  3. 08 Nov, 2023 1 commit
      cifs: Fix encryption of cleared, but unset rq_iter data buffers · 37de5a80
      David Howells authored
      Each smb_rqst struct contains two things: an array of kvecs (rq_iov) that
      contains the protocol data for an RPC op and an iterator (rq_iter) that
      contains the data payload of an RPC op.  When an smb_rqst is allocated
      rq_iter is always cleared, but we don't set it up unless we're going to
      use it.
      
      The function that determines the size of the ciphertext buffer that will
      be needed to encrypt a request, cifs_get_num_sgs(), assumes that rq_iter is
      always initialised - and employs user_backed_iter() to check that the
      iterator isn't user-backed.  This used to incidentally work, because
      ->user_backed was set to false because the iterator has never been
      initialised, but with commit f1b4cb65[1]
      which changes user_backed_iter() to determine this based on the iterator
      type instead, a warning is now emitted:
      
              WARNING: CPU: 7 PID: 4584 at fs/smb/client/cifsglob.h:2165 smb2_get_aead_req+0x3fc/0x420 [cifs]
              ...
              RIP: 0010:smb2_get_aead_req+0x3fc/0x420 [cifs]
              ...
               crypt_message+0x33e/0x550 [cifs]
               smb3_init_transform_rq+0x27d/0x3f0 [cifs]
               smb_send_rqst+0xc7/0x160 [cifs]
               compound_send_recv+0x3ca/0x9f0 [cifs]
               cifs_send_recv+0x25/0x30 [cifs]
               SMB2_tcon+0x38a/0x820 [cifs]
               cifs_get_smb_ses+0x69c/0xee0 [cifs]
               cifs_mount_get_session+0x76/0x1d0 [cifs]
               dfs_mount_share+0x74/0x9d0 [cifs]
               cifs_mount+0x6e/0x2e0 [cifs]
               cifs_smb3_do_mount+0x143/0x300 [cifs]
               smb3_get_tree+0x15e/0x290 [cifs]
               vfs_get_tree+0x2d/0xe0
               do_new_mount+0x124/0x340
               __se_sys_mount+0x143/0x1a0
      
      The problem is that rq_iter was never set, so the type is 0 (i.e. ITER_UBUF)
      which causes user_backed_iter() to return true.  The code doesn't
      malfunction because it checks the size of the iterator - which is 0.
      
      Fix cifs_get_num_sgs() to ignore rq_iter if its count is 0, thereby
      bypassing the warnings.
      
      It might be better to explicitly initialise rq_iter to a zero-length
      ITER_BVEC, say, as it can always be reinitialised later.
      
      Fixes: d08089f6 ("cifs: Change the I/O paths to use an iterator rather than a page list")
      Reported-by: Damian Tometzki <damian@riscv-rocks.de>
      Closes: https://lore.kernel.org/r/ZUfQo47uo0p2ZsYg@fedora.fritz.box/
      Tested-by: Damian Tometzki <damian@riscv-rocks.de>
      Cc: stable@vger.kernel.org
      cc: Eric Biggers <ebiggers@kernel.org>
      cc: linux-cifs@vger.kernel.org
      cc: linux-fsdevel@vger.kernel.org
      Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74 [1]
      Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  4. 20 Sep, 2023 1 commit
      cifs: Fix UAF in cifs_demultiplex_thread() · d527f513
      Zhang Xiaoxu authored
      There is a UAF when running xfstests on cifs:
      
        BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
        Read of size 4 at addr ffff88810103fc08 by task cifsd/923
      
        CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
        ...
        Call Trace:
         <TASK>
         dump_stack_lvl+0x34/0x44
         print_report+0x171/0x472
         kasan_report+0xad/0x130
         kasan_check_range+0x145/0x1a0
         smb2_is_network_name_deleted+0x27/0x160
         cifs_demultiplex_thread.cold+0x172/0x5a4
         kthread+0x165/0x1a0
         ret_from_fork+0x1f/0x30
         </TASK>
      
        Allocated by task 923:
         kasan_save_stack+0x1e/0x40
         kasan_set_track+0x21/0x30
         __kasan_slab_alloc+0x54/0x60
         kmem_cache_alloc+0x147/0x320
         mempool_alloc+0xe1/0x260
         cifs_small_buf_get+0x24/0x60
         allocate_buffers+0xa1/0x1c0
         cifs_demultiplex_thread+0x199/0x10d0
         kthread+0x165/0x1a0
         ret_from_fork+0x1f/0x30
      
        Freed by task 921:
         kasan_save_stack+0x1e/0x40
         kasan_set_track+0x21/0x30
         kasan_save_free_info+0x2a/0x40
         ____kasan_slab_free+0x143/0x1b0
         kmem_cache_free+0xe3/0x4d0
         cifs_small_buf_release+0x29/0x90
         SMB2_negotiate+0x8b7/0x1c60
         smb2_negotiate+0x51/0x70
         cifs_negotiate_protocol+0xf0/0x160
         cifs_get_smb_ses+0x5fa/0x13c0
         mount_get_conns+0x7a/0x750
         cifs_mount+0x103/0xd00
         cifs_smb3_do_mount+0x1dd/0xcb0
         smb3_get_tree+0x1d5/0x300
         vfs_get_tree+0x41/0xf0
         path_mount+0x9b3/0xdd0
         __x64_sys_mount+0x190/0x1d0
         do_syscall_64+0x35/0x80
         entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      The UAF is because:
      
       mount(pid: 921)               | cifsd(pid: 923)
      -------------------------------|-------------------------------
                                     | cifs_demultiplex_thread
      SMB2_negotiate                 |
       cifs_send_recv                |
        compound_send_recv           |
         smb_send_rqst               |
          wait_for_response          |
           wait_event_state      [1] |
                                     |  standard_receive3
                                     |   cifs_handle_standard
                                     |    handle_mid
                                     |     mid->resp_buf = buf;  [2]
                                     |     dequeue_mid           [3]
           KILL the process      [4] |
          resp_iov[i].iov_base = buf |
       free_rsp_buf              [5] |
                                     |   is_network_name_deleted [6]
                                     |   callback
      
      1. After sending the request to the server, wait for the response until
          mid->mid_state != SUBMITTED;
      2. Receive the response from the server, and set it in the mid;
      3. Set the mid state to RECEIVED;
      4. Kill the process; the mid state is already RECEIVED, so it gets 0;
      5. Handle and release the negotiate response;
      6. UAF.
      
      It can be easily reproduced by adding some delay between [3] and [6].
      
      Only the sync call has the problem since the async call's callback is
      executed in the cifsd process.
      
      Add an extra state to mark the mid state READY before waking up the
      waiter, then it can get the resp safely.
      
      Fixes: ec637e3f ("[CIFS] Avoid extra large buffer allocation (and memcpy) in cifs_readpages")
      Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
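The interleaving in this commit message, replayed as an added state-space check (my own example written for this page, not kernel code): two tasks model cifsd and the mount process with the numbered steps above, every schedule of the two is enumerated, and the waiter's wake condition is switched between the pre-fix `state != SUBMITTED` and the patched `state == READY`. The mid, its three states and the step order are a simplified model assumed from the description, not the driver's real structures.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mid states as in the commit: the fix adds READY on top of RECEIVED. */
enum mid_state { MID_SUBMITTED, MID_RECEIVED, MID_READY };

struct sim {
    enum mid_state state;   /* mid->mid_state */
    bool have_resp;         /* mid->resp_buf attached ([2]) */
    bool buf_freed;         /* free_rsp_buf() has run ([5]) */
    int cifsd_pc, mount_pc; /* next step of each task */
    bool fixed;             /* true: waiter needs MID_READY (patched behaviour) */
    bool uaf;               /* cifsd touched resp_buf after it was freed ([6]) */
};

/* cifsd task: handle_mid [2], dequeue_mid [3], is_network_name_deleted [6],
 * then (with the fix) mark the mid READY before waking the waiter. */
static bool cifsd_step(struct sim *s)
{
    switch (s->cifsd_pc) {
    case 0: s->have_resp = true; break;                 /* [2] mid->resp_buf = buf */
    case 1: s->state = MID_RECEIVED; break;              /* [3] dequeue_mid */
    case 2: if (s->buf_freed) s->uaf = true; break;      /* [6] reads resp_buf */
    case 3: if (s->fixed) s->state = MID_READY; break;   /* fix: READY before wakeup */
    default: return false;                               /* task finished */
    }
    s->cifsd_pc++;
    return true;
}

/* mount task: wait_for_response [1]/[4], then free_rsp_buf [5].  The kill in
 * [4] matters only because it returns as soon as the wait condition holds. */
static bool mount_step(struct sim *s)
{
    switch (s->mount_pc) {
    case 0: /* wait_event_state condition: "state != SUBMITTED" before the fix,
             * "state == READY" after it */
        if (s->fixed ? s->state != MID_READY : s->state == MID_SUBMITTED)
            return false;                                /* still blocked */
        break;
    case 1: s->buf_freed = true; break;                  /* [5] free_rsp_buf */
    default: return false;
    }
    s->mount_pc++;
    return true;
}

struct tally { int total; int uaf; };

/* Depth-first walk over every schedule of the two tasks. */
static void explore(struct sim s, struct tally *t)
{
    struct sim a = s, b = s;
    bool ran_a = cifsd_step(&a), ran_b = mount_step(&b);
    if (!ran_a && !ran_b) {                /* both finished: one complete schedule */
        t->total++;
        if (s.uaf) t->uaf++;
        return;
    }
    if (ran_a) explore(a, t);
    if (ran_b) explore(b, t);
}

/* Count schedules and how many of them end in a use-after-free. */
struct tally check_mid_protocol(bool fixed)
{
    struct sim s;
    struct tally t = { 0, 0 };
    memset(&s, 0, sizeof(s));
    s.fixed = fixed;
    explore(s, &t);
    return t;
}

int main(void)
{
    struct tally before = check_mid_protocol(false), after = check_mid_protocol(true);
    printf("before fix: %d of %d schedules hit the UAF\n", before.uaf, before.total);
    printf("after fix:  %d of %d schedules hit the UAF\n", after.uaf, after.total);
    return 0;
}
```

Before the fix exactly one of the six schedules frees the buffer between [3] and [6]; with the READY state the waiter cannot run until cifsd is done with the buffer, so only one schedule remains and it is safe.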
  9. 25 Aug, 2023 1 commit
      [SMB3] send channel sequence number in SMB3 requests after reconnects · 09ee7a3b
      Steve French authored
      The ChannelSequence field in the SMB3 header is supposed to be
      increased after reconnect to allow the server to distinguish
      requests from before and after the reconnect.  We had always
      been setting it to zero.  There are cases where incrementing
      ChannelSequence on requests after network reconnects can reduce
      the chance of data corruptions.
      
      See MS-SMB2 3.2.4.1 and 3.2.7.1
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Cc: stable@vger.kernel.org # 5.16+
  10. 20 Aug, 2023 6 commits
      smb: client: reduce stack usage in smb2_set_ea() · f4e5ceb6
      Paulo Alcantara authored
      Clang warns about an exceeded stack frame size:
      
        fs/smb/client/smb2ops.c:1080:1: warning: stack frame size (1432)
        exceeds limit (1024) in 'smb2_set_ea' [-Wframe-larger-than]
      
      Fix this by allocating a structure that will hold most of the large
      variables.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      smb: client: set reparse mount points as automounts · a18280e7
      Paulo Alcantara authored
      By doing so we can selectively mark those submounts as 'noserverino'
      rather than the whole mount, thus avoiding inode collisions in them.
      
      Consider a "test" SMB share that has two mounted NTFS volumes
      (vol0 & vol1) inside it.
      
      * Before patch
      
      $ mount.cifs //srv/test /mnt/1 -o ...,serverino
      $ ls -li /mnt/1/vol0
      total 1
      281474976710693 drwxr-xr-x 2 root root 0 Jul 15 00:23 $RECYCLE.BIN
      281474976710696 drwxr-xr-x 2 root root 0 Jul 18 18:23 System Volume...
      281474976710699 -rwxr-xr-x 1 root root 0 Aug 14 21:53 f0
      281474976710700 -rwxr-xr-x 1 root root 0 Aug 15 18:52 f2
      281474976710698 drwxr-xr-x 2 root root 0 Aug 12 19:39 foo
      281474976710692 -rwxr-xr-x 1 root root 5 Aug  4 21:18 vol0_f0.txt
      $ ls -li /mnt/1/vol1
      total 0
      281474976710693 drwxr-xr-x 2 root root 0 Jul 15 00:23 $RECYCLE.BIN
      281474976710696 drwxr-xr-x 2 root root 0 Jul 18 18:23 System Volume...
      281474976710698 drwxr-xr-x 2 root root 0 Aug 12 19:39 bar
      281474976710699 -rwxr-xr-x 1 root root 0 Aug 14 22:03 f0
      281474976710700 -rwxr-xr-x 1 root root 0 Aug 14 22:52 f1
      281474976710692 -rwxr-xr-x 1 root root 0 Jul 15 00:23 vol1_f0.txt
      
      * After patch
      
      $ mount.cifs //srv/test /mnt/1 -o ...,serverino
      $ ls -li /mnt/1/vol0
      total 1
      590 drwxr-xr-x 2 root root 0 Jul 15 00:23 $RECYCLE.BIN
      594 drwxr-xr-x 2 root root 0 Jul 18 18:23 System Volume Information
      591 -rwxr-xr-x 1 root root 0 Aug 14 21:53 f0
      592 -rwxr-xr-x 1 root root 0 Aug 15 18:52 f2
      593 drwxr-xr-x 2 root root 0 Aug 12 19:39 foo
      595 -rwxr-xr-x 1 root root 5 Aug  4 21:18 vol0_f0.txt
      $ ls -li /mnt/1/vol1
      total 0
      596 drwxr-xr-x 2 root root 0 Jul 15 00:23 $RECYCLE.BIN
      600 drwxr-xr-x 2 root root 0 Jul 18 18:23 System Volume Information
      597 drwxr-xr-x 2 root root 0 Aug 12 19:39 bar
      598 -rwxr-xr-x 1 root root 0 Aug 14 22:03 f0
      599 -rwxr-xr-x 1 root root 0 Aug 14 22:52 f1
      601 -rwxr-xr-x 1 root root 0 Jul 15 00:23 vol1_f0.txt
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      smb: client: do not query reparse points twice on symlinks · 9a49e221
      Paulo Alcantara authored
      Save a roundtrip by getting the reparse point tag and buffer at once
      in ->query_reparse_point() and then pass the buffer down to
      ->query_symlink().
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      smb: client: parse reparse point flag in create response · 5f71ebc4
      Paulo Alcantara authored
      Check for reparse point flag on query info calls as specified in
      MS-SMB2 2.2.14.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      smb: client: move some params to cifs_open_info_data · 8b4e285d
      Paulo Alcantara authored
      Instead of passing @adjust_tz and some reparse point related fields as
      parameters in ->query_path_info() and
      {smb311_posix,cifs}_info_to_fattr() calls, move them to
      cifs_open_info_data structure as they can be easily accessed through
      @data.
      
      No functional changes.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      smb: client: ensure to try all targets when finding nested links · ce04127c
      Paulo Alcantara authored
      With the current implementation, when a nested DFS link is found during
      mount(2), the client follows the referral and then tries to connect to
      all of its targets.  If all targets failed, the client bails out
      rather than retrying remaining targets from the previous referral.
      
      Fix this by stacking all referrals and targets so the client can retry
      remaining targets from previous referrals in case all targets of
      current referral have failed.
      
      Thanks to samba, this can be easily tested as below:
      
      * Run the following under dfs folder in samba server
      
        $ ln -s "msdfs:srv\\bad-share" link1
        $ ln -s "msdfs:srv\\dfs\\link1,srv\\good-share" link0
      
      * Before patch
      
        $ mount.cifs //srv/dfs/link0 /mnt -o ...
        mount error(2): No such file or directory
        Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)...
      
      * After patch
      
        $ mount.cifs //srv/dfs/link0 /mnt -o ...
        # ls /mnt
        bar  fileshare1  sub
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  13. 28 Jun, 2023 1 commit
      smb: client: fix shared DFS root mounts with different prefixes · 3ae872de
      Paulo Alcantara authored
      When having two DFS root mounts that are connected to the same namespace,
      with the same mount options but different prefix paths, we can't really use
      the shared @server->origin_fullpath when chasing DFS links in them.
      
      Move the origin_fullpath field to cifs_tcon structure so when having
      shared DFS root mounts with different prefix paths, and we need to
      chase any DFS links, dfs_get_automount_devname() will pick up the
      correct full path out of the @tcon that will be used for the new
      mount.
      
      Before patch
      
        mount.cifs //dom/dfs/dir /mnt/1 -o ...
        mount.cifs //dom/dfs /mnt/2 -o ...
        # shared server, ses, tcon
        # server: origin_fullpath=//dom/dfs/dir
      
        # @server->origin_fullpath + '/dir/link1'
        $ ls /mnt/2/dir/link1
        ls: cannot open directory '/mnt/2/dir/link1': No such file or directory
      
      After patch
      
        mount.cifs //dom/dfs/dir /mnt/1 -o ...
        mount.cifs //dom/dfs /mnt/2 -o ...
        # shared server & ses
        # tcon_1: origin_fullpath=//dom/dfs/dir
        # tcon_2: origin_fullpath=//dom/dfs
      
        # @tcon_2->origin_fullpath + '/dir/link1'
        $ ls /mnt/2/dir/link1
        dir0  dir1  dir10  dir3  dir5  dir6  dir7  dir9  target2_file.txt  tsub
      
      Fixes: 8e355415 ("cifs: fix sharing of DFS connections")
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  16. 17 May, 2023 1 commit
      SMB3: drop reference to cfile before sending oplock break · 59a556ae
      Bharath SM authored
      In the cifs_oplock_break function we drop the reference to a cfile at
      the end of the function, due to which the close command goes on the wire
      after the lease break acknowledgment even if the file is already closed
      by the application but we had deferred the handle close.
      If another client with limited file share access waiting on the lease
      break ack proceeds with an operation on that file as soon as the first client
      sends the ack, then we may encounter a status sharing violation error
      because of the open handle.
      The solution is to put the reference to the cfile (send close on the wire
      if it is the last ref) and then send the oplock acknowledgment to the server.
      
      Fixes: 9e31678f ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.")
      Cc: stable@kernel.org
      Signed-off-by: Bharath SM <bharathsm@microsoft.com>
      Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  18. 15 Mar, 2023 2 commits
      cifs: fix use-after-free bug in refresh_cache_worker() · 396935de
      Paulo Alcantara authored
      The UAF bug occurred because we were putting DFS root sessions in
      cifs_umount() while DFS cache refresher was being executed.
      
      Make DFS root sessions have the same lifetime as DFS tcons so we can avoid
      the use-after-free bug in the DFS cache refresher and other places that
      require IPCs to get new DFS referrals on.  Also, get rid of mount
      group handling in DFS cache as we no longer need it.
      
      This fixes the below use-after-free bug caught by KASAN:
      
      [ 379.946955] BUG: KASAN: use-after-free in __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
      [ 379.947642] Read of size 8 at addr ffff888018f57030 by task kworker/u4:3/56
      [ 379.948096]
      [ 379.948208] CPU: 0 PID: 56 Comm: kworker/u4:3 Not tainted 6.2.0-rc7-lku #23
      [ 379.948661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
      rel-1.16.0-0-gd239552-rebuilt.opensuse.org 04/01/2014
      [ 379.949368] Workqueue: cifs-dfscache refresh_cache_worker [cifs]
      [ 379.949942] Call Trace:
      [ 379.950113] <TASK>
      [ 379.950260] dump_stack_lvl+0x50/0x67
      [ 379.950510] print_report+0x16a/0x48e
      [ 379.950759] ? __virt_addr_valid+0xd8/0x160
      [ 379.951040] ? __phys_addr+0x41/0x80
      [ 379.951285] kasan_report+0xdb/0x110
      [ 379.951533] ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
      [ 379.952056] ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
      [ 379.952585] __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
      [ 379.953096] ? __pfx___refresh_tcon.isra.0+0x10/0x10 [cifs]
      [ 379.953637] ? __pfx___mutex_lock+0x10/0x10
      [ 379.953915] ? lock_release+0xb6/0x720
      [ 379.954167] ? __pfx_lock_acquire+0x10/0x10
      [ 379.954443] ? refresh_cache_worker+0x34e/0x6d0 [cifs]
      [ 379.954960] ? __pfx_wb_workfn+0x10/0x10
      [ 379.955239] refresh_cache_worker+0x4ad/0x6d0 [cifs]
      [ 379.955755] ? __pfx_refresh_cache_worker+0x10/0x10 [cifs]
      [ 379.956323] ? __pfx_lock_acquired+0x10/0x10
      [ 379.956615] ? read_word_at_a_time+0xe/0x20
      [ 379.956898] ? lockdep_hardirqs_on_prepare+0x12/0x220
      [ 379.957235] process_one_work+0x535/0x990
      [ 379.957509] ? __pfx_process_one_work+0x10/0x10
      [ 379.957812] ? lock_acquired+0xb7/0x5f0
      [ 379.958069] ? __list_add_valid+0x37/0xd0
      [ 379.958341] ? __list_add_valid+0x37/0xd0
      [ 379.958611] worker_thread+0x8e/0x630
      [ 379.958861] ? __pfx_worker_thread+0x10/0x10
      [ 379.959148] kthread+0x17d/0x1b0
      [ 379.959369] ? __pfx_kthread+0x10/0x10
      [ 379.959630] ret_from_fork+0x2c/0x50
      [ 379.959879] </TASK>
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Cc: stable@vger.kernel.org # 6.2
      Signed-off-by: Steve French <stfrench@microsoft.com>
      cifs: set DFS root session in cifs_get_smb_ses() · b56bce50
      Paulo Alcantara authored
      Set the DFS root session pointer earlier when creating a new SMB
      session to prevent racing with smb2_reconnect(), cifs_reconnect_tcon()
      and DFS cache refresher.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Cc: stable@vger.kernel.org # 6.2
      Signed-off-by: Steve French <stfrench@microsoft.com>
  24. 12 Dec, 2022 2 commits
      cifs: fix oops during encryption · f7f291e1
      Paulo Alcantara authored
      When running xfstests against Azure the following oops occurred on an
      arm64 system
      
        Unable to handle kernel write to read-only memory at virtual address
        ffff0001221cf000
        Mem abort info:
          ESR = 0x9600004f
          EC = 0x25: DABT (current EL), IL = 32 bits
          SET = 0, FnV = 0
          EA = 0, S1PTW = 0
          FSC = 0x0f: level 3 permission fault
        Data abort info:
          ISV = 0, ISS = 0x0000004f
          CM = 0, WnR = 1
        swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
        [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
        pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
        Internal error: Oops: 9600004f [#1] PREEMPT SMP
        ...
        pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
        pc : __memcpy+0x40/0x230
        lr : scatterwalk_copychunks+0xe0/0x200
        sp : ffff800014e92de0
        x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
        x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
        x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
        x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
        x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
        x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
        x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
        x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
        x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
        x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
        Call trace:
         __memcpy+0x40/0x230
         scatterwalk_map_and_copy+0x98/0x100
         crypto_ccm_encrypt+0x150/0x180
         crypto_aead_encrypt+0x2c/0x40
         crypt_message+0x750/0x880
         smb3_init_transform_rq+0x298/0x340
         smb_send_rqst.part.11+0xd8/0x180
         smb_send_rqst+0x3c/0x100
         compound_send_recv+0x534/0xbc0
         smb2_query_info_compound+0x32c/0x440
         smb2_set_ea+0x438/0x4c0
         cifs_xattr_set+0x5d4/0x7c0
      
      This is because in scatterwalk_copychunks(), we attempted to write to
      a buffer (@sign) that was allocated in the stack (vmalloc area) by
      crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
      crossing a page boundary.
      
      To simply fix it, we could just pass @sign kmalloc'd from
      crypt_message() and then we're done.  Luckily, we don't seem to pass
      any other vmalloc'd buffers in smb_rqst::rq_iov...
      
      Instead, let's map the correct pages and offsets from vmalloc buffers
      as well in cifs_sg_set_buf() and thus avoid such oopses.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
      Cc: stable@vger.kernel.org
      Signed-off-by: Steve French <stfrench@microsoft.com>
      cifs: minor cleanup of some headers · c19204cb
      Steve French authored
      checkpatch showed formatting problems with extra spaces,
      and extra semicolon and some missing blank lines in some
      cifs headers.
      Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
      Reviewed-by: Germano Percossi <germano.percossi@gmail.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  25. 15 Oct, 2022 1 commit
      smb3: improve SMB3 change notification support · e3e94634
      Steve French authored
      Change notification is a feature commonly supported by most servers,
      but the current ioctl to request notification when a directory is
      changed does not return the information about what changed
      (even though it is returned by the server in the SMB3 change
      notify response); it simply returns when there is a change.
      
      This ioctl improves upon CIFS_IOC_NOTIFY by returning the notify
      information structure which includes the name of the file(s) that
      changed and why. See MS-SMB2 2.2.35 for details on the individual
      filter flags and the file_notify_information structure returned.
      
      To use this simply pass in the following (with enough space
      to fit at least one file_notify_information structure)
      
      struct __attribute__((__packed__)) smb3_notify {
             uint32_t completion_filter;
             bool     watch_tree;
             uint32_t data_len;
             uint8_t  data[];
      } __packed;
      
      using CIFS_IOC_NOTIFY_INFO 0xc009cf0b
       or equivalently _IOWR(CIFS_IOCTL_MAGIC, 11, struct smb3_notify_info)
      
      The ioctl will block until the server detects a change to that
      directory or its subdirectories (if watch_tree is set).
      Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
      Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
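An added example (not from the commit or the kernel tree) of a userspace consumer of the ioctl described above: it fills the request struct as quoted in the message, then parses the returned FILE_NOTIFY_INFORMATION chain with bounds checks, since those bytes come from the server. The local struct definition, the two CompletionFilter constants and the sample response bytes are assumptions or constructed for this example, and the code does not rely on the kernel rewriting data_len on return.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request number and struct layout as quoted in the commit message; this is a
 * local copy for the example, not the kernel's uapi header. */
#define CIFS_IOC_NOTIFY_INFO 0xc009cf0b
#define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001   /* MS-SMB2 2.2.35 CompletionFilter bits */
#define FILE_NOTIFY_CHANGE_DIR_NAME  0x00000002

struct __attribute__((__packed__)) smb3_notify_info {
    uint32_t completion_filter;
    bool     watch_tree;
    uint32_t data_len;
    uint8_t  data[];
};

struct notify_entry { uint32_t action; char name[256]; };
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk the FILE_NOTIFY_INFORMATION chain returned in data: each entry is
 * NextEntryOffset, Action, FileNameLength (LE u32) and a UTF-16LE name without
 * NUL.  The bytes come from the server, so every offset is bounds-checked.
 * Returns the number of entries, or -1 if the chain is malformed. */
int parse_notify_info(const uint8_t *buf, size_t len, struct notify_entry *out, int max)
{
    size_t off = 0;
    int n = 0;
    for (;;) {
        uint32_t next, action, name_len;
        if (len - off < 12) return -1;                   /* fixed header must fit */
        next = le32(buf + off);
        action = le32(buf + off + 4);
        name_len = le32(buf + off + 8);
        if (name_len > len - off - 12) return -1;        /* name must fit */
        if (n < max) {
            size_t i, chars = name_len / 2;
            out[n].action = action;
            for (i = 0; i < chars && i < sizeof(out[n].name) - 1; i++) {
                uint16_t wc = buf[off + 12 + 2 * i] | buf[off + 13 + 2 * i] << 8;
                out[n].name[i] = wc < 0x80 ? (char)wc : '?'; /* keep ASCII, mask the rest */
            }
            out[n].name[i] = '\0';
        }
        n++;
        if (next == 0) return n;                         /* last entry in the chain */
        if (next < 12 || next > len - off) return -1;    /* must advance and stay in range */
        off += next;
    }
}

/* Constructed sample response: "a.txt" added (action 1, entry padded to 24
 * bytes), then "b" modified (action 3) as the final entry. */
const uint8_t sample_notify[] = {
    24,0,0,0, 1,0,0,0, 10,0,0,0, 'a',0,'.',0,'t',0,'x',0,'t',0, 0,0,
    0,0,0,0,  3,0,0,0, 2,0,0,0,  'b',0,
};
const size_t sample_notify_len = sizeof(sample_notify);

int main(int argc, char **argv)
{
    uint8_t raw[sizeof(struct smb3_notify_info) + 4096];
    struct smb3_notify_info *req = (struct smb3_notify_info *)raw;
    struct notify_entry ev[16];
    int fd, n, i;
    if (argc != 2) { fprintf(stderr, "usage: %s <dir on a cifs mount>\n", argv[0]); return 2; }
    fd = open(argv[1], O_RDONLY | O_DIRECTORY);
    if (fd < 0) { perror("open"); return 1; }
    memset(raw, 0, sizeof(raw));
    req->completion_filter = FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME;
    req->watch_tree = true;       /* also watch subdirectories */
    req->data_len = 4096;
    if (ioctl(fd, CIFS_IOC_NOTIFY_INFO, req) < 0) { perror("ioctl"); return 1; } /* blocks */
    n = parse_notify_info(req->data, 4096, ev, 16);  /* zeroed buffer: chain ends at next == 0 */
    for (i = 0; i < n && i < 16; i++)
        printf("action=%u name=%s\n", ev[i].action, ev[i].name);
    close(fd);
    return n < 0;
}
```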
  26. 13 Oct, 2022 1 commit
      cifs: improve symlink handling for smb2+ · 76894f3e
      Paulo Alcantara authored
      When creating inode for symlink, the client used to send below
      requests to fill it in:
      
          * create+query_info+close (STATUS_STOPPED_ON_SYMLINK)
          * create(+reparse_flag)+query_info+close (set file attrs)
          * create+ioctl(get_reparse)+close (query reparse tag)
      
      and then for every access to the symlink dentry, the ->link() method
      would send another:
      
          * create+ioctl(get_reparse)+close (parse symlink)
      
      So, in order to improve:
      
          (i) Get rid of unnecessary roundtrips and then resolve symlinks as
              follows:
      
              * create+query_info+close (STATUS_STOPPED_ON_SYMLINK +
                                         parse symlink + get reparse tag)
              * create(+reparse_flag)+query_info+close (set file attrs)
      
          (ii) Set the resolved symlink target directly in inode->i_link and
               use simple_get_link() for ->link() to simply return it.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>