1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * Copyright (C) International Business Machines Corp., 2002,2011 5 * Etersoft, 2012 6 * Author(s): Steve French (sfrench@us.ibm.com) 7 * Pavel Shilovsky (pshilovsky@samba.org) 2012 8 * 9 */ 10 #include <crypto/sha2.h> 11 #include <linux/ctype.h> 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "smb2proto.h" 15 #include "cifs_debug.h" 16 #include "cifs_unicode.h" 17 #include "../common/smb2status.h" 18 #include "smb2glob.h" 19 #include "nterr.h" 20 #include "cached_dir.h" 21 22 static int 23 check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid) 24 { 25 __u64 wire_mid = le64_to_cpu(shdr->MessageId); 26 27 /* 28 * Make sure that this really is an SMB, that it is a response, 29 * and that the message ids match. 30 */ 31 if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) && 32 (mid == wire_mid)) { 33 if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 34 return 0; 35 else { 36 /* only one valid case where server sends us request */ 37 if (shdr->Command == SMB2_OPLOCK_BREAK) 38 return 0; 39 else 40 cifs_dbg(VFS, "Received Request not response\n"); 41 } 42 } else { /* bad signature or mid */ 43 if (shdr->ProtocolId != SMB2_PROTO_NUMBER) 44 cifs_dbg(VFS, "Bad protocol string signature header %x\n", 45 le32_to_cpu(shdr->ProtocolId)); 46 if (mid != wire_mid) 47 cifs_dbg(VFS, "Mids do not match: %llu and %llu\n", 48 mid, wire_mid); 49 } 50 cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid); 51 return 1; 52 } 53 54 /* 55 * The following table defines the expected "StructureSize" of SMB2 responses 56 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS responses. 57 * 58 * Note that commands are defined in smb2pdu.h in le16 but the array below is 59 * indexed by command in host byte order 60 */ 61 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { 62 /* SMB2_NEGOTIATE */ cpu_to_le16(65), 63 /* SMB2_SESSION_SETUP */ cpu_to_le16(9), 64 /* SMB2_LOGOFF */ cpu_to_le16(4), 65 /* SMB2_TREE_CONNECT */ cpu_to_le16(16), 66 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4), 67 /* SMB2_CREATE */ cpu_to_le16(89), 68 /* SMB2_CLOSE */ cpu_to_le16(60), 69 /* SMB2_FLUSH */ cpu_to_le16(4), 70 /* SMB2_READ */ cpu_to_le16(17), 71 /* SMB2_WRITE */ cpu_to_le16(17), 72 /* SMB2_LOCK */ cpu_to_le16(4), 73 /* SMB2_IOCTL */ cpu_to_le16(49), 74 /* BB CHECK this ... not listed in documentation */ 75 /* SMB2_CANCEL */ cpu_to_le16(0), 76 /* SMB2_ECHO */ cpu_to_le16(4), 77 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9), 78 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9), 79 /* SMB2_QUERY_INFO */ cpu_to_le16(9), 80 /* SMB2_SET_INFO */ cpu_to_le16(2), 81 /* BB FIXME can also be 44 for lease break */ 82 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24) 83 }; 84 85 #define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_hdr) + sizeof(struct smb2_negotiate_rsp)) 86 87 static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, 88 __u32 non_ctxlen) 89 { 90 __u16 neg_count; 91 __u32 nc_offset, size_of_pad_before_neg_ctxts; 92 struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr; 93 94 /* Negotiate contexts are only valid for latest dialect SMB3.11 */ 95 neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount); 96 if ((neg_count == 0) || 97 (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID))) 98 return 0; 99 100 /* 101 * if SPNEGO blob present (ie the RFC2478 GSS info which indicates 102 * which security mechanisms the server supports) make sure that 103 * the negotiate contexts start after it 104 */ 105 nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset); 106 /* 107 * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2 108 * and the latter is 1 byte bigger than the fix-sized area of the 109 * NEGOTIATE response 110 */ 111 if (nc_offset + 1 < non_ctxlen) { 112 pr_warn_once("Invalid negotiate context offset %d\n", nc_offset); 113 return 0; 114 } else if (nc_offset + 1 == non_ctxlen) { 115 cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); 116 size_of_pad_before_neg_ctxts = 0; 117 } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) 118 /* has padding, but no SPNEGO blob */ 119 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; 120 else 121 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen; 122 123 /* Verify that at least minimal negotiate contexts fit within frame */ 124 if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) { 125 pr_warn_once("negotiate context goes beyond end\n"); 126 return 0; 127 } 128 129 cifs_dbg(FYI, "length of negcontexts %d pad %d\n", 130 len - nc_offset, size_of_pad_before_neg_ctxts); 131 132 /* length of negcontexts including pad from end of sec blob to them */ 133 return (len - nc_offset) + size_of_pad_before_neg_ctxts; 134 } 135 136 int 137 smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) 138 { 139 struct TCP_Server_Info *pserver; 140 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; 141 struct smb2_pdu *pdu = (struct smb2_pdu *)shdr; 142 int hdr_size = sizeof(struct smb2_hdr); 143 int pdu_size = sizeof(struct smb2_pdu); 144 int command; 145 __u32 calc_len; /* calculated length */ 146 __u64 mid; 147 148 /* If server is a channel, select the primary channel */ 149 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 150 151 /* 152 * Add function to do table lookup of StructureSize by command 153 * ie Validate the wct via smb2_struct_sizes table above 154 */ 155 if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) { 156 struct smb2_transform_hdr *thdr = 157 (struct smb2_transform_hdr *)buf; 158 struct cifs_ses *ses = NULL; 159 struct cifs_ses *iter; 160 161 /* decrypt frame now that it is completely read in */ 162 spin_lock(&cifs_tcp_ses_lock); 163 list_for_each_entry(iter, &pserver->smb_ses_list, smb_ses_list) { 164 if (iter->Suid == le64_to_cpu(thdr->SessionId)) { 165 ses = iter; 166 break; 167 } 168 } 169 spin_unlock(&cifs_tcp_ses_lock); 170 if (!ses) { 171 cifs_dbg(VFS, "no decryption - session id not found\n"); 172 return 1; 173 } 174 } 175 176 mid = le64_to_cpu(shdr->MessageId); 177 if (check_smb2_hdr(shdr, mid)) 178 return 1; 179 180 if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { 181 cifs_dbg(VFS, "Invalid structure size %u\n", 182 le16_to_cpu(shdr->StructureSize)); 183 return 1; 184 } 185 186 command = le16_to_cpu(shdr->Command); 187 if (command >= NUMBER_OF_SMB2_COMMANDS) { 188 cifs_dbg(VFS, "Invalid SMB2 command %d\n", command); 189 return 1; 190 } 191 192 if (len < pdu_size) { 193 if ((len >= hdr_size) 194 && (shdr->Status != 0)) { 195 pdu->StructureSize2 = 0; 196 /* 197 * As with SMB/CIFS, on some error cases servers may 198 * not return wct properly 199 */ 200 return 0; 201 } else { 202 cifs_dbg(VFS, "Length less than SMB header size\n"); 203 } 204 return 1; 205 } 206 if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) { 207 cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n", 208 mid); 209 return 1; 210 } 211 212 if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) { 213 if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 || 214 pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { 215 /* error packets have 9 byte structure size */ 216 cifs_dbg(VFS, "Invalid response size %u for command %d\n", 217 le16_to_cpu(pdu->StructureSize2), command); 218 return 1; 219 } else if (command == SMB2_OPLOCK_BREAK_HE 220 && (shdr->Status == 0) 221 && (le16_to_cpu(pdu->StructureSize2) != 44) 222 && (le16_to_cpu(pdu->StructureSize2) != 36)) { 223 /* special case for SMB2.1 lease break message */ 224 cifs_dbg(VFS, "Invalid response size %d for oplock break\n", 225 le16_to_cpu(pdu->StructureSize2)); 226 return 1; 227 } 228 } 229 230 calc_len = smb2_calc_size(buf); 231 232 /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might 233 * be 0, and not a real miscalculation */ 234 if (command == SMB2_IOCTL_HE && calc_len == 0) 235 return 0; 236 237 if (command == SMB2_NEGOTIATE_HE) 238 calc_len += get_neg_ctxt_len(shdr, len, calc_len); 239 240 if (len != calc_len) { 241 /* create failed on symlink */ 242 if (command == SMB2_CREATE_HE && 243 shdr->Status == STATUS_STOPPED_ON_SYMLINK) 244 return 0; 245 /* Windows 7 server returns 24 bytes more */ 246 if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) 247 return 0; 248 /* server can return one byte more due to implied bcc[0] */ 249 if (calc_len == len + 1) 250 return 0; 251 252 /* 253 * Some windows servers (win2016) will pad also the final 254 * PDU in a compound to 8 bytes. 255 */ 256 if (ALIGN(calc_len, 8) == len) 257 return 0; 258 259 /* 260 * MacOS server pads after SMB2.1 write response with 3 bytes 261 * of junk. Other servers match RFC1001 len to actual 262 * SMB2/SMB3 frame length (header + smb2 response specific data) 263 * Some windows servers also pad up to 8 bytes when compounding. 264 */ 265 if (calc_len < len) 266 return 0; 267 268 /* Only log a message if len was really miscalculated */ 269 if (unlikely(cifsFYI)) 270 cifs_dbg(FYI, "Server response too short: calculated " 271 "length %u doesn't match read length %u (cmd=%d, mid=%llu)\n", 272 calc_len, len, command, mid); 273 else 274 pr_warn("Server response too short: calculated length " 275 "%u doesn't match read length %u (cmd=%d, mid=%llu)\n", 276 calc_len, len, command, mid); 277 278 return 1; 279 } 280 return 0; 281 } 282 283 /* 284 * The size of the variable area depends on the offset and length fields 285 * located in different fields for various SMB2 responses. SMB2 responses 286 * with no variable length info, show an offset of zero for the offset field. 287 */ 288 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { 289 /* SMB2_NEGOTIATE */ true, 290 /* SMB2_SESSION_SETUP */ true, 291 /* SMB2_LOGOFF */ false, 292 /* SMB2_TREE_CONNECT */ false, 293 /* SMB2_TREE_DISCONNECT */ false, 294 /* SMB2_CREATE */ true, 295 /* SMB2_CLOSE */ false, 296 /* SMB2_FLUSH */ false, 297 /* SMB2_READ */ true, 298 /* SMB2_WRITE */ false, 299 /* SMB2_LOCK */ false, 300 /* SMB2_IOCTL */ true, 301 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */ 302 /* SMB2_ECHO */ false, 303 /* SMB2_QUERY_DIRECTORY */ true, 304 /* SMB2_CHANGE_NOTIFY */ true, 305 /* SMB2_QUERY_INFO */ true, 306 /* SMB2_SET_INFO */ false, 307 /* SMB2_OPLOCK_BREAK */ false 308 }; 309 310 /* 311 * Returns the pointer to the beginning of the data area. Length of the data 312 * area and the offset to it (from the beginning of the smb are also returned. 313 */ 314 char * 315 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr) 316 { 317 const int max_off = 4096; 318 const int max_len = 128 * 1024; 319 320 *off = 0; 321 *len = 0; 322 323 /* error responses do not have data area */ 324 if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED && 325 (((struct smb2_err_rsp *)shdr)->StructureSize) == 326 SMB2_ERROR_STRUCTURE_SIZE2_LE) 327 return NULL; 328 329 /* 330 * Following commands have data areas so we have to get the location 331 * of the data buffer offset and data buffer length for the particular 332 * command. 333 */ 334 switch (shdr->Command) { 335 case SMB2_NEGOTIATE: 336 *off = le16_to_cpu( 337 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset); 338 *len = le16_to_cpu( 339 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength); 340 break; 341 case SMB2_SESSION_SETUP: 342 *off = le16_to_cpu( 343 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset); 344 *len = le16_to_cpu( 345 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength); 346 break; 347 case SMB2_CREATE: 348 *off = le32_to_cpu( 349 ((struct smb2_create_rsp *)shdr)->CreateContextsOffset); 350 *len = le32_to_cpu( 351 ((struct smb2_create_rsp *)shdr)->CreateContextsLength); 352 break; 353 case SMB2_QUERY_INFO: 354 *off = le16_to_cpu( 355 ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset); 356 *len = le32_to_cpu( 357 ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength); 358 break; 359 case SMB2_READ: 360 /* TODO: is this a bug ? */ 361 *off = ((struct smb2_read_rsp *)shdr)->DataOffset; 362 *len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength); 363 break; 364 case SMB2_QUERY_DIRECTORY: 365 *off = le16_to_cpu( 366 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset); 367 *len = le32_to_cpu( 368 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength); 369 break; 370 case SMB2_IOCTL: 371 *off = le32_to_cpu( 372 ((struct smb2_ioctl_rsp *)shdr)->OutputOffset); 373 *len = le32_to_cpu( 374 ((struct smb2_ioctl_rsp *)shdr)->OutputCount); 375 break; 376 case SMB2_CHANGE_NOTIFY: 377 *off = le16_to_cpu( 378 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset); 379 *len = le32_to_cpu( 380 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength); 381 break; 382 default: 383 cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command)); 384 break; 385 } 386 387 /* 388 * Invalid length or offset probably means data area is invalid, but 389 * we have little choice but to ignore the data area in this case. 390 */ 391 if (unlikely(*off < 0 || *off > max_off || 392 *len < 0 || *len > max_len)) { 393 cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", 394 __func__, *off, *len); 395 *off = 0; 396 *len = 0; 397 } else if (*off == 0) { 398 *len = 0; 399 } 400 401 /* return pointer to beginning of data area, ie offset from SMB start */ 402 if (*off > 0 && *len > 0) 403 return (char *)shdr + *off; 404 return NULL; 405 } 406 407 /* 408 * Calculate the size of the SMB message based on the fixed header 409 * portion, the number of word parameters and the data portion of the message. 410 */ 411 unsigned int 412 smb2_calc_size(void *buf) 413 { 414 struct smb2_pdu *pdu = buf; 415 struct smb2_hdr *shdr = &pdu->hdr; 416 int offset; /* the offset from the beginning of SMB to data area */ 417 int data_length; /* the length of the variable length data area */ 418 /* Structure Size has already been checked to make sure it is 64 */ 419 int len = le16_to_cpu(shdr->StructureSize); 420 421 /* 422 * StructureSize2, ie length of fixed parameter area has already 423 * been checked to make sure it is the correct length. 424 */ 425 len += le16_to_cpu(pdu->StructureSize2); 426 427 if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false) 428 goto calc_size_exit; 429 430 smb2_get_data_area_len(&offset, &data_length, shdr); 431 cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset); 432 433 if (data_length > 0) { 434 /* 435 * Check to make sure that data area begins after fixed area, 436 * Note that last byte of the fixed area is part of data area 437 * for some commands, typically those with odd StructureSize, 438 * so we must add one to the calculation. 439 */ 440 if (offset + 1 < len) { 441 cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n", 442 offset + 1, len); 443 data_length = 0; 444 } else { 445 len = offset + data_length; 446 } 447 } 448 calc_size_exit: 449 cifs_dbg(FYI, "SMB2 len %d\n", len); 450 return len; 451 } 452 453 /* Note: caller must free return buffer */ 454 __le16 * 455 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb) 456 { 457 int len; 458 const char *start_of_path; 459 __le16 *to; 460 int map_type; 461 462 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SFM_CHR) 463 map_type = SFM_MAP_UNI_RSVD; 464 else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR) 465 map_type = SFU_MAP_UNI_RSVD; 466 else 467 map_type = NO_MAP_UNI_RSVD; 468 469 /* Windows doesn't allow paths beginning with \ */ 470 if (from[0] == '\\') 471 start_of_path = from + 1; 472 473 /* SMB311 POSIX extensions paths do not include leading slash */ 474 else if (cifs_sb_master_tlink(cifs_sb) && 475 cifs_sb_master_tcon(cifs_sb)->posix_extensions && 476 (from[0] == '/')) { 477 start_of_path = from + 1; 478 } else 479 start_of_path = from; 480 481 to = cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len, 482 cifs_sb->local_nls, map_type); 483 return to; 484 } 485 486 __le32 487 smb2_get_lease_state(struct cifsInodeInfo *cinode) 488 { 489 __le32 lease = 0; 490 491 if (CIFS_CACHE_WRITE(cinode)) 492 lease |= SMB2_LEASE_WRITE_CACHING_LE; 493 if (CIFS_CACHE_HANDLE(cinode)) 494 lease |= SMB2_LEASE_HANDLE_CACHING_LE; 495 if (CIFS_CACHE_READ(cinode)) 496 lease |= SMB2_LEASE_READ_CACHING_LE; 497 return lease; 498 } 499 500 struct smb2_lease_break_work { 501 struct work_struct lease_break; 502 struct tcon_link *tlink; 503 __u8 lease_key[16]; 504 __le32 lease_state; 505 }; 506 507 static void 508 cifs_ses_oplock_break(struct work_struct *work) 509 { 510 struct smb2_lease_break_work *lw = container_of(work, 511 struct smb2_lease_break_work, lease_break); 512 int rc = 0; 513 514 rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key, 515 lw->lease_state); 516 517 cifs_dbg(FYI, "Lease release rc %d\n", rc); 518 cifs_put_tlink(lw->tlink); 519 kfree(lw); 520 } 521 522 static void 523 smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, 524 __le32 new_lease_state) 525 { 526 struct smb2_lease_break_work *lw; 527 528 lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); 529 if (!lw) { 530 cifs_put_tlink(tlink); 531 return; 532 } 533 534 INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); 535 lw->tlink = tlink; 536 lw->lease_state = new_lease_state; 537 memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); 538 queue_work(cifsiod_wq, &lw->lease_break); 539 } 540 541 static bool 542 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) 543 { 544 __u8 lease_state; 545 struct cifsFileInfo *cfile; 546 struct cifsInodeInfo *cinode; 547 int ack_req = le32_to_cpu(rsp->Flags & 548 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 549 550 lease_state = le32_to_cpu(rsp->NewLeaseState); 551 552 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 553 cinode = CIFS_I(d_inode(cfile->dentry)); 554 555 if (memcmp(cinode->lease_key, rsp->LeaseKey, 556 SMB2_LEASE_KEY_SIZE)) 557 continue; 558 559 cifs_dbg(FYI, "found in the open list\n"); 560 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 561 lease_state); 562 563 if (ack_req) 564 cfile->oplock_break_cancelled = false; 565 else 566 cfile->oplock_break_cancelled = true; 567 568 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); 569 570 cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); 571 cfile->oplock_level = lease_state; 572 573 cifs_queue_oplock_break(cfile); 574 return true; 575 } 576 577 return false; 578 } 579 580 static struct cifs_pending_open * 581 smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, 582 struct smb2_lease_break *rsp) 583 { 584 __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); 585 int ack_req = le32_to_cpu(rsp->Flags & 586 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 587 struct cifs_pending_open *open; 588 struct cifs_pending_open *found = NULL; 589 590 list_for_each_entry(open, &tcon->pending_opens, olist) { 591 if (memcmp(open->lease_key, rsp->LeaseKey, 592 SMB2_LEASE_KEY_SIZE)) 593 continue; 594 595 if (!found && ack_req) { 596 found = open; 597 } 598 599 cifs_dbg(FYI, "found in the pending open list\n"); 600 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 601 lease_state); 602 603 open->oplock = lease_state; 604 } 605 606 return found; 607 } 608 609 static bool 610 smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) 611 { 612 struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; 613 struct TCP_Server_Info *pserver; 614 struct cifs_ses *ses; 615 struct cifs_tcon *tcon; 616 struct cifs_pending_open *open; 617 618 /* Trace receipt of lease break request from server */ 619 trace_smb3_lease_break_enter(le32_to_cpu(rsp->CurrentLeaseState), 620 le32_to_cpu(rsp->Flags), 621 le16_to_cpu(rsp->Epoch), 622 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 623 le64_to_cpu(rsp->hdr.SessionId), 624 *((u64 *)rsp->LeaseKey), 625 *((u64 *)&rsp->LeaseKey[8])); 626 627 cifs_dbg(FYI, "Checking for lease break\n"); 628 629 /* If server is a channel, select the primary channel */ 630 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 631 632 /* look up tcon based on tid & uid */ 633 spin_lock(&cifs_tcp_ses_lock); 634 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 635 if (cifs_ses_exiting(ses)) 636 continue; 637 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 638 spin_lock(&tcon->open_file_lock); 639 cifs_stats_inc( 640 &tcon->stats.cifs_stats.num_oplock_brks); 641 if (smb2_tcon_has_lease(tcon, rsp)) { 642 spin_unlock(&tcon->open_file_lock); 643 spin_unlock(&cifs_tcp_ses_lock); 644 return true; 645 } 646 open = smb2_tcon_find_pending_open_lease(tcon, 647 rsp); 648 if (open) { 649 __u8 lease_key[SMB2_LEASE_KEY_SIZE]; 650 struct tcon_link *tlink; 651 652 tlink = cifs_get_tlink(open->tlink); 653 memcpy(lease_key, open->lease_key, 654 SMB2_LEASE_KEY_SIZE); 655 spin_unlock(&tcon->open_file_lock); 656 spin_unlock(&cifs_tcp_ses_lock); 657 smb2_queue_pending_open_break(tlink, 658 lease_key, 659 rsp->NewLeaseState); 660 return true; 661 } 662 spin_unlock(&tcon->open_file_lock); 663 664 if (cached_dir_lease_break(tcon, rsp->LeaseKey)) { 665 spin_unlock(&cifs_tcp_ses_lock); 666 return true; 667 } 668 } 669 } 670 spin_unlock(&cifs_tcp_ses_lock); 671 cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); 672 trace_smb3_lease_not_found(le32_to_cpu(rsp->CurrentLeaseState), 673 le32_to_cpu(rsp->Flags), 674 le16_to_cpu(rsp->Epoch), 675 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 676 le64_to_cpu(rsp->hdr.SessionId), 677 *((u64 *)rsp->LeaseKey), 678 *((u64 *)&rsp->LeaseKey[8])); 679 680 return false; 681 } 682 683 bool 684 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) 685 { 686 struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer; 687 struct TCP_Server_Info *pserver; 688 struct cifs_ses *ses; 689 struct cifs_tcon *tcon; 690 struct cifsInodeInfo *cinode; 691 struct cifsFileInfo *cfile; 692 693 cifs_dbg(FYI, "Checking for oplock break\n"); 694 695 if (rsp->hdr.Command != SMB2_OPLOCK_BREAK) 696 return false; 697 698 if (rsp->StructureSize != 699 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { 700 if (le16_to_cpu(rsp->StructureSize) == 44) 701 return smb2_is_valid_lease_break(buffer, server); 702 else 703 return false; 704 } 705 706 cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel); 707 708 /* If server is a channel, select the primary channel */ 709 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 710 711 /* look up tcon based on tid & uid */ 712 spin_lock(&cifs_tcp_ses_lock); 713 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 714 if (cifs_ses_exiting(ses)) 715 continue; 716 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 717 718 spin_lock(&tcon->open_file_lock); 719 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 720 if (rsp->PersistentFid != 721 cfile->fid.persistent_fid || 722 rsp->VolatileFid != 723 cfile->fid.volatile_fid) 724 continue; 725 726 cifs_dbg(FYI, "file id match, oplock break\n"); 727 cifs_stats_inc( 728 &tcon->stats.cifs_stats.num_oplock_brks); 729 cinode = CIFS_I(d_inode(cfile->dentry)); 730 spin_lock(&cfile->file_info_lock); 731 if (!CIFS_CACHE_WRITE(cinode) && 732 rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE) 733 cfile->oplock_break_cancelled = true; 734 else 735 cfile->oplock_break_cancelled = false; 736 737 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, 738 &cinode->flags); 739 740 cfile->oplock_epoch = 0; 741 cfile->oplock_level = rsp->OplockLevel; 742 743 spin_unlock(&cfile->file_info_lock); 744 745 cifs_queue_oplock_break(cfile); 746 747 spin_unlock(&tcon->open_file_lock); 748 spin_unlock(&cifs_tcp_ses_lock); 749 return true; 750 } 751 spin_unlock(&tcon->open_file_lock); 752 } 753 } 754 spin_unlock(&cifs_tcp_ses_lock); 755 cifs_dbg(FYI, "No file id matched, oplock break ignored\n"); 756 trace_smb3_oplock_not_found(0 /* no xid */, rsp->PersistentFid, 757 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 758 le64_to_cpu(rsp->hdr.SessionId)); 759 760 return true; 761 } 762 763 void 764 smb2_cancelled_close_fid(struct work_struct *work) 765 { 766 struct close_cancelled_open *cancelled = container_of(work, 767 struct close_cancelled_open, work); 768 struct cifs_tcon *tcon = cancelled->tcon; 769 int rc; 770 771 if (cancelled->mid) 772 cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n", 773 cancelled->mid); 774 else 775 cifs_tcon_dbg(VFS, "Close interrupted close\n"); 776 777 rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid, 778 cancelled->fid.volatile_fid); 779 if (rc) 780 cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc); 781 782 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close_fid); 783 kfree(cancelled); 784 } 785 786 /* 787 * Caller should already has an extra reference to @tcon 788 * This function is used to queue work to close a handle to prevent leaks 789 * on the server. 790 * We handle two cases. If an open was interrupted after we sent the 791 * SMB2_CREATE to the server but before we processed the reply, and second 792 * if a close was interrupted before we sent the SMB2_CLOSE to the server. 793 */ 794 static int 795 __smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid, 796 __u64 persistent_fid, __u64 volatile_fid) 797 { 798 struct close_cancelled_open *cancelled; 799 800 cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL); 801 if (!cancelled) 802 return -ENOMEM; 803 804 cancelled->fid.persistent_fid = persistent_fid; 805 cancelled->fid.volatile_fid = volatile_fid; 806 cancelled->tcon = tcon; 807 cancelled->cmd = cmd; 808 cancelled->mid = mid; 809 INIT_WORK(&cancelled->work, smb2_cancelled_close_fid); 810 WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false); 811 812 return 0; 813 } 814 815 int 816 smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid, 817 __u64 volatile_fid) 818 { 819 int rc; 820 821 cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count); 822 spin_lock(&cifs_tcp_ses_lock); 823 if (tcon->tc_count <= 0) { 824 struct TCP_Server_Info *server = NULL; 825 826 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 827 netfs_trace_tcon_ref_see_cancelled_close); 828 WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); 829 spin_unlock(&cifs_tcp_ses_lock); 830 831 if (tcon->ses) { 832 server = tcon->ses->server; 833 cifs_server_dbg(FYI, 834 "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", 835 tcon->tid, persistent_fid, volatile_fid); 836 } 837 838 return 0; 839 } 840 tcon->tc_count++; 841 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 842 netfs_trace_tcon_ref_get_cancelled_close); 843 spin_unlock(&cifs_tcp_ses_lock); 844 845 rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0, 846 persistent_fid, volatile_fid); 847 if (rc) 848 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close); 849 850 return rc; 851 } 852 853 int 854 smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server) 855 { 856 struct smb2_hdr *hdr = mid->resp_buf; 857 struct smb2_create_rsp *rsp = mid->resp_buf; 858 struct cifs_tcon *tcon; 859 int rc; 860 861 if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || hdr->Command != SMB2_CREATE || 862 hdr->Status != STATUS_SUCCESS) 863 return 0; 864 865 tcon = smb2_find_smb_tcon(server, le64_to_cpu(hdr->SessionId), 866 le32_to_cpu(hdr->Id.SyncId.TreeId)); 867 if (!tcon) 868 return -ENOENT; 869 870 rc = __smb2_handle_cancelled_cmd(tcon, 871 le16_to_cpu(hdr->Command), 872 le64_to_cpu(hdr->MessageId), 873 rsp->PersistentFileId, 874 rsp->VolatileFileId); 875 if (rc) 876 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_mid); 877 878 return rc; 879 } 880 881 /** 882 * smb311_update_preauth_hash - update @ses hash with the packet data in @iov 883 * 884 * Assumes @iov does not contain the rfc1002 length and iov[0] has the 885 * SMB2 header. 886 * 887 * @ses: server session structure 888 * @server: pointer to server info 889 * @iov: array containing the SMB request we will send to the server 890 * @nvec: number of array entries for the iov 891 */ 892 void 893 smb311_update_preauth_hash(struct cifs_ses *ses, struct TCP_Server_Info *server, 894 struct kvec *iov, int nvec) 895 { 896 int i; 897 struct smb2_hdr *hdr; 898 struct sha512_ctx sha_ctx; 899 900 hdr = (struct smb2_hdr *)iov[0].iov_base; 901 /* neg prot are always taken */ 902 if (hdr->Command == SMB2_NEGOTIATE) 903 goto ok; 904 905 /* 906 * If we process a command which wasn't a negprot it means the 907 * neg prot was already done, so the server dialect was set 908 * and we can test it. Preauth requires 3.1.1 for now. 909 */ 910 if (server->dialect != SMB311_PROT_ID) 911 return; 912 913 if (hdr->Command != SMB2_SESSION_SETUP) 914 return; 915 916 /* skip last sess setup response */ 917 if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 918 && (hdr->Status == NT_STATUS_OK 919 || (hdr->Status != 920 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)))) 921 return; 922 923 ok: 924 sha512_init(&sha_ctx); 925 sha512_update(&sha_ctx, ses->preauth_sha_hash, SMB2_PREAUTH_HASH_SIZE); 926 for (i = 0; i < nvec; i++) 927 sha512_update(&sha_ctx, iov[i].iov_base, iov[i].iov_len); 928 sha512_final(&sha_ctx, ses->preauth_sha_hash); 929 } 930