
Commit b2d44d14 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Five smb3/cifs fixes for stable (including for some leaks and memory
  overwrites) and also a few fixes for recent regressions in packet
  signing.

  Additional testing at the recent SMB3 test event, and some good work
  by Paulo and others spotted the issues fixed here. In addition to my
  xfstest runs on these, Aurelien and Stefano did additional test runs
  to verify this set"

* tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
  cifs: Fix infinite loop when using hard mount option
  cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  cifs: Fix memory leak in smb2_set_ea()
  cifs: fix SMB1 breakage
  cifs: Fix validation of signed data in smb2
  cifs: Fix validation of signed data in smb3+
  cifs: Fix use after free of a mid_q_entry
parents 4f572efd 729c0c9d
+2 −1
@@ -423,7 +423,7 @@ struct smb_version_operations {
	void (*set_oplock_level)(struct cifsInodeInfo *, __u32, unsigned int,
				 bool *);
	/* create lease context buffer for CREATE request */
	char * (*create_lease_buf)(u8 *, u8);
	char * (*create_lease_buf)(u8 *lease_key, u8 oplock);
	/* parse lease context buffer and return oplock/epoch info */
	__u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey);
	ssize_t (*copychunk_range)(const unsigned int,
@@ -1416,6 +1416,7 @@ typedef int (mid_handle_t)(struct TCP_Server_Info *server,
/* one of these for every pending CIFS request to the server */
struct mid_q_entry {
	struct list_head qhead;	/* mids waiting on reply from this server */
	struct kref refcount;
	struct TCP_Server_Info *server;	/* server corresponding to this mid */
	__u64 mid;		/* multiplex id */
	__u32 pid;		/* process id */
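Review bot: The new `refcount` member of `struct mid_q_entry` is the only field in this hunk without a trailing comment, yet it is the one whose rules decide whether a mid is freed while still in use. A comment such as `struct kref refcount;	/* taken in cifs_find_mid(), dropped with cifs_mid_q_entry_release() */` would record the pairing that the later sections of this commit rely on. Where the initial reference is set is not visible on this page, so the comment should be extended by whoever knows that site. The struct body continues outside the hunk.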
+1 −0
@@ -82,6 +82,7 @@ extern struct mid_q_entry *AllocMidQEntry(const struct smb_hdr *smb_buffer,
					struct TCP_Server_Info *server);
extern void DeleteMidQEntry(struct mid_q_entry *midEntry);
extern void cifs_delete_mid(struct mid_q_entry *mid);
extern void cifs_mid_q_entry_release(struct mid_q_entry *midEntry);
extern void cifs_wake_up_task(struct mid_q_entry *mid);
extern int cifs_handle_standard(struct TCP_Server_Info *server,
				struct mid_q_entry *mid);
+8 −2
@@ -157,8 +157,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command)
	 * greater than cifs socket timeout which is 7 seconds
	 */
	while (server->tcpStatus == CifsNeedReconnect) {
		wait_event_interruptible_timeout(server->response_q,
			(server->tcpStatus != CifsNeedReconnect), 10 * HZ);
		rc = wait_event_interruptible_timeout(server->response_q,
						      (server->tcpStatus != CifsNeedReconnect),
						      10 * HZ);
		if (rc < 0) {
			cifs_dbg(FYI, "%s: aborting reconnect due to a received"
				 " signal by the process\n", __func__);
			return -ERESTARTSYS;
		}

		/* are we still trying to reconnect? */
		if (server->tcpStatus != CifsNeedReconnect)
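Review bot: The new `cifs_dbg()` call splits its format string across two source lines, which makes the message hard to find with grep; I would keep it whole even if the line runs long: `cifs_dbg(FYI, "%s: aborting reconnect due to a received signal by the process\n", __func__);`. Separately, `rc` now also receives the positive remaining-jiffies value whenever the wait ends because the condition became true. Whether `rc` is overwritten before the function returns is outside this hunk, so it is worth confirming that value cannot leak out as a return code. The body of cifs_reconnect_tcon() starts and ends outside the hunk.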
+7 −1
@@ -924,6 +924,7 @@ cifs_demultiplex_thread(void *p)
				server->pdu_size = next_offset;
		}

		mid_entry = NULL;
		if (server->ops->is_transform_hdr &&
		    server->ops->receive_transform &&
		    server->ops->is_transform_hdr(buf)) {
@@ -938,8 +939,11 @@ cifs_demultiplex_thread(void *p)
				length = mid_entry->receive(server, mid_entry);
		}

		if (length < 0)
		if (length < 0) {
			if (mid_entry)
				cifs_mid_q_entry_release(mid_entry);
			continue;
		}

		if (server->large_buf)
			buf = server->bigbuf;
@@ -956,6 +960,8 @@ cifs_demultiplex_thread(void *p)

			if (!mid_entry->multiRsp || mid_entry->multiEnd)
				mid_entry->callback(mid_entry);

			cifs_mid_q_entry_release(mid_entry);
		} else if (server->ops->is_oplock_break &&
			   server->ops->is_oplock_break(buf, server)) {
			cifs_dbg(FYI, "Received oplock break\n");
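Review bot: The `mid_entry = NULL;` reset added before the transform-header check is what keeps the new `if (mid_entry) cifs_mid_q_entry_release(mid_entry);` error path safe, and it should carry a comment saying so. Without the reset, a failed receive on a pass that presumably never looks up a mid could drop a reference through the pointer left over from the previous iteration. Something like `/* forget the previous iteration's mid so the error path cannot put it twice */` above the assignment would do. The assignments to `mid_entry` in both branches sit between the hunks, so any other `continue` or `break` that follows a successful lookup is worth checking for a matching release.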
+1 −0
@@ -107,6 +107,7 @@ cifs_find_mid(struct TCP_Server_Info *server, char *buffer)
		if (compare_mid(mid->mid, buf) &&
		    mid->mid_state == MID_REQUEST_SUBMITTED &&
		    le16_to_cpu(mid->command) == buf->Command) {
			kref_get(&mid->refcount);
			spin_unlock(&GlobalMid_Lock);
			return mid;
		}
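Review bot: The added `kref_get(&mid->refcount)` is safe only because it runs before `spin_unlock(&GlobalMid_Lock)`, and that ordering is easy to undo in a later cleanup if nothing explains it. A short comment on the line, for example `/* take our reference while the lock still pins the entry */`, would make the dependency explicit. This presumably also requires that the final put is serialised by the same lock or happens only after the entry is unlinked; neither is visible in this section and should be confirmed against cifs_mid_q_entry_release(). The function starts and ends outside the hunk.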