1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * Copyright (C) International Business Machines Corp., 2002,2011 5 * Etersoft, 2012 6 * Author(s): Steve French (sfrench@us.ibm.com) 7 * Pavel Shilovsky (pshilovsky@samba.org) 2012 8 * 9 */ 10 #include <linux/ctype.h> 11 #include "cifsglob.h" 12 #include "cifsproto.h" 13 #include "smb2proto.h" 14 #include "cifs_debug.h" 15 #include "cifs_unicode.h" 16 #include "../common/smb2status.h" 17 #include "smb2glob.h" 18 #include "nterr.h" 19 #include "cached_dir.h" 20 21 static int 22 check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid) 23 { 24 __u64 wire_mid = le64_to_cpu(shdr->MessageId); 25 26 /* 27 * Make sure that this really is an SMB, that it is a response, 28 * and that the message ids match. 29 */ 30 if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) && 31 (mid == wire_mid)) { 32 if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 33 return 0; 34 else { 35 /* only one valid case where server sends us request */ 36 if (shdr->Command == SMB2_OPLOCK_BREAK) 37 return 0; 38 else 39 cifs_dbg(VFS, "Received Request not response\n"); 40 } 41 } else { /* bad signature or mid */ 42 if (shdr->ProtocolId != SMB2_PROTO_NUMBER) 43 cifs_dbg(VFS, "Bad protocol string signature header %x\n", 44 le32_to_cpu(shdr->ProtocolId)); 45 if (mid != wire_mid) 46 cifs_dbg(VFS, "Mids do not match: %llu and %llu\n", 47 mid, wire_mid); 48 } 49 cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid); 50 return 1; 51 } 52 53 /* 54 * The following table defines the expected "StructureSize" of SMB2 responses 55 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS responses. 56 * 57 * Note that commands are defined in smb2pdu.h in le16 but the array below is 58 * indexed by command in host byte order 59 */ 60 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { 61 /* SMB2_NEGOTIATE */ cpu_to_le16(65), 62 /* SMB2_SESSION_SETUP */ cpu_to_le16(9), 63 /* SMB2_LOGOFF */ cpu_to_le16(4), 64 /* SMB2_TREE_CONNECT */ cpu_to_le16(16), 65 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4), 66 /* SMB2_CREATE */ cpu_to_le16(89), 67 /* SMB2_CLOSE */ cpu_to_le16(60), 68 /* SMB2_FLUSH */ cpu_to_le16(4), 69 /* SMB2_READ */ cpu_to_le16(17), 70 /* SMB2_WRITE */ cpu_to_le16(17), 71 /* SMB2_LOCK */ cpu_to_le16(4), 72 /* SMB2_IOCTL */ cpu_to_le16(49), 73 /* BB CHECK this ... not listed in documentation */ 74 /* SMB2_CANCEL */ cpu_to_le16(0), 75 /* SMB2_ECHO */ cpu_to_le16(4), 76 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9), 77 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9), 78 /* SMB2_QUERY_INFO */ cpu_to_le16(9), 79 /* SMB2_SET_INFO */ cpu_to_le16(2), 80 /* BB FIXME can also be 44 for lease break */ 81 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24) 82 }; 83 84 #define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_hdr) + sizeof(struct smb2_negotiate_rsp)) 85 86 static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, 87 __u32 non_ctxlen) 88 { 89 __u16 neg_count; 90 __u32 nc_offset, size_of_pad_before_neg_ctxts; 91 struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr; 92 93 /* Negotiate contexts are only valid for latest dialect SMB3.11 */ 94 neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount); 95 if ((neg_count == 0) || 96 (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID))) 97 return 0; 98 99 /* 100 * if SPNEGO blob present (ie the RFC2478 GSS info which indicates 101 * which security mechanisms the server supports) make sure that 102 * the negotiate contexts start after it 103 */ 104 nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset); 105 /* 106 * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2 107 * and the latter is 1 byte bigger than the fix-sized area of the 108 * NEGOTIATE response 109 */ 110 if (nc_offset + 1 < non_ctxlen) { 111 pr_warn_once("Invalid negotiate context offset %d\n", nc_offset); 112 return 0; 113 } else if (nc_offset + 1 == non_ctxlen) { 114 cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); 115 size_of_pad_before_neg_ctxts = 0; 116 } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) 117 /* has padding, but no SPNEGO blob */ 118 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; 119 else 120 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen; 121 122 /* Verify that at least minimal negotiate contexts fit within frame */ 123 if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) { 124 pr_warn_once("negotiate context goes beyond end\n"); 125 return 0; 126 } 127 128 cifs_dbg(FYI, "length of negcontexts %d pad %d\n", 129 len - nc_offset, size_of_pad_before_neg_ctxts); 130 131 /* length of negcontexts including pad from end of sec blob to them */ 132 return (len - nc_offset) + size_of_pad_before_neg_ctxts; 133 } 134 135 int 136 smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server) 137 { 138 struct TCP_Server_Info *pserver; 139 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; 140 struct smb2_pdu *pdu = (struct smb2_pdu *)shdr; 141 int hdr_size = sizeof(struct smb2_hdr); 142 int pdu_size = sizeof(struct smb2_pdu); 143 int command; 144 __u32 calc_len; /* calculated length */ 145 __u64 mid; 146 147 /* If server is a channel, select the primary channel */ 148 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 149 150 /* 151 * Add function to do table lookup of StructureSize by command 152 * ie Validate the wct via smb2_struct_sizes table above 153 */ 154 if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) { 155 struct smb2_transform_hdr *thdr = 156 (struct smb2_transform_hdr *)buf; 157 struct cifs_ses *ses = NULL; 158 struct cifs_ses *iter; 159 160 /* decrypt frame now that it is completely read in */ 161 spin_lock(&cifs_tcp_ses_lock); 162 list_for_each_entry(iter, &pserver->smb_ses_list, smb_ses_list) { 163 if (iter->Suid == le64_to_cpu(thdr->SessionId)) { 164 ses = iter; 165 break; 166 } 167 } 168 spin_unlock(&cifs_tcp_ses_lock); 169 if (!ses) { 170 cifs_dbg(VFS, "no decryption - session id not found\n"); 171 return 1; 172 } 173 } 174 175 mid = le64_to_cpu(shdr->MessageId); 176 if (check_smb2_hdr(shdr, mid)) 177 return 1; 178 179 if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { 180 cifs_dbg(VFS, "Invalid structure size %u\n", 181 le16_to_cpu(shdr->StructureSize)); 182 return 1; 183 } 184 185 command = le16_to_cpu(shdr->Command); 186 if (command >= NUMBER_OF_SMB2_COMMANDS) { 187 cifs_dbg(VFS, "Invalid SMB2 command %d\n", command); 188 return 1; 189 } 190 191 if (len < pdu_size) { 192 if ((len >= hdr_size) 193 && (shdr->Status != 0)) { 194 pdu->StructureSize2 = 0; 195 /* 196 * As with SMB/CIFS, on some error cases servers may 197 * not return wct properly 198 */ 199 return 0; 200 } else { 201 cifs_dbg(VFS, "Length less than SMB header size\n"); 202 } 203 return 1; 204 } 205 if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) { 206 cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n", 207 mid); 208 return 1; 209 } 210 211 if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) { 212 if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 || 213 pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { 214 /* error packets have 9 byte structure size */ 215 cifs_dbg(VFS, "Invalid response size %u for command %d\n", 216 le16_to_cpu(pdu->StructureSize2), command); 217 return 1; 218 } else if (command == SMB2_OPLOCK_BREAK_HE 219 && (shdr->Status == 0) 220 && (le16_to_cpu(pdu->StructureSize2) != 44) 221 && (le16_to_cpu(pdu->StructureSize2) != 36)) { 222 /* special case for SMB2.1 lease break message */ 223 cifs_dbg(VFS, "Invalid response size %d for oplock break\n", 224 le16_to_cpu(pdu->StructureSize2)); 225 return 1; 226 } 227 } 228 229 calc_len = smb2_calc_size(buf); 230 231 /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might 232 * be 0, and not a real miscalculation */ 233 if (command == SMB2_IOCTL_HE && calc_len == 0) 234 return 0; 235 236 if (command == SMB2_NEGOTIATE_HE) 237 calc_len += get_neg_ctxt_len(shdr, len, calc_len); 238 239 if (len != calc_len) { 240 /* create failed on symlink */ 241 if (command == SMB2_CREATE_HE && 242 shdr->Status == STATUS_STOPPED_ON_SYMLINK) 243 return 0; 244 /* Windows 7 server returns 24 bytes more */ 245 if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) 246 return 0; 247 /* server can return one byte more due to implied bcc[0] */ 248 if (calc_len == len + 1) 249 return 0; 250 251 /* 252 * Some windows servers (win2016) will pad also the final 253 * PDU in a compound to 8 bytes. 254 */ 255 if (ALIGN(calc_len, 8) == len) 256 return 0; 257 258 /* 259 * MacOS server pads after SMB2.1 write response with 3 bytes 260 * of junk. Other servers match RFC1001 len to actual 261 * SMB2/SMB3 frame length (header + smb2 response specific data) 262 * Some windows servers also pad up to 8 bytes when compounding. 263 */ 264 if (calc_len < len) 265 return 0; 266 267 /* Only log a message if len was really miscalculated */ 268 if (unlikely(cifsFYI)) 269 cifs_dbg(FYI, "Server response too short: calculated " 270 "length %u doesn't match read length %u (cmd=%d, mid=%llu)\n", 271 calc_len, len, command, mid); 272 else 273 pr_warn("Server response too short: calculated length " 274 "%u doesn't match read length %u (cmd=%d, mid=%llu)\n", 275 calc_len, len, command, mid); 276 277 return 1; 278 } 279 return 0; 280 } 281 282 /* 283 * The size of the variable area depends on the offset and length fields 284 * located in different fields for various SMB2 responses. SMB2 responses 285 * with no variable length info, show an offset of zero for the offset field. 286 */ 287 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { 288 /* SMB2_NEGOTIATE */ true, 289 /* SMB2_SESSION_SETUP */ true, 290 /* SMB2_LOGOFF */ false, 291 /* SMB2_TREE_CONNECT */ false, 292 /* SMB2_TREE_DISCONNECT */ false, 293 /* SMB2_CREATE */ true, 294 /* SMB2_CLOSE */ false, 295 /* SMB2_FLUSH */ false, 296 /* SMB2_READ */ true, 297 /* SMB2_WRITE */ false, 298 /* SMB2_LOCK */ false, 299 /* SMB2_IOCTL */ true, 300 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */ 301 /* SMB2_ECHO */ false, 302 /* SMB2_QUERY_DIRECTORY */ true, 303 /* SMB2_CHANGE_NOTIFY */ true, 304 /* SMB2_QUERY_INFO */ true, 305 /* SMB2_SET_INFO */ false, 306 /* SMB2_OPLOCK_BREAK */ false 307 }; 308 309 /* 310 * Returns the pointer to the beginning of the data area. Length of the data 311 * area and the offset to it (from the beginning of the smb are also returned. 312 */ 313 char * 314 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr) 315 { 316 const int max_off = 4096; 317 const int max_len = 128 * 1024; 318 319 *off = 0; 320 *len = 0; 321 322 /* error responses do not have data area */ 323 if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED && 324 (((struct smb2_err_rsp *)shdr)->StructureSize) == 325 SMB2_ERROR_STRUCTURE_SIZE2_LE) 326 return NULL; 327 328 /* 329 * Following commands have data areas so we have to get the location 330 * of the data buffer offset and data buffer length for the particular 331 * command. 332 */ 333 switch (shdr->Command) { 334 case SMB2_NEGOTIATE: 335 *off = le16_to_cpu( 336 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset); 337 *len = le16_to_cpu( 338 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength); 339 break; 340 case SMB2_SESSION_SETUP: 341 *off = le16_to_cpu( 342 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset); 343 *len = le16_to_cpu( 344 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength); 345 break; 346 case SMB2_CREATE: 347 *off = le32_to_cpu( 348 ((struct smb2_create_rsp *)shdr)->CreateContextsOffset); 349 *len = le32_to_cpu( 350 ((struct smb2_create_rsp *)shdr)->CreateContextsLength); 351 break; 352 case SMB2_QUERY_INFO: 353 *off = le16_to_cpu( 354 ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset); 355 *len = le32_to_cpu( 356 ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength); 357 break; 358 case SMB2_READ: 359 /* TODO: is this a bug ? */ 360 *off = ((struct smb2_read_rsp *)shdr)->DataOffset; 361 *len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength); 362 break; 363 case SMB2_QUERY_DIRECTORY: 364 *off = le16_to_cpu( 365 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset); 366 *len = le32_to_cpu( 367 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength); 368 break; 369 case SMB2_IOCTL: 370 *off = le32_to_cpu( 371 ((struct smb2_ioctl_rsp *)shdr)->OutputOffset); 372 *len = le32_to_cpu( 373 ((struct smb2_ioctl_rsp *)shdr)->OutputCount); 374 break; 375 case SMB2_CHANGE_NOTIFY: 376 *off = le16_to_cpu( 377 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset); 378 *len = le32_to_cpu( 379 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength); 380 break; 381 default: 382 cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command)); 383 break; 384 } 385 386 /* 387 * Invalid length or offset probably means data area is invalid, but 388 * we have little choice but to ignore the data area in this case. 389 */ 390 if (unlikely(*off < 0 || *off > max_off || 391 *len < 0 || *len > max_len)) { 392 cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", 393 __func__, *off, *len); 394 *off = 0; 395 *len = 0; 396 } else if (*off == 0) { 397 *len = 0; 398 } 399 400 /* return pointer to beginning of data area, ie offset from SMB start */ 401 if (*off > 0 && *len > 0) 402 return (char *)shdr + *off; 403 return NULL; 404 } 405 406 /* 407 * Calculate the size of the SMB message based on the fixed header 408 * portion, the number of word parameters and the data portion of the message. 409 */ 410 unsigned int 411 smb2_calc_size(void *buf) 412 { 413 struct smb2_pdu *pdu = buf; 414 struct smb2_hdr *shdr = &pdu->hdr; 415 int offset; /* the offset from the beginning of SMB to data area */ 416 int data_length; /* the length of the variable length data area */ 417 /* Structure Size has already been checked to make sure it is 64 */ 418 int len = le16_to_cpu(shdr->StructureSize); 419 420 /* 421 * StructureSize2, ie length of fixed parameter area has already 422 * been checked to make sure it is the correct length. 423 */ 424 len += le16_to_cpu(pdu->StructureSize2); 425 426 if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false) 427 goto calc_size_exit; 428 429 smb2_get_data_area_len(&offset, &data_length, shdr); 430 cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset); 431 432 if (data_length > 0) { 433 /* 434 * Check to make sure that data area begins after fixed area, 435 * Note that last byte of the fixed area is part of data area 436 * for some commands, typically those with odd StructureSize, 437 * so we must add one to the calculation. 438 */ 439 if (offset + 1 < len) { 440 cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n", 441 offset + 1, len); 442 data_length = 0; 443 } else { 444 len = offset + data_length; 445 } 446 } 447 calc_size_exit: 448 cifs_dbg(FYI, "SMB2 len %d\n", len); 449 return len; 450 } 451 452 /* Note: caller must free return buffer */ 453 __le16 * 454 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb) 455 { 456 int len; 457 const char *start_of_path; 458 __le16 *to; 459 int map_type; 460 461 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SFM_CHR) 462 map_type = SFM_MAP_UNI_RSVD; 463 else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR) 464 map_type = SFU_MAP_UNI_RSVD; 465 else 466 map_type = NO_MAP_UNI_RSVD; 467 468 /* Windows doesn't allow paths beginning with \ */ 469 if (from[0] == '\\') 470 start_of_path = from + 1; 471 472 /* SMB311 POSIX extensions paths do not include leading slash */ 473 else if (cifs_sb_master_tlink(cifs_sb) && 474 cifs_sb_master_tcon(cifs_sb)->posix_extensions && 475 (from[0] == '/')) { 476 start_of_path = from + 1; 477 } else 478 start_of_path = from; 479 480 to = cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len, 481 cifs_sb->local_nls, map_type); 482 return to; 483 } 484 485 __le32 486 smb2_get_lease_state(struct cifsInodeInfo *cinode) 487 { 488 __le32 lease = 0; 489 490 if (CIFS_CACHE_WRITE(cinode)) 491 lease |= SMB2_LEASE_WRITE_CACHING_LE; 492 if (CIFS_CACHE_HANDLE(cinode)) 493 lease |= SMB2_LEASE_HANDLE_CACHING_LE; 494 if (CIFS_CACHE_READ(cinode)) 495 lease |= SMB2_LEASE_READ_CACHING_LE; 496 return lease; 497 } 498 499 struct smb2_lease_break_work { 500 struct work_struct lease_break; 501 struct tcon_link *tlink; 502 __u8 lease_key[16]; 503 __le32 lease_state; 504 }; 505 506 static void 507 cifs_ses_oplock_break(struct work_struct *work) 508 { 509 struct smb2_lease_break_work *lw = container_of(work, 510 struct smb2_lease_break_work, lease_break); 511 int rc = 0; 512 513 rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key, 514 lw->lease_state); 515 516 cifs_dbg(FYI, "Lease release rc %d\n", rc); 517 cifs_put_tlink(lw->tlink); 518 kfree(lw); 519 } 520 521 static void 522 smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, 523 __le32 new_lease_state) 524 { 525 struct smb2_lease_break_work *lw; 526 527 lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); 528 if (!lw) { 529 cifs_put_tlink(tlink); 530 return; 531 } 532 533 INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); 534 lw->tlink = tlink; 535 lw->lease_state = new_lease_state; 536 memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); 537 queue_work(cifsiod_wq, &lw->lease_break); 538 } 539 540 static bool 541 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) 542 { 543 __u8 lease_state; 544 struct cifsFileInfo *cfile; 545 struct cifsInodeInfo *cinode; 546 int ack_req = le32_to_cpu(rsp->Flags & 547 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 548 549 lease_state = le32_to_cpu(rsp->NewLeaseState); 550 551 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 552 cinode = CIFS_I(d_inode(cfile->dentry)); 553 554 if (memcmp(cinode->lease_key, rsp->LeaseKey, 555 SMB2_LEASE_KEY_SIZE)) 556 continue; 557 558 cifs_dbg(FYI, "found in the open list\n"); 559 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 560 lease_state); 561 562 if (ack_req) 563 cfile->oplock_break_cancelled = false; 564 else 565 cfile->oplock_break_cancelled = true; 566 567 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); 568 569 cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); 570 cfile->oplock_level = lease_state; 571 572 cifs_queue_oplock_break(cfile); 573 return true; 574 } 575 576 return false; 577 } 578 579 static struct cifs_pending_open * 580 smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, 581 struct smb2_lease_break *rsp) 582 { 583 __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); 584 int ack_req = le32_to_cpu(rsp->Flags & 585 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 586 struct cifs_pending_open *open; 587 struct cifs_pending_open *found = NULL; 588 589 list_for_each_entry(open, &tcon->pending_opens, olist) { 590 if (memcmp(open->lease_key, rsp->LeaseKey, 591 SMB2_LEASE_KEY_SIZE)) 592 continue; 593 594 if (!found && ack_req) { 595 found = open; 596 } 597 598 cifs_dbg(FYI, "found in the pending open list\n"); 599 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 600 lease_state); 601 602 open->oplock = lease_state; 603 } 604 605 return found; 606 } 607 608 static bool 609 smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) 610 { 611 struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; 612 struct TCP_Server_Info *pserver; 613 struct cifs_ses *ses; 614 struct cifs_tcon *tcon; 615 struct cifs_pending_open *open; 616 617 /* Trace receipt of lease break request from server */ 618 trace_smb3_lease_break_enter(le32_to_cpu(rsp->CurrentLeaseState), 619 le32_to_cpu(rsp->Flags), 620 le16_to_cpu(rsp->Epoch), 621 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 622 le64_to_cpu(rsp->hdr.SessionId), 623 *((u64 *)rsp->LeaseKey), 624 *((u64 *)&rsp->LeaseKey[8])); 625 626 cifs_dbg(FYI, "Checking for lease break\n"); 627 628 /* If server is a channel, select the primary channel */ 629 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 630 631 /* look up tcon based on tid & uid */ 632 spin_lock(&cifs_tcp_ses_lock); 633 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 634 if (cifs_ses_exiting(ses)) 635 continue; 636 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 637 spin_lock(&tcon->open_file_lock); 638 cifs_stats_inc( 639 &tcon->stats.cifs_stats.num_oplock_brks); 640 if (smb2_tcon_has_lease(tcon, rsp)) { 641 spin_unlock(&tcon->open_file_lock); 642 spin_unlock(&cifs_tcp_ses_lock); 643 return true; 644 } 645 open = smb2_tcon_find_pending_open_lease(tcon, 646 rsp); 647 if (open) { 648 __u8 lease_key[SMB2_LEASE_KEY_SIZE]; 649 struct tcon_link *tlink; 650 651 tlink = cifs_get_tlink(open->tlink); 652 memcpy(lease_key, open->lease_key, 653 SMB2_LEASE_KEY_SIZE); 654 spin_unlock(&tcon->open_file_lock); 655 spin_unlock(&cifs_tcp_ses_lock); 656 smb2_queue_pending_open_break(tlink, 657 lease_key, 658 rsp->NewLeaseState); 659 return true; 660 } 661 spin_unlock(&tcon->open_file_lock); 662 663 if (cached_dir_lease_break(tcon, rsp->LeaseKey)) { 664 spin_unlock(&cifs_tcp_ses_lock); 665 return true; 666 } 667 } 668 } 669 spin_unlock(&cifs_tcp_ses_lock); 670 cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); 671 trace_smb3_lease_not_found(le32_to_cpu(rsp->CurrentLeaseState), 672 le32_to_cpu(rsp->Flags), 673 le16_to_cpu(rsp->Epoch), 674 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 675 le64_to_cpu(rsp->hdr.SessionId), 676 *((u64 *)rsp->LeaseKey), 677 *((u64 *)&rsp->LeaseKey[8])); 678 679 return false; 680 } 681 682 bool 683 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) 684 { 685 struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer; 686 struct TCP_Server_Info *pserver; 687 struct cifs_ses *ses; 688 struct cifs_tcon *tcon; 689 struct cifsInodeInfo *cinode; 690 struct cifsFileInfo *cfile; 691 692 cifs_dbg(FYI, "Checking for oplock break\n"); 693 694 if (rsp->hdr.Command != SMB2_OPLOCK_BREAK) 695 return false; 696 697 if (rsp->StructureSize != 698 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { 699 if (le16_to_cpu(rsp->StructureSize) == 44) 700 return smb2_is_valid_lease_break(buffer, server); 701 else 702 return false; 703 } 704 705 cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel); 706 707 /* If server is a channel, select the primary channel */ 708 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 709 710 /* look up tcon based on tid & uid */ 711 spin_lock(&cifs_tcp_ses_lock); 712 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 713 if (cifs_ses_exiting(ses)) 714 continue; 715 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 716 717 spin_lock(&tcon->open_file_lock); 718 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 719 if (rsp->PersistentFid != 720 cfile->fid.persistent_fid || 721 rsp->VolatileFid != 722 cfile->fid.volatile_fid) 723 continue; 724 725 cifs_dbg(FYI, "file id match, oplock break\n"); 726 cifs_stats_inc( 727 &tcon->stats.cifs_stats.num_oplock_brks); 728 cinode = CIFS_I(d_inode(cfile->dentry)); 729 spin_lock(&cfile->file_info_lock); 730 if (!CIFS_CACHE_WRITE(cinode) && 731 rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE) 732 cfile->oplock_break_cancelled = true; 733 else 734 cfile->oplock_break_cancelled = false; 735 736 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, 737 &cinode->flags); 738 739 cfile->oplock_epoch = 0; 740 cfile->oplock_level = rsp->OplockLevel; 741 742 spin_unlock(&cfile->file_info_lock); 743 744 cifs_queue_oplock_break(cfile); 745 746 spin_unlock(&tcon->open_file_lock); 747 spin_unlock(&cifs_tcp_ses_lock); 748 return true; 749 } 750 spin_unlock(&tcon->open_file_lock); 751 } 752 } 753 spin_unlock(&cifs_tcp_ses_lock); 754 cifs_dbg(FYI, "No file id matched, oplock break ignored\n"); 755 trace_smb3_oplock_not_found(0 /* no xid */, rsp->PersistentFid, 756 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 757 le64_to_cpu(rsp->hdr.SessionId)); 758 759 return true; 760 } 761 762 void 763 smb2_cancelled_close_fid(struct work_struct *work) 764 { 765 struct close_cancelled_open *cancelled = container_of(work, 766 struct close_cancelled_open, work); 767 struct cifs_tcon *tcon = cancelled->tcon; 768 int rc; 769 770 if (cancelled->mid) 771 cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n", 772 cancelled->mid); 773 else 774 cifs_tcon_dbg(VFS, "Close interrupted close\n"); 775 776 rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid, 777 cancelled->fid.volatile_fid); 778 if (rc) 779 cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc); 780 781 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close_fid); 782 kfree(cancelled); 783 } 784 785 /* 786 * Caller should already has an extra reference to @tcon 787 * This function is used to queue work to close a handle to prevent leaks 788 * on the server. 789 * We handle two cases. If an open was interrupted after we sent the 790 * SMB2_CREATE to the server but before we processed the reply, and second 791 * if a close was interrupted before we sent the SMB2_CLOSE to the server. 792 */ 793 static int 794 __smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid, 795 __u64 persistent_fid, __u64 volatile_fid) 796 { 797 struct close_cancelled_open *cancelled; 798 799 cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL); 800 if (!cancelled) 801 return -ENOMEM; 802 803 cancelled->fid.persistent_fid = persistent_fid; 804 cancelled->fid.volatile_fid = volatile_fid; 805 cancelled->tcon = tcon; 806 cancelled->cmd = cmd; 807 cancelled->mid = mid; 808 INIT_WORK(&cancelled->work, smb2_cancelled_close_fid); 809 WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false); 810 811 return 0; 812 } 813 814 int 815 smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid, 816 __u64 volatile_fid) 817 { 818 int rc; 819 820 cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count); 821 spin_lock(&cifs_tcp_ses_lock); 822 if (tcon->tc_count <= 0) { 823 struct TCP_Server_Info *server = NULL; 824 825 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 826 netfs_trace_tcon_ref_see_cancelled_close); 827 WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); 828 spin_unlock(&cifs_tcp_ses_lock); 829 830 if (tcon->ses) { 831 server = tcon->ses->server; 832 cifs_server_dbg(FYI, 833 "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", 834 tcon->tid, persistent_fid, volatile_fid); 835 } 836 837 return 0; 838 } 839 tcon->tc_count++; 840 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 841 netfs_trace_tcon_ref_get_cancelled_close); 842 spin_unlock(&cifs_tcp_ses_lock); 843 844 rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0, 845 persistent_fid, volatile_fid); 846 if (rc) 847 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close); 848 849 return rc; 850 } 851 852 int 853 smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server) 854 { 855 struct smb2_hdr *hdr = mid->resp_buf; 856 struct smb2_create_rsp *rsp = mid->resp_buf; 857 struct cifs_tcon *tcon; 858 int rc; 859 860 if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || hdr->Command != SMB2_CREATE || 861 hdr->Status != STATUS_SUCCESS) 862 return 0; 863 864 tcon = smb2_find_smb_tcon(server, le64_to_cpu(hdr->SessionId), 865 le32_to_cpu(hdr->Id.SyncId.TreeId)); 866 if (!tcon) 867 return -ENOENT; 868 869 rc = __smb2_handle_cancelled_cmd(tcon, 870 le16_to_cpu(hdr->Command), 871 le64_to_cpu(hdr->MessageId), 872 rsp->PersistentFileId, 873 rsp->VolatileFileId); 874 if (rc) 875 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_mid); 876 877 return rc; 878 } 879 880 /** 881 * smb311_update_preauth_hash - update @ses hash with the packet data in @iov 882 * 883 * Assumes @iov does not contain the rfc1002 length and iov[0] has the 884 * SMB2 header. 885 * 886 * @ses: server session structure 887 * @server: pointer to server info 888 * @iov: array containing the SMB request we will send to the server 889 * @nvec: number of array entries for the iov 890 */ 891 int 892 smb311_update_preauth_hash(struct cifs_ses *ses, struct TCP_Server_Info *server, 893 struct kvec *iov, int nvec) 894 { 895 int i, rc; 896 struct smb2_hdr *hdr; 897 struct shash_desc *sha512 = NULL; 898 899 hdr = (struct smb2_hdr *)iov[0].iov_base; 900 /* neg prot are always taken */ 901 if (hdr->Command == SMB2_NEGOTIATE) 902 goto ok; 903 904 /* 905 * If we process a command which wasn't a negprot it means the 906 * neg prot was already done, so the server dialect was set 907 * and we can test it. Preauth requires 3.1.1 for now. 908 */ 909 if (server->dialect != SMB311_PROT_ID) 910 return 0; 911 912 if (hdr->Command != SMB2_SESSION_SETUP) 913 return 0; 914 915 /* skip last sess setup response */ 916 if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 917 && (hdr->Status == NT_STATUS_OK 918 || (hdr->Status != 919 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)))) 920 return 0; 921 922 ok: 923 rc = smb311_crypto_shash_allocate(server); 924 if (rc) 925 return rc; 926 927 sha512 = server->secmech.sha512; 928 rc = crypto_shash_init(sha512); 929 if (rc) { 930 cifs_dbg(VFS, "%s: Could not init sha512 shash\n", __func__); 931 return rc; 932 } 933 934 rc = crypto_shash_update(sha512, ses->preauth_sha_hash, 935 SMB2_PREAUTH_HASH_SIZE); 936 if (rc) { 937 cifs_dbg(VFS, "%s: Could not update sha512 shash\n", __func__); 938 return rc; 939 } 940 941 for (i = 0; i < nvec; i++) { 942 rc = crypto_shash_update(sha512, iov[i].iov_base, iov[i].iov_len); 943 if (rc) { 944 cifs_dbg(VFS, "%s: Could not update sha512 shash\n", 945 __func__); 946 return rc; 947 } 948 } 949 950 rc = crypto_shash_final(sha512, ses->preauth_sha_hash); 951 if (rc) { 952 cifs_dbg(VFS, "%s: Could not finalize sha512 shash\n", 953 __func__); 954 return rc; 955 } 956 957 return 0; 958 } 959