From patchwork Fri Oct 11 09:00:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 13832255 Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2E18D804; Fri, 11 Oct 2024 09:00:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728637233; cv=none; b=T9KeiJjSIqzU/Kfl8AyodjzIWIGJkNzfwjKfuUb9YzBbrM+TGEb2eOXMu5YchlcfnJcoAiRaPrugDXlBvA2xVUl9dES6lSdJ1D/2FWnteheEgjIUAzOJWTxO8e/26d3r5AnzaTkWjAi3Pv+z4RjnlkQiOK+0dmteN2L25CXv8AY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728637233; c=relaxed/simple; bh=JPQLgql+RewUOKYyXw1fBtRDmH8dVTiO78IMH0ukFnY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=t8iSC+YBxczgReuslzdi9TVlGRySrvS2ueYR7+IfIdiBfAe17RBaM2MhKmMwpY8g/w+o7bYVf8hAckKrN16+jmZbnmykqKM1Xem2zcgC5yt5TmbwD4i8f+/U5z4Gi8Bop62zrwVzp4Hk82N2PVrHLf4+qnVgrY/j6PhY5Z6k+ys= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=JXK0fKli; arc=none smtp.client-ip=209.85.167.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="JXK0fKli" Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-5399041167cso2869528e87.0; Fri, 11 Oct 2024 02:00:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728637229; x=1729242029; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Bvq4+KTpN68zt7ADgZnnr5hR6veztOtGJTyaDh5q59g=; b=JXK0fKli7IFhg46bA5aRQMgvwBVNYMKqitquYISJzpKc3Vc8iJhR+aDWcoRdD2zaGH lSpnlcBm8xS9prIbVOKpEPCOcdTFsMzIBfiV3Kh4g2/Lp0p04SxUUIqSApuKbe/YfAP3 1JHF0r1f6btuWMXGi2fB9abD7hSRBmGzaXoXSmMOAHDgfJ5EWrt7k4jgMswRYhj5kcRE +TjstsSmHZdciDhPHNwj+lxAF317xG/YePU0haYVml3HAUizmBJARCv0flDMKb8e2B7b WDLGBKc3WDlZUdwVVa/k3bqy5u9F4AH2JPRWt0QQeA+BIS8IR7UmVqhelPakKJ/R/I+z s/Mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728637229; x=1729242029; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Bvq4+KTpN68zt7ADgZnnr5hR6veztOtGJTyaDh5q59g=; b=RvoGdddA31MeGkK3f7iJd+Dk0I0Q4H6fmm8c/YLz48VoSi0ZQU5xab/AO4lhbfn5ym QYc+FEJ4Bus8nSyN0I8ZzVoK5k8IumUluK1DRAa+Me8Bf3FMwCitwmEMWT9vuULRQ6HE ataIKoQDfp8LNPCliktrOjPyBM8gztVYq6ABR7g+CWoHDgIA5zUL2MekUUAwMsGOQJ5Z 5HAfxFmT/gIkTzRxQE6osemJhJK7cTOksMETnVxLAvFIrjE8Iaet3OISbU2ELO4o8+iL YZ08uyVk7vp3Rts8bhtcqyu1SukVN4yrwNFA2YQ7xA1yMyx0LIAdicbWJMO14qa/xfvY ConA== X-Forwarded-Encrypted: i=1; AJvYcCWAEEpdSrzKB8qumA33ZjHan5+7bevvIOIOb5msiffcxStyopAkdvWDR6waZ+SwbJ7yHQ7MqpUgX9Qs@vger.kernel.org, AJvYcCX3dtr05n2id3xXZX5qFxlRpCs0nogp7coj5lvzTxgAHXmBGtHoGFk5xTCqB+ZvXlaC6oPMSZ6dNuQIWU16@vger.kernel.org X-Gm-Message-State: AOJu0YxULuV6++6MrQDoT1z97wChk2z5oTIWWW4DzOsEOd0ug/bf38GM J7jE47ecobBiRv+6JyB3ugH4UEPkkLQd+dZRlT6tJ8ebbCLuJ63T X-Google-Smtp-Source: AGHT+IFb2R3dYIF+F9C4oVm2uhHOlhQm3wdZG/PTMeOyXYEwMR+toxwpFxXCGgigyFtBrZ4kj5TQZw== X-Received: by 2002:a05:6512:3196:b0:539:a353:279b with SMTP id 2adb3069b0e04-539da3b1ec8mr1339843e87.9.1728637228672; Fri, 11 Oct 2024 02:00:28 -0700 (PDT) Received: from amir-ThinkPad-T480.arnhem.chello.nl (92-109-99-123.cable.dynamic.v4.ziggo.nl. [92.109.99.123]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a99a7ec5697sm189606066b.22.2024.10.11.02.00.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Oct 2024 02:00:28 -0700 (PDT) From: Amir Goldstein To: Christian Brauner Cc: Jeff Layton , Jan Kara , Aleksa Sarai , Chuck Lever , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v4 1/3] fs: prepare for "explicit connectable" file handles Date: Fri, 11 Oct 2024 11:00:21 +0200 Message-Id: <20241011090023.655623-2-amir73il@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241011090023.655623-1-amir73il@gmail.com> References: <20241011090023.655623-1-amir73il@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 We would like to use the high 16bit of the handle_type field to encode file handle traits, such as "connectable". In preparation for this change, make sure that filesystems do not return a handle_type value with upper bits set and that the open_by_handle_at(2) syscall rejects these handle types. Signed-off-by: Amir Goldstein Reviewed-by: Jan Kara --- fs/exportfs/expfs.c | 17 +++++++++++++++-- fs/fhandle.c | 7 +++++++ include/linux/exportfs.h | 11 +++++++++++ 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c index 4f2dd4ab4486..0c899cfba578 100644 --- a/fs/exportfs/expfs.c +++ b/fs/exportfs/expfs.c @@ -382,14 +382,24 @@ int exportfs_encode_inode_fh(struct inode *inode, struct fid *fid, int *max_len, struct inode *parent, int flags) { const struct export_operations *nop = inode->i_sb->s_export_op; + enum fid_type type; if (!exportfs_can_encode_fh(nop, flags)) return -EOPNOTSUPP; if (!nop && (flags & EXPORT_FH_FID)) - return exportfs_encode_ino64_fid(inode, fid, max_len); + type = exportfs_encode_ino64_fid(inode, fid, max_len); + else + type = nop->encode_fh(inode, fid->raw, max_len, parent); + + if (type > 0 && FILEID_USER_FLAGS(type)) { + pr_warn_once("%s: unexpected fh type value 0x%x from fstype %s.\n", + __func__, type, inode->i_sb->s_type->name); + return -EINVAL; + } + + return type; - return nop->encode_fh(inode, fid->raw, max_len, parent); } EXPORT_SYMBOL_GPL(exportfs_encode_inode_fh); @@ -436,6 +446,9 @@ exportfs_decode_fh_raw(struct vfsmount *mnt, struct fid *fid, int fh_len, char nbuf[NAME_MAX+1]; int err; + if (fileid_type < 0 || FILEID_USER_FLAGS(fileid_type)) + return ERR_PTR(-EINVAL); + /* * Try to get any dentry for the given file handle from the filesystem. */ diff --git a/fs/fhandle.c b/fs/fhandle.c index 82df28d45cd7..218511f38cbb 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -307,6 +307,11 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, retval = -EINVAL; goto out_path; } + if (f_handle.handle_type < 0 || + FILEID_USER_FLAGS(f_handle.handle_type) & ~FILEID_VALID_USER_FLAGS) { + retval = -EINVAL; + goto out_path; + } handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes), GFP_KERNEL); if (!handle) { @@ -322,6 +327,8 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, goto out_handle; } + /* Filesystem code should not be exposed to user flags */ + handle->handle_type &= ~FILEID_USER_FLAGS_MASK; retval = do_handle_to_path(handle, path, &ctx); out_handle: diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h index 893a1d21dc1c..5e14d4500a75 100644 --- a/include/linux/exportfs.h +++ b/include/linux/exportfs.h @@ -160,6 +160,17 @@ struct fid { #define EXPORT_FH_FID 0x2 /* File handle may be non-decodeable */ #define EXPORT_FH_DIR_ONLY 0x4 /* Only decode file handle for a directory */ +/* + * Filesystems use only lower 8 bits of file_handle type for fid_type. + * name_to_handle_at() uses upper 16 bits of type as user flags to be + * interpreted by open_by_handle_at(). + */ +#define FILEID_USER_FLAGS_MASK 0xffff0000 +#define FILEID_USER_FLAGS(type) ((type) & FILEID_USER_FLAGS_MASK) + +/* Flags supported in encoded handle_type that is exported to user */ +#define FILEID_VALID_USER_FLAGS (0) + /** * struct export_operations - for nfsd to communicate with file systems * @encode_fh: encode a file handle fragment from a dentry From patchwork Fri Oct 11 09:00:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 13832256 Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com [209.85.208.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B216620B1E6; Fri, 11 Oct 2024 09:00:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728637233; cv=none; b=OBxqW9FBDve7QBzEr57Jl1VUZc3woNBmoWAxSXF5LTHZr9RJag0OBAkK7xUlNth3z36vxlNIqSWSuCzLRoetyd25aeVuok/upqoMs60KEIuXRxmZ6YpUn9rlzbcYffEQ5yEOTAIT/4miAuRQQnXjTFGj4MBcO6O7hk4AntKnDSg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728637233; c=relaxed/simple; bh=Nax2AtUdXVVk99rKmk0WjhWoAiQmsaXVkwNsUcPGNxk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=BsDhmTZKnroC0EbzdhQaz7ymqEdesgfBTCuSs4T+/FIzVTxcv32LgMvxfNXAwVQ7WwSjh63Ea8ROOMyUohqKCKh97zbJVW3TWD0jPzK5DduFd1hkFj4pjAYOmPb8ZWz/uGEM2Rc6Q1Lh2Y4tcjJ+Lw3KO/UEmyyloQwEeyL6slY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=MZHFh+RQ; arc=none smtp.client-ip=209.85.208.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="MZHFh+RQ" Received: by mail-ed1-f43.google.com with SMTP id 4fb4d7f45d1cf-5c42f406e29so2126845a12.2; Fri, 11 Oct 2024 02:00:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728637230; x=1729242030; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Mlo3ULNgO8c4NC/nfO/Vuar4ajtr+hLPgASSMxV2JcI=; b=MZHFh+RQlbbsOwZgcwpYcHyNtYg3YB8DfL/Jc9gS+4gGZa7NmTDNxvLfDPLIVgO3bh ePbbAzwqcaValYiMYwA7V505lLuXq31jI1KU55dk7fhGBiGk8ndMH2tyL2D5Nmxquzes eG6lLbLgLBmoDVBlrnvTwMHG2CVEZywgkoVUIlm0H4H9OzzVpcKPBeE6MfwafzTcv6lV pk2thmQtDa8UOwbo5se+kwWqBSI3A/kZb9VXDLiYG7gcgzPUMeGIJTgAOPD1im2iwATF rClTjzbhCG2Yx9ufh0pJ5B/cLlSyfINxvr+zg1IjBRuIwTTkKTnD81TJQB/wgbEcjb/4 md5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728637230; x=1729242030; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Mlo3ULNgO8c4NC/nfO/Vuar4ajtr+hLPgASSMxV2JcI=; b=GKqoXPsA3VU1ybRB0Bf3TYhpnI/I/H+MtqfXcqSYheP7oj4tP2VR+jC02G6P5OlOPO tWwlfFZp7cOYH4KO7beqc/QxhnPm9GHldaX3Uml4WshPpMdKv+/dJFfrccqYHkhYjmed ZC1oZEQfIiYV0HRjBmfjaHVE3mLyzTeKEAAbOHRjd3ya4b2BQvktcqxw6Oa1AXrd+8Zk jSFCCAD/+I1D1DZP8uXCc9VttkuQDDKwRPO4TNatrKtlxLZIWmfFDcjrnEOdR9jJ39cf KnasJnPBm7bQcqL5nGzc6axyGPNrusGcT1JtFHqa2dAEBpgAehV5sYCWl/NkOzIVbG3k mivA== X-Forwarded-Encrypted: i=1; AJvYcCU8E3a8rls8NJqE3rc63FYzOyR1odhmi04zgK/c28eXG2FqQcVuaiVZ2y6sOvVm0AwctlPYr3EMNCXqwp1r@vger.kernel.org, AJvYcCXxIBGMxDgxyUzAqk1T0v3i0l21P6qM4/ihpF/s8y9MQ52Wg6rvEPiTQFuivc6jQ1FT/whbdg7zafFD@vger.kernel.org X-Gm-Message-State: AOJu0YzEmW8MMEr58DCmhssSHMwT1rs+P/AXaLjFgqq/3yNa3XNRyIEk WY5C5H/z0+Q5V8VZI6ruGVetyUa9O/sT4HSn0bEEil2WHMkEahFjf3FdRonP X-Google-Smtp-Source: AGHT+IHGsawZ/k7vNRlJs2vc+Ajbp9uzfZGjsYmtz/VtdCm6gZsrlV8+e/+h0RuzJXMYgZS303tKfQ== X-Received: by 2002:a17:907:948e:b0:a99:451b:38fe with SMTP id a640c23a62f3a-a99b93c8be7mr146498766b.26.1728637229548; Fri, 11 Oct 2024 02:00:29 -0700 (PDT) Received: from amir-ThinkPad-T480.arnhem.chello.nl (92-109-99-123.cable.dynamic.v4.ziggo.nl. [92.109.99.123]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a99a7ec5697sm189606066b.22.2024.10.11.02.00.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Oct 2024 02:00:29 -0700 (PDT) From: Amir Goldstein To: Christian Brauner Cc: Jeff Layton , Jan Kara , Aleksa Sarai , Chuck Lever , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v4 2/3] fs: name_to_handle_at() support for "explicit connectable" file handles Date: Fri, 11 Oct 2024 11:00:22 +0200 Message-Id: <20241011090023.655623-3-amir73il@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241011090023.655623-1-amir73il@gmail.com> References: <20241011090023.655623-1-amir73il@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 nfsd encodes "connectable" file handles for the subtree_check feature, which can be resolved to an open file with a connected path. So far, userspace nfs server could not make use of this functionality. Introduce a new flag AT_HANDLE_CONNECTABLE to name_to_handle_at(2). When used, the encoded file handle is "explicitly connectable". The "explicitly connectable" file handle sets bits in the high 16bit of the handle_type field, so open_by_handle_at(2) will know that it needs to open a file with a connected path. old kernels will now recognize the handle_type with high bits set, so "explicitly connectable" file handles cannot be decoded by open_by_handle_at(2) on old kernels. The flag AT_HANDLE_CONNECTABLE is not allowed together with either AT_HANDLE_FID or AT_EMPTY_PATH. Signed-off-by: Amir Goldstein --- fs/fhandle.c | 48 ++++++++++++++++++++++++++++++++++---- include/linux/exportfs.h | 2 ++ include/uapi/linux/fcntl.h | 1 + 3 files changed, 46 insertions(+), 5 deletions(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index 218511f38cbb..8339a1041025 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -31,6 +31,14 @@ static long do_sys_name_to_handle(const struct path *path, if (!exportfs_can_encode_fh(path->dentry->d_sb->s_export_op, fh_flags)) return -EOPNOTSUPP; + /* + * A request to encode a connectable handle for a disconnected dentry + * is unexpected since AT_EMPTY_PATH is not allowed. + */ + if (fh_flags & EXPORT_FH_CONNECTABLE && + WARN_ON(path->dentry->d_flags & DCACHE_DISCONNECTED)) + return -EINVAL; + if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle))) return -EFAULT; @@ -45,7 +53,7 @@ static long do_sys_name_to_handle(const struct path *path, /* convert handle size to multiple of sizeof(u32) */ handle_dwords = f_handle.handle_bytes >> 2; - /* we ask for a non connectable maybe decodeable file handle */ + /* Encode a possibly decodeable/connectable file handle */ retval = exportfs_encode_fh(path->dentry, (struct fid *)handle->f_handle, &handle_dwords, fh_flags); @@ -67,8 +75,23 @@ static long do_sys_name_to_handle(const struct path *path, * non variable part of the file_handle */ handle_bytes = 0; - } else + } else { + /* + * When asked to encode a connectable file handle, encode this + * property in the file handle itself, so that we later know + * how to decode it. + * For sanity, also encode in the file handle if the encoded + * object is a directory and verify this during decode, because + * decoding directory file handles is quite different than + * decoding connectable non-directory file handles. + */ + if (fh_flags & EXPORT_FH_CONNECTABLE) { + handle->handle_type |= FILEID_IS_CONNECTABLE; + if (d_is_dir(path->dentry)) + fh_flags |= FILEID_IS_DIR; + } retval = 0; + } /* copy the mount id */ if (unique_mntid) { if (put_user(real_mount(path->mnt)->mnt_id_unique, @@ -109,15 +132,30 @@ SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name, { struct path path; int lookup_flags; - int fh_flags; + int fh_flags = 0; int err; if (flag & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH | AT_HANDLE_FID | - AT_HANDLE_MNT_ID_UNIQUE)) + AT_HANDLE_MNT_ID_UNIQUE | AT_HANDLE_CONNECTABLE)) + return -EINVAL; + + /* + * AT_HANDLE_FID means there is no intention to decode file handle + * AT_HANDLE_CONNECTABLE means there is an intention to decode a + * connected fd (with known path), so these flags are conflicting. + * AT_EMPTY_PATH could be used along with a dfd that refers to a + * disconnected non-directory, which cannot be used to encode a + * connectable file handle, because its parent is unknown. + */ + if (flag & AT_HANDLE_CONNECTABLE && + flag & (AT_HANDLE_FID | AT_EMPTY_PATH)) return -EINVAL; + else if (flag & AT_HANDLE_FID) + fh_flags |= EXPORT_FH_FID; + else if (flag & AT_HANDLE_CONNECTABLE) + fh_flags |= EXPORT_FH_CONNECTABLE; lookup_flags = (flag & AT_SYMLINK_FOLLOW) ? LOOKUP_FOLLOW : 0; - fh_flags = (flag & AT_HANDLE_FID) ? EXPORT_FH_FID : 0; if (flag & AT_EMPTY_PATH) lookup_flags |= LOOKUP_EMPTY; err = user_path_at(dfd, name, lookup_flags, &path); diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h index 5e14d4500a75..4ee42b2cf4ab 100644 --- a/include/linux/exportfs.h +++ b/include/linux/exportfs.h @@ -169,6 +169,8 @@ struct fid { #define FILEID_USER_FLAGS(type) ((type) & FILEID_USER_FLAGS_MASK) /* Flags supported in encoded handle_type that is exported to user */ +#define FILEID_IS_CONNECTABLE 0x10000 +#define FILEID_IS_DIR 0x20000 #define FILEID_VALID_USER_FLAGS (0) /** diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 87e2dec79fea..56ff2100e021 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -153,6 +153,7 @@ object identity and may not be usable with open_by_handle_at(2). */ #define AT_HANDLE_MNT_ID_UNIQUE 0x001 /* Return the u64 unique mount ID. */ +#define AT_HANDLE_CONNECTABLE 0x002 /* Request a connectable file handle */ #if defined(__KERNEL__) #define AT_GETATTR_NOSEC 0x80000000 From patchwork Fri Oct 11 09:00:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 13832257 Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D9C081FC8; Fri, 11 Oct 2024 09:00:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728637234; cv=none; b=UMovBfJ9mMubUqQ6pZLknFhjNdlVfFPpVb/uvV35iyX+jgjdfDYLkqxCDAtAfGek03MhhPedt5DAjOMdG1RstyBy0H6ka2/050+P46m4sVwvFFGryPSuEe/Ourt2hpBfot86WiqqmHXehbeNamPvsUNqMTaEVi2uNG9PwXUIojU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728637234; c=relaxed/simple; bh=QfZzpLb04UiSzQ8sv2BVc+rITqtQFDZ0Rag/FVeGwiM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=tsbZCcN4lPUG3q8UT5Wnaqtd7qG4a+X9Ky2oOWn0Z0p7qjs/Lqb5NAwdJsyh9EOjEKTzVPAoghQfYYpp78J2LNzNElaGSbfxnF80Psp2c9ltBzFAO6cSe3/g4H1pcV3iUNLrrUT392jtQNkDiKvEbeum2gLTzOkkeosDgpeFQ1Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=TUizK+Q9; arc=none smtp.client-ip=209.85.167.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="TUizK+Q9" Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-5398b589032so3094075e87.1; Fri, 11 Oct 2024 02:00:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728637231; x=1729242031; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=GPox3TI38Lne0sRREj+Vbmklv8qC3yu1G4Yws0fG520=; b=TUizK+Q9O3YEc4efTVa5FCzfSMwFnFgrQIkx5N7lJRZ2oWhF+4+DSvjwGqtfhuzQPa QWfn6i2U9wW2384BNOR1iZK5xM43QkP+hhPc0ASpHIKCR4nFt2qms+UFc4jMSW34uEXw AwvIWQzoW2WpdzjGUk6DDmmDvw/V4Tii89LIjgH2rUwImDrLivioFhGeflheAeZpyhI7 tjvy0DnXLxtvVJ3nFKaJTct7NvSoOhZwomRMVjLMHL/gDFttvRSeu+annlHf0F96QXUQ RGbcoojYxHnQg9yIRJSB4ZNbl1GTJuMjSvN7xuvoHeDnuKxm/GDPI2ChYaMC+HxKKgxj WwiA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728637231; x=1729242031; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GPox3TI38Lne0sRREj+Vbmklv8qC3yu1G4Yws0fG520=; b=i2uwBE/Cw/1uDiGl5pmeRK3avukA3nOsEbDP3YAnXoJWcQoxcEsq1HtBER/+LU383r GTHaOQRJCVWzlRV6aNQIDeKXpICK1lhlqyBXNKN9JCagDuR/JwOWRU82kjHxP80eYhwB T4xaoBDQvaTHOdDG0QfBVNyikjbFUSCg/KIA2SyJj8dPLzNWDKmP2ux6jhpuJJjsnOtl DFi3l8zmmy9GRHSDNun2KS9qn9Y8xtbvRibBi8wRbayG+hCzw9QU2q7/vWXVsEcCqzrM dsuESEWTWogXt/LD7kiis9qqJvLIOuMie1UjhQQfxnTFwTnKpsU4/BVxhxzWknVe0jGK fuVg== X-Forwarded-Encrypted: i=1; AJvYcCVL2OKz4feM/QomkwTd++UR7I/wwN4n+1XqEDe6+Mu/ajQ5IC8aECEE6YRuqZhGwAX4tBfNo7kGADPx@vger.kernel.org, AJvYcCWFNEsTfFZNRYRK06+h4zaqe7t5yjDhkD61xuNB9UoEuAWR8E/H+9fJ0t+R4UG1DmvCRWBjqs0kEMZPZve1@vger.kernel.org X-Gm-Message-State: AOJu0YxUv9E1Z+IFgKYxSiiiacVclMvp/IuQYqoNV1azFitI7ycFLnqC FbVuNxgAyTMaAoOsCnqlQXmULyx+lcBTqOK+l3thI1vuXMLwMX7t X-Google-Smtp-Source: AGHT+IEm4lBSNsrNMA3CbR0tQ3L9or2EawGWgIb688lSzSFUfMabv/r8mpBBLEKWPInwlWz3JVU0Bw== X-Received: by 2002:a05:6512:15a0:b0:538:9e36:7b6a with SMTP id 2adb3069b0e04-539da4e29e9mr1227183e87.32.1728637230386; Fri, 11 Oct 2024 02:00:30 -0700 (PDT) Received: from amir-ThinkPad-T480.arnhem.chello.nl (92-109-99-123.cable.dynamic.v4.ziggo.nl. [92.109.99.123]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a99a7ec5697sm189606066b.22.2024.10.11.02.00.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Oct 2024 02:00:29 -0700 (PDT) From: Amir Goldstein To: Christian Brauner Cc: Jeff Layton , Jan Kara , Aleksa Sarai , Chuck Lever , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v4 3/3] fs: open_by_handle_at() support for decoding "explicit connectable" file handles Date: Fri, 11 Oct 2024 11:00:23 +0200 Message-Id: <20241011090023.655623-4-amir73il@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241011090023.655623-1-amir73il@gmail.com> References: <20241011090023.655623-1-amir73il@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Teach open_by_handle_at(2) about the type format of "explicit connectable" file handles that were created using the AT_HANDLE_CONNECTABLE flag to name_to_handle_at(2). When decoding an "explicit connectable" file handles, name_to_handle_at(2) should fail if it cannot open a "connected" fd with known path, which is accessible (to capable user) from mount fd path. Note that this does not check if the path is accessible to the calling user, just that it is accessible wrt the mount namesapce, so if there is no "connected" alias, or if parts of the path are hidden in the mount namespace, open_by_handle_at(2) will return -ESTALE. Signed-off-by: Amir Goldstein Reviewed-by: Jeff Layton --- fs/fhandle.c | 20 +++++++++++++++++++- include/linux/exportfs.h | 2 +- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index 8339a1041025..75cfd190cd69 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -246,7 +246,13 @@ static int vfs_dentry_acceptable(void *context, struct dentry *dentry) if (!(ctx->flags & HANDLE_CHECK_SUBTREE) || d == root) retval = 1; - WARN_ON_ONCE(d != root && d != root->d_sb->s_root); + /* + * exportfs_decode_fh_raw() does not call acceptable() callback with + * a disconnected directory dentry, so we should have reached either + * mount fd directory or sb root. + */ + if (ctx->fh_flags & EXPORT_FH_DIR_ONLY) + WARN_ON_ONCE(d != root && d != root->d_sb->s_root); dput(d); return retval; } @@ -350,6 +356,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, retval = -EINVAL; goto out_path; } + handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes), GFP_KERNEL); if (!handle) { @@ -365,6 +372,17 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, goto out_handle; } + /* + * If handle was encoded with AT_HANDLE_CONNECTABLE, verify that we + * are decoding an fd with connected path, which is accessible from + * the mount fd path. + */ + if (f_handle.handle_type & FILEID_IS_CONNECTABLE) { + ctx.fh_flags |= EXPORT_FH_CONNECTABLE; + ctx.flags |= HANDLE_CHECK_SUBTREE; + } + if (f_handle.handle_type & FILEID_IS_DIR) + ctx.fh_flags |= EXPORT_FH_DIR_ONLY; /* Filesystem code should not be exposed to user flags */ handle->handle_type &= ~FILEID_USER_FLAGS_MASK; retval = do_handle_to_path(handle, path, &ctx); diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h index 4ee42b2cf4ab..fcab6ab1d38a 100644 --- a/include/linux/exportfs.h +++ b/include/linux/exportfs.h @@ -171,7 +171,7 @@ struct fid { /* Flags supported in encoded handle_type that is exported to user */ #define FILEID_IS_CONNECTABLE 0x10000 #define FILEID_IS_DIR 0x20000 -#define FILEID_VALID_USER_FLAGS (0) +#define FILEID_VALID_USER_FLAGS (FILEID_IS_CONNECTABLE | FILEID_IS_DIR) /** * struct export_operations - for nfsd to communicate with file systems