write in 30M

hc

2024-02-20 ea08eeccae9297f7aabd2ef7f0c2517ac4549acc

 kernel/net/sunrpc/auth.c
..
..
@@ -1,3 +1,4 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
1
2
 /*
2
3
  * linux/net/sunrpc/auth.c
3
4
  *
..
..
@@ -17,9 +18,7 @@
17
18
 #include <linux/sunrpc/gss_api.h>
18
19
 #include <linux/spinlock.h>
19
20
 
20
-#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
21
-# define RPCDBG_FACILITY	RPCDBG_AUTH
22
-#endif
21
+#include <trace/events/sunrpc.h>
23
22
 
24
23
 #define RPC_CREDCACHE_DEFAULT_HASHBITS	(4)
25
24
 struct rpc_cred_cache {
..
..
@@ -30,15 +29,31 @@
30
29
 
31
30
 static unsigned int auth_hashbits = RPC_CREDCACHE_DEFAULT_HASHBITS;
32
31
 
33
-static DEFINE_SPINLOCK(rpc_authflavor_lock);
34
-static const struct rpc_authops *auth_flavors[RPC_AUTH_MAXFLAVOR] = {
35
-	&authnull_ops,		/* AUTH_NULL */
36
-	&authunix_ops,		/* AUTH_UNIX */
32
+static const struct rpc_authops __rcu *auth_flavors[RPC_AUTH_MAXFLAVOR] = {
33
+	[RPC_AUTH_NULL] = (const struct rpc_authops __force __rcu *)&authnull_ops,
34
+	[RPC_AUTH_UNIX] = (const struct rpc_authops __force __rcu *)&authunix_ops,
37
35
 	NULL,			/* others can be loadable modules */
38
36
 };
39
37
 
40
38
 static LIST_HEAD(cred_unused);
41
39
 static unsigned long number_cred_unused;
40
+
41
+static struct cred machine_cred = {
42
+	.usage = ATOMIC_INIT(1),
43
+#ifdef CONFIG_DEBUG_CREDENTIALS
44
+	.magic = CRED_MAGIC,
45
+#endif
46
+};
47
+
48
+/*
49
+ * Return the machine_cred pointer to be used whenever
50
+ * the a generic machine credential is needed.
51
+ */
52
+const struct cred *rpc_machine_cred(void)
53
+{
54
+	return &machine_cred;
55
+}
56
+EXPORT_SYMBOL_GPL(rpc_machine_cred);
42
57
 
43
58
 #define MAX_HASHTABLE_BITS (14)
44
59
 static int param_set_hashtbl_sz(const char *val, const struct kernel_param *kp)
..
..
@@ -66,7 +81,7 @@
66
81
 	unsigned int nbits;
67
82
 
68
83
 	nbits = *(unsigned int *)kp->arg;
69
-	return sprintf(buffer, "%u", 1U << nbits);
84
+	return sprintf(buffer, "%u\n", 1U << nbits);
70
85
 }
71
86
 
72
87
 #define param_check_hashtbl_sz(name, p) __param_check(name, p, unsigned int);
..
..
@@ -93,38 +108,64 @@
93
108
 int
94
109
 rpcauth_register(const struct rpc_authops *ops)
95
110
 {
111
+	const struct rpc_authops *old;
96
112
 	rpc_authflavor_t flavor;
97
-	int ret = -EPERM;
98
113
 
99
114
 	if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
100
115
 		return -EINVAL;
101
-	spin_lock(&rpc_authflavor_lock);
102
-	if (auth_flavors[flavor] == NULL) {
103
-		auth_flavors[flavor] = ops;
104
-		ret = 0;
105
-	}
106
-	spin_unlock(&rpc_authflavor_lock);
107
-	return ret;
116
+	old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], NULL, ops);
117
+	if (old == NULL || old == ops)
118
+		return 0;
119
+	return -EPERM;
108
120
 }
109
121
 EXPORT_SYMBOL_GPL(rpcauth_register);
110
122
 
111
123
 int
112
124
 rpcauth_unregister(const struct rpc_authops *ops)
113
125
 {
126
+	const struct rpc_authops *old;
114
127
 	rpc_authflavor_t flavor;
115
-	int ret = -EPERM;
116
128
 
117
129
 	if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
118
130
 		return -EINVAL;
119
-	spin_lock(&rpc_authflavor_lock);
120
-	if (auth_flavors[flavor] == ops) {
121
-		auth_flavors[flavor] = NULL;
122
-		ret = 0;
123
-	}
124
-	spin_unlock(&rpc_authflavor_lock);
125
-	return ret;
131
+
132
+	old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], ops, NULL);
133
+	if (old == ops || old == NULL)
134
+		return 0;
135
+	return -EPERM;
126
136
 }
127
137
 EXPORT_SYMBOL_GPL(rpcauth_unregister);
138
+
139
+static const struct rpc_authops *
140
+rpcauth_get_authops(rpc_authflavor_t flavor)
141
+{
142
+	const struct rpc_authops *ops;
143
+
144
+	if (flavor >= RPC_AUTH_MAXFLAVOR)
145
+		return NULL;
146
+
147
+	rcu_read_lock();
148
+	ops = rcu_dereference(auth_flavors[flavor]);
149
+	if (ops == NULL) {
150
+		rcu_read_unlock();
151
+		request_module("rpc-auth-%u", flavor);
152
+		rcu_read_lock();
153
+		ops = rcu_dereference(auth_flavors[flavor]);
154
+		if (ops == NULL)
155
+			goto out;
156
+	}
157
+	if (!try_module_get(ops->owner))
158
+		ops = NULL;
159
+out:
160
+	rcu_read_unlock();
161
+	return ops;
162
+}
163
+
164
+static void
165
+rpcauth_put_authops(const struct rpc_authops *ops)
166
+{
167
+	module_put(ops->owner);
168
+}
128
169
 
129
170
 /**
130
171
  * rpcauth_get_pseudoflavor - check if security flavor is supported
..
..
@@ -138,25 +179,16 @@
138
179
 rpc_authflavor_t
139
180
 rpcauth_get_pseudoflavor(rpc_authflavor_t flavor, struct rpcsec_gss_info *info)
140
181
 {
141
-	const struct rpc_authops *ops;
182
+	const struct rpc_authops *ops = rpcauth_get_authops(flavor);
142
183
 	rpc_authflavor_t pseudoflavor;
143
184
 
144
-	ops = auth_flavors[flavor];
145
-	if (ops == NULL)
146
-		request_module("rpc-auth-%u", flavor);
147
-	spin_lock(&rpc_authflavor_lock);
148
-	ops = auth_flavors[flavor];
149
-	if (ops == NULL || !try_module_get(ops->owner)) {
150
-		spin_unlock(&rpc_authflavor_lock);
185
+	if (!ops)
151
186
 		return RPC_AUTH_MAXFLAVOR;
152
-	}
153
-	spin_unlock(&rpc_authflavor_lock);
154
-
155
187
 	pseudoflavor = flavor;
156
188
 	if (ops->info2flavor != NULL)
157
189
 		pseudoflavor = ops->info2flavor(info);
158
190
 
159
-	module_put(ops->owner);
191
+	rpcauth_put_authops(ops);
160
192
 	return pseudoflavor;
161
193
 }
162
194
 EXPORT_SYMBOL_GPL(rpcauth_get_pseudoflavor);
..
..
@@ -176,104 +208,33 @@
176
208
 	const struct rpc_authops *ops;
177
209
 	int result;
178
210
 
179
-	if (flavor >= RPC_AUTH_MAXFLAVOR)
180
-		return -EINVAL;
181
-
182
-	ops = auth_flavors[flavor];
211
+	ops = rpcauth_get_authops(flavor);
183
212
 	if (ops == NULL)
184
-		request_module("rpc-auth-%u", flavor);
185
-	spin_lock(&rpc_authflavor_lock);
186
-	ops = auth_flavors[flavor];
187
-	if (ops == NULL || !try_module_get(ops->owner)) {
188
-		spin_unlock(&rpc_authflavor_lock);
189
213
 		return -ENOENT;
190
-	}
191
-	spin_unlock(&rpc_authflavor_lock);
192
214
 
193
215
 	result = -ENOENT;
194
216
 	if (ops->flavor2info != NULL)
195
217
 		result = ops->flavor2info(pseudoflavor, info);
196
218
 
197
-	module_put(ops->owner);
219
+	rpcauth_put_authops(ops);
198
220
 	return result;
199
221
 }
200
222
 EXPORT_SYMBOL_GPL(rpcauth_get_gssinfo);
201
223
 
202
-/**
203
- * rpcauth_list_flavors - discover registered flavors and pseudoflavors
204
- * @array: array to fill in
205
- * @size: size of "array"
206
- *
207
- * Returns the number of array items filled in, or a negative errno.
208
- *
209
- * The returned array is not sorted by any policy.  Callers should not
210
- * rely on the order of the items in the returned array.
211
- */
212
-int
213
-rpcauth_list_flavors(rpc_authflavor_t *array, int size)
214
-{
215
-	rpc_authflavor_t flavor;
216
-	int result = 0;
217
-
218
-	spin_lock(&rpc_authflavor_lock);
219
-	for (flavor = 0; flavor < RPC_AUTH_MAXFLAVOR; flavor++) {
220
-		const struct rpc_authops *ops = auth_flavors[flavor];
221
-		rpc_authflavor_t pseudos[4];
222
-		int i, len;
223
-
224
-		if (result >= size) {
225
-			result = -ENOMEM;
226
-			break;
227
-		}
228
-
229
-		if (ops == NULL)
230
-			continue;
231
-		if (ops->list_pseudoflavors == NULL) {
232
-			array[result++] = ops->au_flavor;
233
-			continue;
234
-		}
235
-		len = ops->list_pseudoflavors(pseudos, ARRAY_SIZE(pseudos));
236
-		if (len < 0) {
237
-			result = len;
238
-			break;
239
-		}
240
-		for (i = 0; i < len; i++) {
241
-			if (result >= size) {
242
-				result = -ENOMEM;
243
-				break;
244
-			}
245
-			array[result++] = pseudos[i];
246
-		}
247
-	}
248
-	spin_unlock(&rpc_authflavor_lock);
249
-
250
-	dprintk("RPC:       %s returns %d\n", __func__, result);
251
-	return result;
252
-}
253
-EXPORT_SYMBOL_GPL(rpcauth_list_flavors);
254
-
255
224
 struct rpc_auth *
256
225
 rpcauth_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
257
226
 {
258
-	struct rpc_auth		*auth;
227
+	struct rpc_auth	*auth = ERR_PTR(-EINVAL);
259
228
 	const struct rpc_authops *ops;
260
-	u32			flavor = pseudoflavor_to_flavor(args->pseudoflavor);
229
+	u32 flavor = pseudoflavor_to_flavor(args->pseudoflavor);
261
230
 
262
-	auth = ERR_PTR(-EINVAL);
263
-	if (flavor >= RPC_AUTH_MAXFLAVOR)
231
+	ops = rpcauth_get_authops(flavor);
232
+	if (ops == NULL)
264
233
 		goto out;
265
234
 
266
-	if ((ops = auth_flavors[flavor]) == NULL)
267
-		request_module("rpc-auth-%u", flavor);
268
-	spin_lock(&rpc_authflavor_lock);
269
-	ops = auth_flavors[flavor];
270
-	if (ops == NULL || !try_module_get(ops->owner)) {
271
-		spin_unlock(&rpc_authflavor_lock);
272
-		goto out;
273
-	}
274
-	spin_unlock(&rpc_authflavor_lock);
275
235
 	auth = ops->create(args, clnt);
276
-	module_put(ops->owner);
236
+
237
+	rpcauth_put_authops(ops);
277
238
 	if (IS_ERR(auth))
278
239
 		return auth;
279
240
 	if (clnt->cl_auth)
..
..
@@ -288,32 +249,37 @@
288
249
 void
289
250
 rpcauth_release(struct rpc_auth *auth)
290
251
 {
291
-	if (!atomic_dec_and_test(&auth->au_count))
252
+	if (!refcount_dec_and_test(&auth->au_count))
292
253
 		return;
293
254
 	auth->au_ops->destroy(auth);
294
255
 }
295
256
 
296
257
 static DEFINE_SPINLOCK(rpc_credcache_lock);
297
258
 
298
-static void
259
+/*
260
+ * On success, the caller is responsible for freeing the reference
261
+ * held by the hashtable
262
+ */
263
+static bool
299
264
 rpcauth_unhash_cred_locked(struct rpc_cred *cred)
300
265
 {
266
+	if (!test_and_clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))
267
+		return false;
301
268
 	hlist_del_rcu(&cred->cr_hash);
302
-	smp_mb__before_atomic();
303
-	clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
269
+	return true;
304
270
 }
305
271
 
306
-static int
272
+static bool
307
273
 rpcauth_unhash_cred(struct rpc_cred *cred)
308
274
 {
309
275
 	spinlock_t *cache_lock;
310
-	int ret;
276
+	bool ret;
311
277
 
278
+	if (!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))
279
+		return false;
312
280
 	cache_lock = &cred->cr_auth->au_credcache->lock;
313
281
 	spin_lock(cache_lock);
314
-	ret = atomic_read(&cred->cr_count) == 0;
315
-	if (ret)
316
-		rpcauth_unhash_cred_locked(cred);
282
+	ret = rpcauth_unhash_cred_locked(cred);
317
283
 	spin_unlock(cache_lock);
318
284
 	return ret;
319
285
 }
..
..
@@ -345,29 +311,6 @@
345
311
 }
346
312
 EXPORT_SYMBOL_GPL(rpcauth_init_credcache);
347
313
 
348
-/*
349
- * Setup a credential key lifetime timeout notification
350
- */
351
-int
352
-rpcauth_key_timeout_notify(struct rpc_auth *auth, struct rpc_cred *cred)
353
-{
354
-	if (!cred->cr_auth->au_ops->key_timeout)
355
-		return 0;
356
-	return cred->cr_auth->au_ops->key_timeout(auth, cred);
357
-}
358
-EXPORT_SYMBOL_GPL(rpcauth_key_timeout_notify);
359
-
360
-bool
361
-rpcauth_cred_key_to_expire(struct rpc_auth *auth, struct rpc_cred *cred)
362
-{
363
-	if (auth->au_flags & RPCAUTH_AUTH_NO_CRKEY_TIMEOUT)
364
-		return false;
365
-	if (!cred->cr_ops->crkey_to_expire)
366
-		return false;
367
-	return cred->cr_ops->crkey_to_expire(cred);
368
-}
369
-EXPORT_SYMBOL_GPL(rpcauth_cred_key_to_expire);
370
-
371
314
 char *
372
315
 rpcauth_stringify_acceptor(struct rpc_cred *cred)
373
316
 {
..
..
@@ -392,6 +335,44 @@
392
335
 	}
393
336
 }
394
337
 
338
+static void
339
+rpcauth_lru_add_locked(struct rpc_cred *cred)
340
+{
341
+	if (!list_empty(&cred->cr_lru))
342
+		return;
343
+	number_cred_unused++;
344
+	list_add_tail(&cred->cr_lru, &cred_unused);
345
+}
346
+
347
+static void
348
+rpcauth_lru_add(struct rpc_cred *cred)
349
+{
350
+	if (!list_empty(&cred->cr_lru))
351
+		return;
352
+	spin_lock(&rpc_credcache_lock);
353
+	rpcauth_lru_add_locked(cred);
354
+	spin_unlock(&rpc_credcache_lock);
355
+}
356
+
357
+static void
358
+rpcauth_lru_remove_locked(struct rpc_cred *cred)
359
+{
360
+	if (list_empty(&cred->cr_lru))
361
+		return;
362
+	number_cred_unused--;
363
+	list_del_init(&cred->cr_lru);
364
+}
365
+
366
+static void
367
+rpcauth_lru_remove(struct rpc_cred *cred)
368
+{
369
+	if (list_empty(&cred->cr_lru))
370
+		return;
371
+	spin_lock(&rpc_credcache_lock);
372
+	rpcauth_lru_remove_locked(cred);
373
+	spin_unlock(&rpc_credcache_lock);
374
+}
375
+
395
376
 /*
396
377
  * Clear the RPC credential cache, and delete those credentials
397
378
  * that are not referenced.
..
..
@@ -411,13 +392,10 @@
411
392
 		head = &cache->hashtable[i];
412
393
 		while (!hlist_empty(head)) {
413
394
 			cred = hlist_entry(head->first, struct rpc_cred, cr_hash);
414
-			get_rpccred(cred);
415
-			if (!list_empty(&cred->cr_lru)) {
416
-				list_del(&cred->cr_lru);
417
-				number_cred_unused--;
418
-			}
419
-			list_add_tail(&cred->cr_lru, &free);
420
395
 			rpcauth_unhash_cred_locked(cred);
396
+			/* Note: We now hold a reference to cred */
397
+			rpcauth_lru_remove_locked(cred);
398
+			list_add_tail(&cred->cr_lru, &free);
421
399
 		}
422
400
 	}
423
401
 	spin_unlock(&cache->lock);
..
..
@@ -451,7 +429,6 @@
451
429
 static long
452
430
 rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
453
431
 {
454
-	spinlock_t *cache_lock;
455
432
 	struct rpc_cred *cred, *next;
456
433
 	unsigned long expired = jiffies - RPC_AUTH_EXPIRY_MORATORIUM;
457
434
 	long freed = 0;
..
..
@@ -460,32 +437,24 @@
460
437
 
461
438
 		if (nr_to_scan-- == 0)
462
439
 			break;
440
+		if (refcount_read(&cred->cr_count) > 1) {
441
+			rpcauth_lru_remove_locked(cred);
442
+			continue;
443
+		}
463
444
 		/*
464
445
 		 * Enforce a 60 second garbage collection moratorium
465
446
 		 * Note that the cred_unused list must be time-ordered.
466
447
 		 */
467
-		if (time_in_range(cred->cr_expire, expired, jiffies) &&
468
-		    test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) {
469
-			freed = SHRINK_STOP;
470
-			break;
471
-		}
472
-
473
-		list_del_init(&cred->cr_lru);
474
-		number_cred_unused--;
475
-		freed++;
476
-		if (atomic_read(&cred->cr_count) != 0)
448
+		if (time_in_range(cred->cr_expire, expired, jiffies))
449
+			continue;
450
+		if (!rpcauth_unhash_cred(cred))
477
451
 			continue;
478
452
 
479
-		cache_lock = &cred->cr_auth->au_credcache->lock;
480
-		spin_lock(cache_lock);
481
-		if (atomic_read(&cred->cr_count) == 0) {
482
-			get_rpccred(cred);
483
-			list_add_tail(&cred->cr_lru, free);
484
-			rpcauth_unhash_cred_locked(cred);
485
-		}
486
-		spin_unlock(cache_lock);
453
+		rpcauth_lru_remove_locked(cred);
454
+		freed++;
455
+		list_add_tail(&cred->cr_lru, free);
487
456
 	}
488
-	return freed;
457
+	return freed ? freed : SHRINK_STOP;
489
458
 }
490
459
 
491
460
 static unsigned long
..
..
@@ -560,28 +529,14 @@
560
529
 	hlist_for_each_entry_rcu(entry, &cache->hashtable[nr], cr_hash) {
561
530
 		if (!entry->cr_ops->crmatch(acred, entry, flags))
562
531
 			continue;
563
-		if (flags & RPCAUTH_LOOKUP_RCU) {
564
-			if (test_bit(RPCAUTH_CRED_HASHED, &entry->cr_flags) &&
565
-			    !test_bit(RPCAUTH_CRED_NEW, &entry->cr_flags))
566
-				cred = entry;
567
-			break;
568
-		}
569
-		spin_lock(&cache->lock);
570
-		if (test_bit(RPCAUTH_CRED_HASHED, &entry->cr_flags) == 0) {
571
-			spin_unlock(&cache->lock);
572
-			continue;
573
-		}
574
532
 		cred = get_rpccred(entry);
575
-		spin_unlock(&cache->lock);
576
-		break;
533
+		if (cred)
534
+			break;
577
535
 	}
578
536
 	rcu_read_unlock();
579
537
 
580
538
 	if (cred != NULL)
581
539
 		goto found;
582
-
583
-	if (flags & RPCAUTH_LOOKUP_RCU)
584
-		return ERR_PTR(-ECHILD);
585
540
 
586
541
 	new = auth->au_ops->crcreate(auth, acred, flags, gfp);
587
542
 	if (IS_ERR(new)) {
..
..
@@ -594,11 +549,13 @@
594
549
 		if (!entry->cr_ops->crmatch(acred, entry, flags))
595
550
 			continue;
596
551
 		cred = get_rpccred(entry);
597
-		break;
552
+		if (cred)
553
+			break;
598
554
 	}
599
555
 	if (cred == NULL) {
600
556
 		cred = new;
601
557
 		set_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
558
+		refcount_inc(&cred->cr_count);
602
559
 		hlist_add_head_rcu(&cred->cr_hash, &cache->hashtable[nr]);
603
560
 	} else
604
561
 		list_add_tail(&new->cr_lru, &free);
..
..
@@ -627,13 +584,8 @@
627
584
 	struct rpc_cred *ret;
628
585
 	const struct cred *cred = current_cred();
629
586
 
630
-	dprintk("RPC:       looking up %s cred\n",
631
-		auth->au_ops->au_name);
632
-
633
587
 	memset(&acred, 0, sizeof(acred));
634
-	acred.uid = cred->fsuid;
635
-	acred.gid = cred->fsgid;
636
-	acred.group_info = cred->group_info;
588
+	acred.cred = cred;
637
589
 	ret = auth->au_ops->lookup_cred(auth, &acred, flags);
638
590
 	return ret;
639
591
 }
..
..
@@ -645,34 +597,40 @@
645
597
 {
646
598
 	INIT_HLIST_NODE(&cred->cr_hash);
647
599
 	INIT_LIST_HEAD(&cred->cr_lru);
648
-	atomic_set(&cred->cr_count, 1);
600
+	refcount_set(&cred->cr_count, 1);
649
601
 	cred->cr_auth = auth;
602
+	cred->cr_flags = 0;
650
603
 	cred->cr_ops = ops;
651
604
 	cred->cr_expire = jiffies;
652
-	cred->cr_uid = acred->uid;
605
+	cred->cr_cred = get_cred(acred->cred);
653
606
 }
654
607
 EXPORT_SYMBOL_GPL(rpcauth_init_cred);
655
-
656
-struct rpc_cred *
657
-rpcauth_generic_bind_cred(struct rpc_task *task, struct rpc_cred *cred, int lookupflags)
658
-{
659
-	dprintk("RPC: %5u holding %s cred %p\n", task->tk_pid,
660
-			cred->cr_auth->au_ops->au_name, cred);
661
-	return get_rpccred(cred);
662
-}
663
-EXPORT_SYMBOL_GPL(rpcauth_generic_bind_cred);
664
608
 
665
609
 static struct rpc_cred *
666
610
 rpcauth_bind_root_cred(struct rpc_task *task, int lookupflags)
667
611
 {
668
612
 	struct rpc_auth *auth = task->tk_client->cl_auth;
669
613
 	struct auth_cred acred = {
670
-		.uid = GLOBAL_ROOT_UID,
671
-		.gid = GLOBAL_ROOT_GID,
614
+		.cred = get_task_cred(&init_task),
615
+	};
616
+	struct rpc_cred *ret;
617
+
618
+	ret = auth->au_ops->lookup_cred(auth, &acred, lookupflags);
619
+	put_cred(acred.cred);
620
+	return ret;
621
+}
622
+
623
+static struct rpc_cred *
624
+rpcauth_bind_machine_cred(struct rpc_task *task, int lookupflags)
625
+{
626
+	struct rpc_auth *auth = task->tk_client->cl_auth;
627
+	struct auth_cred acred = {
628
+		.principal = task->tk_client->cl_principal,
629
+		.cred = init_task.cred,
672
630
 	};
673
631
 
674
-	dprintk("RPC: %5u looking up %s cred\n",
675
-		task->tk_pid, task->tk_client->cl_auth->au_ops->au_name);
632
+	if (!acred.principal)
633
+		return NULL;
676
634
 	return auth->au_ops->lookup_cred(auth, &acred, lookupflags);
677
635
 }
678
636
 
..
..
@@ -681,24 +639,37 @@
681
639
 {
682
640
 	struct rpc_auth *auth = task->tk_client->cl_auth;
683
641
 
684
-	dprintk("RPC: %5u looking up %s cred\n",
685
-		task->tk_pid, auth->au_ops->au_name);
686
642
 	return rpcauth_lookupcred(auth, lookupflags);
687
643
 }
688
644
 
689
645
 static int
690
-rpcauth_bindcred(struct rpc_task *task, struct rpc_cred *cred, int flags)
646
+rpcauth_bindcred(struct rpc_task *task, const struct cred *cred, int flags)
691
647
 {
692
648
 	struct rpc_rqst *req = task->tk_rqstp;
693
-	struct rpc_cred *new;
649
+	struct rpc_cred *new = NULL;
694
650
 	int lookupflags = 0;
651
+	struct rpc_auth *auth = task->tk_client->cl_auth;
652
+	struct auth_cred acred = {
653
+		.cred = cred,
654
+	};
695
655
 
696
656
 	if (flags & RPC_TASK_ASYNC)
697
657
 		lookupflags |= RPCAUTH_LOOKUP_NEW;
698
-	if (cred != NULL)
699
-		new = cred->cr_ops->crbind(task, cred, lookupflags);
700
-	else if (flags & RPC_TASK_ROOTCREDS)
658
+	if (task->tk_op_cred)
659
+		/* Task must use exactly this rpc_cred */
660
+		new = get_rpccred(task->tk_op_cred);
661
+	else if (cred != NULL && cred != &machine_cred)
662
+		new = auth->au_ops->lookup_cred(auth, &acred, lookupflags);
663
+	else if (cred == &machine_cred)
664
+		new = rpcauth_bind_machine_cred(task, lookupflags);
665
+
666
+	/* If machine cred couldn't be bound, try a root cred */
667
+	if (new)
668
+		;
669
+	else if (cred == &machine_cred || (flags & RPC_TASK_ROOTCREDS))
701
670
 		new = rpcauth_bind_root_cred(task, lookupflags);
671
+	else if (flags & RPC_TASK_NULLCREDS)
672
+		new = authnull_ops.lookup_cred(NULL, NULL, 0);
702
673
 	else
703
674
 		new = rpcauth_bind_new_cred(task, lookupflags);
704
675
 	if (IS_ERR(new))
..
..
@@ -713,108 +684,138 @@
713
684
 {
714
685
 	if (cred == NULL)
715
686
 		return;
716
-	/* Fast path for unhashed credentials */
717
-	if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) == 0) {
718
-		if (atomic_dec_and_test(&cred->cr_count))
719
-			cred->cr_ops->crdestroy(cred);
720
-		return;
687
+	rcu_read_lock();
688
+	if (refcount_dec_and_test(&cred->cr_count))
689
+		goto destroy;
690
+	if (refcount_read(&cred->cr_count) != 1 ||
691
+	    !test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))
692
+		goto out;
693
+	if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) {
694
+		cred->cr_expire = jiffies;
695
+		rpcauth_lru_add(cred);
696
+		/* Race breaker */
697
+		if (unlikely(!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)))
698
+			rpcauth_lru_remove(cred);
699
+	} else if (rpcauth_unhash_cred(cred)) {
700
+		rpcauth_lru_remove(cred);
701
+		if (refcount_dec_and_test(&cred->cr_count))
702
+			goto destroy;
721
703
 	}
722
-
723
-	if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
724
-		return;
725
-	if (!list_empty(&cred->cr_lru)) {
726
-		number_cred_unused--;
727
-		list_del_init(&cred->cr_lru);
728
-	}
729
-	if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) {
730
-		if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) {
731
-			cred->cr_expire = jiffies;
732
-			list_add_tail(&cred->cr_lru, &cred_unused);
733
-			number_cred_unused++;
734
-			goto out_nodestroy;
735
-		}
736
-		if (!rpcauth_unhash_cred(cred)) {
737
-			/* We were hashed and someone looked us up... */
738
-			goto out_nodestroy;
739
-		}
740
-	}
741
-	spin_unlock(&rpc_credcache_lock);
742
-	cred->cr_ops->crdestroy(cred);
704
+out:
705
+	rcu_read_unlock();
743
706
 	return;
744
-out_nodestroy:
745
-	spin_unlock(&rpc_credcache_lock);
707
+destroy:
708
+	rcu_read_unlock();
709
+	cred->cr_ops->crdestroy(cred);
746
710
 }
747
711
 EXPORT_SYMBOL_GPL(put_rpccred);
748
712
 
749
-__be32 *
750
-rpcauth_marshcred(struct rpc_task *task, __be32 *p)
713
+/**
714
+ * rpcauth_marshcred - Append RPC credential to end of @xdr
715
+ * @task: controlling RPC task
716
+ * @xdr: xdr_stream containing initial portion of RPC Call header
717
+ *
718
+ * On success, an appropriate verifier is added to @xdr, @xdr is
719
+ * updated to point past the verifier, and zero is returned.
720
+ * Otherwise, @xdr is in an undefined state and a negative errno
721
+ * is returned.
722
+ */
723
+int rpcauth_marshcred(struct rpc_task *task, struct xdr_stream *xdr)
751
724
 {
752
-	struct rpc_cred	*cred = task->tk_rqstp->rq_cred;
725
+	const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops;
753
726
 
754
-	dprintk("RPC: %5u marshaling %s cred %p\n",
755
-		task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
756
-
757
-	return cred->cr_ops->crmarshal(task, p);
727
+	return ops->crmarshal(task, xdr);
758
728
 }
759
729
 
760
-__be32 *
761
-rpcauth_checkverf(struct rpc_task *task, __be32 *p)
730
+/**
731
+ * rpcauth_wrap_req_encode - XDR encode the RPC procedure
732
+ * @task: controlling RPC task
733
+ * @xdr: stream where on-the-wire bytes are to be marshalled
734
+ *
735
+ * On success, @xdr contains the encoded and wrapped message.
736
+ * Otherwise, @xdr is in an undefined state.
737
+ */
738
+int rpcauth_wrap_req_encode(struct rpc_task *task, struct xdr_stream *xdr)
762
739
 {
763
-	struct rpc_cred	*cred = task->tk_rqstp->rq_cred;
740
+	kxdreproc_t encode = task->tk_msg.rpc_proc->p_encode;
764
741
 
765
-	dprintk("RPC: %5u validating %s cred %p\n",
766
-		task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
767
-
768
-	return cred->cr_ops->crvalidate(task, p);
769
-}
770
-
771
-static void rpcauth_wrap_req_encode(kxdreproc_t encode, struct rpc_rqst *rqstp,
772
-				   __be32 *data, void *obj)
773
-{
774
-	struct xdr_stream xdr;
775
-
776
-	xdr_init_encode(&xdr, &rqstp->rq_snd_buf, data);
777
-	encode(rqstp, &xdr, obj);
778
-}
779
-
780
-int
781
-rpcauth_wrap_req(struct rpc_task *task, kxdreproc_t encode, void *rqstp,
782
-		__be32 *data, void *obj)
783
-{
784
-	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
785
-
786
-	dprintk("RPC: %5u using %s cred %p to wrap rpc data\n",
787
-			task->tk_pid, cred->cr_ops->cr_name, cred);
788
-	if (cred->cr_ops->crwrap_req)
789
-		return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj);
790
-	/* By default, we encode the arguments normally. */
791
-	rpcauth_wrap_req_encode(encode, rqstp, data, obj);
742
+	encode(task->tk_rqstp, xdr, task->tk_msg.rpc_argp);
792
743
 	return 0;
793
744
 }
745
+EXPORT_SYMBOL_GPL(rpcauth_wrap_req_encode);
794
746
 
795
-static int
796
-rpcauth_unwrap_req_decode(kxdrdproc_t decode, struct rpc_rqst *rqstp,
797
-			  __be32 *data, void *obj)
747
+/**
748
+ * rpcauth_wrap_req - XDR encode and wrap the RPC procedure
749
+ * @task: controlling RPC task
750
+ * @xdr: stream where on-the-wire bytes are to be marshalled
751
+ *
752
+ * On success, @xdr contains the encoded and wrapped message,
753
+ * and zero is returned. Otherwise, @xdr is in an undefined
754
+ * state and a negative errno is returned.
755
+ */
756
+int rpcauth_wrap_req(struct rpc_task *task, struct xdr_stream *xdr)
798
757
 {
799
-	struct xdr_stream xdr;
758
+	const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops;
800
759
 
801
-	xdr_init_decode(&xdr, &rqstp->rq_rcv_buf, data);
802
-	return decode(rqstp, &xdr, obj);
760
+	return ops->crwrap_req(task, xdr);
803
761
 }
804
762
 
763
+/**
764
+ * rpcauth_checkverf - Validate verifier in RPC Reply header
765
+ * @task: controlling RPC task
766
+ * @xdr: xdr_stream containing RPC Reply header
767
+ *
768
+ * On success, @xdr is updated to point past the verifier and
769
+ * zero is returned. Otherwise, @xdr is in an undefined state
770
+ * and a negative errno is returned.
771
+ */
805
772
 int
806
-rpcauth_unwrap_resp(struct rpc_task *task, kxdrdproc_t decode, void *rqstp,
807
-		__be32 *data, void *obj)
773
+rpcauth_checkverf(struct rpc_task *task, struct xdr_stream *xdr)
774
+{
775
+	const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops;
776
+
777
+	return ops->crvalidate(task, xdr);
778
+}
779
+
780
+/**
781
+ * rpcauth_unwrap_resp_decode - Invoke XDR decode function
782
+ * @task: controlling RPC task
783
+ * @xdr: stream where the Reply message resides
784
+ *
785
+ * Returns zero on success; otherwise a negative errno is returned.
786
+ */
787
+int
788
+rpcauth_unwrap_resp_decode(struct rpc_task *task, struct xdr_stream *xdr)
789
+{
790
+	kxdrdproc_t decode = task->tk_msg.rpc_proc->p_decode;
791
+
792
+	return decode(task->tk_rqstp, xdr, task->tk_msg.rpc_resp);
793
+}
794
+EXPORT_SYMBOL_GPL(rpcauth_unwrap_resp_decode);
795
+
796
+/**
797
+ * rpcauth_unwrap_resp - Invoke unwrap and decode function for the cred
798
+ * @task: controlling RPC task
799
+ * @xdr: stream where the Reply message resides
800
+ *
801
+ * Returns zero on success; otherwise a negative errno is returned.
802
+ */
803
+int
804
+rpcauth_unwrap_resp(struct rpc_task *task, struct xdr_stream *xdr)
805
+{
806
+	const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops;
807
+
808
+	return ops->crunwrap_resp(task, xdr);
809
+}
810
+
811
+bool
812
+rpcauth_xmit_need_reencode(struct rpc_task *task)
808
813
 {
809
814
 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
810
815
 
811
-	dprintk("RPC: %5u using %s cred %p to unwrap rpc data\n",
812
-			task->tk_pid, cred->cr_ops->cr_name, cred);
813
-	if (cred->cr_ops->crunwrap_resp)
814
-		return cred->cr_ops->crunwrap_resp(task, decode, rqstp,
815
-						   data, obj);
816
-	/* By default, we decode the arguments normally. */
817
-	return rpcauth_unwrap_req_decode(decode, rqstp, data, obj);
816
+	if (!cred || !cred->cr_ops->crneed_reencode)
817
+		return false;
818
+	return cred->cr_ops->crneed_reencode(task);
818
819
 }
819
820
 
820
821
 int
..
..
@@ -830,8 +831,6 @@
830
831
 			goto out;
831
832
 		cred = task->tk_rqstp->rq_cred;
832
833
 	}
833
-	dprintk("RPC: %5u refreshing %s cred %p\n",
834
-		task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
835
834
 
836
835
 	err = cred->cr_ops->crrefresh(task);
837
836
 out:
..
..
@@ -845,8 +844,6 @@
845
844
 {
846
845
 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
847
846
 
848
-	dprintk("RPC: %5u invalidating %s cred %p\n",
849
-		task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
850
847
 	if (cred)
851
848
 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
852
849
 }
..
..
@@ -873,15 +870,10 @@
873
870
 	err = rpc_init_authunix();
874
871
 	if (err < 0)
875
872
 		goto out1;
876
-	err = rpc_init_generic_auth();
877
-	if (err < 0)
878
-		goto out2;
879
873
 	err = register_shrinker(&rpc_cred_shrinker);
880
874
 	if (err < 0)
881
-		goto out3;
875
+		goto out2;
882
876
 	return 0;
883
-out3:
884
-	rpc_destroy_generic_auth();
885
877
 out2:
886
878
 	rpc_destroy_authunix();
887
879
 out1:
..
..
@@ -891,6 +883,5 @@
891
883
 void rpcauth_remove_module(void)
892
884
 {
893
885
 	rpc_destroy_authunix();
894
-	rpc_destroy_generic_auth();
895
886
 	unregister_shrinker(&rpc_cred_shrinker);
896
887
 }