mirror of
https://github.com/torvalds/linux
synced 2024-07-23 11:39:11 +00:00
22ed7ecdae
Summary
=======
This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to
implement something like mount -t ext4 --exclusive /dev/sda /B which
fails if a superblock for the requested filesystem does already exist:
Before this patch
-----------------
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /A
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /B
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL
--------------------------------------------------------------------------
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed
Details
=======
As mentioned on the list (cf. [1]-[3]) mount requests like
mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new
superblock has been created and mounted or an existing superblock has
been reused and a bind-mount has been created.
This becomes clear in the following example where two processes create
the same mount for the same block device:
P1 P2
fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000");
// wins and creates superblock
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
// finds compatible superblock of P1
// spins until P1 sets SB_BORN and grabs a reference
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs);
move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B")
Not just does P2 get a bind-mount but the mount options that P2
requestes are silently ignored. The VFS itself doesn't, can't and
shouldn't enforce filesystem specific mount option compatibility. It
only enforces incompatibility for read-only <-> read-write transitions:
mount -t ext4 /dev/sda /A
mount -t ext4 -o ro /dev/sda /B
The read-only request will fail with EBUSY as the VFS can't just
silently transition a superblock from read-write to read-only or vica
versa without risking security issues.
To userspace this silent superblock reuse can become a security issue in
because there is currently no straightforward way for userspace to know
that they did indeed manage to create a new superblock and didn't just
reuse an existing one.
This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that
returns EBUSY if an existing superblock would be reused. Userspace that
needs to be sure that it did create a new superblock with the requested
mount options can request superblock creation using this command. If the
command succeeds they can be sure that they did create a new superblock
with the requested mount options.
This requires the new mount api. With the old mount api it would be
necessary to plumb this through every legacy filesystem's
file_system_type->mount() method. If they want this feature they are
most welcome to switch to the new mount api.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
each high-level superblock creation helper:
(1) get_tree_nodev()
Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and
FSCONFIG_CMD_CREATE_EXCL are equivalent.
The binderfs or overlayfs filesystems are examples.
(4) get_tree_keyed()
Finds an existing superblock based on sb->s_fs_info. Hence,
FSCONFIG_CMD_CREATE would reuse an existing superblock whereas
FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The mqueue or nfsd filesystems are examples.
(2) get_tree_bdev()
This effectively works like get_tree_keyed().
The ext4 or xfs filesystems are examples.
(3) get_tree_single()
Only one superblock of this filesystem type can ever exist.
Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock
whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The securityfs or configfs filesystems are examples.
Note that some single-instance filesystems never destroy the
superblock once it has been created during the first mount. For
example, if securityfs has been mounted at least onces then the
created superblock will never be destroyed again as long as there is
still an LSM making use it. Consequently, even if securityfs is
unmounted and the superblock seemingly destroyed it really isn't
which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting
reusing an existing superblock.
This is acceptable thugh since special purpose filesystems such as
this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway
and if they do it's probably to make sure that mount options aren't
ignored.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
filesystems that make use of the low-level sget_fc() helper directly.
They're all effectively variants on get_tree_keyed(), get_tree_bdev(),
or get_tree_nodev():
(5) mtd_get_sb()
Similar logic to get_tree_keyed().
(6) afs_get_tree()
Similar logic to get_tree_keyed().
(7) ceph_get_tree()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev().
(8) fuse_get_tree_submount()
Similar logic to get_tree_nodev().
(9) fuse_get_tree()
Forces reuse of existing FUSE superblock.
Forces reuse of existing superblock if passed in file refers to an
existing FUSE connection.
If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd
referring to an existing FUSE connections this would cause the
superblock reusal to fail. If reusing is the intent then
FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(10) fuse_get_tree()
-> get_tree_nodev()
Same logic as in get_tree_nodev().
(11) fuse_get_tree()
-> get_tree_bdev()
Same logic as in get_tree_bdev().
(12) virtio_fs_get_tree()
Same logic as get_tree_keyed().
(13) gfs2_meta_get_tree()
Forces reuse of existing gfs2 superblock.
Mounting gfs2meta enforces that a gf2s superblock must already
exist. If not, it will error out. Consequently, mounting gfs2meta
with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the
intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(14) kernfs_get_tree()
Similar logic to get_tree_keyed().
(15) nfs_get_tree_common()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via NFS_MOUNT_UNSHARED. This effectively turns it into
get_tree_nodev().
Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner
Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner
Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
720 lines
18 KiB
C
720 lines
18 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Provide a way to create a superblock configuration context within the kernel
|
|
* that allows a superblock to be set up prior to mounting.
|
|
*
|
|
* Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
#include <linux/module.h>
|
|
#include <linux/fs_context.h>
|
|
#include <linux/fs_parser.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/magic.h>
|
|
#include <linux/security.h>
|
|
#include <linux/mnt_namespace.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/user_namespace.h>
|
|
#include <net/net_namespace.h>
|
|
#include <asm/sections.h>
|
|
#include "mount.h"
|
|
#include "internal.h"
|
|
|
|
enum legacy_fs_param {
|
|
LEGACY_FS_UNSET_PARAMS,
|
|
LEGACY_FS_MONOLITHIC_PARAMS,
|
|
LEGACY_FS_INDIVIDUAL_PARAMS,
|
|
};
|
|
|
|
struct legacy_fs_context {
|
|
char *legacy_data; /* Data page for legacy filesystems */
|
|
size_t data_size;
|
|
enum legacy_fs_param param_type;
|
|
};
|
|
|
|
static int legacy_init_fs_context(struct fs_context *fc);
|
|
|
|
static const struct constant_table common_set_sb_flag[] = {
|
|
{ "dirsync", SB_DIRSYNC },
|
|
{ "lazytime", SB_LAZYTIME },
|
|
{ "mand", SB_MANDLOCK },
|
|
{ "ro", SB_RDONLY },
|
|
{ "sync", SB_SYNCHRONOUS },
|
|
{ },
|
|
};
|
|
|
|
static const struct constant_table common_clear_sb_flag[] = {
|
|
{ "async", SB_SYNCHRONOUS },
|
|
{ "nolazytime", SB_LAZYTIME },
|
|
{ "nomand", SB_MANDLOCK },
|
|
{ "rw", SB_RDONLY },
|
|
{ },
|
|
};
|
|
|
|
/*
|
|
* Check for a common mount option that manipulates s_flags.
|
|
*/
|
|
static int vfs_parse_sb_flag(struct fs_context *fc, const char *key)
|
|
{
|
|
unsigned int token;
|
|
|
|
token = lookup_constant(common_set_sb_flag, key, 0);
|
|
if (token) {
|
|
fc->sb_flags |= token;
|
|
fc->sb_flags_mask |= token;
|
|
return 0;
|
|
}
|
|
|
|
token = lookup_constant(common_clear_sb_flag, key, 0);
|
|
if (token) {
|
|
fc->sb_flags &= ~token;
|
|
fc->sb_flags_mask |= token;
|
|
return 0;
|
|
}
|
|
|
|
return -ENOPARAM;
|
|
}
|
|
|
|
/**
|
|
* vfs_parse_fs_param_source - Handle setting "source" via parameter
|
|
* @fc: The filesystem context to modify
|
|
* @param: The parameter
|
|
*
|
|
* This is a simple helper for filesystems to verify that the "source" they
|
|
* accept is sane.
|
|
*
|
|
* Returns 0 on success, -ENOPARAM if this is not "source" parameter, and
|
|
* -EINVAL otherwise. In the event of failure, supplementary error information
|
|
* is logged.
|
|
*/
|
|
int vfs_parse_fs_param_source(struct fs_context *fc, struct fs_parameter *param)
|
|
{
|
|
if (strcmp(param->key, "source") != 0)
|
|
return -ENOPARAM;
|
|
|
|
if (param->type != fs_value_is_string)
|
|
return invalf(fc, "Non-string source");
|
|
|
|
if (fc->source)
|
|
return invalf(fc, "Multiple sources");
|
|
|
|
fc->source = param->string;
|
|
param->string = NULL;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(vfs_parse_fs_param_source);
|
|
|
|
/**
|
|
* vfs_parse_fs_param - Add a single parameter to a superblock config
|
|
* @fc: The filesystem context to modify
|
|
* @param: The parameter
|
|
*
|
|
* A single mount option in string form is applied to the filesystem context
|
|
* being set up. Certain standard options (for example "ro") are translated
|
|
* into flag bits without going to the filesystem. The active security module
|
|
* is allowed to observe and poach options. Any other options are passed over
|
|
* to the filesystem to parse.
|
|
*
|
|
* This may be called multiple times for a context.
|
|
*
|
|
* Returns 0 on success and a negative error code on failure. In the event of
|
|
* failure, supplementary error information may have been set.
|
|
*/
|
|
int vfs_parse_fs_param(struct fs_context *fc, struct fs_parameter *param)
|
|
{
|
|
int ret;
|
|
|
|
if (!param->key)
|
|
return invalf(fc, "Unnamed parameter\n");
|
|
|
|
ret = vfs_parse_sb_flag(fc, param->key);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
|
|
ret = security_fs_context_parse_param(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
/* Param belongs to the LSM or is disallowed by the LSM; so
|
|
* don't pass to the FS.
|
|
*/
|
|
return ret;
|
|
|
|
if (fc->ops->parse_param) {
|
|
ret = fc->ops->parse_param(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
}
|
|
|
|
/* If the filesystem doesn't take any arguments, give it the
|
|
* default handling of source.
|
|
*/
|
|
ret = vfs_parse_fs_param_source(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
|
|
return invalf(fc, "%s: Unknown parameter '%s'",
|
|
fc->fs_type->name, param->key);
|
|
}
|
|
EXPORT_SYMBOL(vfs_parse_fs_param);
|
|
|
|
/**
|
|
* vfs_parse_fs_string - Convenience function to just parse a string.
|
|
*/
|
|
int vfs_parse_fs_string(struct fs_context *fc, const char *key,
|
|
const char *value, size_t v_size)
|
|
{
|
|
int ret;
|
|
|
|
struct fs_parameter param = {
|
|
.key = key,
|
|
.type = fs_value_is_flag,
|
|
.size = v_size,
|
|
};
|
|
|
|
if (value) {
|
|
param.string = kmemdup_nul(value, v_size, GFP_KERNEL);
|
|
if (!param.string)
|
|
return -ENOMEM;
|
|
param.type = fs_value_is_string;
|
|
}
|
|
|
|
ret = vfs_parse_fs_param(fc, ¶m);
|
|
kfree(param.string);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(vfs_parse_fs_string);
|
|
|
|
/**
|
|
* generic_parse_monolithic - Parse key[=val][,key[=val]]* mount data
|
|
* @ctx: The superblock configuration to fill in.
|
|
* @data: The data to parse
|
|
*
|
|
* Parse a blob of data that's in key[=val][,key[=val]]* form. This can be
|
|
* called from the ->monolithic_mount_data() fs_context operation.
|
|
*
|
|
* Returns 0 on success or the error returned by the ->parse_option() fs_context
|
|
* operation on failure.
|
|
*/
|
|
int generic_parse_monolithic(struct fs_context *fc, void *data)
|
|
{
|
|
char *options = data, *key;
|
|
int ret = 0;
|
|
|
|
if (!options)
|
|
return 0;
|
|
|
|
ret = security_sb_eat_lsm_opts(options, &fc->security);
|
|
if (ret)
|
|
return ret;
|
|
|
|
while ((key = strsep(&options, ",")) != NULL) {
|
|
if (*key) {
|
|
size_t v_len = 0;
|
|
char *value = strchr(key, '=');
|
|
|
|
if (value) {
|
|
if (value == key)
|
|
continue;
|
|
*value++ = 0;
|
|
v_len = strlen(value);
|
|
}
|
|
ret = vfs_parse_fs_string(fc, key, value, v_len);
|
|
if (ret < 0)
|
|
break;
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(generic_parse_monolithic);
|
|
|
|
/**
|
|
* alloc_fs_context - Create a filesystem context.
|
|
* @fs_type: The filesystem type.
|
|
* @reference: The dentry from which this one derives (or NULL)
|
|
* @sb_flags: Filesystem/superblock flags (SB_*)
|
|
* @sb_flags_mask: Applicable members of @sb_flags
|
|
* @purpose: The purpose that this configuration shall be used for.
|
|
*
|
|
* Open a filesystem and create a mount context. The mount context is
|
|
* initialised with the supplied flags and, if a submount/automount from
|
|
* another superblock (referred to by @reference) is supplied, may have
|
|
* parameters such as namespaces copied across from that superblock.
|
|
*/
|
|
static struct fs_context *alloc_fs_context(struct file_system_type *fs_type,
|
|
struct dentry *reference,
|
|
unsigned int sb_flags,
|
|
unsigned int sb_flags_mask,
|
|
enum fs_context_purpose purpose)
|
|
{
|
|
int (*init_fs_context)(struct fs_context *);
|
|
struct fs_context *fc;
|
|
int ret = -ENOMEM;
|
|
|
|
fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL_ACCOUNT);
|
|
if (!fc)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
fc->purpose = purpose;
|
|
fc->sb_flags = sb_flags;
|
|
fc->sb_flags_mask = sb_flags_mask;
|
|
fc->fs_type = get_filesystem(fs_type);
|
|
fc->cred = get_current_cred();
|
|
fc->net_ns = get_net(current->nsproxy->net_ns);
|
|
fc->log.prefix = fs_type->name;
|
|
|
|
mutex_init(&fc->uapi_mutex);
|
|
|
|
switch (purpose) {
|
|
case FS_CONTEXT_FOR_MOUNT:
|
|
fc->user_ns = get_user_ns(fc->cred->user_ns);
|
|
break;
|
|
case FS_CONTEXT_FOR_SUBMOUNT:
|
|
fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
|
|
break;
|
|
case FS_CONTEXT_FOR_RECONFIGURE:
|
|
atomic_inc(&reference->d_sb->s_active);
|
|
fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
|
|
fc->root = dget(reference);
|
|
break;
|
|
}
|
|
|
|
/* TODO: Make all filesystems support this unconditionally */
|
|
init_fs_context = fc->fs_type->init_fs_context;
|
|
if (!init_fs_context)
|
|
init_fs_context = legacy_init_fs_context;
|
|
|
|
ret = init_fs_context(fc);
|
|
if (ret < 0)
|
|
goto err_fc;
|
|
fc->need_free = true;
|
|
return fc;
|
|
|
|
err_fc:
|
|
put_fs_context(fc);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
struct fs_context *fs_context_for_mount(struct file_system_type *fs_type,
|
|
unsigned int sb_flags)
|
|
{
|
|
return alloc_fs_context(fs_type, NULL, sb_flags, 0,
|
|
FS_CONTEXT_FOR_MOUNT);
|
|
}
|
|
EXPORT_SYMBOL(fs_context_for_mount);
|
|
|
|
struct fs_context *fs_context_for_reconfigure(struct dentry *dentry,
|
|
unsigned int sb_flags,
|
|
unsigned int sb_flags_mask)
|
|
{
|
|
return alloc_fs_context(dentry->d_sb->s_type, dentry, sb_flags,
|
|
sb_flags_mask, FS_CONTEXT_FOR_RECONFIGURE);
|
|
}
|
|
EXPORT_SYMBOL(fs_context_for_reconfigure);
|
|
|
|
struct fs_context *fs_context_for_submount(struct file_system_type *type,
|
|
struct dentry *reference)
|
|
{
|
|
return alloc_fs_context(type, reference, 0, 0, FS_CONTEXT_FOR_SUBMOUNT);
|
|
}
|
|
EXPORT_SYMBOL(fs_context_for_submount);
|
|
|
|
void fc_drop_locked(struct fs_context *fc)
|
|
{
|
|
struct super_block *sb = fc->root->d_sb;
|
|
dput(fc->root);
|
|
fc->root = NULL;
|
|
deactivate_locked_super(sb);
|
|
}
|
|
|
|
static void legacy_fs_context_free(struct fs_context *fc);
|
|
|
|
/**
|
|
* vfs_dup_fc_config: Duplicate a filesystem context.
|
|
* @src_fc: The context to copy.
|
|
*/
|
|
struct fs_context *vfs_dup_fs_context(struct fs_context *src_fc)
|
|
{
|
|
struct fs_context *fc;
|
|
int ret;
|
|
|
|
if (!src_fc->ops->dup)
|
|
return ERR_PTR(-EOPNOTSUPP);
|
|
|
|
fc = kmemdup(src_fc, sizeof(struct fs_context), GFP_KERNEL);
|
|
if (!fc)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
mutex_init(&fc->uapi_mutex);
|
|
|
|
fc->fs_private = NULL;
|
|
fc->s_fs_info = NULL;
|
|
fc->source = NULL;
|
|
fc->security = NULL;
|
|
get_filesystem(fc->fs_type);
|
|
get_net(fc->net_ns);
|
|
get_user_ns(fc->user_ns);
|
|
get_cred(fc->cred);
|
|
if (fc->log.log)
|
|
refcount_inc(&fc->log.log->usage);
|
|
|
|
/* Can't call put until we've called ->dup */
|
|
ret = fc->ops->dup(fc, src_fc);
|
|
if (ret < 0)
|
|
goto err_fc;
|
|
|
|
ret = security_fs_context_dup(fc, src_fc);
|
|
if (ret < 0)
|
|
goto err_fc;
|
|
return fc;
|
|
|
|
err_fc:
|
|
put_fs_context(fc);
|
|
return ERR_PTR(ret);
|
|
}
|
|
EXPORT_SYMBOL(vfs_dup_fs_context);
|
|
|
|
/**
|
|
* logfc - Log a message to a filesystem context
|
|
* @fc: The filesystem context to log to.
|
|
* @fmt: The format of the buffer.
|
|
*/
|
|
void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, ...)
|
|
{
|
|
va_list va;
|
|
struct va_format vaf = {.fmt = fmt, .va = &va};
|
|
|
|
va_start(va, fmt);
|
|
if (!log) {
|
|
switch (level) {
|
|
case 'w':
|
|
printk(KERN_WARNING "%s%s%pV\n", prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
break;
|
|
case 'e':
|
|
printk(KERN_ERR "%s%s%pV\n", prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
break;
|
|
default:
|
|
printk(KERN_NOTICE "%s%s%pV\n", prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
break;
|
|
}
|
|
} else {
|
|
unsigned int logsize = ARRAY_SIZE(log->buffer);
|
|
u8 index;
|
|
char *q = kasprintf(GFP_KERNEL, "%c %s%s%pV\n", level,
|
|
prefix ? prefix : "",
|
|
prefix ? ": " : "", &vaf);
|
|
|
|
index = log->head & (logsize - 1);
|
|
BUILD_BUG_ON(sizeof(log->head) != sizeof(u8) ||
|
|
sizeof(log->tail) != sizeof(u8));
|
|
if ((u8)(log->head - log->tail) == logsize) {
|
|
/* The buffer is full, discard the oldest message */
|
|
if (log->need_free & (1 << index))
|
|
kfree(log->buffer[index]);
|
|
log->tail++;
|
|
}
|
|
|
|
log->buffer[index] = q ? q : "OOM: Can't store error string";
|
|
if (q)
|
|
log->need_free |= 1 << index;
|
|
else
|
|
log->need_free &= ~(1 << index);
|
|
log->head++;
|
|
}
|
|
va_end(va);
|
|
}
|
|
EXPORT_SYMBOL(logfc);
|
|
|
|
/*
|
|
* Free a logging structure.
|
|
*/
|
|
static void put_fc_log(struct fs_context *fc)
|
|
{
|
|
struct fc_log *log = fc->log.log;
|
|
int i;
|
|
|
|
if (log) {
|
|
if (refcount_dec_and_test(&log->usage)) {
|
|
fc->log.log = NULL;
|
|
for (i = 0; i <= 7; i++)
|
|
if (log->need_free & (1 << i))
|
|
kfree(log->buffer[i]);
|
|
kfree(log);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* put_fs_context - Dispose of a superblock configuration context.
|
|
* @fc: The context to dispose of.
|
|
*/
|
|
void put_fs_context(struct fs_context *fc)
|
|
{
|
|
struct super_block *sb;
|
|
|
|
if (fc->root) {
|
|
sb = fc->root->d_sb;
|
|
dput(fc->root);
|
|
fc->root = NULL;
|
|
deactivate_super(sb);
|
|
}
|
|
|
|
if (fc->need_free && fc->ops && fc->ops->free)
|
|
fc->ops->free(fc);
|
|
|
|
security_free_mnt_opts(&fc->security);
|
|
put_net(fc->net_ns);
|
|
put_user_ns(fc->user_ns);
|
|
put_cred(fc->cred);
|
|
put_fc_log(fc);
|
|
put_filesystem(fc->fs_type);
|
|
kfree(fc->source);
|
|
kfree(fc);
|
|
}
|
|
EXPORT_SYMBOL(put_fs_context);
|
|
|
|
/*
|
|
* Free the config for a filesystem that doesn't support fs_context.
|
|
*/
|
|
static void legacy_fs_context_free(struct fs_context *fc)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
|
|
if (ctx) {
|
|
if (ctx->param_type == LEGACY_FS_INDIVIDUAL_PARAMS)
|
|
kfree(ctx->legacy_data);
|
|
kfree(ctx);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Duplicate a legacy config.
|
|
*/
|
|
static int legacy_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)
|
|
{
|
|
struct legacy_fs_context *ctx;
|
|
struct legacy_fs_context *src_ctx = src_fc->fs_private;
|
|
|
|
ctx = kmemdup(src_ctx, sizeof(*src_ctx), GFP_KERNEL);
|
|
if (!ctx)
|
|
return -ENOMEM;
|
|
|
|
if (ctx->param_type == LEGACY_FS_INDIVIDUAL_PARAMS) {
|
|
ctx->legacy_data = kmemdup(src_ctx->legacy_data,
|
|
src_ctx->data_size, GFP_KERNEL);
|
|
if (!ctx->legacy_data) {
|
|
kfree(ctx);
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
|
|
fc->fs_private = ctx;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Add a parameter to a legacy config. We build up a comma-separated list of
|
|
* options.
|
|
*/
|
|
static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
unsigned int size = ctx->data_size;
|
|
size_t len = 0;
|
|
int ret;
|
|
|
|
ret = vfs_parse_fs_param_source(fc, param);
|
|
if (ret != -ENOPARAM)
|
|
return ret;
|
|
|
|
if (ctx->param_type == LEGACY_FS_MONOLITHIC_PARAMS)
|
|
return invalf(fc, "VFS: Legacy: Can't mix monolithic and individual options");
|
|
|
|
switch (param->type) {
|
|
case fs_value_is_string:
|
|
len = 1 + param->size;
|
|
fallthrough;
|
|
case fs_value_is_flag:
|
|
len += strlen(param->key);
|
|
break;
|
|
default:
|
|
return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
|
|
param->key);
|
|
}
|
|
|
|
if (size + len + 2 > PAGE_SIZE)
|
|
return invalf(fc, "VFS: Legacy: Cumulative options too large");
|
|
if (strchr(param->key, ',') ||
|
|
(param->type == fs_value_is_string &&
|
|
memchr(param->string, ',', param->size)))
|
|
return invalf(fc, "VFS: Legacy: Option '%s' contained comma",
|
|
param->key);
|
|
if (!ctx->legacy_data) {
|
|
ctx->legacy_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
|
|
if (!ctx->legacy_data)
|
|
return -ENOMEM;
|
|
}
|
|
|
|
if (size)
|
|
ctx->legacy_data[size++] = ',';
|
|
len = strlen(param->key);
|
|
memcpy(ctx->legacy_data + size, param->key, len);
|
|
size += len;
|
|
if (param->type == fs_value_is_string) {
|
|
ctx->legacy_data[size++] = '=';
|
|
memcpy(ctx->legacy_data + size, param->string, param->size);
|
|
size += param->size;
|
|
}
|
|
ctx->legacy_data[size] = '\0';
|
|
ctx->data_size = size;
|
|
ctx->param_type = LEGACY_FS_INDIVIDUAL_PARAMS;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Add monolithic mount data.
|
|
*/
|
|
static int legacy_parse_monolithic(struct fs_context *fc, void *data)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
|
|
if (ctx->param_type != LEGACY_FS_UNSET_PARAMS) {
|
|
pr_warn("VFS: Can't mix monolithic and individual options\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
ctx->legacy_data = data;
|
|
ctx->param_type = LEGACY_FS_MONOLITHIC_PARAMS;
|
|
if (!ctx->legacy_data)
|
|
return 0;
|
|
|
|
if (fc->fs_type->fs_flags & FS_BINARY_MOUNTDATA)
|
|
return 0;
|
|
return security_sb_eat_lsm_opts(ctx->legacy_data, &fc->security);
|
|
}
|
|
|
|
/*
|
|
* Get a mountable root with the legacy mount command.
|
|
*/
|
|
static int legacy_get_tree(struct fs_context *fc)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
struct super_block *sb;
|
|
struct dentry *root;
|
|
|
|
root = fc->fs_type->mount(fc->fs_type, fc->sb_flags,
|
|
fc->source, ctx->legacy_data);
|
|
if (IS_ERR(root))
|
|
return PTR_ERR(root);
|
|
|
|
sb = root->d_sb;
|
|
BUG_ON(!sb);
|
|
|
|
fc->root = root;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Handle remount.
|
|
*/
|
|
static int legacy_reconfigure(struct fs_context *fc)
|
|
{
|
|
struct legacy_fs_context *ctx = fc->fs_private;
|
|
struct super_block *sb = fc->root->d_sb;
|
|
|
|
if (!sb->s_op->remount_fs)
|
|
return 0;
|
|
|
|
return sb->s_op->remount_fs(sb, &fc->sb_flags,
|
|
ctx ? ctx->legacy_data : NULL);
|
|
}
|
|
|
|
const struct fs_context_operations legacy_fs_context_ops = {
|
|
.free = legacy_fs_context_free,
|
|
.dup = legacy_fs_context_dup,
|
|
.parse_param = legacy_parse_param,
|
|
.parse_monolithic = legacy_parse_monolithic,
|
|
.get_tree = legacy_get_tree,
|
|
.reconfigure = legacy_reconfigure,
|
|
};
|
|
|
|
/*
|
|
* Initialise a legacy context for a filesystem that doesn't support
|
|
* fs_context.
|
|
*/
|
|
static int legacy_init_fs_context(struct fs_context *fc)
|
|
{
|
|
fc->fs_private = kzalloc(sizeof(struct legacy_fs_context), GFP_KERNEL_ACCOUNT);
|
|
if (!fc->fs_private)
|
|
return -ENOMEM;
|
|
fc->ops = &legacy_fs_context_ops;
|
|
return 0;
|
|
}
|
|
|
|
int parse_monolithic_mount_data(struct fs_context *fc, void *data)
|
|
{
|
|
int (*monolithic_mount_data)(struct fs_context *, void *);
|
|
|
|
monolithic_mount_data = fc->ops->parse_monolithic;
|
|
if (!monolithic_mount_data)
|
|
monolithic_mount_data = generic_parse_monolithic;
|
|
|
|
return monolithic_mount_data(fc, data);
|
|
}
|
|
|
|
/*
|
|
* Clean up a context after performing an action on it and put it into a state
|
|
* from where it can be used to reconfigure a superblock.
|
|
*
|
|
* Note that here we do only the parts that can't fail; the rest is in
|
|
* finish_clean_context() below and in between those fs_context is marked
|
|
* FS_CONTEXT_AWAITING_RECONF. The reason for splitup is that after
|
|
* successful mount or remount we need to report success to userland.
|
|
* Trying to do full reinit (for the sake of possible subsequent remount)
|
|
* and failing to allocate memory would've put us into a nasty situation.
|
|
* So here we only discard the old state and reinitialization is left
|
|
* until we actually try to reconfigure.
|
|
*/
|
|
void vfs_clean_context(struct fs_context *fc)
|
|
{
|
|
if (fc->need_free && fc->ops && fc->ops->free)
|
|
fc->ops->free(fc);
|
|
fc->need_free = false;
|
|
fc->fs_private = NULL;
|
|
fc->s_fs_info = NULL;
|
|
fc->sb_flags = 0;
|
|
security_free_mnt_opts(&fc->security);
|
|
kfree(fc->source);
|
|
fc->source = NULL;
|
|
fc->exclusive = false;
|
|
|
|
fc->purpose = FS_CONTEXT_FOR_RECONFIGURE;
|
|
fc->phase = FS_CONTEXT_AWAITING_RECONF;
|
|
}
|
|
|
|
int finish_clean_context(struct fs_context *fc)
|
|
{
|
|
int error;
|
|
|
|
if (fc->phase != FS_CONTEXT_AWAITING_RECONF)
|
|
return 0;
|
|
|
|
if (fc->fs_type->init_fs_context)
|
|
error = fc->fs_type->init_fs_context(fc);
|
|
else
|
|
error = legacy_init_fs_context(fc);
|
|
if (unlikely(error)) {
|
|
fc->phase = FS_CONTEXT_FAILED;
|
|
return error;
|
|
}
|
|
fc->need_free = true;
|
|
fc->phase = FS_CONTEXT_RECONF_PARAMS;
|
|
return 0;
|
|
}
|