xref: /openbmc/linux/net/sunrpc/auth_gss/auth_gss.c (revision 8d81cd1a)
1 // SPDX-License-Identifier: BSD-3-Clause
2 /*
3  * linux/net/sunrpc/auth_gss/auth_gss.c
4  *
5  * RPCSEC_GSS client authentication.
6  *
7  *  Copyright (c) 2000 The Regents of the University of Michigan.
8  *  All rights reserved.
9  *
10  *  Dug Song       <dugsong@monkey.org>
11  *  Andy Adamson   <andros@umich.edu>
12  */
13 
14 #include <linux/module.h>
15 #include <linux/init.h>
16 #include <linux/types.h>
17 #include <linux/slab.h>
18 #include <linux/sched.h>
19 #include <linux/pagemap.h>
20 #include <linux/sunrpc/clnt.h>
21 #include <linux/sunrpc/auth.h>
22 #include <linux/sunrpc/auth_gss.h>
23 #include <linux/sunrpc/gss_krb5.h>
24 #include <linux/sunrpc/svcauth_gss.h>
25 #include <linux/sunrpc/gss_err.h>
26 #include <linux/workqueue.h>
27 #include <linux/sunrpc/rpc_pipe_fs.h>
28 #include <linux/sunrpc/gss_api.h>
29 #include <linux/uaccess.h>
30 #include <linux/hashtable.h>
31 
32 #include "auth_gss_internal.h"
33 #include "../netns.h"
34 
35 #include <trace/events/rpcgss.h>
36 
37 static const struct rpc_authops authgss_ops;
38 
39 static const struct rpc_credops gss_credops;
40 static const struct rpc_credops gss_nullops;
41 
42 #define GSS_RETRY_EXPIRED 5
43 static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED;
44 
45 #define GSS_KEY_EXPIRE_TIMEO 240
46 static unsigned int gss_key_expire_timeo = GSS_KEY_EXPIRE_TIMEO;
47 
48 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
49 # define RPCDBG_FACILITY	RPCDBG_AUTH
50 #endif
51 
52 /*
53  * This compile-time check verifies that we will not exceed the
54  * slack space allotted by the client and server auth_gss code
55  * before they call gss_wrap().
56  */
57 #define GSS_KRB5_MAX_SLACK_NEEDED					\
58 	(GSS_KRB5_TOK_HDR_LEN		/* gss token header */		\
59 	+ GSS_KRB5_MAX_CKSUM_LEN	/* gss token checksum */	\
60 	+ GSS_KRB5_MAX_BLOCKSIZE	/* confounder */		\
61 	+ GSS_KRB5_MAX_BLOCKSIZE	/* possible padding */		\
62 	+ GSS_KRB5_TOK_HDR_LEN		/* encrypted hdr in v2 token */	\
63 	+ GSS_KRB5_MAX_CKSUM_LEN	/* encryption hmac */		\
64 	+ XDR_UNIT * 2			/* RPC verifier */		\
65 	+ GSS_KRB5_TOK_HDR_LEN						\
66 	+ GSS_KRB5_MAX_CKSUM_LEN)
67 
68 #define GSS_CRED_SLACK		(RPC_MAX_AUTH_SIZE * 2)
69 /* length of a krb5 verifier (48), plus data added before arguments when
70  * using integrity (two 4-byte integers): */
71 #define GSS_VERF_SLACK		100
72 
73 static DEFINE_HASHTABLE(gss_auth_hash_table, 4);
74 static DEFINE_SPINLOCK(gss_auth_hash_lock);
75 
76 struct gss_pipe {
77 	struct rpc_pipe_dir_object pdo;
78 	struct rpc_pipe *pipe;
79 	struct rpc_clnt *clnt;
80 	const char *name;
81 	struct kref kref;
82 };
83 
84 struct gss_auth {
85 	struct kref kref;
86 	struct hlist_node hash;
87 	struct rpc_auth rpc_auth;
88 	struct gss_api_mech *mech;
89 	enum rpc_gss_svc service;
90 	struct rpc_clnt *client;
91 	struct net	*net;
92 	netns_tracker	ns_tracker;
93 	/*
94 	 * There are two upcall pipes; dentry[1], named "gssd", is used
95 	 * for the new text-based upcall; dentry[0] is named after the
96 	 * mechanism (for example, "krb5") and exists for
97 	 * backwards-compatibility with older gssd's.
98 	 */
99 	struct gss_pipe *gss_pipe[2];
100 	const char *target_name;
101 };
102 
103 /* pipe_version >= 0 if and only if someone has a pipe open. */
104 static DEFINE_SPINLOCK(pipe_version_lock);
105 static struct rpc_wait_queue pipe_version_rpc_waitqueue;
106 static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue);
107 static void gss_put_auth(struct gss_auth *gss_auth);
108 
109 static void gss_free_ctx(struct gss_cl_ctx *);
110 static const struct rpc_pipe_ops gss_upcall_ops_v0;
111 static const struct rpc_pipe_ops gss_upcall_ops_v1;
112 
113 static inline struct gss_cl_ctx *
114 gss_get_ctx(struct gss_cl_ctx *ctx)
115 {
116 	refcount_inc(&ctx->count);
117 	return ctx;
118 }
119 
120 static inline void
121 gss_put_ctx(struct gss_cl_ctx *ctx)
122 {
123 	if (refcount_dec_and_test(&ctx->count))
124 		gss_free_ctx(ctx);
125 }
126 
127 /* gss_cred_set_ctx:
128  * called by gss_upcall_callback and gss_create_upcall in order
129  * to set the gss context. The actual exchange of an old context
130  * and a new one is protected by the pipe->lock.
131  */
132 static void
133 gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx)
134 {
135 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
136 
137 	if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags))
138 		return;
139 	gss_get_ctx(ctx);
140 	rcu_assign_pointer(gss_cred->gc_ctx, ctx);
141 	set_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
142 	smp_mb__before_atomic();
143 	clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags);
144 }
145 
146 static struct gss_cl_ctx *
147 gss_cred_get_ctx(struct rpc_cred *cred)
148 {
149 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
150 	struct gss_cl_ctx *ctx = NULL;
151 
152 	rcu_read_lock();
153 	ctx = rcu_dereference(gss_cred->gc_ctx);
154 	if (ctx)
155 		gss_get_ctx(ctx);
156 	rcu_read_unlock();
157 	return ctx;
158 }
159 
160 static struct gss_cl_ctx *
161 gss_alloc_context(void)
162 {
163 	struct gss_cl_ctx *ctx;
164 
165 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
166 	if (ctx != NULL) {
167 		ctx->gc_proc = RPC_GSS_PROC_DATA;
168 		ctx->gc_seq = 1;	/* NetApp 6.4R1 doesn't accept seq. no. 0 */
169 		spin_lock_init(&ctx->gc_seq_lock);
170 		refcount_set(&ctx->count,1);
171 	}
172 	return ctx;
173 }
174 
175 #define GSSD_MIN_TIMEOUT (60 * 60)
176 static const void *
177 gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm)
178 {
179 	const void *q;
180 	unsigned int seclen;
181 	unsigned int timeout;
182 	unsigned long now = jiffies;
183 	u32 window_size;
184 	int ret;
185 
186 	/* First unsigned int gives the remaining lifetime in seconds of the
187 	 * credential - e.g. the remaining TGT lifetime for Kerberos or
188 	 * the -t value passed to GSSD.
189 	 */
190 	p = simple_get_bytes(p, end, &timeout, sizeof(timeout));
191 	if (IS_ERR(p))
192 		goto err;
193 	if (timeout == 0)
194 		timeout = GSSD_MIN_TIMEOUT;
195 	ctx->gc_expiry = now + ((unsigned long)timeout * HZ);
196 	/* Sequence number window. Determines the maximum number of
197 	 * simultaneous requests
198 	 */
199 	p = simple_get_bytes(p, end, &window_size, sizeof(window_size));
200 	if (IS_ERR(p))
201 		goto err;
202 	ctx->gc_win = window_size;
203 	/* gssd signals an error by passing ctx->gc_win = 0: */
204 	if (ctx->gc_win == 0) {
205 		/*
206 		 * in which case, p points to an error code. Anything other
207 		 * than -EKEYEXPIRED gets converted to -EACCES.
208 		 */
209 		p = simple_get_bytes(p, end, &ret, sizeof(ret));
210 		if (!IS_ERR(p))
211 			p = (ret == -EKEYEXPIRED) ? ERR_PTR(-EKEYEXPIRED) :
212 						    ERR_PTR(-EACCES);
213 		goto err;
214 	}
215 	/* copy the opaque wire context */
216 	p = simple_get_netobj(p, end, &ctx->gc_wire_ctx);
217 	if (IS_ERR(p))
218 		goto err;
219 	/* import the opaque security context */
220 	p  = simple_get_bytes(p, end, &seclen, sizeof(seclen));
221 	if (IS_ERR(p))
222 		goto err;
223 	q = (const void *)((const char *)p + seclen);
224 	if (unlikely(q > end || q < p)) {
225 		p = ERR_PTR(-EFAULT);
226 		goto err;
227 	}
228 	ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_KERNEL);
229 	if (ret < 0) {
230 		trace_rpcgss_import_ctx(ret);
231 		p = ERR_PTR(ret);
232 		goto err;
233 	}
234 
235 	/* is there any trailing data? */
236 	if (q == end) {
237 		p = q;
238 		goto done;
239 	}
240 
241 	/* pull in acceptor name (if there is one) */
242 	p = simple_get_netobj(q, end, &ctx->gc_acceptor);
243 	if (IS_ERR(p))
244 		goto err;
245 done:
246 	trace_rpcgss_context(window_size, ctx->gc_expiry, now, timeout,
247 			     ctx->gc_acceptor.len, ctx->gc_acceptor.data);
248 err:
249 	return p;
250 }
251 
252 /* XXX: Need some documentation about why UPCALL_BUF_LEN is so small.
253  *	Is user space expecting no more than UPCALL_BUF_LEN bytes?
254  *	Note that there are now _two_ NI_MAXHOST sized data items
255  *	being passed in this string.
256  */
257 #define UPCALL_BUF_LEN	256
258 
259 struct gss_upcall_msg {
260 	refcount_t count;
261 	kuid_t	uid;
262 	const char *service_name;
263 	struct rpc_pipe_msg msg;
264 	struct list_head list;
265 	struct gss_auth *auth;
266 	struct rpc_pipe *pipe;
267 	struct rpc_wait_queue rpc_waitqueue;
268 	wait_queue_head_t waitqueue;
269 	struct gss_cl_ctx *ctx;
270 	char databuf[UPCALL_BUF_LEN];
271 };
272 
273 static int get_pipe_version(struct net *net)
274 {
275 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
276 	int ret;
277 
278 	spin_lock(&pipe_version_lock);
279 	if (sn->pipe_version >= 0) {
280 		atomic_inc(&sn->pipe_users);
281 		ret = sn->pipe_version;
282 	} else
283 		ret = -EAGAIN;
284 	spin_unlock(&pipe_version_lock);
285 	return ret;
286 }
287 
288 static void put_pipe_version(struct net *net)
289 {
290 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
291 
292 	if (atomic_dec_and_lock(&sn->pipe_users, &pipe_version_lock)) {
293 		sn->pipe_version = -1;
294 		spin_unlock(&pipe_version_lock);
295 	}
296 }
297 
298 static void
299 gss_release_msg(struct gss_upcall_msg *gss_msg)
300 {
301 	struct net *net = gss_msg->auth->net;
302 	if (!refcount_dec_and_test(&gss_msg->count))
303 		return;
304 	put_pipe_version(net);
305 	BUG_ON(!list_empty(&gss_msg->list));
306 	if (gss_msg->ctx != NULL)
307 		gss_put_ctx(gss_msg->ctx);
308 	rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue);
309 	gss_put_auth(gss_msg->auth);
310 	kfree_const(gss_msg->service_name);
311 	kfree(gss_msg);
312 }
313 
314 static struct gss_upcall_msg *
315 __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth)
316 {
317 	struct gss_upcall_msg *pos;
318 	list_for_each_entry(pos, &pipe->in_downcall, list) {
319 		if (!uid_eq(pos->uid, uid))
320 			continue;
321 		if (pos->auth->service != auth->service)
322 			continue;
323 		refcount_inc(&pos->count);
324 		return pos;
325 	}
326 	return NULL;
327 }
328 
329 /* Try to add an upcall to the pipefs queue.
330  * If an upcall owned by our uid already exists, then we return a reference
331  * to that upcall instead of adding the new upcall.
332  */
333 static inline struct gss_upcall_msg *
334 gss_add_msg(struct gss_upcall_msg *gss_msg)
335 {
336 	struct rpc_pipe *pipe = gss_msg->pipe;
337 	struct gss_upcall_msg *old;
338 
339 	spin_lock(&pipe->lock);
340 	old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
341 	if (old == NULL) {
342 		refcount_inc(&gss_msg->count);
343 		list_add(&gss_msg->list, &pipe->in_downcall);
344 	} else
345 		gss_msg = old;
346 	spin_unlock(&pipe->lock);
347 	return gss_msg;
348 }
349 
350 static void
351 __gss_unhash_msg(struct gss_upcall_msg *gss_msg)
352 {
353 	list_del_init(&gss_msg->list);
354 	rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
355 	wake_up_all(&gss_msg->waitqueue);
356 	refcount_dec(&gss_msg->count);
357 }
358 
359 static void
360 gss_unhash_msg(struct gss_upcall_msg *gss_msg)
361 {
362 	struct rpc_pipe *pipe = gss_msg->pipe;
363 
364 	if (list_empty(&gss_msg->list))
365 		return;
366 	spin_lock(&pipe->lock);
367 	if (!list_empty(&gss_msg->list))
368 		__gss_unhash_msg(gss_msg);
369 	spin_unlock(&pipe->lock);
370 }
371 
372 static void
373 gss_handle_downcall_result(struct gss_cred *gss_cred, struct gss_upcall_msg *gss_msg)
374 {
375 	switch (gss_msg->msg.errno) {
376 	case 0:
377 		if (gss_msg->ctx == NULL)
378 			break;
379 		clear_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags);
380 		gss_cred_set_ctx(&gss_cred->gc_base, gss_msg->ctx);
381 		break;
382 	case -EKEYEXPIRED:
383 		set_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags);
384 	}
385 	gss_cred->gc_upcall_timestamp = jiffies;
386 	gss_cred->gc_upcall = NULL;
387 	rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
388 }
389 
390 static void
391 gss_upcall_callback(struct rpc_task *task)
392 {
393 	struct gss_cred *gss_cred = container_of(task->tk_rqstp->rq_cred,
394 			struct gss_cred, gc_base);
395 	struct gss_upcall_msg *gss_msg = gss_cred->gc_upcall;
396 	struct rpc_pipe *pipe = gss_msg->pipe;
397 
398 	spin_lock(&pipe->lock);
399 	gss_handle_downcall_result(gss_cred, gss_msg);
400 	spin_unlock(&pipe->lock);
401 	task->tk_status = gss_msg->msg.errno;
402 	gss_release_msg(gss_msg);
403 }
404 
405 static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg,
406 			      const struct cred *cred)
407 {
408 	struct user_namespace *userns = cred->user_ns;
409 
410 	uid_t uid = from_kuid_munged(userns, gss_msg->uid);
411 	memcpy(gss_msg->databuf, &uid, sizeof(uid));
412 	gss_msg->msg.data = gss_msg->databuf;
413 	gss_msg->msg.len = sizeof(uid);
414 
415 	BUILD_BUG_ON(sizeof(uid) > sizeof(gss_msg->databuf));
416 }
417 
418 static ssize_t
419 gss_v0_upcall(struct file *file, struct rpc_pipe_msg *msg,
420 		char __user *buf, size_t buflen)
421 {
422 	struct gss_upcall_msg *gss_msg = container_of(msg,
423 						      struct gss_upcall_msg,
424 						      msg);
425 	if (msg->copied == 0)
426 		gss_encode_v0_msg(gss_msg, file->f_cred);
427 	return rpc_pipe_generic_upcall(file, msg, buf, buflen);
428 }
429 
430 static int gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
431 				const char *service_name,
432 				const char *target_name,
433 				const struct cred *cred)
434 {
435 	struct user_namespace *userns = cred->user_ns;
436 	struct gss_api_mech *mech = gss_msg->auth->mech;
437 	char *p = gss_msg->databuf;
438 	size_t buflen = sizeof(gss_msg->databuf);
439 	int len;
440 
441 	len = scnprintf(p, buflen, "mech=%s uid=%d", mech->gm_name,
442 			from_kuid_munged(userns, gss_msg->uid));
443 	buflen -= len;
444 	p += len;
445 	gss_msg->msg.len = len;
446 
447 	/*
448 	 * target= is a full service principal that names the remote
449 	 * identity that we are authenticating to.
450 	 */
451 	if (target_name) {
452 		len = scnprintf(p, buflen, " target=%s", target_name);
453 		buflen -= len;
454 		p += len;
455 		gss_msg->msg.len += len;
456 	}
457 
458 	/*
459 	 * gssd uses service= and srchost= to select a matching key from
460 	 * the system's keytab to use as the source principal.
461 	 *
462 	 * service= is the service name part of the source principal,
463 	 * or "*" (meaning choose any).
464 	 *
465 	 * srchost= is the hostname part of the source principal. When
466 	 * not provided, gssd uses the local hostname.
467 	 */
468 	if (service_name) {
469 		char *c = strchr(service_name, '@');
470 
471 		if (!c)
472 			len = scnprintf(p, buflen, " service=%s",
473 					service_name);
474 		else
475 			len = scnprintf(p, buflen,
476 					" service=%.*s srchost=%s",
477 					(int)(c - service_name),
478 					service_name, c + 1);
479 		buflen -= len;
480 		p += len;
481 		gss_msg->msg.len += len;
482 	}
483 
484 	if (mech->gm_upcall_enctypes) {
485 		len = scnprintf(p, buflen, " enctypes=%s",
486 				mech->gm_upcall_enctypes);
487 		buflen -= len;
488 		p += len;
489 		gss_msg->msg.len += len;
490 	}
491 	trace_rpcgss_upcall_msg(gss_msg->databuf);
492 	len = scnprintf(p, buflen, "\n");
493 	if (len == 0)
494 		goto out_overflow;
495 	gss_msg->msg.len += len;
496 	gss_msg->msg.data = gss_msg->databuf;
497 	return 0;
498 out_overflow:
499 	WARN_ON_ONCE(1);
500 	return -ENOMEM;
501 }
502 
503 static ssize_t
504 gss_v1_upcall(struct file *file, struct rpc_pipe_msg *msg,
505 		char __user *buf, size_t buflen)
506 {
507 	struct gss_upcall_msg *gss_msg = container_of(msg,
508 						      struct gss_upcall_msg,
509 						      msg);
510 	int err;
511 	if (msg->copied == 0) {
512 		err = gss_encode_v1_msg(gss_msg,
513 					gss_msg->service_name,
514 					gss_msg->auth->target_name,
515 					file->f_cred);
516 		if (err)
517 			return err;
518 	}
519 	return rpc_pipe_generic_upcall(file, msg, buf, buflen);
520 }
521 
522 static struct gss_upcall_msg *
523 gss_alloc_msg(struct gss_auth *gss_auth,
524 		kuid_t uid, const char *service_name)
525 {
526 	struct gss_upcall_msg *gss_msg;
527 	int vers;
528 	int err = -ENOMEM;
529 
530 	gss_msg = kzalloc(sizeof(*gss_msg), GFP_KERNEL);
531 	if (gss_msg == NULL)
532 		goto err;
533 	vers = get_pipe_version(gss_auth->net);
534 	err = vers;
535 	if (err < 0)
536 		goto err_free_msg;
537 	gss_msg->pipe = gss_auth->gss_pipe[vers]->pipe;
538 	INIT_LIST_HEAD(&gss_msg->list);
539 	rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq");
540 	init_waitqueue_head(&gss_msg->waitqueue);
541 	refcount_set(&gss_msg->count, 1);
542 	gss_msg->uid = uid;
543 	gss_msg->auth = gss_auth;
544 	kref_get(&gss_auth->kref);
545 	if (service_name) {
546 		gss_msg->service_name = kstrdup_const(service_name, GFP_KERNEL);
547 		if (!gss_msg->service_name) {
548 			err = -ENOMEM;
549 			goto err_put_pipe_version;
550 		}
551 	}
552 	return gss_msg;
553 err_put_pipe_version:
554 	put_pipe_version(gss_auth->net);
555 err_free_msg:
556 	kfree(gss_msg);
557 err:
558 	return ERR_PTR(err);
559 }
560 
561 static struct gss_upcall_msg *
562 gss_setup_upcall(struct gss_auth *gss_auth, struct rpc_cred *cred)
563 {
564 	struct gss_cred *gss_cred = container_of(cred,
565 			struct gss_cred, gc_base);
566 	struct gss_upcall_msg *gss_new, *gss_msg;
567 	kuid_t uid = cred->cr_cred->fsuid;
568 
569 	gss_new = gss_alloc_msg(gss_auth, uid, gss_cred->gc_principal);
570 	if (IS_ERR(gss_new))
571 		return gss_new;
572 	gss_msg = gss_add_msg(gss_new);
573 	if (gss_msg == gss_new) {
574 		int res;
575 		refcount_inc(&gss_msg->count);
576 		res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
577 		if (res) {
578 			gss_unhash_msg(gss_new);
579 			refcount_dec(&gss_msg->count);
580 			gss_release_msg(gss_new);
581 			gss_msg = ERR_PTR(res);
582 		}
583 	} else
584 		gss_release_msg(gss_new);
585 	return gss_msg;
586 }
587 
588 static void warn_gssd(void)
589 {
590 	dprintk("AUTH_GSS upcall failed. Please check user daemon is running.\n");
591 }
592 
593 static inline int
594 gss_refresh_upcall(struct rpc_task *task)
595 {
596 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
597 	struct gss_auth *gss_auth = container_of(cred->cr_auth,
598 			struct gss_auth, rpc_auth);
599 	struct gss_cred *gss_cred = container_of(cred,
600 			struct gss_cred, gc_base);
601 	struct gss_upcall_msg *gss_msg;
602 	struct rpc_pipe *pipe;
603 	int err = 0;
604 
605 	gss_msg = gss_setup_upcall(gss_auth, cred);
606 	if (PTR_ERR(gss_msg) == -EAGAIN) {
607 		/* XXX: warning on the first, under the assumption we
608 		 * shouldn't normally hit this case on a refresh. */
609 		warn_gssd();
610 		rpc_sleep_on_timeout(&pipe_version_rpc_waitqueue,
611 				task, NULL, jiffies + (15 * HZ));
612 		err = -EAGAIN;
613 		goto out;
614 	}
615 	if (IS_ERR(gss_msg)) {
616 		err = PTR_ERR(gss_msg);
617 		goto out;
618 	}
619 	pipe = gss_msg->pipe;
620 	spin_lock(&pipe->lock);
621 	if (gss_cred->gc_upcall != NULL)
622 		rpc_sleep_on(&gss_cred->gc_upcall->rpc_waitqueue, task, NULL);
623 	else if (gss_msg->ctx == NULL && gss_msg->msg.errno >= 0) {
624 		gss_cred->gc_upcall = gss_msg;
625 		/* gss_upcall_callback will release the reference to gss_upcall_msg */
626 		refcount_inc(&gss_msg->count);
627 		rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback);
628 	} else {
629 		gss_handle_downcall_result(gss_cred, gss_msg);
630 		err = gss_msg->msg.errno;
631 	}
632 	spin_unlock(&pipe->lock);
633 	gss_release_msg(gss_msg);
634 out:
635 	trace_rpcgss_upcall_result(from_kuid(&init_user_ns,
636 					     cred->cr_cred->fsuid), err);
637 	return err;
638 }
639 
640 static inline int
641 gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
642 {
643 	struct net *net = gss_auth->net;
644 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
645 	struct rpc_pipe *pipe;
646 	struct rpc_cred *cred = &gss_cred->gc_base;
647 	struct gss_upcall_msg *gss_msg;
648 	DEFINE_WAIT(wait);
649 	int err;
650 
651 retry:
652 	err = 0;
653 	/* if gssd is down, just skip upcalling altogether */
654 	if (!gssd_running(net)) {
655 		warn_gssd();
656 		err = -EACCES;
657 		goto out;
658 	}
659 	gss_msg = gss_setup_upcall(gss_auth, cred);
660 	if (PTR_ERR(gss_msg) == -EAGAIN) {
661 		err = wait_event_interruptible_timeout(pipe_version_waitqueue,
662 				sn->pipe_version >= 0, 15 * HZ);
663 		if (sn->pipe_version < 0) {
664 			warn_gssd();
665 			err = -EACCES;
666 		}
667 		if (err < 0)
668 			goto out;
669 		goto retry;
670 	}
671 	if (IS_ERR(gss_msg)) {
672 		err = PTR_ERR(gss_msg);
673 		goto out;
674 	}
675 	pipe = gss_msg->pipe;
676 	for (;;) {
677 		prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_KILLABLE);
678 		spin_lock(&pipe->lock);
679 		if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) {
680 			break;
681 		}
682 		spin_unlock(&pipe->lock);
683 		if (fatal_signal_pending(current)) {
684 			err = -ERESTARTSYS;
685 			goto out_intr;
686 		}
687 		schedule();
688 	}
689 	if (gss_msg->ctx) {
690 		trace_rpcgss_ctx_init(gss_cred);
691 		gss_cred_set_ctx(cred, gss_msg->ctx);
692 	} else {
693 		err = gss_msg->msg.errno;
694 	}
695 	spin_unlock(&pipe->lock);
696 out_intr:
697 	finish_wait(&gss_msg->waitqueue, &wait);
698 	gss_release_msg(gss_msg);
699 out:
700 	trace_rpcgss_upcall_result(from_kuid(&init_user_ns,
701 					     cred->cr_cred->fsuid), err);
702 	return err;
703 }
704 
705 static struct gss_upcall_msg *
706 gss_find_downcall(struct rpc_pipe *pipe, kuid_t uid)
707 {
708 	struct gss_upcall_msg *pos;
709 	list_for_each_entry(pos, &pipe->in_downcall, list) {
710 		if (!uid_eq(pos->uid, uid))
711 			continue;
712 		if (!rpc_msg_is_inflight(&pos->msg))
713 			continue;
714 		refcount_inc(&pos->count);
715 		return pos;
716 	}
717 	return NULL;
718 }
719 
720 #define MSG_BUF_MAXSIZE 1024
721 
722 static ssize_t
723 gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
724 {
725 	const void *p, *end;
726 	void *buf;
727 	struct gss_upcall_msg *gss_msg;
728 	struct rpc_pipe *pipe = RPC_I(file_inode(filp))->pipe;
729 	struct gss_cl_ctx *ctx;
730 	uid_t id;
731 	kuid_t uid;
732 	ssize_t err = -EFBIG;
733 
734 	if (mlen > MSG_BUF_MAXSIZE)
735 		goto out;
736 	err = -ENOMEM;
737 	buf = kmalloc(mlen, GFP_KERNEL);
738 	if (!buf)
739 		goto out;
740 
741 	err = -EFAULT;
742 	if (copy_from_user(buf, src, mlen))
743 		goto err;
744 
745 	end = (const void *)((char *)buf + mlen);
746 	p = simple_get_bytes(buf, end, &id, sizeof(id));
747 	if (IS_ERR(p)) {
748 		err = PTR_ERR(p);
749 		goto err;
750 	}
751 
752 	uid = make_kuid(current_user_ns(), id);
753 	if (!uid_valid(uid)) {
754 		err = -EINVAL;
755 		goto err;
756 	}
757 
758 	err = -ENOMEM;
759 	ctx = gss_alloc_context();
760 	if (ctx == NULL)
761 		goto err;
762 
763 	err = -ENOENT;
764 	/* Find a matching upcall */
765 	spin_lock(&pipe->lock);
766 	gss_msg = gss_find_downcall(pipe, uid);
767 	if (gss_msg == NULL) {
768 		spin_unlock(&pipe->lock);
769 		goto err_put_ctx;
770 	}
771 	list_del_init(&gss_msg->list);
772 	spin_unlock(&pipe->lock);
773 
774 	p = gss_fill_context(p, end, ctx, gss_msg->auth->mech);
775 	if (IS_ERR(p)) {
776 		err = PTR_ERR(p);
777 		switch (err) {
778 		case -EACCES:
779 		case -EKEYEXPIRED:
780 			gss_msg->msg.errno = err;
781 			err = mlen;
782 			break;
783 		case -EFAULT:
784 		case -ENOMEM:
785 		case -EINVAL:
786 		case -ENOSYS:
787 			gss_msg->msg.errno = -EAGAIN;
788 			break;
789 		default:
790 			printk(KERN_CRIT "%s: bad return from "
791 				"gss_fill_context: %zd\n", __func__, err);
792 			gss_msg->msg.errno = -EIO;
793 		}
794 		goto err_release_msg;
795 	}
796 	gss_msg->ctx = gss_get_ctx(ctx);
797 	err = mlen;
798 
799 err_release_msg:
800 	spin_lock(&pipe->lock);
801 	__gss_unhash_msg(gss_msg);
802 	spin_unlock(&pipe->lock);
803 	gss_release_msg(gss_msg);
804 err_put_ctx:
805 	gss_put_ctx(ctx);
806 err:
807 	kfree(buf);
808 out:
809 	return err;
810 }
811 
812 static int gss_pipe_open(struct inode *inode, int new_version)
813 {
814 	struct net *net = inode->i_sb->s_fs_info;
815 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
816 	int ret = 0;
817 
818 	spin_lock(&pipe_version_lock);
819 	if (sn->pipe_version < 0) {
820 		/* First open of any gss pipe determines the version: */
821 		sn->pipe_version = new_version;
822 		rpc_wake_up(&pipe_version_rpc_waitqueue);
823 		wake_up(&pipe_version_waitqueue);
824 	} else if (sn->pipe_version != new_version) {
825 		/* Trying to open a pipe of a different version */
826 		ret = -EBUSY;
827 		goto out;
828 	}
829 	atomic_inc(&sn->pipe_users);
830 out:
831 	spin_unlock(&pipe_version_lock);
832 	return ret;
833 
834 }
835 
836 static int gss_pipe_open_v0(struct inode *inode)
837 {
838 	return gss_pipe_open(inode, 0);
839 }
840 
841 static int gss_pipe_open_v1(struct inode *inode)
842 {
843 	return gss_pipe_open(inode, 1);
844 }
845 
846 static void
847 gss_pipe_release(struct inode *inode)
848 {
849 	struct net *net = inode->i_sb->s_fs_info;
850 	struct rpc_pipe *pipe = RPC_I(inode)->pipe;
851 	struct gss_upcall_msg *gss_msg;
852 
853 restart:
854 	spin_lock(&pipe->lock);
855 	list_for_each_entry(gss_msg, &pipe->in_downcall, list) {
856 
857 		if (!list_empty(&gss_msg->msg.list))
858 			continue;
859 		gss_msg->msg.errno = -EPIPE;
860 		refcount_inc(&gss_msg->count);
861 		__gss_unhash_msg(gss_msg);
862 		spin_unlock(&pipe->lock);
863 		gss_release_msg(gss_msg);
864 		goto restart;
865 	}
866 	spin_unlock(&pipe->lock);
867 
868 	put_pipe_version(net);
869 }
870 
871 static void
872 gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
873 {
874 	struct gss_upcall_msg *gss_msg = container_of(msg, struct gss_upcall_msg, msg);
875 
876 	if (msg->errno < 0) {
877 		refcount_inc(&gss_msg->count);
878 		gss_unhash_msg(gss_msg);
879 		if (msg->errno == -ETIMEDOUT)
880 			warn_gssd();
881 		gss_release_msg(gss_msg);
882 	}
883 	gss_release_msg(gss_msg);
884 }
885 
886 static void gss_pipe_dentry_destroy(struct dentry *dir,
887 		struct rpc_pipe_dir_object *pdo)
888 {
889 	struct gss_pipe *gss_pipe = pdo->pdo_data;
890 	struct rpc_pipe *pipe = gss_pipe->pipe;
891 
892 	if (pipe->dentry != NULL) {
893 		rpc_unlink(pipe->dentry);
894 		pipe->dentry = NULL;
895 	}
896 }
897 
898 static int gss_pipe_dentry_create(struct dentry *dir,
899 		struct rpc_pipe_dir_object *pdo)
900 {
901 	struct gss_pipe *p = pdo->pdo_data;
902 	struct dentry *dentry;
903 
904 	dentry = rpc_mkpipe_dentry(dir, p->name, p->clnt, p->pipe);
905 	if (IS_ERR(dentry))
906 		return PTR_ERR(dentry);
907 	p->pipe->dentry = dentry;
908 	return 0;
909 }
910 
911 static const struct rpc_pipe_dir_object_ops gss_pipe_dir_object_ops = {
912 	.create = gss_pipe_dentry_create,
913 	.destroy = gss_pipe_dentry_destroy,
914 };
915 
916 static struct gss_pipe *gss_pipe_alloc(struct rpc_clnt *clnt,
917 		const char *name,
918 		const struct rpc_pipe_ops *upcall_ops)
919 {
920 	struct gss_pipe *p;
921 	int err = -ENOMEM;
922 
923 	p = kmalloc(sizeof(*p), GFP_KERNEL);
924 	if (p == NULL)
925 		goto err;
926 	p->pipe = rpc_mkpipe_data(upcall_ops, RPC_PIPE_WAIT_FOR_OPEN);
927 	if (IS_ERR(p->pipe)) {
928 		err = PTR_ERR(p->pipe);
929 		goto err_free_gss_pipe;
930 	}
931 	p->name = name;
932 	p->clnt = clnt;
933 	kref_init(&p->kref);
934 	rpc_init_pipe_dir_object(&p->pdo,
935 			&gss_pipe_dir_object_ops,
936 			p);
937 	return p;
938 err_free_gss_pipe:
939 	kfree(p);
940 err:
941 	return ERR_PTR(err);
942 }
943 
944 struct gss_alloc_pdo {
945 	struct rpc_clnt *clnt;
946 	const char *name;
947 	const struct rpc_pipe_ops *upcall_ops;
948 };
949 
950 static int gss_pipe_match_pdo(struct rpc_pipe_dir_object *pdo, void *data)
951 {
952 	struct gss_pipe *gss_pipe;
953 	struct gss_alloc_pdo *args = data;
954 
955 	if (pdo->pdo_ops != &gss_pipe_dir_object_ops)
956 		return 0;
957 	gss_pipe = container_of(pdo, struct gss_pipe, pdo);
958 	if (strcmp(gss_pipe->name, args->name) != 0)
959 		return 0;
960 	if (!kref_get_unless_zero(&gss_pipe->kref))
961 		return 0;
962 	return 1;
963 }
964 
965 static struct rpc_pipe_dir_object *gss_pipe_alloc_pdo(void *data)
966 {
967 	struct gss_pipe *gss_pipe;
968 	struct gss_alloc_pdo *args = data;
969 
970 	gss_pipe = gss_pipe_alloc(args->clnt, args->name, args->upcall_ops);
971 	if (!IS_ERR(gss_pipe))
972 		return &gss_pipe->pdo;
973 	return NULL;
974 }
975 
976 static struct gss_pipe *gss_pipe_get(struct rpc_clnt *clnt,
977 		const char *name,
978 		const struct rpc_pipe_ops *upcall_ops)
979 {
980 	struct net *net = rpc_net_ns(clnt);
981 	struct rpc_pipe_dir_object *pdo;
982 	struct gss_alloc_pdo args = {
983 		.clnt = clnt,
984 		.name = name,
985 		.upcall_ops = upcall_ops,
986 	};
987 
988 	pdo = rpc_find_or_alloc_pipe_dir_object(net,
989 			&clnt->cl_pipedir_objects,
990 			gss_pipe_match_pdo,
991 			gss_pipe_alloc_pdo,
992 			&args);
993 	if (pdo != NULL)
994 		return container_of(pdo, struct gss_pipe, pdo);
995 	return ERR_PTR(-ENOMEM);
996 }
997 
998 static void __gss_pipe_free(struct gss_pipe *p)
999 {
1000 	struct rpc_clnt *clnt = p->clnt;
1001 	struct net *net = rpc_net_ns(clnt);
1002 
1003 	rpc_remove_pipe_dir_object(net,
1004 			&clnt->cl_pipedir_objects,
1005 			&p->pdo);
1006 	rpc_destroy_pipe_data(p->pipe);
1007 	kfree(p);
1008 }
1009 
1010 static void __gss_pipe_release(struct kref *kref)
1011 {
1012 	struct gss_pipe *p = container_of(kref, struct gss_pipe, kref);
1013 
1014 	__gss_pipe_free(p);
1015 }
1016 
1017 static void gss_pipe_free(struct gss_pipe *p)
1018 {
1019 	if (p != NULL)
1020 		kref_put(&p->kref, __gss_pipe_release);
1021 }
1022 
1023 /*
1024  * NOTE: we have the opportunity to use different
1025  * parameters based on the input flavor (which must be a pseudoflavor)
1026  */
1027 static struct gss_auth *
1028 gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
1029 {
1030 	rpc_authflavor_t flavor = args->pseudoflavor;
1031 	struct gss_auth *gss_auth;
1032 	struct gss_pipe *gss_pipe;
1033 	struct rpc_auth * auth;
1034 	int err = -ENOMEM; /* XXX? */
1035 
1036 	if (!try_module_get(THIS_MODULE))
1037 		return ERR_PTR(err);
1038 	if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL)))
1039 		goto out_dec;
1040 	INIT_HLIST_NODE(&gss_auth->hash);
1041 	gss_auth->target_name = NULL;
1042 	if (args->target_name) {
1043 		gss_auth->target_name = kstrdup(args->target_name, GFP_KERNEL);
1044 		if (gss_auth->target_name == NULL)
1045 			goto err_free;
1046 	}
1047 	gss_auth->client = clnt;
1048 	gss_auth->net = get_net_track(rpc_net_ns(clnt), &gss_auth->ns_tracker,
1049 				      GFP_KERNEL);
1050 	err = -EINVAL;
1051 	gss_auth->mech = gss_mech_get_by_pseudoflavor(flavor);
1052 	if (!gss_auth->mech)
1053 		goto err_put_net;
1054 	gss_auth->service = gss_pseudoflavor_to_service(gss_auth->mech, flavor);
1055 	if (gss_auth->service == 0)
1056 		goto err_put_mech;
1057 	if (!gssd_running(gss_auth->net))
1058 		goto err_put_mech;
1059 	auth = &gss_auth->rpc_auth;
1060 	auth->au_cslack = GSS_CRED_SLACK >> 2;
1061 	BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
1062 	auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2;
1063 	auth->au_verfsize = GSS_VERF_SLACK >> 2;
1064 	auth->au_ralign = GSS_VERF_SLACK >> 2;
1065 	__set_bit(RPCAUTH_AUTH_UPDATE_SLACK, &auth->au_flags);
1066 	auth->au_ops = &authgss_ops;
1067 	auth->au_flavor = flavor;
1068 	if (gss_pseudoflavor_to_datatouch(gss_auth->mech, flavor))
1069 		__set_bit(RPCAUTH_AUTH_DATATOUCH, &auth->au_flags);
1070 	refcount_set(&auth->au_count, 1);
1071 	kref_init(&gss_auth->kref);
1072 
1073 	err = rpcauth_init_credcache(auth);
1074 	if (err)
1075 		goto err_put_mech;
1076 	/*
1077 	 * Note: if we created the old pipe first, then someone who
1078 	 * examined the directory at the right moment might conclude
1079 	 * that we supported only the old pipe.  So we instead create
1080 	 * the new pipe first.
1081 	 */
1082 	gss_pipe = gss_pipe_get(clnt, "gssd", &gss_upcall_ops_v1);
1083 	if (IS_ERR(gss_pipe)) {
1084 		err = PTR_ERR(gss_pipe);
1085 		goto err_destroy_credcache;
1086 	}
1087 	gss_auth->gss_pipe[1] = gss_pipe;
1088 
1089 	gss_pipe = gss_pipe_get(clnt, gss_auth->mech->gm_name,
1090 			&gss_upcall_ops_v0);
1091 	if (IS_ERR(gss_pipe)) {
1092 		err = PTR_ERR(gss_pipe);
1093 		goto err_destroy_pipe_1;
1094 	}
1095 	gss_auth->gss_pipe[0] = gss_pipe;
1096 
1097 	return gss_auth;
1098 err_destroy_pipe_1:
1099 	gss_pipe_free(gss_auth->gss_pipe[1]);
1100 err_destroy_credcache:
1101 	rpcauth_destroy_credcache(auth);
1102 err_put_mech:
1103 	gss_mech_put(gss_auth->mech);
1104 err_put_net:
1105 	put_net_track(gss_auth->net, &gss_auth->ns_tracker);
1106 err_free:
1107 	kfree(gss_auth->target_name);
1108 	kfree(gss_auth);
1109 out_dec:
1110 	module_put(THIS_MODULE);
1111 	trace_rpcgss_createauth(flavor, err);
1112 	return ERR_PTR(err);
1113 }
1114 
1115 static void
1116 gss_free(struct gss_auth *gss_auth)
1117 {
1118 	gss_pipe_free(gss_auth->gss_pipe[0]);
1119 	gss_pipe_free(gss_auth->gss_pipe[1]);
1120 	gss_mech_put(gss_auth->mech);
1121 	put_net_track(gss_auth->net, &gss_auth->ns_tracker);
1122 	kfree(gss_auth->target_name);
1123 
1124 	kfree(gss_auth);
1125 	module_put(THIS_MODULE);
1126 }
1127 
1128 static void
1129 gss_free_callback(struct kref *kref)
1130 {
1131 	struct gss_auth *gss_auth = container_of(kref, struct gss_auth, kref);
1132 
1133 	gss_free(gss_auth);
1134 }
1135 
1136 static void
1137 gss_put_auth(struct gss_auth *gss_auth)
1138 {
1139 	kref_put(&gss_auth->kref, gss_free_callback);
1140 }
1141 
1142 static void
1143 gss_destroy(struct rpc_auth *auth)
1144 {
1145 	struct gss_auth *gss_auth = container_of(auth,
1146 			struct gss_auth, rpc_auth);
1147 
1148 	if (hash_hashed(&gss_auth->hash)) {
1149 		spin_lock(&gss_auth_hash_lock);
1150 		hash_del(&gss_auth->hash);
1151 		spin_unlock(&gss_auth_hash_lock);
1152 	}
1153 
1154 	gss_pipe_free(gss_auth->gss_pipe[0]);
1155 	gss_auth->gss_pipe[0] = NULL;
1156 	gss_pipe_free(gss_auth->gss_pipe[1]);
1157 	gss_auth->gss_pipe[1] = NULL;
1158 	rpcauth_destroy_credcache(auth);
1159 
1160 	gss_put_auth(gss_auth);
1161 }
1162 
1163 /*
1164  * Auths may be shared between rpc clients that were cloned from a
1165  * common client with the same xprt, if they also share the flavor and
1166  * target_name.
1167  *
1168  * The auth is looked up from the oldest parent sharing the same
1169  * cl_xprt, and the auth itself references only that common parent
1170  * (which is guaranteed to last as long as any of its descendants).
1171  */
1172 static struct gss_auth *
1173 gss_auth_find_or_add_hashed(const struct rpc_auth_create_args *args,
1174 		struct rpc_clnt *clnt,
1175 		struct gss_auth *new)
1176 {
1177 	struct gss_auth *gss_auth;
1178 	unsigned long hashval = (unsigned long)clnt;
1179 
1180 	spin_lock(&gss_auth_hash_lock);
1181 	hash_for_each_possible(gss_auth_hash_table,
1182 			gss_auth,
1183 			hash,
1184 			hashval) {
1185 		if (gss_auth->client != clnt)
1186 			continue;
1187 		if (gss_auth->rpc_auth.au_flavor != args->pseudoflavor)
1188 			continue;
1189 		if (gss_auth->target_name != args->target_name) {
1190 			if (gss_auth->target_name == NULL)
1191 				continue;
1192 			if (args->target_name == NULL)
1193 				continue;
1194 			if (strcmp(gss_auth->target_name, args->target_name))
1195 				continue;
1196 		}
1197 		if (!refcount_inc_not_zero(&gss_auth->rpc_auth.au_count))
1198 			continue;
1199 		goto out;
1200 	}
1201 	if (new)
1202 		hash_add(gss_auth_hash_table, &new->hash, hashval);
1203 	gss_auth = new;
1204 out:
1205 	spin_unlock(&gss_auth_hash_lock);
1206 	return gss_auth;
1207 }
1208 
1209 static struct gss_auth *
1210 gss_create_hashed(const struct rpc_auth_create_args *args,
1211 		  struct rpc_clnt *clnt)
1212 {
1213 	struct gss_auth *gss_auth;
1214 	struct gss_auth *new;
1215 
1216 	gss_auth = gss_auth_find_or_add_hashed(args, clnt, NULL);
1217 	if (gss_auth != NULL)
1218 		goto out;
1219 	new = gss_create_new(args, clnt);
1220 	if (IS_ERR(new))
1221 		return new;
1222 	gss_auth = gss_auth_find_or_add_hashed(args, clnt, new);
1223 	if (gss_auth != new)
1224 		gss_destroy(&new->rpc_auth);
1225 out:
1226 	return gss_auth;
1227 }
1228 
1229 static struct rpc_auth *
1230 gss_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
1231 {
1232 	struct gss_auth *gss_auth;
1233 	struct rpc_xprt_switch *xps = rcu_access_pointer(clnt->cl_xpi.xpi_xpswitch);
1234 
1235 	while (clnt != clnt->cl_parent) {
1236 		struct rpc_clnt *parent = clnt->cl_parent;
1237 		/* Find the original parent for this transport */
1238 		if (rcu_access_pointer(parent->cl_xpi.xpi_xpswitch) != xps)
1239 			break;
1240 		clnt = parent;
1241 	}
1242 
1243 	gss_auth = gss_create_hashed(args, clnt);
1244 	if (IS_ERR(gss_auth))
1245 		return ERR_CAST(gss_auth);
1246 	return &gss_auth->rpc_auth;
1247 }
1248 
1249 static struct gss_cred *
1250 gss_dup_cred(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
1251 {
1252 	struct gss_cred *new;
1253 
1254 	/* Make a copy of the cred so that we can reference count it */
1255 	new = kzalloc(sizeof(*gss_cred), GFP_KERNEL);
1256 	if (new) {
1257 		struct auth_cred acred = {
1258 			.cred = gss_cred->gc_base.cr_cred,
1259 		};
1260 		struct gss_cl_ctx *ctx =
1261 			rcu_dereference_protected(gss_cred->gc_ctx, 1);
1262 
1263 		rpcauth_init_cred(&new->gc_base, &acred,
1264 				&gss_auth->rpc_auth,
1265 				&gss_nullops);
1266 		new->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE;
1267 		new->gc_service = gss_cred->gc_service;
1268 		new->gc_principal = gss_cred->gc_principal;
1269 		kref_get(&gss_auth->kref);
1270 		rcu_assign_pointer(new->gc_ctx, ctx);
1271 		gss_get_ctx(ctx);
1272 	}
1273 	return new;
1274 }
1275 
1276 /*
1277  * gss_send_destroy_context will cause the RPCSEC_GSS to send a NULL RPC call
1278  * to the server with the GSS control procedure field set to
1279  * RPC_GSS_PROC_DESTROY. This should normally cause the server to release
1280  * all RPCSEC_GSS state associated with that context.
1281  */
1282 static void
1283 gss_send_destroy_context(struct rpc_cred *cred)
1284 {
1285 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
1286 	struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth);
1287 	struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1);
1288 	struct gss_cred *new;
1289 	struct rpc_task *task;
1290 
1291 	new = gss_dup_cred(gss_auth, gss_cred);
1292 	if (new) {
1293 		ctx->gc_proc = RPC_GSS_PROC_DESTROY;
1294 
1295 		trace_rpcgss_ctx_destroy(gss_cred);
1296 		task = rpc_call_null(gss_auth->client, &new->gc_base,
1297 				     RPC_TASK_ASYNC);
1298 		if (!IS_ERR(task))
1299 			rpc_put_task(task);
1300 
1301 		put_rpccred(&new->gc_base);
1302 	}
1303 }
1304 
1305 /* gss_destroy_cred (and gss_free_ctx) are used to clean up after failure
1306  * to create a new cred or context, so they check that things have been
1307  * allocated before freeing them. */
1308 static void
1309 gss_do_free_ctx(struct gss_cl_ctx *ctx)
1310 {
1311 	gss_delete_sec_context(&ctx->gc_gss_ctx);
1312 	kfree(ctx->gc_wire_ctx.data);
1313 	kfree(ctx->gc_acceptor.data);
1314 	kfree(ctx);
1315 }
1316 
1317 static void
1318 gss_free_ctx_callback(struct rcu_head *head)
1319 {
1320 	struct gss_cl_ctx *ctx = container_of(head, struct gss_cl_ctx, gc_rcu);
1321 	gss_do_free_ctx(ctx);
1322 }
1323 
1324 static void
1325 gss_free_ctx(struct gss_cl_ctx *ctx)
1326 {
1327 	call_rcu(&ctx->gc_rcu, gss_free_ctx_callback);
1328 }
1329 
1330 static void
1331 gss_free_cred(struct gss_cred *gss_cred)
1332 {
1333 	kfree(gss_cred);
1334 }
1335 
1336 static void
1337 gss_free_cred_callback(struct rcu_head *head)
1338 {
1339 	struct gss_cred *gss_cred = container_of(head, struct gss_cred, gc_base.cr_rcu);
1340 	gss_free_cred(gss_cred);
1341 }
1342 
1343 static void
1344 gss_destroy_nullcred(struct rpc_cred *cred)
1345 {
1346 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
1347 	struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth);
1348 	struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1);
1349 
1350 	RCU_INIT_POINTER(gss_cred->gc_ctx, NULL);
1351 	put_cred(cred->cr_cred);
1352 	call_rcu(&cred->cr_rcu, gss_free_cred_callback);
1353 	if (ctx)
1354 		gss_put_ctx(ctx);
1355 	gss_put_auth(gss_auth);
1356 }
1357 
1358 static void
1359 gss_destroy_cred(struct rpc_cred *cred)
1360 {
1361 	if (test_and_clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0)
1362 		gss_send_destroy_context(cred);
1363 	gss_destroy_nullcred(cred);
1364 }
1365 
1366 static int
1367 gss_hash_cred(struct auth_cred *acred, unsigned int hashbits)
1368 {
1369 	return hash_64(from_kuid(&init_user_ns, acred->cred->fsuid), hashbits);
1370 }
1371 
1372 /*
1373  * Lookup RPCSEC_GSS cred for the current process
1374  */
1375 static struct rpc_cred *gss_lookup_cred(struct rpc_auth *auth,
1376 					struct auth_cred *acred, int flags)
1377 {
1378 	return rpcauth_lookup_credcache(auth, acred, flags,
1379 					rpc_task_gfp_mask());
1380 }
1381 
1382 static struct rpc_cred *
1383 gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags, gfp_t gfp)
1384 {
1385 	struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth);
1386 	struct gss_cred	*cred = NULL;
1387 	int err = -ENOMEM;
1388 
1389 	if (!(cred = kzalloc(sizeof(*cred), gfp)))
1390 		goto out_err;
1391 
1392 	rpcauth_init_cred(&cred->gc_base, acred, auth, &gss_credops);
1393 	/*
1394 	 * Note: in order to force a call to call_refresh(), we deliberately
1395 	 * fail to flag the credential as RPCAUTH_CRED_UPTODATE.
1396 	 */
1397 	cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW;
1398 	cred->gc_service = gss_auth->service;
1399 	cred->gc_principal = acred->principal;
1400 	kref_get(&gss_auth->kref);
1401 	return &cred->gc_base;
1402 
1403 out_err:
1404 	return ERR_PTR(err);
1405 }
1406 
1407 static int
1408 gss_cred_init(struct rpc_auth *auth, struct rpc_cred *cred)
1409 {
1410 	struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth);
1411 	struct gss_cred *gss_cred = container_of(cred,struct gss_cred, gc_base);
1412 	int err;
1413 
1414 	do {
1415 		err = gss_create_upcall(gss_auth, gss_cred);
1416 	} while (err == -EAGAIN);
1417 	return err;
1418 }
1419 
1420 static char *
1421 gss_stringify_acceptor(struct rpc_cred *cred)
1422 {
1423 	char *string = NULL;
1424 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
1425 	struct gss_cl_ctx *ctx;
1426 	unsigned int len;
1427 	struct xdr_netobj *acceptor;
1428 
1429 	rcu_read_lock();
1430 	ctx = rcu_dereference(gss_cred->gc_ctx);
1431 	if (!ctx)
1432 		goto out;
1433 
1434 	len = ctx->gc_acceptor.len;
1435 	rcu_read_unlock();
1436 
1437 	/* no point if there's no string */
1438 	if (!len)
1439 		return NULL;
1440 realloc:
1441 	string = kmalloc(len + 1, GFP_KERNEL);
1442 	if (!string)
1443 		return NULL;
1444 
1445 	rcu_read_lock();
1446 	ctx = rcu_dereference(gss_cred->gc_ctx);
1447 
1448 	/* did the ctx disappear or was it replaced by one with no acceptor? */
1449 	if (!ctx || !ctx->gc_acceptor.len) {
1450 		kfree(string);
1451 		string = NULL;
1452 		goto out;
1453 	}
1454 
1455 	acceptor = &ctx->gc_acceptor;
1456 
1457 	/*
1458 	 * Did we find a new acceptor that's longer than the original? Allocate
1459 	 * a longer buffer and try again.
1460 	 */
1461 	if (len < acceptor->len) {
1462 		len = acceptor->len;
1463 		rcu_read_unlock();
1464 		kfree(string);
1465 		goto realloc;
1466 	}
1467 
1468 	memcpy(string, acceptor->data, acceptor->len);
1469 	string[acceptor->len] = '\0';
1470 out:
1471 	rcu_read_unlock();
1472 	return string;
1473 }
1474 
1475 /*
1476  * Returns -EACCES if GSS context is NULL or will expire within the
1477  * timeout (miliseconds)
1478  */
1479 static int
1480 gss_key_timeout(struct rpc_cred *rc)
1481 {
1482 	struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base);
1483 	struct gss_cl_ctx *ctx;
1484 	unsigned long timeout = jiffies + (gss_key_expire_timeo * HZ);
1485 	int ret = 0;
1486 
1487 	rcu_read_lock();
1488 	ctx = rcu_dereference(gss_cred->gc_ctx);
1489 	if (!ctx || time_after(timeout, ctx->gc_expiry))
1490 		ret = -EACCES;
1491 	rcu_read_unlock();
1492 
1493 	return ret;
1494 }
1495 
1496 static int
1497 gss_match(struct auth_cred *acred, struct rpc_cred *rc, int flags)
1498 {
1499 	struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base);
1500 	struct gss_cl_ctx *ctx;
1501 	int ret;
1502 
1503 	if (test_bit(RPCAUTH_CRED_NEW, &rc->cr_flags))
1504 		goto out;
1505 	/* Don't match with creds that have expired. */
1506 	rcu_read_lock();
1507 	ctx = rcu_dereference(gss_cred->gc_ctx);
1508 	if (!ctx || time_after(jiffies, ctx->gc_expiry)) {
1509 		rcu_read_unlock();
1510 		return 0;
1511 	}
1512 	rcu_read_unlock();
1513 	if (!test_bit(RPCAUTH_CRED_UPTODATE, &rc->cr_flags))
1514 		return 0;
1515 out:
1516 	if (acred->principal != NULL) {
1517 		if (gss_cred->gc_principal == NULL)
1518 			return 0;
1519 		ret = strcmp(acred->principal, gss_cred->gc_principal) == 0;
1520 	} else {
1521 		if (gss_cred->gc_principal != NULL)
1522 			return 0;
1523 		ret = uid_eq(rc->cr_cred->fsuid, acred->cred->fsuid);
1524 	}
1525 	return ret;
1526 }
1527 
1528 /*
1529  * Marshal credentials.
1530  *
1531  * The expensive part is computing the verifier. We can't cache a
1532  * pre-computed version of the verifier because the seqno, which
1533  * is different every time, is included in the MIC.
1534  */
1535 static int gss_marshal(struct rpc_task *task, struct xdr_stream *xdr)
1536 {
1537 	struct rpc_rqst *req = task->tk_rqstp;
1538 	struct rpc_cred *cred = req->rq_cred;
1539 	struct gss_cred	*gss_cred = container_of(cred, struct gss_cred,
1540 						 gc_base);
1541 	struct gss_cl_ctx	*ctx = gss_cred_get_ctx(cred);
1542 	__be32		*p, *cred_len;
1543 	u32             maj_stat = 0;
1544 	struct xdr_netobj mic;
1545 	struct kvec	iov;
1546 	struct xdr_buf	verf_buf;
1547 	int status;
1548 
1549 	/* Credential */
1550 
1551 	p = xdr_reserve_space(xdr, 7 * sizeof(*p) +
1552 			      ctx->gc_wire_ctx.len);
1553 	if (!p)
1554 		goto marshal_failed;
1555 	*p++ = rpc_auth_gss;
1556 	cred_len = p++;
1557 
1558 	spin_lock(&ctx->gc_seq_lock);
1559 	req->rq_seqno = (ctx->gc_seq < MAXSEQ) ? ctx->gc_seq++ : MAXSEQ;
1560 	spin_unlock(&ctx->gc_seq_lock);
1561 	if (req->rq_seqno == MAXSEQ)
1562 		goto expired;
1563 	trace_rpcgss_seqno(task);
1564 
1565 	*p++ = cpu_to_be32(RPC_GSS_VERSION);
1566 	*p++ = cpu_to_be32(ctx->gc_proc);
1567 	*p++ = cpu_to_be32(req->rq_seqno);
1568 	*p++ = cpu_to_be32(gss_cred->gc_service);
1569 	p = xdr_encode_netobj(p, &ctx->gc_wire_ctx);
1570 	*cred_len = cpu_to_be32((p - (cred_len + 1)) << 2);
1571 
1572 	/* Verifier */
1573 
1574 	/* We compute the checksum for the verifier over the xdr-encoded bytes
1575 	 * starting with the xid and ending at the end of the credential: */
1576 	iov.iov_base = req->rq_snd_buf.head[0].iov_base;
1577 	iov.iov_len = (u8 *)p - (u8 *)iov.iov_base;
1578 	xdr_buf_from_iov(&iov, &verf_buf);
1579 
1580 	p = xdr_reserve_space(xdr, sizeof(*p));
1581 	if (!p)
1582 		goto marshal_failed;
1583 	*p++ = rpc_auth_gss;
1584 	mic.data = (u8 *)(p + 1);
1585 	maj_stat = gss_get_mic(ctx->gc_gss_ctx, &verf_buf, &mic);
1586 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1587 		goto expired;
1588 	else if (maj_stat != 0)
1589 		goto bad_mic;
1590 	if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0)
1591 		goto marshal_failed;
1592 	status = 0;
1593 out:
1594 	gss_put_ctx(ctx);
1595 	return status;
1596 expired:
1597 	clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1598 	status = -EKEYEXPIRED;
1599 	goto out;
1600 marshal_failed:
1601 	status = -EMSGSIZE;
1602 	goto out;
1603 bad_mic:
1604 	trace_rpcgss_get_mic(task, maj_stat);
1605 	status = -EIO;
1606 	goto out;
1607 }
1608 
1609 static int gss_renew_cred(struct rpc_task *task)
1610 {
1611 	struct rpc_cred *oldcred = task->tk_rqstp->rq_cred;
1612 	struct gss_cred *gss_cred = container_of(oldcred,
1613 						 struct gss_cred,
1614 						 gc_base);
1615 	struct rpc_auth *auth = oldcred->cr_auth;
1616 	struct auth_cred acred = {
1617 		.cred = oldcred->cr_cred,
1618 		.principal = gss_cred->gc_principal,
1619 	};
1620 	struct rpc_cred *new;
1621 
1622 	new = gss_lookup_cred(auth, &acred, RPCAUTH_LOOKUP_NEW);
1623 	if (IS_ERR(new))
1624 		return PTR_ERR(new);
1625 
1626 	task->tk_rqstp->rq_cred = new;
1627 	put_rpccred(oldcred);
1628 	return 0;
1629 }
1630 
1631 static int gss_cred_is_negative_entry(struct rpc_cred *cred)
1632 {
1633 	if (test_bit(RPCAUTH_CRED_NEGATIVE, &cred->cr_flags)) {
1634 		unsigned long now = jiffies;
1635 		unsigned long begin, expire;
1636 		struct gss_cred *gss_cred;
1637 
1638 		gss_cred = container_of(cred, struct gss_cred, gc_base);
1639 		begin = gss_cred->gc_upcall_timestamp;
1640 		expire = begin + gss_expired_cred_retry_delay * HZ;
1641 
1642 		if (time_in_range_open(now, begin, expire))
1643 			return 1;
1644 	}
1645 	return 0;
1646 }
1647 
1648 /*
1649 * Refresh credentials. XXX - finish
1650 */
1651 static int
1652 gss_refresh(struct rpc_task *task)
1653 {
1654 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
1655 	int ret = 0;
1656 
1657 	if (gss_cred_is_negative_entry(cred))
1658 		return -EKEYEXPIRED;
1659 
1660 	if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) &&
1661 			!test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags)) {
1662 		ret = gss_renew_cred(task);
1663 		if (ret < 0)
1664 			goto out;
1665 		cred = task->tk_rqstp->rq_cred;
1666 	}
1667 
1668 	if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags))
1669 		ret = gss_refresh_upcall(task);
1670 out:
1671 	return ret;
1672 }
1673 
1674 /* Dummy refresh routine: used only when destroying the context */
1675 static int
1676 gss_refresh_null(struct rpc_task *task)
1677 {
1678 	return 0;
1679 }
1680 
1681 static int
1682 gss_validate(struct rpc_task *task, struct xdr_stream *xdr)
1683 {
1684 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
1685 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
1686 	__be32		*p, *seq = NULL;
1687 	struct kvec	iov;
1688 	struct xdr_buf	verf_buf;
1689 	struct xdr_netobj mic;
1690 	u32		len, maj_stat;
1691 	int		status;
1692 
1693 	p = xdr_inline_decode(xdr, 2 * sizeof(*p));
1694 	if (!p)
1695 		goto validate_failed;
1696 	if (*p++ != rpc_auth_gss)
1697 		goto validate_failed;
1698 	len = be32_to_cpup(p);
1699 	if (len > RPC_MAX_AUTH_SIZE)
1700 		goto validate_failed;
1701 	p = xdr_inline_decode(xdr, len);
1702 	if (!p)
1703 		goto validate_failed;
1704 
1705 	seq = kmalloc(4, GFP_KERNEL);
1706 	if (!seq)
1707 		goto validate_failed;
1708 	*seq = cpu_to_be32(task->tk_rqstp->rq_seqno);
1709 	iov.iov_base = seq;
1710 	iov.iov_len = 4;
1711 	xdr_buf_from_iov(&iov, &verf_buf);
1712 	mic.data = (u8 *)p;
1713 	mic.len = len;
1714 	maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic);
1715 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1716 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1717 	if (maj_stat)
1718 		goto bad_mic;
1719 
1720 	/* We leave it to unwrap to calculate au_rslack. For now we just
1721 	 * calculate the length of the verifier: */
1722 	if (test_bit(RPCAUTH_AUTH_UPDATE_SLACK, &cred->cr_auth->au_flags))
1723 		cred->cr_auth->au_verfsize = XDR_QUADLEN(len) + 2;
1724 	status = 0;
1725 out:
1726 	gss_put_ctx(ctx);
1727 	kfree(seq);
1728 	return status;
1729 
1730 validate_failed:
1731 	status = -EIO;
1732 	goto out;
1733 bad_mic:
1734 	trace_rpcgss_verify_mic(task, maj_stat);
1735 	status = -EACCES;
1736 	goto out;
1737 }
1738 
1739 static noinline_for_stack int
1740 gss_wrap_req_integ(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
1741 		   struct rpc_task *task, struct xdr_stream *xdr)
1742 {
1743 	struct rpc_rqst *rqstp = task->tk_rqstp;
1744 	struct xdr_buf integ_buf, *snd_buf = &rqstp->rq_snd_buf;
1745 	struct xdr_netobj mic;
1746 	__be32 *p, *integ_len;
1747 	u32 offset, maj_stat;
1748 
1749 	p = xdr_reserve_space(xdr, 2 * sizeof(*p));
1750 	if (!p)
1751 		goto wrap_failed;
1752 	integ_len = p++;
1753 	*p = cpu_to_be32(rqstp->rq_seqno);
1754 
1755 	if (rpcauth_wrap_req_encode(task, xdr))
1756 		goto wrap_failed;
1757 
1758 	offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base;
1759 	if (xdr_buf_subsegment(snd_buf, &integ_buf,
1760 				offset, snd_buf->len - offset))
1761 		goto wrap_failed;
1762 	*integ_len = cpu_to_be32(integ_buf.len);
1763 
1764 	p = xdr_reserve_space(xdr, 0);
1765 	if (!p)
1766 		goto wrap_failed;
1767 	mic.data = (u8 *)(p + 1);
1768 	maj_stat = gss_get_mic(ctx->gc_gss_ctx, &integ_buf, &mic);
1769 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1770 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1771 	else if (maj_stat)
1772 		goto bad_mic;
1773 	/* Check that the trailing MIC fit in the buffer, after the fact */
1774 	if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0)
1775 		goto wrap_failed;
1776 	return 0;
1777 wrap_failed:
1778 	return -EMSGSIZE;
1779 bad_mic:
1780 	trace_rpcgss_get_mic(task, maj_stat);
1781 	return -EIO;
1782 }
1783 
1784 static void
1785 priv_release_snd_buf(struct rpc_rqst *rqstp)
1786 {
1787 	int i;
1788 
1789 	for (i=0; i < rqstp->rq_enc_pages_num; i++)
1790 		__free_page(rqstp->rq_enc_pages[i]);
1791 	kfree(rqstp->rq_enc_pages);
1792 	rqstp->rq_release_snd_buf = NULL;
1793 }
1794 
1795 static int
1796 alloc_enc_pages(struct rpc_rqst *rqstp)
1797 {
1798 	struct xdr_buf *snd_buf = &rqstp->rq_snd_buf;
1799 	int first, last, i;
1800 
1801 	if (rqstp->rq_release_snd_buf)
1802 		rqstp->rq_release_snd_buf(rqstp);
1803 
1804 	if (snd_buf->page_len == 0) {
1805 		rqstp->rq_enc_pages_num = 0;
1806 		return 0;
1807 	}
1808 
1809 	first = snd_buf->page_base >> PAGE_SHIFT;
1810 	last = (snd_buf->page_base + snd_buf->page_len - 1) >> PAGE_SHIFT;
1811 	rqstp->rq_enc_pages_num = last - first + 1 + 1;
1812 	rqstp->rq_enc_pages
1813 		= kmalloc_array(rqstp->rq_enc_pages_num,
1814 				sizeof(struct page *),
1815 				GFP_KERNEL);
1816 	if (!rqstp->rq_enc_pages)
1817 		goto out;
1818 	for (i=0; i < rqstp->rq_enc_pages_num; i++) {
1819 		rqstp->rq_enc_pages[i] = alloc_page(GFP_KERNEL);
1820 		if (rqstp->rq_enc_pages[i] == NULL)
1821 			goto out_free;
1822 	}
1823 	rqstp->rq_release_snd_buf = priv_release_snd_buf;
1824 	return 0;
1825 out_free:
1826 	rqstp->rq_enc_pages_num = i;
1827 	priv_release_snd_buf(rqstp);
1828 out:
1829 	return -EAGAIN;
1830 }
1831 
1832 static noinline_for_stack int
1833 gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
1834 		  struct rpc_task *task, struct xdr_stream *xdr)
1835 {
1836 	struct rpc_rqst *rqstp = task->tk_rqstp;
1837 	struct xdr_buf	*snd_buf = &rqstp->rq_snd_buf;
1838 	u32		pad, offset, maj_stat;
1839 	int		status;
1840 	__be32		*p, *opaque_len;
1841 	struct page	**inpages;
1842 	int		first;
1843 	struct kvec	*iov;
1844 
1845 	status = -EIO;
1846 	p = xdr_reserve_space(xdr, 2 * sizeof(*p));
1847 	if (!p)
1848 		goto wrap_failed;
1849 	opaque_len = p++;
1850 	*p = cpu_to_be32(rqstp->rq_seqno);
1851 
1852 	if (rpcauth_wrap_req_encode(task, xdr))
1853 		goto wrap_failed;
1854 
1855 	status = alloc_enc_pages(rqstp);
1856 	if (unlikely(status))
1857 		goto wrap_failed;
1858 	first = snd_buf->page_base >> PAGE_SHIFT;
1859 	inpages = snd_buf->pages + first;
1860 	snd_buf->pages = rqstp->rq_enc_pages;
1861 	snd_buf->page_base -= first << PAGE_SHIFT;
1862 	/*
1863 	 * Move the tail into its own page, in case gss_wrap needs
1864 	 * more space in the head when wrapping.
1865 	 *
1866 	 * Still... Why can't gss_wrap just slide the tail down?
1867 	 */
1868 	if (snd_buf->page_len || snd_buf->tail[0].iov_len) {
1869 		char *tmp;
1870 
1871 		tmp = page_address(rqstp->rq_enc_pages[rqstp->rq_enc_pages_num - 1]);
1872 		memcpy(tmp, snd_buf->tail[0].iov_base, snd_buf->tail[0].iov_len);
1873 		snd_buf->tail[0].iov_base = tmp;
1874 	}
1875 	offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base;
1876 	maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages);
1877 	/* slack space should prevent this ever happening: */
1878 	if (unlikely(snd_buf->len > snd_buf->buflen)) {
1879 		status = -EIO;
1880 		goto wrap_failed;
1881 	}
1882 	/* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was
1883 	 * done anyway, so it's safe to put the request on the wire: */
1884 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1885 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1886 	else if (maj_stat)
1887 		goto bad_wrap;
1888 
1889 	*opaque_len = cpu_to_be32(snd_buf->len - offset);
1890 	/* guess whether the pad goes into the head or the tail: */
1891 	if (snd_buf->page_len || snd_buf->tail[0].iov_len)
1892 		iov = snd_buf->tail;
1893 	else
1894 		iov = snd_buf->head;
1895 	p = iov->iov_base + iov->iov_len;
1896 	pad = xdr_pad_size(snd_buf->len - offset);
1897 	memset(p, 0, pad);
1898 	iov->iov_len += pad;
1899 	snd_buf->len += pad;
1900 
1901 	return 0;
1902 wrap_failed:
1903 	return status;
1904 bad_wrap:
1905 	trace_rpcgss_wrap(task, maj_stat);
1906 	return -EIO;
1907 }
1908 
1909 static int gss_wrap_req(struct rpc_task *task, struct xdr_stream *xdr)
1910 {
1911 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
1912 	struct gss_cred	*gss_cred = container_of(cred, struct gss_cred,
1913 			gc_base);
1914 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
1915 	int status;
1916 
1917 	status = -EIO;
1918 	if (ctx->gc_proc != RPC_GSS_PROC_DATA) {
1919 		/* The spec seems a little ambiguous here, but I think that not
1920 		 * wrapping context destruction requests makes the most sense.
1921 		 */
1922 		status = rpcauth_wrap_req_encode(task, xdr);
1923 		goto out;
1924 	}
1925 	switch (gss_cred->gc_service) {
1926 	case RPC_GSS_SVC_NONE:
1927 		status = rpcauth_wrap_req_encode(task, xdr);
1928 		break;
1929 	case RPC_GSS_SVC_INTEGRITY:
1930 		status = gss_wrap_req_integ(cred, ctx, task, xdr);
1931 		break;
1932 	case RPC_GSS_SVC_PRIVACY:
1933 		status = gss_wrap_req_priv(cred, ctx, task, xdr);
1934 		break;
1935 	default:
1936 		status = -EIO;
1937 	}
1938 out:
1939 	gss_put_ctx(ctx);
1940 	return status;
1941 }
1942 
1943 /**
1944  * gss_update_rslack - Possibly update RPC receive buffer size estimates
1945  * @task: rpc_task for incoming RPC Reply being unwrapped
1946  * @cred: controlling rpc_cred for @task
1947  * @before: XDR words needed before each RPC Reply message
1948  * @after: XDR words needed following each RPC Reply message
1949  *
1950  */
1951 static void gss_update_rslack(struct rpc_task *task, struct rpc_cred *cred,
1952 			      unsigned int before, unsigned int after)
1953 {
1954 	struct rpc_auth *auth = cred->cr_auth;
1955 
1956 	if (test_and_clear_bit(RPCAUTH_AUTH_UPDATE_SLACK, &auth->au_flags)) {
1957 		auth->au_ralign = auth->au_verfsize + before;
1958 		auth->au_rslack = auth->au_verfsize + after;
1959 		trace_rpcgss_update_slack(task, auth);
1960 	}
1961 }
1962 
1963 static int
1964 gss_unwrap_resp_auth(struct rpc_task *task, struct rpc_cred *cred)
1965 {
1966 	gss_update_rslack(task, cred, 0, 0);
1967 	return 0;
1968 }
1969 
1970 /*
1971  * RFC 2203, Section 5.3.2.2
1972  *
1973  *	struct rpc_gss_integ_data {
1974  *		opaque databody_integ<>;
1975  *		opaque checksum<>;
1976  *	};
1977  *
1978  *	struct rpc_gss_data_t {
1979  *		unsigned int seq_num;
1980  *		proc_req_arg_t arg;
1981  *	};
1982  */
1983 static noinline_for_stack int
1984 gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
1985 		      struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp,
1986 		      struct xdr_stream *xdr)
1987 {
1988 	struct xdr_buf gss_data, *rcv_buf = &rqstp->rq_rcv_buf;
1989 	u32 len, offset, seqno, maj_stat;
1990 	struct xdr_netobj mic;
1991 	int ret;
1992 
1993 	ret = -EIO;
1994 	mic.data = NULL;
1995 
1996 	/* opaque databody_integ<>; */
1997 	if (xdr_stream_decode_u32(xdr, &len))
1998 		goto unwrap_failed;
1999 	if (len & 3)
2000 		goto unwrap_failed;
2001 	offset = rcv_buf->len - xdr_stream_remaining(xdr);
2002 	if (xdr_stream_decode_u32(xdr, &seqno))
2003 		goto unwrap_failed;
2004 	if (seqno != rqstp->rq_seqno)
2005 		goto bad_seqno;
2006 	if (xdr_buf_subsegment(rcv_buf, &gss_data, offset, len))
2007 		goto unwrap_failed;
2008 
2009 	/*
2010 	 * The xdr_stream now points to the beginning of the
2011 	 * upper layer payload, to be passed below to
2012 	 * rpcauth_unwrap_resp_decode(). The checksum, which
2013 	 * follows the upper layer payload in @rcv_buf, is
2014 	 * located and parsed without updating the xdr_stream.
2015 	 */
2016 
2017 	/* opaque checksum<>; */
2018 	offset += len;
2019 	if (xdr_decode_word(rcv_buf, offset, &len))
2020 		goto unwrap_failed;
2021 	offset += sizeof(__be32);
2022 	if (offset + len > rcv_buf->len)
2023 		goto unwrap_failed;
2024 	mic.len = len;
2025 	mic.data = kmalloc(len, GFP_KERNEL);
2026 	if (ZERO_OR_NULL_PTR(mic.data))
2027 		goto unwrap_failed;
2028 	if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
2029 		goto unwrap_failed;
2030 
2031 	maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &gss_data, &mic);
2032 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
2033 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
2034 	if (maj_stat != GSS_S_COMPLETE)
2035 		goto bad_mic;
2036 
2037 	gss_update_rslack(task, cred, 2, 2 + 1 + XDR_QUADLEN(mic.len));
2038 	ret = 0;
2039 
2040 out:
2041 	kfree(mic.data);
2042 	return ret;
2043 
2044 unwrap_failed:
2045 	trace_rpcgss_unwrap_failed(task);
2046 	goto out;
2047 bad_seqno:
2048 	trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, seqno);
2049 	goto out;
2050 bad_mic:
2051 	trace_rpcgss_verify_mic(task, maj_stat);
2052 	goto out;
2053 }
2054 
2055 static noinline_for_stack int
2056 gss_unwrap_resp_priv(struct rpc_task *task, struct rpc_cred *cred,
2057 		     struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp,
2058 		     struct xdr_stream *xdr)
2059 {
2060 	struct xdr_buf *rcv_buf = &rqstp->rq_rcv_buf;
2061 	struct kvec *head = rqstp->rq_rcv_buf.head;
2062 	u32 offset, opaque_len, maj_stat;
2063 	__be32 *p;
2064 
2065 	p = xdr_inline_decode(xdr, 2 * sizeof(*p));
2066 	if (unlikely(!p))
2067 		goto unwrap_failed;
2068 	opaque_len = be32_to_cpup(p++);
2069 	offset = (u8 *)(p) - (u8 *)head->iov_base;
2070 	if (offset + opaque_len > rcv_buf->len)
2071 		goto unwrap_failed;
2072 
2073 	maj_stat = gss_unwrap(ctx->gc_gss_ctx, offset,
2074 			      offset + opaque_len, rcv_buf);
2075 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
2076 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
2077 	if (maj_stat != GSS_S_COMPLETE)
2078 		goto bad_unwrap;
2079 	/* gss_unwrap decrypted the sequence number */
2080 	if (be32_to_cpup(p++) != rqstp->rq_seqno)
2081 		goto bad_seqno;
2082 
2083 	/* gss_unwrap redacts the opaque blob from the head iovec.
2084 	 * rcv_buf has changed, thus the stream needs to be reset.
2085 	 */
2086 	xdr_init_decode(xdr, rcv_buf, p, rqstp);
2087 
2088 	gss_update_rslack(task, cred, 2 + ctx->gc_gss_ctx->align,
2089 			  2 + ctx->gc_gss_ctx->slack);
2090 
2091 	return 0;
2092 unwrap_failed:
2093 	trace_rpcgss_unwrap_failed(task);
2094 	return -EIO;
2095 bad_seqno:
2096 	trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, be32_to_cpup(--p));
2097 	return -EIO;
2098 bad_unwrap:
2099 	trace_rpcgss_unwrap(task, maj_stat);
2100 	return -EIO;
2101 }
2102 
2103 static bool
2104 gss_seq_is_newer(u32 new, u32 old)
2105 {
2106 	return (s32)(new - old) > 0;
2107 }
2108 
2109 static bool
2110 gss_xmit_need_reencode(struct rpc_task *task)
2111 {
2112 	struct rpc_rqst *req = task->tk_rqstp;
2113 	struct rpc_cred *cred = req->rq_cred;
2114 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
2115 	u32 win, seq_xmit = 0;
2116 	bool ret = true;
2117 
2118 	if (!ctx)
2119 		goto out;
2120 
2121 	if (gss_seq_is_newer(req->rq_seqno, READ_ONCE(ctx->gc_seq)))
2122 		goto out_ctx;
2123 
2124 	seq_xmit = READ_ONCE(ctx->gc_seq_xmit);
2125 	while (gss_seq_is_newer(req->rq_seqno, seq_xmit)) {
2126 		u32 tmp = seq_xmit;
2127 
2128 		seq_xmit = cmpxchg(&ctx->gc_seq_xmit, tmp, req->rq_seqno);
2129 		if (seq_xmit == tmp) {
2130 			ret = false;
2131 			goto out_ctx;
2132 		}
2133 	}
2134 
2135 	win = ctx->gc_win;
2136 	if (win > 0)
2137 		ret = !gss_seq_is_newer(req->rq_seqno, seq_xmit - win);
2138 
2139 out_ctx:
2140 	gss_put_ctx(ctx);
2141 out:
2142 	trace_rpcgss_need_reencode(task, seq_xmit, ret);
2143 	return ret;
2144 }
2145 
2146 static int
2147 gss_unwrap_resp(struct rpc_task *task, struct xdr_stream *xdr)
2148 {
2149 	struct rpc_rqst *rqstp = task->tk_rqstp;
2150 	struct rpc_cred *cred = rqstp->rq_cred;
2151 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred,
2152 			gc_base);
2153 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
2154 	int status = -EIO;
2155 
2156 	if (ctx->gc_proc != RPC_GSS_PROC_DATA)
2157 		goto out_decode;
2158 	switch (gss_cred->gc_service) {
2159 	case RPC_GSS_SVC_NONE:
2160 		status = gss_unwrap_resp_auth(task, cred);
2161 		break;
2162 	case RPC_GSS_SVC_INTEGRITY:
2163 		status = gss_unwrap_resp_integ(task, cred, ctx, rqstp, xdr);
2164 		break;
2165 	case RPC_GSS_SVC_PRIVACY:
2166 		status = gss_unwrap_resp_priv(task, cred, ctx, rqstp, xdr);
2167 		break;
2168 	}
2169 	if (status)
2170 		goto out;
2171 
2172 out_decode:
2173 	status = rpcauth_unwrap_resp_decode(task, xdr);
2174 out:
2175 	gss_put_ctx(ctx);
2176 	return status;
2177 }
2178 
2179 static const struct rpc_authops authgss_ops = {
2180 	.owner		= THIS_MODULE,
2181 	.au_flavor	= RPC_AUTH_GSS,
2182 	.au_name	= "RPCSEC_GSS",
2183 	.create		= gss_create,
2184 	.destroy	= gss_destroy,
2185 	.hash_cred	= gss_hash_cred,
2186 	.lookup_cred	= gss_lookup_cred,
2187 	.crcreate	= gss_create_cred,
2188 	.info2flavor	= gss_mech_info2flavor,
2189 	.flavor2info	= gss_mech_flavor2info,
2190 };
2191 
2192 static const struct rpc_credops gss_credops = {
2193 	.cr_name		= "AUTH_GSS",
2194 	.crdestroy		= gss_destroy_cred,
2195 	.cr_init		= gss_cred_init,
2196 	.crmatch		= gss_match,
2197 	.crmarshal		= gss_marshal,
2198 	.crrefresh		= gss_refresh,
2199 	.crvalidate		= gss_validate,
2200 	.crwrap_req		= gss_wrap_req,
2201 	.crunwrap_resp		= gss_unwrap_resp,
2202 	.crkey_timeout		= gss_key_timeout,
2203 	.crstringify_acceptor	= gss_stringify_acceptor,
2204 	.crneed_reencode	= gss_xmit_need_reencode,
2205 };
2206 
2207 static const struct rpc_credops gss_nullops = {
2208 	.cr_name		= "AUTH_GSS",
2209 	.crdestroy		= gss_destroy_nullcred,
2210 	.crmatch		= gss_match,
2211 	.crmarshal		= gss_marshal,
2212 	.crrefresh		= gss_refresh_null,
2213 	.crvalidate		= gss_validate,
2214 	.crwrap_req		= gss_wrap_req,
2215 	.crunwrap_resp		= gss_unwrap_resp,
2216 	.crstringify_acceptor	= gss_stringify_acceptor,
2217 };
2218 
2219 static const struct rpc_pipe_ops gss_upcall_ops_v0 = {
2220 	.upcall		= gss_v0_upcall,
2221 	.downcall	= gss_pipe_downcall,
2222 	.destroy_msg	= gss_pipe_destroy_msg,
2223 	.open_pipe	= gss_pipe_open_v0,
2224 	.release_pipe	= gss_pipe_release,
2225 };
2226 
2227 static const struct rpc_pipe_ops gss_upcall_ops_v1 = {
2228 	.upcall		= gss_v1_upcall,
2229 	.downcall	= gss_pipe_downcall,
2230 	.destroy_msg	= gss_pipe_destroy_msg,
2231 	.open_pipe	= gss_pipe_open_v1,
2232 	.release_pipe	= gss_pipe_release,
2233 };
2234 
2235 static __net_init int rpcsec_gss_init_net(struct net *net)
2236 {
2237 	return gss_svc_init_net(net);
2238 }
2239 
2240 static __net_exit void rpcsec_gss_exit_net(struct net *net)
2241 {
2242 	gss_svc_shutdown_net(net);
2243 }
2244 
2245 static struct pernet_operations rpcsec_gss_net_ops = {
2246 	.init = rpcsec_gss_init_net,
2247 	.exit = rpcsec_gss_exit_net,
2248 };
2249 
2250 /*
2251  * Initialize RPCSEC_GSS module
2252  */
2253 static int __init init_rpcsec_gss(void)
2254 {
2255 	int err = 0;
2256 
2257 	err = rpcauth_register(&authgss_ops);
2258 	if (err)
2259 		goto out;
2260 	err = gss_svc_init();
2261 	if (err)
2262 		goto out_unregister;
2263 	err = register_pernet_subsys(&rpcsec_gss_net_ops);
2264 	if (err)
2265 		goto out_svc_exit;
2266 	rpc_init_wait_queue(&pipe_version_rpc_waitqueue, "gss pipe version");
2267 	return 0;
2268 out_svc_exit:
2269 	gss_svc_shutdown();
2270 out_unregister:
2271 	rpcauth_unregister(&authgss_ops);
2272 out:
2273 	return err;
2274 }
2275 
2276 static void __exit exit_rpcsec_gss(void)
2277 {
2278 	unregister_pernet_subsys(&rpcsec_gss_net_ops);
2279 	gss_svc_shutdown();
2280 	rpcauth_unregister(&authgss_ops);
2281 	rcu_barrier(); /* Wait for completion of call_rcu()'s */
2282 }
2283 
2284 MODULE_ALIAS("rpc-auth-6");
2285 MODULE_LICENSE("GPL");
2286 module_param_named(expired_cred_retry_delay,
2287 		   gss_expired_cred_retry_delay,
2288 		   uint, 0644);
2289 MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until "
2290 		"the RPC engine retries an expired credential");
2291 
2292 module_param_named(key_expire_timeo,
2293 		   gss_key_expire_timeo,
2294 		   uint, 0644);
2295 MODULE_PARM_DESC(key_expire_timeo, "Time (in seconds) at the end of a "
2296 		"credential keys lifetime where the NFS layer cleans up "
2297 		"prior to key expiration");
2298 
2299 module_init(init_rpcsec_gss)
2300 module_exit(exit_rpcsec_gss)
2301