1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * NFS exporting and validation. 4 * 5 * We maintain a list of clients, each of which has a list of 6 * exports. To export an fs to a given client, you first have 7 * to create the client entry with NFSCTL_ADDCLIENT, which 8 * creates a client control block and adds it to the hash 9 * table. Then, you call NFSCTL_EXPORT for each fs. 10 * 11 * 12 * Copyright (C) 1995, 1996 Olaf Kirch, <okir@monad.swb.de> 13 */ 14 15 #include <linux/slab.h> 16 #include <linux/namei.h> 17 #include <linux/module.h> 18 #include <linux/exportfs.h> 19 #include <linux/sunrpc/svc_xprt.h> 20 21 #include "nfsd.h" 22 #include "nfsfh.h" 23 #include "netns.h" 24 #include "pnfs.h" 25 #include "filecache.h" 26 #include "trace.h" 27 28 #define NFSDDBG_FACILITY NFSDDBG_EXPORT 29 30 /* 31 * We have two caches. 32 * One maps client+vfsmnt+dentry to export options - the export map 33 * The other maps client+filehandle-fragment to export options. - the expkey map 34 * 35 * The export options are actually stored in the first map, and the 36 * second map contains a reference to the entry in the first map. 37 */ 38 39 static struct workqueue_struct *nfsd_export_wq; 40 41 #define EXPKEY_HASHBITS 8 42 #define EXPKEY_HASHMAX (1 << EXPKEY_HASHBITS) 43 #define EXPKEY_HASHMASK (EXPKEY_HASHMAX -1) 44 45 static void expkey_release(struct work_struct *work) 46 { 47 struct svc_expkey *key = container_of(to_rcu_work(work), 48 struct svc_expkey, ek_rwork); 49 50 if (test_bit(CACHE_VALID, &key->h.flags) && 51 !test_bit(CACHE_NEGATIVE, &key->h.flags)) 52 path_put(&key->ek_path); 53 auth_domain_put(key->ek_client); 54 kfree(key); 55 } 56 57 static void expkey_put(struct kref *ref) 58 { 59 struct svc_expkey *key = container_of(ref, struct svc_expkey, h.ref); 60 61 INIT_RCU_WORK(&key->ek_rwork, expkey_release); 62 queue_rcu_work(nfsd_export_wq, &key->ek_rwork); 63 } 64 65 static int expkey_upcall(struct cache_detail *cd, struct cache_head *h) 66 { 67 return sunrpc_cache_pipe_upcall(cd, h); 68 } 69 70 static void expkey_request(struct cache_detail *cd, 71 struct cache_head *h, 72 char **bpp, int *blen) 73 { 74 /* client fsidtype \xfsid */ 75 struct svc_expkey *ek = container_of(h, struct svc_expkey, h); 76 char type[5]; 77 78 qword_add(bpp, blen, ek->ek_client->name); 79 snprintf(type, 5, "%d", ek->ek_fsidtype); 80 qword_add(bpp, blen, type); 81 qword_addhex(bpp, blen, (char*)ek->ek_fsid, key_len(ek->ek_fsidtype)); 82 (*bpp)[-1] = '\n'; 83 } 84 85 static struct svc_expkey *svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 86 struct svc_expkey *old); 87 static struct svc_expkey *svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *); 88 89 static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen) 90 { 91 /* client fsidtype fsid expiry [path] */ 92 char *buf; 93 int len; 94 struct auth_domain *dom = NULL; 95 int err; 96 u8 fsidtype; 97 struct svc_expkey key; 98 struct svc_expkey *ek = NULL; 99 100 if (mesg[mlen - 1] != '\n') 101 return -EINVAL; 102 mesg[mlen-1] = 0; 103 104 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 105 err = -ENOMEM; 106 if (!buf) 107 goto out; 108 109 err = -EINVAL; 110 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 111 goto out; 112 113 err = -ENOENT; 114 dom = auth_domain_find(buf); 115 if (!dom) 116 goto out; 117 dprintk("found domain %s\n", buf); 118 119 err = -EINVAL; 120 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 121 goto out; 122 if (kstrtou8(buf, 10, &fsidtype)) 123 goto out; 124 dprintk("found fsidtype %u\n", fsidtype); 125 if (key_len(fsidtype)==0) /* invalid type */ 126 goto out; 127 if ((len=qword_get(&mesg, buf, PAGE_SIZE)) <= 0) 128 goto out; 129 dprintk("found fsid length %d\n", len); 130 if (len != key_len(fsidtype)) 131 goto out; 132 133 /* OK, we seem to have a valid key */ 134 key.h.flags = 0; 135 err = get_expiry(&mesg, &key.h.expiry_time); 136 if (err) 137 goto out; 138 139 key.ek_client = dom; 140 key.ek_fsidtype = fsidtype; 141 memcpy(key.ek_fsid, buf, len); 142 143 ek = svc_expkey_lookup(cd, &key); 144 err = -ENOMEM; 145 if (!ek) 146 goto out; 147 148 /* now we want a pathname, or empty meaning NEGATIVE */ 149 err = -EINVAL; 150 len = qword_get(&mesg, buf, PAGE_SIZE); 151 if (len < 0) 152 goto out; 153 dprintk("Path seems to be <%s>\n", buf); 154 err = 0; 155 if (len == 0) { 156 set_bit(CACHE_NEGATIVE, &key.h.flags); 157 ek = svc_expkey_update(cd, &key, ek); 158 if (ek) 159 trace_nfsd_expkey_update(ek, NULL); 160 else 161 err = -ENOMEM; 162 } else { 163 err = kern_path(buf, 0, &key.ek_path); 164 if (err) 165 goto out; 166 167 dprintk("Found the path %s\n", buf); 168 169 ek = svc_expkey_update(cd, &key, ek); 170 if (ek) 171 trace_nfsd_expkey_update(ek, buf); 172 else 173 err = -ENOMEM; 174 path_put(&key.ek_path); 175 } 176 cache_flush(); 177 out: 178 if (ek) 179 cache_put(&ek->h, cd); 180 if (dom) 181 auth_domain_put(dom); 182 kfree(buf); 183 return err; 184 } 185 186 static int expkey_show(struct seq_file *m, 187 struct cache_detail *cd, 188 struct cache_head *h) 189 { 190 struct svc_expkey *ek ; 191 int i; 192 193 if (h ==NULL) { 194 seq_puts(m, "#domain fsidtype fsid [path]\n"); 195 return 0; 196 } 197 ek = container_of(h, struct svc_expkey, h); 198 seq_printf(m, "%s %d 0x", ek->ek_client->name, 199 ek->ek_fsidtype); 200 for (i=0; i < key_len(ek->ek_fsidtype)/4; i++) 201 seq_printf(m, "%08x", ek->ek_fsid[i]); 202 if (test_bit(CACHE_VALID, &h->flags) && 203 !test_bit(CACHE_NEGATIVE, &h->flags)) { 204 seq_printf(m, " "); 205 seq_path(m, &ek->ek_path, "\\ \t\n"); 206 } 207 seq_printf(m, "\n"); 208 return 0; 209 } 210 211 static inline int expkey_match (struct cache_head *a, struct cache_head *b) 212 { 213 struct svc_expkey *orig = container_of(a, struct svc_expkey, h); 214 struct svc_expkey *new = container_of(b, struct svc_expkey, h); 215 216 if (orig->ek_fsidtype != new->ek_fsidtype || 217 orig->ek_client != new->ek_client || 218 memcmp(orig->ek_fsid, new->ek_fsid, key_len(orig->ek_fsidtype)) != 0) 219 return 0; 220 return 1; 221 } 222 223 static inline void expkey_init(struct cache_head *cnew, 224 struct cache_head *citem) 225 { 226 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 227 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 228 229 kref_get(&item->ek_client->ref); 230 new->ek_client = item->ek_client; 231 new->ek_fsidtype = item->ek_fsidtype; 232 233 memcpy(new->ek_fsid, item->ek_fsid, sizeof(new->ek_fsid)); 234 } 235 236 static inline void expkey_update(struct cache_head *cnew, 237 struct cache_head *citem) 238 { 239 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 240 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 241 242 new->ek_path = item->ek_path; 243 path_get(&item->ek_path); 244 } 245 246 static struct cache_head *expkey_alloc(void) 247 { 248 struct svc_expkey *i = kmalloc_obj(*i); 249 if (i) 250 return &i->h; 251 else 252 return NULL; 253 } 254 255 static void expkey_flush(void) 256 { 257 /* 258 * Take the nfsd_mutex here to ensure that the file cache is not 259 * destroyed while we're in the middle of flushing. 260 */ 261 mutex_lock(&nfsd_mutex); 262 nfsd_file_cache_purge(current->nsproxy->net_ns); 263 mutex_unlock(&nfsd_mutex); 264 } 265 266 static const struct cache_detail svc_expkey_cache_template = { 267 .owner = THIS_MODULE, 268 .hash_size = EXPKEY_HASHMAX, 269 .name = "nfsd.fh", 270 .cache_put = expkey_put, 271 .cache_upcall = expkey_upcall, 272 .cache_request = expkey_request, 273 .cache_parse = expkey_parse, 274 .cache_show = expkey_show, 275 .match = expkey_match, 276 .init = expkey_init, 277 .update = expkey_update, 278 .alloc = expkey_alloc, 279 .flush = expkey_flush, 280 }; 281 282 static int 283 svc_expkey_hash(struct svc_expkey *item) 284 { 285 int hash = item->ek_fsidtype; 286 char * cp = (char*)item->ek_fsid; 287 int len = key_len(item->ek_fsidtype); 288 289 hash ^= hash_mem(cp, len, EXPKEY_HASHBITS); 290 hash ^= hash_ptr(item->ek_client, EXPKEY_HASHBITS); 291 hash &= EXPKEY_HASHMASK; 292 return hash; 293 } 294 295 static struct svc_expkey * 296 svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *item) 297 { 298 struct cache_head *ch; 299 int hash = svc_expkey_hash(item); 300 301 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash); 302 if (ch) 303 return container_of(ch, struct svc_expkey, h); 304 else 305 return NULL; 306 } 307 308 static struct svc_expkey * 309 svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 310 struct svc_expkey *old) 311 { 312 struct cache_head *ch; 313 int hash = svc_expkey_hash(new); 314 315 ch = sunrpc_cache_update(cd, &new->h, &old->h, hash); 316 if (ch) 317 return container_of(ch, struct svc_expkey, h); 318 else 319 return NULL; 320 } 321 322 323 #define EXPORT_HASHBITS 8 324 #define EXPORT_HASHMAX (1<< EXPORT_HASHBITS) 325 326 static void nfsd4_fslocs_free(struct nfsd4_fs_locations *fsloc) 327 { 328 struct nfsd4_fs_location *locations = fsloc->locations; 329 int i; 330 331 if (!locations) 332 return; 333 334 for (i = 0; i < fsloc->locations_count; i++) { 335 kfree(locations[i].path); 336 kfree(locations[i].hosts); 337 } 338 339 kfree(locations); 340 fsloc->locations = NULL; 341 } 342 343 static int export_stats_init(struct export_stats *stats) 344 { 345 stats->start_time = ktime_get_seconds(); 346 return percpu_counter_init_many(stats->counter, 0, GFP_KERNEL, 347 EXP_STATS_COUNTERS_NUM); 348 } 349 350 static void export_stats_reset(struct export_stats *stats) 351 { 352 if (stats) { 353 int i; 354 355 for (i = 0; i < EXP_STATS_COUNTERS_NUM; i++) 356 percpu_counter_set(&stats->counter[i], 0); 357 } 358 } 359 360 static void export_stats_destroy(struct export_stats *stats) 361 { 362 if (stats) 363 percpu_counter_destroy_many(stats->counter, 364 EXP_STATS_COUNTERS_NUM); 365 } 366 367 static void svc_export_release(struct work_struct *work) 368 { 369 struct svc_export *exp = container_of(to_rcu_work(work), 370 struct svc_export, ex_rwork); 371 372 path_put(&exp->ex_path); 373 auth_domain_put(exp->ex_client); 374 nfsd4_fslocs_free(&exp->ex_fslocs); 375 export_stats_destroy(exp->ex_stats); 376 kfree(exp->ex_stats); 377 kfree(exp->ex_uuid); 378 kfree(exp); 379 } 380 381 static void svc_export_put(struct kref *ref) 382 { 383 struct svc_export *exp = container_of(ref, struct svc_export, h.ref); 384 385 INIT_RCU_WORK(&exp->ex_rwork, svc_export_release); 386 queue_rcu_work(nfsd_export_wq, &exp->ex_rwork); 387 } 388 389 static int svc_export_upcall(struct cache_detail *cd, struct cache_head *h) 390 { 391 return sunrpc_cache_pipe_upcall(cd, h); 392 } 393 394 static void svc_export_request(struct cache_detail *cd, 395 struct cache_head *h, 396 char **bpp, int *blen) 397 { 398 /* client path */ 399 struct svc_export *exp = container_of(h, struct svc_export, h); 400 char *pth; 401 402 qword_add(bpp, blen, exp->ex_client->name); 403 pth = d_path(&exp->ex_path, *bpp, *blen); 404 if (IS_ERR(pth)) { 405 /* is this correct? */ 406 (*bpp)[0] = '\n'; 407 return; 408 } 409 qword_add(bpp, blen, pth); 410 (*bpp)[-1] = '\n'; 411 } 412 413 static struct svc_export *svc_export_update(struct svc_export *new, 414 struct svc_export *old); 415 static struct svc_export *svc_export_lookup(struct svc_export *); 416 417 static int check_export(const struct path *path, int *flags, unsigned char *uuid) 418 { 419 struct inode *inode = d_inode(path->dentry); 420 421 /* 422 * We currently export only dirs, regular files, and (for v4 423 * pseudoroot) symlinks. 424 */ 425 if (!S_ISDIR(inode->i_mode) && 426 !S_ISLNK(inode->i_mode) && 427 !S_ISREG(inode->i_mode)) 428 return -ENOTDIR; 429 430 /* 431 * Mountd should never pass down a writeable V4ROOT export, but, 432 * just to make sure: 433 */ 434 if (*flags & NFSEXP_V4ROOT) 435 *flags |= NFSEXP_READONLY; 436 437 /* There are two requirements on a filesystem to be exportable. 438 * 1: We must be able to identify the filesystem from a number. 439 * either a device number (so FS_REQUIRES_DEV needed) 440 * or an FSID number (so NFSEXP_FSID or ->uuid is needed). 441 * 2: We must be able to find an inode from a filehandle. 442 * This means that s_export_op must be set and comply with 443 * the requirements for remote filesystem export. 444 * 3: We must not currently be on an idmapped mount. 445 */ 446 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) && 447 !(*flags & NFSEXP_FSID) && 448 uuid == NULL) { 449 dprintk("exp_export: export of non-dev fs without fsid\n"); 450 return -EINVAL; 451 } 452 453 if (!exportfs_may_export(inode->i_sb->s_export_op)) { 454 dprintk("exp_export: export of invalid fs type (%s).\n", 455 inode->i_sb->s_type->name); 456 return -EINVAL; 457 } 458 459 if (is_idmapped_mnt(path->mnt)) { 460 dprintk("exp_export: export of idmapped mounts not yet supported.\n"); 461 return -EINVAL; 462 } 463 464 if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK && 465 !(*flags & NFSEXP_NOSUBTREECHECK)) { 466 dprintk("%s: %s does not support subtree checking!\n", 467 __func__, inode->i_sb->s_type->name); 468 return -EINVAL; 469 } 470 return 0; 471 } 472 473 #ifdef CONFIG_NFSD_V4 474 475 static int 476 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc) 477 { 478 int len; 479 int migrated, i, err; 480 481 /* more than one fsloc */ 482 if (fsloc->locations) 483 return -EINVAL; 484 485 /* listsize */ 486 err = get_uint(mesg, &fsloc->locations_count); 487 if (err) 488 return err; 489 if (fsloc->locations_count > MAX_FS_LOCATIONS) 490 return -EINVAL; 491 if (fsloc->locations_count == 0) 492 return 0; 493 494 fsloc->locations = kzalloc_objs(struct nfsd4_fs_location, 495 fsloc->locations_count); 496 if (!fsloc->locations) 497 return -ENOMEM; 498 for (i=0; i < fsloc->locations_count; i++) { 499 /* colon separated host list */ 500 err = -EINVAL; 501 len = qword_get(mesg, buf, PAGE_SIZE); 502 if (len <= 0) 503 goto out_free_all; 504 err = -ENOMEM; 505 fsloc->locations[i].hosts = kstrdup(buf, GFP_KERNEL); 506 if (!fsloc->locations[i].hosts) 507 goto out_free_all; 508 err = -EINVAL; 509 /* slash separated path component list */ 510 len = qword_get(mesg, buf, PAGE_SIZE); 511 if (len <= 0) 512 goto out_free_all; 513 err = -ENOMEM; 514 fsloc->locations[i].path = kstrdup(buf, GFP_KERNEL); 515 if (!fsloc->locations[i].path) 516 goto out_free_all; 517 } 518 /* migrated */ 519 err = get_int(mesg, &migrated); 520 if (err) 521 goto out_free_all; 522 err = -EINVAL; 523 if (migrated < 0 || migrated > 1) 524 goto out_free_all; 525 fsloc->migrated = migrated; 526 return 0; 527 out_free_all: 528 nfsd4_fslocs_free(fsloc); 529 return err; 530 } 531 532 static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp) 533 { 534 struct exp_flavor_info *f; 535 u32 listsize; 536 int err; 537 538 /* more than one secinfo */ 539 if (exp->ex_nflavors) 540 return -EINVAL; 541 542 err = get_uint(mesg, &listsize); 543 if (err) 544 return err; 545 if (listsize > MAX_SECINFO_LIST) 546 return -EINVAL; 547 548 for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) { 549 err = get_uint(mesg, &f->pseudoflavor); 550 if (err) 551 return err; 552 /* 553 * XXX: It would be nice to also check whether this 554 * pseudoflavor is supported, so we can discover the 555 * problem at export time instead of when a client fails 556 * to authenticate. 557 */ 558 err = get_uint(mesg, &f->flags); 559 if (err) 560 return err; 561 /* Only some flags are allowed to differ between flavors: */ 562 if (~NFSEXP_SECINFO_FLAGS & (f->flags ^ exp->ex_flags)) 563 return -EINVAL; 564 } 565 exp->ex_nflavors = listsize; 566 return 0; 567 } 568 569 #else /* CONFIG_NFSD_V4 */ 570 static inline int 571 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc){return 0;} 572 static inline int 573 secinfo_parse(char **mesg, char *buf, struct svc_export *exp) { return 0; } 574 #endif 575 576 static int xprtsec_parse(char **mesg, char *buf, struct svc_export *exp) 577 { 578 unsigned int i, mode, listsize; 579 int err; 580 581 err = get_uint(mesg, &listsize); 582 if (err) 583 return err; 584 if (listsize > NFSEXP_XPRTSEC_NUM) 585 return -EINVAL; 586 587 exp->ex_xprtsec_modes = 0; 588 for (i = 0; i < listsize; i++) { 589 err = get_uint(mesg, &mode); 590 if (err) 591 return err; 592 if (mode > NFSEXP_XPRTSEC_MTLS) 593 return -EINVAL; 594 exp->ex_xprtsec_modes |= mode; 595 } 596 return 0; 597 } 598 599 static inline int 600 nfsd_uuid_parse(char **mesg, char *buf, unsigned char **puuid) 601 { 602 int len; 603 604 /* more than one uuid */ 605 if (*puuid) 606 return -EINVAL; 607 608 /* expect a 16 byte uuid encoded as \xXXXX... */ 609 len = qword_get(mesg, buf, PAGE_SIZE); 610 if (len != EX_UUID_LEN) 611 return -EINVAL; 612 613 *puuid = kmemdup(buf, EX_UUID_LEN, GFP_KERNEL); 614 if (*puuid == NULL) 615 return -ENOMEM; 616 617 return 0; 618 } 619 620 static int svc_export_parse(struct cache_detail *cd, char *mesg, int mlen) 621 { 622 /* client path expiry [flags anonuid anongid fsid] */ 623 char *buf; 624 int err; 625 struct auth_domain *dom = NULL; 626 struct svc_export exp = {}, *expp; 627 int an_int; 628 629 if (mesg[mlen-1] != '\n') 630 return -EINVAL; 631 mesg[mlen-1] = 0; 632 633 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 634 if (!buf) 635 return -ENOMEM; 636 637 /* client */ 638 err = -EINVAL; 639 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 640 goto out; 641 642 err = -ENOENT; 643 dom = auth_domain_find(buf); 644 if (!dom) 645 goto out; 646 647 /* path */ 648 err = -EINVAL; 649 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 650 goto out1; 651 652 err = kern_path(buf, 0, &exp.ex_path); 653 if (err) 654 goto out1; 655 656 exp.ex_client = dom; 657 exp.cd = cd; 658 exp.ex_devid_map = NULL; 659 exp.ex_xprtsec_modes = NFSEXP_XPRTSEC_ALL; 660 661 /* expiry */ 662 err = get_expiry(&mesg, &exp.h.expiry_time); 663 if (err) 664 goto out3; 665 666 /* flags */ 667 err = get_int(&mesg, &an_int); 668 if (err == -ENOENT) { 669 err = 0; 670 set_bit(CACHE_NEGATIVE, &exp.h.flags); 671 } else { 672 if (err || an_int < 0) 673 goto out3; 674 exp.ex_flags= an_int; 675 676 /* anon uid */ 677 err = get_int(&mesg, &an_int); 678 if (err) 679 goto out3; 680 exp.ex_anon_uid= make_kuid(current_user_ns(), an_int); 681 682 /* anon gid */ 683 err = get_int(&mesg, &an_int); 684 if (err) 685 goto out3; 686 exp.ex_anon_gid= make_kgid(current_user_ns(), an_int); 687 688 /* fsid */ 689 err = get_int(&mesg, &an_int); 690 if (err) 691 goto out3; 692 exp.ex_fsid = an_int; 693 694 while (qword_get(&mesg, buf, PAGE_SIZE) > 0) { 695 if (strcmp(buf, "fsloc") == 0) 696 err = fsloc_parse(&mesg, buf, &exp.ex_fslocs); 697 else if (strcmp(buf, "uuid") == 0) 698 err = nfsd_uuid_parse(&mesg, buf, &exp.ex_uuid); 699 else if (strcmp(buf, "secinfo") == 0) 700 err = secinfo_parse(&mesg, buf, &exp); 701 else if (strcmp(buf, "xprtsec") == 0) 702 err = xprtsec_parse(&mesg, buf, &exp); 703 else 704 /* quietly ignore unknown words and anything 705 * following. Newer user-space can try to set 706 * new values, then see what the result was. 707 */ 708 break; 709 if (err) 710 goto out4; 711 } 712 713 err = check_export(&exp.ex_path, &exp.ex_flags, exp.ex_uuid); 714 if (err) 715 goto out4; 716 717 /* 718 * No point caching this if it would immediately expire. 719 * Also, this protects exportfs's dummy export from the 720 * anon_uid/anon_gid checks: 721 */ 722 if (exp.h.expiry_time < seconds_since_boot()) 723 goto out4; 724 /* 725 * For some reason exportfs has been passing down an 726 * invalid (-1) uid & gid on the "dummy" export which it 727 * uses to test export support. To make sure exportfs 728 * sees errors from check_export we therefore need to 729 * delay these checks till after check_export: 730 */ 731 err = -EINVAL; 732 if (!uid_valid(exp.ex_anon_uid)) 733 goto out4; 734 if (!gid_valid(exp.ex_anon_gid)) 735 goto out4; 736 err = 0; 737 738 if (exp.ex_flags & NFSEXP_PNFS) 739 nfsd4_setup_layout_type(&exp); 740 } 741 742 expp = svc_export_lookup(&exp); 743 if (!expp) { 744 err = -ENOMEM; 745 goto out4; 746 } 747 expp = svc_export_update(&exp, expp); 748 if (expp) { 749 trace_nfsd_export_update(expp); 750 cache_flush(); 751 exp_put(expp); 752 } else 753 err = -ENOMEM; 754 out4: 755 nfsd4_fslocs_free(&exp.ex_fslocs); 756 kfree(exp.ex_uuid); 757 out3: 758 path_put(&exp.ex_path); 759 out1: 760 auth_domain_put(dom); 761 out: 762 kfree(buf); 763 return err; 764 } 765 766 static void exp_flags(struct seq_file *m, int flag, int fsid, 767 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fslocs); 768 static void show_secinfo(struct seq_file *m, struct svc_export *exp); 769 770 static int is_export_stats_file(struct seq_file *m) 771 { 772 /* 773 * The export_stats file uses the same ops as the exports file. 774 * We use the file's name to determine the reported info per export. 775 * There is no rename in nsfdfs, so d_name.name is stable. 776 */ 777 return !strcmp(m->file->f_path.dentry->d_name.name, "export_stats"); 778 } 779 780 static int svc_export_show(struct seq_file *m, 781 struct cache_detail *cd, 782 struct cache_head *h) 783 { 784 struct svc_export *exp; 785 bool export_stats = is_export_stats_file(m); 786 787 if (h == NULL) { 788 if (export_stats) 789 seq_puts(m, "#path domain start-time\n#\tstats\n"); 790 else 791 seq_puts(m, "#path domain(flags)\n"); 792 return 0; 793 } 794 exp = container_of(h, struct svc_export, h); 795 seq_path(m, &exp->ex_path, " \t\n\\"); 796 seq_putc(m, '\t'); 797 seq_escape(m, exp->ex_client->name, " \t\n\\"); 798 if (export_stats) { 799 struct percpu_counter *counter = exp->ex_stats->counter; 800 801 seq_printf(m, "\t%lld\n", exp->ex_stats->start_time); 802 seq_printf(m, "\tfh_stale: %lld\n", 803 percpu_counter_sum_positive(&counter[EXP_STATS_FH_STALE])); 804 seq_printf(m, "\tio_read: %lld\n", 805 percpu_counter_sum_positive(&counter[EXP_STATS_IO_READ])); 806 seq_printf(m, "\tio_write: %lld\n", 807 percpu_counter_sum_positive(&counter[EXP_STATS_IO_WRITE])); 808 seq_putc(m, '\n'); 809 return 0; 810 } 811 seq_putc(m, '('); 812 if (test_bit(CACHE_VALID, &h->flags) && 813 !test_bit(CACHE_NEGATIVE, &h->flags)) { 814 exp_flags(m, exp->ex_flags, exp->ex_fsid, 815 exp->ex_anon_uid, exp->ex_anon_gid, &exp->ex_fslocs); 816 if (exp->ex_uuid) { 817 int i; 818 seq_puts(m, ",uuid="); 819 for (i = 0; i < EX_UUID_LEN; i++) { 820 if ((i&3) == 0 && i) 821 seq_putc(m, ':'); 822 seq_printf(m, "%02x", exp->ex_uuid[i]); 823 } 824 } 825 show_secinfo(m, exp); 826 } 827 seq_puts(m, ")\n"); 828 return 0; 829 } 830 static int svc_export_match(struct cache_head *a, struct cache_head *b) 831 { 832 struct svc_export *orig = container_of(a, struct svc_export, h); 833 struct svc_export *new = container_of(b, struct svc_export, h); 834 return orig->ex_client == new->ex_client && 835 path_equal(&orig->ex_path, &new->ex_path); 836 } 837 838 static void svc_export_init(struct cache_head *cnew, struct cache_head *citem) 839 { 840 struct svc_export *new = container_of(cnew, struct svc_export, h); 841 struct svc_export *item = container_of(citem, struct svc_export, h); 842 843 kref_get(&item->ex_client->ref); 844 new->ex_client = item->ex_client; 845 new->ex_path = item->ex_path; 846 path_get(&item->ex_path); 847 new->ex_fslocs.locations = NULL; 848 new->ex_fslocs.locations_count = 0; 849 new->ex_fslocs.migrated = 0; 850 new->ex_layout_types = 0; 851 new->ex_uuid = NULL; 852 new->cd = item->cd; 853 export_stats_reset(new->ex_stats); 854 } 855 856 static void export_update(struct cache_head *cnew, struct cache_head *citem) 857 { 858 struct svc_export *new = container_of(cnew, struct svc_export, h); 859 struct svc_export *item = container_of(citem, struct svc_export, h); 860 int i; 861 862 new->ex_flags = item->ex_flags; 863 new->ex_anon_uid = item->ex_anon_uid; 864 new->ex_anon_gid = item->ex_anon_gid; 865 new->ex_fsid = item->ex_fsid; 866 new->ex_devid_map = item->ex_devid_map; 867 item->ex_devid_map = NULL; 868 new->ex_uuid = item->ex_uuid; 869 item->ex_uuid = NULL; 870 new->ex_fslocs.locations = item->ex_fslocs.locations; 871 item->ex_fslocs.locations = NULL; 872 new->ex_fslocs.locations_count = item->ex_fslocs.locations_count; 873 item->ex_fslocs.locations_count = 0; 874 new->ex_fslocs.migrated = item->ex_fslocs.migrated; 875 item->ex_fslocs.migrated = 0; 876 new->ex_layout_types = item->ex_layout_types; 877 new->ex_nflavors = item->ex_nflavors; 878 for (i = 0; i < MAX_SECINFO_LIST; i++) { 879 new->ex_flavors[i] = item->ex_flavors[i]; 880 } 881 new->ex_xprtsec_modes = item->ex_xprtsec_modes; 882 } 883 884 static struct cache_head *svc_export_alloc(void) 885 { 886 struct svc_export *i = kmalloc_obj(*i); 887 if (!i) 888 return NULL; 889 890 i->ex_stats = kmalloc_obj(*(i->ex_stats)); 891 if (!i->ex_stats) { 892 kfree(i); 893 return NULL; 894 } 895 896 if (export_stats_init(i->ex_stats)) { 897 kfree(i->ex_stats); 898 kfree(i); 899 return NULL; 900 } 901 902 return &i->h; 903 } 904 905 static const struct cache_detail svc_export_cache_template = { 906 .owner = THIS_MODULE, 907 .hash_size = EXPORT_HASHMAX, 908 .name = "nfsd.export", 909 .cache_put = svc_export_put, 910 .cache_upcall = svc_export_upcall, 911 .cache_request = svc_export_request, 912 .cache_parse = svc_export_parse, 913 .cache_show = svc_export_show, 914 .match = svc_export_match, 915 .init = svc_export_init, 916 .update = export_update, 917 .alloc = svc_export_alloc, 918 }; 919 920 static int 921 svc_export_hash(struct svc_export *exp) 922 { 923 int hash; 924 925 hash = hash_ptr(exp->ex_client, EXPORT_HASHBITS); 926 hash ^= hash_ptr(exp->ex_path.dentry, EXPORT_HASHBITS); 927 hash ^= hash_ptr(exp->ex_path.mnt, EXPORT_HASHBITS); 928 return hash; 929 } 930 931 static struct svc_export * 932 svc_export_lookup(struct svc_export *exp) 933 { 934 struct cache_head *ch; 935 int hash = svc_export_hash(exp); 936 937 ch = sunrpc_cache_lookup_rcu(exp->cd, &exp->h, hash); 938 if (ch) 939 return container_of(ch, struct svc_export, h); 940 else 941 return NULL; 942 } 943 944 static struct svc_export * 945 svc_export_update(struct svc_export *new, struct svc_export *old) 946 { 947 struct cache_head *ch; 948 int hash = svc_export_hash(old); 949 950 ch = sunrpc_cache_update(old->cd, &new->h, &old->h, hash); 951 if (ch) 952 return container_of(ch, struct svc_export, h); 953 else 954 return NULL; 955 } 956 957 958 static struct svc_expkey * 959 exp_find_key(struct cache_detail *cd, struct auth_domain *clp, int fsid_type, 960 u32 *fsidv, struct cache_req *reqp) 961 { 962 struct svc_expkey key, *ek; 963 int err; 964 965 if (!clp) 966 return ERR_PTR(-ENOENT); 967 968 key.ek_client = clp; 969 key.ek_fsidtype = fsid_type; 970 memcpy(key.ek_fsid, fsidv, key_len(fsid_type)); 971 972 ek = svc_expkey_lookup(cd, &key); 973 if (ek == NULL) 974 return ERR_PTR(-ENOMEM); 975 err = cache_check(cd, &ek->h, reqp); 976 if (err) { 977 trace_nfsd_exp_find_key(&key, err); 978 return ERR_PTR(err); 979 } 980 return ek; 981 } 982 983 static struct svc_export * 984 exp_get_by_name(struct cache_detail *cd, struct auth_domain *clp, 985 const struct path *path, struct cache_req *reqp) 986 { 987 struct svc_export *exp, key; 988 int err; 989 990 if (!clp) 991 return ERR_PTR(-ENOENT); 992 993 key.ex_client = clp; 994 key.ex_path = *path; 995 key.cd = cd; 996 997 exp = svc_export_lookup(&key); 998 if (exp == NULL) 999 return ERR_PTR(-ENOMEM); 1000 err = cache_check(cd, &exp->h, reqp); 1001 if (err) { 1002 trace_nfsd_exp_get_by_name(&key, err); 1003 return ERR_PTR(err); 1004 } 1005 return exp; 1006 } 1007 1008 /* 1009 * Find the export entry for a given dentry. 1010 */ 1011 static struct svc_export * 1012 exp_parent(struct cache_detail *cd, struct auth_domain *clp, struct path *path) 1013 { 1014 struct dentry *saved = dget(path->dentry); 1015 struct svc_export *exp = exp_get_by_name(cd, clp, path, NULL); 1016 1017 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1018 struct dentry *parent = dget_parent(path->dentry); 1019 dput(path->dentry); 1020 path->dentry = parent; 1021 exp = exp_get_by_name(cd, clp, path, NULL); 1022 } 1023 dput(path->dentry); 1024 path->dentry = saved; 1025 return exp; 1026 } 1027 1028 1029 1030 /* 1031 * Obtain the root fh on behalf of a client. 1032 * This could be done in user space, but I feel that it adds some safety 1033 * since its harder to fool a kernel module than a user space program. 1034 */ 1035 int 1036 exp_rootfh(struct net *net, struct auth_domain *clp, char *name, 1037 struct knfsd_fh *f, int maxsize) 1038 { 1039 struct svc_export *exp; 1040 struct path path; 1041 struct inode *inode __maybe_unused; 1042 struct svc_fh fh; 1043 int err; 1044 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1045 struct cache_detail *cd = nn->svc_export_cache; 1046 1047 err = -EPERM; 1048 /* NB: we probably ought to check that it's NUL-terminated */ 1049 if (kern_path(name, 0, &path)) { 1050 printk("nfsd: exp_rootfh path not found %s", name); 1051 return err; 1052 } 1053 inode = d_inode(path.dentry); 1054 1055 dprintk("nfsd: exp_rootfh(%s [%p] %s:%s/%llu)\n", 1056 name, path.dentry, clp->name, 1057 inode->i_sb->s_id, inode->i_ino); 1058 exp = exp_parent(cd, clp, &path); 1059 if (IS_ERR(exp)) { 1060 err = PTR_ERR(exp); 1061 goto out; 1062 } 1063 1064 /* 1065 * fh must be initialized before calling fh_compose 1066 */ 1067 fh_init(&fh, maxsize); 1068 if (fh_compose(&fh, exp, path.dentry, NULL)) 1069 err = -EINVAL; 1070 else 1071 err = 0; 1072 memcpy(f, &fh.fh_handle, sizeof(struct knfsd_fh)); 1073 fh_put(&fh); 1074 exp_put(exp); 1075 out: 1076 path_put(&path); 1077 return err; 1078 } 1079 1080 static struct svc_export *exp_find(struct cache_detail *cd, 1081 struct auth_domain *clp, int fsid_type, 1082 u32 *fsidv, struct cache_req *reqp) 1083 { 1084 struct svc_export *exp; 1085 struct nfsd_net *nn = net_generic(cd->net, nfsd_net_id); 1086 struct svc_expkey *ek = exp_find_key(nn->svc_expkey_cache, clp, fsid_type, fsidv, reqp); 1087 if (IS_ERR(ek)) 1088 return ERR_CAST(ek); 1089 1090 exp = exp_get_by_name(cd, clp, &ek->ek_path, reqp); 1091 cache_put(&ek->h, nn->svc_expkey_cache); 1092 1093 if (IS_ERR(exp)) 1094 return ERR_CAST(exp); 1095 return exp; 1096 } 1097 1098 /** 1099 * check_xprtsec_policy - check if access to export is allowed by the 1100 * xprtsec policy 1101 * @exp: svc_export that is being accessed. 1102 * @rqstp: svc_rqst attempting to access @exp. 1103 * 1104 * Helper function for check_nfsd_access(). Note that callers should be 1105 * using check_nfsd_access() instead of calling this function directly. The 1106 * one exception is __fh_verify() since it has logic that may result in one 1107 * or both of the helpers being skipped. 1108 * 1109 * Return values: 1110 * %nfs_ok if access is granted, or 1111 * %nfserr_wrongsec if access is denied 1112 */ 1113 __be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) 1114 { 1115 struct svc_xprt *xprt = rqstp->rq_xprt; 1116 1117 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { 1118 if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) 1119 return nfs_ok; 1120 } 1121 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { 1122 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1123 !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1124 return nfs_ok; 1125 } 1126 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { 1127 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1128 test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1129 return nfs_ok; 1130 } 1131 return nfserr_wrongsec; 1132 } 1133 1134 /** 1135 * check_security_flavor - check if access to export is allowed by the 1136 * security flavor 1137 * @exp: svc_export that is being accessed. 1138 * @rqstp: svc_rqst attempting to access @exp. 1139 * @may_bypass_gss: reduce strictness of authorization check 1140 * 1141 * Helper function for check_nfsd_access(). Note that callers should be 1142 * using check_nfsd_access() instead of calling this function directly. The 1143 * one exception is __fh_verify() since it has logic that may result in one 1144 * or both of the helpers being skipped. 1145 * 1146 * Return values: 1147 * %nfs_ok if access is granted, or 1148 * %nfserr_wrongsec if access is denied 1149 */ 1150 __be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, 1151 bool may_bypass_gss) 1152 { 1153 struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; 1154 1155 /* legacy gss-only clients are always OK: */ 1156 if (exp->ex_client == rqstp->rq_gssclient) 1157 return nfs_ok; 1158 /* ip-address based client; check sec= export option: */ 1159 for (f = exp->ex_flavors; f < end; f++) { 1160 if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) 1161 return nfs_ok; 1162 } 1163 /* defaults in absence of sec= options: */ 1164 if (exp->ex_nflavors == 0) { 1165 if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1166 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) 1167 return nfs_ok; 1168 } 1169 1170 /* If the compound op contains a spo_must_allowed op, 1171 * it will be sent with integrity/protection which 1172 * will have to be expressly allowed on mounts that 1173 * don't support it 1174 */ 1175 1176 if (nfsd4_spo_must_allow(rqstp)) 1177 return nfs_ok; 1178 1179 /* Some calls may be processed without authentication 1180 * on GSS exports. For example NFS2/3 calls on root 1181 * directory, see section 2.3.2 of rfc 2623. 1182 * For "may_bypass_gss" check that export has really 1183 * enabled some flavor with authentication (GSS or any 1184 * other) and also check that the used auth flavor is 1185 * without authentication (none or sys). 1186 */ 1187 if (may_bypass_gss && ( 1188 rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1189 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { 1190 for (f = exp->ex_flavors; f < end; f++) { 1191 if (f->pseudoflavor >= RPC_AUTH_DES) 1192 return 0; 1193 } 1194 } 1195 1196 return nfserr_wrongsec; 1197 } 1198 1199 /** 1200 * check_nfsd_access - check if access to export is allowed. 1201 * @exp: svc_export that is being accessed. 1202 * @rqstp: svc_rqst attempting to access @exp. 1203 * @may_bypass_gss: reduce strictness of authorization check 1204 * 1205 * Return values: 1206 * %nfs_ok if access is granted, or 1207 * %nfserr_wrongsec if access is denied 1208 */ 1209 __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, 1210 bool may_bypass_gss) 1211 { 1212 __be32 status; 1213 1214 status = check_xprtsec_policy(exp, rqstp); 1215 if (status != nfs_ok) 1216 return status; 1217 return check_security_flavor(exp, rqstp, may_bypass_gss); 1218 } 1219 1220 /* 1221 * Uses rq_client and rq_gssclient to find an export; uses rq_client (an 1222 * auth_unix client) if it's available and has secinfo information; 1223 * otherwise, will try to use rq_gssclient. 1224 * 1225 * Called from functions that handle requests; functions that do work on 1226 * behalf of mountd are passed a single client name to use, and should 1227 * use exp_get_by_name() or exp_find(). 1228 */ 1229 struct svc_export * 1230 rqst_exp_get_by_name(struct svc_rqst *rqstp, const struct path *path) 1231 { 1232 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1233 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 1234 struct cache_detail *cd = nn->svc_export_cache; 1235 1236 if (rqstp->rq_client == NULL) 1237 goto gss; 1238 1239 /* First try the auth_unix client: */ 1240 exp = exp_get_by_name(cd, rqstp->rq_client, path, &rqstp->rq_chandle); 1241 if (PTR_ERR(exp) == -ENOENT) 1242 goto gss; 1243 if (IS_ERR(exp)) 1244 return exp; 1245 /* If it has secinfo, assume there are no gss/... clients */ 1246 if (exp->ex_nflavors > 0) 1247 return exp; 1248 gss: 1249 /* Otherwise, try falling back on gss client */ 1250 if (rqstp->rq_gssclient == NULL) 1251 return exp; 1252 gssexp = exp_get_by_name(cd, rqstp->rq_gssclient, path, &rqstp->rq_chandle); 1253 if (PTR_ERR(gssexp) == -ENOENT) 1254 return exp; 1255 if (!IS_ERR(exp)) 1256 exp_put(exp); 1257 return gssexp; 1258 } 1259 1260 /** 1261 * rqst_exp_find - Find an svc_export in the context of a rqst or similar 1262 * @reqp: The handle to be used to suspend the request if a cache-upcall is needed 1263 * If NULL, missing in-cache information will result in failure. 1264 * @net: The network namespace in which the request exists 1265 * @cl: default auth_domain to use for looking up the export 1266 * @gsscl: an alternate auth_domain defined using deprecated gss/krb5 format. 1267 * @fsid_type: The type of fsid to look for 1268 * @fsidv: The actual fsid to look up in the context of either client. 1269 * 1270 * Perform a lookup for @cl/@fsidv in the given @net for an export. If 1271 * none found and @gsscl specified, repeat the lookup. 1272 * 1273 * Returns an export, or an error pointer. 1274 */ 1275 struct svc_export * 1276 rqst_exp_find(struct cache_req *reqp, struct net *net, 1277 struct auth_domain *cl, struct auth_domain *gsscl, 1278 int fsid_type, u32 *fsidv) 1279 { 1280 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1281 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1282 struct cache_detail *cd = nn->svc_export_cache; 1283 1284 if (!cl) 1285 goto gss; 1286 1287 /* First try the auth_unix client: */ 1288 exp = exp_find(cd, cl, fsid_type, fsidv, reqp); 1289 if (PTR_ERR(exp) == -ENOENT) 1290 goto gss; 1291 if (IS_ERR(exp)) 1292 return exp; 1293 /* If it has secinfo, assume there are no gss/... clients */ 1294 if (exp->ex_nflavors > 0) 1295 return exp; 1296 gss: 1297 /* Otherwise, try falling back on gss client */ 1298 if (!gsscl) 1299 return exp; 1300 gssexp = exp_find(cd, gsscl, fsid_type, fsidv, reqp); 1301 if (PTR_ERR(gssexp) == -ENOENT) 1302 return exp; 1303 if (!IS_ERR(exp)) 1304 exp_put(exp); 1305 return gssexp; 1306 } 1307 1308 struct svc_export * 1309 rqst_exp_parent(struct svc_rqst *rqstp, struct path *path) 1310 { 1311 struct dentry *saved = dget(path->dentry); 1312 struct svc_export *exp = rqst_exp_get_by_name(rqstp, path); 1313 1314 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1315 struct dentry *parent = dget_parent(path->dentry); 1316 dput(path->dentry); 1317 path->dentry = parent; 1318 exp = rqst_exp_get_by_name(rqstp, path); 1319 } 1320 dput(path->dentry); 1321 path->dentry = saved; 1322 return exp; 1323 } 1324 1325 struct svc_export *rqst_find_fsidzero_export(struct svc_rqst *rqstp) 1326 { 1327 u32 fsidv[2]; 1328 1329 mk_fsid(FSID_NUM, fsidv, 0, 0, 0, NULL); 1330 1331 return rqst_exp_find(&rqstp->rq_chandle, SVC_NET(rqstp), 1332 rqstp->rq_client, rqstp->rq_gssclient, 1333 FSID_NUM, fsidv); 1334 } 1335 1336 /* 1337 * Called when we need the filehandle for the root of the pseudofs, 1338 * for a given NFSv4 client. The root is defined to be the 1339 * export point with fsid==0 1340 */ 1341 __be32 1342 exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp) 1343 { 1344 struct svc_export *exp; 1345 __be32 rv; 1346 1347 exp = rqst_find_fsidzero_export(rqstp); 1348 if (IS_ERR(exp)) 1349 return nfserrno(PTR_ERR(exp)); 1350 rv = fh_compose(fhp, exp, exp->ex_path.dentry, NULL); 1351 exp_put(exp); 1352 return rv; 1353 } 1354 1355 static struct flags { 1356 int flag; 1357 char *name[2]; 1358 } expflags[] = { 1359 { NFSEXP_READONLY, {"ro", "rw"}}, 1360 { NFSEXP_INSECURE_PORT, {"insecure", ""}}, 1361 { NFSEXP_ROOTSQUASH, {"root_squash", "no_root_squash"}}, 1362 { NFSEXP_ALLSQUASH, {"all_squash", ""}}, 1363 { NFSEXP_ASYNC, {"async", "sync"}}, 1364 { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}}, 1365 { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}}, 1366 { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1367 { NFSEXP_SIGN_FH, {"sign_fh", ""}}, 1368 { NFSEXP_NOHIDE, {"nohide", ""}}, 1369 { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}}, 1370 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, 1371 { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, 1372 { NFSEXP_V4ROOT, {"v4root", ""}}, 1373 { NFSEXP_PNFS, {"pnfs", ""}}, 1374 { 0, {"", ""}} 1375 }; 1376 1377 static void show_expflags(struct seq_file *m, int flags, int mask) 1378 { 1379 struct flags *flg; 1380 int state, first = 0; 1381 1382 for (flg = expflags; flg->flag; flg++) { 1383 if (flg->flag & ~mask) 1384 continue; 1385 state = (flg->flag & flags) ? 0 : 1; 1386 if (*flg->name[state]) 1387 seq_printf(m, "%s%s", first++?",":"", flg->name[state]); 1388 } 1389 } 1390 1391 static void show_secinfo_flags(struct seq_file *m, int flags) 1392 { 1393 seq_printf(m, ","); 1394 show_expflags(m, flags, NFSEXP_SECINFO_FLAGS); 1395 } 1396 1397 static bool secinfo_flags_equal(int f, int g) 1398 { 1399 f &= NFSEXP_SECINFO_FLAGS; 1400 g &= NFSEXP_SECINFO_FLAGS; 1401 return f == g; 1402 } 1403 1404 static int show_secinfo_run(struct seq_file *m, struct exp_flavor_info **fp, struct exp_flavor_info *end) 1405 { 1406 int flags; 1407 1408 flags = (*fp)->flags; 1409 seq_printf(m, ",sec=%d", (*fp)->pseudoflavor); 1410 (*fp)++; 1411 while (*fp != end && secinfo_flags_equal(flags, (*fp)->flags)) { 1412 seq_printf(m, ":%d", (*fp)->pseudoflavor); 1413 (*fp)++; 1414 } 1415 return flags; 1416 } 1417 1418 static void show_secinfo(struct seq_file *m, struct svc_export *exp) 1419 { 1420 struct exp_flavor_info *f; 1421 struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors; 1422 int flags; 1423 1424 if (exp->ex_nflavors == 0) 1425 return; 1426 f = exp->ex_flavors; 1427 flags = show_secinfo_run(m, &f, end); 1428 if (!secinfo_flags_equal(flags, exp->ex_flags)) 1429 show_secinfo_flags(m, flags); 1430 while (f != end) { 1431 flags = show_secinfo_run(m, &f, end); 1432 show_secinfo_flags(m, flags); 1433 } 1434 } 1435 1436 static void exp_flags(struct seq_file *m, int flag, int fsid, 1437 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fsloc) 1438 { 1439 struct user_namespace *userns = m->file->f_cred->user_ns; 1440 1441 show_expflags(m, flag, NFSEXP_ALLFLAGS); 1442 if (flag & NFSEXP_FSID) 1443 seq_printf(m, ",fsid=%d", fsid); 1444 if (!uid_eq(anonu, make_kuid(userns, (uid_t)-2)) && 1445 !uid_eq(anonu, make_kuid(userns, 0x10000-2))) 1446 seq_printf(m, ",anonuid=%u", from_kuid_munged(userns, anonu)); 1447 if (!gid_eq(anong, make_kgid(userns, (gid_t)-2)) && 1448 !gid_eq(anong, make_kgid(userns, 0x10000-2))) 1449 seq_printf(m, ",anongid=%u", from_kgid_munged(userns, anong)); 1450 if (fsloc && fsloc->locations_count > 0) { 1451 char *loctype = (fsloc->migrated) ? "refer" : "replicas"; 1452 int i; 1453 1454 seq_printf(m, ",%s=", loctype); 1455 seq_escape(m, fsloc->locations[0].path, ",;@ \t\n\\"); 1456 seq_putc(m, '@'); 1457 seq_escape(m, fsloc->locations[0].hosts, ",;@ \t\n\\"); 1458 for (i = 1; i < fsloc->locations_count; i++) { 1459 seq_putc(m, ';'); 1460 seq_escape(m, fsloc->locations[i].path, ",;@ \t\n\\"); 1461 seq_putc(m, '@'); 1462 seq_escape(m, fsloc->locations[i].hosts, ",;@ \t\n\\"); 1463 } 1464 } 1465 } 1466 1467 static int e_show(struct seq_file *m, void *p) 1468 { 1469 struct cache_head *cp = p; 1470 struct svc_export *exp = container_of(cp, struct svc_export, h); 1471 struct cache_detail *cd = m->private; 1472 bool export_stats = is_export_stats_file(m); 1473 1474 if (p == SEQ_START_TOKEN) { 1475 seq_puts(m, "# Version 1.1\n"); 1476 if (export_stats) 1477 seq_puts(m, "# Path Client Start-time\n#\tStats\n"); 1478 else 1479 seq_puts(m, "# Path Client(Flags) # IPs\n"); 1480 return 0; 1481 } 1482 1483 if (cache_check_rcu(cd, &exp->h, NULL)) 1484 return 0; 1485 1486 return svc_export_show(m, cd, cp); 1487 } 1488 1489 const struct seq_operations nfs_exports_op = { 1490 .start = cache_seq_start_rcu, 1491 .next = cache_seq_next_rcu, 1492 .stop = cache_seq_stop_rcu, 1493 .show = e_show, 1494 }; 1495 1496 /** 1497 * nfsd_export_wq_init - allocate the export release workqueue 1498 * 1499 * Called once at module load. The workqueue runs deferred svc_export and 1500 * svc_expkey release work scheduled by queue_rcu_work() in the cache put 1501 * callbacks. 1502 * 1503 * Return values: 1504 * %0: workqueue allocated 1505 * %-ENOMEM: allocation failed 1506 */ 1507 int nfsd_export_wq_init(void) 1508 { 1509 nfsd_export_wq = alloc_workqueue("nfsd_export", WQ_UNBOUND, 0); 1510 if (!nfsd_export_wq) 1511 return -ENOMEM; 1512 return 0; 1513 } 1514 1515 /** 1516 * nfsd_export_wq_shutdown - drain and free the export release workqueue 1517 * 1518 * Called once at module unload. Per-namespace teardown in 1519 * nfsd_export_shutdown() has already drained all deferred work. 1520 */ 1521 void nfsd_export_wq_shutdown(void) 1522 { 1523 destroy_workqueue(nfsd_export_wq); 1524 } 1525 1526 /* 1527 * Initialize the exports module. 1528 */ 1529 int 1530 nfsd_export_init(struct net *net) 1531 { 1532 int rv; 1533 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1534 1535 dprintk("nfsd: initializing export module (net: %x).\n", net->ns.inum); 1536 1537 nn->svc_export_cache = cache_create_net(&svc_export_cache_template, net); 1538 if (IS_ERR(nn->svc_export_cache)) 1539 return PTR_ERR(nn->svc_export_cache); 1540 rv = cache_register_net(nn->svc_export_cache, net); 1541 if (rv) 1542 goto destroy_export_cache; 1543 1544 nn->svc_expkey_cache = cache_create_net(&svc_expkey_cache_template, net); 1545 if (IS_ERR(nn->svc_expkey_cache)) { 1546 rv = PTR_ERR(nn->svc_expkey_cache); 1547 goto unregister_export_cache; 1548 } 1549 rv = cache_register_net(nn->svc_expkey_cache, net); 1550 if (rv) 1551 goto destroy_expkey_cache; 1552 return 0; 1553 1554 destroy_expkey_cache: 1555 cache_destroy_net(nn->svc_expkey_cache, net); 1556 unregister_export_cache: 1557 cache_unregister_net(nn->svc_export_cache, net); 1558 destroy_export_cache: 1559 cache_destroy_net(nn->svc_export_cache, net); 1560 return rv; 1561 } 1562 1563 /* 1564 * Flush exports table - called when last nfsd thread is killed 1565 */ 1566 void 1567 nfsd_export_flush(struct net *net) 1568 { 1569 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1570 1571 cache_purge(nn->svc_expkey_cache); 1572 cache_purge(nn->svc_export_cache); 1573 } 1574 1575 /* 1576 * Shutdown the exports module. 1577 */ 1578 void 1579 nfsd_export_shutdown(struct net *net) 1580 { 1581 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1582 1583 dprintk("nfsd: shutting down export module (net: %x).\n", net->ns.inum); 1584 1585 cache_unregister_net(nn->svc_expkey_cache, net); 1586 cache_unregister_net(nn->svc_export_cache, net); 1587 /* Drain deferred export and expkey release work. */ 1588 rcu_barrier(); 1589 flush_workqueue(nfsd_export_wq); 1590 cache_destroy_net(nn->svc_expkey_cache, net); 1591 cache_destroy_net(nn->svc_export_cache, net); 1592 svcauth_unix_purge(net); 1593 1594 dprintk("nfsd: export shutdown complete (net: %x).\n", net->ns.inum); 1595 } 1596