1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * Copyright (C) International Business Machines Corp., 2002,2011 5 * Etersoft, 2012 6 * Author(s): Steve French (sfrench@us.ibm.com) 7 * Pavel Shilovsky (pshilovsky@samba.org) 2012 8 * 9 */ 10 #include <crypto/sha2.h> 11 #include <linux/ctype.h> 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "smb2proto.h" 15 #include "cifs_debug.h" 16 #include "cifs_unicode.h" 17 #include "../common/smb2status.h" 18 #include "smb2glob.h" 19 #include "nterr.h" 20 #include "cached_dir.h" 21 22 static int 23 check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid) 24 { 25 __u64 wire_mid = le64_to_cpu(shdr->MessageId); 26 27 /* 28 * Make sure that this really is an SMB, that it is a response, 29 * and that the message ids match. 30 */ 31 if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) && 32 (mid == wire_mid)) { 33 if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 34 return 0; 35 else { 36 /* only one valid case where server sends us request */ 37 if (shdr->Command == SMB2_OPLOCK_BREAK) 38 return 0; 39 else 40 cifs_dbg(VFS, "Received Request not response\n"); 41 } 42 } else { /* bad signature or mid */ 43 if (shdr->ProtocolId != SMB2_PROTO_NUMBER) 44 cifs_dbg(VFS, "Bad protocol string signature header %x\n", 45 le32_to_cpu(shdr->ProtocolId)); 46 if (mid != wire_mid) 47 cifs_dbg(VFS, "Mids do not match: %llu and %llu\n", 48 mid, wire_mid); 49 } 50 cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid); 51 return 1; 52 } 53 54 /* 55 * The following table defines the expected "StructureSize" of SMB2 responses 56 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS responses. 57 * 58 * Note that commands are defined in smb2pdu.h in le16 but the array below is 59 * indexed by command in host byte order 60 */ 61 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { 62 /* SMB2_NEGOTIATE */ cpu_to_le16(65), 63 /* SMB2_SESSION_SETUP */ cpu_to_le16(9), 64 /* SMB2_LOGOFF */ cpu_to_le16(4), 65 /* SMB2_TREE_CONNECT */ cpu_to_le16(16), 66 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4), 67 /* SMB2_CREATE */ cpu_to_le16(89), 68 /* SMB2_CLOSE */ cpu_to_le16(60), 69 /* SMB2_FLUSH */ cpu_to_le16(4), 70 /* SMB2_READ */ cpu_to_le16(17), 71 /* SMB2_WRITE */ cpu_to_le16(17), 72 /* SMB2_LOCK */ cpu_to_le16(4), 73 /* SMB2_IOCTL */ cpu_to_le16(49), 74 /* BB CHECK this ... not listed in documentation */ 75 /* SMB2_CANCEL */ cpu_to_le16(0), 76 /* SMB2_ECHO */ cpu_to_le16(4), 77 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9), 78 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9), 79 /* SMB2_QUERY_INFO */ cpu_to_le16(9), 80 /* SMB2_SET_INFO */ cpu_to_le16(2), 81 /* BB FIXME can also be 44 for lease break */ 82 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24) 83 }; 84 85 #define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_hdr) + sizeof(struct smb2_negotiate_rsp)) 86 87 static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, 88 __u32 non_ctxlen) 89 { 90 __u16 neg_count; 91 __u32 nc_offset, size_of_pad_before_neg_ctxts; 92 struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr; 93 94 /* Negotiate contexts are only valid for latest dialect SMB3.11 */ 95 neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount); 96 if ((neg_count == 0) || 97 (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID))) 98 return 0; 99 100 /* 101 * if SPNEGO blob present (ie the RFC2478 GSS info which indicates 102 * which security mechanisms the server supports) make sure that 103 * the negotiate contexts start after it 104 */ 105 nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset); 106 /* 107 * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2 108 * and the latter is 1 byte bigger than the fix-sized area of the 109 * NEGOTIATE response 110 */ 111 if (nc_offset + 1 < non_ctxlen) { 112 pr_warn_once("Invalid negotiate context offset %d\n", nc_offset); 113 return 0; 114 } else if (nc_offset + 1 == non_ctxlen) { 115 cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); 116 size_of_pad_before_neg_ctxts = 0; 117 } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) 118 /* has padding, but no SPNEGO blob */ 119 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; 120 else 121 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen; 122 123 /* Verify that at least minimal negotiate contexts fit within frame */ 124 if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) { 125 pr_warn_once("negotiate context goes beyond end\n"); 126 return 0; 127 } 128 129 cifs_dbg(FYI, "length of negcontexts %d pad %d\n", 130 len - nc_offset, size_of_pad_before_neg_ctxts); 131 132 /* length of negcontexts including pad from end of sec blob to them */ 133 return (len - nc_offset) + size_of_pad_before_neg_ctxts; 134 } 135 136 int 137 smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, 138 struct TCP_Server_Info *server) 139 { 140 struct TCP_Server_Info *pserver; 141 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; 142 struct smb2_pdu *pdu = (struct smb2_pdu *)shdr; 143 int hdr_size = sizeof(struct smb2_hdr); 144 int pdu_size = sizeof(struct smb2_pdu); 145 int command; 146 __u32 calc_len; /* calculated length */ 147 __u64 mid; 148 149 /* If server is a channel, select the primary channel */ 150 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 151 152 /* 153 * Add function to do table lookup of StructureSize by command 154 * ie Validate the wct via smb2_struct_sizes table above 155 */ 156 if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) { 157 struct smb2_transform_hdr *thdr = 158 (struct smb2_transform_hdr *)buf; 159 struct cifs_ses *ses = NULL; 160 struct cifs_ses *iter; 161 162 /* decrypt frame now that it is completely read in */ 163 spin_lock(&cifs_tcp_ses_lock); 164 list_for_each_entry(iter, &pserver->smb_ses_list, smb_ses_list) { 165 if (iter->Suid == le64_to_cpu(thdr->SessionId)) { 166 ses = iter; 167 break; 168 } 169 } 170 spin_unlock(&cifs_tcp_ses_lock); 171 if (!ses) { 172 cifs_dbg(VFS, "no decryption - session id not found\n"); 173 return 1; 174 } 175 } 176 177 mid = le64_to_cpu(shdr->MessageId); 178 if (check_smb2_hdr(shdr, mid)) 179 return 1; 180 181 if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { 182 cifs_dbg(VFS, "Invalid structure size %u\n", 183 le16_to_cpu(shdr->StructureSize)); 184 return 1; 185 } 186 187 command = le16_to_cpu(shdr->Command); 188 if (command >= NUMBER_OF_SMB2_COMMANDS) { 189 cifs_dbg(VFS, "Invalid SMB2 command %d\n", command); 190 return 1; 191 } 192 193 if (len < pdu_size) { 194 if ((len >= hdr_size) 195 && (shdr->Status != 0)) { 196 pdu->StructureSize2 = 0; 197 /* 198 * As with SMB/CIFS, on some error cases servers may 199 * not return wct properly 200 */ 201 return 0; 202 } else { 203 cifs_dbg(VFS, "Length less than SMB header size\n"); 204 } 205 return 1; 206 } 207 if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) { 208 cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n", 209 mid); 210 return 1; 211 } 212 213 if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) { 214 if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 || 215 pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { 216 /* error packets have 9 byte structure size */ 217 cifs_dbg(VFS, "Invalid response size %u for command %d\n", 218 le16_to_cpu(pdu->StructureSize2), command); 219 return 1; 220 } else if (command == SMB2_OPLOCK_BREAK_HE 221 && (shdr->Status == 0) 222 && (le16_to_cpu(pdu->StructureSize2) != 44) 223 && (le16_to_cpu(pdu->StructureSize2) != 36)) { 224 /* special case for SMB2.1 lease break message */ 225 cifs_dbg(VFS, "Invalid response size %d for oplock break\n", 226 le16_to_cpu(pdu->StructureSize2)); 227 return 1; 228 } 229 } 230 231 calc_len = smb2_calc_size(buf); 232 233 /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might 234 * be 0, and not a real miscalculation */ 235 if (command == SMB2_IOCTL_HE && calc_len == 0) 236 return 0; 237 238 if (command == SMB2_NEGOTIATE_HE) 239 calc_len += get_neg_ctxt_len(shdr, len, calc_len); 240 241 if (len != calc_len) { 242 /* create failed on symlink */ 243 if (command == SMB2_CREATE_HE && 244 shdr->Status == STATUS_STOPPED_ON_SYMLINK && 245 len > calc_len) 246 return 0; 247 /* Windows 7 server returns 24 bytes more */ 248 if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) 249 return 0; 250 /* server can return one byte more due to implied bcc[0] */ 251 if (calc_len == len + 1) 252 return 0; 253 254 /* 255 * Some windows servers (win2016) will pad also the final 256 * PDU in a compound to 8 bytes. 257 */ 258 if (ALIGN(calc_len, 8) == len) 259 return 0; 260 261 /* 262 * MacOS server pads after SMB2.1 write response with 3 bytes 263 * of junk. Other servers match RFC1001 len to actual 264 * SMB2/SMB3 frame length (header + smb2 response specific data) 265 * Some windows servers also pad up to 8 bytes when compounding. 266 */ 267 if (calc_len < len) 268 return 0; 269 270 /* Only log a message if len was really miscalculated */ 271 if (unlikely(cifsFYI)) 272 cifs_dbg(FYI, "Server response too short: calculated " 273 "length %u doesn't match read length %u (cmd=%d, mid=%llu)\n", 274 calc_len, len, command, mid); 275 else 276 pr_warn("Server response too short: calculated length " 277 "%u doesn't match read length %u (cmd=%d, mid=%llu)\n", 278 calc_len, len, command, mid); 279 280 return 1; 281 } 282 return 0; 283 } 284 285 /* 286 * The size of the variable area depends on the offset and length fields 287 * located in different fields for various SMB2 responses. SMB2 responses 288 * with no variable length info, show an offset of zero for the offset field. 289 */ 290 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { 291 /* SMB2_NEGOTIATE */ true, 292 /* SMB2_SESSION_SETUP */ true, 293 /* SMB2_LOGOFF */ false, 294 /* SMB2_TREE_CONNECT */ false, 295 /* SMB2_TREE_DISCONNECT */ false, 296 /* SMB2_CREATE */ true, 297 /* SMB2_CLOSE */ false, 298 /* SMB2_FLUSH */ false, 299 /* SMB2_READ */ true, 300 /* SMB2_WRITE */ false, 301 /* SMB2_LOCK */ false, 302 /* SMB2_IOCTL */ true, 303 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */ 304 /* SMB2_ECHO */ false, 305 /* SMB2_QUERY_DIRECTORY */ true, 306 /* SMB2_CHANGE_NOTIFY */ true, 307 /* SMB2_QUERY_INFO */ true, 308 /* SMB2_SET_INFO */ false, 309 /* SMB2_OPLOCK_BREAK */ false 310 }; 311 312 /* 313 * Returns the pointer to the beginning of the data area. Length of the data 314 * area and the offset to it (from the beginning of the smb are also returned. 315 */ 316 char * 317 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr) 318 { 319 const int max_off = 4096; 320 const int max_len = 128 * 1024; 321 322 *off = 0; 323 *len = 0; 324 325 /* error responses do not have data area */ 326 if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED && 327 (((struct smb2_err_rsp *)shdr)->StructureSize) == 328 SMB2_ERROR_STRUCTURE_SIZE2_LE) 329 return NULL; 330 331 /* 332 * Following commands have data areas so we have to get the location 333 * of the data buffer offset and data buffer length for the particular 334 * command. 335 */ 336 switch (shdr->Command) { 337 case SMB2_NEGOTIATE: 338 *off = le16_to_cpu( 339 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset); 340 *len = le16_to_cpu( 341 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength); 342 break; 343 case SMB2_SESSION_SETUP: 344 *off = le16_to_cpu( 345 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset); 346 *len = le16_to_cpu( 347 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength); 348 break; 349 case SMB2_CREATE: 350 *off = le32_to_cpu( 351 ((struct smb2_create_rsp *)shdr)->CreateContextsOffset); 352 *len = le32_to_cpu( 353 ((struct smb2_create_rsp *)shdr)->CreateContextsLength); 354 break; 355 case SMB2_QUERY_INFO: 356 *off = le16_to_cpu( 357 ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset); 358 *len = le32_to_cpu( 359 ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength); 360 break; 361 case SMB2_READ: 362 /* TODO: is this a bug ? */ 363 *off = ((struct smb2_read_rsp *)shdr)->DataOffset; 364 *len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength); 365 break; 366 case SMB2_QUERY_DIRECTORY: 367 *off = le16_to_cpu( 368 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset); 369 *len = le32_to_cpu( 370 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength); 371 break; 372 case SMB2_IOCTL: 373 *off = le32_to_cpu( 374 ((struct smb2_ioctl_rsp *)shdr)->OutputOffset); 375 *len = le32_to_cpu( 376 ((struct smb2_ioctl_rsp *)shdr)->OutputCount); 377 break; 378 case SMB2_CHANGE_NOTIFY: 379 *off = le16_to_cpu( 380 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset); 381 *len = le32_to_cpu( 382 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength); 383 break; 384 default: 385 cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command)); 386 break; 387 } 388 389 /* 390 * Invalid length or offset probably means data area is invalid, but 391 * we have little choice but to ignore the data area in this case. 392 */ 393 if (unlikely(*off < 0 || *off > max_off || 394 *len < 0 || *len > max_len)) { 395 cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", 396 __func__, *off, *len); 397 *off = 0; 398 *len = 0; 399 } else if (*off == 0) { 400 *len = 0; 401 } 402 403 /* return pointer to beginning of data area, ie offset from SMB start */ 404 if (*off > 0 && *len > 0) 405 return (char *)shdr + *off; 406 return NULL; 407 } 408 409 /* 410 * Calculate the size of the SMB message based on the fixed header 411 * portion, the number of word parameters and the data portion of the message. 412 */ 413 unsigned int 414 smb2_calc_size(void *buf) 415 { 416 struct smb2_pdu *pdu = buf; 417 struct smb2_hdr *shdr = &pdu->hdr; 418 int offset; /* the offset from the beginning of SMB to data area */ 419 int data_length; /* the length of the variable length data area */ 420 /* Structure Size has already been checked to make sure it is 64 */ 421 int len = le16_to_cpu(shdr->StructureSize); 422 423 /* 424 * StructureSize2, ie length of fixed parameter area has already 425 * been checked to make sure it is the correct length. 426 */ 427 len += le16_to_cpu(pdu->StructureSize2); 428 429 if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false) 430 goto calc_size_exit; 431 432 smb2_get_data_area_len(&offset, &data_length, shdr); 433 cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset); 434 435 if (data_length > 0) { 436 /* 437 * Check to make sure that data area begins after fixed area, 438 * Note that last byte of the fixed area is part of data area 439 * for some commands, typically those with odd StructureSize, 440 * so we must add one to the calculation. 441 */ 442 if (offset + 1 < len) { 443 cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n", 444 offset + 1, len); 445 data_length = 0; 446 } else { 447 len = offset + data_length; 448 } 449 } 450 calc_size_exit: 451 cifs_dbg(FYI, "SMB2 len %d\n", len); 452 return len; 453 } 454 455 /* Note: caller must free return buffer */ 456 __le16 * 457 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb) 458 { 459 const char *start_of_path; 460 int len; 461 462 /* Windows doesn't allow paths beginning with \ */ 463 if (from[0] == '\\') 464 start_of_path = from + 1; 465 466 /* SMB311 POSIX extensions paths do not include leading slash */ 467 else if (cifs_sb_master_tlink(cifs_sb) && 468 cifs_sb_master_tcon(cifs_sb)->posix_extensions && 469 (from[0] == '/')) { 470 start_of_path = from + 1; 471 } else 472 start_of_path = from; 473 474 return cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len, 475 cifs_sb->local_nls, cifs_remap(cifs_sb)); 476 } 477 478 __le32 smb2_get_lease_state(struct cifsInodeInfo *cinode, unsigned int oplock) 479 { 480 unsigned int sbflags = cifs_sb_flags(CIFS_SB(cinode)); 481 __le32 lease = 0; 482 483 if ((oplock & CIFS_CACHE_WRITE_FLG) || (sbflags & CIFS_MOUNT_RW_CACHE)) 484 lease |= SMB2_LEASE_WRITE_CACHING_LE; 485 if (oplock & CIFS_CACHE_HANDLE_FLG) 486 lease |= SMB2_LEASE_HANDLE_CACHING_LE; 487 if ((oplock & CIFS_CACHE_READ_FLG) || (sbflags & CIFS_MOUNT_RO_CACHE)) 488 lease |= SMB2_LEASE_READ_CACHING_LE; 489 return lease; 490 } 491 492 struct smb2_lease_break_work { 493 struct work_struct lease_break; 494 struct tcon_link *tlink; 495 __u8 lease_key[16]; 496 __le32 lease_state; 497 }; 498 499 static void 500 cifs_ses_oplock_break(struct work_struct *work) 501 { 502 struct smb2_lease_break_work *lw = container_of(work, 503 struct smb2_lease_break_work, lease_break); 504 int rc = 0; 505 506 rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key, 507 lw->lease_state); 508 509 cifs_dbg(FYI, "Lease release rc %d\n", rc); 510 cifs_put_tlink(lw->tlink); 511 kfree(lw); 512 } 513 514 static void 515 smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, 516 __le32 new_lease_state) 517 { 518 struct smb2_lease_break_work *lw; 519 520 lw = kmalloc_obj(struct smb2_lease_break_work); 521 if (!lw) { 522 cifs_put_tlink(tlink); 523 return; 524 } 525 526 INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); 527 lw->tlink = tlink; 528 lw->lease_state = new_lease_state; 529 memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); 530 queue_work(cifsiod_wq, &lw->lease_break); 531 } 532 533 static bool 534 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) 535 { 536 __u8 lease_state; 537 struct cifsFileInfo *cfile; 538 struct cifsInodeInfo *cinode; 539 int ack_req = le32_to_cpu(rsp->Flags & 540 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 541 542 lease_state = le32_to_cpu(rsp->NewLeaseState); 543 544 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 545 cinode = CIFS_I(d_inode(cfile->dentry)); 546 547 if (memcmp(cinode->lease_key, rsp->LeaseKey, 548 SMB2_LEASE_KEY_SIZE)) 549 continue; 550 551 cifs_dbg(FYI, "found in the open list\n"); 552 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 553 lease_state); 554 555 if (ack_req) 556 cfile->oplock_break_cancelled = false; 557 else 558 cfile->oplock_break_cancelled = true; 559 560 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); 561 562 cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); 563 cfile->oplock_level = lease_state; 564 565 cifs_queue_oplock_break(cfile); 566 return true; 567 } 568 569 return false; 570 } 571 572 static struct cifs_pending_open * 573 smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, 574 struct smb2_lease_break *rsp) 575 { 576 __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); 577 int ack_req = le32_to_cpu(rsp->Flags & 578 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 579 struct cifs_pending_open *open; 580 struct cifs_pending_open *found = NULL; 581 582 list_for_each_entry(open, &tcon->pending_opens, olist) { 583 if (memcmp(open->lease_key, rsp->LeaseKey, 584 SMB2_LEASE_KEY_SIZE)) 585 continue; 586 587 if (!found && ack_req) { 588 found = open; 589 } 590 591 cifs_dbg(FYI, "found in the pending open list\n"); 592 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 593 lease_state); 594 595 open->oplock = lease_state; 596 } 597 598 return found; 599 } 600 601 static bool 602 smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) 603 { 604 struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; 605 struct TCP_Server_Info *pserver; 606 struct cifs_ses *ses; 607 struct cifs_tcon *tcon; 608 struct cifs_pending_open *open; 609 610 /* Trace receipt of lease break request from server */ 611 trace_smb3_lease_break_enter(le32_to_cpu(rsp->CurrentLeaseState), 612 le32_to_cpu(rsp->Flags), 613 le16_to_cpu(rsp->Epoch), 614 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 615 le64_to_cpu(rsp->hdr.SessionId), 616 *((u64 *)rsp->LeaseKey), 617 *((u64 *)&rsp->LeaseKey[8])); 618 619 cifs_dbg(FYI, "Checking for lease break\n"); 620 621 /* If server is a channel, select the primary channel */ 622 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 623 624 /* look up tcon based on tid & uid */ 625 spin_lock(&cifs_tcp_ses_lock); 626 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 627 if (cifs_ses_exiting(ses)) 628 continue; 629 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 630 spin_lock(&tcon->open_file_lock); 631 cifs_stats_inc( 632 &tcon->stats.cifs_stats.num_oplock_brks); 633 if (smb2_tcon_has_lease(tcon, rsp)) { 634 spin_unlock(&tcon->open_file_lock); 635 spin_unlock(&cifs_tcp_ses_lock); 636 return true; 637 } 638 open = smb2_tcon_find_pending_open_lease(tcon, 639 rsp); 640 if (open) { 641 __u8 lease_key[SMB2_LEASE_KEY_SIZE]; 642 struct tcon_link *tlink; 643 644 tlink = cifs_get_tlink(open->tlink); 645 memcpy(lease_key, open->lease_key, 646 SMB2_LEASE_KEY_SIZE); 647 spin_unlock(&tcon->open_file_lock); 648 spin_unlock(&cifs_tcp_ses_lock); 649 smb2_queue_pending_open_break(tlink, 650 lease_key, 651 rsp->NewLeaseState); 652 return true; 653 } 654 spin_unlock(&tcon->open_file_lock); 655 656 if (cached_dir_lease_break(tcon, rsp->LeaseKey)) { 657 spin_unlock(&cifs_tcp_ses_lock); 658 return true; 659 } 660 } 661 } 662 spin_unlock(&cifs_tcp_ses_lock); 663 cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); 664 trace_smb3_lease_not_found(le32_to_cpu(rsp->CurrentLeaseState), 665 le32_to_cpu(rsp->Flags), 666 le16_to_cpu(rsp->Epoch), 667 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 668 le64_to_cpu(rsp->hdr.SessionId), 669 *((u64 *)rsp->LeaseKey), 670 *((u64 *)&rsp->LeaseKey[8])); 671 672 return false; 673 } 674 675 bool 676 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) 677 { 678 struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer; 679 struct TCP_Server_Info *pserver; 680 struct cifs_ses *ses; 681 struct cifs_tcon *tcon; 682 struct cifsInodeInfo *cinode; 683 struct cifsFileInfo *cfile; 684 685 cifs_dbg(FYI, "Checking for oplock break\n"); 686 687 if (rsp->hdr.Command != SMB2_OPLOCK_BREAK) 688 return false; 689 690 if (rsp->StructureSize != 691 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { 692 if (le16_to_cpu(rsp->StructureSize) == 44) 693 return smb2_is_valid_lease_break(buffer, server); 694 else 695 return false; 696 } 697 698 cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel); 699 700 /* If server is a channel, select the primary channel */ 701 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 702 703 /* look up tcon based on tid & uid */ 704 spin_lock(&cifs_tcp_ses_lock); 705 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 706 if (cifs_ses_exiting(ses)) 707 continue; 708 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 709 710 spin_lock(&tcon->open_file_lock); 711 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 712 if (rsp->PersistentFid != 713 cfile->fid.persistent_fid || 714 rsp->VolatileFid != 715 cfile->fid.volatile_fid) 716 continue; 717 718 cifs_dbg(FYI, "file id match, oplock break\n"); 719 cifs_stats_inc( 720 &tcon->stats.cifs_stats.num_oplock_brks); 721 cinode = CIFS_I(d_inode(cfile->dentry)); 722 spin_lock(&cfile->file_info_lock); 723 if (!CIFS_CACHE_WRITE(cinode) && 724 rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE) 725 cfile->oplock_break_cancelled = true; 726 else 727 cfile->oplock_break_cancelled = false; 728 729 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, 730 &cinode->flags); 731 732 cfile->oplock_epoch = 0; 733 cfile->oplock_level = rsp->OplockLevel; 734 735 spin_unlock(&cfile->file_info_lock); 736 737 cifs_queue_oplock_break(cfile); 738 739 spin_unlock(&tcon->open_file_lock); 740 spin_unlock(&cifs_tcp_ses_lock); 741 return true; 742 } 743 spin_unlock(&tcon->open_file_lock); 744 } 745 } 746 spin_unlock(&cifs_tcp_ses_lock); 747 cifs_dbg(FYI, "No file id matched, oplock break ignored\n"); 748 trace_smb3_oplock_not_found(0 /* no xid */, rsp->PersistentFid, 749 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 750 le64_to_cpu(rsp->hdr.SessionId)); 751 752 return true; 753 } 754 755 void 756 smb2_cancelled_close_fid(struct work_struct *work) 757 { 758 struct close_cancelled_open *cancelled = container_of(work, 759 struct close_cancelled_open, work); 760 struct cifs_tcon *tcon = cancelled->tcon; 761 int rc; 762 763 if (cancelled->mid) 764 cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n", 765 cancelled->mid); 766 else 767 cifs_tcon_dbg(VFS, "Close interrupted close\n"); 768 769 rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid, 770 cancelled->fid.volatile_fid); 771 if (rc) 772 cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc); 773 774 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close_fid); 775 kfree(cancelled); 776 } 777 778 /* 779 * Caller should already has an extra reference to @tcon 780 * This function is used to queue work to close a handle to prevent leaks 781 * on the server. 782 * We handle two cases. If an open was interrupted after we sent the 783 * SMB2_CREATE to the server but before we processed the reply, and second 784 * if a close was interrupted before we sent the SMB2_CLOSE to the server. 785 */ 786 static int 787 __smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid, 788 __u64 persistent_fid, __u64 volatile_fid) 789 { 790 struct close_cancelled_open *cancelled; 791 792 cancelled = kzalloc_obj(*cancelled); 793 if (!cancelled) 794 return -ENOMEM; 795 796 cancelled->fid.persistent_fid = persistent_fid; 797 cancelled->fid.volatile_fid = volatile_fid; 798 cancelled->tcon = tcon; 799 cancelled->cmd = cmd; 800 cancelled->mid = mid; 801 INIT_WORK(&cancelled->work, smb2_cancelled_close_fid); 802 WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false); 803 804 return 0; 805 } 806 807 int 808 smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid, 809 __u64 volatile_fid) 810 { 811 int rc; 812 813 cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count); 814 spin_lock(&tcon->tc_lock); 815 if (tcon->tc_count <= 0) { 816 struct TCP_Server_Info *server = NULL; 817 818 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 819 netfs_trace_tcon_ref_see_cancelled_close); 820 WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); 821 spin_unlock(&tcon->tc_lock); 822 823 if (tcon->ses) { 824 server = tcon->ses->server; 825 cifs_server_dbg(FYI, 826 "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", 827 tcon->tid, persistent_fid, volatile_fid); 828 } 829 830 return 0; 831 } 832 tcon->tc_count++; 833 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 834 netfs_trace_tcon_ref_get_cancelled_close); 835 spin_unlock(&tcon->tc_lock); 836 837 rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0, 838 persistent_fid, volatile_fid); 839 if (rc) 840 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close); 841 842 return rc; 843 } 844 845 int 846 smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server) 847 { 848 struct smb2_hdr *hdr = mid->resp_buf; 849 struct smb2_create_rsp *rsp = mid->resp_buf; 850 struct cifs_tcon *tcon; 851 int rc; 852 853 if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || hdr->Command != SMB2_CREATE || 854 hdr->Status != STATUS_SUCCESS) 855 return 0; 856 857 tcon = smb2_find_smb_tcon(server, le64_to_cpu(hdr->SessionId), 858 le32_to_cpu(hdr->Id.SyncId.TreeId)); 859 if (!tcon) 860 return -ENOENT; 861 862 rc = __smb2_handle_cancelled_cmd(tcon, 863 le16_to_cpu(hdr->Command), 864 le64_to_cpu(hdr->MessageId), 865 rsp->PersistentFileId, 866 rsp->VolatileFileId); 867 if (rc) 868 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_mid); 869 870 return rc; 871 } 872 873 /** 874 * smb311_update_preauth_hash - update @ses hash with the packet data in @iov 875 * 876 * Assumes @iov does not contain the rfc1002 length and iov[0] has the 877 * SMB2 header. 878 * 879 * @ses: server session structure 880 * @server: pointer to server info 881 * @iov: array containing the SMB request we will send to the server 882 * @nvec: number of array entries for the iov 883 */ 884 void 885 smb311_update_preauth_hash(struct cifs_ses *ses, struct TCP_Server_Info *server, 886 struct kvec *iov, int nvec) 887 { 888 int i; 889 struct smb2_hdr *hdr; 890 struct sha512_ctx sha_ctx; 891 892 hdr = (struct smb2_hdr *)iov[0].iov_base; 893 /* neg prot are always taken */ 894 if (hdr->Command == SMB2_NEGOTIATE) 895 goto ok; 896 897 /* 898 * If we process a command which wasn't a negprot it means the 899 * neg prot was already done, so the server dialect was set 900 * and we can test it. Preauth requires 3.1.1 for now. 901 */ 902 if (server->dialect != SMB311_PROT_ID) 903 return; 904 905 if (hdr->Command != SMB2_SESSION_SETUP) 906 return; 907 908 /* skip last sess setup response */ 909 if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 910 && (hdr->Status == NT_STATUS_OK 911 || (hdr->Status != 912 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)))) 913 return; 914 915 ok: 916 sha512_init(&sha_ctx); 917 sha512_update(&sha_ctx, ses->preauth_sha_hash, SMB2_PREAUTH_HASH_SIZE); 918 for (i = 0; i < nvec; i++) 919 sha512_update(&sha_ctx, iov[i].iov_base, iov[i].iov_len); 920 sha512_final(&sha_ctx, ses->preauth_sha_hash); 921 } 922