1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2016 Namjae Jeon <linkinjeon@kernel.org>
4 * Copyright (C) 2019 Samsung Electronics Co., Ltd.
5 */
6
7 #include <linux/fs.h>
8 #include <linux/filelock.h>
9 #include <linux/slab.h>
10 #include <linux/vmalloc.h>
11 #include <linux/kthread.h>
12 #include <linux/freezer.h>
13
14 #include "glob.h"
15 #include "vfs_cache.h"
16 #include "oplock.h"
17 #include "vfs.h"
18 #include "connection.h"
19 #include "misc.h"
20 #include "mgmt/tree_connect.h"
21 #include "mgmt/user_session.h"
22 #include "mgmt/user_config.h"
23 #include "smb_common.h"
24 #include "server.h"
25 #include "smb2pdu.h"
26
27 #define S_DEL_PENDING 1
28 #define S_DEL_ON_CLS 2
29 #define S_DEL_ON_CLS_STREAM 8
30
31 static unsigned int inode_hash_mask __read_mostly;
32 static unsigned int inode_hash_shift __read_mostly;
33 static struct hlist_head *inode_hashtable __read_mostly;
34 static DEFINE_RWLOCK(inode_hash_lock);
35
36 static struct ksmbd_file_table global_ft;
37 static atomic_long_t fd_limit;
38 static struct kmem_cache *filp_cache;
39
40 #define OPLOCK_NONE 0
41 #define OPLOCK_EXCLUSIVE 1
42 #define OPLOCK_BATCH 2
43 #define OPLOCK_READ 3 /* level 2 oplock */
44
45 #ifdef CONFIG_PROC_FS
46
47 static const struct ksmbd_const_name ksmbd_lease_const_names[] = {
48 {le32_to_cpu(SMB2_LEASE_NONE_LE), "LEASE_NONE"},
49 {le32_to_cpu(SMB2_LEASE_READ_CACHING_LE), "LEASE_R"},
50 {le32_to_cpu(SMB2_LEASE_HANDLE_CACHING_LE), "LEASE_H"},
51 {le32_to_cpu(SMB2_LEASE_WRITE_CACHING_LE), "LEASE_W"},
52 {le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
53 SMB2_LEASE_HANDLE_CACHING_LE), "LEASE_RH"},
54 {le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
55 SMB2_LEASE_WRITE_CACHING_LE), "LEASE_RW"},
56 {le32_to_cpu(SMB2_LEASE_HANDLE_CACHING_LE |
57 SMB2_LEASE_WRITE_CACHING_LE), "LEASE_WH"},
58 {le32_to_cpu(SMB2_LEASE_READ_CACHING_LE |
59 SMB2_LEASE_HANDLE_CACHING_LE |
60 SMB2_LEASE_WRITE_CACHING_LE), "LEASE_RWH"},
61 };
62
63 static const struct ksmbd_const_name ksmbd_oplock_const_names[] = {
64 {SMB2_OPLOCK_LEVEL_NONE, "OPLOCK_NONE"},
65 {SMB2_OPLOCK_LEVEL_II, "OPLOCK_II"},
66 {SMB2_OPLOCK_LEVEL_EXCLUSIVE, "OPLOCK_EXECL"},
67 {SMB2_OPLOCK_LEVEL_BATCH, "OPLOCK_BATCH"},
68 };
69
proc_show_files(struct seq_file * m,void * v)70 static int proc_show_files(struct seq_file *m, void *v)
71 {
72 struct ksmbd_file *fp = NULL;
73 unsigned int id;
74 struct oplock_info *opinfo;
75
76 seq_printf(m, "#%-10s %-10s %-10s %-10s %-15s %-10s %-10s %s\n",
77 "<tree id>", "<pid>", "<vid>", "<refcnt>",
78 "<oplock>", "<daccess>", "<saccess>",
79 "<name>");
80
81 read_lock(&global_ft.lock);
82 idr_for_each_entry(global_ft.idr, fp, id) {
83 seq_printf(m, "%#-10x %#-10llx %#-10llx %#-10x",
84 fp->tcon ? fp->tcon->id : 0,
85 fp->persistent_id,
86 fp->volatile_id,
87 atomic_read(&fp->refcount));
88
89 rcu_read_lock();
90 opinfo = rcu_dereference(fp->f_opinfo);
91 if (opinfo) {
92 const struct ksmbd_const_name *const_names;
93 int count;
94 unsigned int level;
95
96 if (opinfo->is_lease) {
97 const_names = ksmbd_lease_const_names;
98 count = ARRAY_SIZE(ksmbd_lease_const_names);
99 level = le32_to_cpu(opinfo->o_lease->state);
100 } else {
101 const_names = ksmbd_oplock_const_names;
102 count = ARRAY_SIZE(ksmbd_oplock_const_names);
103 level = opinfo->level;
104 }
105 rcu_read_unlock();
106 ksmbd_proc_show_const_name(m, " %-15s",
107 const_names, count, level);
108 } else {
109 rcu_read_unlock();
110 seq_printf(m, " %-15s", " ");
111 }
112
113 seq_printf(m, " %#010x %#010x %s\n",
114 le32_to_cpu(fp->daccess),
115 le32_to_cpu(fp->saccess),
116 fp->filp->f_path.dentry->d_name.name);
117 }
118 read_unlock(&global_ft.lock);
119 return 0;
120 }
121
create_proc_files(void)122 static int create_proc_files(void)
123 {
124 ksmbd_proc_create("files", proc_show_files, NULL);
125 return 0;
126 }
127 #else
create_proc_files(void)128 static int create_proc_files(void) { return 0; }
129 #endif
130
131 static bool durable_scavenger_running;
132 static DEFINE_MUTEX(durable_scavenger_lock);
133 static wait_queue_head_t dh_wq;
134
ksmbd_set_fd_limit(unsigned long limit)135 void ksmbd_set_fd_limit(unsigned long limit)
136 {
137 limit = min(limit, get_max_files());
138 atomic_long_set(&fd_limit, limit);
139 }
140
fd_limit_depleted(void)141 static bool fd_limit_depleted(void)
142 {
143 long v = atomic_long_dec_return(&fd_limit);
144
145 if (v >= 0)
146 return false;
147 atomic_long_inc(&fd_limit);
148 return true;
149 }
150
fd_limit_close(void)151 static void fd_limit_close(void)
152 {
153 atomic_long_inc(&fd_limit);
154 }
155
156 /*
157 * INODE hash
158 */
159
inode_hash(struct super_block * sb,unsigned long hashval)160 static unsigned long inode_hash(struct super_block *sb, unsigned long hashval)
161 {
162 unsigned long tmp;
163
164 tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) /
165 L1_CACHE_BYTES;
166 tmp = tmp ^ ((tmp ^ GOLDEN_RATIO_PRIME) >> inode_hash_shift);
167 return tmp & inode_hash_mask;
168 }
169
__ksmbd_inode_lookup(struct dentry * de)170 static struct ksmbd_inode *__ksmbd_inode_lookup(struct dentry *de)
171 {
172 struct hlist_head *head = inode_hashtable +
173 inode_hash(d_inode(de)->i_sb, (unsigned long)de);
174 struct ksmbd_inode *ci = NULL, *ret_ci = NULL;
175
176 hlist_for_each_entry(ci, head, m_hash) {
177 if (ci->m_de == de) {
178 if (atomic_inc_not_zero(&ci->m_count))
179 ret_ci = ci;
180 break;
181 }
182 }
183 return ret_ci;
184 }
185
ksmbd_inode_lookup(struct ksmbd_file * fp)186 static struct ksmbd_inode *ksmbd_inode_lookup(struct ksmbd_file *fp)
187 {
188 return __ksmbd_inode_lookup(fp->filp->f_path.dentry);
189 }
190
ksmbd_inode_lookup_lock(struct dentry * d)191 struct ksmbd_inode *ksmbd_inode_lookup_lock(struct dentry *d)
192 {
193 struct ksmbd_inode *ci;
194
195 read_lock(&inode_hash_lock);
196 ci = __ksmbd_inode_lookup(d);
197 read_unlock(&inode_hash_lock);
198
199 return ci;
200 }
201
ksmbd_query_inode_status(struct dentry * dentry)202 int ksmbd_query_inode_status(struct dentry *dentry)
203 {
204 struct ksmbd_inode *ci;
205 int ret = KSMBD_INODE_STATUS_UNKNOWN;
206
207 read_lock(&inode_hash_lock);
208 ci = __ksmbd_inode_lookup(dentry);
209 read_unlock(&inode_hash_lock);
210 if (!ci)
211 return ret;
212
213 down_read(&ci->m_lock);
214 if (ci->m_flags & S_DEL_PENDING)
215 ret = KSMBD_INODE_STATUS_PENDING_DELETE;
216 else
217 ret = KSMBD_INODE_STATUS_OK;
218 up_read(&ci->m_lock);
219
220 atomic_dec(&ci->m_count);
221 return ret;
222 }
223
ksmbd_inode_pending_delete(struct ksmbd_file * fp)224 bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
225 {
226 struct ksmbd_inode *ci = fp->f_ci;
227 int ret;
228
229 down_read(&ci->m_lock);
230 ret = (ci->m_flags & S_DEL_PENDING);
231 up_read(&ci->m_lock);
232
233 return ret;
234 }
235
ksmbd_set_inode_pending_delete(struct ksmbd_file * fp)236 void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
237 {
238 struct ksmbd_inode *ci = fp->f_ci;
239
240 down_write(&ci->m_lock);
241 ci->m_flags |= S_DEL_PENDING;
242 up_write(&ci->m_lock);
243 }
244
ksmbd_clear_inode_pending_delete(struct ksmbd_file * fp)245 void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp)
246 {
247 struct ksmbd_inode *ci = fp->f_ci;
248
249 down_write(&ci->m_lock);
250 ci->m_flags &= ~S_DEL_PENDING;
251 up_write(&ci->m_lock);
252 }
253
ksmbd_fd_set_delete_on_close(struct ksmbd_file * fp,int file_info)254 void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
255 int file_info)
256 {
257 struct ksmbd_inode *ci = fp->f_ci;
258
259 down_write(&ci->m_lock);
260 if (ksmbd_stream_fd(fp))
261 ci->m_flags |= S_DEL_ON_CLS_STREAM;
262 else
263 ci->m_flags |= S_DEL_ON_CLS;
264 up_write(&ci->m_lock);
265 }
266
ksmbd_inode_hash(struct ksmbd_inode * ci)267 static void ksmbd_inode_hash(struct ksmbd_inode *ci)
268 {
269 struct hlist_head *b = inode_hashtable +
270 inode_hash(d_inode(ci->m_de)->i_sb, (unsigned long)ci->m_de);
271
272 hlist_add_head(&ci->m_hash, b);
273 }
274
ksmbd_inode_unhash(struct ksmbd_inode * ci)275 static void ksmbd_inode_unhash(struct ksmbd_inode *ci)
276 {
277 write_lock(&inode_hash_lock);
278 hlist_del_init(&ci->m_hash);
279 write_unlock(&inode_hash_lock);
280 }
281
ksmbd_inode_init(struct ksmbd_inode * ci,struct ksmbd_file * fp)282 static int ksmbd_inode_init(struct ksmbd_inode *ci, struct ksmbd_file *fp)
283 {
284 atomic_set(&ci->m_count, 1);
285 atomic_set(&ci->op_count, 0);
286 atomic_set(&ci->sop_count, 0);
287 ci->m_flags = 0;
288 ci->m_fattr = 0;
289 INIT_LIST_HEAD(&ci->m_fp_list);
290 INIT_LIST_HEAD(&ci->m_op_list);
291 init_rwsem(&ci->m_lock);
292 ci->m_de = fp->filp->f_path.dentry;
293 return 0;
294 }
295
ksmbd_inode_get(struct ksmbd_file * fp)296 static struct ksmbd_inode *ksmbd_inode_get(struct ksmbd_file *fp)
297 {
298 struct ksmbd_inode *ci, *tmpci;
299 int rc;
300
301 read_lock(&inode_hash_lock);
302 ci = ksmbd_inode_lookup(fp);
303 read_unlock(&inode_hash_lock);
304 if (ci)
305 return ci;
306
307 ci = kmalloc_obj(struct ksmbd_inode, KSMBD_DEFAULT_GFP);
308 if (!ci)
309 return NULL;
310
311 rc = ksmbd_inode_init(ci, fp);
312 if (rc) {
313 pr_err("inode initialized failed\n");
314 kfree(ci);
315 return NULL;
316 }
317
318 write_lock(&inode_hash_lock);
319 tmpci = ksmbd_inode_lookup(fp);
320 if (!tmpci) {
321 ksmbd_inode_hash(ci);
322 } else {
323 kfree(ci);
324 ci = tmpci;
325 }
326 write_unlock(&inode_hash_lock);
327 return ci;
328 }
329
ksmbd_inode_free(struct ksmbd_inode * ci)330 static void ksmbd_inode_free(struct ksmbd_inode *ci)
331 {
332 ksmbd_inode_unhash(ci);
333 kfree(ci);
334 }
335
ksmbd_inode_put(struct ksmbd_inode * ci)336 void ksmbd_inode_put(struct ksmbd_inode *ci)
337 {
338 if (atomic_dec_and_test(&ci->m_count))
339 ksmbd_inode_free(ci);
340 }
341
ksmbd_inode_hash_init(void)342 int __init ksmbd_inode_hash_init(void)
343 {
344 unsigned int loop;
345 unsigned long numentries = 16384;
346 unsigned long bucketsize = sizeof(struct hlist_head);
347 unsigned long size;
348
349 inode_hash_shift = ilog2(numentries);
350 inode_hash_mask = (1 << inode_hash_shift) - 1;
351
352 size = bucketsize << inode_hash_shift;
353
354 /* init master fp hash table */
355 inode_hashtable = vmalloc(size);
356 if (!inode_hashtable)
357 return -ENOMEM;
358
359 for (loop = 0; loop < (1U << inode_hash_shift); loop++)
360 INIT_HLIST_HEAD(&inode_hashtable[loop]);
361 return 0;
362 }
363
ksmbd_release_inode_hash(void)364 void ksmbd_release_inode_hash(void)
365 {
366 vfree(inode_hashtable);
367 }
368
__ksmbd_inode_close(struct ksmbd_file * fp)369 static void __ksmbd_inode_close(struct ksmbd_file *fp)
370 {
371 struct ksmbd_inode *ci = fp->f_ci;
372 int err;
373 struct file *filp;
374
375 filp = fp->filp;
376
377 if (ksmbd_stream_fd(fp)) {
378 bool remove_stream_xattr = false;
379
380 down_write(&ci->m_lock);
381 if (ci->m_flags & S_DEL_ON_CLS_STREAM) {
382 ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
383 remove_stream_xattr = true;
384 }
385 up_write(&ci->m_lock);
386
387 if (remove_stream_xattr) {
388 err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
389 &filp->f_path,
390 fp->stream.name,
391 true);
392 if (err)
393 pr_err("remove xattr failed : %s\n",
394 fp->stream.name);
395 }
396 }
397
398 down_write(&ci->m_lock);
399 /* Promote S_DEL_ON_CLS to S_DEL_PENDING when close */
400 if (ci->m_flags & S_DEL_ON_CLS) {
401 ci->m_flags &= ~S_DEL_ON_CLS;
402 ci->m_flags |= S_DEL_PENDING;
403 }
404 up_write(&ci->m_lock);
405
406 if (atomic_dec_and_test(&ci->m_count)) {
407 bool do_unlink = false;
408
409 down_write(&ci->m_lock);
410 if (ci->m_flags & S_DEL_PENDING) {
411 ci->m_flags &= ~S_DEL_PENDING;
412 do_unlink = true;
413 }
414 up_write(&ci->m_lock);
415
416 if (do_unlink)
417 ksmbd_vfs_unlink(filp);
418
419 ksmbd_inode_free(ci);
420 }
421 }
422
__ksmbd_remove_durable_fd(struct ksmbd_file * fp)423 static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
424 {
425 if (!has_file_id(fp->persistent_id))
426 return;
427
428 idr_remove(global_ft.idr, fp->persistent_id);
429 /*
430 * Clear persistent_id so a later __ksmbd_close_fd() that runs from a
431 * delayed putter (e.g. when a concurrent ksmbd_lookup_fd_inode()
432 * walker held the final reference) does not re-issue idr_remove() on
433 * an id that idr_alloc_cyclic() may have already handed out to a new
434 * durable handle.
435 */
436 fp->persistent_id = KSMBD_NO_FID;
437 }
438
ksmbd_remove_durable_fd(struct ksmbd_file * fp)439 static void ksmbd_remove_durable_fd(struct ksmbd_file *fp)
440 {
441 write_lock(&global_ft.lock);
442 __ksmbd_remove_durable_fd(fp);
443 write_unlock(&global_ft.lock);
444 if (waitqueue_active(&dh_wq))
445 wake_up(&dh_wq);
446 }
447
__ksmbd_remove_fd(struct ksmbd_file_table * ft,struct ksmbd_file * fp)448 static void __ksmbd_remove_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
449 {
450 down_write(&fp->f_ci->m_lock);
451 list_del_init(&fp->node);
452 up_write(&fp->f_ci->m_lock);
453
454 if (!has_file_id(fp->volatile_id))
455 return;
456
457 write_lock(&ft->lock);
458 idr_remove(ft->idr, fp->volatile_id);
459 write_unlock(&ft->lock);
460 }
461
__ksmbd_close_fd(struct ksmbd_file_table * ft,struct ksmbd_file * fp)462 static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
463 {
464 struct file *filp;
465 struct ksmbd_lock *smb_lock, *tmp_lock;
466
467 fd_limit_close();
468 ksmbd_remove_durable_fd(fp);
469 if (ft)
470 __ksmbd_remove_fd(ft, fp);
471
472 close_id_del_oplock(fp);
473 filp = fp->filp;
474
475 __ksmbd_inode_close(fp);
476 if (!IS_ERR_OR_NULL(filp))
477 fput(filp);
478
479 /* because the reference count of fp is 0, it is guaranteed that
480 * there are not accesses to fp->lock_list.
481 */
482 list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
483 if (!list_empty(&smb_lock->clist) && fp->conn) {
484 spin_lock(&fp->conn->llist_lock);
485 list_del(&smb_lock->clist);
486 spin_unlock(&fp->conn->llist_lock);
487 }
488
489 list_del(&smb_lock->flist);
490 locks_free_lock(smb_lock->fl);
491 kfree(smb_lock);
492 }
493
494 /*
495 * Drop fp's strong reference on conn (taken in ksmbd_open_fd() /
496 * ksmbd_reopen_durable_fd()). Durable fps that reached the
497 * scavenger have already had fp->conn cleared by session_fd_check(),
498 * in which case there is nothing to drop here.
499 */
500 if (fp->conn) {
501 ksmbd_conn_put(fp->conn);
502 fp->conn = NULL;
503 }
504
505 if (ksmbd_stream_fd(fp))
506 kfree(fp->stream.name);
507 kfree(fp->owner.name);
508
509 kmem_cache_free(filp_cache, fp);
510 }
511
ksmbd_fp_get(struct ksmbd_file * fp)512 static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
513 {
514 if (fp->f_state != FP_INITED)
515 return NULL;
516
517 if (!atomic_inc_not_zero(&fp->refcount))
518 return NULL;
519 return fp;
520 }
521
__ksmbd_lookup_fd(struct ksmbd_file_table * ft,u64 id)522 static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
523 u64 id)
524 {
525 struct ksmbd_file *fp;
526
527 if (!has_file_id(id))
528 return NULL;
529
530 read_lock(&ft->lock);
531 fp = idr_find(ft->idr, id);
532 if (fp)
533 fp = ksmbd_fp_get(fp);
534 read_unlock(&ft->lock);
535 return fp;
536 }
537
__put_fd_final(struct ksmbd_work * work,struct ksmbd_file * fp)538 static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)
539 {
540 /*
541 * Detached durable fp -- session_fd_check() cleared fp->conn at
542 * preserve, so this fp is no longer tracked by any conn's
543 * stats.open_files_count. This happens when
544 * ksmbd_scavenger_dispose_dh() hands the final close off to an
545 * m_fp_list walker (e.g. ksmbd_lookup_fd_inode()) whose work->conn
546 * is unrelated to the conn that originally opened the handle; close
547 * via the NULL-ft path so we do not underflow that unrelated
548 * counter.
549 */
550 if (!fp->conn) {
551 __ksmbd_close_fd(NULL, fp);
552 return;
553 }
554 __ksmbd_close_fd(&work->sess->file_table, fp);
555 atomic_dec(&work->conn->stats.open_files_count);
556 }
557
set_close_state_blocked_works(struct ksmbd_file * fp)558 static void set_close_state_blocked_works(struct ksmbd_file *fp)
559 {
560 struct ksmbd_work *cancel_work;
561
562 spin_lock(&fp->f_lock);
563 list_for_each_entry(cancel_work, &fp->blocked_works,
564 fp_entry) {
565 cancel_work->state = KSMBD_WORK_CLOSED;
566 cancel_work->cancel_fn(cancel_work->cancel_argv);
567 }
568 spin_unlock(&fp->f_lock);
569 }
570
ksmbd_close_fd(struct ksmbd_work * work,u64 id)571 int ksmbd_close_fd(struct ksmbd_work *work, u64 id)
572 {
573 struct ksmbd_file *fp;
574 struct ksmbd_file_table *ft;
575
576 if (!has_file_id(id))
577 return 0;
578
579 ft = &work->sess->file_table;
580 write_lock(&ft->lock);
581 fp = idr_find(ft->idr, id);
582 if (fp) {
583 set_close_state_blocked_works(fp);
584
585 if (fp->f_state != FP_INITED)
586 fp = NULL;
587 else {
588 fp->f_state = FP_CLOSED;
589 if (!atomic_dec_and_test(&fp->refcount))
590 fp = NULL;
591 }
592 }
593 write_unlock(&ft->lock);
594
595 if (!fp)
596 return -EINVAL;
597
598 __put_fd_final(work, fp);
599 return 0;
600 }
601
ksmbd_fd_put(struct ksmbd_work * work,struct ksmbd_file * fp)602 void ksmbd_fd_put(struct ksmbd_work *work, struct ksmbd_file *fp)
603 {
604 if (!fp)
605 return;
606
607 if (!atomic_dec_and_test(&fp->refcount))
608 return;
609 __put_fd_final(work, fp);
610 }
611
__sanity_check(struct ksmbd_tree_connect * tcon,struct ksmbd_file * fp)612 static bool __sanity_check(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)
613 {
614 if (!fp)
615 return false;
616 if (fp->tcon != tcon)
617 return false;
618 return true;
619 }
620
ksmbd_lookup_foreign_fd(struct ksmbd_work * work,u64 id)621 struct ksmbd_file *ksmbd_lookup_foreign_fd(struct ksmbd_work *work, u64 id)
622 {
623 return __ksmbd_lookup_fd(&work->sess->file_table, id);
624 }
625
ksmbd_lookup_fd_fast(struct ksmbd_work * work,u64 id)626 struct ksmbd_file *ksmbd_lookup_fd_fast(struct ksmbd_work *work, u64 id)
627 {
628 struct ksmbd_file *fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
629
630 if (__sanity_check(work->tcon, fp))
631 return fp;
632
633 ksmbd_fd_put(work, fp);
634 return NULL;
635 }
636
ksmbd_lookup_fd_slow(struct ksmbd_work * work,u64 id,u64 pid)637 struct ksmbd_file *ksmbd_lookup_fd_slow(struct ksmbd_work *work, u64 id,
638 u64 pid)
639 {
640 struct ksmbd_file *fp;
641
642 if (!has_file_id(id)) {
643 id = work->compound_fid;
644 pid = work->compound_pfid;
645 }
646
647 fp = __ksmbd_lookup_fd(&work->sess->file_table, id);
648 if (!__sanity_check(work->tcon, fp)) {
649 ksmbd_fd_put(work, fp);
650 return NULL;
651 }
652 if (fp->persistent_id != pid) {
653 ksmbd_fd_put(work, fp);
654 return NULL;
655 }
656 return fp;
657 }
658
ksmbd_lookup_global_fd(unsigned long long id)659 struct ksmbd_file *ksmbd_lookup_global_fd(unsigned long long id)
660 {
661 return __ksmbd_lookup_fd(&global_ft, id);
662 }
663
ksmbd_lookup_durable_fd(unsigned long long id)664 struct ksmbd_file *ksmbd_lookup_durable_fd(unsigned long long id)
665 {
666 struct ksmbd_file *fp;
667
668 fp = __ksmbd_lookup_fd(&global_ft, id);
669 if (fp && (fp->conn ||
670 (fp->durable_scavenger_timeout &&
671 (fp->durable_scavenger_timeout <
672 jiffies_to_msecs(jiffies))))) {
673 ksmbd_put_durable_fd(fp);
674 fp = NULL;
675 }
676
677 return fp;
678 }
679
ksmbd_put_durable_fd(struct ksmbd_file * fp)680 void ksmbd_put_durable_fd(struct ksmbd_file *fp)
681 {
682 if (!atomic_dec_and_test(&fp->refcount))
683 return;
684
685 __ksmbd_close_fd(NULL, fp);
686 }
687
ksmbd_lookup_fd_cguid(char * cguid)688 struct ksmbd_file *ksmbd_lookup_fd_cguid(char *cguid)
689 {
690 struct ksmbd_file *fp = NULL;
691 unsigned int id;
692
693 read_lock(&global_ft.lock);
694 idr_for_each_entry(global_ft.idr, fp, id) {
695 if (!memcmp(fp->create_guid,
696 cguid,
697 SMB2_CREATE_GUID_SIZE)) {
698 fp = ksmbd_fp_get(fp);
699 break;
700 }
701 }
702 read_unlock(&global_ft.lock);
703
704 return fp;
705 }
706
ksmbd_lookup_fd_inode(struct dentry * dentry)707 struct ksmbd_file *ksmbd_lookup_fd_inode(struct dentry *dentry)
708 {
709 struct ksmbd_file *lfp;
710 struct ksmbd_inode *ci;
711 struct inode *inode = d_inode(dentry);
712
713 read_lock(&inode_hash_lock);
714 ci = __ksmbd_inode_lookup(dentry);
715 read_unlock(&inode_hash_lock);
716 if (!ci)
717 return NULL;
718
719 down_read(&ci->m_lock);
720 list_for_each_entry(lfp, &ci->m_fp_list, node) {
721 if (inode == file_inode(lfp->filp)) {
722 atomic_dec(&ci->m_count);
723 lfp = ksmbd_fp_get(lfp);
724 up_read(&ci->m_lock);
725 return lfp;
726 }
727 }
728 atomic_dec(&ci->m_count);
729 up_read(&ci->m_lock);
730 return NULL;
731 }
732
733 #define OPEN_ID_TYPE_VOLATILE_ID (0)
734 #define OPEN_ID_TYPE_PERSISTENT_ID (1)
735
__open_id_set(struct ksmbd_file * fp,u64 id,int type)736 static void __open_id_set(struct ksmbd_file *fp, u64 id, int type)
737 {
738 if (type == OPEN_ID_TYPE_VOLATILE_ID)
739 fp->volatile_id = id;
740 if (type == OPEN_ID_TYPE_PERSISTENT_ID)
741 fp->persistent_id = id;
742 }
743
__open_id(struct ksmbd_file_table * ft,struct ksmbd_file * fp,int type)744 static int __open_id(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
745 int type)
746 {
747 u64 id = 0;
748 int ret;
749
750 if (type == OPEN_ID_TYPE_VOLATILE_ID && fd_limit_depleted()) {
751 __open_id_set(fp, KSMBD_NO_FID, type);
752 return -EMFILE;
753 }
754
755 idr_preload(KSMBD_DEFAULT_GFP);
756 write_lock(&ft->lock);
757 ret = idr_alloc_cyclic(ft->idr, fp, 0, INT_MAX - 1, GFP_NOWAIT);
758 if (ret >= 0) {
759 id = ret;
760 ret = 0;
761 } else {
762 id = KSMBD_NO_FID;
763 fd_limit_close();
764 }
765
766 __open_id_set(fp, id, type);
767 write_unlock(&ft->lock);
768 idr_preload_end();
769 return ret;
770 }
771
ksmbd_open_durable_fd(struct ksmbd_file * fp)772 unsigned int ksmbd_open_durable_fd(struct ksmbd_file *fp)
773 {
774 __open_id(&global_ft, fp, OPEN_ID_TYPE_PERSISTENT_ID);
775 return fp->persistent_id;
776 }
777
ksmbd_open_fd(struct ksmbd_work * work,struct file * filp)778 struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
779 {
780 struct ksmbd_file *fp;
781 int ret;
782
783 fp = kmem_cache_zalloc(filp_cache, KSMBD_DEFAULT_GFP);
784 if (!fp) {
785 pr_err("Failed to allocate memory\n");
786 return ERR_PTR(-ENOMEM);
787 }
788
789 INIT_LIST_HEAD(&fp->blocked_works);
790 INIT_LIST_HEAD(&fp->node);
791 INIT_LIST_HEAD(&fp->lock_list);
792 spin_lock_init(&fp->f_lock);
793 atomic_set(&fp->refcount, 1);
794
795 fp->filp = filp;
796 /*
797 * fp owns a strong reference on fp->conn for as long as fp->conn is
798 * non-NULL, so session_fd_check() and __ksmbd_close_fd() never
799 * dereference a dangling pointer. Paired with ksmbd_conn_put() in
800 * session_fd_check() (durable preserve), in __ksmbd_close_fd()
801 * (final close), and on the error paths below.
802 */
803 fp->conn = ksmbd_conn_get(work->conn);
804 fp->tcon = work->tcon;
805 fp->volatile_id = KSMBD_NO_FID;
806 fp->persistent_id = KSMBD_NO_FID;
807 fp->f_state = FP_NEW;
808 fp->f_ci = ksmbd_inode_get(fp);
809
810 if (!fp->f_ci) {
811 ret = -ENOMEM;
812 goto err_out;
813 }
814
815 ret = __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
816 if (ret) {
817 ksmbd_inode_put(fp->f_ci);
818 goto err_out;
819 }
820
821 atomic_inc(&work->conn->stats.open_files_count);
822 return fp;
823
824 err_out:
825 /* fp->conn was set and refcounted before every branch here. */
826 ksmbd_conn_put(fp->conn);
827 kmem_cache_free(filp_cache, fp);
828 return ERR_PTR(ret);
829 }
830
831 /**
832 * ksmbd_update_fstate() - update an fp state under the file-table lock
833 * @ft: file table that publishes @fp's volatile id
834 * @fp: file pointer to update
835 * @state: new state
836 *
837 * Return: 0 on success. The FP_NEW -> FP_INITED transition is special:
838 * -ENOENT if teardown already unpublished @fp by advancing the state or
839 * clearing the volatile id. Other state updates preserve the historical
840 * fire-and-forget behavior.
841 */
ksmbd_update_fstate(struct ksmbd_file_table * ft,struct ksmbd_file * fp,unsigned int state)842 int ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
843 unsigned int state)
844 {
845 int ret;
846
847 if (!fp)
848 return -ENOENT;
849
850 write_lock(&ft->lock);
851 if (state == FP_INITED &&
852 (fp->f_state != FP_NEW || !has_file_id(fp->volatile_id))) {
853 ret = -ENOENT;
854 } else {
855 fp->f_state = state;
856 ret = 0;
857 }
858 write_unlock(&ft->lock);
859
860 return ret;
861 }
862
863 /*
864 * ksmbd_mark_fp_closed() - mark fp closed under ft->lock and return how many
865 * refs the teardown path owns.
866 *
867 * FP_INITED has a normal idr-owned reference, so teardown owns both that
868 * reference and the transient lookup reference. FP_NEW is still owned by the
869 * in-flight opener/reopener, which will drop the original reference after
870 * ksmbd_update_fstate(..., FP_INITED) observes the cleared volatile id.
871 * FP_CLOSED on entry means an earlier ksmbd_close_fd() already consumed the
872 * idr-owned ref.
873 */
ksmbd_mark_fp_closed(struct ksmbd_file * fp)874 static int ksmbd_mark_fp_closed(struct ksmbd_file *fp)
875 {
876 if (fp->f_state == FP_INITED) {
877 set_close_state_blocked_works(fp);
878 fp->f_state = FP_CLOSED;
879 return 2;
880 }
881
882 return 1;
883 }
884
885 static int
__close_file_table_ids(struct ksmbd_session * sess,struct ksmbd_tree_connect * tcon,bool (* skip)(struct ksmbd_tree_connect * tcon,struct ksmbd_file * fp,struct ksmbd_user * user),bool skip_preserves_fp)886 __close_file_table_ids(struct ksmbd_session *sess,
887 struct ksmbd_tree_connect *tcon,
888 bool (*skip)(struct ksmbd_tree_connect *tcon,
889 struct ksmbd_file *fp,
890 struct ksmbd_user *user),
891 bool skip_preserves_fp)
892 {
893 struct ksmbd_file_table *ft = &sess->file_table;
894 struct ksmbd_file *fp;
895 unsigned int id = 0;
896 int num = 0;
897
898 while (1) {
899 int n_to_drop;
900
901 write_lock(&ft->lock);
902 fp = idr_get_next(ft->idr, &id);
903 if (!fp) {
904 write_unlock(&ft->lock);
905 break;
906 }
907 if (!atomic_inc_not_zero(&fp->refcount)) {
908 id++;
909 write_unlock(&ft->lock);
910 continue;
911 }
912
913 if (skip_preserves_fp) {
914 /*
915 * Session teardown: skip() is session_fd_check(),
916 * which may sleep and mutates fp->conn / fp->tcon /
917 * fp->volatile_id when it chooses to preserve fp
918 * for durable reconnect. Unpublish fp from the
919 * session idr here, under ft->lock, so that
920 * __ksmbd_lookup_fd() through this session cannot
921 * grant a new ksmbd_fp_get() reference to an fp
922 * whose fields are about to be rewritten outside
923 * the lock. Durable reconnect still reaches fp via
924 * global_ft.
925 */
926 idr_remove(ft->idr, id);
927 fp->volatile_id = KSMBD_NO_FID;
928 write_unlock(&ft->lock);
929
930 if (skip(tcon, fp, sess->user)) {
931 /*
932 * session_fd_check() has converted fp to
933 * durable-preserve state and cleared its
934 * per-conn fields. fp is already unpublished
935 * above; the original idr-owned ref keeps it
936 * alive for the durable scavenger. Drop only
937 * the transient ref. atomic_dec() is safe --
938 * atomic_inc_not_zero() succeeded on a
939 * positive value and we added one more, so
940 * refcount cannot be zero here.
941 */
942 atomic_dec(&fp->refcount);
943 id++;
944 continue;
945 }
946
947 /*
948 * Keep the close-state decision under the same lock
949 * observed by ksmbd_update_fstate(), which is how an
950 * in-flight FP_NEW opener learns that teardown has
951 * cleared its volatile id.
952 */
953 write_lock(&ft->lock);
954 n_to_drop = ksmbd_mark_fp_closed(fp);
955 write_unlock(&ft->lock);
956 } else {
957 /*
958 * Tree teardown: skip() is tree_conn_fd_check(), a
959 * cheap pointer compare that doesn't sleep and has
960 * no side effects, so keep the skip decision plus
961 * the unpublish-and-mark-closed sequence atomic
962 * under ft->lock. fps belonging to other tree
963 * connects (skip() == true) stay fully published in
964 * the session idr with no lock window.
965 */
966 if (skip(tcon, fp, sess->user)) {
967 atomic_dec(&fp->refcount);
968 write_unlock(&ft->lock);
969 id++;
970 continue;
971 }
972 idr_remove(ft->idr, id);
973 fp->volatile_id = KSMBD_NO_FID;
974 n_to_drop = ksmbd_mark_fp_closed(fp);
975 write_unlock(&ft->lock);
976 }
977
978 /*
979 * fp->volatile_id is already cleared to prevent stale idr
980 * removal from a deferred final close. Remove fp from
981 * m_fp_list here because __ksmbd_remove_fd() will skip the
982 * list unlink when volatile_id is KSMBD_NO_FID.
983 */
984 down_write(&fp->f_ci->m_lock);
985 list_del_init(&fp->node);
986 up_write(&fp->f_ci->m_lock);
987
988 /*
989 * Drop the references this iteration owns:
990 *
991 * n_to_drop == 2: we observed FP_INITED and committed
992 * the FP_CLOSED transition ourselves, so we own the
993 * transient (+1) and the still-intact idr-owned ref.
994 *
995 * n_to_drop == 1: either a prior ksmbd_close_fd()
996 * already consumed the idr-owned ref, or fp was still
997 * FP_NEW and the in-flight opener/reopener must keep
998 * the original reference until ksmbd_update_fstate()
999 * observes the cleared volatile id.
1000 *
1001 * If we end up as the final putter, finalize fp and
1002 * account the open_files_count decrement via the caller's
1003 * atomic_sub(num, ...). Otherwise the remaining user's
1004 * ksmbd_fd_put() reaches __put_fd_final(), which does its
1005 * own atomic_dec(&open_files_count), so we must not count
1006 * this fp here -- doing so would double-decrement the
1007 * connection-wide counter.
1008 */
1009 if (atomic_sub_and_test(n_to_drop, &fp->refcount)) {
1010 __ksmbd_close_fd(NULL, fp);
1011 num++;
1012 }
1013 id++;
1014 }
1015
1016 return num;
1017 }
1018
is_reconnectable(struct ksmbd_file * fp)1019 static inline bool is_reconnectable(struct ksmbd_file *fp)
1020 {
1021 struct oplock_info *opinfo = opinfo_get(fp);
1022 bool reconn = false;
1023
1024 if (!opinfo)
1025 return false;
1026
1027 if (opinfo->op_state != OPLOCK_STATE_NONE) {
1028 opinfo_put(opinfo);
1029 return false;
1030 }
1031
1032 if (fp->is_resilient || fp->is_persistent)
1033 reconn = true;
1034 else if (fp->is_durable && opinfo->is_lease &&
1035 opinfo->o_lease->state & SMB2_LEASE_HANDLE_CACHING_LE)
1036 reconn = true;
1037
1038 else if (fp->is_durable && opinfo->level == SMB2_OPLOCK_LEVEL_BATCH)
1039 reconn = true;
1040
1041 opinfo_put(opinfo);
1042 return reconn;
1043 }
1044
tree_conn_fd_check(struct ksmbd_tree_connect * tcon,struct ksmbd_file * fp,struct ksmbd_user * user)1045 static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon,
1046 struct ksmbd_file *fp,
1047 struct ksmbd_user *user)
1048 {
1049 return fp->tcon != tcon;
1050 }
1051
ksmbd_durable_scavenger_alive(void)1052 static bool ksmbd_durable_scavenger_alive(void)
1053 {
1054 if (!durable_scavenger_running)
1055 return false;
1056
1057 if (kthread_should_stop())
1058 return false;
1059
1060 if (idr_is_empty(global_ft.idr))
1061 return false;
1062
1063 return true;
1064 }
1065
ksmbd_scavenger_dispose_dh(struct ksmbd_file * fp)1066 static void ksmbd_scavenger_dispose_dh(struct ksmbd_file *fp)
1067 {
1068 /*
1069 * Durable-preserved fp can remain linked on f_ci->m_fp_list for
1070 * share-mode checks. Unlink it before final close; fp->node is not
1071 * available as a scavenger-private list node because re-adding it to
1072 * another list corrupts m_fp_list.
1073 */
1074 down_write(&fp->f_ci->m_lock);
1075 list_del_init(&fp->node);
1076 up_write(&fp->f_ci->m_lock);
1077
1078 /*
1079 * Drop both the durable lifetime reference and the transient reference
1080 * taken by the scavenger under global_ft.lock. If a concurrent
1081 * ksmbd_lookup_fd_inode() (or any other m_fp_list walker) snatched fp
1082 * before the unlink above, that holder owns the final close via
1083 * ksmbd_fd_put() -> __ksmbd_close_fd(). Otherwise the scavenger is
1084 * the last putter and finalises fp here.
1085 */
1086 if (atomic_sub_and_test(2, &fp->refcount))
1087 __ksmbd_close_fd(NULL, fp);
1088 }
1089
ksmbd_durable_scavenger(void * dummy)1090 static int ksmbd_durable_scavenger(void *dummy)
1091 {
1092 struct ksmbd_file *fp = NULL;
1093 struct ksmbd_file *expired_fp;
1094 unsigned int id;
1095 unsigned int min_timeout = 1;
1096 bool found_fp_timeout;
1097 unsigned long remaining_jiffies;
1098
1099 __module_get(THIS_MODULE);
1100
1101 set_freezable();
1102 while (ksmbd_durable_scavenger_alive()) {
1103 if (try_to_freeze())
1104 continue;
1105
1106 remaining_jiffies = wait_event_timeout(dh_wq,
1107 ksmbd_durable_scavenger_alive() == false,
1108 __msecs_to_jiffies(min_timeout));
1109 if (remaining_jiffies)
1110 min_timeout = jiffies_to_msecs(remaining_jiffies);
1111 else
1112 min_timeout = DURABLE_HANDLE_MAX_TIMEOUT;
1113
1114 do {
1115 expired_fp = NULL;
1116 found_fp_timeout = false;
1117
1118 write_lock(&global_ft.lock);
1119 idr_for_each_entry(global_ft.idr, fp, id) {
1120 unsigned long durable_timeout;
1121
1122 if (!fp->durable_timeout)
1123 continue;
1124
1125 if (atomic_read(&fp->refcount) > 1 ||
1126 fp->conn)
1127 continue;
1128
1129 found_fp_timeout = true;
1130 if (fp->durable_scavenger_timeout <=
1131 jiffies_to_msecs(jiffies)) {
1132 __ksmbd_remove_durable_fd(fp);
1133 /*
1134 * Take a transient reference so fp
1135 * cannot be freed by an in-flight
1136 * ksmbd_lookup_fd_inode() that found
1137 * it through f_ci->m_fp_list while we
1138 * drop global_ft.lock and reach the
1139 * m_fp_list unlink in
1140 * ksmbd_scavenger_dispose_dh().
1141 */
1142 atomic_inc(&fp->refcount);
1143 expired_fp = fp;
1144 break;
1145 }
1146
1147 durable_timeout =
1148 fp->durable_scavenger_timeout -
1149 jiffies_to_msecs(jiffies);
1150
1151 if (min_timeout > durable_timeout)
1152 min_timeout = durable_timeout;
1153 }
1154 write_unlock(&global_ft.lock);
1155
1156 if (expired_fp)
1157 ksmbd_scavenger_dispose_dh(expired_fp);
1158 } while (expired_fp);
1159
1160 if (found_fp_timeout == false)
1161 break;
1162 }
1163
1164 durable_scavenger_running = false;
1165
1166 module_put(THIS_MODULE);
1167
1168 return 0;
1169 }
1170
ksmbd_launch_ksmbd_durable_scavenger(void)1171 void ksmbd_launch_ksmbd_durable_scavenger(void)
1172 {
1173 if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE))
1174 return;
1175
1176 mutex_lock(&durable_scavenger_lock);
1177 if (durable_scavenger_running == true) {
1178 mutex_unlock(&durable_scavenger_lock);
1179 return;
1180 }
1181
1182 durable_scavenger_running = true;
1183
1184 server_conf.dh_task = kthread_run(ksmbd_durable_scavenger,
1185 (void *)NULL, "ksmbd-durable-scavenger");
1186 if (IS_ERR(server_conf.dh_task))
1187 pr_err("cannot start conn thread, err : %ld\n",
1188 PTR_ERR(server_conf.dh_task));
1189 mutex_unlock(&durable_scavenger_lock);
1190 }
1191
ksmbd_stop_durable_scavenger(void)1192 void ksmbd_stop_durable_scavenger(void)
1193 {
1194 if (!(server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE))
1195 return;
1196
1197 mutex_lock(&durable_scavenger_lock);
1198 if (!durable_scavenger_running) {
1199 mutex_unlock(&durable_scavenger_lock);
1200 return;
1201 }
1202
1203 durable_scavenger_running = false;
1204 if (waitqueue_active(&dh_wq))
1205 wake_up(&dh_wq);
1206 mutex_unlock(&durable_scavenger_lock);
1207 kthread_stop(server_conf.dh_task);
1208 }
1209
1210 /*
1211 * ksmbd_vfs_copy_durable_owner - Copy owner info for durable reconnect
1212 * @fp: ksmbd file pointer to store owner info
1213 * @user: user pointer to copy from
1214 *
1215 * This function binds the current user's identity to the file handle
1216 * to satisfy MS-SMB2 Step 8 (SecurityContext matching) during reconnect.
1217 *
1218 * Return: 0 on success, or negative error code on failure
1219 */
ksmbd_vfs_copy_durable_owner(struct ksmbd_file * fp,struct ksmbd_user * user)1220 static int ksmbd_vfs_copy_durable_owner(struct ksmbd_file *fp,
1221 struct ksmbd_user *user)
1222 {
1223 if (!user)
1224 return -EINVAL;
1225
1226 /* Duplicate the user name to ensure identity persistence */
1227 fp->owner.name = kstrdup(user->name, GFP_KERNEL);
1228 if (!fp->owner.name)
1229 return -ENOMEM;
1230
1231 fp->owner.uid = user->uid;
1232 fp->owner.gid = user->gid;
1233
1234 return 0;
1235 }
1236
1237 /**
1238 * ksmbd_vfs_compare_durable_owner - Verify if the requester is original owner
1239 * @fp: existing ksmbd file pointer
1240 * @user: user pointer of the reconnect requester
1241 *
1242 * Compares the UID, GID, and name of the current requester against the
1243 * original owner stored in the file handle.
1244 *
1245 * Return: true if the user matches, false otherwise
1246 */
ksmbd_vfs_compare_durable_owner(struct ksmbd_file * fp,struct ksmbd_user * user)1247 bool ksmbd_vfs_compare_durable_owner(struct ksmbd_file *fp,
1248 struct ksmbd_user *user)
1249 {
1250 if (!user || !fp->owner.name)
1251 return false;
1252
1253 /* Check if the UID and GID match first (fast path) */
1254 if (fp->owner.uid != user->uid || fp->owner.gid != user->gid)
1255 return false;
1256
1257 /* Validate the account name to ensure the same SecurityContext */
1258 if (strcmp(fp->owner.name, user->name))
1259 return false;
1260
1261 return true;
1262 }
1263
session_fd_check(struct ksmbd_tree_connect * tcon,struct ksmbd_file * fp,struct ksmbd_user * user)1264 static bool session_fd_check(struct ksmbd_tree_connect *tcon,
1265 struct ksmbd_file *fp, struct ksmbd_user *user)
1266 {
1267 struct ksmbd_inode *ci;
1268 struct oplock_info *op;
1269 struct ksmbd_conn *conn;
1270 struct ksmbd_lock *smb_lock, *tmp_lock;
1271
1272 if (!is_reconnectable(fp))
1273 return false;
1274
1275 if (fp->f_state != FP_INITED)
1276 return false;
1277
1278 if (WARN_ON_ONCE(!fp->conn))
1279 return false;
1280
1281 if (ksmbd_vfs_copy_durable_owner(fp, user))
1282 return false;
1283
1284 /*
1285 * fp owns a strong reference on fp->conn (taken in ksmbd_open_fd()
1286 * / ksmbd_reopen_durable_fd()), so conn stays valid for the whole
1287 * body of this function regardless of any op->conn puts below.
1288 */
1289 conn = fp->conn;
1290 ci = fp->f_ci;
1291 down_write(&ci->m_lock);
1292 list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) {
1293 if (op->conn != conn)
1294 continue;
1295 ksmbd_conn_put(op->conn);
1296 op->conn = NULL;
1297 }
1298 up_write(&ci->m_lock);
1299
1300 list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
1301 spin_lock(&conn->llist_lock);
1302 list_del_init(&smb_lock->clist);
1303 spin_unlock(&conn->llist_lock);
1304 }
1305
1306 fp->conn = NULL;
1307 fp->tcon = NULL;
1308 fp->volatile_id = KSMBD_NO_FID;
1309
1310 if (fp->durable_timeout)
1311 fp->durable_scavenger_timeout =
1312 jiffies_to_msecs(jiffies) + fp->durable_timeout;
1313
1314 /* Drop fp's own reference on conn. */
1315 ksmbd_conn_put(conn);
1316 return true;
1317 }
1318
ksmbd_close_tree_conn_fds(struct ksmbd_work * work)1319 void ksmbd_close_tree_conn_fds(struct ksmbd_work *work)
1320 {
1321 int num = __close_file_table_ids(work->sess,
1322 work->tcon,
1323 tree_conn_fd_check,
1324 false);
1325
1326 atomic_sub(num, &work->conn->stats.open_files_count);
1327 }
1328
ksmbd_close_session_fds(struct ksmbd_work * work)1329 void ksmbd_close_session_fds(struct ksmbd_work *work)
1330 {
1331 int num = __close_file_table_ids(work->sess,
1332 work->tcon,
1333 session_fd_check,
1334 true);
1335
1336 atomic_sub(num, &work->conn->stats.open_files_count);
1337 }
1338
ksmbd_init_global_file_table(void)1339 int ksmbd_init_global_file_table(void)
1340 {
1341 create_proc_files();
1342 return ksmbd_init_file_table(&global_ft);
1343 }
1344
ksmbd_free_global_file_table(void)1345 void ksmbd_free_global_file_table(void)
1346 {
1347 struct ksmbd_file *fp = NULL;
1348 unsigned int id;
1349
1350 idr_for_each_entry(global_ft.idr, fp, id) {
1351 ksmbd_remove_durable_fd(fp);
1352 __ksmbd_close_fd(NULL, fp);
1353 }
1354
1355 idr_destroy(global_ft.idr);
1356 kfree(global_ft.idr);
1357 }
1358
ksmbd_validate_name_reconnect(struct ksmbd_share_config * share,struct ksmbd_file * fp,char * name)1359 int ksmbd_validate_name_reconnect(struct ksmbd_share_config *share,
1360 struct ksmbd_file *fp, char *name)
1361 {
1362 char *pathname, *ab_pathname;
1363 int ret = 0;
1364
1365 pathname = kmalloc(PATH_MAX, KSMBD_DEFAULT_GFP);
1366 if (!pathname)
1367 return -EACCES;
1368
1369 ab_pathname = d_path(&fp->filp->f_path, pathname, PATH_MAX);
1370 if (IS_ERR(ab_pathname)) {
1371 kfree(pathname);
1372 return -EACCES;
1373 }
1374
1375 if (name && strcmp(&ab_pathname[share->path_sz + 1], name)) {
1376 ksmbd_debug(SMB, "invalid name reconnect %s\n", name);
1377 ret = -EINVAL;
1378 }
1379
1380 kfree(pathname);
1381
1382 return ret;
1383 }
1384
ksmbd_reopen_durable_fd(struct ksmbd_work * work,struct ksmbd_file * fp)1385 int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
1386 {
1387 struct ksmbd_inode *ci;
1388 struct oplock_info *op;
1389 struct ksmbd_conn *conn = work->conn;
1390 struct ksmbd_lock *smb_lock;
1391 unsigned int old_f_state;
1392
1393 if (!fp->is_durable || fp->conn || fp->tcon) {
1394 pr_err("Invalid durable fd [%p:%p]\n", fp->conn, fp->tcon);
1395 return -EBADF;
1396 }
1397
1398 if (has_file_id(fp->volatile_id)) {
1399 pr_err("Still in use durable fd: %llu\n", fp->volatile_id);
1400 return -EBADF;
1401 }
1402
1403 old_f_state = fp->f_state;
1404 fp->f_state = FP_NEW;
1405
1406 /*
1407 * Initialize fp's connection binding before publishing fp into the
1408 * session's file table. If __open_id() is ordered first, a
1409 * concurrent teardown that iterates the table can observe a valid
1410 * volatile_id with fp->conn == NULL and preserve a
1411 * partially-initialized fp. fp owns a strong reference on the new
1412 * conn (see ksmbd_open_fd()); undo it on __open_id() failure.
1413 */
1414 fp->conn = ksmbd_conn_get(conn);
1415 fp->tcon = work->tcon;
1416
1417 __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
1418 if (!has_file_id(fp->volatile_id)) {
1419 fp->conn = NULL;
1420 fp->tcon = NULL;
1421 ksmbd_conn_put(conn);
1422 fp->f_state = old_f_state;
1423 return -EBADF;
1424 }
1425
1426 list_for_each_entry(smb_lock, &fp->lock_list, flist) {
1427 spin_lock(&conn->llist_lock);
1428 list_add_tail(&smb_lock->clist, &conn->lock_list);
1429 spin_unlock(&conn->llist_lock);
1430 }
1431
1432 ci = fp->f_ci;
1433 down_write(&ci->m_lock);
1434 list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) {
1435 if (op->conn)
1436 continue;
1437 op->conn = ksmbd_conn_get(fp->conn);
1438 }
1439 up_write(&ci->m_lock);
1440
1441 fp->owner.uid = fp->owner.gid = 0;
1442 kfree(fp->owner.name);
1443 fp->owner.name = NULL;
1444
1445 return 0;
1446 }
1447
ksmbd_init_file_table(struct ksmbd_file_table * ft)1448 int ksmbd_init_file_table(struct ksmbd_file_table *ft)
1449 {
1450 ft->idr = kzalloc_obj(struct idr, KSMBD_DEFAULT_GFP);
1451 if (!ft->idr)
1452 return -ENOMEM;
1453
1454 idr_init(ft->idr);
1455 rwlock_init(&ft->lock);
1456 return 0;
1457 }
1458
ksmbd_destroy_file_table(struct ksmbd_session * sess)1459 void ksmbd_destroy_file_table(struct ksmbd_session *sess)
1460 {
1461 struct ksmbd_file_table *ft = &sess->file_table;
1462
1463 if (!ft->idr)
1464 return;
1465
1466 __close_file_table_ids(sess, NULL, session_fd_check, true);
1467 idr_destroy(ft->idr);
1468 kfree(ft->idr);
1469 ft->idr = NULL;
1470 }
1471
ksmbd_init_file_cache(void)1472 int ksmbd_init_file_cache(void)
1473 {
1474 filp_cache = kmem_cache_create("ksmbd_file_cache",
1475 sizeof(struct ksmbd_file), 0,
1476 SLAB_HWCACHE_ALIGN, NULL);
1477 if (!filp_cache)
1478 goto out;
1479
1480 init_waitqueue_head(&dh_wq);
1481
1482 return 0;
1483
1484 out:
1485 pr_err("failed to allocate file cache\n");
1486 return -ENOMEM;
1487 }
1488
ksmbd_exit_file_cache(void)1489 void ksmbd_exit_file_cache(void)
1490 {
1491 kmem_cache_destroy(filp_cache);
1492 }
1493