1. 29 Apr, 2015 1 commit
  2. 19 Apr, 2015 1 commit
    • David Disseldorp's avatar
      cifs: fix use-after-free bug in find_writable_file · 57cf01ac
      David Disseldorp authored
      commit e1e9bda22d7ddf88515e8fe401887e313922823e upstream.
      
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a user-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Reviewed-by: default avatarJeff Layton <jlayton@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57cf01ac
  3. 05 Oct, 2014 2 commits
    • Pavel Shilovsky's avatar
      CIFS: Fix SMB2 readdir error handling · 922798d5
      Pavel Shilovsky authored
      commit 52755808d4525f4d5b86d112d36ffc7a46f3fb48 upstream.
      
      SMB2 servers indicates the end of a directory search with
      STATUS_NO_MORE_FILE error code that is not processed now.
      This causes generic/257 xfstest to fail. Fix this by triggering
      the end of search by this error code in SMB2_query_directory.
      
      Also when negotiating CIFS protocol we tell the server to close
      the search automatically at the end and there is no need to do
      it itself. In the case of SMB2 protocol, we need to close it
      explicitly - separate close directory checks for different
      protocols.
      Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      922798d5
    • Pavel Shilovsky's avatar
      CIFS: Fix directory rename error · c8d26061
      Pavel Shilovsky authored
      commit a07d322059db66b84c9eb4f98959df468e88b34b upstream.
      
      CIFS servers process nlink counts differently for files and directories.
      In cifs_rename() if we the request fails on the existing target, we
      try to remove it through cifs_unlink() but this is not what we want
      to do for directories. As the result the following sequence of commands
      
      mkdir {1,2}; mv -T 1 2; rmdir {1,2}; mkdir {1,2}; echo foo > 2/bar
      
      and XFS test generic/023 fail with -ENOENT error. That's why the second
      mkdir reuses the existing inode (target inode of the mv -T command) with
      S_DEAD flag.
      
      Fix this by checking whether the target is directory or not and
      calling cifs_rmdir() rather than cifs_unlink() for directories.
      Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8d26061
  4. 17 Sep, 2014 6 commits
  5. 09 Jul, 2014 1 commit
  6. 07 Jun, 2014 1 commit
  7. 07 Mar, 2014 2 commits
  8. 22 Feb, 2014 3 commits
    • Steve French's avatar
      retrieving CIFS ACLs when mounted with SMB2 fails dropping session · 6bd8c850
      Steve French authored
      commit 83e3bc23ef9ce7c03b7b4e5d3d790246ea59db3e upstream.
      
      The get/set ACL xattr support for CIFS ACLs attempts to send old
      cifs dialect protocol requests even when mounted with SMB2 or later
      dialects. Sending cifs requests on an smb2 session causes problems -
      the server drops the session due to the illegal request.
      
      This patch makes CIFS ACL operations protocol specific to fix that.
      
      Attempting to query/set CIFS ACLs for SMB2 will now return
      EOPNOTSUPP (until we add worker routines for sending query
      ACL requests via SMB2) instead of sending invalid (cifs)
      requests.
      
      A separate followon patch will be needed to fix cifs_acl_to_fattr
      (which takes a cifs specific u16 fid so can't be abstracted
      to work with SMB2 until that is changed) and will be needed
      to fix mount problems when "cifsacl" is specified on mount
      with e.g. vers=2.1
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Reviewed-by: default avatarShirish Pargaonkar <spargaonkar@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bd8c850
    • Steve French's avatar
      Add protocol specific operation for CIFS xattrs · 367d9644
      Steve French authored
      commit d979f3b0a1f0b5499ab85e68cdf02b56852918b6 upstream.
      
      Changeset 666753c3ef8fc88b0ddd5be4865d0aa66428ac35 added protocol
      operations for get/setxattr to avoid calling cifs operations
      on smb2/smb3 mounts for xattr operations and this changeset
      adds the calls to cifs specific protocol operations for xattrs
      (in order to reenable cifs support for xattrs which was
      temporarily disabled by the previous changeset.  We do not
      have SMB2/SMB3 worker function for setting xattrs yet so
      this only enables it for cifs.
      
      CCing stable since without these two small changsets (its
      small coreq 666753c3ef8fc88b0ddd5be4865d0aa66428ac35 is
      also needed) calling getfattr/setfattr on smb2/smb3 mounts
      causes problems.
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Reviewed-by: default avatarShirish Pargaonkar <spargaonkar@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      367d9644
    • Steve French's avatar
      CIFS: Fix SMB2 mounts so they don't try to set or get xattrs via cifs · 53fecc53
      Steve French authored
      commit 666753c3ef8fc88b0ddd5be4865d0aa66428ac35 upstream.
      
      When mounting with smb2 (or smb2.1 or smb3) we need to check to make
      sure that attempts to query or set extended attributes do not
      attempt to send the request with the older cifs protocol instead
      (eventually we also need to add the support in SMB2
      to query/set extended attributes but this patch prevents us from
      using the wrong protocol for extended attribute operations).
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53fecc53
  9. 04 Dec, 2013 1 commit
    • Steve French's avatar
      setfacl removes part of ACL when setting POSIX ACLs to Samba · 9d41513c
      Steve French authored
      commit b1d93356427be6f050dc55c86eb019d173700af6 upstream.
      
      setfacl over cifs mounts can remove the default ACL when setting the
      (non-default part of) the ACL and vice versa (we were leaving at 0
      rather than setting to -1 the count field for the unaffected
      half of the ACL.  For example notice the setfacl removed
      the default ACL in this sequence:
      
      steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir ; setfacl
      -m default:user:test:rwx,user:test:rwx /mnt/test-dir
      getfacl: Removing leading '/' from absolute path names
      user::rwx
      group::r-x
      other::r-x
      default:user::rwx
      default:user:test:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x
      
      steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir
      getfacl: Removing leading '/' from absolute path names
      user::rwx
      user:test:rwx
      group::r-x
      mask::rwx
      other::r-x
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Acked-by: default avatarJeremy Allison <jra@samba.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d41513c
  10. 01 Oct, 2013 1 commit
  11. 27 Sep, 2013 3 commits
    • Pavel Shilovsky's avatar
      CIFS: Fix missing lease break · b08d9b57
      Pavel Shilovsky authored
      commit 933d4b36576c951d0371bbfed05ec0135d516a6e upstream.
      
      If a server sends a lease break to a connection that doesn't have
      opens with a lease key specified in the server response, we can't
      find an open file to send an ack. Fix this by walking through
      all connections we have.
      Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b08d9b57
    • Pavel Shilovsky's avatar
      CIFS: Fix a memory leak when a lease break comes · af66f40c
      Pavel Shilovsky authored
      commit 1a05096de82f3cd672c76389f63964952678506f upstream.
      
      This happens when we receive a lease break from a server, then
      find an appropriate lease key in opened files and schedule the
      oplock_break slow work. lw pointer isn't freed in this case.
      Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af66f40c
    • Jeff Layton's avatar
      cifs: ensure that srv_mutex is held when dealing with ssocket pointer · 9b8ace67
      Jeff Layton authored
      commit 73e216a8a42c0ef3d08071705c946c38fdbe12b0 upstream.
      
      Oleksii reported that he had seen an oops similar to this:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
      IP: [<ffffffff814dcc13>] sock_sendmsg+0x93/0xd0
      PGD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: ipt_MASQUERADE xt_REDIRECT xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables x_tables carl9170 ath usb_storage f2fs nfnetlink_log nfnetlink md4 cifs dns_resolver hid_generic usbhid hid af_packet uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev rfcomm btusb bnep bluetooth qmi_wwan qcserial cdc_wdm usb_wwan usbnet usbserial mii snd_hda_codec_hdmi snd_hda_codec_realtek iwldvm mac80211 coretemp intel_powerclamp kvm_intel kvm iwlwifi snd_hda_intel cfg80211 snd_hda_codec xhci_hcd e1000e ehci_pci snd_hwdep sdhci_pci snd_pcm ehci_hcd microcode psmouse sdhci thinkpad_acpi mmc_core i2c_i801 pcspkr usbcore hwmon snd_timer snd_page_alloc snd ptp rfkill pps_core soundcore evdev usb_common vboxnetflt(O) vboxdrv(O)Oops#2 Part8
       loop tun binfmt_misc fuse msr acpi_call(O) ipv6 autofs4
      CPU: 0 PID: 21612 Comm: kworker/0:1 Tainted: G        W  O 3.10.1SIGN #28
      Hardware name: LENOVO 2306CTO/2306CTO, BIOS G2ET92WW (2.52 ) 02/22/2013
      Workqueue: cifsiod cifs_echo_request [cifs]
      task: ffff8801e1f416f0 ti: ffff880148744000 task.ti: ffff880148744000
      RIP: 0010:[<ffffffff814dcc13>]  [<ffffffff814dcc13>] sock_sendmsg+0x93/0xd0
      RSP: 0000:ffff880148745b00  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff880148745b78 RCX: 0000000000000048
      RDX: ffff880148745c90 RSI: ffff880181864a00 RDI: ffff880148745b78
      RBP: ffff880148745c48 R08: 0000000000000048 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff880181864a00
      R13: ffff880148745c90 R14: 0000000000000048 R15: 0000000000000048
      FS:  0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000088 CR3: 000000020c42c000 CR4: 00000000001407b0
      Oops#2 Part7
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Stack:
       ffff880148745b30 ffffffff810c4af9 0000004848745b30 ffff880181864a00
       ffffffff81ffbc40 0000000000000000 ffff880148745c90 ffffffff810a5aab
       ffff880148745bc0 ffffffff81ffbc40 ffff880148745b60 ffffffff815a9fb8
      Call Trace:
       [<ffffffff810c4af9>] ? finish_task_switch+0x49/0xe0
       [<ffffffff810a5aab>] ? lock_timer_base.isra.36+0x2b/0x50
       [<ffffffff815a9fb8>] ? _raw_spin_unlock_irqrestore+0x18/0x40
       [<ffffffff810a673f>] ? try_to_del_timer_sync+0x4f/0x70
       [<ffffffff815aa38f>] ? _raw_spin_unlock_bh+0x1f/0x30
       [<ffffffff814dcc87>] kernel_sendmsg+0x37/0x50
       [<ffffffffa081a0e0>] smb_send_kvec+0xd0/0x1d0 [cifs]
       [<ffffffffa081a263>] smb_send_rqst+0x83/0x1f0 [cifs]
       [<ffffffffa081ab6c>] cifs_call_async+0xec/0x1b0 [cifs]
       [<ffffffffa08245e0>] ? free_rsp_buf+0x40/0x40 [cifs]
      Oops#2 Part6
       [<ffffffffa082606e>] SMB2_echo+0x8e/0xb0 [cifs]
       [<ffffffffa0808789>] cifs_echo_request+0x79/0xa0 [cifs]
       [<ffffffff810b45b3>] process_one_work+0x173/0x4a0
       [<ffffffff810b52a1>] worker_thread+0x121/0x3a0
       [<ffffffff810b5180>] ? manage_workers.isra.27+0x2b0/0x2b0
       [<ffffffff810bae00>] kthread+0xc0/0xd0
       [<ffffffff810bad40>] ? kthread_create_on_node+0x120/0x120
       [<ffffffff815b199c>] ret_from_fork+0x7c/0xb0
       [<ffffffff810bad40>] ? kthread_create_on_node+0x120/0x120
      Code: 84 24 b8 00 00 00 4c 89 f1 4c 89 ea 4c 89 e6 48 89 df 4c 89 60 18 48 c7 40 28 00 00 00 00 4c 89 68 30 44 89 70 14 49 8b 44 24 28 <ff> 90 88 00 00 00 3d ef fd ff ff 74 10 48 8d 65 e0 5b 41 5c 41
       RIP  [<ffffffff814dcc13>] sock_sendmsg+0x93/0xd0
       RSP <ffff880148745b00>
      CR2: 0000000000000088
      
      The client was in the middle of trying to send a frame when the
      server->ssocket pointer got zeroed out. In most places, that we access
      that pointer, the srv_mutex is held. There's only one spot that I see
      that the server->ssocket pointer gets set and the srv_mutex isn't held.
      This patch corrects that.
      
      The upstream bug report was here:
      
          https://bugzilla.kernel.org/show_bug.cgi?id=60557Reported-by: default avatarOleksii Shevchuk <alxchk@gmail.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b8ace67
  12. 15 Aug, 2013 2 commits
  13. 22 Jul, 2013 3 commits
  14. 31 May, 2013 1 commit
  15. 24 May, 2013 6 commits
  16. 08 May, 2013 1 commit
  17. 05 May, 2013 5 commits