1. 16 Nov 2020, 2 commits
    • smb3: Avoid Mid pending list corruption · ac873aa3
      Rohith Surabattula committed
      When a reconnect happens, the Mid queue can be corrupted when both the
      demultiplex and offload threads try to dequeue the MID from the
      pending list.
      
      These patches address a problem found during decryption offload:
               CIFS: VFS: trying to dequeue a deleted mid
      that could cause a refcount use after free:
               Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
      Signed-off-by: Rohith Surabattula <rohiths@microsoft.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
      CC: Stable <stable@vger.kernel.org> #5.4+
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • smb3: Call cifs reconnect from demultiplex thread · de9ac0a6
      Rohith Surabattula committed
      cifs_reconnect needs to be called only from the demultiplex thread.
      Skip cifs_reconnect in the offload thread, so that cifs_reconnect will be
      called by the demultiplex thread on a subsequent request.
      
      These patches address a problem found during decryption offload:
           CIFS: VFS: trying to dequeue a deleted mid
      that can cause a refcount use after free:
      
      [ 1271.389453] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
      [ 1271.389456] RIP: 0010:refcount_warn_saturate+0xae/0xf0
      [ 1271.389457] Code: fa 1d 6a 01 01 e8 c7 44 b1 ff 0f 0b 5d c3 80 3d e7 1d 6a 01 00 75 91 48 c7 c7 d8 be 1d a2 c6 05 d7 1d 6a 01 01 e8 a7 44 b1 ff <0f> 0b 5d c3 80 3d c5 1d 6a 01 00 0f 85 6d ff ff ff 48 c7 c7 30 bf
      [ 1271.389458] RSP: 0018:ffffa4cdc1f87e30 EFLAGS: 00010286
      [ 1271.389458] RAX: 0000000000000000 RBX: ffff9974d2809f00 RCX: ffff9974df898cc8
      [ 1271.389459] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9974df898cc0
      [ 1271.389460] RBP: ffffa4cdc1f87e30 R08: 0000000000000004 R09: 00000000000002c0
      [ 1271.389460] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9974b7fdb5c0
      [ 1271.389461] R13: ffff9974d2809f00 R14: ffff9974ccea0a80 R15: ffff99748e60db80
      [ 1271.389462] FS:  0000000000000000(0000) GS:ffff9974df880000(0000) knlGS:0000000000000000
      [ 1271.389462] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1271.389463] CR2: 000055c60f344fe4 CR3: 0000001031a3c002 CR4: 00000000003706e0
      [ 1271.389465] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1271.389465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 1271.389466] Call Trace:
      [ 1271.389483]  cifs_mid_q_entry_release+0xce/0x110 [cifs]
      [ 1271.389499]  smb2_decrypt_offload+0xa9/0x1c0 [cifs]
      [ 1271.389501]  process_one_work+0x1e8/0x3b0
      [ 1271.389503]  worker_thread+0x50/0x370
      [ 1271.389504]  kthread+0x12f/0x150
      [ 1271.389506]  ? process_one_work+0x3b0/0x3b0
      [ 1271.389507]  ? __kthread_bind_mask+0x70/0x70
      [ 1271.389509]  ret_from_fork+0x22/0x30
      Signed-off-by: Rohith Surabattula <rohiths@microsoft.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
      CC: Stable <stable@vger.kernel.org> #5.4+
      Signed-off-by: Steve French <stfrench@microsoft.com>
  2. 24 Oct 2020, 2 commits
    • smb3: remove two unused variables · 6a87266c
      Steve French committed
      Fix two unused variables in commit
      "add support for stat of WSL reparse points for special file types"
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • smb3: add support for stat of WSL reparse points for special file types · 2e4564b3
      Steve French committed
      This is needed so when mounting to Windows we do not
      misinterpret various special files created by Linux (WSL) as symlinks.
      An earlier patch addressed readdir.  This patch fixes stat (getattr).
      
      With this patch:
        File: /mnt1/char
        Size: 0          Blocks: 0          IO Block: 16384  character special file
      Device: 34h/52d Inode: 844424930132069  Links: 1     Device type: 0,0
      Access: (0755/crwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2020-10-21 17:46:51.839458900 -0500
      Modify: 2020-10-21 17:46:51.839458900 -0500
      Change: 2020-10-21 18:30:39.797358800 -0500
       Birth: -
        File: /mnt1/fifo
        Size: 0          Blocks: 0          IO Block: 16384  fifo
      Device: 34h/52d Inode: 1125899906842722  Links: 1
      Access: (0755/prwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2020-10-21 16:21:37.259249700 -0500
      Modify: 2020-10-21 16:21:37.259249700 -0500
      Change: 2020-10-21 18:30:39.797358800 -0500
       Birth: -
        File: /mnt1/block
        Size: 0          Blocks: 0          IO Block: 16384  block special file
      Device: 34h/52d Inode: 844424930132068  Links: 1     Device type: 0,0
      Access: (0755/brwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2020-10-21 17:10:47.913103200 -0500
      Modify: 2020-10-21 17:10:47.913103200 -0500
      Change: 2020-10-21 18:30:39.796725500 -0500
       Birth: -
      
      Without the patch, all show up incorrectly as symlinks, with an annoying "operation not supported" error also returned:
        File: /mnt1/charstat: cannot read symbolic link '/mnt1/char': Operation not supported
      
        Size: 0          Blocks: 0          IO Block: 16384  symbolic link
      Device: 34h/52d Inode: 844424930132069  Links: 1
      Access: (0000/l---------)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2020-10-21 17:46:51.839458900 -0500
      Modify: 2020-10-21 17:46:51.839458900 -0500
      Change: 2020-10-21 18:30:39.797358800 -0500
       Birth: -
        File: /mnt1/fifostat: cannot read symbolic link '/mnt1/fifo': Operation not supported
      
        Size: 0          Blocks: 0          IO Block: 16384  symbolic link
      Device: 34h/52d Inode: 1125899906842722  Links: 1
      Access: (0000/l---------)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2020-10-21 16:21:37.259249700 -0500
      Modify: 2020-10-21 16:21:37.259249700 -0500
      Change: 2020-10-21 18:30:39.797358800 -0500
       Birth: -
        File: /mnt1/blockstat: cannot read symbolic link '/mnt1/block': Operation not supported
      
        Size: 0          Blocks: 0          IO Block: 16384  symbolic link
      Device: 34h/52d Inode: 844424930132068  Links: 1
      Access: (0000/l---------)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2020-10-21 17:10:47.913103200 -0500
      Modify: 2020-10-21 17:10:47.913103200 -0500
      Change: 2020-10-21 18:30:39.796725500 -0500
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
  3. 22 Oct 2020, 2 commits
  4. 21 Oct 2020, 1 commit
  5. 20 Oct 2020, 3 commits
  6. 16 Oct 2020, 1 commit
  7. 12 Oct 2020, 1 commit
  8. 11 Oct 2020, 1 commit
    • cifs: Fix incomplete memory allocation on setxattr path · 64b7f674
      Vladimir Zapolskiy committed
      On the setxattr() syscall path, due to an apparent typo, the size of a dynamically
      allocated memory chunk for storing struct smb2_file_full_ea_info object is
      computed incorrectly, to be more precise the first addend is the size of
      a pointer instead of the wanted object size. Coincidentally it makes no
      difference on 64-bit platforms, however on 32-bit targets the following
      memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
      
        =============================================================================
        BUG kmalloc-16 (Not tainted): Redzone overwritten
        -----------------------------------------------------------------------------
      
        Disabling lock debugging due to kernel taint
        INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
        INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
        INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
      
        Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
        Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
        Redzone 79e69a6f: 73 68 32 0a                                      sh2.
        Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
        CPU: 0 PID: 8196 Comm: attr Tainted: G    B             5.9.0-rc8+ #3
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
        Call Trace:
         dump_stack+0x54/0x6e
         print_trailer+0x12c/0x134
         check_bytes_and_report.cold+0x3e/0x69
         check_object+0x18c/0x250
         free_debug_processing+0xfe/0x230
         __slab_free+0x1c0/0x300
         kfree+0x1d3/0x220
         smb2_set_ea+0x27d/0x540
         cifs_xattr_set+0x57f/0x620
         __vfs_setxattr+0x4e/0x60
         __vfs_setxattr_noperm+0x4e/0x100
         __vfs_setxattr_locked+0xae/0xd0
         vfs_setxattr+0x4e/0xe0
         setxattr+0x12c/0x1a0
         path_setxattr+0xa4/0xc0
         __ia32_sys_lsetxattr+0x1d/0x20
         __do_fast_syscall_32+0x40/0x70
         do_fast_syscall_32+0x29/0x60
         do_SYSENTER_32+0x15/0x20
         entry_SYSENTER_32+0x9f/0xf2
      
      Fixes: 5517554e ("cifs: Add support for writing attributes on SMB2+")
      Signed-off-by: Vladimir Zapolskiy <vladimir@tuxera.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  9. 08 Jul 2020, 1 commit
  10. 24 Jun 2020, 2 commits
  11. 22 Jun 2020, 1 commit
    • cifs: Fix cached_fid refcnt leak in open_shroot · 77577de6
      Xiyu Yang committed
      open_shroot() invokes kref_get(), which increases the refcount of the
      "tcon->crfid" object. When open_shroot() returns not zero, it means the
      open operation failed and close_shroot() will not be called to decrement
      the refcount of the "tcon->crfid".
      
      The reference counting issue happens in one normal path of
      open_shroot(). When the cached root has been opened successfully in a
      concurrent process, the function increases the refcount and jumps to
      "oshr_free" to return. However, the current return value "rc" may not
      equal 0, so the increased refcount will not be balanced outside the
      function, causing a refcnt leak.
      
      Fix this issue by setting the value of "rc" to 0 before jumping to the
      "oshr_free" label.
      Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
  12. 05 Jun 2020, 2 commits
    • cifs: multichannel: move channel selection above transport layer · 352d96f3
      Aurelien Aptel committed
      Move the channel (TCP_Server_Info*) selection from the transport
      layer to higher in the call stack so that:
      
      - credit handling is done with the server that will actually be used
        to send.
        * ->wait_mtu_credit
        * ->set_credits / set_credits
        * ->add_credits / add_credits
        * add_credits_and_wake_if
      
      - potential reconnection (smb2_reconnect) done when initializing a
        request is checked and done with the server that will actually be
        used to send.
      
      To do this:
      
      - remove the cifs_pick_channel() call out of compound_send_recv()
      
      - select channel and pass it down by adding a cifs_pick_channel(ses)
        call in:
        - smb311_posix_mkdir
        - SMB2_open
        - SMB2_ioctl
        - __SMB2_close
        - query_info
        - SMB2_change_notify
        - SMB2_flush
        - smb2_async_readv  (if none provided in context param)
        - SMB2_read         (if none provided in context param)
        - smb2_async_writev (if none provided in context param)
        - SMB2_write        (if none provided in context param)
        - SMB2_query_directory
        - send_set_info
        - SMB2_oplock_break
        - SMB311_posix_qfs_info
        - SMB2_QFS_info
        - SMB2_QFS_attr
        - smb2_lockv
        - SMB2_lease_break
        - smb2_compound_op
        - smb2_set_ea
        - smb2_ioctl_query_info
        - smb2_query_dir_first
        - smb2_query_info_compound
        - smb2_query_symlink
        - cifs_writepages
        - cifs_write_from_iter
        - cifs_send_async_read
        - cifs_read
        - cifs_readpages
      
      - add TCP_Server_Info *server param argument to:
        - cifs_send_recv
        - compound_send_recv
        - SMB2_open_init
        - SMB2_query_info_init
        - SMB2_set_info_init
        - SMB2_close_init
        - SMB2_ioctl_init
        - smb2_ioctl_req_init
        - SMB2_query_directory_init
        - SMB2_notify_init
        - SMB2_flush_init
        - build_qfs_info_req
        - smb2_hdr_assemble
        - smb2_reconnect
        - fill_small_buf
        - smb2_plain_req_init
        - __smb2_plain_req_init
      
      The read/write codepath is different than the rest as it is using
      pages, io iterators and async calls. To deal with those we add a
      server pointer in the cifs_writedata/cifs_readdata/cifs_io_parms
      context struct and set it in:
      
      - cifs_writepages      (wdata)
      - cifs_write_from_iter (wdata)
      - cifs_readpages       (rdata)
      - cifs_send_async_read (rdata)
      
      The [rw]data->server pointer is eventually copied to
      cifs_io_parms->server to pass it down to SMB2_read/SMB2_write.
      If SMB2_read/SMB2_write is called from a different place that doesn't
      set the server field it will pick a channel.
      
      Some places do not pick a channel and just use ses->server or
      cifs_ses_server(ses). All cifs_ses_server(ses) calls are in codepaths
      involving negprot/sess.setup.
      
      - SMB2_negotiate         (binding channel)
      - SMB2_sess_alloc_buffer (binding channel)
      - SMB2_echo              (uses provided one)
      - SMB2_logoff            (uses master)
      - SMB2_tdis              (uses master)
      
      (list not exhaustive)
      Signed-off-by: Aurelien Aptel <aaptel@suse.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • cifs: multichannel: always zero struct cifs_io_parms · 7c06514a
      Aurelien Aptel committed
      SMB2_read/SMB2_write check and use cifs_io_parms->server, which might
      be uninitialized memory.
      
      This change makes all callers zero-initialize the struct.
      Signed-off-by: Aurelien Aptel <aaptel@suse.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  13. 04 Jun 2020, 3 commits
  14. 01 Jun 2020, 2 commits
  15. 23 Apr 2020, 1 commit
  16. 30 Mar 2020, 1 commit
  17. 23 Mar 2020, 3 commits
  18. 18 Mar 2020, 2 commits
    • CIFS: fiemap: do not return EINVAL if get nothing · 979a2665
      Murphy Zhou committed
      If we call fiemap on a truncated file with no blocks allocated,
      it makes sense we get nothing from this call. No output means
      no blocks have been counted, but the call succeeded. It's a valid
      response.
      
      Simple example reproducer:
      xfs_io -f 'truncate 2M' -c 'fiemap -v' /cifssch/testfile
      xfs_io: ioctl(FS_IOC_FIEMAP) ["/cifssch/testfile"]: Invalid argument
      Signed-off-by: Murphy Zhou <jencce.kernel@gmail.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
    • CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first · 1be1fa42
      Shyam Prasad N committed
      The num_remote_opens counter keeps track of the number of open files which must be
      maintained by the server at any point. This is a per-tree-connect counter, and the value
      of this counter gets displayed in the /proc/fs/cifs/Stats output as follows:
      
      Open files: 0 total (local), 1 open on server
                                   ^^^^^^^^^^^^^^^^
      As a rule of thumb, we want to increment this counter for each open/create that we
      successfully execute on the server. Similarly, we should decrement the counter when
      we successfully execute a close.
      
      In this case, an increment was being missed in smb2_query_dir_first in the
      case of a successful open. As a result, we would underflow the counter and we
      could even see the counter go negative after sufficient smb2_query_dir_first calls.
      
      I tested the stats counter for a bunch of filesystem operations with the fix,
      and the counter looks correct to me.
      
      I also checked whether we missed the increments and decrements elsewhere. It does not
      seem so. The few other cases where an open is done and we don't increment the counter are
      the compound calls where the corresponding close is also sent in the request.
      Signed-off-by: Shyam Prasad N <nspmangalore@gmail.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Aurelien Aptel <aaptel@suse.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
  19. 25 Feb 2020, 1 commit
    • cifs: fix rename() by ensuring source handle opened with DELETE bit · 86f740f2
      Aurelien Aptel committed
      To rename a file in SMB2 we open it with the DELETE access and do a
      special SetInfo on it. If the handle is missing the DELETE bit the
      server will fail the SetInfo with STATUS_ACCESS_DENIED.
      
      We currently try to reuse any existing opened handle we have with
      cifs_get_writable_path(). That function looks for handles with WRITE
      access but doesn't check for DELETE, making rename() fail if it finds
      a handle to reuse. Simple reproducer below.
      
      To select handles with the DELETE bit, this patch adds a flag argument
      to cifs_get_writable_path() and find_writable_file() and the existing
      'bool fsuid_only' argument is converted to a flag.
      
      The cifsFileInfo struct only stores the UNIX open mode but not the
      original SMB access flags. Since the DELETE bit is not mapped in that
      mode, this patch stores the access mask in cifs_fid on file open,
      which is accessible from cifsFileInfo.
      
      Simple reproducer:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <sys/types.h>
      	#include <sys/stat.h>
      	#include <fcntl.h>
      	#include <unistd.h>
      	#define E(s) perror(s), exit(1)
      
      	int main(int argc, char *argv[])
      	{
      		int fd, ret;
      		if (argc != 3) {
      			fprintf(stderr, "Usage: %s A B\n"
      			"create&open A in write mode, "
      			"rename A to B, close A\n", argv[0]);
      			return 0;
      		}
      
      		fd = openat(AT_FDCWD, argv[1], O_WRONLY|O_CREAT|O_SYNC, 0666);
      		if (fd == -1) E("openat()");
      
      		ret = rename(argv[1], argv[2]);
      		if (ret) E("rename()");
      
      		ret = close(fd);
      		if (ret) E("close()");
      
      		return ret;
      	}
      
      $ gcc -o bugrename bugrename.c
      $ ./bugrename /mnt/a /mnt/b
      rename(): Permission denied
      
      Fixes: 8de9e86c ("cifs: create a helper to find a writeable handle by path name")
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: Aurelien Aptel <aaptel@suse.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
      Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
  20. 15 Feb 2020, 2 commits
  21. 06 Feb 2020, 1 commit
    • cifs: add SMB3 change notification support · d26c2ddd
      Steve French committed
      A commonly used SMB3 feature is change notification, allowing an
      app to be notified about changes to a directory. The SMB3
      Notify request blocks until the server detects a change to that
      directory or its contents that matches the completion flags
      that were passed in and the "watch_tree" flag (which indicates
      whether subdirectories under this directory should be also
      included).  See MS-SMB2 2.2.35 for additional detail.
      
      To use this simply pass in the following structure to ioctl:
      
       struct __attribute__((__packed__)) smb3_notify {
              uint32_t completion_filter;
              bool    watch_tree;
       } __packed;
      
       using CIFS_IOC_NOTIFY  0x4005cf09
       or equivalently _IOW(CIFS_IOCTL_MAGIC, 9, struct smb3_notify)
      
      SMB3 change notification is supported by all major servers.
      The ioctl will block until the server detects a change to that
      directory or its subdirectories (if watch_tree is set).
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Aurelien Aptel <aaptel@suse.com>
      Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
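As an added example (not code from the kernel or from this commit) of driving the interface the commit describes: a user-space program that fills the smb3_notify structure shown above and blocks in CIFS_IOC_NOTIFY on a directory of a CIFS mount, checking on the way that the packed struct is 5 bytes and that _IOW encodes to the 0x4005cf09 quoted in the message. CIFS_IOCTL_MAGIC (0xCF) is assumed from fs/cifs/cifs_ioctl.h, the FILE_NOTIFY_CHANGE_* bits from MS-SMB2 2.2.35, and the helper function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>

/* User-space mirror of the struct shown in the commit message; packed, so the
 * kernel receives exactly 5 bytes (4-byte filter + 1-byte flag). */
struct __attribute__((__packed__)) smb3_notify {
	uint32_t completion_filter;
	bool     watch_tree;
};

/* Magic assumed from fs/cifs/cifs_ioctl.h; _IOW(0xCF, 9, 5-byte struct) encodes to 0x4005cf09. */
#define CIFS_IOCTL_MAGIC 0xCF
#define CIFS_IOC_NOTIFY  _IOW(CIFS_IOCTL_MAGIC, 9, struct smb3_notify)

/* CompletionFilter bits, assumed from MS-SMB2 2.2.35 (FILE_NOTIFY_CHANGE_*). */
#define FILE_NOTIFY_CHANGE_FILE_NAME  0x00000001u
#define FILE_NOTIFY_CHANGE_DIR_NAME   0x00000002u
#define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010u

unsigned long smb3_notify_ioctl_nr(void) { return (unsigned long)CIFS_IOC_NOTIFY; }
size_t smb3_notify_size(void) { return sizeof(struct smb3_notify); }

/* Build the request the ioctl expects. */
struct smb3_notify smb3_notify_request(uint32_t filter, bool watch_tree)
{
	struct smb3_notify req = { .completion_filter = filter, .watch_tree = watch_tree };
	return req;
}

/* Block until the server reports a change under dirpath that matches filter
 * (and, if watch_tree is set, anywhere in its subtree).
 * Returns 0 when a change was reported, -1 with errno set otherwise. */
int smb3_wait_for_change(const char *dirpath, uint32_t filter, bool watch_tree)
{
	struct smb3_notify req = smb3_notify_request(filter, watch_tree);
	int fd = open(dirpath, O_RDONLY | O_DIRECTORY);
	if (fd < 0)
		return -1;
	int rc = ioctl(fd, CIFS_IOC_NOTIFY, &req);	/* blocks, per the commit text */
	int saved = errno;
	close(fd);
	errno = saved;
	return rc;
}

int main(int argc, char *argv[])
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <directory on a cifs mount>\n", argv[0]);
		return 2;
	}
	uint32_t filter = FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME |
			  FILE_NOTIFY_CHANGE_LAST_WRITE;
	if (smb3_wait_for_change(argv[1], filter, true)) {
		perror("CIFS_IOC_NOTIFY");
		return 1;
	}
	printf("change detected under %s\n", argv[1]);
	return 0;
}
```

On a non-CIFS directory the ioctl fails with an errno such as ENOTTY, which is a quick way to confirm the mount really is cifs before relying on notifications.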
  22. 05 Feb 2020, 1 commit
  23. 04 Feb 2020, 1 commit
  24. 27 Jan 2020, 3 commits