1. 12 Apr 2015, 6 commits
  2. 01 Apr 2015, 8 commits
  3. 22 Mar 2015, 1 commit
  4. 21 Mar 2015, 2 commits
    • cifs: fix use-after-free bug in find_writable_file · e1e9bda2
      David Disseldorp committed
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a use-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: David Disseldorp <ddiss@suse.de>
      Reviewed-by: Jeff Layton <jlayton@samba.org>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Steve French <smfrench@gmail.com>
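      Added example (not the kernel's code and not part of this commit): a single-threaded user-space model of the interleaving drawn above. The structures and function names are stand-ins for the cifs ones; "thread 2" is a callback run at the point where the real code has dropped cifs_file_list_lock for cifs_reopen_file(). kfree() is replaced by a tombstone flag so that touching a freed object can be counted instead of crashing. The `fixed` variant clears the stale pointer after the last put, so the refind pass cannot reuse it; this is the general fix for the pattern, not a claim about what the kernel patch itself changed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel objects; not the kernel's types. */
#define MAX_REOPEN_ATT 1          /* give up after this many refind passes */

struct cifs_file {
    struct cifs_file *next;       /* openFileList link */
    int count;                    /* reference count, as cifsFileInfo->count */
    bool invalid_handle;          /* needs cifs_reopen_file() before use */
    bool freed;                   /* tombstone standing in for kfree() */
};

struct cifs_inode {
    struct cifs_file *open_files; /* head of openFileList */
    bool other_thread_closed;     /* thread 2's cifs_close() happens once */
};

/* Poor man's sanitizer: count every touch of an already freed object. */
static int uaf_touches;

static void file_get(struct cifs_file *f)
{
    if (f->freed)
        uaf_touches++;
    f->count++;
}

static void file_put(struct cifs_inode *ino, struct cifs_file *f)
{
    if (f->freed)
        uaf_touches++;
    if (--f->count > 0)
        return;
    /* last reference: list_del() + kfree() */
    for (struct cifs_file **pp = &ino->open_files; *pp; pp = &(*pp)->next) {
        if (*pp == f) {
            *pp = f->next;
            break;
        }
    }
    f->freed = true;
}

/* Thread 2: cifs_close() -> cifsFileInfo_put(), interleaved while thread 1
 * is inside cifs_reopen_file() with the list lock dropped. */
static void other_thread_close(struct cifs_inode *ino, struct cifs_file *f)
{
    if (ino->other_thread_closed)
        return;
    ino->other_thread_closed = true;
    file_put(ino, f);
}

/* find_writable_file() with the reopen always failing (network outage).
 * 'fixed' selects whether the stale pointer is cleared before refinding. */
static struct cifs_file *find_writable(struct cifs_inode *ino, bool fixed)
{
    struct cifs_file *inv_file = NULL;
    int refind = 0;

refind_writable:
    if (refind > MAX_REOPEN_ATT)
        return NULL;

    for (struct cifs_file *f = ino->open_files; f; f = f->next) {
        if (!f->invalid_handle)
            return f;             /* usable handle found */
        if (!inv_file)            /* only the first invalid handle is kept */
            inv_file = f;
    }

    if (!inv_file)
        return NULL;

    file_get(inv_file);                 /* count 1 -> 2 on the first pass */
    other_thread_close(ino, inv_file);  /* lock dropped: thread 2's put, 2 -> 1 */
    file_put(ino, inv_file);            /* reopen failed: 1 -> 0, object freed */
    if (fixed)
        inv_file = NULL;                /* never reuse a pointer we no longer hold */
    ++refind;
    goto refind_writable;
}

/* Run the scenario once and report how many freed-object touches occurred. */
int simulate(bool fixed)
{
    struct cifs_file *f = calloc(1, sizeof *f);  /* constructed sample state */
    struct cifs_inode ino = { .open_files = f };
    f->count = 1;
    f->invalid_handle = true;
    uaf_touches = 0;

    (void)find_writable(&ino, fixed);   /* NULL either way; the touches differ */
    int touches = uaf_touches;
    free(f);
    return touches;
}

int main(void)
{
    printf("buggy: %d use-after-free touches\n", simulate(false));
    printf("fixed: %d use-after-free touches\n", simulate(true));
    return 0;
}
```

      In the buggy variant the second pass traverses an empty list, keeps the stale inv_file, and touches the freed object twice (the get and the put); the fixed variant returns NULL with no touch. Building with -fsanitize=address and a real free() instead of the tombstone turns the first touch into a crash.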
    • cifs: smb2_clone_range() - exit on unhandled error · 2477bc58
      Sachin Prabhu committed
      While attempting to clone a file on a samba server, we receive a
      STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which
      isn't handled in smb2_clone_range(). We end up looping in the while loop
      making same call to the samba server over and over again.
      
      The proposed fix is to exit and return the error value when an
      unhandled error is encountered.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
      Signed-off-by: Steve French <steve.french@primarydata.com>
      Signed-off-by: Steve French <smfrench@gmail.com>
  5. 17 Feb 2015, 1 commit
  6. 11 Feb 2015, 1 commit
  7. 27 Jan 2015, 1 commit
  8. 21 Jan 2015, 2 commits
  9. 20 Jan 2015, 2 commits
  10. 19 Jan 2015, 1 commit
    • fix deadlock in cifs_ioctl_clone() · 378ff1a5
      Al Viro committed
      It really needs to check that src is non-directory *and* use
      {un,}lock_two_nodirectories().  As it is, it's trivial to cause
      double-lock (ioctl(fd, CIFS_IOC_COPYCHUNK_FILE, fd)) and if the
      last argument is an fd of directory, we are asking for trouble
      by violating the locking order - all directories go before all
      non-directories.  If the last argument is an fd of parent
      directory, it has 50% odds of locking child before parent,
      which will cause AB-BA deadlock if we race with unlink().
      
      Cc: stable@vger.kernel.org @ 3.13+
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
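      Added example (not the kernel's code and not this commit's diff): a user-space model of the locking rule the message spells out. Inode, lock and function names are hypothetical; `take()` stands in for a non-recursive inode mutex and reports a self-deadlock instead of hanging. `clone_lock()` refuses a directory endpoint before taking any lock, locks a single inode once when both fds name the same file, and takes two distinct non-directories in one global order (ascending address, the convention lock_two_nondirectories() uses). `naive_lock()` mirrors the bug by locking the arguments as given.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct inode {
    bool is_dir;
    int held;                      /* 0 or 1: our caller's i_mutex stand-in */
};

/* Order in which locks were taken, for inspection by the scenarios below. */
#define LOG_MAX 8
static struct inode *acquire_log[LOG_MAX];
static int acquire_len;

static int take(struct inode *i)
{
    if (i->held)
        return -EDEADLK;           /* would self-deadlock on a real mutex */
    i->held = 1;
    if (acquire_len < LOG_MAX)
        acquire_log[acquire_len++] = i;
    return 0;
}

static void drop(struct inode *i) { i->held = 0; }

/* Lock the two endpoints of a clone in a deadlock-free way. */
int clone_lock(struct inode *src, struct inode *dst)
{
    if (src->is_dir || dst->is_dir)
        return -EISDIR;            /* refuse directories before any lock */
    if (src == dst)
        return take(src);          /* ioctl(fd, ..., fd): one inode, one lock */
    bool src_first = (uintptr_t)src < (uintptr_t)dst;
    struct inode *first = src_first ? src : dst;
    struct inode *second = src_first ? dst : src;
    int rc = take(first);
    if (rc)
        return rc;
    rc = take(second);
    if (rc)
        drop(first);
    return rc;
}

void clone_unlock(struct inode *src, struct inode *dst)
{
    drop(src);
    if (src != dst)
        drop(dst);
}

/* Buggy shape: lock both arguments in the order the caller passed them. */
int naive_lock(struct inode *src, struct inode *dst)
{
    int rc = take(src);
    if (rc)
        return rc;
    rc = take(dst);
    if (rc)
        drop(src);
    return rc;
}

/* Scenarios matching the cases in the commit message (constructed inodes). */
int scenario_same_fd_naive(void)   /* ioctl(fd, CIFS_IOC_COPYCHUNK_FILE, fd) */
{
    struct inode f = { .is_dir = false };
    return naive_lock(&f, &f);     /* -EDEADLK: second take() finds it held */
}

int scenario_same_fd_fixed(void)
{
    struct inode f = { .is_dir = false };
    int rc = clone_lock(&f, &f);
    clone_unlock(&f, &f);
    return rc;                     /* 0 */
}

int scenario_dir_endpoint(void)
{
    struct inode f = { 0 }, d = { .is_dir = true };
    return clone_lock(&f, &d);     /* -EISDIR, nothing left locked */
}

/* True if swapping the argument order still locks the same inode first. */
bool scenario_order_stable(void)
{
    struct inode a = { 0 }, b = { 0 };
    acquire_len = 0;
    if (clone_lock(&a, &b))
        return false;
    struct inode *first_ab = acquire_log[0];
    clone_unlock(&a, &b);
    acquire_len = 0;
    if (clone_lock(&b, &a))
        return false;
    struct inode *first_ba = acquire_log[0];
    clone_unlock(&b, &a);
    return first_ab == first_ba;
}

int main(void)
{
    printf("same fd, naive: %d\n", scenario_same_fd_naive());
    printf("same fd, fixed: %d\n", scenario_same_fd_fixed());
    printf("dir endpoint:   %d\n", scenario_dir_endpoint());
    printf("order stable:   %d\n", scenario_order_stable());
    return 0;
}
```

      The stable ordering is what removes the AB-BA window the message describes: two callers that name the same pair of files in opposite order still acquire in the same sequence, and a directory can never be taken after a non-directory because it is rejected up front.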
  11. 17 Jan 2015, 3 commits
  12. 23 Dec 2014, 1 commit
  13. 15 Dec 2014, 2 commits
    • Fix signed/unsigned pointer warning · 97c7134a
      Kevin Cernekee committed
      Commit 2ae83bf9 ("[CIFS] Fix setting time before epoch (negative
      time values)") changed "u64 t" to "s64 t", which makes do_div() complain
      about a pointer signedness mismatch:
      
            CC      fs/cifs/netmisc.o
          In file included from ./arch/mips/include/asm/div64.h:12:0,
                           from include/linux/kernel.h:124,
                           from include/linux/list.h:8,
                           from include/linux/wait.h:6,
                           from include/linux/net.h:23,
                           from fs/cifs/netmisc.c:25:
          fs/cifs/netmisc.c: In function ‘cifs_NTtimeToUnix’:
          include/asm-generic/div64.h:43:28: warning: comparison of distinct pointer types lacks a cast [enabled by default]
            (void)(((typeof((n)) *)0) == ((uint64_t *)0)); \
                                      ^
          fs/cifs/netmisc.c:941:22: note: in expansion of macro ‘do_div’
             ts.tv_nsec = (long)do_div(t, 10000000) * 100;
      
      Introduce a temporary "u64 abs_t" variable to fix this.
      Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
      Signed-off-by: Steve French <steve.french@primarydata.com>
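      Added example (not the kernel's cifs_NTtimeToUnix() and not this commit's diff) showing why an unsigned temporary is needed: do_div() takes the dividend by pointer as an unsigned 64-bit value, so a signed `t` cannot be passed to it, yet pre-1970 timestamps make `t` negative. The conversion below splits on the sign, divides the magnitude as a u64, and restores the sign on both fields. `udiv_rem()` is our stand-in for do_div() and `NTFS_TIME_OFFSET` is defined here for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* NT time counts 100 ns ticks since 1601-01-01; this is the Unix epoch in
 * those ticks (11644473600 s * 10^7). Defined here for the example. */
#define NTFS_TIME_OFFSET ((uint64_t)11644473600ULL * 10000000ULL)

struct unix_ts {
    int64_t sec;
    long nsec;
};

/* Stand-in for do_div(): divides an unsigned 64-bit dividend in place and
 * returns the remainder. The uint64_t* parameter is the constraint that
 * produced the warning once the dividend became a signed s64. */
static uint32_t udiv_rem(uint64_t *n, uint32_t base)
{
    uint32_t rem = (uint32_t)(*n % base);
    *n /= base;
    return rem;
}

struct unix_ts nt_to_unix(uint64_t ntutc)
{
    struct unix_ts ts;
    /* Unsigned subtraction wraps for pre-1970 values; the cast recovers the
     * negative offset on two's-complement targets. */
    int64_t t = (int64_t)(ntutc - NTFS_TIME_OFFSET);
    uint64_t abs_t;                       /* unsigned magnitude for the divide */

    if (t < 0) {
        abs_t = (uint64_t)(-t);
        ts.nsec = -(long)udiv_rem(&abs_t, 10000000) * 100;
        ts.sec = -(int64_t)abs_t;
    } else {
        abs_t = (uint64_t)t;
        ts.nsec = (long)udiv_rem(&abs_t, 10000000) * 100;
        ts.sec = (int64_t)abs_t;
    }
    return ts;
}

int main(void)
{
    /* Constructed inputs: the epoch itself, 1.5 s after it, 1.5 s before it. */
    uint64_t samples[] = { NTFS_TIME_OFFSET, NTFS_TIME_OFFSET + 15000000,
                           NTFS_TIME_OFFSET - 15000000, 0 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct unix_ts ts = nt_to_unix(samples[i]);
        printf("nt=%llu -> sec=%lld nsec=%ld\n",
               (unsigned long long)samples[i], (long long)ts.sec, ts.nsec);
    }
    return 0;
}
```

      Both fields carry the sign, so a value 1.5 s before the epoch comes back as sec -1, nsec -500000000 rather than sec -2, nsec +500000000; callers that normalise timespecs should be aware of that convention.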
    • Convert MessageID in smb2_hdr to LE · 9235d098
      Sachin Prabhu committed
      We have encountered failures when testing smb2 mounts on ppc64
      machines when using both Samba and Windows 2012.
      
      On poking around, the problem was determined to be caused by the
      high endian MessageID passed in the header for smb2. On checking the
      corresponding MID for smb1 is converted to LE before being sent on the
      wire.
      
      We have tested this patch successfully on a ppc64 machine.
      Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
  14. 11 Dec 2014, 3 commits
  15. 08 Dec 2014, 6 commits