24 Mar, 2019

1 commit

  • commit c781af7e0c1fed9f1d0e0ec31b86f5b21a8dca17 upstream.

    When we hit failures during constructing MIDs or sending PDUs
    through the network, we end up not using message IDs assigned
    to the packet. The next SMB packet will skip those message IDs
    and continue with the next one. This behavior may lead to a server
    not granting us credits until we use the skipped IDs. Fix this by
    reverting the current ID to the original value if any errors occur
    before we push the packet through the network stack.

    This patch fixes the generic/310 test from the xfs-tests.

    Cc: # 4.19.x
    Signed-off-by: Pavel Shilovsky
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Pavel Shilovsky
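The credit-window behaviour this commit describes, as an added illustration that is not driver code: a simplified model of a server's MessageId window and a client that, on a send failure, either skips the id (pre-fix) or hands it back (the fix). The server model, the window size and the one-credit-per-freed-slot rule are assumptions of this example and are not taken from the commit or MS-SMB2.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define WINDOW 16                   /* MessageIds the server tracks at once (assumed) */

/* Server side: a simplified sequence window. used[i] is set once
 * MessageId low+i has arrived; the window slides past consumed ids and
 * each slot it frees is one credit handed back to the client. */
struct srv {
    uint64_t low;
    bool used[WINDOW];
};

/* Returns credits granted for this request, or -1 if the id is rejected. */
static int srv_receive(struct srv *s, uint64_t mid)
{
    if (mid < s->low || mid >= s->low + WINDOW)
        return -1;                  /* outside the window: not a valid id */
    if (s->used[mid - s->low])
        return -1;                  /* replayed id */
    s->used[mid - s->low] = true;

    int credits = 0;
    while (s->used[0]) {            /* slide only while the low edge is consumed */
        memmove(&s->used[0], &s->used[1], sizeof(s->used) - sizeof(s->used[0]));
        s->used[WINDOW - 1] = false;
        s->low++;
        credits++;
    }
    return credits;                 /* stays 0 while a skipped id blocks the low edge */
}

/* Client side: cur_mid is the next id to hand out, credits the budget. */
struct client {
    uint64_t cur_mid;
    int credits;
    bool revert_on_error;           /* the fix under discussion */
};

/* One request. fail=true models an error while building the mid or
 * pushing the PDU into the socket. Returns true if the server took it. */
static bool client_send(struct client *c, struct srv *s, bool fail)
{
    if (c->credits <= 0)
        return false;               /* nothing to spend: the client stalls */
    uint64_t mid = c->cur_mid++;
    c->credits--;

    if (fail) {
        c->credits++;               /* credits are handed back on error in both versions */
        if (c->revert_on_error)
            c->cur_mid = mid;       /* hand the id back too, so the next PDU reuses it */
        return false;
    }
    int granted = srv_receive(s, mid);
    if (granted < 0)
        return false;
    c->credits += granted;
    return true;
}

/* Run n requests, failing every fail_every-th one (0 = never fail);
 * return how many reached the server. */
static int run(bool revert, int n, int fail_every)
{
    struct srv s = { .low = 0 };
    struct client c = { .cur_mid = 0, .credits = WINDOW, .revert_on_error = revert };
    int delivered = 0;
    for (int i = 1; i <= n; i++)
        if (client_send(&c, &s, fail_every && i % fail_every == 0))
            delivered++;
    return delivered;
}
```

run(false, 40, 4) models the pre-fix client: after every fourth send fails, the low edge of the server's window stays stuck on the skipped id, no credits come back, and the client runs dry after 15 delivered requests. run(true, 40, 4) reuses each skipped id and delivers all 30 non-failing requests.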
     

03 Oct, 2018

1 commit

  • cifs_delete_mid() is called once we are finished handling a mid and we
    expect no more work done on this mid.

    Needed to fix recent commit:
    commit 730928c8f4be88e9d6a027a16b1e8fa9c59fc077
    ("cifs: update smb2_queryfs() to use compounding")

    Add a warning if someone tries to dequeue a mid that has already been
    flagged to be deleted.
    Also change list_del() to list_del_init() so that if we have similar bugs
    resurface in the future we will not oops.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky

    Ronnie Sahlberg
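An added user-space illustration, not the kernel's list.h and not the patch itself, of why list_del_init() is the safer call here: a minimal intrusive list with the kernel's poison values, a dequeue that warns instead of unlinking a mid already flagged as deleted, and a repeated delete that stays harmless. The MID_DELETED value and the mid_q_entry layout are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal re-implementation of the kernel's intrusive list, enough to
 * show the difference between list_del() and list_del_init(). */
struct list_head { struct list_head *next, *prev; };

#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

static void __list_del_entry(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
}

/* list_del(): unlink and poison. A second list_del() on the same node
 * follows the poison pointers and oopses. */
static void list_del(struct list_head *e)
{
    __list_del_entry(e);
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
}

/* list_del_init(): unlink and leave the node as an empty list of its own,
 * so list_empty() answers "not queued" and a repeated unlink is a harmless
 * self-unlink. */
static void list_del_init(struct list_head *e)
{
    __list_del_entry(e);
    INIT_LIST_HEAD(e);
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

#define MID_DELETED 2   /* mid_flags bit; value assumed to match cifsglob.h */

struct mid_q_entry {
    struct list_head qhead;     /* link on server->pending_mid_q */
    uint64_t mid;
    unsigned int mid_flags;
};

/* Modelled on the commit: a mid already flagged MID_DELETED is not
 * unlinked again; the caller gets a warning count instead of an oops. */
static bool dequeue_mid(struct mid_q_entry *m, int *warnings)
{
    if (m->mid_flags & MID_DELETED) {
        (*warnings)++;
        return false;
    }
    list_del_init(&m->qhead);
    m->mid_flags |= MID_DELETED;
    return true;
}

static int pending_count(const struct list_head *q)
{
    int n = 0;
    for (const struct list_head *p = q->next; p != q; p = p->next)
        n++;
    return n;
}

/* After list_del() the node still looks "on some list" (next is a poison
 * pointer, not itself); after list_del_init() it reads as empty. */
static bool unlinked_node_reads_as_empty(bool use_init)
{
    struct list_head q, node;
    INIT_LIST_HEAD(&q);
    list_add_tail(&node, &q);
    if (use_init)
        list_del_init(&node);
    else
        list_del(&node);
    return list_empty(&node);   /* compares pointers only; never dereferences */
}

/* Queue three mids, delete the middle one twice (the kind of repeat the
 * commit adds a warning for), and report warnings and what is left. */
static int double_delete_demo(int *remaining)
{
    struct list_head pending_mid_q;
    struct mid_q_entry m[3];
    int warnings = 0;

    INIT_LIST_HEAD(&pending_mid_q);
    for (int i = 0; i < 3; i++) {
        m[i].mid = (uint64_t)i;
        m[i].mid_flags = 0;
        list_add_tail(&m[i].qhead, &pending_mid_q);
    }
    dequeue_mid(&m[1], &warnings);
    dequeue_mid(&m[1], &warnings);  /* flagged: warns, touches no pointers */
    list_del_init(&m[1].qhead);     /* even a raw repeat is a no-op on a self-linked node */
    *remaining = pending_count(&pending_mid_q);
    return warnings;
}
```

The second dequeue_mid() call is where the warning fires; the raw list_del_init() after it shows the property the commit relies on: with list_del() in its place the node would hold LIST_POISON1/2 and the unlink would dereference them.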
     

10 Aug, 2018

1 commit


08 Aug, 2018

7 commits

  • When CONFIG_CIFS_STATS2 is enabled keep counters for slow
    commands (ie server took longer than 1 second to respond)
    by SMB2/SMB3 command code. This can help in diagnosing
    whether performance problems are on server (instead of
    client) and which commands are causing the problem.

    Sample output (the new lines contain words "slow responses ...")

    $ cat /proc/fs/cifs/Stats
    Resources in use
    CIFS Session: 1
    Share (unique mount targets): 2
    SMB Request/Response Buffer: 1 Pool size: 5
    SMB Small Req/Resp Buffer: 1 Pool size: 30
    Total Large 10 Small 490 Allocations
    Operations (MIDs): 0

    0 session 0 share reconnects
    Total vfs operations: 67 maximum at one time: 2
    4 slow responses from localhost for command 5
    1 slow responses from localhost for command 6
    1 slow responses from localhost for command 14
    1 slow responses from localhost for command 16

    1) \\localhost\test
    SMBs: 243
    Bytes read: 1024000 Bytes written: 104857600
    TreeConnects: 1 total 0 failed
    TreeDisconnects: 0 total 0 failed
    Creates: 40 total 0 failed
    Closes: 39 total 0 failed
    ...

    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    Reviewed-by: Aurelien Aptel

    Steve French
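An added helper, not part of the patch or the cifs module, for reading the new lines back out of a Stats dump: it parses each "slow responses" line and maps the numeric command code to its MS-SMB2 command name. The line format is assumed to be exactly as in the sample above, and the input is a constructed copy of those sample lines.

```c
#include <stdio.h>
#include <string.h>

/* SMB2 command codes (MS-SMB2 2.2.1.2), for the "command N" in the stats. */
static const char *smb2_command_name(unsigned int code)
{
    static const char *const names[] = {
        "NEGOTIATE", "SESSION_SETUP", "LOGOFF", "TREE_CONNECT", "TREE_DISCONNECT",
        "CREATE", "CLOSE", "FLUSH", "READ", "WRITE", "LOCK", "IOCTL", "CANCEL",
        "ECHO", "QUERY_DIRECTORY", "CHANGE_NOTIFY", "QUERY_INFO", "SET_INFO",
        "OPLOCK_BREAK",
    };
    return code < sizeof names / sizeof names[0] ? names[code] : "UNKNOWN";
}

struct slow_stat {
    unsigned int count;
    char server[64];
    unsigned int cmd;
};

/* Pull every "N slow responses from HOST for command C" line out of a
 * Stats dump; other lines are skipped. Returns the number of records filled. */
static int parse_slow_responses(const char *text, struct slow_stat *out, int max)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            const char *p = buf;
            while (*p == ' ' || *p == '\t')
                p++;
            if (sscanf(p, "%u slow responses from %63s for command %u",
                       &out[n].count, out[n].server, &out[n].cmd) == 3)
                n++;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

/* Sum the slow responses and return the command code with the most. */
static unsigned int worst_command(const struct slow_stat *s, int n, unsigned int *total)
{
    unsigned int worst = 0, worst_count = 0, sum = 0;
    for (int i = 0; i < n; i++) {
        sum += s[i].count;
        if (s[i].count > worst_count) {
            worst_count = s[i].count;
            worst = s[i].cmd;
        }
    }
    if (total)
        *total = sum;
    return worst;
}

/* Constructed input: the four "slow responses" lines from the sample
 * output, plus an unrelated line to show that it is ignored. */
static const char SAMPLE_STATS[] =
    "Total vfs operations: 67 maximum at one time: 2\n"
    "4 slow responses from localhost for command 5\n"
    "1 slow responses from localhost for command 6\n"
    "1 slow responses from localhost for command 14\n"
    "1 slow responses from localhost for command 16\n";

int main(void)
{
    struct slow_stat s[32];
    int n = parse_slow_responses(SAMPLE_STATS, s, 32);
    unsigned int total = 0;
    unsigned int worst = worst_command(s, n, &total);
    for (int i = 0; i < n; i++)
        printf("%-16s %u slow from %s\n", smb2_command_name(s[i].cmd),
               s[i].count, s[i].server);
    printf("total %u, worst: %s\n", total, smb2_command_name(worst));
    return 0;
}
```

On a live system the same parser can be fed the contents of /proc/fs/cifs/Stats; for the sample above it reports CREATE (command 5) as the command with the most slow responses.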
     
  • These are used for SMB3 encryption and compounded requests.
    Update these functions and the other functions related to SMB3 encryption to
    take an array of requests.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky

    Ronnie Sahlberg
     
  • CONFIG_CIFS_STATS should always be enabled as Pavel recently
    noted. Simple statistics are not a significant performance hit,
    and removing the ifdef simplifies the code slightly.

    Signed-off-by: Steve French
    Reviewed-by: Ronnie Sahlberg
    Reviewed-by: Pavel Shilovsky

    Steve French
     
  • Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    Cc:

    Ronnie Sahlberg
     
  • These timers were a good idea but weren't used in current code,
    and the idea was cifs specific. Future patch will add similar timers
    for SMB2/SMB3, but no sense using memory for cifs timers that
    aren't used in current code.

    Signed-off-by: Steve French
    Reviewed-by: Ronnie Sahlberg

    Steve French
     
  • We really, really want to be encouraging use of secure dialects,
    and SMB3.1.1 offers useful security features, and will soon
    be the recommended dialect for many use cases. Simplify the code
    by removing the CONFIG_CIFS_SMB311 ifdef so users don't disable
    it in the build, and create compatibility and/or security issues
    with modern servers - many of which have been supporting this
    dialect for multiple years.

    Also clarify some of the Kconfig text for cifs.ko about
    SMB3.1.1 and current supported features in the module.

    Signed-off-by: Steve French
    Acked-by: Aurelien Aptel
    Reviewed-by: Ronnie Sahlberg

    Steve French
     
  • In cifs, the timestamps are stored in memory in the cifs_fattr structure,
    which uses the deprecated 'timespec' structure. Now that the VFS code
    has moved on to 'timespec64', the next step is to change over the fattr
    as well.

    This also makes 32-bit and 64-bit systems behave the same way, and
    no longer overflow the 32-bit time_t in year 2038.

    Signed-off-by: Arnd Bergmann
    Reviewed-by: Paulo Alcantara
    Signed-off-by: Steve French

    Arnd Bergmann
     

06 Jul, 2018

2 commits

  • smb{2,3}_create_lease_buf() store a lease key in the lease
    context for later usage on a lease break.

    In most paths, the key is currently sourced from data that
    happens to be on the stack near local variables for oplock in
    SMB2_open() callers, e.g. from open_shroot(), whereas
    smb2_open_file() properly allocates space on its stack for it.

    The address of those local variables holding the oplock is then
    passed to create_lease_buf handlers via SMB2_open(), and 16
    bytes near oplock are used. This causes a stack out-of-bounds
    access as reported by KASAN on SMB2.1 and SMB3 mounts (first
    out-of-bounds access is shown here):

    [ 111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
    [ 111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
    [ 111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
    [ 111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
    [ 111.536838] Call Trace:
    [ 111.537528] dump_stack+0xc2/0x16b
    [ 111.540890] print_address_description+0x6a/0x270
    [ 111.542185] kasan_report+0x258/0x380
    [ 111.544701] smb3_create_lease_buf+0x399/0x3b0 [cifs]
    [ 111.546134] SMB2_open+0x1ef8/0x4b70 [cifs]
    [ 111.575883] open_shroot+0x339/0x550 [cifs]
    [ 111.591969] smb3_qfs_tcon+0x32c/0x1e60 [cifs]
    [ 111.617405] cifs_mount+0x4f3/0x2fc0 [cifs]
    [ 111.674332] cifs_smb3_do_mount+0x263/0xf10 [cifs]
    [ 111.677915] mount_fs+0x55/0x2b0
    [ 111.679504] vfs_kern_mount.part.22+0xaa/0x430
    [ 111.684511] do_mount+0xc40/0x2660
    [ 111.698301] ksys_mount+0x80/0xd0
    [ 111.701541] do_syscall_64+0x14e/0x4b0
    [ 111.711807] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [ 111.713665] RIP: 0033:0x7f372385b5fa
    [ 111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
    [ 111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
    [ 111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
    [ 111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
    [ 111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
    [ 111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
    [ 111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000

    [ 111.735448] The buggy address belongs to the page:
    [ 111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
    [ 111.739890] flags: 0x17ffffc0000000()
    [ 111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
    [ 111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    [ 111.746679] page dumped because: kasan: bad access detected

    [ 111.750482] Memory state around the buggy address:
    [ 111.752562] ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
    [ 111.754991] ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
    [ 111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
    [ 111.759801] ^
    [ 111.762034] ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
    [ 111.764486] ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 111.766913] ==================================================================

    Lease keys are however already generated and stored in fid data
    on open and create paths: pass them down to the lease context
    creation handlers and use them.

    Suggested-by: Aurélien Aptel
    Reviewed-by: Aurelien Aptel
    Fixes: b8c32dbb0deb ("CIFS: Request SMB2.1 leases")
    Signed-off-by: Stefano Brivio
    Signed-off-by: Steve French

    Stefano Brivio
     
  • With protocol version 2.0 mounts we have seen crashes with corrupt mid
    entries. Either the server->pending_mid_q list becomes corrupt with a
    cyclic reference in one element or a mid object fetched by the
    demultiplexer thread becomes overwritten during use.

    Code review identified a race between the demultiplexer thread and the
    request issuing thread. The demultiplexer thread seems to be written
    with the assumption that it is the sole user of the mid object until
    it calls the mid callback which either wakes the issuer task or
    deletes the mid.

    This assumption is not true because the issuer task can be woken up
    earlier by a signal. If the demultiplexer thread has proceeded as far
    as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
    thread will happily end up calling cifs_delete_mid while the
    demultiplexer thread still is using the mid object.

    Inserting a delay in the cifs demultiplexer thread widens the race
    window and makes reproduction of the race very easy:

    if (server->large_buf)
    buf = server->bigbuf;

    + usleep_range(500, 4000);

    server->lstrp = jiffies;

    To resolve this I think the proper solution involves putting a
    reference count on the mid object. This patch makes sure that the
    demultiplexer thread holds a reference until it has finished
    processing the transaction.

    Cc: stable@vger.kernel.org
    Signed-off-by: Lars Persson
    Acked-by: Paulo Alcantara
    Reviewed-by: Ronnie Sahlberg
    Reviewed-by: Pavel Shilovsky
    Signed-off-by: Steve French

    Lars Persson
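The interleaving described in the commit, replayed as an added single-threaded model that is not the driver's code: the demultiplexer's steps and the issuer's early wakeup run in a fixed order, the kref is reduced to a plain counter, and a magic field stands in for what KASAN would catch. The state values, field names and helper names are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* mid_state values as in cifsglob.h (assumed) */
enum { MID_REQUEST_SUBMITTED = 2, MID_RESPONSE_RECEIVED = 4 };
#define MID_MAGIC 0x4d494451u   /* "MIDQ": cleared on release so stale use is visible */

/* Single-threaded model of a mid: the kref is a plain counter here. */
struct mid_q_entry {
    int refcount;
    int mid_state;
    uint32_t magic;
    bool released;
};

static void mid_init(struct mid_q_entry *m)
{
    m->refcount = 1;            /* the issuer's reference, taken at allocation */
    m->mid_state = MID_REQUEST_SUBMITTED;
    m->magic = MID_MAGIC;
    m->released = false;
}

static void mid_get(struct mid_q_entry *m) { m->refcount++; }

/* kref_put() release path: the object is dead from here on. */
static void mid_put(struct mid_q_entry *m)
{
    if (--m->refcount == 0) {
        m->magic = 0;
        m->released = true;
    }
}

/* cifs_delete_mid(): the issuer is done, drop its reference. */
static void cifs_delete_mid(struct mid_q_entry *m) { mid_put(m); }

/* The race from the commit message, replayed deterministically: demux sees
 * the response and marks the mid, the issuer is woken early by a signal,
 * sees MID_RESPONSE_RECEIVED and calls cifs_delete_mid(), and demux then
 * keeps working on the mid. demux_holds_ref=true is the fix.
 * Returns true if demux touched a released mid. */
static bool replay_race(bool demux_holds_ref, struct mid_q_entry *m)
{
    bool stale = false;
    mid_init(m);

    if (demux_holds_ref)
        mid_get(m);                              /* demux: hold it until done */
    m->mid_state = MID_RESPONSE_RECEIVED;        /* demux: response in */

    cifs_delete_mid(m);                          /* issuer: woken by signal, cleans up */

    if (m->magic != MID_MAGIC)                   /* demux: callback still running */
        stale = true;

    if (demux_holds_ref)
        mid_put(m);                              /* demux: finished with the transaction */
    return stale;
}
```

Without the demultiplexer's reference the issuer's cifs_delete_mid() is the last put and the mid is gone while the demultiplexer is still using it; with it, the object lives until both sides have dropped their reference, and it is still released exactly once.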
     

15 Jun, 2018

4 commits


07 Jun, 2018

1 commit

  • cifs->master_tlink is NULL against Win Server 2016 (which is
    strange.. not sure why) and is dereferenced in cifs_sb_master_tcon().

    move master_tlink getter to cifsglob.h so it can be used from
    smb2misc.c

    Signed-off-by: Aurelien Aptel
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Acked-by: Pavel Shilovsky

    Aurelien Aptel
     

03 Jun, 2018

3 commits


01 Jun, 2018

1 commit


31 May, 2018

5 commits

  • If "posix" (or synonym "unix" for backward compatibility) specified on mount,
    and server advertises support for SMB3.11 POSIX negotiate context, then
    enable the new posix extensions on the tcon. This can be viewed by
    looking for "posix" in the mount options displayed by /proc/mounts
    for that mount (ie if posix extensions allowed by server and the
    experimental POSIX extensions also requested on the mount by specifying
    "posix" at mount time).

    Also add check to warn user if conflicting unix/nounix or posix/noposix specified
    on mount.

    Signed-off-by: Steve French

    Steve French
     
    Unlike CIFS where UNIX/POSIX extensions had been negotiable,
    SMB3 did not have POSIX extensions yet. Add the new SMB3.11
    POSIX negotiate context to ask the server whether it can
    support POSIX (and thus whether we can send the new POSIX open
    context).

    Signed-off-by: Steve French

    Steve French
     
  • To improve security it may be helpful to have additional ways to restrict the
    ability to override the default dialects (SMB2.1, SMB3 and SMB3.02) on mount
    with old dialects (CIFS/SMB1 and SMB2) since vers=1.0 (CIFS/SMB1) and vers=2.0
    are weaker and less secure.

    Add a module parameter "disable_legacy_dialects"
    (/sys/module/cifs/parameters/disable_legacy_dialects) which can be set to
    1 (or equivalently Y) to forbid use of vers=1.0 or vers=2.0 on mount.

    Also cleans up a few build warnings about globals for various module parms.

    Signed-off-by: Steve French

    Steve French
     
  • Note which ones of the module params are cifs dialect only
    (N/A for default dialect now that has moved to SMB2.1 or later)

    Signed-off-by: Steve French
    Reviewed-by: Ronnie Sahlberg

    Steve French
     
  • When direct I/O is used, the data buffer may not always align to page
    boundaries. Introduce a page offset in transport data structures to
    describe the location of the buffer within the page.

    Also change the function to pass the page offset when sending data to
    transport.

    Signed-off-by: Long Li
    Signed-off-by: Steve French

    Long Li
     

28 May, 2018

4 commits

  • In SMB2_open(), if we got a lease we need to store this in the fid structure
    or else we will never be able to map a lease break back to which file/fid
    it applies to.

    Signed-off-by: Ronnie Sahlberg
    Reviewed-by: Pavel Shilovsky
    Signed-off-by: Steve French

    Ronnie Sahlberg
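An added example, not the driver's code, covering this commit and the lease-key fix above (the KASAN stack-out-of-bounds in smb3_create_lease_buf): the key lives in the fid, the lease context builder takes it as an explicit 16-byte argument instead of reading past a caller's oplock byte, and a lease break is mapped back to its fid by that key. The struct layouts, the deterministic key generator and the helper names are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB2_LEASE_KEY_SIZE 16
#define SMB2_LEASE_READ_CACHING   0x01   /* MS-SMB2 LeaseState bits */
#define SMB2_LEASE_HANDLE_CACHING 0x02

/* The key is owned by the fid: generated once at open, consulted on lease break. */
struct cifs_fid {
    uint64_t persistent_fid;
    uint64_t volatile_fid;
    uint8_t  lease_key[SMB2_LEASE_KEY_SIZE];
};

/* Trimmed model of the SMB2_CREATE_REQUEST_LEASE context body. */
struct create_lease {
    uint8_t  LeaseKey[SMB2_LEASE_KEY_SIZE];
    uint32_t LeaseState;
    uint32_t LeaseFlags;
    uint64_t LeaseDuration;
};

/* The pre-fix shape: the only pointer available is the caller's oplock
 * byte, and 16 bytes are read from it. A caller passing &oplock for a
 * local __u8 supplies one valid byte and fifteen bytes of neighbouring
 * stack, which is the stack-out-of-bounds KASAN reported. Kept for
 * contrast only; it is never called here. */
__attribute__((unused))
static void create_lease_buf_before_fix(struct create_lease *buf, const uint8_t *oplock)
{
    memcpy(buf->LeaseKey, oplock, SMB2_LEASE_KEY_SIZE);   /* overread when *oplock is a lone byte */
    buf->LeaseState = SMB2_LEASE_READ_CACHING | SMB2_LEASE_HANDLE_CACHING;
}

/* After the fix: the lease key arrives as its own 16-byte argument, so
 * there is nothing next to a local variable to overread. */
static void create_lease_buf(struct create_lease *buf,
                             const uint8_t lease_key[SMB2_LEASE_KEY_SIZE],
                             uint32_t lease_state)
{
    memset(buf, 0, sizeof *buf);
    memcpy(buf->LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
    buf->LeaseState = lease_state;
}

/* Deterministic stand-in for the random key the driver generates. */
static void make_lease_key(uint8_t key[SMB2_LEASE_KEY_SIZE], uint64_t seed)
{
    for (int i = 0; i < SMB2_LEASE_KEY_SIZE; i++) {
        seed = seed * 6364136223846793005ULL + 1442695040888963407ULL;
        key[i] = (uint8_t)(seed >> 56);
    }
}

/* Open path: key generated, stored in the fid, and passed down explicitly. */
static void smb2_open_model(struct cifs_fid *fid, uint64_t handle, struct create_lease *ctx)
{
    fid->persistent_fid = handle;
    fid->volatile_fid = ~handle;
    make_lease_key(fid->lease_key, handle);
    create_lease_buf(ctx, fid->lease_key,
                     SMB2_LEASE_READ_CACHING | SMB2_LEASE_HANDLE_CACHING);
}

/* Lease break path: the notification carries only the key, so the fid
 * that stored it is the only way back to the file. */
static struct cifs_fid *fid_for_lease_break(struct cifs_fid *fids, size_t n,
                                            const uint8_t key[SMB2_LEASE_KEY_SIZE])
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(fids[i].lease_key, key, SMB2_LEASE_KEY_SIZE) == 0)
            return &fids[i];
    return NULL;
}
```

The signature change is the whole fix: create_lease_buf() can no longer be handed a pointer to a single byte, and because the fid keeps the same 16 bytes the server echoes back in a lease break, fid_for_lease_break() can identify the file without any extra state.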
     
  • and change the smb2 version to take header_preamble_size into account
    instead of hardcoding it as 4 bytes.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French

    Ronnie Sahlberg
     
  • We need a struct TCP_Server_Info *server to this method as it calls
    calc_size. The calc_size method will soon be changed to also
    take a server argument.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French

    Ronnie Sahlberg
     
  • In SMB2/SMB3 unlike in cifs we unnecessarily open the root of the share
    over and over again in various places during mount and path revalidation
    and also in statfs. This patch cuts redundant traffic (opens and closes)
    by simply keeping the directory handle for the root around (and reopening
    it as needed on reconnect), so query calls don't require three round
    trips to complete - just one, and eases load on network, client and
    server (on mount alone, cuts network traffic by more than a third).

    Also add a new cifs mount parm "nohandlecache" to allow users whose
    servers might have resource constraints (eg in case they have a server
    with so many users connecting to it that this extra handle per mount
    could possibly be a resource concern).

    Signed-off-by: Steve French
    Reviewed-by: Ronnie Sahlberg

    Steve French
     

13 Apr, 2018

3 commits


03 Apr, 2018

2 commits

  • Some servers return inode number zero for the root directory, which
    causes ls to display incorrect data (missing "." and "..").

    If the server returns zero for the inode number of the root directory,
    fake an inode number for it.

    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    CC: Stable

    Steve French
     
  • This variable is set to 4 for all protocol versions and replaces
    the hardcoded constant 4 throughout the code.
    This will later be updated to reflect whether a response packet
    has a 4 byte length preamble or not once we start removing this
    field from the SMB2+ dialects.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky

    Ronnie Sahlberg
     

02 Apr, 2018

2 commits

  • SMB3.11 clients must implement pre-authentication integrity.

    * new mechanism to certify requests/responses happening before Tree
    Connect.
    * supersedes VALIDATE_NEGOTIATE
    * fixes signing for SMB3.11

    Signed-off-by: Aurelien Aptel
    Signed-off-by: Steve French
    CC: Stable
    Reviewed-by: Ronnie Sahlberg

    Aurelien Aptel
     
  • * prepare for SMB3.11 pre-auth integrity
    * enable sha512 when SMB311 is enabled in Kconfig
    * add sha512 as a soft dependency

    Signed-off-by: Aurelien Aptel
    Signed-off-by: Steve French
    CC: Stable
    Reviewed-by: Ronnie Sahlberg

    Aurelien Aptel
     

27 Jan, 2018

1 commit

  • * Remove ses->ipc_tid.
    * Make IPC$ regular tcon.
    * Add a direct pointer to it in ses->tcon_ipc.
    * Distinguish PIPE tcon from IPC tcon by adding a tcon->pipe flag. All
    IPC tcons are pipes but not all pipes are IPC.
    * All TreeConnect functions now cannot take a NULL tcon object.

    The IPC tcon has the same lifetime as the session it belongs to. It is
    created when the session is created and destroyed when the session is
    destroyed.

    Since no mounts directly refer to the IPC tcon, its refcount should
    always be set to initialisation value (1). Thus we make sure
    cifs_put_tcon() skips it.

    If the mount request resulting in a new session being created requires
    encryption, try to require it too for IPC.

    * set SERVER_NAME_LENGTH to serverName actual size

    The maximum length of an ipv6 string representation is defined in
    INET6_ADDRSTRLEN as 45+1 for null but let's keep what we know works.

    Signed-off-by: Aurelien Aptel
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky

    Aurelien Aptel
     

25 Jan, 2018

2 commits

  • This patch is for preparing upper layer doing SMB read via RDMA write.

    When RDMA write is used for SMB read, the returned data length is in
    DataRemaining in the response packet. Read it properly by adding a
    parameter to specify where the returned data length is.

    Add the definition for memory registration to wdata and return the correct
    length based on if RDMA write is used.

    Signed-off-by: Long Li
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    Reviewed-by: Ronnie Sahlberg

    Long Li
     
  • When sending I/O, if size is larger than rdma_readwrite_threshold we prepare
    to send SMB write packet for a RDMA read via memory registration. The actual
    I/O is done by remote peer through local RDMA hardware. Modify the relevant
    fields in the packet accordingly, and append a smbd_buffer_descriptor_v1 to
    the end of the SMB write packet.

    On write I/O finish, deregister the memory region if this was for a RDMA read.
    If remote invalidation is not used, the call to smbd_deregister_mr will do
    local invalidation and possibly wait. Memory region is normally deregistered
    in MID callback as soon as it's used. There are situations where the MID may
    not be created on I/O failure, under which memory region is deregistered when
    write data context is released.

    Signed-off-by: Long Li
    Signed-off-by: Steve French
    Reviewed-by: Pavel Shilovsky
    Reviewed-by: Ronnie Sahlberg

    Long Li