1. 03 10月, 2018 1 次提交
  2. 10 8月, 2018 1 次提交
  3. 08 8月, 2018 7 次提交
  4. 06 7月, 2018 2 次提交
    • R
      cifs: fix SMB1 breakage · 81f39f95
      Ronnie Sahlberg 提交于
      SMB1 mounting broke in commit 35e2cc1b
      ("cifs: Use correct packet length in SMB2_TRANSFORM header")
      Fix it and also rename smb2_rqst_len to smb_rqst_len
      to make it less unobvious that the function is also called from
      CIFS/SMB1
      
      Good job by Paulo reviewing and cleaning up Ronnie's original patch.
      Signed-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: NPaulo Alcantara <palcantara@suse.de>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      81f39f95
    • L
      cifs: Fix use after free of a mid_q_entry · 696e420b
      Lars Persson 提交于
      With protocol version 2.0 mounts we have seen crashes with corrupt mid
      entries. Either the server->pending_mid_q list becomes corrupt with a
      cyclic reference in one element or a mid object fetched by the
      demultiplexer thread becomes overwritten during use.
      
      Code review identified a race between the demultiplexer thread and the
      request issuing thread. The demultiplexer thread seems to be written
      with the assumption that it is the sole user of the mid object until
      it calls the mid callback which either wakes the issuer task or
      deletes the mid.
      
      This assumption is not true because the issuer task can be woken up
      earlier by a signal. If the demultiplexer thread has proceeded as far
      as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
      thread will happily end up calling cifs_delete_mid while the
      demultiplexer thread still is using the mid object.
      
      Inserting a delay in the cifs demultiplexer thread widens the race
      window and makes reproduction of the race very easy:
      
      		if (server->large_buf)
      			buf = server->bigbuf;
      
      +		usleep_range(500, 4000);
      
      		server->lstrp = jiffies;
      
      To resolve this I think the proper solution involves putting a
      reference count on the mid object. This patch makes sure that the
      demultiplexer thread holds a reference until it has finished
      processing the transaction.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NLars Persson <larper@axis.com>
      Acked-by: NPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      696e420b
  5. 16 6月, 2018 1 次提交
  6. 15 6月, 2018 4 次提交
    • P
      cifs: Fix kernel oops when traceSMB is enabled · 662bf5bc
      Paulo Alcantara 提交于
      When traceSMB is enabled through 'echo 1 > /proc/fs/cifs/traceSMB', after a
      mount, the following oops is triggered:
      
      [   27.137943] BUG: unable to handle kernel paging request at
      ffff8800f80c268b
      [   27.143396] PGD 2c6b067 P4D 2c6b067 PUD 0
      [   27.145386] Oops: 0000 [#1] SMP PTI
      [   27.146186] CPU: 2 PID: 2655 Comm: mount.cifs Not tainted 4.17.0+ #39
      [   27.147174] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
      1.0.0-prebuilt.qemu-project.org 04/01/2014
      [   27.148969] RIP: 0010:hex_dump_to_buffer+0x413/0x4b0
      [   27.149738] Code: 48 8b 44 24 08 31 db 45 31 d2 48 89 6c 24 18 44 89
      6c 24 24 48 c7 c1 78 b5 23 82 4c 89 64 24 10 44 89 d5 41 89 dc 4c 8d 58
      02 <44> 0f b7 00 4d 89 dd eb 1f 83 c5 01 41 01 c4 41 39 ef 0f 84 48 fe
      [   27.152396] RSP: 0018:ffffc9000058f8c0 EFLAGS: 00010246
      [   27.153129] RAX: ffff8800f80c268b RBX: 0000000000000000 RCX:
      ffffffff8223b578
      [   27.153867] RDX: 0000000000000000 RSI: ffffffff81a55496 RDI:
      0000000000000008
      [   27.154612] RBP: 0000000000000000 R08: 0000000000000020 R09:
      0000000000000083
      [   27.155355] R10: 0000000000000000 R11: ffff8800f80c268d R12:
      0000000000000000
      [   27.156101] R13: 0000000000000002 R14: ffffc9000058f94d R15:
      0000000000000008
      [   27.156838] FS:  00007f1693a6b740(0000) GS:ffff88007fd00000(0000)
      knlGS:0000000000000000
      [   27.158354] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   27.159093] CR2: ffff8800f80c268b CR3: 00000000798fa001 CR4:
      0000000000360ee0
      [   27.159892] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [   27.160661] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
      0000000000000400
      [   27.161464] Call Trace:
      [   27.162123]  print_hex_dump+0xd3/0x160
      [   27.162814] journal-offline (2658) used greatest stack depth: 13144
      bytes left
      [   27.162824]  ? __release_sock+0x60/0xd0
      [   27.165344]  ? tcp_sendmsg+0x31/0x40
      [   27.166177]  dump_smb+0x39/0x40
      [   27.166972]  ? vsnprintf+0x236/0x490
      [   27.167807]  __smb_send_rqst.constprop.12+0x103/0x430
      [   27.168554]  ? apic_timer_interrupt+0xa/0x20
      [   27.169306]  smb_send_rqst+0x48/0xc0
      [   27.169984]  cifs_send_recv+0xda/0x420
      [   27.170639]  SMB2_negotiate+0x23d/0xfa0
      [   27.171301]  ? vsnprintf+0x236/0x490
      [   27.171961]  ? smb2_negotiate+0x19/0x30
      [   27.172586]  smb2_negotiate+0x19/0x30
      [   27.173257]  cifs_negotiate_protocol+0x70/0xd0
      [   27.173935]  ? kstrdup+0x43/0x60
      [   27.174551]  cifs_get_smb_ses+0x295/0xbe0
      [   27.175260]  ? lock_timer_base+0x67/0x80
      [   27.175936]  ? __internal_add_timer+0x1a/0x50
      [   27.176575]  ? add_timer+0x10f/0x230
      [   27.177267]  cifs_mount+0x101/0x1190
      [   27.177940]  ? cifs_smb3_do_mount+0x144/0x5c0
      [   27.178575]  cifs_smb3_do_mount+0x144/0x5c0
      [   27.179270]  mount_fs+0x35/0x150
      [   27.179930]  vfs_kern_mount.part.28+0x54/0xf0
      [   27.180567]  do_mount+0x5ad/0xc40
      [   27.181234]  ? kmem_cache_alloc_trace+0xed/0x1a0
      [   27.181916]  ksys_mount+0x80/0xd0
      [   27.182535]  __x64_sys_mount+0x21/0x30
      [   27.183220]  do_syscall_64+0x4e/0x100
      [   27.183882]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   27.184535] RIP: 0033:0x7f169339055a
      [   27.185192] Code: 48 8b 0d 41 d9 2b 00 f7 d8 64 89 01 48 83 c8 ff c3
      66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f
      05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0e d9 2b 00 f7 d8 64 89 01 48
      [   27.187268] RSP: 002b:00007fff7b44eb58 EFLAGS: 00000202 ORIG_RAX:
      00000000000000a5
      [   27.188515] RAX: ffffffffffffffda RBX: 00007f1693a7e70e RCX:
      00007f169339055a
      [   27.189244] RDX: 000055b9f97f64e5 RSI: 000055b9f97f652c RDI:
      00007fff7b45074f
      [   27.189974] RBP: 000055b9fb8c9260 R08: 000055b9fb8ca8f0 R09:
      0000000000000000
      [   27.190721] R10: 0000000000000000 R11: 0000000000000202 R12:
      000055b9fb8ca8f0
      [   27.191429] R13: 0000000000000000 R14: 00007f1693a7c000 R15:
      00007f1693a7e91d
      [   27.192167] Modules linked in:
      [   27.192797] CR2: ffff8800f80c268b
      [   27.193435] ---[ end trace 67404c618badf323 ]---
      
      The problem was that dump_smb() had been called with an invalid pointer,
      that is, in __smb_send_rqst(), iov[1] doesn't exist (n_vec == 1).
      
      This patch fixes it by relying on the n_vec value to dump out the smb
      packets.
      Signed-off-by: NPaulo Alcantara <palcantara@suse.de>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      662bf5bc
    • R
    • R
      cifs: remove smb2_send_recv() · 40eff45b
      Ronnie Sahlberg 提交于
      Now that we have the plumbing to pass request without an rfc1002
      header all the way down to the point we write to the socket we no
      longer need the smb2_send_recv() function.
      Signed-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      40eff45b
    • R
      cifs: push rfc1002 generation down the stack · c713c877
      Ronnie Sahlberg 提交于
      Move the generation of the 4 byte length field down the stack and
      generate it immediately before we start writing the data to the socket.
      Signed-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NAurelien Aptel <aaptel@suse.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      c713c877
  7. 13 6月, 2018 1 次提交
    • K
      treewide: kmalloc() -> kmalloc_array() · 6da2ec56
      Kees Cook 提交于
      The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
      patch replaces cases of:
      
              kmalloc(a * b, gfp)
      
      with:
              kmalloc_array(a * b, gfp)
      
      as well as handling cases of:
      
              kmalloc(a * b * c, gfp)
      
      with:
      
              kmalloc(array3_size(a, b, c), gfp)
      
      as it's slightly less ugly than:
      
              kmalloc_array(array_size(a, b), c, gfp)
      
      This does, however, attempt to ignore constant size factors like:
      
              kmalloc(4 * 1024, gfp)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The tools/ directory was manually excluded, since it has its own
      implementation of kmalloc().
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        kmalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        kmalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
        , ...)
      )
      
      // Drop single-byte sizes and redundant parens.
      @@
      expression COUNT;
      typedef u8;
      typedef __u8;
      @@
      
      (
        kmalloc(
      -	sizeof(u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(__u8) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(char) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(unsigned char) * (COUNT)
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(u8) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(__u8) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(char) * COUNT
      +	COUNT
        , ...)
      |
        kmalloc(
      -	sizeof(unsigned char) * COUNT
      +	COUNT
        , ...)
      )
      
      // 2-factor product with sizeof(type/expression) and identifier or constant.
      @@
      type TYPE;
      expression THING;
      identifier COUNT_ID;
      constant COUNT_CONST;
      @@
      
      (
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (COUNT_ID)
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * COUNT_ID
      +	COUNT_ID, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * COUNT_CONST
      +	COUNT_CONST, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (COUNT_ID)
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * COUNT_ID
      +	COUNT_ID, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (COUNT_CONST)
      +	COUNT_CONST, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * COUNT_CONST
      +	COUNT_CONST, sizeof(THING)
        , ...)
      )
      
      // 2-factor product, only identifiers.
      @@
      identifier SIZE, COUNT;
      @@
      
      - kmalloc
      + kmalloc_array
        (
      -	SIZE * COUNT
      +	COUNT, SIZE
        , ...)
      
      // 3-factor product with 1 sizeof(type) or sizeof(expression), with
      // redundant parens removed.
      @@
      expression THING;
      identifier STRIDE, COUNT;
      type TYPE;
      @@
      
      (
        kmalloc(
      -	sizeof(TYPE) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        kmalloc(
      -	sizeof(THING) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      )
      
      // 3-factor product with 2 sizeof(variable), with redundant parens removed.
      @@
      expression THING1, THING2;
      identifier COUNT;
      type TYPE1, TYPE2;
      @@
      
      (
        kmalloc(
      -	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        kmalloc(
      -	sizeof(THING1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(THING1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      |
        kmalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      )
      
      // 3-factor product, only identifiers, with redundant parens removed.
      @@
      identifier STRIDE, SIZE, COUNT;
      @@
      
      (
        kmalloc(
      -	(COUNT) * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	(COUNT) * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        kmalloc(
      -	COUNT * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      )
      
      // Any remaining multi-factor products, first at least 3-factor products,
      // when they're not all constants...
      @@
      expression E1, E2, E3;
      constant C1, C2, C3;
      @@
      
      (
        kmalloc(C1 * C2 * C3, ...)
      |
        kmalloc(
      -	(E1) * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	(E1) * (E2) * E3
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	(E1) * (E2) * (E3)
      +	array3_size(E1, E2, E3)
        , ...)
      |
        kmalloc(
      -	E1 * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      )
      
      // And then all remaining 2 factors products when they're not all constants,
      // keeping sizeof() as the second factor argument.
      @@
      expression THING, E1, E2;
      type TYPE;
      constant C1, C2, C3;
      @@
      
      (
        kmalloc(sizeof(THING) * C2, ...)
      |
        kmalloc(sizeof(TYPE) * C2, ...)
      |
        kmalloc(C1 * C2 * C3, ...)
      |
        kmalloc(C1 * C2, ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * (E2)
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(TYPE) * E2
      +	E2, sizeof(TYPE)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * (E2)
      +	E2, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	sizeof(THING) * E2
      +	E2, sizeof(THING)
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	(E1) * E2
      +	E1, E2
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	(E1) * (E2)
      +	E1, E2
        , ...)
      |
      - kmalloc
      + kmalloc_array
        (
      -	E1 * E2
      +	E1, E2
        , ...)
      )
      Signed-off-by: NKees Cook <keescook@chromium.org>
      6da2ec56
  8. 06 6月, 2018 2 次提交
  9. 01 6月, 2018 1 次提交
  10. 26 4月, 2018 1 次提交
  11. 24 4月, 2018 1 次提交
  12. 13 4月, 2018 1 次提交
  13. 03 4月, 2018 1 次提交
  14. 02 4月, 2018 1 次提交
  15. 25 1月, 2018 3 次提交
  16. 06 7月, 2017 1 次提交
  17. 13 5月, 2017 1 次提交
  18. 10 5月, 2017 1 次提交
    • S
      Don't delay freeing mids when blocked on slow socket write of request · de1892b8
      Steve French 提交于
      When processing responses, and in particular freeing mids (DeleteMidQEntry),
      which is very important since it also frees the associated buffers (cifs_buf_release),
      we can block a long time if (writes to) socket is slow due to low memory or networking
      issues.
      
      We can block in send (smb request) waiting for memory, and be blocked in processing
      responess (which could free memory if we let it) - since they both grab the
      server->srv_mutex.
      
      In practice, in the DeleteMidQEntry case - there is no reason we need to
      grab the srv_mutex so remove these around DeleteMidQEntry, and it allows
      us to free memory faster.
      Signed-off-by: NSteve French <steve.french@primarydata.com>
      Acked-by: NPavel Shilovsky <pshilov@microsoft.com>
      de1892b8
  19. 28 4月, 2017 1 次提交
  20. 07 4月, 2017 1 次提交
    • S
      Handle mismatched open calls · 38bd4906
      Sachin Prabhu 提交于
      A signal can interrupt a SendReceive call which result in incoming
      responses to the call being ignored. This is a problem for calls such as
      open which results in the successful response being ignored. This
      results in an open file resource on the server.
      
      The patch looks into responses which were cancelled after being sent and
      in case of successful open closes the open fids.
      
      For this patch, the check is only done in SendReceive2()
      
      RH-bz: 1403319
      Signed-off-by: NSachin Prabhu <sprabhu@redhat.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Cc: Stable <stable@vger.kernel.org>
      38bd4906
  21. 02 2月, 2017 6 次提交
  22. 25 12月, 2016 1 次提交