diff options
author | Andy Adamson <andros@netapp.com> | 2011-01-25 10:38:01 -0500 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2011-01-25 15:26:51 -0500 |
commit | 778be232a207e79088ba70d832ac25dfea6fbf1a (patch) | |
tree | 307249459e5ef45c4b3651c7fc5c454cdb3e0c92 /fs | |
parent | 80c30e8de4f81851b1f712bcc596e11d53bc76f1 (diff) |
NFS do not find client in NFSv4 pg_authenticate
The information required to find the nfs_client cooresponding to the incoming
back channel request is contained in the NFS layer. Perform minimal checking
in the RPC layer pg_authenticate method, and push more detailed checking into
the NFS layer where the nfs_client can be found.
Signed-off-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/nfs/callback.c | 109 | ||||
-rw-r--r-- | fs/nfs/callback.h | 4 | ||||
-rw-r--r-- | fs/nfs/callback_proc.c | 10 | ||||
-rw-r--r-- | fs/nfs/callback_xdr.c | 5 | ||||
-rw-r--r-- | fs/nfs/client.c | 15 | ||||
-rw-r--r-- | fs/nfs/internal.h | 3 | ||||
-rw-r--r-- | fs/nfs/nfs4state.c | 6 |
7 files changed, 41 insertions, 111 deletions
diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c index 199016528fcb..e3d294269058 100644 --- a/fs/nfs/callback.c +++ b/fs/nfs/callback.c | |||
@@ -135,33 +135,6 @@ out_err: | |||
135 | 135 | ||
136 | #if defined(CONFIG_NFS_V4_1) | 136 | #if defined(CONFIG_NFS_V4_1) |
137 | /* | 137 | /* |
138 | * * CB_SEQUENCE operations will fail until the callback sessionid is set. | ||
139 | * */ | ||
140 | int nfs4_set_callback_sessionid(struct nfs_client *clp) | ||
141 | { | ||
142 | struct svc_serv *serv = clp->cl_rpcclient->cl_xprt->bc_serv; | ||
143 | struct nfs4_sessionid *bc_sid; | ||
144 | |||
145 | if (!serv->sv_bc_xprt) | ||
146 | return -EINVAL; | ||
147 | |||
148 | /* on success freed in xprt_free */ | ||
149 | bc_sid = kmalloc(sizeof(struct nfs4_sessionid), GFP_KERNEL); | ||
150 | if (!bc_sid) | ||
151 | return -ENOMEM; | ||
152 | memcpy(bc_sid->data, &clp->cl_session->sess_id.data, | ||
153 | NFS4_MAX_SESSIONID_LEN); | ||
154 | spin_lock_bh(&serv->sv_cb_lock); | ||
155 | serv->sv_bc_xprt->xpt_bc_sid = bc_sid; | ||
156 | spin_unlock_bh(&serv->sv_cb_lock); | ||
157 | dprintk("%s set xpt_bc_sid=%u:%u:%u:%u for sv_bc_xprt %p\n", __func__, | ||
158 | ((u32 *)bc_sid->data)[0], ((u32 *)bc_sid->data)[1], | ||
159 | ((u32 *)bc_sid->data)[2], ((u32 *)bc_sid->data)[3], | ||
160 | serv->sv_bc_xprt); | ||
161 | return 0; | ||
162 | } | ||
163 | |||
164 | /* | ||
165 | * The callback service for NFSv4.1 callbacks | 138 | * The callback service for NFSv4.1 callbacks |
166 | */ | 139 | */ |
167 | static int | 140 | static int |
@@ -266,10 +239,6 @@ static inline void nfs_callback_bc_serv(u32 minorversion, struct rpc_xprt *xprt, | |||
266 | struct nfs_callback_data *cb_info) | 239 | struct nfs_callback_data *cb_info) |
267 | { | 240 | { |
268 | } | 241 | } |
269 | int nfs4_set_callback_sessionid(struct nfs_client *clp) | ||
270 | { | ||
271 | return 0; | ||
272 | } | ||
273 | #endif /* CONFIG_NFS_V4_1 */ | 242 | #endif /* CONFIG_NFS_V4_1 */ |
274 | 243 | ||
275 | /* | 244 | /* |
@@ -359,78 +328,58 @@ void nfs_callback_down(int minorversion) | |||
359 | mutex_unlock(&nfs_callback_mutex); | 328 | mutex_unlock(&nfs_callback_mutex); |
360 | } | 329 | } |
361 | 330 | ||
362 | static int check_gss_callback_principal(struct nfs_client *clp, | 331 | /* Boolean check of RPC_AUTH_GSS principal */ |
363 | struct svc_rqst *rqstp) | 332 | int |
333 | check_gss_callback_principal(struct nfs_client *clp, struct svc_rqst *rqstp) | ||
364 | { | 334 | { |
365 | struct rpc_clnt *r = clp->cl_rpcclient; | 335 | struct rpc_clnt *r = clp->cl_rpcclient; |
366 | char *p = svc_gss_principal(rqstp); | 336 | char *p = svc_gss_principal(rqstp); |
367 | 337 | ||
338 | if (rqstp->rq_authop->flavour != RPC_AUTH_GSS) | ||
339 | return 1; | ||
340 | |||
368 | /* No RPC_AUTH_GSS on NFSv4.1 back channel yet */ | 341 | /* No RPC_AUTH_GSS on NFSv4.1 back channel yet */ |
369 | if (clp->cl_minorversion != 0) | 342 | if (clp->cl_minorversion != 0) |
370 | return SVC_DROP; | 343 | return 0; |
371 | /* | 344 | /* |
372 | * It might just be a normal user principal, in which case | 345 | * It might just be a normal user principal, in which case |
373 | * userspace won't bother to tell us the name at all. | 346 | * userspace won't bother to tell us the name at all. |
374 | */ | 347 | */ |
375 | if (p == NULL) | 348 | if (p == NULL) |
376 | return SVC_DENIED; | 349 | return 0; |
377 | 350 | ||
378 | /* Expect a GSS_C_NT_HOSTBASED_NAME like "nfs@serverhostname" */ | 351 | /* Expect a GSS_C_NT_HOSTBASED_NAME like "nfs@serverhostname" */ |
379 | 352 | ||
380 | if (memcmp(p, "nfs@", 4) != 0) | 353 | if (memcmp(p, "nfs@", 4) != 0) |
381 | return SVC_DENIED; | 354 | return 0; |
382 | p += 4; | 355 | p += 4; |
383 | if (strcmp(p, r->cl_server) != 0) | 356 | if (strcmp(p, r->cl_server) != 0) |
384 | return SVC_DENIED; | 357 | return 0; |
385 | return SVC_OK; | 358 | return 1; |
386 | } | 359 | } |
387 | 360 | ||
388 | /* pg_authenticate method helper */ | 361 | /* |
389 | static struct nfs_client *nfs_cb_find_client(struct svc_rqst *rqstp) | 362 | * pg_authenticate method for nfsv4 callback threads. |
390 | { | 363 | * |
391 | struct nfs4_sessionid *sessionid = bc_xprt_sid(rqstp); | 364 | * The authflavor has been negotiated, so an incorrect flavor is a server |
392 | int is_cb_compound = rqstp->rq_proc == CB_COMPOUND ? 1 : 0; | 365 | * bug. Drop packets with incorrect authflavor. |
393 | 366 | * | |
394 | dprintk("--> %s rq_proc %d\n", __func__, rqstp->rq_proc); | 367 | * All other checking done after NFS decoding where the nfs_client can be |
395 | if (svc_is_backchannel(rqstp)) | 368 | * found in nfs4_callback_compound |
396 | /* Sessionid (usually) set after CB_NULL ping */ | 369 | */ |
397 | return nfs4_find_client_sessionid(svc_addr(rqstp), sessionid, | ||
398 | is_cb_compound); | ||
399 | else | ||
400 | /* No callback identifier in pg_authenticate */ | ||
401 | return nfs4_find_client_no_ident(svc_addr(rqstp)); | ||
402 | } | ||
403 | |||
404 | /* pg_authenticate method for nfsv4 callback threads. */ | ||
405 | static int nfs_callback_authenticate(struct svc_rqst *rqstp) | 370 | static int nfs_callback_authenticate(struct svc_rqst *rqstp) |
406 | { | 371 | { |
407 | struct nfs_client *clp; | ||
408 | RPC_IFDEBUG(char buf[RPC_MAX_ADDRBUFLEN]); | ||
409 | int ret = SVC_OK; | ||
410 | |||
411 | /* Don't talk to strangers */ | ||
412 | clp = nfs_cb_find_client(rqstp); | ||
413 | if (clp == NULL) | ||
414 | return SVC_DROP; | ||
415 | |||
416 | dprintk("%s: %s NFSv4 callback!\n", __func__, | ||
417 | svc_print_addr(rqstp, buf, sizeof(buf))); | ||
418 | |||
419 | switch (rqstp->rq_authop->flavour) { | 372 | switch (rqstp->rq_authop->flavour) { |
420 | case RPC_AUTH_NULL: | 373 | case RPC_AUTH_NULL: |
421 | if (rqstp->rq_proc != CB_NULL) | 374 | if (rqstp->rq_proc != CB_NULL) |
422 | ret = SVC_DENIED; | 375 | return SVC_DROP; |
423 | break; | 376 | break; |
424 | case RPC_AUTH_UNIX: | 377 | case RPC_AUTH_GSS: |
425 | break; | 378 | /* No RPC_AUTH_GSS support yet in NFSv4.1 */ |
426 | case RPC_AUTH_GSS: | 379 | if (svc_is_backchannel(rqstp)) |
427 | ret = check_gss_callback_principal(clp, rqstp); | 380 | return SVC_DROP; |
428 | break; | ||
429 | default: | ||
430 | ret = SVC_DENIED; | ||
431 | } | 381 | } |
432 | nfs_put_client(clp); | 382 | return SVC_OK; |
433 | return ret; | ||
434 | } | 383 | } |
435 | 384 | ||
436 | /* | 385 | /* |
diff --git a/fs/nfs/callback.h b/fs/nfs/callback.h index d3b44f9bd747..46d93ce7311b 100644 --- a/fs/nfs/callback.h +++ b/fs/nfs/callback.h | |||
@@ -7,6 +7,7 @@ | |||
7 | */ | 7 | */ |
8 | #ifndef __LINUX_FS_NFS_CALLBACK_H | 8 | #ifndef __LINUX_FS_NFS_CALLBACK_H |
9 | #define __LINUX_FS_NFS_CALLBACK_H | 9 | #define __LINUX_FS_NFS_CALLBACK_H |
10 | #include <linux/sunrpc/svc.h> | ||
10 | 11 | ||
11 | #define NFS4_CALLBACK 0x40000000 | 12 | #define NFS4_CALLBACK 0x40000000 |
12 | #define NFS4_CALLBACK_XDRSIZE 2048 | 13 | #define NFS4_CALLBACK_XDRSIZE 2048 |
@@ -37,7 +38,6 @@ enum nfs4_callback_opnum { | |||
37 | struct cb_process_state { | 38 | struct cb_process_state { |
38 | __be32 drc_status; | 39 | __be32 drc_status; |
39 | struct nfs_client *clp; | 40 | struct nfs_client *clp; |
40 | struct nfs4_sessionid *svc_sid; /* v4.1 callback service sessionid */ | ||
41 | }; | 41 | }; |
42 | 42 | ||
43 | struct cb_compound_hdr_arg { | 43 | struct cb_compound_hdr_arg { |
@@ -168,7 +168,7 @@ extern unsigned nfs4_callback_layoutrecall( | |||
168 | extern void nfs4_check_drain_bc_complete(struct nfs4_session *ses); | 168 | extern void nfs4_check_drain_bc_complete(struct nfs4_session *ses); |
169 | extern void nfs4_cb_take_slot(struct nfs_client *clp); | 169 | extern void nfs4_cb_take_slot(struct nfs_client *clp); |
170 | #endif /* CONFIG_NFS_V4_1 */ | 170 | #endif /* CONFIG_NFS_V4_1 */ |
171 | 171 | extern int check_gss_callback_principal(struct nfs_client *, struct svc_rqst *); | |
172 | extern __be32 nfs4_callback_getattr(struct cb_getattrargs *args, | 172 | extern __be32 nfs4_callback_getattr(struct cb_getattrargs *args, |
173 | struct cb_getattrres *res, | 173 | struct cb_getattrres *res, |
174 | struct cb_process_state *cps); | 174 | struct cb_process_state *cps); |
diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c index 4bb91cb2620d..829f406e91dd 100644 --- a/fs/nfs/callback_proc.c +++ b/fs/nfs/callback_proc.c | |||
@@ -373,17 +373,11 @@ __be32 nfs4_callback_sequence(struct cb_sequenceargs *args, | |||
373 | { | 373 | { |
374 | struct nfs_client *clp; | 374 | struct nfs_client *clp; |
375 | int i; | 375 | int i; |
376 | __be32 status; | 376 | __be32 status = htonl(NFS4ERR_BADSESSION); |
377 | 377 | ||
378 | cps->clp = NULL; | 378 | cps->clp = NULL; |
379 | 379 | ||
380 | status = htonl(NFS4ERR_BADSESSION); | 380 | clp = nfs4_find_client_sessionid(args->csa_addr, &args->csa_sessionid); |
381 | /* Incoming session must match the callback session */ | ||
382 | if (memcmp(&args->csa_sessionid, cps->svc_sid, NFS4_MAX_SESSIONID_LEN)) | ||
383 | goto out; | ||
384 | |||
385 | clp = nfs4_find_client_sessionid(args->csa_addr, | ||
386 | &args->csa_sessionid, 1); | ||
387 | if (clp == NULL) | 381 | if (clp == NULL) |
388 | goto out; | 382 | goto out; |
389 | 383 | ||
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c index 23112c263f81..14e0f9371d14 100644 --- a/fs/nfs/callback_xdr.c +++ b/fs/nfs/callback_xdr.c | |||
@@ -794,10 +794,9 @@ static __be32 nfs4_callback_compound(struct svc_rqst *rqstp, void *argp, void *r | |||
794 | 794 | ||
795 | if (hdr_arg.minorversion == 0) { | 795 | if (hdr_arg.minorversion == 0) { |
796 | cps.clp = nfs4_find_client_ident(hdr_arg.cb_ident); | 796 | cps.clp = nfs4_find_client_ident(hdr_arg.cb_ident); |
797 | if (!cps.clp) | 797 | if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) |
798 | return rpc_drop_reply; | 798 | return rpc_drop_reply; |
799 | } else | 799 | } |
800 | cps.svc_sid = bc_xprt_sid(rqstp); | ||
801 | 800 | ||
802 | hdr_res.taglen = hdr_arg.taglen; | 801 | hdr_res.taglen = hdr_arg.taglen; |
803 | hdr_res.tag = hdr_arg.tag; | 802 | hdr_res.tag = hdr_arg.tag; |
diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 192f2f860265..bd3ca32879e7 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c | |||
@@ -1206,16 +1206,11 @@ nfs4_find_client_ident(int cb_ident) | |||
1206 | * For CB_COMPOUND calls, find a client by IP address, protocol version, | 1206 | * For CB_COMPOUND calls, find a client by IP address, protocol version, |
1207 | * minorversion, and sessionID | 1207 | * minorversion, and sessionID |
1208 | * | 1208 | * |
1209 | * CREATE_SESSION triggers a CB_NULL ping from servers. The callback service | ||
1210 | * sessionid can only be set after the CREATE_SESSION return, so a CB_NULL | ||
1211 | * can arrive before the callback sessionid is set. For CB_NULL calls, | ||
1212 | * find a client by IP address protocol version, and minorversion. | ||
1213 | * | ||
1214 | * Returns NULL if no such client | 1209 | * Returns NULL if no such client |
1215 | */ | 1210 | */ |
1216 | struct nfs_client * | 1211 | struct nfs_client * |
1217 | nfs4_find_client_sessionid(const struct sockaddr *addr, | 1212 | nfs4_find_client_sessionid(const struct sockaddr *addr, |
1218 | struct nfs4_sessionid *sid, int is_cb_compound) | 1213 | struct nfs4_sessionid *sid) |
1219 | { | 1214 | { |
1220 | struct nfs_client *clp; | 1215 | struct nfs_client *clp; |
1221 | 1216 | ||
@@ -1227,9 +1222,9 @@ nfs4_find_client_sessionid(const struct sockaddr *addr, | |||
1227 | if (!nfs4_has_session(clp)) | 1222 | if (!nfs4_has_session(clp)) |
1228 | continue; | 1223 | continue; |
1229 | 1224 | ||
1230 | /* Match sessionid unless cb_null call*/ | 1225 | /* Match sessionid*/ |
1231 | if (is_cb_compound && (memcmp(clp->cl_session->sess_id.data, | 1226 | if (memcmp(clp->cl_session->sess_id.data, |
1232 | sid->data, NFS4_MAX_SESSIONID_LEN) != 0)) | 1227 | sid->data, NFS4_MAX_SESSIONID_LEN) != 0) |
1233 | continue; | 1228 | continue; |
1234 | 1229 | ||
1235 | atomic_inc(&clp->cl_count); | 1230 | atomic_inc(&clp->cl_count); |
@@ -1244,7 +1239,7 @@ nfs4_find_client_sessionid(const struct sockaddr *addr, | |||
1244 | 1239 | ||
1245 | struct nfs_client * | 1240 | struct nfs_client * |
1246 | nfs4_find_client_sessionid(const struct sockaddr *addr, | 1241 | nfs4_find_client_sessionid(const struct sockaddr *addr, |
1247 | struct nfs4_sessionid *sid, int is_cb_compound) | 1242 | struct nfs4_sessionid *sid) |
1248 | { | 1243 | { |
1249 | return NULL; | 1244 | return NULL; |
1250 | } | 1245 | } |
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h index 4644f04b4b46..cf9fdbdabc67 100644 --- a/fs/nfs/internal.h +++ b/fs/nfs/internal.h | |||
@@ -133,8 +133,7 @@ extern void nfs_put_client(struct nfs_client *); | |||
133 | extern struct nfs_client *nfs4_find_client_no_ident(const struct sockaddr *); | 133 | extern struct nfs_client *nfs4_find_client_no_ident(const struct sockaddr *); |
134 | extern struct nfs_client *nfs4_find_client_ident(int); | 134 | extern struct nfs_client *nfs4_find_client_ident(int); |
135 | extern struct nfs_client * | 135 | extern struct nfs_client * |
136 | nfs4_find_client_sessionid(const struct sockaddr *, struct nfs4_sessionid *, | 136 | nfs4_find_client_sessionid(const struct sockaddr *, struct nfs4_sessionid *); |
137 | int); | ||
138 | extern struct nfs_server *nfs_create_server( | 137 | extern struct nfs_server *nfs_create_server( |
139 | const struct nfs_parsed_mount_data *, | 138 | const struct nfs_parsed_mount_data *, |
140 | struct nfs_fh *); | 139 | struct nfs_fh *); |
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index 2336d532cf66..e6742b57a04c 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c | |||
@@ -232,12 +232,6 @@ int nfs41_init_clientid(struct nfs_client *clp, struct rpc_cred *cred) | |||
232 | status = nfs4_proc_create_session(clp); | 232 | status = nfs4_proc_create_session(clp); |
233 | if (status != 0) | 233 | if (status != 0) |
234 | goto out; | 234 | goto out; |
235 | status = nfs4_set_callback_sessionid(clp); | ||
236 | if (status != 0) { | ||
237 | printk(KERN_WARNING "Sessionid not set. No callback service\n"); | ||
238 | nfs_callback_down(1); | ||
239 | status = 0; | ||
240 | } | ||
241 | nfs41_setup_state_renewal(clp); | 235 | nfs41_setup_state_renewal(clp); |
242 | nfs_mark_client_ready(clp, NFS_CS_READY); | 236 | nfs_mark_client_ready(clp, NFS_CS_READY); |
243 | out: | 237 | out: |