From patchwork Tue Feb 13 06:53:19 2024
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 13554555
X-Mailing-List: linux-cifs@vger.kernel.org
From: Steve French
Date: Tue, 13 Feb 2024 00:53:19 -0600
Subject: [WIP PATCH] allow changing the password on remount in some cases
To: CIFS
Cc: Shyam Prasad N, Bharath S M, Meetakshi Setiya, David Howells, samba-technical

cifs: Work-in-progress patch to allow changing password during remount

There are cases where a session is disconnected but we can not reconnect successfully since the user's password has changed on the server (or expired) and this case currently can not be fixed without unmount and mounting again which is not always realistic to do. This patch allows remount to change the password when the session is disconnected.

This patch needs to be tested for cases where you have multiuser mounts and to make sure that there are no cases where we are changing passwords for a different user than the one for the master tcon's session (cifs_sb->tcon->ses->username)

Future patches should also allow us to setup the keyring (cifscreds) to have an "alternate password" so we would be able to change the password before the session drops (without the risk of races between when the password changes and the disconnect occurs - i.e. cases where the old password is still needed because the new password has not fully rolled out to all servers yet).

See attached patch

From 8632fcc917c0c35281b4bf4d8cadd5f5aaa18741 Mon Sep 17 00:00:00 2001
From: Steve French
Date: Tue, 13 Feb 2024 00:40:01 -0600
Subject: [PATCH] cifs: Work-in-progress patch to allow changing password during remount

There are cases where a session is disconnected and password has changed on the server (or expired) for this user and this currently can not be fixed without unmount and mounting again. This patch allows remount to change the password when the session is disconnected.

It needs to be tested for cases where you have multiuser mounts and to make sure that there are no cases where we are changing passwords for a different user than the one for the master tcon's session (cifs_sb->tcon->ses->username)

Future patches should also allow us to setup the keyring (cifscreds) to have an "alternate password" so we would be able to change the password before the session drops (without the risk of races between when the password changes and the disconnect occurs - i.e. cases where the old password is still needed because the new password has not fully rolled out to all servers yet).

Cc: stable@vger.kernel.org
Signed-off-by: Steve French
--- fs/smb/client/fs_context.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index aec8dbd1f9db..c7a0b2bd7a15 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -772,7 +772,7 @@ static void smb3_fs_context_free(struct fs_context *fc) */ static int smb3_verify_reconfigure_ctx(struct fs_context *fc, struct smb3_fs_context *new_ctx, - struct smb3_fs_context *old_ctx) + struct smb3_fs_context *old_ctx, bool need_recon) { if (new_ctx->posix_paths != old_ctx->posix_paths) { cifs_errorf(fc, "can not change posixpaths during remount\n"); 
@@ -798,8 +798,11 @@ static int smb3_verify_reconfigure_ctx(struct fs_context *fc, } if (new_ctx->password && (!old_ctx->password || strcmp(new_ctx->password, old_ctx->password))) { - cifs_errorf(fc, "can not change password during remount\n"); - return -EINVAL; + if (need_recon == false) { + cifs_errorf(fc, + "can not change password of active session during remount\n"); + return -EINVAL; + } } if (new_ctx->domainname && (!old_ctx->domainname || strcmp(new_ctx->domainname, old_ctx->domainname))) { @@ -843,9 +846,15 @@ static int smb3_reconfigure(struct fs_context *fc) struct smb3_fs_context *ctx = smb3_fc2context(fc); struct dentry *root = fc->root; struct cifs_sb_info *cifs_sb = CIFS_SB(root->d_sb); + struct cifs_ses *ses = cifs_sb_master_tcon(cifs_sb)->ses; + bool need_recon = false; int rc; - rc = smb3_verify_reconfigure_ctx(fc, ctx, cifs_sb->ctx); + if ((ses->ses_status == SES_NEED_RECON) || + (ses->ses_status == SES_IN_SETUP)) + need_recon = true; + + rc = smb3_verify_reconfigure_ctx(fc, ctx, cifs_sb->ctx, need_recon); if (rc) return rc; @@ -858,7 +867,12 @@ static int smb3_reconfigure(struct fs_context *fc) STEAL_STRING(cifs_sb, ctx, UNC); STEAL_STRING(cifs_sb, ctx, source); STEAL_STRING(cifs_sb, ctx, username); - STEAL_STRING_SENSITIVE(cifs_sb, ctx, password); + if (need_recon == false) + STEAL_STRING_SENSITIVE(cifs_sb, ctx, password); + else { + kfree_sensitive(ses->password); + ses->password = kstrdup(ctx->password, GFP_KERNEL); + } STEAL_STRING(cifs_sb, ctx, domainname); STEAL_STRING(cifs_sb, ctx, nodename); STEAL_STRING(cifs_sb, ctx, iocharset); -- 2.40.1
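
Review bot: the new `bool need_recon` parameter added to smb3_verify_reconfigure_ctx() in the first hunk (@@ -772,7) is not described in the comment block that closes just above the function. Add a line stating that it relaxes only the password check and which session states set it, so a later caller does not pass true for a live session.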
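
Review bot: in the password check at @@ -798,8 the nested `if (need_recon == false)` can fold into the outer condition as `!need_recon && new_ctx->password && ...`, which removes one indentation level and follows kernel style for boolean tests. Because this is the only check the flag relaxes, a debug message on the accepted path would also leave a trace that a credential was changed by remount.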
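
Review bot: `ses->ses_status` is sampled once at the top of smb3_reconfigure() (@@ -843,9) with no lock taken in the visible lines, and the cached `need_recon` is reused later to decide whether ses->password is replaced. The session can leave SES_NEED_RECON or SES_IN_SETUP between the test and the update, so the "active session" restriction enforced in the verify function can be defeated by timing, and a reconnect in progress may read the password while it is being swapped. Hold the lock that protects the session status across both the check and the swap, or re-check the status at the point of the swap.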
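
Review bot: in the else branch at @@ -858,7 the old password is freed before the result of kstrdup() is known, so an allocation failure, or a NULL ctx->password (kstrdup(NULL) returns NULL), leaves ses->password NULL with the old secret already gone. Duplicate first, return -ENOMEM on failure, then kfree_sensitive() the old value and assign. This branch also skips the STEAL_STRING_SENSITIVE() update, so cifs_sb->ctx->password keeps the old value and the superblock context and the session disagree after a successful remount. The if/else should carry braces on both arms per kernel coding style.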