1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * Copyright (C) International Business Machines Corp., 2002,2011 5 * Etersoft, 2012 6 * Author(s): Steve French (sfrench@us.ibm.com) 7 * Pavel Shilovsky (pshilovsky@samba.org) 2012 8 * 9 */ 10 #include <crypto/sha2.h> 11 #include <linux/ctype.h> 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "smb2proto.h" 15 #include "cifs_debug.h" 16 #include "cifs_unicode.h" 17 #include "../common/smb2status.h" 18 #include "smb2glob.h" 19 #include "nterr.h" 20 #include "cached_dir.h" 21 22 static int 23 check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid) 24 { 25 __u64 wire_mid = le64_to_cpu(shdr->MessageId); 26 27 /* 28 * Make sure that this really is an SMB, that it is a response, 29 * and that the message ids match. 30 */ 31 if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) && 32 (mid == wire_mid)) { 33 if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 34 return 0; 35 else { 36 /* only one valid case where server sends us request */ 37 if (shdr->Command == SMB2_OPLOCK_BREAK) 38 return 0; 39 else 40 cifs_dbg(VFS, "Received Request not response\n"); 41 } 42 } else { /* bad signature or mid */ 43 if (shdr->ProtocolId != SMB2_PROTO_NUMBER) 44 cifs_dbg(VFS, "Bad protocol string signature header %x\n", 45 le32_to_cpu(shdr->ProtocolId)); 46 if (mid != wire_mid) 47 cifs_dbg(VFS, "Mids do not match: %llu and %llu\n", 48 mid, wire_mid); 49 } 50 cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid); 51 return 1; 52 } 53 54 /* 55 * The following table defines the expected "StructureSize" of SMB2 responses 56 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS responses. 57 * 58 * Note that commands are defined in smb2pdu.h in le16 but the array below is 59 * indexed by command in host byte order 60 */ 61 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { 62 /* SMB2_NEGOTIATE */ cpu_to_le16(65), 63 /* SMB2_SESSION_SETUP */ cpu_to_le16(9), 64 /* SMB2_LOGOFF */ cpu_to_le16(4), 65 /* SMB2_TREE_CONNECT */ cpu_to_le16(16), 66 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4), 67 /* SMB2_CREATE */ cpu_to_le16(89), 68 /* SMB2_CLOSE */ cpu_to_le16(60), 69 /* SMB2_FLUSH */ cpu_to_le16(4), 70 /* SMB2_READ */ cpu_to_le16(17), 71 /* SMB2_WRITE */ cpu_to_le16(17), 72 /* SMB2_LOCK */ cpu_to_le16(4), 73 /* SMB2_IOCTL */ cpu_to_le16(49), 74 /* BB CHECK this ... not listed in documentation */ 75 /* SMB2_CANCEL */ cpu_to_le16(0), 76 /* SMB2_ECHO */ cpu_to_le16(4), 77 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9), 78 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9), 79 /* SMB2_QUERY_INFO */ cpu_to_le16(9), 80 /* SMB2_SET_INFO */ cpu_to_le16(2), 81 /* BB FIXME can also be 44 for lease break */ 82 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24) 83 }; 84 85 #define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_hdr) + sizeof(struct smb2_negotiate_rsp)) 86 87 static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, 88 __u32 non_ctxlen) 89 { 90 __u16 neg_count; 91 __u32 nc_offset, size_of_pad_before_neg_ctxts; 92 struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr; 93 94 /* Negotiate contexts are only valid for latest dialect SMB3.11 */ 95 neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount); 96 if ((neg_count == 0) || 97 (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID))) 98 return 0; 99 100 /* 101 * if SPNEGO blob present (ie the RFC2478 GSS info which indicates 102 * which security mechanisms the server supports) make sure that 103 * the negotiate contexts start after it 104 */ 105 nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset); 106 /* 107 * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2 108 * and the latter is 1 byte bigger than the fix-sized area of the 109 * NEGOTIATE response 110 */ 111 if (nc_offset + 1 < non_ctxlen) { 112 pr_warn_once("Invalid negotiate context offset %d\n", nc_offset); 113 return 0; 114 } else if (nc_offset + 1 == non_ctxlen) { 115 cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); 116 size_of_pad_before_neg_ctxts = 0; 117 } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) 118 /* has padding, but no SPNEGO blob */ 119 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; 120 else 121 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen; 122 123 /* Verify that at least minimal negotiate contexts fit within frame */ 124 if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) { 125 pr_warn_once("negotiate context goes beyond end\n"); 126 return 0; 127 } 128 129 cifs_dbg(FYI, "length of negcontexts %d pad %d\n", 130 len - nc_offset, size_of_pad_before_neg_ctxts); 131 132 /* length of negcontexts including pad from end of sec blob to them */ 133 return (len - nc_offset) + size_of_pad_before_neg_ctxts; 134 } 135 136 int 137 smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, 138 struct TCP_Server_Info *server) 139 { 140 struct TCP_Server_Info *pserver; 141 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; 142 struct smb2_pdu *pdu = (struct smb2_pdu *)shdr; 143 int hdr_size = sizeof(struct smb2_hdr); 144 int pdu_size = sizeof(struct smb2_pdu); 145 int command; 146 __u32 calc_len; /* calculated length */ 147 __u64 mid; 148 149 /* If server is a channel, select the primary channel */ 150 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 151 152 /* 153 * Add function to do table lookup of StructureSize by command 154 * ie Validate the wct via smb2_struct_sizes table above 155 */ 156 if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) { 157 struct smb2_transform_hdr *thdr = 158 (struct smb2_transform_hdr *)buf; 159 struct cifs_ses *ses = NULL; 160 struct cifs_ses *iter; 161 162 /* decrypt frame now that it is completely read in */ 163 spin_lock(&cifs_tcp_ses_lock); 164 list_for_each_entry(iter, &pserver->smb_ses_list, smb_ses_list) { 165 if (iter->Suid == le64_to_cpu(thdr->SessionId)) { 166 ses = iter; 167 break; 168 } 169 } 170 spin_unlock(&cifs_tcp_ses_lock); 171 if (!ses) { 172 cifs_dbg(VFS, "no decryption - session id not found\n"); 173 return 1; 174 } 175 } 176 177 mid = le64_to_cpu(shdr->MessageId); 178 if (check_smb2_hdr(shdr, mid)) 179 return 1; 180 181 if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { 182 cifs_dbg(VFS, "Invalid structure size %u\n", 183 le16_to_cpu(shdr->StructureSize)); 184 return 1; 185 } 186 187 command = le16_to_cpu(shdr->Command); 188 if (command >= NUMBER_OF_SMB2_COMMANDS) { 189 cifs_dbg(VFS, "Invalid SMB2 command %d\n", command); 190 return 1; 191 } 192 193 if (len < pdu_size) { 194 if ((len >= hdr_size) 195 && (shdr->Status != 0)) { 196 pdu->StructureSize2 = 0; 197 /* 198 * As with SMB/CIFS, on some error cases servers may 199 * not return wct properly 200 */ 201 return 0; 202 } else { 203 cifs_dbg(VFS, "Length less than SMB header size\n"); 204 } 205 return 1; 206 } 207 if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) { 208 cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n", 209 mid); 210 return 1; 211 } 212 213 if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) { 214 if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 || 215 pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { 216 /* error packets have 9 byte structure size */ 217 cifs_dbg(VFS, "Invalid response size %u for command %d\n", 218 le16_to_cpu(pdu->StructureSize2), command); 219 return 1; 220 } else if (command == SMB2_OPLOCK_BREAK_HE 221 && (shdr->Status == 0) 222 && (le16_to_cpu(pdu->StructureSize2) != 44) 223 && (le16_to_cpu(pdu->StructureSize2) != 36)) { 224 /* special case for SMB2.1 lease break message */ 225 cifs_dbg(VFS, "Invalid response size %d for oplock break\n", 226 le16_to_cpu(pdu->StructureSize2)); 227 return 1; 228 } 229 } 230 231 calc_len = smb2_calc_size(buf); 232 233 /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might 234 * be 0, and not a real miscalculation */ 235 if (command == SMB2_IOCTL_HE && calc_len == 0) 236 return 0; 237 238 if (command == SMB2_NEGOTIATE_HE) 239 calc_len += get_neg_ctxt_len(shdr, len, calc_len); 240 241 if (len != calc_len) { 242 /* create failed on symlink */ 243 if (command == SMB2_CREATE_HE && 244 shdr->Status == STATUS_STOPPED_ON_SYMLINK) 245 return 0; 246 /* Windows 7 server returns 24 bytes more */ 247 if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) 248 return 0; 249 /* server can return one byte more due to implied bcc[0] */ 250 if (calc_len == len + 1) 251 return 0; 252 253 /* 254 * Some windows servers (win2016) will pad also the final 255 * PDU in a compound to 8 bytes. 256 */ 257 if (ALIGN(calc_len, 8) == len) 258 return 0; 259 260 /* 261 * MacOS server pads after SMB2.1 write response with 3 bytes 262 * of junk. Other servers match RFC1001 len to actual 263 * SMB2/SMB3 frame length (header + smb2 response specific data) 264 * Some windows servers also pad up to 8 bytes when compounding. 265 */ 266 if (calc_len < len) 267 return 0; 268 269 /* Only log a message if len was really miscalculated */ 270 if (unlikely(cifsFYI)) 271 cifs_dbg(FYI, "Server response too short: calculated " 272 "length %u doesn't match read length %u (cmd=%d, mid=%llu)\n", 273 calc_len, len, command, mid); 274 else 275 pr_warn("Server response too short: calculated length " 276 "%u doesn't match read length %u (cmd=%d, mid=%llu)\n", 277 calc_len, len, command, mid); 278 279 return 1; 280 } 281 return 0; 282 } 283 284 /* 285 * The size of the variable area depends on the offset and length fields 286 * located in different fields for various SMB2 responses. SMB2 responses 287 * with no variable length info, show an offset of zero for the offset field. 288 */ 289 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { 290 /* SMB2_NEGOTIATE */ true, 291 /* SMB2_SESSION_SETUP */ true, 292 /* SMB2_LOGOFF */ false, 293 /* SMB2_TREE_CONNECT */ false, 294 /* SMB2_TREE_DISCONNECT */ false, 295 /* SMB2_CREATE */ true, 296 /* SMB2_CLOSE */ false, 297 /* SMB2_FLUSH */ false, 298 /* SMB2_READ */ true, 299 /* SMB2_WRITE */ false, 300 /* SMB2_LOCK */ false, 301 /* SMB2_IOCTL */ true, 302 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */ 303 /* SMB2_ECHO */ false, 304 /* SMB2_QUERY_DIRECTORY */ true, 305 /* SMB2_CHANGE_NOTIFY */ true, 306 /* SMB2_QUERY_INFO */ true, 307 /* SMB2_SET_INFO */ false, 308 /* SMB2_OPLOCK_BREAK */ false 309 }; 310 311 /* 312 * Returns the pointer to the beginning of the data area. Length of the data 313 * area and the offset to it (from the beginning of the smb are also returned. 314 */ 315 char * 316 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr) 317 { 318 const int max_off = 4096; 319 const int max_len = 128 * 1024; 320 321 *off = 0; 322 *len = 0; 323 324 /* error responses do not have data area */ 325 if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED && 326 (((struct smb2_err_rsp *)shdr)->StructureSize) == 327 SMB2_ERROR_STRUCTURE_SIZE2_LE) 328 return NULL; 329 330 /* 331 * Following commands have data areas so we have to get the location 332 * of the data buffer offset and data buffer length for the particular 333 * command. 334 */ 335 switch (shdr->Command) { 336 case SMB2_NEGOTIATE: 337 *off = le16_to_cpu( 338 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset); 339 *len = le16_to_cpu( 340 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength); 341 break; 342 case SMB2_SESSION_SETUP: 343 *off = le16_to_cpu( 344 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset); 345 *len = le16_to_cpu( 346 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength); 347 break; 348 case SMB2_CREATE: 349 *off = le32_to_cpu( 350 ((struct smb2_create_rsp *)shdr)->CreateContextsOffset); 351 *len = le32_to_cpu( 352 ((struct smb2_create_rsp *)shdr)->CreateContextsLength); 353 break; 354 case SMB2_QUERY_INFO: 355 *off = le16_to_cpu( 356 ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset); 357 *len = le32_to_cpu( 358 ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength); 359 break; 360 case SMB2_READ: 361 /* TODO: is this a bug ? */ 362 *off = ((struct smb2_read_rsp *)shdr)->DataOffset; 363 *len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength); 364 break; 365 case SMB2_QUERY_DIRECTORY: 366 *off = le16_to_cpu( 367 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset); 368 *len = le32_to_cpu( 369 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength); 370 break; 371 case SMB2_IOCTL: 372 *off = le32_to_cpu( 373 ((struct smb2_ioctl_rsp *)shdr)->OutputOffset); 374 *len = le32_to_cpu( 375 ((struct smb2_ioctl_rsp *)shdr)->OutputCount); 376 break; 377 case SMB2_CHANGE_NOTIFY: 378 *off = le16_to_cpu( 379 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset); 380 *len = le32_to_cpu( 381 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength); 382 break; 383 default: 384 cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command)); 385 break; 386 } 387 388 /* 389 * Invalid length or offset probably means data area is invalid, but 390 * we have little choice but to ignore the data area in this case. 391 */ 392 if (unlikely(*off < 0 || *off > max_off || 393 *len < 0 || *len > max_len)) { 394 cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", 395 __func__, *off, *len); 396 *off = 0; 397 *len = 0; 398 } else if (*off == 0) { 399 *len = 0; 400 } 401 402 /* return pointer to beginning of data area, ie offset from SMB start */ 403 if (*off > 0 && *len > 0) 404 return (char *)shdr + *off; 405 return NULL; 406 } 407 408 /* 409 * Calculate the size of the SMB message based on the fixed header 410 * portion, the number of word parameters and the data portion of the message. 411 */ 412 unsigned int 413 smb2_calc_size(void *buf) 414 { 415 struct smb2_pdu *pdu = buf; 416 struct smb2_hdr *shdr = &pdu->hdr; 417 int offset; /* the offset from the beginning of SMB to data area */ 418 int data_length; /* the length of the variable length data area */ 419 /* Structure Size has already been checked to make sure it is 64 */ 420 int len = le16_to_cpu(shdr->StructureSize); 421 422 /* 423 * StructureSize2, ie length of fixed parameter area has already 424 * been checked to make sure it is the correct length. 425 */ 426 len += le16_to_cpu(pdu->StructureSize2); 427 428 if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false) 429 goto calc_size_exit; 430 431 smb2_get_data_area_len(&offset, &data_length, shdr); 432 cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset); 433 434 if (data_length > 0) { 435 /* 436 * Check to make sure that data area begins after fixed area, 437 * Note that last byte of the fixed area is part of data area 438 * for some commands, typically those with odd StructureSize, 439 * so we must add one to the calculation. 440 */ 441 if (offset + 1 < len) { 442 cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n", 443 offset + 1, len); 444 data_length = 0; 445 } else { 446 len = offset + data_length; 447 } 448 } 449 calc_size_exit: 450 cifs_dbg(FYI, "SMB2 len %d\n", len); 451 return len; 452 } 453 454 /* Note: caller must free return buffer */ 455 __le16 * 456 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb) 457 { 458 int len; 459 const char *start_of_path; 460 __le16 *to; 461 int map_type; 462 463 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SFM_CHR) 464 map_type = SFM_MAP_UNI_RSVD; 465 else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR) 466 map_type = SFU_MAP_UNI_RSVD; 467 else 468 map_type = NO_MAP_UNI_RSVD; 469 470 /* Windows doesn't allow paths beginning with \ */ 471 if (from[0] == '\\') 472 start_of_path = from + 1; 473 474 /* SMB311 POSIX extensions paths do not include leading slash */ 475 else if (cifs_sb_master_tlink(cifs_sb) && 476 cifs_sb_master_tcon(cifs_sb)->posix_extensions && 477 (from[0] == '/')) { 478 start_of_path = from + 1; 479 } else 480 start_of_path = from; 481 482 to = cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len, 483 cifs_sb->local_nls, map_type); 484 return to; 485 } 486 487 __le32 488 smb2_get_lease_state(struct cifsInodeInfo *cinode) 489 { 490 __le32 lease = 0; 491 492 if (CIFS_CACHE_WRITE(cinode)) 493 lease |= SMB2_LEASE_WRITE_CACHING_LE; 494 if (CIFS_CACHE_HANDLE(cinode)) 495 lease |= SMB2_LEASE_HANDLE_CACHING_LE; 496 if (CIFS_CACHE_READ(cinode)) 497 lease |= SMB2_LEASE_READ_CACHING_LE; 498 return lease; 499 } 500 501 struct smb2_lease_break_work { 502 struct work_struct lease_break; 503 struct tcon_link *tlink; 504 __u8 lease_key[16]; 505 __le32 lease_state; 506 }; 507 508 static void 509 cifs_ses_oplock_break(struct work_struct *work) 510 { 511 struct smb2_lease_break_work *lw = container_of(work, 512 struct smb2_lease_break_work, lease_break); 513 int rc = 0; 514 515 rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key, 516 lw->lease_state); 517 518 cifs_dbg(FYI, "Lease release rc %d\n", rc); 519 cifs_put_tlink(lw->tlink); 520 kfree(lw); 521 } 522 523 static void 524 smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, 525 __le32 new_lease_state) 526 { 527 struct smb2_lease_break_work *lw; 528 529 lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); 530 if (!lw) { 531 cifs_put_tlink(tlink); 532 return; 533 } 534 535 INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); 536 lw->tlink = tlink; 537 lw->lease_state = new_lease_state; 538 memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); 539 queue_work(cifsiod_wq, &lw->lease_break); 540 } 541 542 static bool 543 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) 544 { 545 __u8 lease_state; 546 struct cifsFileInfo *cfile; 547 struct cifsInodeInfo *cinode; 548 int ack_req = le32_to_cpu(rsp->Flags & 549 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 550 551 lease_state = le32_to_cpu(rsp->NewLeaseState); 552 553 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 554 cinode = CIFS_I(d_inode(cfile->dentry)); 555 556 if (memcmp(cinode->lease_key, rsp->LeaseKey, 557 SMB2_LEASE_KEY_SIZE)) 558 continue; 559 560 cifs_dbg(FYI, "found in the open list\n"); 561 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 562 lease_state); 563 564 if (ack_req) 565 cfile->oplock_break_cancelled = false; 566 else 567 cfile->oplock_break_cancelled = true; 568 569 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); 570 571 cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); 572 cfile->oplock_level = lease_state; 573 574 cifs_queue_oplock_break(cfile); 575 return true; 576 } 577 578 return false; 579 } 580 581 static struct cifs_pending_open * 582 smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, 583 struct smb2_lease_break *rsp) 584 { 585 __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); 586 int ack_req = le32_to_cpu(rsp->Flags & 587 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 588 struct cifs_pending_open *open; 589 struct cifs_pending_open *found = NULL; 590 591 list_for_each_entry(open, &tcon->pending_opens, olist) { 592 if (memcmp(open->lease_key, rsp->LeaseKey, 593 SMB2_LEASE_KEY_SIZE)) 594 continue; 595 596 if (!found && ack_req) { 597 found = open; 598 } 599 600 cifs_dbg(FYI, "found in the pending open list\n"); 601 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 602 lease_state); 603 604 open->oplock = lease_state; 605 } 606 607 return found; 608 } 609 610 static bool 611 smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) 612 { 613 struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; 614 struct TCP_Server_Info *pserver; 615 struct cifs_ses *ses; 616 struct cifs_tcon *tcon; 617 struct cifs_pending_open *open; 618 619 /* Trace receipt of lease break request from server */ 620 trace_smb3_lease_break_enter(le32_to_cpu(rsp->CurrentLeaseState), 621 le32_to_cpu(rsp->Flags), 622 le16_to_cpu(rsp->Epoch), 623 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 624 le64_to_cpu(rsp->hdr.SessionId), 625 *((u64 *)rsp->LeaseKey), 626 *((u64 *)&rsp->LeaseKey[8])); 627 628 cifs_dbg(FYI, "Checking for lease break\n"); 629 630 /* If server is a channel, select the primary channel */ 631 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 632 633 /* look up tcon based on tid & uid */ 634 spin_lock(&cifs_tcp_ses_lock); 635 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 636 if (cifs_ses_exiting(ses)) 637 continue; 638 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 639 spin_lock(&tcon->open_file_lock); 640 cifs_stats_inc( 641 &tcon->stats.cifs_stats.num_oplock_brks); 642 if (smb2_tcon_has_lease(tcon, rsp)) { 643 spin_unlock(&tcon->open_file_lock); 644 spin_unlock(&cifs_tcp_ses_lock); 645 return true; 646 } 647 open = smb2_tcon_find_pending_open_lease(tcon, 648 rsp); 649 if (open) { 650 __u8 lease_key[SMB2_LEASE_KEY_SIZE]; 651 struct tcon_link *tlink; 652 653 tlink = cifs_get_tlink(open->tlink); 654 memcpy(lease_key, open->lease_key, 655 SMB2_LEASE_KEY_SIZE); 656 spin_unlock(&tcon->open_file_lock); 657 spin_unlock(&cifs_tcp_ses_lock); 658 smb2_queue_pending_open_break(tlink, 659 lease_key, 660 rsp->NewLeaseState); 661 return true; 662 } 663 spin_unlock(&tcon->open_file_lock); 664 665 if (cached_dir_lease_break(tcon, rsp->LeaseKey)) { 666 spin_unlock(&cifs_tcp_ses_lock); 667 return true; 668 } 669 } 670 } 671 spin_unlock(&cifs_tcp_ses_lock); 672 cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); 673 trace_smb3_lease_not_found(le32_to_cpu(rsp->CurrentLeaseState), 674 le32_to_cpu(rsp->Flags), 675 le16_to_cpu(rsp->Epoch), 676 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 677 le64_to_cpu(rsp->hdr.SessionId), 678 *((u64 *)rsp->LeaseKey), 679 *((u64 *)&rsp->LeaseKey[8])); 680 681 return false; 682 } 683 684 bool 685 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) 686 { 687 struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer; 688 struct TCP_Server_Info *pserver; 689 struct cifs_ses *ses; 690 struct cifs_tcon *tcon; 691 struct cifsInodeInfo *cinode; 692 struct cifsFileInfo *cfile; 693 694 cifs_dbg(FYI, "Checking for oplock break\n"); 695 696 if (rsp->hdr.Command != SMB2_OPLOCK_BREAK) 697 return false; 698 699 if (rsp->StructureSize != 700 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { 701 if (le16_to_cpu(rsp->StructureSize) == 44) 702 return smb2_is_valid_lease_break(buffer, server); 703 else 704 return false; 705 } 706 707 cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel); 708 709 /* If server is a channel, select the primary channel */ 710 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 711 712 /* look up tcon based on tid & uid */ 713 spin_lock(&cifs_tcp_ses_lock); 714 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 715 if (cifs_ses_exiting(ses)) 716 continue; 717 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 718 719 spin_lock(&tcon->open_file_lock); 720 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 721 if (rsp->PersistentFid != 722 cfile->fid.persistent_fid || 723 rsp->VolatileFid != 724 cfile->fid.volatile_fid) 725 continue; 726 727 cifs_dbg(FYI, "file id match, oplock break\n"); 728 cifs_stats_inc( 729 &tcon->stats.cifs_stats.num_oplock_brks); 730 cinode = CIFS_I(d_inode(cfile->dentry)); 731 spin_lock(&cfile->file_info_lock); 732 if (!CIFS_CACHE_WRITE(cinode) && 733 rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE) 734 cfile->oplock_break_cancelled = true; 735 else 736 cfile->oplock_break_cancelled = false; 737 738 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, 739 &cinode->flags); 740 741 cfile->oplock_epoch = 0; 742 cfile->oplock_level = rsp->OplockLevel; 743 744 spin_unlock(&cfile->file_info_lock); 745 746 cifs_queue_oplock_break(cfile); 747 748 spin_unlock(&tcon->open_file_lock); 749 spin_unlock(&cifs_tcp_ses_lock); 750 return true; 751 } 752 spin_unlock(&tcon->open_file_lock); 753 } 754 } 755 spin_unlock(&cifs_tcp_ses_lock); 756 cifs_dbg(FYI, "No file id matched, oplock break ignored\n"); 757 trace_smb3_oplock_not_found(0 /* no xid */, rsp->PersistentFid, 758 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 759 le64_to_cpu(rsp->hdr.SessionId)); 760 761 return true; 762 } 763 764 void 765 smb2_cancelled_close_fid(struct work_struct *work) 766 { 767 struct close_cancelled_open *cancelled = container_of(work, 768 struct close_cancelled_open, work); 769 struct cifs_tcon *tcon = cancelled->tcon; 770 int rc; 771 772 if (cancelled->mid) 773 cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n", 774 cancelled->mid); 775 else 776 cifs_tcon_dbg(VFS, "Close interrupted close\n"); 777 778 rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid, 779 cancelled->fid.volatile_fid); 780 if (rc) 781 cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc); 782 783 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close_fid); 784 kfree(cancelled); 785 } 786 787 /* 788 * Caller should already has an extra reference to @tcon 789 * This function is used to queue work to close a handle to prevent leaks 790 * on the server. 791 * We handle two cases. If an open was interrupted after we sent the 792 * SMB2_CREATE to the server but before we processed the reply, and second 793 * if a close was interrupted before we sent the SMB2_CLOSE to the server. 794 */ 795 static int 796 __smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid, 797 __u64 persistent_fid, __u64 volatile_fid) 798 { 799 struct close_cancelled_open *cancelled; 800 801 cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL); 802 if (!cancelled) 803 return -ENOMEM; 804 805 cancelled->fid.persistent_fid = persistent_fid; 806 cancelled->fid.volatile_fid = volatile_fid; 807 cancelled->tcon = tcon; 808 cancelled->cmd = cmd; 809 cancelled->mid = mid; 810 INIT_WORK(&cancelled->work, smb2_cancelled_close_fid); 811 WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false); 812 813 return 0; 814 } 815 816 int 817 smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid, 818 __u64 volatile_fid) 819 { 820 int rc; 821 822 cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count); 823 spin_lock(&cifs_tcp_ses_lock); 824 if (tcon->tc_count <= 0) { 825 struct TCP_Server_Info *server = NULL; 826 827 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 828 netfs_trace_tcon_ref_see_cancelled_close); 829 WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); 830 spin_unlock(&cifs_tcp_ses_lock); 831 832 if (tcon->ses) { 833 server = tcon->ses->server; 834 cifs_server_dbg(FYI, 835 "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", 836 tcon->tid, persistent_fid, volatile_fid); 837 } 838 839 return 0; 840 } 841 tcon->tc_count++; 842 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 843 netfs_trace_tcon_ref_get_cancelled_close); 844 spin_unlock(&cifs_tcp_ses_lock); 845 846 rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0, 847 persistent_fid, volatile_fid); 848 if (rc) 849 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close); 850 851 return rc; 852 } 853 854 int 855 smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server) 856 { 857 struct smb2_hdr *hdr = mid->resp_buf; 858 struct smb2_create_rsp *rsp = mid->resp_buf; 859 struct cifs_tcon *tcon; 860 int rc; 861 862 if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || hdr->Command != SMB2_CREATE || 863 hdr->Status != STATUS_SUCCESS) 864 return 0; 865 866 tcon = smb2_find_smb_tcon(server, le64_to_cpu(hdr->SessionId), 867 le32_to_cpu(hdr->Id.SyncId.TreeId)); 868 if (!tcon) 869 return -ENOENT; 870 871 rc = __smb2_handle_cancelled_cmd(tcon, 872 le16_to_cpu(hdr->Command), 873 le64_to_cpu(hdr->MessageId), 874 rsp->PersistentFileId, 875 rsp->VolatileFileId); 876 if (rc) 877 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_mid); 878 879 return rc; 880 } 881 882 /** 883 * smb311_update_preauth_hash - update @ses hash with the packet data in @iov 884 * 885 * Assumes @iov does not contain the rfc1002 length and iov[0] has the 886 * SMB2 header. 887 * 888 * @ses: server session structure 889 * @server: pointer to server info 890 * @iov: array containing the SMB request we will send to the server 891 * @nvec: number of array entries for the iov 892 */ 893 void 894 smb311_update_preauth_hash(struct cifs_ses *ses, struct TCP_Server_Info *server, 895 struct kvec *iov, int nvec) 896 { 897 int i; 898 struct smb2_hdr *hdr; 899 struct sha512_ctx sha_ctx; 900 901 hdr = (struct smb2_hdr *)iov[0].iov_base; 902 /* neg prot are always taken */ 903 if (hdr->Command == SMB2_NEGOTIATE) 904 goto ok; 905 906 /* 907 * If we process a command which wasn't a negprot it means the 908 * neg prot was already done, so the server dialect was set 909 * and we can test it. Preauth requires 3.1.1 for now. 910 */ 911 if (server->dialect != SMB311_PROT_ID) 912 return; 913 914 if (hdr->Command != SMB2_SESSION_SETUP) 915 return; 916 917 /* skip last sess setup response */ 918 if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 919 && (hdr->Status == NT_STATUS_OK 920 || (hdr->Status != 921 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)))) 922 return; 923 924 ok: 925 sha512_init(&sha_ctx); 926 sha512_update(&sha_ctx, ses->preauth_sha_hash, SMB2_PREAUTH_HASH_SIZE); 927 for (i = 0; i < nvec; i++) 928 sha512_update(&sha_ctx, iov[i].iov_base, iov[i].iov_len); 929 sha512_final(&sha_ctx, ses->preauth_sha_hash); 930 } 931