mk-rootfs.sh

hc

2023-12-11 072de836f53be56a70cecf70b43ae43b7ce17376

 kernel/fs/cifs/smb2misc.c
..
..
@@ -29,6 +29,7 @@
29
29
 #include "cifs_unicode.h"
30
30
 #include "smb2status.h"
31
31
 #include "smb2glob.h"
32
+#include "nterr.h"
32
33
 
33
34
 static int
34
35
 check_smb2_hdr(struct smb2_sync_hdr *shdr, __u64 mid)
..
..
@@ -93,6 +94,8 @@
93
94
 	/* SMB2_OPLOCK_BREAK */ cpu_to_le16(24)
94
95
 };
95
96
 
97
+#define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_sync_hdr) + sizeof(struct smb2_negotiate_rsp))
98
+
96
99
 static __u32 get_neg_ctxt_len(struct smb2_sync_hdr *hdr, __u32 len,
97
100
 			      __u32 non_ctxlen)
98
101
 {
..
..
@@ -108,15 +111,21 @@
108
111
 
109
112
 	/* Make sure that negotiate contexts start after gss security blob */
110
113
 	nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset);
111
-	if (nc_offset < non_ctxlen) {
112
-		printk_once(KERN_WARNING "invalid negotiate context offset\n");
114
+	if (nc_offset + 1 < non_ctxlen) {
115
+		pr_warn_once("Invalid negotiate context offset %d\n", nc_offset);
113
116
 		return 0;
114
-	}
115
-	size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen;
117
+	} else if (nc_offset + 1 == non_ctxlen) {
118
+		cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n");
119
+		size_of_pad_before_neg_ctxts = 0;
120
+	} else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE)
121
+		/* has padding, but no SPNEGO blob */
122
+		size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1;
123
+	else
124
+		size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen;
116
125
 
117
126
 	/* Verify that at least minimal negotiate contexts fit within frame */
118
127
 	if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) {
119
-		printk_once(KERN_WARNING "negotiate context goes beyond end\n");
128
+		pr_warn_once("negotiate context goes beyond end\n");
120
129
 		return 0;
121
130
 	}
122
131
 
..
..
@@ -189,14 +198,14 @@
189
198
 		return 1;
190
199
 
191
200
 	if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
192
-		cifs_dbg(VFS, "Illegal structure size %u\n",
201
+		cifs_dbg(VFS, "Invalid structure size %u\n",
193
202
 			 le16_to_cpu(shdr->StructureSize));
194
203
 		return 1;
195
204
 	}
196
205
 
197
206
 	command = le16_to_cpu(shdr->Command);
198
207
 	if (command >= NUMBER_OF_SMB2_COMMANDS) {
199
-		cifs_dbg(VFS, "Illegal SMB2 command %d\n", command);
208
+		cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
200
209
 		return 1;
201
210
 	}
202
211
 
..
..
@@ -204,7 +213,7 @@
204
213
 		if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 ||
205
214
 		    pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2)) {
206
215
 			/* error packets have 9 byte structure size */
207
-			cifs_dbg(VFS, "Illegal response size %u for command %d\n",
216
+			cifs_dbg(VFS, "Invalid response size %u for command %d\n",
208
217
 				 le16_to_cpu(pdu->StructureSize2), command);
209
218
 			return 1;
210
219
 		} else if (command == SMB2_OPLOCK_BREAK_HE
..
..
@@ -212,7 +221,7 @@
212
221
 			   && (le16_to_cpu(pdu->StructureSize2) != 44)
213
222
 			   && (le16_to_cpu(pdu->StructureSize2) != 36)) {
214
223
 			/* special case for SMB2.1 lease break message */
215
-			cifs_dbg(VFS, "Illegal response size %d for oplock break\n",
224
+			cifs_dbg(VFS, "Invalid response size %d for oplock break\n",
216
225
 				 le16_to_cpu(pdu->StructureSize2));
217
226
 			return 1;
218
227
 		}
..
..
@@ -249,16 +258,10 @@
249
258
 		 * of junk. Other servers match RFC1001 len to actual
250
259
 		 * SMB2/SMB3 frame length (header + smb2 response specific data)
251
260
 		 * Some windows servers also pad up to 8 bytes when compounding.
252
-		 * If pad is longer than eight bytes, log the server behavior
253
-		 * (once), since may indicate a problem but allow it and continue
254
-		 * since the frame is parseable.
255
261
 		 */
256
-		if (clc_len < len) {
257
-			pr_warn_once(
258
-			     "srv rsp padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
259
-			     len, clc_len, command, mid);
262
+		if (clc_len < len)
260
263
 			return 0;
261
-		}
264
+
262
265
 		pr_warn_once(
263
266
 			"srv rsp too short, len %d not %d. cmd:%d mid:%llu\n",
264
267
 			len, clc_len, command, mid);
..
..
@@ -359,9 +362,13 @@
359
362
 		  ((struct smb2_ioctl_rsp *)shdr)->OutputCount);
360
363
 		break;
361
364
 	case SMB2_CHANGE_NOTIFY:
365
+		*off = le16_to_cpu(
366
+		  ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset);
367
+		*len = le32_to_cpu(
368
+		  ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength);
369
+		break;
362
370
 	default:
363
-		/* BB FIXME for unimplemented cases above */
364
-		cifs_dbg(VFS, "no length check for command\n");
371
+		cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command));
365
372
 		break;
366
373
 	}
367
374
 
..
..
@@ -747,19 +754,35 @@
747
754
 {
748
755
 	struct close_cancelled_open *cancelled = container_of(work,
749
756
 					struct close_cancelled_open, work);
757
+	struct cifs_tcon *tcon = cancelled->tcon;
758
+	int rc;
750
759
 
751
-	cifs_dbg(VFS, "Close unmatched open\n");
760
+	if (cancelled->mid)
761
+		cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llx\n",
762
+			      cancelled->mid);
763
+	else
764
+		cifs_tcon_dbg(VFS, "Close interrupted close\n");
752
765
 
753
-	SMB2_close(0, cancelled->tcon, cancelled->fid.persistent_fid,
754
-		   cancelled->fid.volatile_fid);
755
-	cifs_put_tcon(cancelled->tcon);
766
+	rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid,
767
+			cancelled->fid.volatile_fid);
768
+	if (rc)
769
+		cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc);
770
+
771
+	cifs_put_tcon(tcon);
756
772
 	kfree(cancelled);
757
773
 }
758
774
 
759
-/* Caller should already has an extra reference to @tcon */
775
+/*
776
+ * Caller should already has an extra reference to @tcon
777
+ * This function is used to queue work to close a handle to prevent leaks
778
+ * on the server.
779
+ * We handle two cases. If an open was interrupted after we sent the
780
+ * SMB2_CREATE to the server but before we processed the reply, and second
781
+ * if a close was interrupted before we sent the SMB2_CLOSE to the server.
782
+ */
760
783
 static int
761
-__smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid,
762
-			      __u64 volatile_fid)
784
+__smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid,
785
+			    __u64 persistent_fid, __u64 volatile_fid)
763
786
 {
764
787
 	struct close_cancelled_open *cancelled;
765
788
 
..
..
@@ -770,6 +793,8 @@
770
793
 	cancelled->fid.persistent_fid = persistent_fid;
771
794
 	cancelled->fid.volatile_fid = volatile_fid;
772
795
 	cancelled->tcon = tcon;
796
+	cancelled->cmd = cmd;
797
+	cancelled->mid = mid;
773
798
 	INIT_WORK(&cancelled->work, smb2_cancelled_close_fid);
774
799
 	WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false);
775
800
 
..
..
@@ -784,10 +809,25 @@
784
809
 
785
810
 	cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count);
786
811
 	spin_lock(&cifs_tcp_ses_lock);
812
+	if (tcon->tc_count <= 0) {
813
+		struct TCP_Server_Info *server = NULL;
814
+
815
+		WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
816
+		spin_unlock(&cifs_tcp_ses_lock);
817
+
818
+		if (tcon->ses)
819
+			server = tcon->ses->server;
820
+
821
+		cifs_server_dbg(FYI, "tid=%u: tcon is closing, skipping async close retry of fid %llu %llu\n",
822
+				tcon->tid, persistent_fid, volatile_fid);
823
+
824
+		return 0;
825
+	}
787
826
 	tcon->tc_count++;
788
827
 	spin_unlock(&cifs_tcp_ses_lock);
789
828
 
790
-	rc = __smb2_handle_cancelled_close(tcon, persistent_fid, volatile_fid);
829
+	rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0,
830
+					 persistent_fid, volatile_fid);
791
831
 	if (rc)
792
832
 		cifs_put_tcon(tcon);
793
833
 
..
..
@@ -795,14 +835,14 @@
795
835
 }
796
836
 
797
837
 int
798
-smb2_handle_cancelled_mid(char *buffer, struct TCP_Server_Info *server)
838
+smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server)
799
839
 {
800
-	struct smb2_sync_hdr *sync_hdr = (struct smb2_sync_hdr *)buffer;
801
-	struct smb2_create_rsp *rsp = (struct smb2_create_rsp *)buffer;
840
+	struct smb2_sync_hdr *sync_hdr = mid->resp_buf;
841
+	struct smb2_create_rsp *rsp = mid->resp_buf;
802
842
 	struct cifs_tcon *tcon;
803
843
 	int rc;
804
844
 
805
-	if (sync_hdr->Command != SMB2_CREATE ||
845
+	if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || sync_hdr->Command != SMB2_CREATE ||
806
846
 	    sync_hdr->Status != STATUS_SUCCESS)
807
847
 		return 0;
808
848
 
..
..
@@ -811,8 +851,11 @@
811
851
 	if (!tcon)
812
852
 		return -ENOENT;
813
853
 
814
-	rc = __smb2_handle_cancelled_close(tcon, rsp->PersistentFileId,
815
-					   rsp->VolatileFileId);
854
+	rc = __smb2_handle_cancelled_cmd(tcon,
855
+					 le16_to_cpu(sync_hdr->Command),
856
+					 le64_to_cpu(sync_hdr->MessageId),
857
+					 rsp->PersistentFileId,
858
+					 rsp->VolatileFileId);
816
859
 	if (rc)
817
860
 		cifs_put_tcon(tcon);
818
861
 
..
..
@@ -831,33 +874,47 @@
831
874
 	int i, rc;
832
875
 	struct sdesc *d;
833
876
 	struct smb2_sync_hdr *hdr;
877
+	struct TCP_Server_Info *server = cifs_ses_server(ses);
834
878
 
835
-	if (ses->server->tcpStatus == CifsGood) {
836
-		/* skip non smb311 connections */
837
-		if (ses->server->dialect != SMB311_PROT_ID)
838
-			return 0;
879
+	hdr = (struct smb2_sync_hdr *)iov[0].iov_base;
880
+	/* neg prot are always taken */
881
+	if (hdr->Command == SMB2_NEGOTIATE)
882
+		goto ok;
839
883
 
840
-		/* skip last sess setup response */
841
-		hdr = (struct smb2_sync_hdr *)iov[0].iov_base;
842
-		if (hdr->Flags & SMB2_FLAGS_SIGNED)
843
-			return 0;
844
-	}
884
+	/*
885
+	 * If we process a command which wasn't a negprot it means the
886
+	 * neg prot was already done, so the server dialect was set
887
+	 * and we can test it. Preauth requires 3.1.1 for now.
888
+	 */
889
+	if (server->dialect != SMB311_PROT_ID)
890
+		return 0;
845
891
 
846
-	rc = smb311_crypto_shash_allocate(ses->server);
892
+	if (hdr->Command != SMB2_SESSION_SETUP)
893
+		return 0;
894
+
895
+	/* skip last sess setup response */
896
+	if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
897
+	    && (hdr->Status == NT_STATUS_OK
898
+		|| (hdr->Status !=
899
+		    cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))))
900
+		return 0;
901
+
902
+ok:
903
+	rc = smb311_crypto_shash_allocate(server);
847
904
 	if (rc)
848
905
 		return rc;
849
906
 
850
-	d = ses->server->secmech.sdescsha512;
907
+	d = server->secmech.sdescsha512;
851
908
 	rc = crypto_shash_init(&d->shash);
852
909
 	if (rc) {
853
-		cifs_dbg(VFS, "%s: could not init sha512 shash\n", __func__);
910
+		cifs_dbg(VFS, "%s: Could not init sha512 shash\n", __func__);
854
911
 		return rc;
855
912
 	}
856
913
 
857
914
 	rc = crypto_shash_update(&d->shash, ses->preauth_sha_hash,
858
915
 				 SMB2_PREAUTH_HASH_SIZE);
859
916
 	if (rc) {
860
-		cifs_dbg(VFS, "%s: could not update sha512 shash\n", __func__);
917
+		cifs_dbg(VFS, "%s: Could not update sha512 shash\n", __func__);
861
918
 		return rc;
862
919
 	}
863
920
 
..
..
@@ -865,7 +922,7 @@
865
922
 		rc = crypto_shash_update(&d->shash,
866
923
 					 iov[i].iov_base, iov[i].iov_len);
867
924
 		if (rc) {
868
-			cifs_dbg(VFS, "%s: could not update sha512 shash\n",
925
+			cifs_dbg(VFS, "%s: Could not update sha512 shash\n",
869
926
 				 __func__);
870
927
 			return rc;
871
928
 		}
..
..
@@ -873,7 +930,7 @@
873
930
 
874
931
 	rc = crypto_shash_final(&d->shash, ses->preauth_sha_hash);
875
932
 	if (rc) {
876
-		cifs_dbg(VFS, "%s: could not finalize sha512 shash\n",
933
+		cifs_dbg(VFS, "%s: Could not finalize sha512 shash\n",
877
934
 			 __func__);
878
935
 		return rc;
879
936
 	}