mirror of
https://github.com/torvalds/linux
synced 2024-07-23 11:39:11 +00:00
![Christian Brauner](/assets/img/avatar_default.png)
Summary ======= This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to implement something like mount -t ext4 --exclusive /dev/sda /B which fails if a superblock for the requested filesystem does already exist: Before this patch ----------------- $ sudo ./move-mount -f xfs -o source=/dev/sda4 /A Requesting filesystem type xfs Mount options requested: source=/dev/sda4 Attaching mount at /A Moving single attached mount Setting key(source) with val(/dev/sda4) $ sudo ./move-mount -f xfs -o source=/dev/sda4 /B Requesting filesystem type xfs Mount options requested: source=/dev/sda4 Attaching mount at /B Moving single attached mount Setting key(source) with val(/dev/sda4) After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL -------------------------------------------------------------------------- $ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A Requesting filesystem type xfs Request exclusive superblock creation Mount options requested: source=/dev/sda4 Attaching mount at /A Moving single attached mount Setting key(source) with val(/dev/sda4) $ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B Requesting filesystem type xfs Request exclusive superblock creation Mount options requested: source=/dev/sda4 Attaching mount at /B Moving single attached mount Setting key(source) with val(/dev/sda4) Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed Details ======= As mentioned on the list (cf. [1]-[3]) mount requests like mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new superblock has been created and mounted or an existing superblock has been reused and a bind-mount has been created. This becomes clear in the following example where two processes create the same mount for the same block device: P1 P2 fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000"); // wins and creates superblock fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...) // finds compatible superblock of P1 // spins until P1 sets SB_BORN and grabs a reference fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...) fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs); move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B") Not just does P2 get a bind-mount but the mount options that P2 requestes are silently ignored. The VFS itself doesn't, can't and shouldn't enforce filesystem specific mount option compatibility. It only enforces incompatibility for read-only <-> read-write transitions: mount -t ext4 /dev/sda /A mount -t ext4 -o ro /dev/sda /B The read-only request will fail with EBUSY as the VFS can't just silently transition a superblock from read-write to read-only or vica versa without risking security issues. To userspace this silent superblock reuse can become a security issue in because there is currently no straightforward way for userspace to know that they did indeed manage to create a new superblock and didn't just reuse an existing one. This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that returns EBUSY if an existing superblock would be reused. Userspace that needs to be sure that it did create a new superblock with the requested mount options can request superblock creation using this command. If the command succeeds they can be sure that they did create a new superblock with the requested mount options. This requires the new mount api. With the old mount api it would be necessary to plumb this through every legacy filesystem's file_system_type->mount() method. If they want this feature they are most welcome to switch to the new mount api. Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on each high-level superblock creation helper: (1) get_tree_nodev() Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and FSCONFIG_CMD_CREATE_EXCL are equivalent. The binderfs or overlayfs filesystems are examples. (4) get_tree_keyed() Finds an existing superblock based on sb->s_fs_info. Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY. The mqueue or nfsd filesystems are examples. (2) get_tree_bdev() This effectively works like get_tree_keyed(). The ext4 or xfs filesystems are examples. (3) get_tree_single() Only one superblock of this filesystem type can ever exist. Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY. The securityfs or configfs filesystems are examples. Note that some single-instance filesystems never destroy the superblock once it has been created during the first mount. For example, if securityfs has been mounted at least onces then the created superblock will never be destroyed again as long as there is still an LSM making use it. Consequently, even if securityfs is unmounted and the superblock seemingly destroyed it really isn't which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting reusing an existing superblock. This is acceptable thugh since special purpose filesystems such as this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway and if they do it's probably to make sure that mount options aren't ignored. Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on filesystems that make use of the low-level sget_fc() helper directly. They're all effectively variants on get_tree_keyed(), get_tree_bdev(), or get_tree_nodev(): (5) mtd_get_sb() Similar logic to get_tree_keyed(). (6) afs_get_tree() Similar logic to get_tree_keyed(). (7) ceph_get_tree() Similar logic to get_tree_keyed(). Already explicitly allows forcing the allocation of a new superblock via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev(). (8) fuse_get_tree_submount() Similar logic to get_tree_nodev(). (9) fuse_get_tree() Forces reuse of existing FUSE superblock. Forces reuse of existing superblock if passed in file refers to an existing FUSE connection. If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd referring to an existing FUSE connections this would cause the superblock reusal to fail. If reusing is the intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified. (10) fuse_get_tree() -> get_tree_nodev() Same logic as in get_tree_nodev(). (11) fuse_get_tree() -> get_tree_bdev() Same logic as in get_tree_bdev(). (12) virtio_fs_get_tree() Same logic as get_tree_keyed(). (13) gfs2_meta_get_tree() Forces reuse of existing gfs2 superblock. Mounting gfs2meta enforces that a gf2s superblock must already exist. If not, it will error out. Consequently, mounting gfs2meta with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified. (14) kernfs_get_tree() Similar logic to get_tree_keyed(). (15) nfs_get_tree_common() Similar logic to get_tree_keyed(). Already explicitly allows forcing the allocation of a new superblock via NFS_MOUNT_UNSHARED. This effectively turns it into get_tree_nodev(). Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner Reviewed-by: Josef Bacik <josef@toxicpanda.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Aleksa Sarai <cyphar@cyphar.com> Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org>
720 lines
18 KiB
C
720 lines
18 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Provide a way to create a superblock configuration context within the kernel
|
|
* that allows a superblock to be set up prior to mounting.
|
|
*
|
|
* Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
#include <linux/module.h>
|
|
#include <linux/fs_context.h>
|
|
#include <linux/fs_parser.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/magic.h>
|
|
#include <linux/security.h>
|
|
#include <linux/mnt_namespace.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/user_namespace.h>
|
|
#include <net/net_namespace.h>
|
|
#include <asm/sections.h>
|
|
#include "mount.h"
|
|
#include "internal.h"
|
|
|
|
enum legacy_fs_param {
|
|
LEGACY_FS_UNSET_PARAMS,
|
|
LEGACY_FS_MONOLITHIC_PARAMS,
|
|
LEGACY_FS_INDIVIDUAL_PARAMS,
|
|
};
|
|
|
|
struct legacy_fs_context {
|
|
char *legacy_data; /* Data page for legacy filesystems */
|
|
size_t data_size;
|
|
enum legacy_fs_param param_type;
|
|
};
|
|
|
|
static int legacy_init_fs_context(struct fs_context *fc);
|
|
|
|
static const struct constant_table common_set_sb_flag[] = {
|
|
{ "dirsync", SB_DIRSYNC },
|
|
{ "lazytime", SB_LAZYTIME },
|
|
{ "mand", SB_MANDLOCK },
|
|
{ "ro", SB_RDONLY },
|
|
{ "sync", SB_SYNCHRONOUS },
|
|
{ },
|
|
};
|
|
|
|
static const struct constant_table common_clear_sb_flag[] = {
|
|
{ "async", SB_SYNCHRONOUS },
|
|
{ "nolazytime", SB_LAZYTIME },
|
|
{ "nomand", SB_MANDLOCK },
|
|
{ "rw", SB_RDONLY },
|
|
{ },
|
|
};
|
|
|
|
/*
|
|
* Check for a common mount option that manipulates s_flags.
|
|
*/
|
|
static int vfs_parse_sb_flag(struct fs_context *fc, const char *key)
|
|
{
|
|
unsigned int token;
|
|
|
|
token = lookup_constant(common_set_sb_flag, key, 0);
|
|
if (token) {
|
|
fc->sb_flags |= token;
|
|
fc->sb_flags_mask |= token;
|
|
return 0;
|
|
}
|
|
|
|
token = lookup_constant(common_clear_sb_flag, key, 0);
|
|
if (token) {
|
|
fc->sb_flags &= ~token;
|
|
fc->sb_flags_mask |= token;
|
|
return 0;
|
|
}
|
|
|
|
return -ENOPARAM;
|
|
}
|
|
|
|
/**
|
|
* vfs_parse_fs_param_source - Handle setting "source" via parameter
|
|
* @fc: The filesystem context to modify
|
|
* @param: The parameter
|
|
*
|
|
* This is a simple helper for filesystems to verify that the "source" they
|
|
* accept is sane.
|
|
*
|
|
* Returns 0 on success, -ENOPARAM if this is not "source" parameter, and
|
|
* -EINVAL otherwise. In the event of failure, supplementary error information
|
|
* is logged.
|
|
*/
|
|
int vfs_parse_fs_param_source(struct fs_context *fc, struct fs_parameter *param)
|
|
{
|
|
if (strcmp(param->key, "source") != 0)
|
|
return -ENOPARAM;
|
|
|
|
if (param->type != fs_value_is_string)
|
|
return invalf(fc, "Non-string source");
|
|
|
|
if (fc->source)
|
|
return invalf(fc, "Multiple sources");
|
|
|
|
fc->source = param->string;
|
|
param->string = NULL;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(vfs_parse_fs_param_source);
|
|
|
|
/**
|
|
* vfs_parse_fs_param - Add a single parameter to a superblock config
|
|
* @fc: The filesystem context to modify
|
|
* @param: The parameter
|
|
*
|
|
* A single mount option in string form is applied to the filesystem context
|
|
* being set up. Certain standard options (for example "ro") are translated
|
|
* into flag bits without going to the filesystem. The active security module
|
|
* is allowed to observe and poach options. Any other options are passed over
|
|
* to the filesystem to parse.
|
|
*
|
|
* This may be called multiple times for a context.
|
|
*
|
|
* Returns 0 on success and a negative error code on failure. In the event of
|
|
* failure, supplementary error information may have been set.
|
|
*/
|
|
int vfs_parse_fs_param(struct fs_context *fc, struct fs_parameter *param)
|
|
{
|
|
int ret;
|
|
|
|
if (!param->key)
|
|
return invalf(fc, "Unnamed parameter\n");
|
|
|
|
ret = vfs_parse_sb_flag(fc, param->key);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
|
|
ret = security_fs_context_parse_param(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
/* Param belongs to the LSM or is disallowed by the LSM; so
|
|
* don't pass to the FS.
|
|
*/
|
|
return ret;
|
|
|
|
if (fc->ops->parse_param) {
|
|
ret = fc->ops->parse_param(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
}
|
|
|
|
/* If the filesystem doesn't take any arguments, give it the
|
|
* default handling of source.
|
|
*/
|
|
ret = vfs_parse_fs_param_source(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
|
|
return invalf(fc, "%s: Unknown parameter '%s'",
|
|
fc->fs_type->name, param->key);
|
|
}
|
|
EXPORT_SYMBOL(vfs_parse_fs_param);
|
|
|
|
/**
|
|
* vfs_parse_fs_string - Convenience function to just parse a string.
|
|
*/
|
|
int vfs_parse_fs_string(struct fs_context *fc, const char *key,
|
|
const char *value, size_t v_size)
|
|
{
|
|
int ret;
|
|
|
|
struct fs_parameter param = {
|
|
.key = key,
|
|
.type = fs_value_is_flag,
|
|
.size = v_size,
|
|
};
|
|
|
|
if (value) {
|
|
param.string = kmemdup_nul(value, v_size, GFP_KERNEL);
|
|
if (!param.string)
|
|
return -ENOMEM;
|
|
param.type = fs_value_is_string;
|
|
}
|
|
|
|
ret = vfs_parse_fs_param(fc, ¶m);
|
|
kfree(param.string);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(vfs_parse_fs_string);
|
|
|
|
/**
|
|
* generic_parse_monolithic - Parse key[=val][,key[=val]]* mount data
|
|
* @ctx: The superblock configuration to fill in.
|
|
* @data: The data to parse
|
|
*
|
|
* Parse a blob of data that's in key[=val][,key[=val]]* form. This can be
|
|
* called from the ->monolithic_mount_data() fs_context operation.
|
|
*
|
|
* Returns 0 on success or the error returned by the ->parse_option() fs_context
|
|
* operation on failure.
|
|
*/
|
|
int generic_parse_monolithic(struct fs_context *fc, void *data)
|
|
{
|
|
char *options = data, *key;
|
|
int ret = 0;
|
|
|
|
if (!options)
|
|
return 0;
|
|
|
|
ret = security_sb_eat_lsm_opts(options, &fc->security);
|
|
if (ret)
|
|
return ret;
|
|
|
|
while ((key = strsep(&options, ",")) != NULL) {
|
|
if (*key) {
|
|
size_t v_len = 0;
|
|
char *value = strchr(key, '=');
|
|
|
|
if (value) {
|
|
if (value == key)
|
|
continue;
|
|
*value++ = 0;
|
|
v_len = strlen(value);
|
|
}
|
|
ret = vfs_parse_fs_string(fc, key, value, v_len);
|
|
if (ret < 0)
|
|
break;
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(generic_parse_monolithic);
|
|
|
|
/**
|
|
* alloc_fs_context - Create a filesystem context.
|
|
* @fs_type: The filesystem type.
|
|
* @reference: The dentry from which this one derives (or NULL)
|
|
* @sb_flags: Filesystem/superblock flags (SB_*)
|
|
* @sb_flags_mask: Applicable members of @sb_flags
|
|
* @purpose: The purpose that this configuration shall be used for.
|
|
*
|
|
* Open a filesystem and create a mount context. The mount context is
|
|
* initialised with the supplied flags and, if a submount/automount from
|
|
* another superblock (referred to by @reference) is supplied, may have
|
|
* parameters such as namespaces copied across from that superblock.
|
|
*/
|
|
static struct fs_context *alloc_fs_context(struct file_system_type *fs_type,
|
|
struct dentry *reference,
|
|
unsigned int sb_flags,
|
|
unsigned int sb_flags_mask,
|
|
enum fs_context_purpose purpose)
|
|
{
|
|
int (*init_fs_context)(struct fs_context *);
|
|
struct fs_context *fc;
|
|
int ret = -ENOMEM;
|
|
|
|
fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL_ACCOUNT);
|
|
if (!fc)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
fc->purpose = purpose;
|
|
fc->sb_flags = sb_flags;
|
|
fc->sb_flags_mask = sb_flags_mask;
|
|
fc->fs_type = get_filesystem(fs_type);
|
|
fc->cred = get_current_cred();
|
|
fc->net_ns = get_net(current->nsproxy->net_ns);
|
|
fc->log.prefix = fs_type->name;
|
|
|
|
mutex_init(&fc->uapi_mutex);
|
|
|
|
switch (purpose) {
|
|
case FS_CONTEXT_FOR_MOUNT:
|
|
fc->user_ns = get_user_ns(fc->cred->user_ns);
|
|
break;
|
|
case FS_CONTEXT_FOR_SUBMOUNT:
|
|
fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
|
|
break;
|
|
case FS_CONTEXT_FOR_RECONFIGURE:
|
|
atomic_inc(&reference->d_sb->s_active);
|
|
fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
|
|
fc->root = dget(reference);
|
|
break;
|
|
}
|
|
|
|
/* TODO: Make all filesystems support this unconditionally */
|
|
init_fs_context = fc->fs_type->init_fs_context;
|
|
if (!init_fs_context)
|
|
init_fs_context = legacy_init_fs_context;
|
|
|
|
ret = init_fs_context(fc);
|
|
if (ret < 0)
|
|
goto err_fc;
|
|
fc->need_free = true;
|
|
return fc;
|
|
|
|
err_fc:
|
|
put_fs_context(fc);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
struct fs_context *fs_context_for_mount(struct file_system_type *fs_type,
|
|
unsigned int sb_flags)
|
|
{
|
|
return alloc_fs_context(fs_type, NULL, sb_flags, 0,
|
|
FS_CONTEXT_FOR_MOUNT);
|
|
}
|
|
EXPORT_SYMBOL(fs_context_for_mount);
|
|
|
|
struct fs_context *fs_context_for_reconfigure(struct dentry *dentry,
|
|
unsigned int sb_flags,
|
|
unsigned int sb_flags_mask)
|
|
{
|
|
return alloc_fs_context(dentry->d_sb->s_type, dentry, sb_flags,
|
|
sb_flags_mask, FS_CONTEXT_FOR_RECONFIGURE);
|
|
}
|
|
EXPORT_SYMBOL(fs_context_for_reconfigure);
|
|
|
|
struct fs_context *fs_context_for_submount(struct file_system_type *type,
|
|
struct dentry *reference)
|
|
{
|
|
return alloc_fs_context(type, reference, 0, 0, FS_CONTEXT_FOR_SUBMOUNT);
|
|
}
|
|
EXPORT_SYMBOL(fs_context_for_submount);
|
|
|
|
void fc_drop_locked(struct fs_context *fc)
|
|
{
|
|
struct super_block *sb = fc->root->d_sb;
|
|
dput(fc->root);
|
|
fc->root = NULL;
|
|
deactivate_locked_super(sb);
|
|
}
|
|
|
|
static void legacy_fs_context_free(struct fs_context *fc);
|
|
|
|
/**
|
|
* vfs_dup_fc_config: Duplicate a filesystem context.
|
|
* @src_fc: The context to copy.
|
|
*/
|
|
struct fs_context *vfs_dup_fs_context(struct fs_context *src_fc)
|
|
{
|
|
struct fs_context *fc;
|
|
int ret;
|
|
|
|
if (!src_fc->ops->dup)
|
|
return ERR_PTR(-EOPNOTSUPP);
|
|
|
|
fc = kmemdup(src_fc, sizeof(struct fs_context), GFP_KERNEL);
|
|
if (!fc)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
mutex_init(&fc->uapi_mutex);
|
|
|
|
fc->fs_private = NULL;
|
|
fc->s_fs_info = NULL;
|
|
fc->source = NULL;
|
|
fc->security = NULL;
|
|
get_filesystem(fc->fs_type);
|
|
get_net(fc->net_ns);
|
|
get_user_ns(fc->user_ns);
|
|
get_cred(fc->cred);
|
|
if (fc->log.log)
|
|
refcount_inc(&fc->log.log->usage);
|
|
|
|
/* Can't call put until we've called ->dup */
|
|
ret = fc->ops->dup(fc, src_fc);
|
|
if (ret < 0)
|
|
goto err_fc;
|
|
|
|
ret = security_fs_context_dup(fc, src_fc);
|
|
if (ret < 0)
|
|
goto err_fc;
|
|
return fc;
|
|
|
|
err_fc:
|
|
put_fs_context(fc);
|
|
return ERR_PTR(ret);
|
|
}
|
|
EXPORT_SYMBOL(vfs_dup_fs_context);
|
|
|
|
/**
|
|
* logfc - Log a message to a filesystem context
|
|
* @fc: The filesystem context to log to.
|
|
* @fmt: The format of the buffer.
|
|
*/
|
|
void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, ...)
|
|
{
|
|
va_list va;
|
|
struct va_format vaf = {.fmt = fmt, .va = &va};
|
|
|
|
va_start(va, fmt);
|
|
if (!log) {
|
|
switch (level) {
|
|
case 'w':
|
|
printk(KERN_WARNING "%s%s%pV\n", prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
break;
|
|
case 'e':
|
|
printk(KERN_ERR "%s%s%pV\n", prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
break;
|
|
default:
|
|
printk(KERN_NOTICE "%s%s%pV\n", prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
break;
|
|
}
|
|
} else {
|
|
unsigned int logsize = ARRAY_SIZE(log->buffer);
|
|
u8 index;
|
|
char *q = kasprintf(GFP_KERNEL, "%c %s%s%pV\n", level,
|
|
prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
|
|
index = log->head & (logsize - 1);
|
|
BUILD_BUG_ON(sizeof(log->head) != sizeof(u8) ||
|
|
sizeof(log->tail) != sizeof(u8));
|
|
if ((u8)(log->head - log->tail) == logsize) {
|
|
/* The buffer is full, discard the oldest message */
|
|
if (log->need_free & (1 << index))
|
|
kfree(log->buffer[index]);
|
|
log->tail++;
|
|
}
|
|
|
|
log->buffer[index] = q ? q : "OOM: Can't store error string";
|
|
if (q)
|
|
log->need_free |= 1 << index;
|
|
else
|
|
log->need_free &= ~(1 << index);
|
|
log->head++;
|
|
}
|
|
va_end(va);
|
|
}
|
|
EXPORT_SYMBOL(logfc);
|
|
|
|
/*
|
|
* Free a logging structure.
|
|
*/
|
|
static void put_fc_log(struct fs_context *fc)
|
|
{
|
|
struct fc_log *log = fc->log.log;
|
|
int i;
|
|
|
|
if (log) {
|
|
if (refcount_dec_and_test(&log->usage)) {
|
|
fc->log.log = NULL;
|
|
for (i = 0; i <= 7; i++)
|
|
if (log->need_free & (1 << i))
|
|
kfree(log->buffer[i]);
|
|
kfree(log);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* put_fs_context - Dispose of a superblock configuration context.
|
|
* @fc: The context to dispose of.
|
|
*/
|
|
void put_fs_context(struct fs_context *fc)
|
|
{
|
|
struct super_block *sb;
|
|
|
|
if (fc->root) {
|
|
sb = fc->root->d_sb;
|
|
dput(fc->root);
|
|
fc->root = NULL;
|
|
deactivate_super(sb);
|
|
}
|
|
|
|
if (fc->need_free && fc->ops && fc->ops->free)
|
|
fc->ops->free(fc);
|
|
|
|
security_free_mnt_opts(&fc->security);
|
|
put_net(fc->net_ns);
|
|
put_user_ns(fc->user_ns);
|
|
put_cred(fc->cred);
|
|
put_fc_log(fc);
|
|
put_filesystem(fc->fs_type);
|
|
kfree(fc->source);
|
|
kfree(fc);
|
|
}
|
|
EXPORT_SYMBOL(put_fs_context);
|
|
|
|
/*
|
|
* Free the config for a filesystem that doesn't support fs_context.
|
|
*/
|
|
static void legacy_fs_context_free(struct fs_context *fc)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
|
|
if (ctx) {
|
|
if (ctx->param_type == LEGACY_FS_INDIVIDUAL_PARAMS)
|
|
kfree(ctx->legacy_data);
|
|
kfree(ctx);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Duplicate a legacy config.
|
|
*/
|
|
static int legacy_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)
|
|
{
|
|
struct legacy_fs_context *ctx;
|
|
struct legacy_fs_context *src_ctx = src_fc->fs_private;
|
|
|
|
ctx = kmemdup(src_ctx, sizeof(*src_ctx), GFP_KERNEL);
|
|
if (!ctx)
|
|
return -ENOMEM;
|
|
|
|
if (ctx->param_type == LEGACY_FS_INDIVIDUAL_PARAMS) {
|
|
ctx->legacy_data = kmemdup(src_ctx->legacy_data,
|
|
src_ctx->data_size, GFP_KERNEL);
|
|
if (!ctx->legacy_data) {
|
|
kfree(ctx);
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
|
|
fc->fs_private = ctx;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Add a parameter to a legacy config. We build up a comma-separated list of
|
|
* options.
|
|
*/
|
|
static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
unsigned int size = ctx->data_size;
|
|
size_t len = 0;
|
|
int ret;
|
|
|
|
ret = vfs_parse_fs_param_source(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
|
|
if (ctx->param_type == LEGACY_FS_MONOLITHIC_PARAMS)
|
|
return invalf(fc, "VFS: Legacy: Can't mix monolithic and individual options");
|
|
|
|
switch (param->type) {
|
|
case fs_value_is_string:
|
|
len = 1 + param->size;
|
|
fallthrough;
|
|
case fs_value_is_flag:
|
|
len += strlen(param->key);
|
|
break;
|
|
default:
|
|
return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
|
|
param->key);
|
|
}
|
|
|
|
if (size + len + 2 > PAGE_SIZE)
|
|
return invalf(fc, "VFS: Legacy: Cumulative options too large");
|
|
if (strchr(param->key, ',') ||
|
|
(param->type == fs_value_is_string &&
|
|
memchr(param->string, ',', param->size)))
|
|
return invalf(fc, "VFS: Legacy: Option '%s' contained comma",
|
|
param->key);
|
|
if (!ctx->legacy_data) {
|
|
ctx->legacy_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
|
|
if (!ctx->legacy_data)
|
|
return -ENOMEM;
|
|
}
|
|
|
|
if (size)
|
|
ctx->legacy_data[size++] = ',';
|
|
len = strlen(param->key);
|
|
memcpy(ctx->legacy_data + size, param->key, len);
|
|
size += len;
|
|
if (param->type == fs_value_is_string) {
|
|
ctx->legacy_data[size++] = '=';
|
|
memcpy(ctx->legacy_data + size, param->string, param->size);
|
|
size += param->size;
|
|
}
|
|
ctx->legacy_data[size] = '\0';
|
|
ctx->data_size = size;
|
|
ctx->param_type = LEGACY_FS_INDIVIDUAL_PARAMS;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Add monolithic mount data.
|
|
*/
|
|
static int legacy_parse_monolithic(struct fs_context *fc, void *data)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
|
|
if (ctx->param_type != LEGACY_FS_UNSET_PARAMS) {
|
|
pr_warn("VFS: Can't mix monolithic and individual options\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
ctx->legacy_data = data;
|
|
ctx->param_type = LEGACY_FS_MONOLITHIC_PARAMS;
|
|
if (!ctx->legacy_data)
|
|
return 0;
|
|
|
|
if (fc->fs_type->fs_flags & FS_BINARY_MOUNTDATA)
|
|
return 0;
|
|
return security_sb_eat_lsm_opts(ctx->legacy_data, &fc->security);
|
|
}
|
|
|
|
/*
|
|
* Get a mountable root with the legacy mount command.
|
|
*/
|
|
static int legacy_get_tree(struct fs_context *fc)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
struct super_block *sb;
|
|
struct dentry *root;
|
|
|
|
root = fc->fs_type->mount(fc->fs_type, fc->sb_flags,
|
|
fc->source, ctx->legacy_data);
|
|
if (IS_ERR(root))
|
|
return PTR_ERR(root);
|
|
|
|
sb = root->d_sb;
|
|
BUG_ON(!sb);
|
|
|
|
fc->root = root;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Handle remount.
|
|
*/
|
|
static int legacy_reconfigure(struct fs_context *fc)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
struct super_block *sb = fc->root->d_sb;
|
|
|
|
if (!sb->s_op->remount_fs)
|
|
return 0;
|
|
|
|
return sb->s_op->remount_fs(sb, &fc->sb_flags,
|
|
ctx ? ctx->legacy_data : NULL);
|
|
}
|
|
|
|
const struct fs_context_operations legacy_fs_context_ops = {
|
|
.free = legacy_fs_context_free,
|
|
.dup = legacy_fs_context_dup,
|
|
.parse_param = legacy_parse_param,
|
|
.parse_monolithic = legacy_parse_monolithic,
|
|
.get_tree = legacy_get_tree,
|
|
.reconfigure = legacy_reconfigure,
|
|
};
|
|
|
|
/*
|
|
* Initialise a legacy context for a filesystem that doesn't support
|
|
* fs_context.
|
|
*/
|
|
static int legacy_init_fs_context(struct fs_context *fc)
|
|
{
|
|
fc->fs_private = kzalloc(sizeof(struct legacy_fs_context), GFP_KERNEL_ACCOUNT);
|
|
if (!fc->fs_private)
|
|
return -ENOMEM;
|
|
fc->ops = &legacy_fs_context_ops;
|
|
return 0;
|
|
}
|
|
|
|
int parse_monolithic_mount_data(struct fs_context *fc, void *data)
|
|
{
|
|
int (*monolithic_mount_data)(struct fs_context *, void *);
|
|
|
|
monolithic_mount_data = fc->ops->parse_monolithic;
|
|
if (!monolithic_mount_data)
|
|
monolithic_mount_data = generic_parse_monolithic;
|
|
|
|
return monolithic_mount_data(fc, data);
|
|
}
|
|
|
|
/*
|
|
* Clean up a context after performing an action on it and put it into a state
|
|
* from where it can be used to reconfigure a superblock.
|
|
*
|
|
* Note that here we do only the parts that can't fail; the rest is in
|
|
* finish_clean_context() below and in between those fs_context is marked
|
|
* FS_CONTEXT_AWAITING_RECONF. The reason for splitup is that after
|
|
* successful mount or remount we need to report success to userland.
|
|
* Trying to do full reinit (for the sake of possible subsequent remount)
|
|
* and failing to allocate memory would've put us into a nasty situation.
|
|
* So here we only discard the old state and reinitialization is left
|
|
* until we actually try to reconfigure.
|
|
*/
|
|
void vfs_clean_context(struct fs_context *fc)
|
|
{
|
|
if (fc->need_free && fc->ops && fc->ops->free)
|
|
fc->ops->free(fc);
|
|
fc->need_free = false;
|
|
fc->fs_private = NULL;
|
|
fc->s_fs_info = NULL;
|
|
fc->sb_flags = 0;
|
|
security_free_mnt_opts(&fc->security);
|
|
kfree(fc->source);
|
|
fc->source = NULL;
|
|
fc->exclusive = false;
|
|
|
|
fc->purpose = FS_CONTEXT_FOR_RECONFIGURE;
|
|
fc->phase = FS_CONTEXT_AWAITING_RECONF;
|
|
}
|
|
|
|
int finish_clean_context(struct fs_context *fc)
|
|
{
|
|
int error;
|
|
|
|
if (fc->phase != FS_CONTEXT_AWAITING_RECONF)
|
|
return 0;
|
|
|
|
if (fc->fs_type->init_fs_context)
|
|
error = fc->fs_type->init_fs_context(fc);
|
|
else
|
|
error = legacy_init_fs_context(fc);
|
|
if (unlikely(error)) {
|
|
fc->phase = FS_CONTEXT_FAILED;
|
|
return error;
|
|
}
|
|
fc->need_free = true;
|
|
fc->phase = FS_CONTEXT_RECONF_PARAMS;
|
|
return 0;
|
|
}
|