Author: Al Viro <[email protected]> Date: Tue Dec 19 00:33:46 2023 +0900 fs: introduce lock_rename_child() helper [ Upstream commit 9bc37e04823b5280dd0f22b6680fc23fe81ca325 ] Pass the dentry of a source file and the dentry of a destination directory to lock parent inodes for rename. As soon as this function returns, ->d_parent of the source file dentry is stable and inodes are properly locked for calling vfs-rename. This helper is needed for ksmbd server. rename request of SMB protocol has to rename an opened file, no matter which directory it's in. Signed-off-by: Al Viro <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Al Viro <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Arnd Bergmann <[email protected]> Date: Mon Oct 16 22:08:38 2023 +0200 kasan: disable kasan_non_canonical_hook() for HW tags commit 17c17567fe510857b18fe01b7a88027600e76ac6 upstream. On arm64, building with CONFIG_KASAN_HW_TAGS now causes a compile-time error: mm/kasan/report.c: In function 'kasan_non_canonical_hook': mm/kasan/report.c:637:20: error: 'KASAN_SHADOW_OFFSET' undeclared (first use in this function) 637 | if (addr < KASAN_SHADOW_OFFSET) | ^~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:637:20: note: each undeclared identifier is reported only once for each function it appears in mm/kasan/report.c:640:77: error: expected expression before ';' token 640 | orig_addr = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT; This was caused by removing the dependency on CONFIG_KASAN_INLINE that used to prevent this from happening. Use the more specific dependency on KASAN_SW_TAGS || KASAN_GENERIC to only ignore the function for hwasan mode. Link: https://lkml.kernel.org/r/[email protected] Fixes: 12ec6a919b0f ("kasan: print the original fault addr when access invalid shadow") Signed-off-by: Arnd Bergmann <[email protected]> Cc: Alexander Potapenko <[email protected]> Cc: Andrey Konovalov <[email protected]> Cc: Andrey Ryabinin <[email protected]> Cc: Dmitry Vyukov <[email protected]> Cc: Haibo Li <[email protected]> Cc: Kees Cook <[email protected]> Cc: Vincenzo Frascino <[email protected]> Cc: AngeloGioacchino Del Regno <[email protected]> Cc: Matthias Brugger <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Amit Pundir <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:25 2023 +0900 ksmbd: add missing calling smb2_set_err_rsp() on error [ Upstream commit 0e2378eaa2b3a663726cf740d4aaa8a801e2cb31 ] If some error happen on smb2_sess_setup(), Need to call smb2_set_err_rsp() to set error response. This patch add missing calling smb2_set_err_rsp() on error. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:11 2023 +0900 ksmbd: add missing compound request handing in some commands [ Upstream commit 7b7d709ef7cf285309157fb94c33f625dd22c5e1 ] This patch add the compound request handling to the some commands. Existing clients do not send these commands as compound requests, but ksmbd should consider that they may come. Cc: [email protected] Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:03 2023 +0900 ksmbd: add mnt_want_write to ksmbd vfs functions [ Upstream commit 40b268d384a22276dca1450549f53eed60e21deb ] ksmbd is doing write access using vfs helpers. There are the cases that mnt_want_write() is not called in vfs helper. This patch add missing mnt_want_write() to ksmbd vfs functions. Cc: [email protected] Cc: Amir Goldstein <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:41 2023 +0900 ksmbd: add smb-direct shutdown [ Upstream commit 136dff3a6b71dc16c30b35cc390feb0bfc32ed50 ] When killing ksmbd server after connecting rdma, ksmbd threads does not terminate properly because the rdma connection is still alive. This patch add shutdown operation to disconnect rdma connection while ksmbd threads terminate. Signed-off-by: Yufan Chen <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:44 2023 +0900 ksmbd: add support for key exchange [ Upstream commit f9929ef6a2a55f03aac61248c6a3a987b8546f2a ] When mounting cifs client, can see the following warning message. CIFS: decode_ntlmssp_challenge: authentication has been weakened as server does not support key exchange To remove this warning message, Add support for key exchange feature to ksmbd. This patch decrypts 16-byte ciphertext value sent by the client using RC4 with session key. The decrypted value is the recovered secondary key that will use instead of the session key for signing and sealing. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:19 2023 +0900 ksmbd: add support for read compound [ Upstream commit e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d ] MacOS sends a compound request including read to the server (e.g. open-read-close). So far, ksmbd has not handled read as a compound request. For compatibility between ksmbd and an OS that supports SMB, This patch provides compound support for read requests. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:44 2023 +0900 ksmbd: add support for surrogate pair conversion [ Upstream commit 0c180317c654a494fe429adbf7bc9b0793caf9e2 ] ksmbd is missing supporting to convert filename included surrogate pair characters. It triggers a "file or folder does not exist" error in Windows client. [Steps to Reproduce for bug] 1. Create surrogate pair file touch $(echo -e '\xf0\x9d\x9f\xa3') touch $(echo -e '\xf0\x9d\x9f\xa4') 2. Try to open these files in ksmbd share through Windows client. This patch update unicode functions not to consider about surrogate pair (and IVS). Reviewed-by: Marios Makassikis <[email protected]> Tested-by: Marios Makassikis <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: David Disseldorp <[email protected]> Date: Tue Dec 19 00:33:44 2023 +0900 ksmbd: avoid duplicate negotiate ctx offset increments [ Upstream commit a12a07a85aff72e19520328f78b1c64d2281a1ec ] Both pneg_ctxt and ctxt_size change in unison, with each adding the length of the previously added context, rounded up to an eight byte boundary. Drop pneg_ctxt increments and instead use the ctxt_size offset when passing output pointers to per-context helper functions. This slightly simplifies offset tracking and shaves off a few text bytes. Before (x86-64 gcc 7.5): text data bss dec hex filename 213234 8677 672 222583 36577 ksmbd.ko After: text data bss dec hex filename 213218 8677 672 222567 36567 ksmbd.ko Signed-off-by: David Disseldorp <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: David Disseldorp <[email protected]> Date: Tue Dec 19 00:33:42 2023 +0900 ksmbd: avoid out of bounds access in decode_preauth_ctxt() [ Upstream commit e7067a446264a7514fa1cfaa4052cdb6803bc6a2 ] Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within the SMB request boundary; deassemble_neg_contexts() only checks that the eight byte smb2_neg_context header + (client controlled) DataLength are within the packet boundary, which is insufficient. Checking for sizeof(struct smb2_preauth_neg_context) is overkill given that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt. Signed-off-by: David Disseldorp <[email protected]> Acked-by: Namjae Jeon <[email protected]> Cc: <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:50 2023 +0900 ksmbd: block asynchronous requests when making a delay on session setup [ Upstream commit b096d97f47326b1e2dbdef1c91fab69ffda54d17 ] ksmbd make a delay of 5 seconds on session setup to avoid dictionary attacks. But the 5 seconds delay can be bypassed by using asynchronous requests. This patch block all requests on current connection when making a delay on sesstion setup failure. Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-20482 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:22 2023 +0900 ksmbd: call ib_drain_qp when disconnected [ Upstream commit 141fa9824c0fc11d44b2d5bb1266a33e95fa67fd ] When disconnected, call ib_drain_qp to cancel all pending work requests and prevent ksmbd_conn_handler_loop from waiting for a long time for those work requests to compelete. Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Reviewed-by: Tom Talpey <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:57 2023 +0900 ksmbd: call putname after using the last component [ Upstream commit 6fe55c2799bc29624770c26f98ba7b06214f43e0 ] last component point filename struct. Currently putname is called after vfs_path_parent_lookup(). And then last component is used for lookup_one_qstr_excl(). name in last component is freed by previous calling putname(). And It cause file lookup failure when testing generic/464 test of xfstest. Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name") Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Atte Heikkilä <[email protected]> Date: Tue Dec 19 00:33:12 2023 +0900 ksmbd: casefold utf-8 share names and fix ascii lowercase conversion [ Upstream commit 16b5f54e30c1ddec36bdf946a299b3254aace477 ] strtolower() corrupts all UTF-8 share names that have a byte in the C0 (À ISO8859-1) to DE (Þ ISO8859-1) range, since the non-ASCII part of ISO8859-1 is incompatible with UTF-8. Prevent this by checking that a byte is in the ASCII range with isascii(), before the conversion to lowercase with tolower(). Properly handle case-insensitivity of UTF-8 share names by casefolding them, but fallback to ASCII lowercase conversion on failure or if CONFIG_UNICODE is not set. Refactor to move the share name casefolding immediately after the share name extraction. Also, make the associated constness corrections. Signed-off-by: Atte Heikkilä <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:27 2023 +0900 ksmbd: change LeaseKey data type to u8 array [ Upstream commit 2734b692f7b8167b93498dcd698067623d4267ca ] cifs define LeaseKey as u8 array in structure. To move lease structure to smbfs_common, ksmbd change LeaseKey data type to u8 array. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:13 2023 +0900 ksmbd: change security id to the one samba used for posix extension [ Upstream commit 5609bdd9ffdccd83f9003511b1801584b703baa5 ] Samba set SIDOWNER and SIDUNIX_GROUP in create posix context and set SIDUNIX_USER/GROUP in other sids for posix extension. This patch change security id to the one samba used. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Lu Hongfei <[email protected]> Date: Tue Dec 19 00:34:07 2023 +0900 ksmbd: Change the return value of ksmbd_vfs_query_maximal_access to void [ Upstream commit ccb5889af97c03c67a83fcd649602034578c0d61 ] The return value of ksmbd_vfs_query_maximal_access is meaningless, it is better to modify it to void. Signed-off-by: Lu Hongfei <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:15 2023 +0900 ksmbd: check if a mount point is crossed during path lookup [ Upstream commit 2b57a4322b1b14348940744fdc02f9a86cbbdbeb ] Since commit 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name"), ksmbd can not lookup cross mount points. If last component is a cross mount point during path lookup, check if it is crossed to follow it down. And allow path lookup to cross a mount point when a crossmnt parameter is set to 'yes' in smb.conf. Cc: [email protected] Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name") Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:30 2023 +0900 ksmbd: check iov vector index in ksmbd_conn_write() [ Upstream commit 73f949ea87c7d697210653501ca21efe57295327 ] If ->iov_idx is zero, This means that the iov vector for the response was not added during the request process. In other words, it means that there is a problem in generating a response, So this patch return as an error to avoid NULL pointer dereferencing problem. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:01 2023 +0900 ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop [ Upstream commit 368ba06881c395f1c9a7ba22203cf8d78b4addc0 ] The length field of netbios header must be greater than the SMB header sizes(smb1 or smb2 header), otherwise the packet is an invalid SMB packet. If `pdu_size` is 0, ksmbd allocates a 4 bytes chunk to `conn->request_buf`. In the function `get_smb2_cmd_val` ksmbd will read cmd from `rcv_hdr->Command`, which is `conn->request_buf + 12`, causing the KASAN detector to print the following error message: [ 7.205018] BUG: KASAN: slab-out-of-bounds in get_smb2_cmd_val+0x45/0x60 [ 7.205423] Read of size 2 at addr ffff8880062d8b50 by task ksmbd:42632/248 ... [ 7.207125] <TASK> [ 7.209191] get_smb2_cmd_val+0x45/0x60 [ 7.209426] ksmbd_conn_enqueue_request+0x3a/0x100 [ 7.209712] ksmbd_server_process_request+0x72/0x160 [ 7.210295] ksmbd_conn_handler_loop+0x30c/0x550 [ 7.212280] kthread+0x160/0x190 [ 7.212762] ret_from_fork+0x1f/0x30 [ 7.212981] </TASK> Cc: [email protected] Reported-by: Chih-Yen Chang <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Al Viro <[email protected]> Date: Tue Dec 19 00:33:10 2023 +0900 ksmbd: constify struct path [ Upstream commit c22180a5e2a9e1426fab01d9e54011ec531b1b52 ] ... in particular, there should never be a non-const pointers to any file->f_path. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Al Viro <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: ye xingchen <[email protected]> Date: Tue Dec 19 00:33:28 2023 +0900 ksmbd: Convert to use sysfs_emit()/sysfs_emit_at() APIs [ Upstream commit 72ee45fd46d0d3578c4e6046f66fae3218543ce3 ] Follow the advice of the Documentation/filesystems/sysfs.rst and show() should only use sysfs_emit() or sysfs_emit_at() when formatting the value to be returned to user space. Signed-off-by: ye xingchen <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tom Talpey <[email protected]> Date: Tue Dec 19 00:33:18 2023 +0900 ksmbd: decrease the number of SMB3 smbdirect server SGEs [ Upstream commit 2b4eeeaa90617c5e37da7c804c422b4e833b87b2 ] The server-side SMBDirect layer requires no more than 6 send SGEs The previous default of 8 causes ksmbd to fail on the SoftiWARP (siw) provider, and possibly others. Additionally, large numbers of SGEs reduces performance significantly on adapter implementations. Signed-off-by: Tom Talpey <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Li <[email protected]> Date: Tue Dec 19 00:32:34 2023 +0900 ksmbd: Delete an invalid argument description in smb2_populate_readdir_entry() [ Upstream commit f5c381392948dcae19f854b9586b806654f08a11 ] A warning is reported because an invalid argument description, it is found by running scripts/kernel-doc, which is caused by using 'make W=1'. fs/ksmbd/smb2pdu.c:3406: warning: Excess function parameter 'user_ns' description in 'smb2_populate_readdir_entry' Reported-by: Abaci Robot <[email protected]> Fixes: 475d6f98804c ("ksmbd: fix translation in smb2_populate_readdir_entry()") Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Yang Li <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:40 2023 +0900 ksmbd: delete asynchronous work from list [ Upstream commit 3a9b557f44ea8f216aab515a7db20e23f0eb51b9 ] When smb2_lock request is canceled by smb2_cancel or smb2_close(), ksmbd is missing deleting async_request_entry async_requests list. Because calling init_smb2_rsp_hdr() in smb2_lock() mark ->synchronous as true and then it will not be deleted in ksmbd_conn_try_dequeue_request(). This patch add release_async_work() to release the ones allocated for async work. Cc: [email protected] Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:49 2023 +0900 ksmbd: destroy expired sessions [ Upstream commit ea174a91893956450510945a0c5d1a10b5323656 ] client can indefinitely send smb2 session setup requests with the SessionId set to 0, thus indefinitely spawning new sessions, and causing indefinite memory usage. This patch limit to the number of sessions using expired timeout and session state. Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-20478 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Al Viro <[email protected]> Date: Tue Dec 19 00:33:09 2023 +0900 ksmbd: don't open-code %pD [ Upstream commit 369c1634cc7ae8645a5cba4c7eb874755c2a6a07 ] a bunch of places used %pd with file->f_path.dentry; shorter (and saner) way to spell that is %pD with file... Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Al Viro <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Al Viro <[email protected]> Date: Tue Dec 19 00:33:08 2023 +0900 ksmbd: don't open-code file_path() [ Upstream commit 2f5930c1d7936b74eb820c5b157011994c707a74 ] Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Al Viro <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:54 2023 +0900 ksmbd: don't update ->op_state as OPLOCK_STATE_NONE on error [ Upstream commit cd80ce7e68f1624ac29cd0a6b057789d1236641e ] ksmbd set ->op_state as OPLOCK_STATE_NONE on lease break ack error. op_state of lease should not be updated because client can send lease break ack again. This patch fix smb2.lease.breaking2 test failure. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:15 2023 +0900 ksmbd: fill sids in SMB_FIND_FILE_POSIX_INFO response [ Upstream commit d5919f2a1459083bd0aaede7fc44e945290e44df ] This patch fill missing sids in SMB_FIND_FILE_POSIX_INFO response. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Atte Heikkilä <[email protected]> Date: Tue Dec 19 00:34:21 2023 +0900 ksmbd: fix `force create mode' and `force directory mode' [ Upstream commit 65656f5242e500dcfeffa6a0a1519eae14724f86 ] `force create mode' and `force directory mode' should be bitwise ORed with the perms after `create mask' and `directory mask' have been applied, respectively. Signed-off-by: Atte Heikkilä <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Li <[email protected]> Date: Tue Dec 19 00:32:32 2023 +0900 ksmbd: Fix buffer_check_err() kernel-doc comment [ Upstream commit e230d013378489bcd4b5589ca1d2a5b91ff8d098 ] Add the description of @rsp_org in buffer_check_err() kernel-doc comment to remove a warning found by running scripts/kernel-doc, which is caused by using 'make W=1'. fs/ksmbd/smb2pdu.c:4028: warning: Function parameter or member 'rsp_org' not described in 'buffer_check_err' Reported-by: Abaci Robot <[email protected]> Fixes: cb4517201b8a ("ksmbd: remove smb2_buf_length in smb2_hdr") Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Yang Li <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:16 2023 +0900 ksmbd: fix encryption failure issue for session logoff response [ Upstream commit af705ef2b0ded0d8f54c238fdf3c17a1d47ad924 ] If client send encrypted session logoff request on seal mount, Encryption for that response fails. ksmbd: Could not get encryption key CIFS: VFS: cifs_put_smb_ses: Session Logoff failure rc=-512 Session lookup fails in ksmbd_get_encryption_key() because sess->state is set to SMB2_SESSION_EXPIRED in session logoff. There is no need to do session lookup again to encrypt the response. This patch change to use ksmbd_session in ksmbd_work. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:46 2023 +0900 ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked() [ Upstream commit f6049712e520287ad695e9d4f1572ab76807fa0c ] Fix argument list that the kdoc format and script verified in ksmbd_vfs_kern_path_locked(). fs/smb/server/vfs.c:1207: warning: Function parameter or member 'parent_path' not described in 'ksmbd_vfs_kern_path_locked' Reported-by: kernel test robot <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:41 2023 +0900 ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr() [ Upstream commit 3354db668808d5b6d7c5e0cb19ff4c9da4bb5e58 ] Fix argument list that the kdoc format and script verified in ksmbd_vfs_setxattr(). fs/smb/server/vfs.c:929: warning: Function parameter or member 'path' not described in 'ksmbd_vfs_setxattr' Reported-by: kernel test robot <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Kangjing Huang <[email protected]> Date: Tue Dec 19 00:34:43 2023 +0900 ksmbd: fix missing RDMA-capable flag for IPoIB device in ksmbd_rdma_capable_netdev() [ Upstream commit ecce70cf17d91c3dd87a0c4ea00b2d1387729701 ] Physical ib_device does not have an underlying net_device, thus its association with IPoIB net_device cannot be retrieved via ops.get_netdev() or ib_device_get_by_netdev(). ksmbd reads physical ib_device port GUID from the lower 16 bytes of the hardware addresses on IPoIB net_device and match its underlying ib_device using ib_find_gid() Signed-off-by: Kangjing Huang <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Tom Talpey <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Kuan-Ting Chen <[email protected]> Date: Tue Dec 19 00:33:55 2023 +0900 ksmbd: fix multiple out-of-bounds read during context decoding [ Upstream commit 0512a5f89e1fae74251fde6893ff634f1c96c6fb ] Check the remaining data length before accessing the context structure to ensure that the entire structure is contained within the packet. Additionally, since the context data length `ctxt_len` has already been checked against the total packet length `len_of_ctxts`, update the comparison to use `ctxt_len`. Cc: [email protected] Signed-off-by: Kuan-Ting Chen <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:37 2023 +0900 ksmbd: fix Null pointer dereferences in ksmbd_update_fstate() [ Upstream commit 414849040fcf11d45025b8ae26c9fd91da1465da ] Coverity Scan report the following one. This report is a false alarm. Because fp is never NULL when rc is zero. This patch add null check for fp in ksmbd_update_fstate to make alarm silence. *** CID 1568583: Null pointer dereferences (FORWARD_NULL) /fs/smb/server/smb2pdu.c: 3408 in smb2_open() 3402 path_put(&path); 3403 path_put(&parent_path); 3404 } 3405 ksmbd_revert_fsids(work); 3406 err_out1: 3407 if (!rc) { >>> CID 1568583: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "fp" to "ksmbd_update_fstate", which dereferences it. 3408 ksmbd_update_fstate(&work->sess->file_table, fp, FP_INITED); 3409 rc = ksmbd_iov_pin_rsp(work, (void *)rsp, iov_len); 3410 } 3411 if (rc) { 3412 if (rc == -EINVAL) 3413 rsp->hdr.Status = STATUS_INVALID_PARAMETER; Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Reported-by: Coverity Scan <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Li <[email protected]> Date: Tue Dec 19 00:34:23 2023 +0900 ksmbd: Fix one kernel-doc comment [ Upstream commit bf26f1b4e0918f017775edfeacf6d867204b680b ] Fix one kernel-doc comment to silence the warning: fs/smb/server/smb2pdu.c:4160: warning: Excess function parameter 'infoclass_size' description in 'buffer_check_err' Signed-off-by: Yang Li <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:17 2023 +0900 ksmbd: fix out of bounds in init_smb2_rsp_hdr() [ Upstream commit 536bb492d39bb6c080c92f31e8a55fe9934f452b ] If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1 packets after ->need_neg is set to false. Reported-by: [email protected] # ZDI-CAN-21541 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:10 2023 +0900 ksmbd: fix out of bounds read in smb2_sess_setup [ Upstream commit 98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8 ] ksmbd does not consider the case of that smb2 session setup is in compound request. If this is the second payload of the compound, OOB read issue occurs while processing the first payload in the smb2_sess_setup(). Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-21355 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:58 2023 +0900 ksmbd: fix out-of-bound read in deassemble_neg_contexts() [ Upstream commit f1a411873c85b642f13b01f21b534c2bab81fc1b ] The check in the beginning is `clen + sizeof(struct smb2_neg_context) <= len_of_ctxts`, but in the end of loop, `len_of_ctxts` will subtract `((clen + 7) & ~0x7) + sizeof(struct smb2_neg_context)`, which causes integer underflow when clen does the 8 alignment. We should use `(clen + 7) & ~0x7` in the check to avoid underflow from happening. Then there are some variables that need to be declared unsigned instead of signed. [ 11.671070] BUG: KASAN: slab-out-of-bounds in smb2_handle_negotiate+0x799/0x1610 [ 11.671533] Read of size 2 at addr ffff888005e86cf2 by task kworker/0:0/7 ... [ 11.673383] Call Trace: [ 11.673541] <TASK> [ 11.673679] dump_stack_lvl+0x33/0x50 [ 11.673913] print_report+0xcc/0x620 [ 11.674671] kasan_report+0xae/0xe0 [ 11.675171] kasan_check_range+0x35/0x1b0 [ 11.675412] smb2_handle_negotiate+0x799/0x1610 [ 11.676217] ksmbd_smb_negotiate_common+0x526/0x770 [ 11.676795] handle_ksmbd_work+0x274/0x810 ... Cc: [email protected] Signed-off-by: Chih-Yen Chang <[email protected]> Tested-by: Chih-Yen Chang <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:59 2023 +0900 ksmbd: fix out-of-bound read in parse_lease_state() [ Upstream commit fc6c6a3c324c1b3e93a03d0cfa3749c781f23de0 ] This bug is in parse_lease_state, and it is caused by the missing check of `struct create_context`. When the ksmbd traverses the create_contexts, it doesn't check if the field of `NameOffset` and `Next` is valid, The KASAN message is following: [ 6.664323] BUG: KASAN: slab-out-of-bounds in parse_lease_state+0x7d/0x280 [ 6.664738] Read of size 2 at addr ffff888005c08988 by task kworker/0:3/103 ... [ 6.666644] Call Trace: [ 6.666796] <TASK> [ 6.666933] dump_stack_lvl+0x33/0x50 [ 6.667167] print_report+0xcc/0x620 [ 6.667903] kasan_report+0xae/0xe0 [ 6.668374] kasan_check_range+0x35/0x1b0 [ 6.668621] parse_lease_state+0x7d/0x280 [ 6.668868] smb2_open+0xbe8/0x4420 [ 6.675137] handle_ksmbd_work+0x282/0x820 Use smb2_find_context_vals() to find smb2 create request lease context. smb2_find_context_vals validate create context fields. Cc: [email protected] Reported-by: Chih-Yen Chang <[email protected]> Tested-by: Chih-Yen Chang <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jiapeng Chong <[email protected]> Date: Tue Dec 19 00:33:36 2023 +0900 ksmbd: Fix parameter name and comment mismatch [ Upstream commit 63f09a9986eb58578ed6ad0e27a6e2c54e49f797 ] fs/ksmbd/vfs.c:965: warning: Function parameter or member 'attr_value' not described in 'ksmbd_vfs_setxattr'. Reported-by: Abaci Robot <[email protected]> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3946 Signed-off-by: Jiapeng Chong <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:28 2023 +0900 ksmbd: fix passing freed memory 'aux_payload_buf' [ Upstream commit 59d8d24f4610333560cf2e8fe3f44cafe30322eb ] The patch e2b76ab8b5c9: "ksmbd: add support for read compound" leads to the following Smatch static checker warning: fs/smb/server/smb2pdu.c:6329 smb2_read() warn: passing freed memory 'aux_payload_buf' It doesn't matter that we're passing a freed variable because nbytes is zero. This patch set "aux_payload_buf = NULL" to make smatch silence. Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:00 2023 +0900 ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() [ Upstream commit 25933573ef48f3586f559c2cac6c436c62dcf63f ] Dan reported the following error message: fs/smb/server/smbacl.c:1296 smb_check_perm_dacl() error: 'posix_acls' dereferencing possible ERR_PTR() fs/smb/server/vfs.c:1323 ksmbd_vfs_make_xattr_posix_acl() error: 'posix_acls' dereferencing possible ERR_PTR() fs/smb/server/vfs.c:1830 ksmbd_vfs_inherit_posix_acl() error: 'acls' dereferencing possible ERR_PTR() __get_acl() returns a mix of error pointers and NULL. This change it with IS_ERR_OR_NULL(). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: [email protected] Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:49 2023 +0900 ksmbd: fix possible deadlock in smb2_open [ Upstream commit 864fb5d3716303a045c3ffb397f651bfd37bfb36 ] [ 8743.393379] ====================================================== [ 8743.393385] WARNING: possible circular locking dependency detected [ 8743.393391] 6.4.0-rc1+ #11 Tainted: G OE [ 8743.393397] ------------------------------------------------------ [ 8743.393402] kworker/0:2/12921 is trying to acquire lock: [ 8743.393408] ffff888127a14460 (sb_writers#8){.+.+}-{0:0}, at: ksmbd_vfs_setxattr+0x3d/0xd0 [ksmbd] [ 8743.393510] but task is already holding lock: [ 8743.393515] ffff8880360d97f0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: ksmbd_vfs_kern_path_locked+0x181/0x670 [ksmbd] [ 8743.393618] which lock already depends on the new lock. [ 8743.393623] the existing dependency chain (in reverse order) is: [ 8743.393628] -> #1 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}: [ 8743.393648] down_write_nested+0x9a/0x1b0 [ 8743.393660] filename_create+0x128/0x270 [ 8743.393670] do_mkdirat+0xab/0x1f0 [ 8743.393680] __x64_sys_mkdir+0x47/0x60 [ 8743.393690] do_syscall_64+0x5d/0x90 [ 8743.393701] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 8743.393711] -> #0 (sb_writers#8){.+.+}-{0:0}: [ 8743.393728] __lock_acquire+0x2201/0x3b80 [ 8743.393737] lock_acquire+0x18f/0x440 [ 8743.393746] mnt_want_write+0x5f/0x240 [ 8743.393755] ksmbd_vfs_setxattr+0x3d/0xd0 [ksmbd] [ 8743.393839] ksmbd_vfs_set_dos_attrib_xattr+0xcc/0x110 [ksmbd] [ 8743.393924] compat_ksmbd_vfs_set_dos_attrib_xattr+0x39/0x50 [ksmbd] [ 8743.394010] smb2_open+0x3432/0x3cc0 [ksmbd] [ 8743.394099] handle_ksmbd_work+0x2c9/0x7b0 [ksmbd] [ 8743.394187] process_one_work+0x65a/0xb30 [ 8743.394198] worker_thread+0x2cf/0x700 [ 8743.394209] kthread+0x1ad/0x1f0 [ 8743.394218] ret_from_fork+0x29/0x50 This patch add mnt_want_write() above parent inode lock and remove nested mnt_want_write calls in smb2_open(). Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions") Cc: [email protected] Reported-by: Marios Makassikis <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hangyu Hua <[email protected]> Date: Tue Dec 19 00:33:37 2023 +0900 ksmbd: fix possible memory leak in smb2_lock() [ Upstream commit d3ca9f7aeba793d74361d88a8800b2f205c9236b ] argv needs to be free when setup_async_work fails or when the current process is woken up. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: [email protected] Signed-off-by: Hangyu Hua <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:38 2023 +0900 ksmbd: fix potential double free on smb2_read_pipe() error path [ Upstream commit 1903e6d0578118e9aab1ee23f4a9de55737d1d05 ] Fix new smatch warnings: fs/smb/server/smb2pdu.c:6131 smb2_read_pipe() error: double free of 'rpc_resp' Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Reported-by: kernel test robot <[email protected]> Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:31 2023 +0900 ksmbd: fix race condition between session lookup and expire [ Upstream commit 53ff5cf89142b978b1a5ca8dc4d4425e6a09745f ] Thread A + Thread B ksmbd_session_lookup | smb2_sess_setup sess = xa_load | | | xa_erase(&conn->sessions, sess->id); | | ksmbd_session_destroy(sess) --> kfree(sess) | // UAF! | sess->last_active = jiffies | + This patch add rwsem to fix race condition between ksmbd_session_lookup and ksmbd_expire_session. Reported-by: luosili <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:35 2023 +0900 ksmbd: fix race condition between tree conn lookup and disconnect [ Upstream commit 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e ] if thread A in smb2_write is using work-tcon, other thread B use smb2_tree_disconnect free the tcon, then thread A will use free'd tcon. Time + Thread A | Thread A smb2_write | smb2_tree_disconnect | | | kfree(tree_conn) | // UAF! | work->tcon->share_conf | + This patch add state, reference count and lock for tree conn to fix race condition issue. Reported-by: luosili <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:34 2023 +0900 ksmbd: fix race condition from parallel smb2 lock requests [ Upstream commit 75ac9a3dd65f7eab4d12b0a0f744234b5300a491 ] There is a race condition issue between parallel smb2 lock request. Time + Thread A | Thread A smb2_lock | smb2_lock | insert smb_lock to lock_list | spin_unlock(&work->conn->llist_lock) | | | spin_lock(&conn->llist_lock); | kfree(cmp_lock); | // UAF! | list_add(&smb_lock->llist, &rollback_list) + This patch swaps the line for adding the smb lock to the rollback list and adding the lock list of connection to fix the race issue. Reported-by: luosili <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:33 2023 +0900 ksmbd: fix race condition from parallel smb2 logoff requests [ Upstream commit 7ca9da7d873ee8024e9548d3366101c2b6843eab ] If parallel smb2 logoff requests come in before closing door, running request count becomes more than 1 even though connection status is set to KSMBD_SESS_NEED_RECONNECT. It can't get condition true, and sleep forever. This patch fix race condition problem by returning error if connection status was already set to KSMBD_SESS_NEED_RECONNECT. Reported-by: luosili <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:32 2023 +0900 ksmbd: fix race condition with fp [ Upstream commit 5a7ee91d1154f35418367a6eaae74046fd06ed89 ] fp can used in each command. If smb2_close command is coming at the same time, UAF issue can happen by race condition. Time + Thread A | Thread B1 B2 .... B5 smb2_open | smb2_close | __open_id | insert fp to file_table | | | atomic_dec_and_test(&fp->refcount) | if fp->refcount == 0, free fp by kfree. // UAF! | use fp | + This patch add f_state not to use freed fp is used and not to free fp in use. Reported-by: luosili <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:48 2023 +0900 ksmbd: fix racy issue from session setup and logoff [ Upstream commit f5c779b7ddbda30866cf2a27c63e34158f858c73 ] This racy issue is triggered by sending concurrent session setup and logoff requests. This patch does not set connection status as KSMBD_SESS_GOOD if state is KSMBD_SESS_NEED_RECONNECT in session setup. And relookup session to validate if session is deleted in logoff. Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-20481, ZDI-CAN-20590, ZDI-CAN-20596 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:51 2023 +0900 ksmbd: fix racy issue from smb2 close and logoff with multichannel [ Upstream commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19 ] When smb client send concurrent smb2 close and logoff request with multichannel connection, It can cause racy issue. logoff request free tcon and can cause UAF issues in smb2 close. When receiving logoff request with multichannel, ksmbd should wait until all remaning requests complete as well as ones in the current connection, and then make session expired. Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-20796 ZDI-CAN-20595 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:47 2023 +0900 ksmbd: fix racy issue from using ->d_parent and ->d_name [ Upstream commit 74d7970febf7e9005375aeda0df821d2edffc9f7 ] Al pointed out that ksmbd has racy issue from using ->d_parent and ->d_name in ksmbd_vfs_unlink and smb2_vfs_rename(). and use new lock_rename_child() to lock stable parent while underlying rename racy. Introduce vfs_path_parent_lookup helper to avoid out of share access and export vfs functions like the following ones to use vfs_path_parent_lookup(). - rename __lookup_hash() to lookup_one_qstr_excl(). - export lookup_one_qstr_excl(). - export getname_kernel() and putname(). vfs_path_parent_lookup() is used for parent lookup of destination file using absolute pathname given from FILE_RENAME_INFORMATION request. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:52 2023 +0900 ksmbd: fix racy issue under cocurrent smb2 tree disconnect [ Upstream commit 30210947a343b6b3ca13adc9bfc88e1543e16dd5 ] There is UAF issue under cocurrent smb2 tree disconnect. This patch introduce TREE_CONN_EXPIRE flags for tcon to avoid cocurrent access. Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-20592 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Marios Makassikis <[email protected]> Date: Tue Dec 19 00:34:42 2023 +0900 ksmbd: fix recursive locking in vfs helpers [ Upstream commit 807252f028c59b9a3bac4d62ad84761548c10f11 ] Running smb2.rename test from Samba smbtorture suite against a kernel built with lockdep triggers a "possible recursive locking detected" warning. This is because mnt_want_write() is called twice with no mnt_drop_write() in between: -> ksmbd_vfs_mkdir() -> ksmbd_vfs_kern_path_create() -> kern_path_create() -> filename_create() -> mnt_want_write() -> mnt_want_write() Fix this by removing the mnt_want_write/mnt_drop_write calls from vfs helpers that call kern_path_create(). Full lockdep trace below: ============================================ WARNING: possible recursive locking detected 6.6.0-rc5 #775 Not tainted -------------------------------------------- kworker/1:1/32 is trying to acquire lock: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: ksmbd_vfs_mkdir+0xe1/0x410 but task is already holding lock: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(sb_writers#5); lock(sb_writers#5); *** DEADLOCK *** May be due to missing lock nesting notation 4 locks held by kworker/1:1/32: #0: ffff8880064e4138 ((wq_completion)ksmbd-io){+.+.}-{0:0}, at: process_one_work+0x40e/0x980 #1: ffff888005b0fdd0 ((work_completion)(&work->work)){+.+.}-{0:0}, at: process_one_work+0x40e/0x980 #2: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260 #3: ffff8880057ce760 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x123/0x260 Cc: [email protected] Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions") Signed-off-by: Marios Makassikis <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Marios Makassikis <[email protected]> Date: Tue Dec 19 00:33:27 2023 +0900 ksmbd: Fix resource leak in smb2_lock() [ Upstream commit 01f6c61bae3d658058ee6322af77acea26a5ee3a ] "flock" is leaked if an error happens before smb2_lock_init(), as the lock is not added to the lock_list to be cleaned up. Signed-off-by: Marios Makassikis <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:41 2023 +0900 ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr [ Upstream commit dc8289f912387c3bcfbc5d2db29c8947fa207c11 ] When smb1 mount fails, KASAN detect slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For smb1 negotiate(56bytes) , init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that smb2 server operation does not handle it. [ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers [ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes [ 411.479312] ksmbd: init_smb2_rsp_hdr : 492 [ 411.479323] ================================================================== [ 411.479327] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199 [ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G OE 6.1.21 #3 [ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 Series/Z10PA-D8 Series, BIOS 3801 08/23/2019 [ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 411.479425] Call Trace: [ 411.479428] <TASK> [ 411.479432] dump_stack_lvl+0x49/0x63 [ 411.479444] print_report+0x171/0x4a8 [ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200 [ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479497] kasan_report+0xb4/0x130 [ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479537] kasan_check_range+0x149/0x1e0 [ 411.479543] memcpy+0x24/0x70 [ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd] [ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50 [ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd] [ 411.479656] process_one_work+0x49c/0x790 [ 411.479667] worker_thread+0x2b1/0x6e0 [ 411.479674] ? process_one_work+0x790/0x790 [ 411.479680] kthread+0x177/0x1b0 [ 411.479686] ? kthread_complete_and_exit+0x30/0x30 [ 411.479692] ret_from_fork+0x22/0x30 [ 411.479702] </TASK> Fixes: 39b291b86b59 ("ksmbd: return unsupported error on smb1 mount") Cc: [email protected] Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:24 2023 +0900 ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() [ Upstream commit 4b081ce0d830b684fdf967abc3696d1261387254 ] If authblob->SessionKey.Length is bigger than session key size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array from SessionKey from client. Cc: [email protected] Reported-by: [email protected] # ZDI-CAN-21940 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Li <[email protected]> Date: Tue Dec 19 00:32:35 2023 +0900 ksmbd: Fix smb2_get_name() kernel-doc comment [ Upstream commit d4eeb82674acadf789277b577986e8e7d3faf695 ] Remove some warnings found by running scripts/kernel-doc, which is caused by using 'make W=1'. fs/ksmbd/smb2pdu.c:623: warning: Function parameter or member 'local_nls' not described in 'smb2_get_name' fs/ksmbd/smb2pdu.c:623: warning: Excess function parameter 'nls_table' description in 'smb2_get_name' Reported-by: Abaci Robot <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Yang Li <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Li <[email protected]> Date: Tue Dec 19 00:32:33 2023 +0900 ksmbd: Fix smb2_set_info_file() kernel-doc comment [ Upstream commit 4bfd9eed15e163969156e976c62db5ef423e5b0f ] Fix argument list that the kdoc format and script verified in smb2_set_info_file(). The warnings were found by running scripts/kernel-doc, which is caused by using 'make W=1'. fs/ksmbd/smb2pdu.c:5862: warning: Function parameter or member 'req' not described in 'smb2_set_info_file' fs/ksmbd/smb2pdu.c:5862: warning: Excess function parameter 'info_class' description in 'smb2_set_info_file' Reported-by: Abaci Robot <[email protected]> Fixes: 9496e268e3af ("ksmbd: add request buffer validation in smb2_set_info") Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Yang Li <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Li <[email protected]> Date: Tue Dec 19 00:32:59 2023 +0900 ksmbd: Fix some kernel-doc comments [ Upstream commit 7820c6ee029548290b318e522eb2578516d05393 ] Remove some warnings found by running scripts/kernel-doc, which is caused by using 'make W=1'. fs/ksmbd/misc.c:30: warning: Function parameter or member 'str' not described in 'match_pattern' fs/ksmbd/misc.c:30: warning: Excess function parameter 'string' description in 'match_pattern' fs/ksmbd/misc.c:163: warning: Function parameter or member 'share' not described in 'convert_to_nt_pathname' fs/ksmbd/misc.c:163: warning: Function parameter or member 'path' not described in 'convert_to_nt_pathname' fs/ksmbd/misc.c:163: warning: Excess function parameter 'filename' description in 'convert_to_nt_pathname' fs/ksmbd/misc.c:163: warning: Excess function parameter 'sharepath' description in 'convert_to_nt_pathname' fs/ksmbd/misc.c:259: warning: Function parameter or member 'share' not described in 'convert_to_unix_name' fs/ksmbd/misc.c:259: warning: Function parameter or member 'name' not described in 'convert_to_unix_name' fs/ksmbd/misc.c:259: warning: Excess function parameter 'path' description in 'convert_to_unix_name' fs/ksmbd/misc.c:259: warning: Excess function parameter 'tid' description in 'convert_to_unix_name' Reported-by: Abaci Robot <[email protected]> Signed-off-by: Yang Li <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Colin Ian King <[email protected]> Date: Tue Dec 19 00:33:35 2023 +0900 ksmbd: Fix spelling mistake "excceed" -> "exceeded" [ Upstream commit 7a17c61ee3b2683c40090179c273f4701fca9677 ] There is a spelling mistake in an error message. Fix it. Signed-off-by: Colin Ian King <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dawei Li <[email protected]> Date: Tue Dec 19 00:33:32 2023 +0900 ksmbd: fix typo, syncronous->synchronous [ Upstream commit f8d6e7442aa716a233c7eba99dec628f8885e00b ] syncronous->synchronous Signed-off-by: Dawei Li <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:56 2023 +0900 ksmbd: fix UAF issue from opinfo->conn [ Upstream commit 36322523dddb11107e9f7f528675a0dec2536103 ] If opinfo->conn is another connection and while ksmbd send oplock break request to cient on current connection, The connection for opinfo->conn can be disconnect and conn could be freed. When sending oplock break request, this ksmbd_conn can be used and cause user-after-free issue. When getting opinfo from the list, ksmbd check connection is being released. If it is not released, Increase ->r_count to wait that connection is freed. Cc: [email protected] Reported-by: Per Forlin <[email protected]> Tested-by: Per Forlin <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:53 2023 +0900 ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename() [ Upstream commit 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 ] Uninitialized rd.delegated_inode can be used in vfs_rename(). Fix this by setting rd.delegated_inode to NULL to avoid the uninitialized read. Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name") Reported-by: Coverity Scan <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:54 2023 +0900 ksmbd: fix uninitialized pointer read in smb2_create_link() [ Upstream commit df14afeed2e6c1bbadef7d2f9c46887bbd6d8d94 ] There is a case that file_present is true and path is uninitialized. This patch change file_present is set to false by default and set to true when patch is initialized. Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name") Reported-by: Coverity Scan <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Wang Ming <[email protected]> Date: Tue Dec 19 00:34:14 2023 +0900 ksmbd: Fix unsigned expression compared with zero [ Upstream commit 0266a2f791294e0b4ba36f4a1d89b8615ea3cac0 ] The return value of the ksmbd_vfs_getcasexattr() is signed. However, the return value is being assigned to an unsigned variable and subsequently recasted, causing warnings. Use a signed type. Signed-off-by: Wang Ming <[email protected]> Acked-by: Tom Talpey <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:36 2023 +0900 ksmbd: fix wrong error response status by using set_smb2_rsp_status() [ Upstream commit be0f89d4419dc5413a1cf06db3671c9949be0d52 ] set_smb2_rsp_status() after __process_request() sets the wrong error status. This patch resets all iov vectors and sets the error status on clean one. Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:20 2023 +0900 ksmbd: fix wrong interim response on compound [ Upstream commit 041bba4414cda37d00063952c9bff9c3d5812a19 ] If smb2_lock or smb2_open request is compound, ksmbd could send wrong interim response to client. ksmbd allocate new interim buffer instead of using resonse buffer to support compound request. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:38 2023 +0900 ksmbd: fix wrong signingkey creation when encryption is AES256 [ Upstream commit 7a891d4b62d62566323676cb0e922ded4f37afe1 ] MacOS and Win11 support AES256 encrytion and it is included in the cipher array of encryption context. Especially on macOS, The most preferred cipher is AES256. Connecting to ksmbd fails on newer MacOS clients that support AES256 encryption. MacOS send disconnect request after receiving final session setup response from ksmbd. Because final session setup is signed with signing key was generated incorrectly. For signging key, 'L' value should be initialized to 128 if key size is 16bytes. Cc: [email protected] Reported-by: Miao Lihua <[email protected]> Tested-by: Miao Lihua <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:58 2023 +0900 ksmbd: fix wrong smbd max read/write size check [ Upstream commit 7a84399e1ce3f5f2fbec3e7dd93459ba25badc2f ] smb-direct max read/write size can be different with smb2 max read/write size. So smb2_read() can return error by wrong max read/write size check. This patch use smb_direct_max_read_write_size for this check in smb-direct read/write(). Signed-off-by: Namjae Jeon <[email protected]> Reviewed-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:47 2023 +0900 ksmbd: handle malformed smb1 message [ Upstream commit 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 ] If set_smb1_rsp_status() is not implemented, It will cause NULL pointer dereferece error when client send malformed smb1 message. This patch add set_smb1_rsp_status() to ignore malformed smb1 message. Cc: [email protected] Reported-by: Robert Morris <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:20 2023 +0900 ksmbd: hide socket error message when ipv6 config is disable [ Upstream commit 5876e99611a91dfb2fb1f7af9d1ae5c017c8331c ] When ipv6 config is disable(CONFIG_IPV6 is not set), ksmbd fallback to create ipv4 socket. User reported that this error message lead to misunderstood some issue. Users have requested not to print this error message that occurs even though there is no problem. Signed-off-by: Namjae Jeon <[email protected]> Acked-by: Tom Talpey <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dawei Li <[email protected]> Date: Tue Dec 19 00:33:30 2023 +0900 ksmbd: Implements sess->ksmbd_chann_list as xarray [ Upstream commit 1d9c4172110e645b383ff13eee759728d74f1a5d ] For some ops on channel: 1. lookup_chann_list(), possibly on high frequency. 2. ksmbd_chann_del(). Connection is used as indexing key to lookup channel, in that case, linear search based on list may suffer a bit for performance. Implements sess->ksmbd_chann_list as xarray. Signed-off-by: Dawei Li <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dawei Li <[email protected]> Date: Tue Dec 19 00:33:31 2023 +0900 ksmbd: Implements sess->rpc_handle_list as xarray [ Upstream commit b685757c7b08d5073046fb379be965fd6c06aafc ] For some ops on rpc handle: 1. ksmbd_session_rpc_method(), possibly on high frequency. 2. ksmbd_session_rpc_close(). id is used as indexing key to lookup channel, in that case, linear search based on list may suffer a bit for performance. Implements sess->rpc_handle_list as xarray. Signed-off-by: Dawei Li <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Atte Heikkilä <[email protected]> Date: Tue Dec 19 00:33:21 2023 +0900 ksmbd: make utf-8 file name comparison work in __caseless_lookup() [ Upstream commit dbab80e2071ad8c702e50dab43326608a127d27b ] Case-insensitive file name lookups with __caseless_lookup() use strncasecmp() for file name comparison. strncasecmp() assumes an ISO8859-1-compatible encoding, which is not the case here as UTF-8 is always used. As such, use of strncasecmp() here produces correct results only if both strings use characters in the ASCII range only. Fix this by using utf8_strncasecmp() if CONFIG_UNICODE is set. On failure or if CONFIG_UNICODE is not set, fallback to strncasecmp(). Also, as we are adding an include for `linux/unicode.h', include it in `fs/ksmbd/connection.h' as well since it should be explicit there. Signed-off-by: Atte Heikkilä <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:51 2023 +0900 ksmbd: move oplock handling after unlock parent dir [ Upstream commit 2e450920d58b4991a436c8cecf3484bcacd8e535 ] ksmbd should process secound parallel smb2 create request during waiting oplock break ack. parent lock range that is too large in smb2_open() causes smb2_open() to be serialized. Move the oplock handling to the bottom of smb2_open() and make it called after parent unlock. This fixes the failure of smb2.lease.breaking1 testcase. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:53 2023 +0900 ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId [ Upstream commit 9ac45ac7cf65b0623ceeab9b28b307a08efa22dc ] Directly set SMB2_FLAGS_ASYNC_COMMAND flags and AsyncId in smb2 header of interim response instead of current response header. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:45 2023 +0900 ksmbd: no need to wait for binded connection termination at logoff [ Upstream commit 67797da8a4b82446d42c52b6ee1419a3100d78ff ] The connection could be binded to the existing session for Multichannel. session will be destroyed when binded connections are released. So no need to wait for that's connection at logoff. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Zongmin Zhou <[email protected]> Date: Tue Dec 19 00:34:48 2023 +0900 ksmbd: prevent memory leak on error return [ Upstream commit 90044481e7cca6cb3125b3906544954a25f1309f ] When allocated memory for 'new' failed,just return will cause memory leak of 'ar'. Fixes: 1819a9042999 ("ksmbd: reorganize ksmbd_iov_pin_rsp()") Reported-by: kernel test robot <[email protected]> Reported-by: Dan Carpenter <[email protected]> Closes: https://lore.kernel.org/r/[email protected]/ Signed-off-by: Zongmin Zhou<[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:22 2023 +0900 ksmbd: reduce descriptor size if remaining bytes is less than request size [ Upstream commit e628bf939aafb61fbc56e9bdac8795cea5127e25 ] Create 3 kinds of files to reproduce this problem. dd if=/dev/urandom of=127k.bin bs=1024 count=127 dd if=/dev/urandom of=128k.bin bs=1024 count=128 dd if=/dev/urandom of=129k.bin bs=1024 count=129 When copying files from ksmbd share to windows or cifs.ko, The following error message happen from windows client. "The file '129k.bin' is too large for the destination filesystem." We can see the error logs from ksmbd debug prints [48394.611537] ksmbd: RDMA r/w request 0x0: token 0x669d, length 0x20000 [48394.612054] ksmbd: smb_direct: RDMA write, len 0x20000, needed credits 0x1 [48394.612572] ksmbd: filename 129k.bin, offset 131072, len 131072 [48394.614189] ksmbd: nbytes 1024, offset 132096 mincount 0 [48394.614585] ksmbd: Failed to process 8 [-22] And we can reproduce it with cifs.ko, e.g. dd if=129k.bin of=/dev/null bs=128KB count=2 This problem is that ksmbd rdma return error if remaining bytes is less than Length of Buffer Descriptor V1 Structure. smb_direct_rdma_xmit() ... if (desc_buf_len == 0 || total_length > buf_len || total_length > t->max_rdma_rw_size) return -EINVAL; This patch reduce descriptor size with remaining bytes and remove the check for total_length and buf_len. Cc: [email protected] Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tom Talpey <[email protected]> Date: Tue Dec 19 00:33:19 2023 +0900 ksmbd: reduce server smbdirect max send/receive segment sizes [ Upstream commit 78af146e109bef5b3c411964141c6f8adbccd3b0 ] Reduce ksmbd smbdirect max segment send and receive size to 1364 to match protocol norms. Larger buffers are unnecessary and add significant memory overhead. Signed-off-by: Tom Talpey <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:36 2023 +0900 ksmbd: register ksmbd ib client with ib_register_client() [ Upstream commit 31928a001bed0d9642711d2eba520fc46d41c376 ] Register ksmbd ib client with ib_register_client() to find the rdma capable network adapter. If ops.get_netdev(Chelsio NICs) is NULL, ksmbd will find it using ib_device_get_by_netdev in old way. Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:52 2023 +0900 ksmbd: release interim response after sending status pending response [ Upstream commit 2a3f7857ec742e212d6cee7fbbf7b0e2ae7f5161 ] Add missing release async id and delete interim response entry after sending status pending response. This only cause when smb2 lease is enable. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Christophe JAILLET <[email protected]> Date: Tue Dec 19 00:32:48 2023 +0900 ksmbd: Remove a redundant zeroing of memory [ Upstream commit 56b401fb0c506120f25c1b4feeb96d9117efe171 ] fill_transform_hdr() has only one caller that already clears tr_buf (it is kzalloc'ed). So there is no need to clear it another time here. Remove the superfluous memset() and add a comment to remind that the caller must clear the buffer. Signed-off-by: Christophe JAILLET <[email protected]> Acked-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:33:03 2023 +0900 ksmbd: remove duplicate flag set in smb2_write [ Upstream commit 745bbc0995c25917dfafb645b8efb29813ef9e0b ] The writethrough flag is set again if is_rdma_channel is false. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dawei Li <[email protected]> Date: Tue Dec 19 00:33:33 2023 +0900 ksmbd: Remove duplicated codes [ Upstream commit 7010357004096e54c884813e702d71147dc081f8 ] ksmbd_neg_token_init_mech_token() and ksmbd_neg_token_targ_resp_token() share same implementation, unify them. Signed-off-by: Dawei Li <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Steve French <[email protected]> Date: Tue Dec 19 00:34:26 2023 +0900 ksmbd: remove experimental warning [ Upstream commit f5069159f32c8c943e047f22731317463c8e9b84 ] ksmbd has made significant improvements over the past two years and is regularly tested and used. Remove the experimental warning. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:51 2023 +0900 ksmbd: remove filename in ksmbd_file [ Upstream commit 50f500b7f6335404b18bbffa93e3a905a08d061a ] If the filename is change by underlying rename the server, fp->filename and real filename can be different. This patch remove the uses of fp->filename in ksmbd and replace it with d_path(). Signed-off-by: Namjae Jeon <[email protected]> Reviewed-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:11 2023 +0900 ksmbd: remove generic_fillattr use in smb2_open() [ Upstream commit 823d0d3e2b05791ba8cbab22574b947c21f89c18 ] Removed the use of unneeded generic_fillattr() in smb2_open(). Reviewed-by: Hyunchul Lee <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:24 2023 +0900 ksmbd: remove md4 leftovers [ Upstream commit 561a1cf57535154f094f31167a9170197caae686 ] As NTLM authentication is removed, md4 is no longer used. ksmbd remove md4 leftovers, i.e. select CRYPTO_MD4, MODULE_SOFTDEP md4. Acked-by: Hyunchul Lee <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Christophe JAILLET <[email protected]> Date: Tue Dec 19 00:32:23 2023 +0900 ksmbd: Remove redundant 'flush_workqueue()' calls [ Upstream commit e8d585b2f68c0b10c966ee55146de043429085a3 ] 'destroy_workqueue()' already drains the queue before destroying it, so there is no need to flush it explicitly. Remove the redundant 'flush_workqueue()' calls. This was generated with coccinelle: @@ expression E; @@ - flush_workqueue(E); destroy_workqueue(E); Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Christophe JAILLET <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:25 2023 +0900 ksmbd: remove smb2_buf_length in smb2_hdr [ Upstream commit cb4517201b8acdb5fd5314494aaf86c267f22345 ] To move smb2_hdr to smbfs_common, This patch remove smb2_buf_length variable in smb2_hdr. Also, declare smb2_get_msg function to get smb2 request/response from ->request/response_buf. Cc: Ronnie Sahlberg <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:26 2023 +0900 ksmbd: remove smb2_buf_length in smb2_transform_hdr [ Upstream commit 2dd9129f7dec1de369e4447a54ea2edf695f765b ] To move smb2_transform_hdr to smbfs_common, This patch remove smb2_buf_length variable in smb2_transform_hdr. Cc: Ronnie Sahlberg <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:33:07 2023 +0900 ksmbd: remove unnecessary generic_fillattr in smb2_open [ Upstream commit c90b31eaf9e77269d3803ed9223a2e0168b519ac ] Remove unnecessary generic_fillattr to fix wrong AllocationSize of SMB2_CREATE response, And Move the call of ksmbd_vfs_getattr above the place where stat is needed because of truncate. This patch fixes wrong AllocationSize of SMB2_CREATE response. Because ext4 updates inode->i_blocks only when disk space is allocated, generic_fillattr does not set stat.blocks properly for delayed allocation. But ext4 returns the blocks that include the delayed allocation blocks when getattr is called. The issue can be reproduced with commands below: touch ${FILENAME} xfs_io -c "pwrite -S 0xAB 0 40k" ${FILENAME} xfs_io -c "stat" ${FILENAME} 40KB are written, but the count of blocks is 8. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:27 2023 +0900 ksmbd: remove unneeded mark_inode_dirty in set_info_sec() [ Upstream commit e4e14095cc68a2efefba6f77d95efe1137e751d4 ] mark_inode_dirty will be called in notify_change(). This patch remove unneeded mark_inode_dirty in set_info_sec(). Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: David Disseldorp <[email protected]> Date: Tue Dec 19 00:33:45 2023 +0900 ksmbd: remove unused compression negotiate ctx packing [ Upstream commit af36c51e0e111de4e908328d49cba49de758f66e ] build_compression_ctxt() is currently unreachable due to conn.compress_algorithm remaining zero (SMB3_COMPRESS_NONE). It appears to have been broken in a couple of subtle ways over the years: - prior to d6c9ad23b421 ("ksmbd: use the common definitions for NEGOTIATE_PROTOCOL") smb2_compression_ctx.DataLength was set to 8, which didn't account for the single CompressionAlgorithms flexible array member. - post d6c9ad23b421 smb2_compression_capabilities_context CompressionAlgorithms is a three member array, while CompressionAlgorithmCount is set to indicate only one member. assemble_neg_contexts() ctxt_size is also incorrectly incremented by sizeof(struct smb2_compression_capabilities_context) + 2, which assumes one flexible array member. Signed-off-by: David Disseldorp <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Cheng-Han Wu <[email protected]> Date: Tue Dec 19 00:34:39 2023 +0900 ksmbd: Remove unused field in ksmbd_user struct [ Upstream commit eacc655e18d1dec9b50660d16a1ddeeb4d6c48f2 ] fs/smb/server/mgmt/user_config.h:21: Remove the unused field 'failed_login_count' from the ksmbd_user struct. Signed-off-by: Cheng-Han Wu <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Marios Makassikis <[email protected]> Date: Tue Dec 19 00:32:30 2023 +0900 ksmbd: Remove unused fields from ksmbd_file struct definition [ Upstream commit 305f8bda15ebbe4004681286a5c67d0dc296c771 ] These fields are remnants of the not upstreamed SMB1 code. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Marios Makassikis <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tom Rix <[email protected]> Date: Tue Dec 19 00:33:39 2023 +0900 ksmbd: remove unused is_char_allowed function [ Upstream commit 2824861773eb512b37547516d81ef78108032cb2 ] clang with W=1 reports fs/ksmbd/unicode.c:122:19: error: unused function 'is_char_allowed' [-Werror,-Wunused-function] static inline int is_char_allowed(char *ch) ^ This function is not used so remove it. Signed-off-by: Tom Rix <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:04 2023 +0900 ksmbd: remove unused ksmbd_share_configs_cleanup function [ Upstream commit 1c90b54718fdea4f89e7e0c2415803f33f6d0b00 ] remove unused ksmbd_share_configs_cleanup function. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:04 2023 +0900 ksmbd: remove unused ksmbd_tree_conn_share function [ Upstream commit 7bd9f0876fdef00f4e155be35e6b304981a53f80 ] Remove unused ksmbd_tree_conn_share function. Signed-off-by: Namjae Jeon <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Marios Makassikis <[email protected]> Date: Tue Dec 19 00:32:29 2023 +0900 ksmbd: Remove unused parameter from smb2_get_name() [ Upstream commit 80917f17e3f99027661a45262c310139e53a9faa ] The 'share' parameter is no longer used by smb2_get_name() since commit 265fd1991c1d ("ksmbd: use LOOKUP_BENEATH to prevent the out of share access"). Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Marios Makassikis <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:40 2023 +0900 ksmbd: reorganize ksmbd_iov_pin_rsp() [ Upstream commit 1819a904299942b309f687cc0f08b123500aa178 ] If ksmbd_iov_pin_rsp fail, io vertor should be rollback. This patch moves memory allocations to before setting the io vector to avoid rollbacks. Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Gustavo A. R. Silva <[email protected]> Date: Tue Dec 19 00:34:13 2023 +0900 ksmbd: Replace one-element array with flexible-array member [ Upstream commit 11d5e2061e973a8d4ff2b95a114b4b8ef8652633 ] One-element arrays are deprecated, and we are replacing them with flexible array members instead. So, replace one-element array with flexible-array member in struct smb_negotiate_req. This results in no differences in binary output. Link: https://github.com/KSPP/linux/issues/79 Link: https://github.com/KSPP/linux/issues/317 Signed-off-by: Gustavo A. R. Silva <[email protected]> Reviewed-by: Kees Cook <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Gustavo A. R. Silva <[email protected]> Date: Tue Dec 19 00:33:24 2023 +0900 ksmbd: replace one-element arrays with flexible-array members [ Upstream commit d272e01fa0a2f15c5c331a37cd99c6875c7b7186 ] One-element arrays are deprecated, and we are replacing them with flexible array members instead. So, replace one-element arrays with flexible-array members in multiple structs in fs/ksmbd/smb_common.h and one in fs/ksmbd/smb2pdu.h. Important to mention is that doing a build before/after this patch results in no binary output differences. This helps with the ongoing efforts to tighten the FORTIFY_SOURCE routines on memcpy() and help us make progress towards globally enabling -fstrict-flex-arrays=3 [1]. Link: https://github.com/KSPP/linux/issues/242 Link: https://github.com/KSPP/linux/issues/79 Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-October/602902.html [1] Signed-off-by: Gustavo A. R. Silva <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Kees Cook <[email protected]> Signed-off-by: Kees Cook <[email protected]> Link: https://lore.kernel.org/r/Y3OxronfaPYv9qGP@work Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Lu Hongfei <[email protected]> Date: Tue Dec 19 00:34:09 2023 +0900 ksmbd: Replace the ternary conditional operator with min() [ Upstream commit f65fadb0422537d73f9a6472861852dc2f7a6a5b ] It would be better to replace the traditional ternary conditional operator with min() in compare_sids. Signed-off-by: Lu Hongfei <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jakob Koschel <[email protected]> Date: Tue Dec 19 00:32:49 2023 +0900 ksmbd: replace usage of found with dedicated list iterator variable [ Upstream commit edf5f0548fbb77e20b898460dc25281b0f4d974d ] To move the list iterator variable into the list_for_each_entry_*() macro in the future it should be avoided to use the list iterator variable after the loop body. To *never* use the list iterator variable after the loop it was concluded to use a separate iterator variable instead of a found boolean [1]. This removes the need to use a found variable and simply checking if the variable was set, can determine if the break/goto was hit. Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ Signed-off-by: Jakob Koschel <[email protected]> Reviewed-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Atte Heikkilä <[email protected]> Date: Tue Dec 19 00:33:06 2023 +0900 ksmbd: request update to stale share config [ Upstream commit 4963d74f8a6cc0eafd71d9ffc13e3a11ff1dd160 ] ksmbd_share_config_get() retrieves the cached share config as long as there is at least one connection to the share. This is an issue when the user space utilities are used to update share configs. In that case there is a need to inform ksmbd that it should not use the cached share config for a new connection to the share. With these changes the tree connection flag KSMBD_TREE_CONN_FLAG_UPDATE indicates this. When this flag is set, ksmbd removes the share config from the shares hash table meaning that ksmbd_share_config_get() ends up requesting a share config from user space. Signed-off-by: Atte Heikkilä <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:06 2023 +0900 ksmbd: return a literal instead of 'err' in ksmbd_vfs_kern_path_locked() [ Upstream commit cf5e7f734f445588a30350591360bca2f6bf016f ] Return a literal instead of 'err' in ksmbd_vfs_kern_path_locked(). Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:29 2023 +0900 ksmbd: return invalid parameter error response if smb2 request is invalid [ Upstream commit f2f11fca5d7112e2f91c4854cddd68a059fdaa4a ] If smb2 request from client is invalid, The following kernel oops could happen. The patch e2b76ab8b5c9: "ksmbd: add support for read compound" leads this issue. When request is invalid, It doesn't set anything in the response buffer. This patch add missing set invalid parameter error response. [ 673.085542] ksmbd: cli req too short, len 184 not 142. cmd:5 mid:109 [ 673.085580] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 673.085591] #PF: supervisor read access in kernel mode [ 673.085600] #PF: error_code(0x0000) - not-present page [ 673.085608] PGD 0 P4D 0 [ 673.085620] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 673.085631] CPU: 3 PID: 1039 Comm: kworker/3:0 Not tainted 6.6.0-rc2-tmt #16 [ 673.085643] Hardware name: AZW U59/U59, BIOS JTKT001 05/05/2022 [ 673.085651] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 673.085719] RIP: 0010:ksmbd_conn_write+0x68/0xc0 [ksmbd] [ 673.085808] RAX: 0000000000000000 RBX: ffff88811ade4f00 RCX: 0000000000000000 [ 673.085817] RDX: 0000000000000000 RSI: ffff88810c2a9780 RDI: ffff88810c2a9ac0 [ 673.085826] RBP: ffffc900005e3e00 R08: 0000000000000000 R09: 0000000000000000 [ 673.085834] R10: ffffffffa3168160 R11: 63203a64626d736b R12: ffff8881057c8800 [ 673.085842] R13: ffff8881057c8820 R14: ffff8882781b2380 R15: ffff8881057c8800 [ 673.085852] FS: 0000000000000000(0000) GS:ffff888278180000(0000) knlGS:0000000000000000 [ 673.085864] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 673.085872] CR2: 0000000000000000 CR3: 000000015b63c000 CR4: 0000000000350ee0 [ 673.085883] Call Trace: [ 673.085890] <TASK> [ 673.085900] ? show_regs+0x6a/0x80 [ 673.085916] ? __die+0x25/0x70 [ 673.085926] ? page_fault_oops+0x154/0x4b0 [ 673.085938] ? tick_nohz_tick_stopped+0x18/0x50 [ 673.085954] ? __irq_work_queue_local+0xba/0x140 [ 673.085967] ? do_user_addr_fault+0x30f/0x6c0 [ 673.085979] ? exc_page_fault+0x79/0x180 [ 673.085992] ? asm_exc_page_fault+0x27/0x30 [ 673.086009] ? ksmbd_conn_write+0x68/0xc0 [ksmbd] [ 673.086067] ? ksmbd_conn_write+0x46/0xc0 [ksmbd] [ 673.086123] handle_ksmbd_work+0x28d/0x4b0 [ksmbd] [ 673.086177] process_one_work+0x178/0x350 [ 673.086193] ? __pfx_worker_thread+0x10/0x10 [ 673.086202] worker_thread+0x2f3/0x420 [ 673.086210] ? _raw_spin_unlock_irqrestore+0x27/0x50 [ 673.086222] ? __pfx_worker_thread+0x10/0x10 [ 673.086230] kthread+0x103/0x140 [ 673.086242] ? __pfx_kthread+0x10/0x10 [ 673.086253] ret_from_fork+0x39/0x60 [ 673.086263] ? __pfx_kthread+0x10/0x10 [ 673.086274] ret_from_fork_asm+0x1b/0x30 Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Reported-by: Tom Talpey <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Marios Makassikis <[email protected]> Date: Tue Dec 19 00:33:29 2023 +0900 ksmbd: send proper error response in smb2_tree_connect() [ Upstream commit cdfb2fef522d0c3f9cf293db51de88e9b3d46846 ] Currently, smb2_tree_connect doesn't send an error response packet on error. This causes libsmb2 to skip the specific error code and fail with the following: smb2_service failed with : Failed to parse fixed part of command payload. Unexpected size of Error reply. Expected 9, got 8 Signed-off-by: Marios Makassikis <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:50 2023 +0900 ksmbd: separately allocate ci per dentry [ Upstream commit 4274a9dc6aeb9fea66bffba15697a35ae8983b6a ] xfstests generic/002 test fail when enabling smb2 leases feature. This test create hard link file, but removeal failed. ci has a file open count to count file open through the smb client, but in the case of hard link files, The allocation of ci per inode cause incorrectly open count for file deletion. This patch allocate ci per dentry to counts open counts for hard link. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:37 2023 +0900 ksmbd: set 445 port to smbdirect port by default [ Upstream commit cb097b3dd5ece9596a0a0b7e33893c02a9bde8c6 ] When SMB Direct is used with iWARP, Windows use 5445 port for smb direct port, 445 port for SMB. This patch check ib_device using ib_client to know if NICs type is iWARP or Infiniband. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:31 2023 +0900 ksmbd: set both ipv4 and ipv6 in FSCTL_QUERY_NETWORK_INTERFACE_INFO [ Upstream commit a58b45a4dbfd0bf2ebb157789da4d8e6368afb1b ] Set ipv4 and ipv6 address in FSCTL_QUERY_NETWORK_INTERFACE_INFO. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:14 2023 +0900 ksmbd: set file permission mode to match Samba server posix extension behavior [ Upstream commit f6c2b201da7588f7f7688ddc99b7bb000609129c ] Set file permission mode to match Samba server posix extension behavior. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: David Disseldorp <[email protected]> Date: Tue Dec 19 00:33:43 2023 +0900 ksmbd: set NegotiateContextCount once instead of every inc [ Upstream commit 34e8ccf9ce24b6b2e275bbe35cd392e18fbbd369 ] There are no early returns, so marshalling the incremented NegotiateContextCount with every context is unnecessary. Signed-off-by: David Disseldorp <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:17 2023 +0900 ksmbd: set NTLMSSP_NEGOTIATE_SEAL flag to challenge blob [ Upstream commit 5bedae90b369ca1a7660b9af39591ed19009b495 ] If NTLMSSP_NEGOTIATE_SEAL flags is set in negotiate blob from client, Set NTLMSSP_NEGOTIATE_SEAL flag to challenge blob. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:25 2023 +0900 ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share [ Upstream commit 37ba7b005a7a4454046bd8659c7a9c5330552396 ] Currently, SMB2_SESSION_FLAG_ENCRYPT_DATA is always set session setup response. Since this forces data encryption from the client, there is a problem that data is always encrypted regardless of the use of the cifs seal mount option. SMB2_SESSION_FLAG_ENCRYPT_DATA should be set according to KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION flags, and in case of KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF, encryption mode is turned off for all connections. Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Steve French <[email protected]> Date: Tue Dec 19 00:32:47 2023 +0900 ksmbd: shorten experimental warning on loading the module [ Upstream commit adc32821409aef8d7f6d868c20a96f4901f48705 ] ksmbd is continuing to improve. Shorten the warning message logged the first time it is loaded to: "The ksmbd server is experimental" Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:38 2023 +0900 ksmbd: smbd: call rdma_accept() under CM handler [ Upstream commit 99b7650ac51847e81b4d5139824e321e6cb76130 ] if CONFIG_LOCKDEP is enabled, the following kernel warning message is generated because rdma_accept() checks whehter the handler_mutex is held by lockdep_assert_held. CM(Connection Manager) holds the mutex before CM handler callback is called. [ 63.211405 ] WARNING: CPU: 1 PID: 345 at drivers/infiniband/core/cma.c:4405 rdma_accept+0x17a/0x350 [ 63.212080 ] RIP: 0010:rdma_accept+0x17a/0x350 ... [ 63.214036 ] Call Trace: [ 63.214098 ] <TASK> [ 63.214185 ] smb_direct_accept_client+0xb4/0x170 [ksmbd] [ 63.214412 ] smb_direct_prepare+0x322/0x8c0 [ksmbd] [ 63.214555 ] ? rcu_read_lock_sched_held+0x3a/0x70 [ 63.214700 ] ksmbd_conn_handler_loop+0x63/0x270 [ksmbd] [ 63.214826 ] ? ksmbd_conn_alive+0x80/0x80 [ksmbd] [ 63.214952 ] kthread+0x171/0x1a0 [ 63.215039 ] ? set_kthread_struct+0x40/0x40 [ 63.215128 ] ret_from_fork+0x22/0x30 To avoid this, move creating a queue pair and accepting a client from transport_ops->prepare() to smb_direct_handle_connect_request(). Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:53 2023 +0900 ksmbd: smbd: change prototypes of RDMA read/write related functions [ Upstream commit 1807abcf8778bcbbf584fe54da9ccbe9029c49bb ] Change the prototypes of RDMA read/write operations to accept a pointer and length of buffer descriptors. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:40 2023 +0900 ksmbd: smbd: change the default maximum read/write, receive size [ Upstream commit 4d02c4fdc0e256b493f9a3b604c7ff18f0019f17 ] Due to restriction that cannot handle multiple buffer descriptor structures, decrease the maximum read/write size for Windows clients. And set the maximum fragmented receive size in consideration of the receive queue size. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:56 2023 +0900 ksmbd: smbd: change the return value of get_sg_list [ Upstream commit 4e3edd0092704b25626a0fe60a974f6f382ff93d ] Make get_sg_list return EINVAL if there aren't mapped scatterlists. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:39 2023 +0900 ksmbd: smbd: create MR pool [ Upstream commit c9f189271cff85d5d735e25dfa4bc95952ec12d8 ] Create a memory region pool because rdma_rw_ctx_init() uses memory registration if memory registration yields better performance than using multiple SGE entries. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:33:00 2023 +0900 ksmbd: smbd: fix connection dropped issue [ Upstream commit 5366afc4065075a4456941fbd51c33604d631ee5 ] When there are bursty connection requests, RDMA connection event handler is deferred and Negotiation requests are received even if connection status is NEW. To handle it, set the status to CONNECTED if Negotiation requests are received. Reported-by: Yufan Chen <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Tested-by: Yufan Chen <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:42 2023 +0900 ksmbd: smbd: fix missing client's memory region invalidation [ Upstream commit 2fd5dcb1c8ef96c9f0fa8bda53ca480524b80ae7 ] if the Channel of a SMB2 WRITE request is SMB2_CHANNEL_RDMA_V1_INVALIDTE, a client does not invalidate its memory regions but ksmbd must do it by sending a SMB2 WRITE response with IB_WR_SEND_WITH_INV. But if errors occur while processing a SMB2 READ/WRITE request, ksmbd sends a response with IB_WR_SEND. So a client could use memory regions already in use. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:57 2023 +0900 ksmbd: smbd: handle multiple Buffer descriptors [ Upstream commit ee1b0558965909872775183dc237cdf9f8eddaba ] Make ksmbd handle multiple buffer descriptors when reading and writing files using SMB direct: Post the work requests of rdma_rw_ctx for RDMA read/write in smb_direct_rdma_xmit(), and the work request for the READ/WRITE response with a remote invalidation in smb_direct_writev(). Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:54 2023 +0900 ksmbd: smbd: introduce read/write credits for RDMA read/write [ Upstream commit ddbdc861e37c168cf2fb8a7b7477f5d18b4daf76 ] SMB2_READ/SMB2_WRITE request has to be granted the number of rw credits, the pages the request wants to transfer / the maximum pages which can be registered with one MR to read and write a file. And allocate enough RDMA resources for the maximum number of rw credits allowed by ksmbd. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:33:01 2023 +0900 ksmbd: smbd: relax the count of sges required [ Upstream commit 621433b7e25d6d42e5f75bd8c4a62d6c7251511b ] Remove the condition that the count of sges must be greater than or equal to SMB_DIRECT_MAX_SEND_SGES(8). Because ksmbd needs sges only for SMB direct header, SMB2 transform header, SMB2 response, and optional payload. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Tom Talpey <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Christophe JAILLET <[email protected]> Date: Tue Dec 19 00:33:02 2023 +0900 ksmbd: smbd: Remove useless license text when SPDX-License-Identifier is already used [ Upstream commit 06ee1c0aebd5dfdf6bf237165b22415f64f38b7c ] An SPDX-License-Identifier is already in place. There is no need to duplicate part of the corresponding license. Signed-off-by: Christophe JAILLET <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:55 2023 +0900 ksmbd: smbd: simplify tracking pending packets [ Upstream commit 11659a8ddbd9c4c1ab6f3b8f52837178ef121b20 ] Because we don't have to tracking pending packets by dividing these into packets with payload and packets without payload, merge the tracking code. Signed-off-by: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:43 2023 +0900 ksmbd: smbd: validate buffer descriptor structures [ Upstream commit 6d896d3b44cf64ab9b2483697e222098e7b72f70 ] Check ChannelInfoOffset and ChannelInfoLength to validate buffer descriptor structures. And add a debug log to print the structures' content. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Paulo Alcantara (SUSE) <[email protected]> Date: Tue Dec 19 00:32:46 2023 +0900 ksmbd: store fids as opaque u64 integers [ Upstream commit 2d004c6cae567e33ab2e197757181c72a322451f ] There is no need to store the fids as le64 integers as they are opaque to the client and only used for equality. Signed-off-by: Paulo Alcantara (SUSE) <[email protected]> Reviewed-by: Tom Talpey <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Yingliang <[email protected]> Date: Tue Dec 19 00:34:18 2023 +0900 ksmbd: switch to use kmemdup_nul() helper [ Upstream commit 084ba46fc41c21ba827fd92e61f78def7a6e52ea ] Use kmemdup_nul() helper instead of open-coding to simplify the code. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Yang Yingliang <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Steve French <[email protected]> Date: Tue Dec 19 00:33:34 2023 +0900 ksmbd: update Kconfig to note Kerberos support and fix indentation [ Upstream commit d280a958f8b2b62610c280ecdf35d780e7922620 ] Fix indentation of server config options, and also since support for very old, less secure, NTLM authentication was removed (and quite a while ago), remove the mention of that in Kconfig, but do note Kerberos (not just NTLMv2) which are supported and much more secure. Acked-by: Namjae Jeon <[email protected]> Acked-by: David Howells <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jeff Layton <[email protected]> Date: Tue Dec 19 00:33:26 2023 +0900 ksmbd: use F_SETLK when unlocking a file [ Upstream commit 7ecbe92696bb7fe32c80b6cf64736a0d157717a9 ] ksmbd seems to be trying to use a cmd value of 0 when unlocking a file. That activity requires a type of F_UNLCK with a cmd of F_SETLK. For local POSIX locking, it doesn't matter much since vfs_lock_file ignores @cmd, but filesystems that define their own ->lock operation expect to see it set sanely. Cc: David Howells <[email protected]> Signed-off-by: Jeff Layton <[email protected]> Reviewed-by: David Howells <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ralph Boehme <[email protected]> Date: Tue Dec 19 00:32:21 2023 +0900 ksmbd: use ksmbd_req_buf_next() in ksmbd_verify_smb_message() [ Upstream commit a088ac859f8124d491f02a19d080fc5ee4dbd202 ] Use ksmbd_req_buf_next() in ksmbd_verify_smb_message(). Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Ralph Boehme <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:08 2023 +0900 ksmbd: use kvzalloc instead of kvmalloc [ Upstream commit 81a94b27847f7d2e499415db14dd9dc7c22b19b0 ] Use kvzalloc instead of kvmalloc. Reported-by: kernel test robot <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:05 2023 +0900 ksmbd: use kzalloc() instead of __GFP_ZERO [ Upstream commit f87d4f85f43f0d4b12ef64b015478d8053e1a33e ] Use kzalloc() instead of __GFP_ZERO. Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tobias Klauser <[email protected]> Date: Tue Dec 19 00:32:45 2023 +0900 ksmbd: use netif_is_bridge_port [ Upstream commit 1b699bf3a8786f7d41eebd9f6ba673185fa5b6bd ] Use netif_is_bridge_port defined in <linux/netdevice.h> instead of open-coding it. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Tobias Klauser <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Hyunchul Lee <[email protected]> Date: Tue Dec 19 00:32:28 2023 +0900 ksmbd: use oid registry functions to decode OIDs [ Upstream commit 294277410cf3b46bee2b8282ab754e52975c0a70 ] Use look_up_OID to decode OIDs rather than implementing functions. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Gustavo A. R. Silva <[email protected]> Date: Tue Dec 19 00:34:12 2023 +0900 ksmbd: Use struct_size() helper in ksmbd_negotiate_smb_dialect() [ Upstream commit 5211cc8727ed9701b04976ab47602955e5641bda ] Prefer struct_size() over open-coded versions. Link: https://github.com/KSPP/linux/issues/160 Signed-off-by: Gustavo A. R. Silva <[email protected]> Reviewed-by: Kees Cook <[email protected]> Acked-by: Namjae Jeon <[email protected]> Reviewed-by: Sergey Senozhatsky <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:33:05 2023 +0900 ksmbd: use wait_event instead of schedule_timeout() [ Upstream commit a14c573870a664386adc10526a6c2648ea56dae1 ] ksmbd threads eating masses of cputime when connection is disconnected. If connection is disconnected, ksmbd thread waits for pending requests to be processed using schedule_timeout. schedule_timeout() incorrectly is used, and it is more efficient to use wait_event/wake_up than to check r_count every time with timeout. Signed-off-by: Namjae Jeon <[email protected]> Reviewed-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:32:52 2023 +0900 ksmbd: validate length in smb2_write() [ Upstream commit 158a66b245739e15858de42c0ba60fcf3de9b8e6 ] The SMB2 Write packet contains data that is to be written to a file or to a pipe. Depending on the client, there may be padding between the header and the data field. Currently, the length is validated only in the case padding is present. Since the DataOffset field always points to the beginning of the data, there is no need to have a special case for padding. By removing this, the length is validated in both cases. Signed-off-by: Marios Makassikis <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:16 2023 +0900 ksmbd: validate session id and tree id in compound request [ Upstream commit 3df0411e132ee74a87aa13142dfd2b190275332e ] `smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. if `SMB2_TREE_CONNECT_HE` is the first command in compound request, will return 0, i.e. The tree id check is skipped. This patch use ksmbd_req_buf_next() to get current command in compound. Reported-by: [email protected] # ZDI-CAN-21506 Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Atte Heikkilä <[email protected]> Date: Tue Dec 19 00:33:23 2023 +0900 ksmbd: validate share name from share config response [ Upstream commit f5ba1cdaf5eb380e148183bda06d4844b457d095 ] Share config response may contain the share name without casefolding as it is known to the user space daemon. When it is present, casefold and compare it to the share name the share config request was made with. If they differ, we have a share config which is incompatible with the way share config caching is done. This is the case when CONFIG_UNICODE is not set, the share name contains non-ASCII characters, and those non- ASCII characters do not match those in the share name known to user space. In other words, when CONFIG_UNICODE is not set, UTF-8 share names now work but are only case-insensitive in the ASCII range. Signed-off-by: Atte Heikkilä <[email protected]> Acked-by: Tom Talpey <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Namjae Jeon <[email protected]> Date: Tue Dec 19 00:34:02 2023 +0900 ksmbd: validate smb request protocol id [ Upstream commit 1c1bcf2d3ea061613119b534f57507c377df20f9 ] This patch add the validation for smb request protocol id. If it is not one of the four ids(SMB1_PROTO_NUMBER, SMB2_PROTO_NUMBER, SMB2_TRANSFORM_PROTO_NUM, SMB2_COMPRESSION_TRANSFORM_ID), don't allow processing the request. And this will fix the following KASAN warning also. [ 13.905265] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1b9/0x1f0 [ 13.905900] Read of size 16 at addr ffff888005fd2f34 by task kworker/0:2/44 ... [ 13.908553] Call Trace: [ 13.908793] <TASK> [ 13.908995] dump_stack_lvl+0x33/0x50 [ 13.909369] print_report+0xcc/0x620 [ 13.910870] kasan_report+0xae/0xe0 [ 13.911519] kasan_check_range+0x35/0x1b0 [ 13.911796] init_smb2_rsp_hdr+0x1b9/0x1f0 [ 13.912492] handle_ksmbd_work+0xe5/0x820 Cc: [email protected] Reported-by: Chih-Yen Chang <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ralph Boehme <[email protected]> Date: Tue Dec 19 00:32:22 2023 +0900 ksmdb: use cmd helper variable in smb2_get_ksmbd_tcon() [ Upstream commit 341b16014bf871115f0883e831372c4b76389d03 ] Use cmd helper variable in smb2_get_ksmbd_tcon(). Cc: Tom Talpey <[email protected]> Cc: Ronnie Sahlberg <[email protected]> Cc: Steve French <[email protected]> Cc: Hyunchul Lee <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Ralph Boehme <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Greg Kroah-Hartman <[email protected]> Date: Sat Dec 23 10:42:00 2023 +0100 Linux 5.15.145 Link: https://lore.kernel.org/r/[email protected] Tested-by: Florian Fainelli <[email protected]> Tested-by: Allen Pais <[email protected]> Tested-by: Shuah Khan <[email protected]> Tested-by: Namjae Jeon <[email protected]> Tested-by: Linux Kernel Functional Testing <[email protected]> Tested-by: Ron Economos <[email protected]> Tested-by: Guenter Roeck <[email protected]> Tested-by: SeongJae Park <[email protected]> Tested-by: Jon Hunter <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Amit Pundir <[email protected]> Date: Tue Dec 19 15:41:16 2023 +0530 Revert "drm/bridge: lt9611uxc: fix the race in the error path" This reverts commit d0d01bb4a56093fa214c0949e9e7ccb9fb437795. This and the dependent fixes broke display on RB5. Signed-off-by: Amit Pundir <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Amit Pundir <[email protected]> Date: Tue Dec 19 15:41:17 2023 +0530 Revert "drm/bridge: lt9611uxc: Register and attach our DSI device at probe" This reverts commit 29aba28ea195182f547cd8dac1b80eed51b6b73d. This and the dependent fixes broke display on RB5. Signed-off-by: Amit Pundir <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Amit Pundir <[email protected]> Date: Tue Dec 19 15:41:18 2023 +0530 Revert "drm/bridge: lt9611uxc: Switch to devm MIPI-DSI helpers" This reverts commit f53a045793289483b3c2930007fc52c7f1f642d5. This and the dependent fixes broke display on RB5. Signed-off-by: Amit Pundir <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Steve French <[email protected]> Date: Tue Dec 19 00:32:50 2023 +0900 smb3: fix ksmbd bigendian bug in oplock break, and move its struct to smbfs_common [ Upstream commit c7803b05f74bc3941b127f3155671e1944f632ae ] Fix an endian bug in ksmbd for one remaining use of Persistent/VolatileFid that unnecessarily converted it (it is an opaque endian field that does not need to be and should not be converted) in oplock_break for ksmbd, and move the definitions for the oplock and lease break protocol requests and responses to fs/smbfs_common/smb2pdu.h Also move a few more definitions for various protocol requests that were duplicated (in fs/cifs/smb2pdu.h and fs/ksmbd/smb2pdu.h) into fs/smbfs_common/smb2pdu.h including: - various ioctls and reparse structures - validate negotiate request and response structs - duplicate extents structs Reviewed-by: Paulo Alcantara (SUSE) <[email protected]> Reviewed-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Francis Laniel <[email protected]> Date: Tue Dec 5 19:57:49 2023 +0100 tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols commit b022f0c7e404887a7c5229788fc99eff9f9a80d5 upstream. When a kprobe is attached to a function that's name is not unique (is static and shares the name with other functions in the kernel), the kprobe is attached to the first function it finds. This is a bug as the function that it is attaching to is not necessarily the one that the user wants to attach to. Instead of blindly picking a function to attach to what is ambiguous, error with EADDRNOTAVAIL to let the user know that this function is not unique, and that the user must use another unique function with an address offset to get to the function they want to attach to. Link: https://lore.kernel.org/all/[email protected]/ Cc: [email protected] Fixes: 413d37d1eb69 ("tracing: Add kprobe-based event tracer") Suggested-by: Masami Hiramatsu <[email protected]> Signed-off-by: Francis Laniel <[email protected]> Link: https://lore.kernel.org/lkml/[email protected]/ Acked-by: Masami Hiramatsu (Google) <[email protected]> Signed-off-by: Masami Hiramatsu (Google) <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>