh_stale_inc(nn, exp);
415 return error;
416 }
417
418 /**
419 * fh_verify_local - filehandle lookup and access checking
420 * @net: net namespace in which to perform the export lookup
421 * @cred: RPC user credential
422 * @client: RPC auth domain
423 * @fhp: filehandle to be verified
424 * @type: expected type of object pointed to by filehandle
425 * @access: type of access needed to object
426 *
427 * This API can be used by callers who do not have an RPC
428 * transaction context (ie are not running in an nfsd thread).
429 *
430 * See fh_verify() for further descriptions of @fhp, @type, and @access.
431 */
432 __be32
fh_verify_local(struct net * net,struct svc_cred * cred,struct auth_domain * client,struct svc_fh * fhp,umode_t type,int access)433 fh_verify_local(struct net *net, struct svc_cred *cred,
434 struct auth_domain *client, struct svc_fh *fhp,
435 umode_t type, int access)
436 {
437 return __fh_verify(NULL, net, cred, client, NULL,
438 fhp, type, access);
439 }
440
441 /**
442 * fh_verify - filehandle lookup and access checking
443 * @rqstp: pointer to current rpc request
444 * @fhp: filehandle to be verified
445 * @type: expected type of object pointed to by filehandle
446 * @access: type of access needed to object
447 *
448 * Look up a dentry from the on-the-wire filehandle, check the client's
449 * access to the export, and set the current task's credentials.
450 *
451 * Regardless of success or failure of fh_verify(), fh_put() should be
452 * called on @fhp when the caller is finished with the filehandle.
453 *
454 * fh_verify() may be called multiple times on a given filehandle, for
455 * example, when processing an NFSv4 compound. The first call will look
456 * up a dentry using the on-the-wire filehandle. Subsequent calls will
457 * skip the lookup and just perform the other checks and possibly change
458 * the current task's credentials.
459 *
460 * @type specifies the type of object expected using one of the S_IF*
461 * constants defined in include/linux/stat.h. The caller may use zero
462 * to indicate that it doesn't care, or a negative integer to indicate
463 * that it expects something not of the given type.
464 *
465 * @access is formed from the NFSD_MAY_* constants defined in
466 * fs/nfsd/vfs.h.
467 */
468 __be32
fh_verify(struct svc_rqst * rqstp,struct svc_fh * fhp,umode_t type,int access)469 fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access)
470 {
471 return __fh_verify(rqstp, SVC_NET(rqstp), &rqstp->rq_cred,
472 rqstp->rq_client, rqstp->rq_gssclient,
473 fhp, type, access);
474 }
475
476 /*
477 * Compose a file handle for an NFS reply.
478 *
479 * Note that when first composed, the dentry may not yet have
480 * an inode. In this case a call to fh_update should be made
481 * before the fh goes out on the wire ...
482 */
_fh_update(struct svc_fh * fhp,struct svc_export * exp,struct dentry * dentry)483 static void _fh_update(struct svc_fh *fhp, struct svc_export *exp,
484 struct dentry *dentry)
485 {
486 if (dentry != exp->ex_path.dentry) {
487 struct fid *fid = (struct fid *)
488 (fh_fsid(&fhp->fh_handle) + fhp->fh_handle.fh_size/4 - 1);
489 int maxsize = (fhp->fh_maxsize - fhp->fh_handle.fh_size)/4;
490 int fh_flags = (exp->ex_flags & NFSEXP_NOSUBTREECHECK) ? 0 :
491 EXPORT_FH_CONNECTABLE;
492 int fileid_type =
493 exportfs_encode_fh(dentry, fid, &maxsize, fh_flags);
494
495 fhp->fh_handle.fh_fileid_type =
496 fileid_type > 0 ? fileid_type : FILEID_INVALID;
497 fhp->fh_handle.fh_size += maxsize * 4;
498 } else {
499 fhp->fh_handle.fh_fileid_type = FILEID_ROOT;
500 }
501 }
502
is_root_export(struct svc_export * exp)503 static bool is_root_export(struct svc_export *exp)
504 {
505 return exp->ex_path.dentry == exp->ex_path.dentry->d_sb->s_root;
506 }
507
exp_sb(struct svc_export * exp)508 static struct super_block *exp_sb(struct svc_export *exp)
509 {
510 return exp->ex_path.dentry->d_sb;
511 }
512
fsid_type_ok_for_exp(u8 fsid_type,struct svc_export * exp)513 static bool fsid_type_ok_for_exp(u8 fsid_type, struct svc_export *exp)
514 {
515 switch (fsid_type) {
516 case FSID_DEV:
517 if (!old_valid_dev(exp_sb(exp)->s_dev))
518 return false;
519 fallthrough;
520 case FSID_MAJOR_MINOR:
521 case FSID_ENCODE_DEV:
522 return exp_sb(exp)->s_type->fs_flags & FS_REQUIRES_DEV;
523 case FSID_NUM:
524 return exp->ex_flags & NFSEXP_FSID;
525 case FSID_UUID8:
526 case FSID_UUID16:
527 if (!is_root_export(exp))
528 return false;
529 fallthrough;
530 case FSID_UUID4_INUM:
531 case FSID_UUID16_INUM:
532 return exp->ex_uuid != NULL;
533 }
534 return true;
535 }
536
537
set_version_and_fsid_type(struct svc_fh * fhp,struct svc_export * exp,struct svc_fh * ref_fh)538 static void set_version_and_fsid_type(struct svc_fh *fhp, struct svc_export *exp, struct svc_fh *ref_fh)
539 {
540 u8 version;
541 u8 fsid_type;
542 retry:
543 version = 1;
544 if (ref_fh && ref_fh->fh_export == exp) {
545 version = ref_fh->fh_handle.fh_version;
546 fsid_type = ref_fh->fh_handle.fh_fsid_type;
547
548 ref_fh = NULL;
549
550 switch (version) {
551 case 0xca:
552 fsid_type = FSID_DEV;
553 break;
554 case 1:
555 break;
556 default:
557 goto retry;
558 }
559
560 /*
561 * As the fsid -> filesystem mapping was guided by
562 * user-space, there is no guarantee that the filesystem
563 * actually supports that fsid type. If it doesn't we
564 * loop around again without ref_fh set.
565 */
566 if (!fsid_type_ok_for_exp(fsid_type, exp))
567 goto retry;
568 } else if (exp->ex_flags & NFSEXP_FSID) {
569 fsid_type = FSID_NUM;
570 } else if (exp->ex_uuid) {
571 if (fhp->fh_maxsize >= 64) {
572 if (is_root_export(exp))
573 fsid_type = FSID_UUID16;
574 else
575 fsid_type = FSID_UUID16_INUM;
576 } else {
577 if (is_root_export(exp))
578 fsid_type = FSID_UUID8;
579 else
580 fsid_type = FSID_UUID4_INUM;
581 }
582 } else if (!old_valid_dev(exp_sb(exp)->s_dev))
583 /* for newer device numbers, we must use a newer fsid format */
584 fsid_type = FSID_ENCODE_DEV;
585 else
586 fsid_type = FSID_DEV;
587 fhp->fh_handle.fh_version = version;
588 if (version)
589 fhp->fh_handle.fh_fsid_type = fsid_type;
590 }
591
592 __be32
fh_compose(struct svc_fh * fhp,struct svc_export * exp,struct dentry * dentry,struct svc_fh * ref_fh)593 fh_compose(struct svc_fh *fhp, struct svc_export *exp, struct dentry *dentry,
594 struct svc_fh *ref_fh)
595 {
596 /* ref_fh is a reference file handle.
597 * if it is non-null and for the same filesystem, then we should compose
598 * a filehandle which is of the same version, where possible.
599 */
600
601 struct inode * inode = d_inode(dentry);
602 dev_t ex_dev = exp_sb(exp)->s_dev;
603
604 dprintk("nfsd: fh_compose(exp %02x:%02x/%ld %pd2, ino=%ld)\n",
605 MAJOR(ex_dev), MINOR(ex_dev),
606 (long) d_inode(exp->ex_path.dentry)->i_ino,
607 dentry,
608 (inode ? inode->i_ino : 0));
609
610 /* Choose filehandle version and fsid type based on
611 * the reference filehandle (if it is in the same export)
612 * or the export options.
613 */
614 set_version_and_fsid_type(fhp, exp, ref_fh);
615
616 /* If we have a ref_fh, then copy the fh_no_wcc setting from it. */
617 fhp->fh_no_wcc = ref_fh ? ref_fh->fh_no_wcc : false;
618
619 if (ref_fh == fhp)
620 fh_put(ref_fh);
621
622 if (fhp->fh_dentry) {
623 printk(KERN_ERR "fh_compose: fh %pd2 not initialized!\n",
624 dentry);
625 }
626 if (fhp->fh_maxsize < NFS_FHSIZE)
627 printk(KERN_ERR "fh_compose: called with maxsize %d! %pd2\n",
628 fhp->fh_maxsize,
629 dentry);
630
631 fhp->fh_dentry = dget(dentry); /* our internal copy */
632 fhp->fh_export = exp_get(exp);
633
634 fhp->fh_handle.fh_size =
635 key_len(fhp->fh_handle.fh_fsid_type) + 4;
636 fhp->fh_handle.fh_auth_type = 0;
637
638 mk_fsid(fhp->fh_handle.fh_fsid_type,
639 fh_fsid(&fhp->fh_handle),
640 ex_dev,
641 d_inode(exp->ex_path.dentry)->i_ino,
642 exp->ex_fsid, exp->ex_uuid);
643
644 if (inode)
645 _fh_update(fhp, exp, dentry);
646 if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID) {
647 fh_put(fhp);
648 return nfserr_stale;
649 }
650
651 return 0;
652 }
653
654 /*
655 * Update file handle information after changing a dentry.
656 * This is only called by nfsd_create, nfsd_create_v3 and nfsd_proc_create
657 */
658 __be32
fh_update(struct svc_fh * fhp)659 fh_update(struct svc_fh *fhp)
660 {
661 struct dentry *dentry;
662
663 if (!fhp->fh_dentry)
664 goto out_bad;
665
666 dentry = fhp->fh_dentry;
667 if (d_really_is_negative(dentry))
668 goto out_negative;
669 if (fhp->fh_handle.fh_fileid_type != FILEID_ROOT)
670 return 0;
671
672 _fh_update(fhp, fhp->fh_export, dentry);
673 if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID)
674 return nfserr_stale;
675 return 0;
676 out_bad:
677 printk(KERN_ERR "fh_update: fh not verified!\n");
678 return nfserr_serverfault;
679 out_negative:
680 printk(KERN_ERR "fh_update: %pd2 still negative!\n",
681 dentry);
682 return nfserr_serverfault;
683 }
684
685 /**
686 * fh_getattr - Retrieve attributes on a local file
687 * @fhp: File handle of target file
688 * @stat: Caller-supplied kstat buffer to be filled in
689 *
690 * Returns nfs_ok on success, otherwise an NFS status code is
691 * returned.
692 */
fh_getattr(const struct svc_fh * fhp,struct kstat * stat)693 __be32 fh_getattr(const struct svc_fh *fhp, struct kstat *stat)
694 {
695 struct path p = {
696 .mnt = fhp->fh_export->ex_path.mnt,
697 .dentry = fhp->fh_dentry,
698 };
699 struct inode *inode = d_inode(p.dentry);
700 u32 request_mask = STATX_BASIC_STATS;
701
702 if (S_ISREG(inode->i_mode))
703 request_mask |= (STATX_DIOALIGN | STATX_DIO_READ_ALIGN);
704
705 if (fhp->fh_maxsize == NFS4_FHSIZE)
706 request_mask |= (STATX_BTIME | STATX_CHANGE_COOKIE);
707
708 return nfserrno(vfs_getattr(&p, stat, request_mask,
709 AT_STATX_SYNC_AS_STAT));
710 }
711
712 /**
713 * fh_fill_pre_attrs - Fill in pre-op attributes
714 * @fhp: file handle to be updated
715 *
716 */
fh_fill_pre_attrs(struct svc_fh * fhp)717 __be32 __must_check fh_fill_pre_attrs(struct svc_fh *fhp)
718 {
719 bool v4 = (fhp->fh_maxsize == NFS4_FHSIZE);
720 struct kstat stat;
721 __be32 err;
722
723 if (fhp->fh_no_wcc || fhp->fh_pre_saved)
724 return nfs_ok;
725
726 err = fh_getattr(fhp, &stat);
727 if (err)
728 return err;
729
730 if (v4)
731 fhp->fh_pre_change = nfsd4_change_attribute(&stat);
732
733 fhp->fh_pre_mtime = stat.mtime;
734 fhp->fh_pre_ctime = stat.ctime;
735 fhp->fh_pre_size = stat.size;
736 fhp->fh_pre_saved = true;
737 return nfs_ok;
738 }
739
740 /**
741 * fh_fill_post_attrs - Fill in post-op attributes
742 * @fhp: file handle to be updated
743 *
744 */
fh_fill_post_attrs(struct svc_fh * fhp)745 __be32 fh_fill_post_attrs(struct svc_fh *fhp)
746 {
747 bool v4 = (fhp->fh_maxsize == NFS4_FHSIZE);
748 __be32 err;
749
750 if (fhp->fh_no_wcc)
751 return nfs_ok;
752
753 if (fhp->fh_post_saved)
754 printk("nfsd: inode locked twice during operation.\n");
755
756 err = fh_getattr(fhp, &fhp->fh_post_attr);
757 if (err)
758 return err;
759
760 fhp->fh_post_saved = true;
761 if (v4)
762 fhp->fh_post_change =
763 nfsd4_change_attribute(&fhp->fh_post_attr);
764 return nfs_ok;
765 }
766
767 /**
768 * fh_fill_both_attrs - Fill pre-op and post-op attributes
769 * @fhp: file handle to be updated
770 *
771 * This is used when the directory wasn't changed, but wcc attributes
772 * are needed anyway.
773 */
fh_fill_both_attrs(struct svc_fh * fhp)774 __be32 __must_check fh_fill_both_attrs(struct svc_fh *fhp)
775 {
776 __be32 err;
777
778 err = fh_fill_post_attrs(fhp);
779 if (err)
780 return err;
781
782 fhp->fh_pre_change = fhp->fh_post_change;
783 fhp->fh_pre_mtime = fhp->fh_post_attr.mtime;
784 fhp->fh_pre_ctime = fhp->fh_post_attr.ctime;
785 fhp->fh_pre_size = fhp->fh_post_attr.size;
786 fhp->fh_pre_saved = true;
787 return nfs_ok;
788 }
789
790 /*
791 * Release a file handle.
792 */
793 void
fh_put(struct svc_fh * fhp)794 fh_put(struct svc_fh *fhp)
795 {
796 struct dentry * dentry = fhp->fh_dentry;
797 struct svc_export * exp = fhp->fh_export;
798 if (dentry) {
799 fhp->fh_dentry = NULL;
800 dput(dentry);
801 fh_clear_pre_post_attrs(fhp);
802 }
803 fh_drop_write(fhp);
804 if (exp) {
805 exp_put(exp);
806 fhp->fh_export = NULL;
807 }
808 fhp->fh_no_wcc = false;
809 return;
810 }
811
812 /*
813 * Shorthand for dprintk()'s
814 */
SVCFH_fmt(struct svc_fh * fhp)815 char * SVCFH_fmt(struct svc_fh *fhp)
816 {
817 struct knfsd_fh *fh = &fhp->fh_handle;
818 static char buf[2+1+1+64*3+1];
819
820 if (fh->fh_size > 64)
821 return "bad-fh";
822 sprintf(buf, "%d: %*ph", fh->fh_size, fh->fh_size, fh->fh_raw);
823 return buf;
824 }
825
fsid_source(const struct svc_fh * fhp)826 enum fsid_source fsid_source(const struct svc_fh *fhp)
827 {
828 if (fhp->fh_handle.fh_version != 1)
829 return FSIDSOURCE_DEV;
830 switch(fhp->fh_handle.fh_fsid_type) {
831 case FSID_DEV:
832 case FSID_ENCODE_DEV:
833 case FSID_MAJOR_MINOR:
834 if (exp_sb(fhp->fh_export)->s_type->fs_flags & FS_REQUIRES_DEV)
835 return FSIDSOURCE_DEV;
836 break;
837 case FSID_NUM:
838 if (fhp->fh_export->ex_flags & NFSEXP_FSID)
839 return FSIDSOURCE_FSID;
840 break;
841 default:
842 break;
843 }
844 /* either a UUID type filehandle, or the filehandle doesn't
845 * match the export.
846 */
847 if (fhp->fh_export->ex_flags & NFSEXP_FSID)
848 return FSIDSOURCE_FSID;
849 if (fhp->fh_export->ex_uuid)
850 return FSIDSOURCE_UUID;
851 return FSIDSOURCE_DEV;
852 }
853
854 /**
855 * nfsd4_change_attribute - Generate an NFSv4 change_attribute value
856 * @stat: inode attributes
857 *
858 * Caller must fill in @stat before calling, typically by invoking
859 * vfs_getattr() with STATX_MODE, STATX_CTIME, and STATX_CHANGE_COOKIE.
860 * Returns an unsigned 64-bit changeid4 value (RFC 8881 Section 3.2).
861 *
862 * We could use i_version alone as the change attribute. However, i_version
863 * can go backwards on a regular file after an unclean shutdown. On its own
864 * that doesn't necessarily cause a problem, but if i_version goes backwards
865 * and then is incremented again it could reuse a value that was previously
866 * used before boot, and a client who queried the two values might incorrectly
867 * assume nothing changed.
868 *
869 * By using both ctime and the i_version counter we guarantee that as long as
870 * time doesn't go backwards we never reuse an old value. If the filesystem
871 * advertises STATX_ATTR_CHANGE_MONOTONIC, then this mitigation is not
872 * needed.
873 *
874 * We only need to do this for regular files as well. For directories, we
875 * assume that the new change attr is always logged to stable storage in some
876 * fashion before the results can be seen.
877 */
nfsd4_change_attribute(const struct kstat * stat)878 u64 nfsd4_change_attribute(const struct kstat *stat)
879 {
880 u64 chattr;
881
882 if (stat->result_mask & STATX_CHANGE_COOKIE) {
883 chattr = stat->change_cookie;
884 if (S_ISREG(stat->mode) &&
885 !(stat->attributes & STATX_ATTR_CHANGE_MONOTONIC)) {
886 chattr += (u64)stat->ctime.tv_sec << 30;
887 chattr += stat->ctime.tv_nsec;
888 }
889 } else {
890 chattr = time_to_chattr(&stat->ctime);
891 }
892 return chattr;
893 }
894