Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2365c4ea authored by Pavel Shilovsky's avatar Pavel Shilovsky Committed by Steve French
Browse files

CIFS: Fix too big maxBuf size for SMB3 mounts 



SMB3 servers can respond with MaxTransactSize of more than 4M
that can cause a memory allocation error returned from kmalloc
in a lock codepath. Also the client doesn't support multicredit
requests now and allows buffer sizes of 65536 bytes only. Set
MaxTransactSize to this maximum supported value.

Cc: stable@vger.kernel.org # 3.7+
Signed-off-by: default avatarPavel Shilovsky <piastry@etersoft.ru>
Acked-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent 5d81de8e

fs/cifs/smb2glob.h

+3 −0
Original line number Diff line number Diff line
@@ -57,4 +57,7 @@ 
#define SMB2_CMACAES_SIZE (16)

#define SMB3_SIGNKEY_SIZE (16)



/* Maximum buffer size value we can send with 1 credit */

#define SMB2_MAX_BUFFER_SIZE 65536



#endif	/* _SMB2_GLOB_H */

fs/cifs/smb2ops.c

+4 −10
Original line number Diff line number Diff line
@@ -182,11 +182,8 @@ smb2_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) 
	/* start with specified wsize, or default */

	wsize = volume_info->wsize ? volume_info->wsize : CIFS_DEFAULT_IOSIZE;

	wsize = min_t(unsigned int, wsize, server->max_write);

	/*

	 * limit write size to 2 ** 16, because we don't support multicredit

	 * requests now.

	 */

	wsize = min_t(unsigned int, wsize, 2 << 15);

	/* set it to the maximum buffer size value we can send with 1 credit */

	wsize = min_t(unsigned int, wsize, SMB2_MAX_BUFFER_SIZE);



	return wsize;

}
@@ -200,11 +197,8 @@ smb2_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) 
	/* start with specified rsize, or default */

	rsize = volume_info->rsize ? volume_info->rsize : CIFS_DEFAULT_IOSIZE;

	rsize = min_t(unsigned int, rsize, server->max_read);

	/*

	 * limit write size to 2 ** 16, because we don't support multicredit

	 * requests now.

	 */

	rsize = min_t(unsigned int, rsize, 2 << 15);

	/* set it to the maximum buffer size value we can send with 1 credit */

	rsize = min_t(unsigned int, rsize, SMB2_MAX_BUFFER_SIZE);



	return rsize;

}

fs/cifs/smb2pdu.c

+3 −1
Original line number Diff line number Diff line
@@ -413,7 +413,9 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) 


	/* SMB2 only has an extended negflavor */

	server->negflavor = CIFS_NEGFLAVOR_EXTENDED;

	server->maxBuf = le32_to_cpu(rsp->MaxTransactSize);

	/* set it to the maximum buffer size value we can send with 1 credit */

	server->maxBuf = min_t(unsigned int, le32_to_cpu(rsp->MaxTransactSize),

			       SMB2_MAX_BUFFER_SIZE);

	server->max_read = le32_to_cpu(rsp->MaxReadSize);

	server->max_write = le32_to_cpu(rsp->MaxWriteSize);

	/* BB Do we need to validate the SecurityMode? */