]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/net/sunrpc/auth.c | |
3 | * | |
4 | * Generic RPC client authentication API. | |
5 | * | |
6 | * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> | |
7 | */ | |
8 | ||
9 | #include <linux/types.h> | |
10 | #include <linux/sched.h> | |
5b825c3a | 11 | #include <linux/cred.h> |
1da177e4 LT |
12 | #include <linux/module.h> |
13 | #include <linux/slab.h> | |
14 | #include <linux/errno.h> | |
25337fdc | 15 | #include <linux/hash.h> |
1da177e4 | 16 | #include <linux/sunrpc/clnt.h> |
6a1a1e34 | 17 | #include <linux/sunrpc/gss_api.h> |
1da177e4 LT |
18 | #include <linux/spinlock.h> |
19 | ||
f895b252 | 20 | #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
1da177e4 LT |
21 | # define RPCDBG_FACILITY RPCDBG_AUTH |
22 | #endif | |
23 | ||
241269bd TM |
24 | #define RPC_CREDCACHE_DEFAULT_HASHBITS (4) |
25 | struct rpc_cred_cache { | |
26 | struct hlist_head *hashtable; | |
27 | unsigned int hashbits; | |
28 | spinlock_t lock; | |
29 | }; | |
30 | ||
31 | static unsigned int auth_hashbits = RPC_CREDCACHE_DEFAULT_HASHBITS; | |
32 | ||
4e4c3bef TM |
33 | static const struct rpc_authops __rcu *auth_flavors[RPC_AUTH_MAXFLAVOR] = { |
34 | [RPC_AUTH_NULL] = (const struct rpc_authops __force __rcu *)&authnull_ops, | |
35 | [RPC_AUTH_UNIX] = (const struct rpc_authops __force __rcu *)&authunix_ops, | |
1da177e4 LT |
36 | NULL, /* others can be loadable modules */ |
37 | }; | |
38 | ||
e092bdcd | 39 | static LIST_HEAD(cred_unused); |
f5c2187c | 40 | static unsigned long number_cred_unused; |
e092bdcd | 41 | |
a52458b4 N |
42 | static struct cred machine_cred = { |
43 | .usage = ATOMIC_INIT(1), | |
e7f45099 S |
44 | #ifdef CONFIG_DEBUG_CREDENTIALS |
45 | .magic = CRED_MAGIC, | |
46 | #endif | |
5e16923b N |
47 | }; |
48 | ||
49 | /* | |
50 | * Return the machine_cred pointer to be used whenever | |
51 | * the a generic machine credential is needed. | |
52 | */ | |
a52458b4 | 53 | const struct cred *rpc_machine_cred(void) |
5e16923b N |
54 | { |
55 | return &machine_cred; | |
56 | } | |
57 | EXPORT_SYMBOL_GPL(rpc_machine_cred); | |
58 | ||
db5fe265 | 59 | #define MAX_HASHTABLE_BITS (14) |
8e4e15d4 | 60 | static int param_set_hashtbl_sz(const char *val, const struct kernel_param *kp) |
241269bd TM |
61 | { |
62 | unsigned long num; | |
63 | unsigned int nbits; | |
64 | int ret; | |
65 | ||
66 | if (!val) | |
67 | goto out_inval; | |
00cfaa94 | 68 | ret = kstrtoul(val, 0, &num); |
1a54c0cf | 69 | if (ret) |
241269bd | 70 | goto out_inval; |
34ae685c | 71 | nbits = fls(num - 1); |
241269bd TM |
72 | if (nbits > MAX_HASHTABLE_BITS || nbits < 2) |
73 | goto out_inval; | |
74 | *(unsigned int *)kp->arg = nbits; | |
75 | return 0; | |
76 | out_inval: | |
77 | return -EINVAL; | |
78 | } | |
79 | ||
8e4e15d4 | 80 | static int param_get_hashtbl_sz(char *buffer, const struct kernel_param *kp) |
241269bd TM |
81 | { |
82 | unsigned int nbits; | |
83 | ||
84 | nbits = *(unsigned int *)kp->arg; | |
85 | return sprintf(buffer, "%u", 1U << nbits); | |
86 | } | |
87 | ||
88 | #define param_check_hashtbl_sz(name, p) __param_check(name, p, unsigned int); | |
89 | ||
9c27847d | 90 | static const struct kernel_param_ops param_ops_hashtbl_sz = { |
8e4e15d4 SR |
91 | .set = param_set_hashtbl_sz, |
92 | .get = param_get_hashtbl_sz, | |
93 | }; | |
94 | ||
241269bd TM |
95 | module_param_named(auth_hashtable_size, auth_hashbits, hashtbl_sz, 0644); |
96 | MODULE_PARM_DESC(auth_hashtable_size, "RPC credential cache hashtable size"); | |
97 | ||
bae6746f TM |
98 | static unsigned long auth_max_cred_cachesize = ULONG_MAX; |
99 | module_param(auth_max_cred_cachesize, ulong, 0644); | |
100 | MODULE_PARM_DESC(auth_max_cred_cachesize, "RPC credential maximum total cache size"); | |
101 | ||
1da177e4 LT |
102 | static u32 |
103 | pseudoflavor_to_flavor(u32 flavor) { | |
1c74a244 | 104 | if (flavor > RPC_AUTH_MAXFLAVOR) |
1da177e4 LT |
105 | return RPC_AUTH_GSS; |
106 | return flavor; | |
107 | } | |
108 | ||
109 | int | |
f1c0a861 | 110 | rpcauth_register(const struct rpc_authops *ops) |
1da177e4 | 111 | { |
4e4c3bef | 112 | const struct rpc_authops *old; |
1da177e4 LT |
113 | rpc_authflavor_t flavor; |
114 | ||
115 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
116 | return -EINVAL; | |
4e4c3bef TM |
117 | old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], NULL, ops); |
118 | if (old == NULL || old == ops) | |
119 | return 0; | |
120 | return -EPERM; | |
1da177e4 | 121 | } |
e8914c65 | 122 | EXPORT_SYMBOL_GPL(rpcauth_register); |
1da177e4 LT |
123 | |
124 | int | |
f1c0a861 | 125 | rpcauth_unregister(const struct rpc_authops *ops) |
1da177e4 | 126 | { |
4e4c3bef | 127 | const struct rpc_authops *old; |
1da177e4 LT |
128 | rpc_authflavor_t flavor; |
129 | ||
130 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
131 | return -EINVAL; | |
4e4c3bef TM |
132 | |
133 | old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], ops, NULL); | |
134 | if (old == ops || old == NULL) | |
135 | return 0; | |
136 | return -EPERM; | |
1da177e4 | 137 | } |
e8914c65 | 138 | EXPORT_SYMBOL_GPL(rpcauth_unregister); |
1da177e4 | 139 | |
4e4c3bef TM |
140 | static const struct rpc_authops * |
141 | rpcauth_get_authops(rpc_authflavor_t flavor) | |
142 | { | |
143 | const struct rpc_authops *ops; | |
144 | ||
145 | if (flavor >= RPC_AUTH_MAXFLAVOR) | |
146 | return NULL; | |
147 | ||
148 | rcu_read_lock(); | |
149 | ops = rcu_dereference(auth_flavors[flavor]); | |
150 | if (ops == NULL) { | |
151 | rcu_read_unlock(); | |
152 | request_module("rpc-auth-%u", flavor); | |
153 | rcu_read_lock(); | |
154 | ops = rcu_dereference(auth_flavors[flavor]); | |
155 | if (ops == NULL) | |
156 | goto out; | |
157 | } | |
158 | if (!try_module_get(ops->owner)) | |
159 | ops = NULL; | |
160 | out: | |
161 | rcu_read_unlock(); | |
162 | return ops; | |
163 | } | |
164 | ||
165 | static void | |
166 | rpcauth_put_authops(const struct rpc_authops *ops) | |
167 | { | |
168 | module_put(ops->owner); | |
169 | } | |
170 | ||
9568c5e9 CL |
171 | /** |
172 | * rpcauth_get_pseudoflavor - check if security flavor is supported | |
173 | * @flavor: a security flavor | |
174 | * @info: a GSS mech OID, quality of protection, and service value | |
175 | * | |
176 | * Verifies that an appropriate kernel module is available or already loaded. | |
177 | * Returns an equivalent pseudoflavor, or RPC_AUTH_MAXFLAVOR if "flavor" is | |
178 | * not supported locally. | |
179 | */ | |
180 | rpc_authflavor_t | |
181 | rpcauth_get_pseudoflavor(rpc_authflavor_t flavor, struct rpcsec_gss_info *info) | |
182 | { | |
4e4c3bef | 183 | const struct rpc_authops *ops = rpcauth_get_authops(flavor); |
9568c5e9 CL |
184 | rpc_authflavor_t pseudoflavor; |
185 | ||
4e4c3bef | 186 | if (!ops) |
9568c5e9 | 187 | return RPC_AUTH_MAXFLAVOR; |
9568c5e9 CL |
188 | pseudoflavor = flavor; |
189 | if (ops->info2flavor != NULL) | |
190 | pseudoflavor = ops->info2flavor(info); | |
191 | ||
4e4c3bef | 192 | rpcauth_put_authops(ops); |
9568c5e9 CL |
193 | return pseudoflavor; |
194 | } | |
195 | EXPORT_SYMBOL_GPL(rpcauth_get_pseudoflavor); | |
196 | ||
a77c806f CL |
197 | /** |
198 | * rpcauth_get_gssinfo - find GSS tuple matching a GSS pseudoflavor | |
199 | * @pseudoflavor: GSS pseudoflavor to match | |
200 | * @info: rpcsec_gss_info structure to fill in | |
201 | * | |
202 | * Returns zero and fills in "info" if pseudoflavor matches a | |
203 | * supported mechanism. | |
204 | */ | |
205 | int | |
206 | rpcauth_get_gssinfo(rpc_authflavor_t pseudoflavor, struct rpcsec_gss_info *info) | |
207 | { | |
208 | rpc_authflavor_t flavor = pseudoflavor_to_flavor(pseudoflavor); | |
209 | const struct rpc_authops *ops; | |
210 | int result; | |
211 | ||
4e4c3bef | 212 | ops = rpcauth_get_authops(flavor); |
a77c806f | 213 | if (ops == NULL) |
a77c806f | 214 | return -ENOENT; |
a77c806f CL |
215 | |
216 | result = -ENOENT; | |
217 | if (ops->flavor2info != NULL) | |
218 | result = ops->flavor2info(pseudoflavor, info); | |
219 | ||
4e4c3bef | 220 | rpcauth_put_authops(ops); |
a77c806f CL |
221 | return result; |
222 | } | |
223 | EXPORT_SYMBOL_GPL(rpcauth_get_gssinfo); | |
224 | ||
6a1a1e34 CL |
225 | /** |
226 | * rpcauth_list_flavors - discover registered flavors and pseudoflavors | |
227 | * @array: array to fill in | |
228 | * @size: size of "array" | |
229 | * | |
230 | * Returns the number of array items filled in, or a negative errno. | |
231 | * | |
232 | * The returned array is not sorted by any policy. Callers should not | |
233 | * rely on the order of the items in the returned array. | |
234 | */ | |
235 | int | |
236 | rpcauth_list_flavors(rpc_authflavor_t *array, int size) | |
237 | { | |
4e4c3bef TM |
238 | const struct rpc_authops *ops; |
239 | rpc_authflavor_t flavor, pseudos[4]; | |
240 | int i, len, result = 0; | |
6a1a1e34 | 241 | |
4e4c3bef | 242 | rcu_read_lock(); |
6a1a1e34 | 243 | for (flavor = 0; flavor < RPC_AUTH_MAXFLAVOR; flavor++) { |
4e4c3bef | 244 | ops = rcu_dereference(auth_flavors[flavor]); |
6a1a1e34 CL |
245 | if (result >= size) { |
246 | result = -ENOMEM; | |
247 | break; | |
248 | } | |
249 | ||
250 | if (ops == NULL) | |
251 | continue; | |
252 | if (ops->list_pseudoflavors == NULL) { | |
253 | array[result++] = ops->au_flavor; | |
254 | continue; | |
255 | } | |
256 | len = ops->list_pseudoflavors(pseudos, ARRAY_SIZE(pseudos)); | |
257 | if (len < 0) { | |
258 | result = len; | |
259 | break; | |
260 | } | |
261 | for (i = 0; i < len; i++) { | |
262 | if (result >= size) { | |
263 | result = -ENOMEM; | |
264 | break; | |
265 | } | |
266 | array[result++] = pseudos[i]; | |
267 | } | |
268 | } | |
4e4c3bef | 269 | rcu_read_unlock(); |
6a1a1e34 CL |
270 | |
271 | dprintk("RPC: %s returns %d\n", __func__, result); | |
272 | return result; | |
273 | } | |
274 | EXPORT_SYMBOL_GPL(rpcauth_list_flavors); | |
275 | ||
1da177e4 | 276 | struct rpc_auth * |
82b98ca5 | 277 | rpcauth_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) |
1da177e4 | 278 | { |
4e4c3bef | 279 | struct rpc_auth *auth = ERR_PTR(-EINVAL); |
f1c0a861 | 280 | const struct rpc_authops *ops; |
4e4c3bef | 281 | u32 flavor = pseudoflavor_to_flavor(args->pseudoflavor); |
1da177e4 | 282 | |
4e4c3bef TM |
283 | ops = rpcauth_get_authops(flavor); |
284 | if (ops == NULL) | |
f344f6df OK |
285 | goto out; |
286 | ||
c2190661 | 287 | auth = ops->create(args, clnt); |
4e4c3bef TM |
288 | |
289 | rpcauth_put_authops(ops); | |
6a19275a BF |
290 | if (IS_ERR(auth)) |
291 | return auth; | |
1da177e4 | 292 | if (clnt->cl_auth) |
de7a8ce3 | 293 | rpcauth_release(clnt->cl_auth); |
1da177e4 | 294 | clnt->cl_auth = auth; |
f344f6df OK |
295 | |
296 | out: | |
1da177e4 LT |
297 | return auth; |
298 | } | |
e8914c65 | 299 | EXPORT_SYMBOL_GPL(rpcauth_create); |
1da177e4 LT |
300 | |
301 | void | |
de7a8ce3 | 302 | rpcauth_release(struct rpc_auth *auth) |
1da177e4 | 303 | { |
331bc71c | 304 | if (!refcount_dec_and_test(&auth->au_count)) |
1da177e4 LT |
305 | return; |
306 | auth->au_ops->destroy(auth); | |
307 | } | |
308 | ||
309 | static DEFINE_SPINLOCK(rpc_credcache_lock); | |
310 | ||
95cd6232 TM |
311 | /* |
312 | * On success, the caller is responsible for freeing the reference | |
313 | * held by the hashtable | |
314 | */ | |
315 | static bool | |
31be5bf1 TM |
316 | rpcauth_unhash_cred_locked(struct rpc_cred *cred) |
317 | { | |
95cd6232 TM |
318 | if (!test_and_clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)) |
319 | return false; | |
31be5bf1 | 320 | hlist_del_rcu(&cred->cr_hash); |
95cd6232 | 321 | return true; |
31be5bf1 TM |
322 | } |
323 | ||
95cd6232 | 324 | static bool |
9499b434 TM |
325 | rpcauth_unhash_cred(struct rpc_cred *cred) |
326 | { | |
327 | spinlock_t *cache_lock; | |
95cd6232 | 328 | bool ret; |
9499b434 | 329 | |
95cd6232 TM |
330 | if (!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)) |
331 | return false; | |
9499b434 TM |
332 | cache_lock = &cred->cr_auth->au_credcache->lock; |
333 | spin_lock(cache_lock); | |
95cd6232 | 334 | ret = rpcauth_unhash_cred_locked(cred); |
9499b434 | 335 | spin_unlock(cache_lock); |
f0380f3d | 336 | return ret; |
9499b434 TM |
337 | } |
338 | ||
1da177e4 LT |
339 | /* |
340 | * Initialize RPC credential cache | |
341 | */ | |
342 | int | |
f5c2187c | 343 | rpcauth_init_credcache(struct rpc_auth *auth) |
1da177e4 LT |
344 | { |
345 | struct rpc_cred_cache *new; | |
988664a0 | 346 | unsigned int hashsize; |
1da177e4 | 347 | |
8b3a7005 | 348 | new = kmalloc(sizeof(*new), GFP_KERNEL); |
1da177e4 | 349 | if (!new) |
241269bd TM |
350 | goto out_nocache; |
351 | new->hashbits = auth_hashbits; | |
988664a0 | 352 | hashsize = 1U << new->hashbits; |
241269bd TM |
353 | new->hashtable = kcalloc(hashsize, sizeof(new->hashtable[0]), GFP_KERNEL); |
354 | if (!new->hashtable) | |
355 | goto out_nohashtbl; | |
9499b434 | 356 | spin_lock_init(&new->lock); |
1da177e4 LT |
357 | auth->au_credcache = new; |
358 | return 0; | |
241269bd TM |
359 | out_nohashtbl: |
360 | kfree(new); | |
361 | out_nocache: | |
362 | return -ENOMEM; | |
1da177e4 | 363 | } |
e8914c65 | 364 | EXPORT_SYMBOL_GPL(rpcauth_init_credcache); |
1da177e4 | 365 | |
a0337d1d JL |
366 | char * |
367 | rpcauth_stringify_acceptor(struct rpc_cred *cred) | |
368 | { | |
369 | if (!cred->cr_ops->crstringify_acceptor) | |
370 | return NULL; | |
371 | return cred->cr_ops->crstringify_acceptor(cred); | |
372 | } | |
373 | EXPORT_SYMBOL_GPL(rpcauth_stringify_acceptor); | |
374 | ||
1da177e4 LT |
375 | /* |
376 | * Destroy a list of credentials | |
377 | */ | |
378 | static inline | |
e092bdcd | 379 | void rpcauth_destroy_credlist(struct list_head *head) |
1da177e4 LT |
380 | { |
381 | struct rpc_cred *cred; | |
382 | ||
e092bdcd TM |
383 | while (!list_empty(head)) { |
384 | cred = list_entry(head->next, struct rpc_cred, cr_lru); | |
385 | list_del_init(&cred->cr_lru); | |
1da177e4 LT |
386 | put_rpccred(cred); |
387 | } | |
388 | } | |
389 | ||
95cd6232 TM |
390 | static void |
391 | rpcauth_lru_add_locked(struct rpc_cred *cred) | |
392 | { | |
393 | if (!list_empty(&cred->cr_lru)) | |
394 | return; | |
395 | number_cred_unused++; | |
396 | list_add_tail(&cred->cr_lru, &cred_unused); | |
397 | } | |
398 | ||
399 | static void | |
400 | rpcauth_lru_add(struct rpc_cred *cred) | |
401 | { | |
402 | if (!list_empty(&cred->cr_lru)) | |
403 | return; | |
404 | spin_lock(&rpc_credcache_lock); | |
405 | rpcauth_lru_add_locked(cred); | |
406 | spin_unlock(&rpc_credcache_lock); | |
407 | } | |
408 | ||
409 | static void | |
410 | rpcauth_lru_remove_locked(struct rpc_cred *cred) | |
411 | { | |
412 | if (list_empty(&cred->cr_lru)) | |
413 | return; | |
414 | number_cred_unused--; | |
415 | list_del_init(&cred->cr_lru); | |
416 | } | |
417 | ||
418 | static void | |
419 | rpcauth_lru_remove(struct rpc_cred *cred) | |
420 | { | |
421 | if (list_empty(&cred->cr_lru)) | |
422 | return; | |
423 | spin_lock(&rpc_credcache_lock); | |
424 | rpcauth_lru_remove_locked(cred); | |
425 | spin_unlock(&rpc_credcache_lock); | |
426 | } | |
427 | ||
1da177e4 LT |
428 | /* |
429 | * Clear the RPC credential cache, and delete those credentials | |
430 | * that are not referenced. | |
431 | */ | |
432 | void | |
3ab9bb72 | 433 | rpcauth_clear_credcache(struct rpc_cred_cache *cache) |
1da177e4 | 434 | { |
e092bdcd TM |
435 | LIST_HEAD(free); |
436 | struct hlist_head *head; | |
1da177e4 | 437 | struct rpc_cred *cred; |
988664a0 | 438 | unsigned int hashsize = 1U << cache->hashbits; |
1da177e4 LT |
439 | int i; |
440 | ||
441 | spin_lock(&rpc_credcache_lock); | |
9499b434 | 442 | spin_lock(&cache->lock); |
988664a0 | 443 | for (i = 0; i < hashsize; i++) { |
e092bdcd TM |
444 | head = &cache->hashtable[i]; |
445 | while (!hlist_empty(head)) { | |
446 | cred = hlist_entry(head->first, struct rpc_cred, cr_hash); | |
31be5bf1 | 447 | rpcauth_unhash_cred_locked(cred); |
95cd6232 TM |
448 | /* Note: We now hold a reference to cred */ |
449 | rpcauth_lru_remove_locked(cred); | |
450 | list_add_tail(&cred->cr_lru, &free); | |
1da177e4 LT |
451 | } |
452 | } | |
9499b434 | 453 | spin_unlock(&cache->lock); |
1da177e4 LT |
454 | spin_unlock(&rpc_credcache_lock); |
455 | rpcauth_destroy_credlist(&free); | |
456 | } | |
457 | ||
3ab9bb72 TM |
458 | /* |
459 | * Destroy the RPC credential cache | |
460 | */ | |
461 | void | |
462 | rpcauth_destroy_credcache(struct rpc_auth *auth) | |
463 | { | |
464 | struct rpc_cred_cache *cache = auth->au_credcache; | |
465 | ||
466 | if (cache) { | |
467 | auth->au_credcache = NULL; | |
468 | rpcauth_clear_credcache(cache); | |
241269bd | 469 | kfree(cache->hashtable); |
3ab9bb72 TM |
470 | kfree(cache); |
471 | } | |
472 | } | |
e8914c65 | 473 | EXPORT_SYMBOL_GPL(rpcauth_destroy_credcache); |
3ab9bb72 | 474 | |
d2b83141 TM |
475 | |
476 | #define RPC_AUTH_EXPIRY_MORATORIUM (60 * HZ) | |
477 | ||
e092bdcd TM |
478 | /* |
479 | * Remove stale credentials. Avoid sleeping inside the loop. | |
480 | */ | |
70534a73 | 481 | static long |
f5c2187c | 482 | rpcauth_prune_expired(struct list_head *free, int nr_to_scan) |
1da177e4 | 483 | { |
eac0d18d | 484 | struct rpc_cred *cred, *next; |
d2b83141 | 485 | unsigned long expired = jiffies - RPC_AUTH_EXPIRY_MORATORIUM; |
70534a73 | 486 | long freed = 0; |
e092bdcd | 487 | |
eac0d18d TM |
488 | list_for_each_entry_safe(cred, next, &cred_unused, cr_lru) { |
489 | ||
20673406 TM |
490 | if (nr_to_scan-- == 0) |
491 | break; | |
79b18181 | 492 | if (refcount_read(&cred->cr_count) > 1) { |
95cd6232 TM |
493 | rpcauth_lru_remove_locked(cred); |
494 | continue; | |
495 | } | |
93a05e65 TM |
496 | /* |
497 | * Enforce a 60 second garbage collection moratorium | |
498 | * Note that the cred_unused list must be time-ordered. | |
499 | */ | |
95cd6232 TM |
500 | if (!time_in_range(cred->cr_expire, expired, jiffies)) |
501 | continue; | |
502 | if (!rpcauth_unhash_cred(cred)) | |
e092bdcd | 503 | continue; |
eac0d18d | 504 | |
95cd6232 TM |
505 | rpcauth_lru_remove_locked(cred); |
506 | freed++; | |
507 | list_add_tail(&cred->cr_lru, free); | |
1da177e4 | 508 | } |
95cd6232 | 509 | return freed ? freed : SHRINK_STOP; |
1da177e4 LT |
510 | } |
511 | ||
bae6746f TM |
512 | static unsigned long |
513 | rpcauth_cache_do_shrink(int nr_to_scan) | |
514 | { | |
515 | LIST_HEAD(free); | |
516 | unsigned long freed; | |
517 | ||
518 | spin_lock(&rpc_credcache_lock); | |
519 | freed = rpcauth_prune_expired(&free, nr_to_scan); | |
520 | spin_unlock(&rpc_credcache_lock); | |
521 | rpcauth_destroy_credlist(&free); | |
522 | ||
523 | return freed; | |
524 | } | |
525 | ||
1da177e4 | 526 | /* |
f5c2187c | 527 | * Run memory cache shrinker. |
1da177e4 | 528 | */ |
70534a73 DC |
529 | static unsigned long |
530 | rpcauth_cache_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) | |
531 | ||
1da177e4 | 532 | { |
70534a73 DC |
533 | if ((sc->gfp_mask & GFP_KERNEL) != GFP_KERNEL) |
534 | return SHRINK_STOP; | |
f5c2187c | 535 | |
70534a73 | 536 | /* nothing left, don't come back */ |
f5c2187c | 537 | if (list_empty(&cred_unused)) |
70534a73 DC |
538 | return SHRINK_STOP; |
539 | ||
bae6746f | 540 | return rpcauth_cache_do_shrink(sc->nr_to_scan); |
70534a73 DC |
541 | } |
542 | ||
543 | static unsigned long | |
544 | rpcauth_cache_shrink_count(struct shrinker *shrink, struct shrink_control *sc) | |
545 | ||
546 | { | |
4c3ffd05 | 547 | return number_cred_unused * sysctl_vfs_cache_pressure / 100; |
1da177e4 LT |
548 | } |
549 | ||
bae6746f TM |
550 | static void |
551 | rpcauth_cache_enforce_limit(void) | |
552 | { | |
553 | unsigned long diff; | |
554 | unsigned int nr_to_scan; | |
555 | ||
556 | if (number_cred_unused <= auth_max_cred_cachesize) | |
557 | return; | |
558 | diff = number_cred_unused - auth_max_cred_cachesize; | |
559 | nr_to_scan = 100; | |
560 | if (diff < nr_to_scan) | |
561 | nr_to_scan = diff; | |
562 | rpcauth_cache_do_shrink(nr_to_scan); | |
563 | } | |
564 | ||
1da177e4 LT |
565 | /* |
566 | * Look up a process' credentials in the authentication cache | |
567 | */ | |
568 | struct rpc_cred * | |
569 | rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, | |
3c6e0bc8 | 570 | int flags, gfp_t gfp) |
1da177e4 | 571 | { |
e092bdcd | 572 | LIST_HEAD(free); |
1da177e4 | 573 | struct rpc_cred_cache *cache = auth->au_credcache; |
31be5bf1 TM |
574 | struct rpc_cred *cred = NULL, |
575 | *entry, *new; | |
25337fdc TM |
576 | unsigned int nr; |
577 | ||
66cbd4ba | 578 | nr = auth->au_ops->hash_cred(acred, cache->hashbits); |
1da177e4 | 579 | |
31be5bf1 | 580 | rcu_read_lock(); |
b67bfe0d | 581 | hlist_for_each_entry_rcu(entry, &cache->hashtable[nr], cr_hash) { |
e092bdcd TM |
582 | if (!entry->cr_ops->crmatch(acred, entry, flags)) |
583 | continue; | |
584 | cred = get_rpccred(entry); | |
07d02a67 TM |
585 | if (cred) |
586 | break; | |
1da177e4 | 587 | } |
31be5bf1 TM |
588 | rcu_read_unlock(); |
589 | ||
9499b434 | 590 | if (cred != NULL) |
31be5bf1 | 591 | goto found; |
1da177e4 | 592 | |
3c6e0bc8 | 593 | new = auth->au_ops->crcreate(auth, acred, flags, gfp); |
31be5bf1 TM |
594 | if (IS_ERR(new)) { |
595 | cred = new; | |
596 | goto out; | |
597 | } | |
1da177e4 | 598 | |
9499b434 | 599 | spin_lock(&cache->lock); |
b67bfe0d | 600 | hlist_for_each_entry(entry, &cache->hashtable[nr], cr_hash) { |
31be5bf1 TM |
601 | if (!entry->cr_ops->crmatch(acred, entry, flags)) |
602 | continue; | |
603 | cred = get_rpccred(entry); | |
07d02a67 TM |
604 | if (cred) |
605 | break; | |
31be5bf1 TM |
606 | } |
607 | if (cred == NULL) { | |
5fe4755e | 608 | cred = new; |
31be5bf1 | 609 | set_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags); |
79b18181 | 610 | refcount_inc(&cred->cr_count); |
31be5bf1 TM |
611 | hlist_add_head_rcu(&cred->cr_hash, &cache->hashtable[nr]); |
612 | } else | |
613 | list_add_tail(&new->cr_lru, &free); | |
9499b434 | 614 | spin_unlock(&cache->lock); |
bae6746f | 615 | rpcauth_cache_enforce_limit(); |
31be5bf1 | 616 | found: |
f64f9e71 JP |
617 | if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) && |
618 | cred->cr_ops->cr_init != NULL && | |
619 | !(flags & RPCAUTH_LOOKUP_NEW)) { | |
fba3bad4 TM |
620 | int res = cred->cr_ops->cr_init(auth, cred); |
621 | if (res < 0) { | |
622 | put_rpccred(cred); | |
623 | cred = ERR_PTR(res); | |
624 | } | |
1da177e4 | 625 | } |
31be5bf1 TM |
626 | rpcauth_destroy_credlist(&free); |
627 | out: | |
628 | return cred; | |
1da177e4 | 629 | } |
e8914c65 | 630 | EXPORT_SYMBOL_GPL(rpcauth_lookup_credcache); |
1da177e4 LT |
631 | |
632 | struct rpc_cred * | |
8a317760 | 633 | rpcauth_lookupcred(struct rpc_auth *auth, int flags) |
1da177e4 | 634 | { |
86a264ab | 635 | struct auth_cred acred; |
1da177e4 | 636 | struct rpc_cred *ret; |
86a264ab | 637 | const struct cred *cred = current_cred(); |
1da177e4 | 638 | |
46121cf7 | 639 | dprintk("RPC: looking up %s cred\n", |
1da177e4 | 640 | auth->au_ops->au_name); |
86a264ab DH |
641 | |
642 | memset(&acred, 0, sizeof(acred)); | |
97f68c6b | 643 | acred.cred = cred; |
8a317760 | 644 | ret = auth->au_ops->lookup_cred(auth, &acred, flags); |
1da177e4 LT |
645 | return ret; |
646 | } | |
66b06860 | 647 | EXPORT_SYMBOL_GPL(rpcauth_lookupcred); |
1da177e4 | 648 | |
5fe4755e TM |
649 | void |
650 | rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred, | |
651 | struct rpc_auth *auth, const struct rpc_credops *ops) | |
652 | { | |
653 | INIT_HLIST_NODE(&cred->cr_hash); | |
e092bdcd | 654 | INIT_LIST_HEAD(&cred->cr_lru); |
79b18181 | 655 | refcount_set(&cred->cr_count, 1); |
5fe4755e | 656 | cred->cr_auth = auth; |
2edd8d74 | 657 | cred->cr_flags = 0; |
5fe4755e TM |
658 | cred->cr_ops = ops; |
659 | cred->cr_expire = jiffies; | |
97f68c6b | 660 | cred->cr_cred = get_cred(acred->cred); |
5fe4755e | 661 | } |
e8914c65 | 662 | EXPORT_SYMBOL_GPL(rpcauth_init_cred); |
5fe4755e | 663 | |
8572b8e2 | 664 | static struct rpc_cred * |
5d351754 | 665 | rpcauth_bind_root_cred(struct rpc_task *task, int lookupflags) |
1da177e4 | 666 | { |
1be27f36 | 667 | struct rpc_auth *auth = task->tk_client->cl_auth; |
1da177e4 | 668 | struct auth_cred acred = { |
97f68c6b | 669 | .cred = get_task_cred(&init_task), |
1da177e4 | 670 | }; |
97f68c6b | 671 | struct rpc_cred *ret; |
1da177e4 | 672 | |
46121cf7 | 673 | dprintk("RPC: %5u looking up %s cred\n", |
1be27f36 | 674 | task->tk_pid, task->tk_client->cl_auth->au_ops->au_name); |
97f68c6b N |
675 | ret = auth->au_ops->lookup_cred(auth, &acred, lookupflags); |
676 | put_cred(acred.cred); | |
677 | return ret; | |
af093835 TM |
678 | } |
679 | ||
5e16923b N |
680 | static struct rpc_cred * |
681 | rpcauth_bind_machine_cred(struct rpc_task *task, int lookupflags) | |
682 | { | |
683 | struct rpc_auth *auth = task->tk_client->cl_auth; | |
684 | struct auth_cred acred = { | |
685 | .principal = task->tk_client->cl_principal, | |
686 | .cred = init_task.cred, | |
687 | }; | |
688 | ||
689 | if (!acred.principal) | |
690 | return NULL; | |
691 | dprintk("RPC: %5u looking up %s machine cred\n", | |
692 | task->tk_pid, task->tk_client->cl_auth->au_ops->au_name); | |
693 | return auth->au_ops->lookup_cred(auth, &acred, lookupflags); | |
694 | } | |
695 | ||
8572b8e2 | 696 | static struct rpc_cred * |
5d351754 | 697 | rpcauth_bind_new_cred(struct rpc_task *task, int lookupflags) |
af093835 TM |
698 | { |
699 | struct rpc_auth *auth = task->tk_client->cl_auth; | |
af093835 TM |
700 | |
701 | dprintk("RPC: %5u looking up %s cred\n", | |
702 | task->tk_pid, auth->au_ops->au_name); | |
8572b8e2 | 703 | return rpcauth_lookupcred(auth, lookupflags); |
1da177e4 LT |
704 | } |
705 | ||
a17c2153 | 706 | static int |
a52458b4 | 707 | rpcauth_bindcred(struct rpc_task *task, const struct cred *cred, int flags) |
1da177e4 | 708 | { |
a17c2153 | 709 | struct rpc_rqst *req = task->tk_rqstp; |
5e16923b | 710 | struct rpc_cred *new = NULL; |
5d351754 | 711 | int lookupflags = 0; |
a52458b4 N |
712 | struct rpc_auth *auth = task->tk_client->cl_auth; |
713 | struct auth_cred acred = { | |
714 | .cred = cred, | |
715 | }; | |
5d351754 TM |
716 | |
717 | if (flags & RPC_TASK_ASYNC) | |
718 | lookupflags |= RPCAUTH_LOOKUP_NEW; | |
1de7eea9 N |
719 | if (task->tk_op_cred) |
720 | /* Task must use exactly this rpc_cred */ | |
d6efccd9 | 721 | new = get_rpccred(task->tk_op_cred); |
1de7eea9 | 722 | else if (cred != NULL && cred != &machine_cred) |
a52458b4 | 723 | new = auth->au_ops->lookup_cred(auth, &acred, lookupflags); |
5e16923b N |
724 | else if (cred == &machine_cred) |
725 | new = rpcauth_bind_machine_cred(task, lookupflags); | |
726 | ||
727 | /* If machine cred couldn't be bound, try a root cred */ | |
728 | if (new) | |
729 | ; | |
730 | else if (cred == &machine_cred || (flags & RPC_TASK_ROOTCREDS)) | |
8572b8e2 | 731 | new = rpcauth_bind_root_cred(task, lookupflags); |
a68a72e1 N |
732 | else if (flags & RPC_TASK_NULLCREDS) |
733 | new = authnull_ops.lookup_cred(NULL, NULL, 0); | |
4ccda2cd | 734 | else |
8572b8e2 TM |
735 | new = rpcauth_bind_new_cred(task, lookupflags); |
736 | if (IS_ERR(new)) | |
737 | return PTR_ERR(new); | |
9a8f6b5e | 738 | put_rpccred(req->rq_cred); |
a17c2153 | 739 | req->rq_cred = new; |
8572b8e2 | 740 | return 0; |
1da177e4 LT |
741 | } |
742 | ||
743 | void | |
744 | put_rpccred(struct rpc_cred *cred) | |
745 | { | |
9a8f6b5e TM |
746 | if (cred == NULL) |
747 | return; | |
95cd6232 | 748 | rcu_read_lock(); |
79b18181 | 749 | if (refcount_dec_and_test(&cred->cr_count)) |
95cd6232 | 750 | goto destroy; |
79b18181 | 751 | if (refcount_read(&cred->cr_count) != 1 || |
95cd6232 TM |
752 | !test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)) |
753 | goto out; | |
754 | if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) { | |
755 | cred->cr_expire = jiffies; | |
756 | rpcauth_lru_add(cred); | |
757 | /* Race breaker */ | |
758 | if (unlikely(!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))) | |
759 | rpcauth_lru_remove(cred); | |
760 | } else if (rpcauth_unhash_cred(cred)) { | |
761 | rpcauth_lru_remove(cred); | |
79b18181 | 762 | if (refcount_dec_and_test(&cred->cr_count)) |
95cd6232 | 763 | goto destroy; |
e092bdcd | 764 | } |
95cd6232 TM |
765 | out: |
766 | rcu_read_unlock(); | |
f0380f3d | 767 | return; |
95cd6232 TM |
768 | destroy: |
769 | rcu_read_unlock(); | |
770 | cred->cr_ops->crdestroy(cred); | |
1da177e4 | 771 | } |
e8914c65 | 772 | EXPORT_SYMBOL_GPL(put_rpccred); |
1da177e4 | 773 | |
d8ed029d AD |
774 | __be32 * |
775 | rpcauth_marshcred(struct rpc_task *task, __be32 *p) | |
1da177e4 | 776 | { |
a17c2153 | 777 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
1da177e4 | 778 | |
46121cf7 | 779 | dprintk("RPC: %5u marshaling %s cred %p\n", |
1be27f36 | 780 | task->tk_pid, cred->cr_auth->au_ops->au_name, cred); |
0bbacc40 | 781 | |
1da177e4 LT |
782 | return cred->cr_ops->crmarshal(task, p); |
783 | } | |
784 | ||
d8ed029d AD |
785 | __be32 * |
786 | rpcauth_checkverf(struct rpc_task *task, __be32 *p) | |
1da177e4 | 787 | { |
a17c2153 | 788 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
1da177e4 | 789 | |
46121cf7 | 790 | dprintk("RPC: %5u validating %s cred %p\n", |
1be27f36 | 791 | task->tk_pid, cred->cr_auth->au_ops->au_name, cred); |
0bbacc40 | 792 | |
1da177e4 LT |
793 | return cred->cr_ops->crvalidate(task, p); |
794 | } | |
795 | ||
9f06c719 CL |
796 | static void rpcauth_wrap_req_encode(kxdreproc_t encode, struct rpc_rqst *rqstp, |
797 | __be32 *data, void *obj) | |
798 | { | |
799 | struct xdr_stream xdr; | |
800 | ||
801 | xdr_init_encode(&xdr, &rqstp->rq_snd_buf, data); | |
802 | encode(rqstp, &xdr, obj); | |
803 | } | |
804 | ||
1da177e4 | 805 | int |
9f06c719 | 806 | rpcauth_wrap_req(struct rpc_task *task, kxdreproc_t encode, void *rqstp, |
d8ed029d | 807 | __be32 *data, void *obj) |
1da177e4 | 808 | { |
a17c2153 | 809 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
1da177e4 | 810 | |
46121cf7 | 811 | dprintk("RPC: %5u using %s cred %p to wrap rpc data\n", |
1da177e4 LT |
812 | task->tk_pid, cred->cr_ops->cr_name, cred); |
813 | if (cred->cr_ops->crwrap_req) | |
814 | return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); | |
815 | /* By default, we encode the arguments normally. */ | |
9f06c719 CL |
816 | rpcauth_wrap_req_encode(encode, rqstp, data, obj); |
817 | return 0; | |
1da177e4 LT |
818 | } |
819 | ||
bf269551 CL |
820 | static int |
821 | rpcauth_unwrap_req_decode(kxdrdproc_t decode, struct rpc_rqst *rqstp, | |
822 | __be32 *data, void *obj) | |
823 | { | |
824 | struct xdr_stream xdr; | |
825 | ||
826 | xdr_init_decode(&xdr, &rqstp->rq_rcv_buf, data); | |
827 | return decode(rqstp, &xdr, obj); | |
828 | } | |
829 | ||
1da177e4 | 830 | int |
bf269551 | 831 | rpcauth_unwrap_resp(struct rpc_task *task, kxdrdproc_t decode, void *rqstp, |
d8ed029d | 832 | __be32 *data, void *obj) |
1da177e4 | 833 | { |
a17c2153 | 834 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
1da177e4 | 835 | |
46121cf7 | 836 | dprintk("RPC: %5u using %s cred %p to unwrap rpc data\n", |
1da177e4 LT |
837 | task->tk_pid, cred->cr_ops->cr_name, cred); |
838 | if (cred->cr_ops->crunwrap_resp) | |
839 | return cred->cr_ops->crunwrap_resp(task, decode, rqstp, | |
840 | data, obj); | |
841 | /* By default, we decode the arguments normally. */ | |
bf269551 | 842 | return rpcauth_unwrap_req_decode(decode, rqstp, data, obj); |
1da177e4 LT |
843 | } |
844 | ||
3021a5bb TM |
845 | bool |
846 | rpcauth_xmit_need_reencode(struct rpc_task *task) | |
847 | { | |
848 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; | |
849 | ||
850 | if (!cred || !cred->cr_ops->crneed_reencode) | |
851 | return false; | |
852 | return cred->cr_ops->crneed_reencode(task); | |
853 | } | |
854 | ||
1da177e4 LT |
855 | int |
856 | rpcauth_refreshcred(struct rpc_task *task) | |
857 | { | |
9a84d380 | 858 | struct rpc_cred *cred; |
1da177e4 LT |
859 | int err; |
860 | ||
a17c2153 TM |
861 | cred = task->tk_rqstp->rq_cred; |
862 | if (cred == NULL) { | |
863 | err = rpcauth_bindcred(task, task->tk_msg.rpc_cred, task->tk_flags); | |
864 | if (err < 0) | |
865 | goto out; | |
866 | cred = task->tk_rqstp->rq_cred; | |
f81c6224 | 867 | } |
46121cf7 | 868 | dprintk("RPC: %5u refreshing %s cred %p\n", |
1be27f36 | 869 | task->tk_pid, cred->cr_auth->au_ops->au_name, cred); |
0bbacc40 | 870 | |
1da177e4 | 871 | err = cred->cr_ops->crrefresh(task); |
a17c2153 | 872 | out: |
1da177e4 LT |
873 | if (err < 0) |
874 | task->tk_status = err; | |
875 | return err; | |
876 | } | |
877 | ||
878 | void | |
879 | rpcauth_invalcred(struct rpc_task *task) | |
880 | { | |
a17c2153 | 881 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
fc432dd9 | 882 | |
46121cf7 | 883 | dprintk("RPC: %5u invalidating %s cred %p\n", |
1be27f36 | 884 | task->tk_pid, cred->cr_auth->au_ops->au_name, cred); |
fc432dd9 TM |
885 | if (cred) |
886 | clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); | |
1da177e4 LT |
887 | } |
888 | ||
889 | int | |
890 | rpcauth_uptodatecred(struct rpc_task *task) | |
891 | { | |
a17c2153 | 892 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
fc432dd9 TM |
893 | |
894 | return cred == NULL || | |
895 | test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0; | |
1da177e4 | 896 | } |
f5c2187c | 897 | |
8e1f936b | 898 | static struct shrinker rpc_cred_shrinker = { |
70534a73 DC |
899 | .count_objects = rpcauth_cache_shrink_count, |
900 | .scan_objects = rpcauth_cache_shrink_scan, | |
8e1f936b RR |
901 | .seeks = DEFAULT_SEEKS, |
902 | }; | |
f5c2187c | 903 | |
5d8d9a4d | 904 | int __init rpcauth_init_module(void) |
f5c2187c | 905 | { |
5d8d9a4d TM |
906 | int err; |
907 | ||
908 | err = rpc_init_authunix(); | |
909 | if (err < 0) | |
910 | goto out1; | |
2864486b KM |
911 | err = register_shrinker(&rpc_cred_shrinker); |
912 | if (err < 0) | |
89a4f758 | 913 | goto out2; |
5d8d9a4d TM |
914 | return 0; |
915 | out2: | |
916 | rpc_destroy_authunix(); | |
917 | out1: | |
918 | return err; | |
f5c2187c TM |
919 | } |
920 | ||
c135e84a | 921 | void rpcauth_remove_module(void) |
f5c2187c | 922 | { |
5d8d9a4d | 923 | rpc_destroy_authunix(); |
8e1f936b | 924 | unregister_shrinker(&rpc_cred_shrinker); |
f5c2187c | 925 | } |