Commit 0a183f24 authored by NeilBrown's avatar NeilBrown Committed by Anna Schumaker

NFSD: Handle @rqstp == NULL in check_nfsd_access()

LOCALIO-initiated open operations are not running in an nfsd thread
and thus do not have an associated svc_rqst context.
Signed-off-by: default avatarNeilBrown <neilb@suse.de>
Co-developed-by: default avatarMike Snitzer <snitzer@kernel.org>
Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
Signed-off-by: default avatarAnna Schumaker <anna.schumaker@oracle.com>
parent 1545e488
...@@ -1074,10 +1074,30 @@ static struct svc_export *exp_find(struct cache_detail *cd, ...@@ -1074,10 +1074,30 @@ static struct svc_export *exp_find(struct cache_detail *cd,
return exp; return exp;
} }
/**
* check_nfsd_access - check if access to export is allowed.
* @exp: svc_export that is being accessed.
* @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO).
*
* Return values:
* %nfs_ok if access is granted, or
* %nfserr_wrongsec if access is denied
*/
__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
{ {
struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
struct svc_xprt *xprt = rqstp->rq_xprt; struct svc_xprt *xprt;
/*
* If rqstp is NULL, this is a LOCALIO request which will only
* ever use a filehandle/credential pair for which access has
* been affirmed (by ACCESS or OPEN NFS requests) over the
* wire. So there is no need for further checks here.
*/
if (!rqstp)
return nfs_ok;
xprt = rqstp->rq_xprt;
if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) {
if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags))
...@@ -1098,17 +1118,17 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ...@@ -1098,17 +1118,17 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
ok: ok:
/* legacy gss-only clients are always OK: */ /* legacy gss-only clients are always OK: */
if (exp->ex_client == rqstp->rq_gssclient) if (exp->ex_client == rqstp->rq_gssclient)
return 0; return nfs_ok;
/* ip-address based client; check sec= export option: */ /* ip-address based client; check sec= export option: */
for (f = exp->ex_flavors; f < end; f++) { for (f = exp->ex_flavors; f < end; f++) {
if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) if (f->pseudoflavor == rqstp->rq_cred.cr_flavor)
return 0; return nfs_ok;
} }
/* defaults in absence of sec= options: */ /* defaults in absence of sec= options: */
if (exp->ex_nflavors == 0) { if (exp->ex_nflavors == 0) {
if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL ||
rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)
return 0; return nfs_ok;
} }
/* If the compound op contains a spo_must_allowed op, /* If the compound op contains a spo_must_allowed op,
...@@ -1118,7 +1138,7 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ...@@ -1118,7 +1138,7 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
*/ */
if (nfsd4_spo_must_allow(rqstp)) if (nfsd4_spo_must_allow(rqstp))
return 0; return nfs_ok;
denied: denied:
return nfserr_wrongsec; return nfserr_wrongsec;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment