fs/cifs/smb2misc.c at v5.11

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / fs / cifs / smb2misc.c
at v5.11 952 lines 28 kB view raw
wrap content
  1/*
  2 *   fs/cifs/smb2misc.c
  3 *
  4 *   Copyright (C) International Business Machines  Corp., 2002,2011
  5 *                 Etersoft, 2012
  6 *   Author(s): Steve French (sfrench@us.ibm.com)
  7 *              Pavel Shilovsky (pshilovsky@samba.org) 2012
  8 *
  9 *   This library is free software; you can redistribute it and/or modify
 10 *   it under the terms of the GNU Lesser General Public License as published
 11 *   by the Free Software Foundation; either version 2.1 of the License, or
 12 *   (at your option) any later version.
 13 *
 14 *   This library is distributed in the hope that it will be useful,
 15 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 16 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 17 *   the GNU Lesser General Public License for more details.
 18 *
 19 *   You should have received a copy of the GNU Lesser General Public License
 20 *   along with this library; if not, write to the Free Software
 21 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 22 */
 23#include <linux/ctype.h>
 24#include "smb2pdu.h"
 25#include "cifsglob.h"
 26#include "cifsproto.h"
 27#include "smb2proto.h"
 28#include "cifs_debug.h"
 29#include "cifs_unicode.h"
 30#include "smb2status.h"
 31#include "smb2glob.h"
 32#include "nterr.h"
 33
 34static int
 35check_smb2_hdr(struct smb2_sync_hdr *shdr, __u64 mid)
 36{
 37	__u64 wire_mid = le64_to_cpu(shdr->MessageId);
 38
 39	/*
 40	 * Make sure that this really is an SMB, that it is a response,
 41	 * and that the message ids match.
 42	 */
 43	if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) &&
 44	    (mid == wire_mid)) {
 45		if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
 46			return 0;
 47		else {
 48			/* only one valid case where server sends us request */
 49			if (shdr->Command == SMB2_OPLOCK_BREAK)
 50				return 0;
 51			else
 52				cifs_dbg(VFS, "Received Request not response\n");
 53		}
 54	} else { /* bad signature or mid */
 55		if (shdr->ProtocolId != SMB2_PROTO_NUMBER)
 56			cifs_dbg(VFS, "Bad protocol string signature header %x\n",
 57				 le32_to_cpu(shdr->ProtocolId));
 58		if (mid != wire_mid)
 59			cifs_dbg(VFS, "Mids do not match: %llu and %llu\n",
 60				 mid, wire_mid);
 61	}
 62	cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid);
 63	return 1;
 64}
 65
 66/*
 67 *  The following table defines the expected "StructureSize" of SMB2 responses
 68 *  in order by SMB2 command.  This is similar to "wct" in SMB/CIFS responses.
 69 *
 70 *  Note that commands are defined in smb2pdu.h in le16 but the array below is
 71 *  indexed by command in host byte order
 72 */
 73static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
 74	/* SMB2_NEGOTIATE */ cpu_to_le16(65),
 75	/* SMB2_SESSION_SETUP */ cpu_to_le16(9),
 76	/* SMB2_LOGOFF */ cpu_to_le16(4),
 77	/* SMB2_TREE_CONNECT */ cpu_to_le16(16),
 78	/* SMB2_TREE_DISCONNECT */ cpu_to_le16(4),
 79	/* SMB2_CREATE */ cpu_to_le16(89),
 80	/* SMB2_CLOSE */ cpu_to_le16(60),
 81	/* SMB2_FLUSH */ cpu_to_le16(4),
 82	/* SMB2_READ */ cpu_to_le16(17),
 83	/* SMB2_WRITE */ cpu_to_le16(17),
 84	/* SMB2_LOCK */ cpu_to_le16(4),
 85	/* SMB2_IOCTL */ cpu_to_le16(49),
 86	/* BB CHECK this ... not listed in documentation */
 87	/* SMB2_CANCEL */ cpu_to_le16(0),
 88	/* SMB2_ECHO */ cpu_to_le16(4),
 89	/* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9),
 90	/* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9),
 91	/* SMB2_QUERY_INFO */ cpu_to_le16(9),
 92	/* SMB2_SET_INFO */ cpu_to_le16(2),
 93	/* BB FIXME can also be 44 for lease break */
 94	/* SMB2_OPLOCK_BREAK */ cpu_to_le16(24)
 95};
 96
 97#define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_sync_hdr) + sizeof(struct smb2_negotiate_rsp))
 98
 99static __u32 get_neg_ctxt_len(struct smb2_sync_hdr *hdr, __u32 len,
100			      __u32 non_ctxlen)
101{
102	__u16 neg_count;
103	__u32 nc_offset, size_of_pad_before_neg_ctxts;
104	struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr;
105
106	/* Negotiate contexts are only valid for latest dialect SMB3.11 */
107	neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount);
108	if ((neg_count == 0) ||
109	   (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID)))
110		return 0;
111
112	/*
113	 * if SPNEGO blob present (ie the RFC2478 GSS info which indicates
114	 * which security mechanisms the server supports) make sure that
115	 * the negotiate contexts start after it
116	 */
117	nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset);
118	/*
119	 * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2
120	 * and the latter is 1 byte bigger than the fix-sized area of the
121	 * NEGOTIATE response
122	 */
123	if (nc_offset + 1 < non_ctxlen) {
124		pr_warn_once("Invalid negotiate context offset %d\n", nc_offset);
125		return 0;
126	} else if (nc_offset + 1 == non_ctxlen) {
127		cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n");
128		size_of_pad_before_neg_ctxts = 0;
129	} else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE)
130		/* has padding, but no SPNEGO blob */
131		size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1;
132	else
133		size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen;
134
135	/* Verify that at least minimal negotiate contexts fit within frame */
136	if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) {
137		pr_warn_once("negotiate context goes beyond end\n");
138		return 0;
139	}
140
141	cifs_dbg(FYI, "length of negcontexts %d pad %d\n",
142		len - nc_offset, size_of_pad_before_neg_ctxts);
143
144	/* length of negcontexts including pad from end of sec blob to them */
145	return (len - nc_offset) + size_of_pad_before_neg_ctxts;
146}
147
148int
149smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *srvr)
150{
151	struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)buf;
152	struct smb2_sync_pdu *pdu = (struct smb2_sync_pdu *)shdr;
153	__u64 mid;
154	__u32 clc_len;  /* calculated length */
155	int command;
156	int pdu_size = sizeof(struct smb2_sync_pdu);
157	int hdr_size = sizeof(struct smb2_sync_hdr);
158
159	/*
160	 * Add function to do table lookup of StructureSize by command
161	 * ie Validate the wct via smb2_struct_sizes table above
162	 */
163	if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) {
164		struct smb2_transform_hdr *thdr =
165			(struct smb2_transform_hdr *)buf;
166		struct cifs_ses *ses = NULL;
167		struct list_head *tmp;
168
169		/* decrypt frame now that it is completely read in */
170		spin_lock(&cifs_tcp_ses_lock);
171		list_for_each(tmp, &srvr->smb_ses_list) {
172			ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
173			if (ses->Suid == thdr->SessionId)
174				break;
175
176			ses = NULL;
177		}
178		spin_unlock(&cifs_tcp_ses_lock);
179		if (ses == NULL) {
180			cifs_dbg(VFS, "no decryption - session id not found\n");
181			return 1;
182		}
183	}
184
185	mid = le64_to_cpu(shdr->MessageId);
186	if (len < pdu_size) {
187		if ((len >= hdr_size)
188		    && (shdr->Status != 0)) {
189			pdu->StructureSize2 = 0;
190			/*
191			 * As with SMB/CIFS, on some error cases servers may
192			 * not return wct properly
193			 */
194			return 0;
195		} else {
196			cifs_dbg(VFS, "Length less than SMB header size\n");
197		}
198		return 1;
199	}
200	if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) {
201		cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n",
202			 mid);
203		return 1;
204	}
205
206	if (check_smb2_hdr(shdr, mid))
207		return 1;
208
209	if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
210		cifs_dbg(VFS, "Invalid structure size %u\n",
211			 le16_to_cpu(shdr->StructureSize));
212		return 1;
213	}
214
215	command = le16_to_cpu(shdr->Command);
216	if (command >= NUMBER_OF_SMB2_COMMANDS) {
217		cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
218		return 1;
219	}
220
221	if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) {
222		if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 ||
223		    pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2)) {
224			/* error packets have 9 byte structure size */
225			cifs_dbg(VFS, "Invalid response size %u for command %d\n",
226				 le16_to_cpu(pdu->StructureSize2), command);
227			return 1;
228		} else if (command == SMB2_OPLOCK_BREAK_HE
229			   && (shdr->Status == 0)
230			   && (le16_to_cpu(pdu->StructureSize2) != 44)
231			   && (le16_to_cpu(pdu->StructureSize2) != 36)) {
232			/* special case for SMB2.1 lease break message */
233			cifs_dbg(VFS, "Invalid response size %d for oplock break\n",
234				 le16_to_cpu(pdu->StructureSize2));
235			return 1;
236		}
237	}
238
239	clc_len = smb2_calc_size(buf, srvr);
240
241	if (shdr->Command == SMB2_NEGOTIATE)
242		clc_len += get_neg_ctxt_len(shdr, len, clc_len);
243
244	if (len != clc_len) {
245		cifs_dbg(FYI, "Calculated size %u length %u mismatch mid %llu\n",
246			 clc_len, len, mid);
247		/* create failed on symlink */
248		if (command == SMB2_CREATE_HE &&
249		    shdr->Status == STATUS_STOPPED_ON_SYMLINK)
250			return 0;
251		/* Windows 7 server returns 24 bytes more */
252		if (clc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
253			return 0;
254		/* server can return one byte more due to implied bcc[0] */
255		if (clc_len == len + 1)
256			return 0;
257
258		/*
259		 * Some windows servers (win2016) will pad also the final
260		 * PDU in a compound to 8 bytes.
261		 */
262		if (((clc_len + 7) & ~7) == len)
263			return 0;
264
265		/*
266		 * MacOS server pads after SMB2.1 write response with 3 bytes
267		 * of junk. Other servers match RFC1001 len to actual
268		 * SMB2/SMB3 frame length (header + smb2 response specific data)
269		 * Some windows servers also pad up to 8 bytes when compounding.
270		 */
271		if (clc_len < len)
272			return 0;
273
274		pr_warn_once(
275			"srv rsp too short, len %d not %d. cmd:%d mid:%llu\n",
276			len, clc_len, command, mid);
277
278		return 1;
279	}
280	return 0;
281}
282
283/*
284 * The size of the variable area depends on the offset and length fields
285 * located in different fields for various SMB2 responses. SMB2 responses
286 * with no variable length info, show an offset of zero for the offset field.
287 */
288static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
289	/* SMB2_NEGOTIATE */ true,
290	/* SMB2_SESSION_SETUP */ true,
291	/* SMB2_LOGOFF */ false,
292	/* SMB2_TREE_CONNECT */	false,
293	/* SMB2_TREE_DISCONNECT */ false,
294	/* SMB2_CREATE */ true,
295	/* SMB2_CLOSE */ false,
296	/* SMB2_FLUSH */ false,
297	/* SMB2_READ */	true,
298	/* SMB2_WRITE */ false,
299	/* SMB2_LOCK */	false,
300	/* SMB2_IOCTL */ true,
301	/* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */
302	/* SMB2_ECHO */ false,
303	/* SMB2_QUERY_DIRECTORY */ true,
304	/* SMB2_CHANGE_NOTIFY */ true,
305	/* SMB2_QUERY_INFO */ true,
306	/* SMB2_SET_INFO */ false,
307	/* SMB2_OPLOCK_BREAK */ false
308};
309
310/*
311 * Returns the pointer to the beginning of the data area. Length of the data
312 * area and the offset to it (from the beginning of the smb are also returned.
313 */
314char *
315smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
316{
317	*off = 0;
318	*len = 0;
319
320	/* error responses do not have data area */
321	if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
322	    (((struct smb2_err_rsp *)shdr)->StructureSize) ==
323						SMB2_ERROR_STRUCTURE_SIZE2)
324		return NULL;
325
326	/*
327	 * Following commands have data areas so we have to get the location
328	 * of the data buffer offset and data buffer length for the particular
329	 * command.
330	 */
331	switch (shdr->Command) {
332	case SMB2_NEGOTIATE:
333		*off = le16_to_cpu(
334		  ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset);
335		*len = le16_to_cpu(
336		  ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength);
337		break;
338	case SMB2_SESSION_SETUP:
339		*off = le16_to_cpu(
340		  ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset);
341		*len = le16_to_cpu(
342		  ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength);
343		break;
344	case SMB2_CREATE:
345		*off = le32_to_cpu(
346		    ((struct smb2_create_rsp *)shdr)->CreateContextsOffset);
347		*len = le32_to_cpu(
348		    ((struct smb2_create_rsp *)shdr)->CreateContextsLength);
349		break;
350	case SMB2_QUERY_INFO:
351		*off = le16_to_cpu(
352		    ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset);
353		*len = le32_to_cpu(
354		    ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength);
355		break;
356	case SMB2_READ:
357		/* TODO: is this a bug ? */
358		*off = ((struct smb2_read_rsp *)shdr)->DataOffset;
359		*len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength);
360		break;
361	case SMB2_QUERY_DIRECTORY:
362		*off = le16_to_cpu(
363		  ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset);
364		*len = le32_to_cpu(
365		  ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength);
366		break;
367	case SMB2_IOCTL:
368		*off = le32_to_cpu(
369		  ((struct smb2_ioctl_rsp *)shdr)->OutputOffset);
370		*len = le32_to_cpu(
371		  ((struct smb2_ioctl_rsp *)shdr)->OutputCount);
372		break;
373	case SMB2_CHANGE_NOTIFY:
374		*off = le16_to_cpu(
375		  ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset);
376		*len = le32_to_cpu(
377		  ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength);
378		break;
379	default:
380		cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command));
381		break;
382	}
383
384	/*
385	 * Invalid length or offset probably means data area is invalid, but
386	 * we have little choice but to ignore the data area in this case.
387	 */
388	if (*off > 4096) {
389		cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
390		*len = 0;
391		*off = 0;
392	} else if (*off < 0) {
393		cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
394			 *off);
395		*off = 0;
396		*len = 0;
397	} else if (*len < 0) {
398		cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
399			 *len);
400		*len = 0;
401	} else if (*len > 128 * 1024) {
402		cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
403		*len = 0;
404	}
405
406	/* return pointer to beginning of data area, ie offset from SMB start */
407	if ((*off != 0) && (*len != 0))
408		return (char *)shdr + *off;
409	else
410		return NULL;
411}
412
413/*
414 * Calculate the size of the SMB message based on the fixed header
415 * portion, the number of word parameters and the data portion of the message.
416 */
417unsigned int
418smb2_calc_size(void *buf, struct TCP_Server_Info *srvr)
419{
420	struct smb2_sync_pdu *pdu = (struct smb2_sync_pdu *)buf;
421	struct smb2_sync_hdr *shdr = &pdu->sync_hdr;
422	int offset; /* the offset from the beginning of SMB to data area */
423	int data_length; /* the length of the variable length data area */
424	/* Structure Size has already been checked to make sure it is 64 */
425	int len = le16_to_cpu(shdr->StructureSize);
426
427	/*
428	 * StructureSize2, ie length of fixed parameter area has already
429	 * been checked to make sure it is the correct length.
430	 */
431	len += le16_to_cpu(pdu->StructureSize2);
432
433	if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false)
434		goto calc_size_exit;
435
436	smb2_get_data_area_len(&offset, &data_length, shdr);
437	cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset);
438
439	if (data_length > 0) {
440		/*
441		 * Check to make sure that data area begins after fixed area,
442		 * Note that last byte of the fixed area is part of data area
443		 * for some commands, typically those with odd StructureSize,
444		 * so we must add one to the calculation.
445		 */
446		if (offset + 1 < len) {
447			cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n",
448				 offset + 1, len);
449			data_length = 0;
450		} else {
451			len = offset + data_length;
452		}
453	}
454calc_size_exit:
455	cifs_dbg(FYI, "SMB2 len %d\n", len);
456	return len;
457}
458
459/* Note: caller must free return buffer */
460__le16 *
461cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb)
462{
463	int len;
464	const char *start_of_path;
465	__le16 *to;
466	int map_type;
467
468	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SFM_CHR)
469		map_type = SFM_MAP_UNI_RSVD;
470	else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR)
471		map_type = SFU_MAP_UNI_RSVD;
472	else
473		map_type = NO_MAP_UNI_RSVD;
474
475	/* Windows doesn't allow paths beginning with \ */
476	if (from[0] == '\\')
477		start_of_path = from + 1;
478
479	/* SMB311 POSIX extensions paths do not include leading slash */
480	else if (cifs_sb_master_tlink(cifs_sb) &&
481		 cifs_sb_master_tcon(cifs_sb)->posix_extensions &&
482		 (from[0] == '/')) {
483		start_of_path = from + 1;
484	} else
485		start_of_path = from;
486
487	to = cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len,
488				   cifs_sb->local_nls, map_type);
489	return to;
490}
491
492__le32
493smb2_get_lease_state(struct cifsInodeInfo *cinode)
494{
495	__le32 lease = 0;
496
497	if (CIFS_CACHE_WRITE(cinode))
498		lease |= SMB2_LEASE_WRITE_CACHING;
499	if (CIFS_CACHE_HANDLE(cinode))
500		lease |= SMB2_LEASE_HANDLE_CACHING;
501	if (CIFS_CACHE_READ(cinode))
502		lease |= SMB2_LEASE_READ_CACHING;
503	return lease;
504}
505
506struct smb2_lease_break_work {
507	struct work_struct lease_break;
508	struct tcon_link *tlink;
509	__u8 lease_key[16];
510	__le32 lease_state;
511};
512
513static void
514cifs_ses_oplock_break(struct work_struct *work)
515{
516	struct smb2_lease_break_work *lw = container_of(work,
517				struct smb2_lease_break_work, lease_break);
518	int rc = 0;
519
520	rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key,
521			      lw->lease_state);
522
523	cifs_dbg(FYI, "Lease release rc %d\n", rc);
524	cifs_put_tlink(lw->tlink);
525	kfree(lw);
526}
527
528static void
529smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key,
530			      __le32 new_lease_state)
531{
532	struct smb2_lease_break_work *lw;
533
534	lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
535	if (!lw) {
536		cifs_put_tlink(tlink);
537		return;
538	}
539
540	INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
541	lw->tlink = tlink;
542	lw->lease_state = new_lease_state;
543	memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE);
544	queue_work(cifsiod_wq, &lw->lease_break);
545}
546
547static bool
548smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
549{
550	__u8 lease_state;
551	struct list_head *tmp;
552	struct cifsFileInfo *cfile;
553	struct cifsInodeInfo *cinode;
554	int ack_req = le32_to_cpu(rsp->Flags &
555				  SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
556
557	lease_state = le32_to_cpu(rsp->NewLeaseState);
558
559	list_for_each(tmp, &tcon->openFileList) {
560		cfile = list_entry(tmp, struct cifsFileInfo, tlist);
561		cinode = CIFS_I(d_inode(cfile->dentry));
562
563		if (memcmp(cinode->lease_key, rsp->LeaseKey,
564							SMB2_LEASE_KEY_SIZE))
565			continue;
566
567		cifs_dbg(FYI, "found in the open list\n");
568		cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
569			 lease_state);
570
571		if (ack_req)
572			cfile->oplock_break_cancelled = false;
573		else
574			cfile->oplock_break_cancelled = true;
575
576		set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
577
578		cfile->oplock_epoch = le16_to_cpu(rsp->Epoch);
579		cfile->oplock_level = lease_state;
580
581		cifs_queue_oplock_break(cfile);
582		return true;
583	}
584
585	return false;
586}
587
588static struct cifs_pending_open *
589smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon,
590				  struct smb2_lease_break *rsp)
591{
592	__u8 lease_state = le32_to_cpu(rsp->NewLeaseState);
593	int ack_req = le32_to_cpu(rsp->Flags &
594				  SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
595	struct cifs_pending_open *open;
596	struct cifs_pending_open *found = NULL;
597
598	list_for_each_entry(open, &tcon->pending_opens, olist) {
599		if (memcmp(open->lease_key, rsp->LeaseKey,
600			   SMB2_LEASE_KEY_SIZE))
601			continue;
602
603		if (!found && ack_req) {
604			found = open;
605		}
606
607		cifs_dbg(FYI, "found in the pending open list\n");
608		cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
609			 lease_state);
610
611		open->oplock = lease_state;
612	}
613
614	return found;
615}
616
617static bool
618smb2_is_valid_lease_break(char *buffer)
619{
620	struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer;
621	struct list_head *tmp, *tmp1, *tmp2;
622	struct TCP_Server_Info *server;
623	struct cifs_ses *ses;
624	struct cifs_tcon *tcon;
625	struct cifs_pending_open *open;
626
627	cifs_dbg(FYI, "Checking for lease break\n");
628
629	/* look up tcon based on tid & uid */
630	spin_lock(&cifs_tcp_ses_lock);
631	list_for_each(tmp, &cifs_tcp_ses_list) {
632		server = list_entry(tmp, struct TCP_Server_Info, tcp_ses_list);
633
634		list_for_each(tmp1, &server->smb_ses_list) {
635			ses = list_entry(tmp1, struct cifs_ses, smb_ses_list);
636
637			list_for_each(tmp2, &ses->tcon_list) {
638				tcon = list_entry(tmp2, struct cifs_tcon,
639						  tcon_list);
640				spin_lock(&tcon->open_file_lock);
641				cifs_stats_inc(
642				    &tcon->stats.cifs_stats.num_oplock_brks);
643				if (smb2_tcon_has_lease(tcon, rsp)) {
644					spin_unlock(&tcon->open_file_lock);
645					spin_unlock(&cifs_tcp_ses_lock);
646					return true;
647				}
648				open = smb2_tcon_find_pending_open_lease(tcon,
649									 rsp);
650				if (open) {
651					__u8 lease_key[SMB2_LEASE_KEY_SIZE];
652					struct tcon_link *tlink;
653
654					tlink = cifs_get_tlink(open->tlink);
655					memcpy(lease_key, open->lease_key,
656					       SMB2_LEASE_KEY_SIZE);
657					spin_unlock(&tcon->open_file_lock);
658					spin_unlock(&cifs_tcp_ses_lock);
659					smb2_queue_pending_open_break(tlink,
660								      lease_key,
661								      rsp->NewLeaseState);
662					return true;
663				}
664				spin_unlock(&tcon->open_file_lock);
665
666				if (tcon->crfid.is_valid &&
667				    !memcmp(rsp->LeaseKey,
668					    tcon->crfid.fid->lease_key,
669					    SMB2_LEASE_KEY_SIZE)) {
670					INIT_WORK(&tcon->crfid.lease_break,
671						  smb2_cached_lease_break);
672					queue_work(cifsiod_wq,
673						   &tcon->crfid.lease_break);
674					spin_unlock(&cifs_tcp_ses_lock);
675					return true;
676				}
677			}
678		}
679	}
680	spin_unlock(&cifs_tcp_ses_lock);
681	cifs_dbg(FYI, "Can not process lease break - no lease matched\n");
682	return false;
683}
684
685bool
686smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
687{
688	struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer;
689	struct list_head *tmp, *tmp1, *tmp2;
690	struct cifs_ses *ses;
691	struct cifs_tcon *tcon;
692	struct cifsInodeInfo *cinode;
693	struct cifsFileInfo *cfile;
694
695	cifs_dbg(FYI, "Checking for oplock break\n");
696
697	if (rsp->sync_hdr.Command != SMB2_OPLOCK_BREAK)
698		return false;
699
700	if (rsp->StructureSize !=
701				smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) {
702		if (le16_to_cpu(rsp->StructureSize) == 44)
703			return smb2_is_valid_lease_break(buffer);
704		else
705			return false;
706	}
707
708	cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel);
709
710	/* look up tcon based on tid & uid */
711	spin_lock(&cifs_tcp_ses_lock);
712	list_for_each(tmp, &server->smb_ses_list) {
713		ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
714
715		list_for_each(tmp1, &ses->tcon_list) {
716			tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
717
718			spin_lock(&tcon->open_file_lock);
719			list_for_each(tmp2, &tcon->openFileList) {
720				cfile = list_entry(tmp2, struct cifsFileInfo,
721						     tlist);
722				if (rsp->PersistentFid !=
723				    cfile->fid.persistent_fid ||
724				    rsp->VolatileFid !=
725				    cfile->fid.volatile_fid)
726					continue;
727
728				cifs_dbg(FYI, "file id match, oplock break\n");
729				cifs_stats_inc(
730				    &tcon->stats.cifs_stats.num_oplock_brks);
731				cinode = CIFS_I(d_inode(cfile->dentry));
732				spin_lock(&cfile->file_info_lock);
733				if (!CIFS_CACHE_WRITE(cinode) &&
734				    rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE)
735					cfile->oplock_break_cancelled = true;
736				else
737					cfile->oplock_break_cancelled = false;
738
739				set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
740					&cinode->flags);
741
742				cfile->oplock_epoch = 0;
743				cfile->oplock_level = rsp->OplockLevel;
744
745				spin_unlock(&cfile->file_info_lock);
746
747				cifs_queue_oplock_break(cfile);
748
749				spin_unlock(&tcon->open_file_lock);
750				spin_unlock(&cifs_tcp_ses_lock);
751				return true;
752			}
753			spin_unlock(&tcon->open_file_lock);
754		}
755	}
756	spin_unlock(&cifs_tcp_ses_lock);
757	cifs_dbg(FYI, "Can not process oplock break for non-existent connection\n");
758	return false;
759}
760
761void
762smb2_cancelled_close_fid(struct work_struct *work)
763{
764	struct close_cancelled_open *cancelled = container_of(work,
765					struct close_cancelled_open, work);
766	struct cifs_tcon *tcon = cancelled->tcon;
767	int rc;
768
769	if (cancelled->mid)
770		cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llx\n",
771			      cancelled->mid);
772	else
773		cifs_tcon_dbg(VFS, "Close interrupted close\n");
774
775	rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid,
776			cancelled->fid.volatile_fid);
777	if (rc)
778		cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc);
779
780	cifs_put_tcon(tcon);
781	kfree(cancelled);
782}
783
784/*
785 * Caller should already has an extra reference to @tcon
786 * This function is used to queue work to close a handle to prevent leaks
787 * on the server.
788 * We handle two cases. If an open was interrupted after we sent the
789 * SMB2_CREATE to the server but before we processed the reply, and second
790 * if a close was interrupted before we sent the SMB2_CLOSE to the server.
791 */
792static int
793__smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid,
794			    __u64 persistent_fid, __u64 volatile_fid)
795{
796	struct close_cancelled_open *cancelled;
797
798	cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC);
799	if (!cancelled)
800		return -ENOMEM;
801
802	cancelled->fid.persistent_fid = persistent_fid;
803	cancelled->fid.volatile_fid = volatile_fid;
804	cancelled->tcon = tcon;
805	cancelled->cmd = cmd;
806	cancelled->mid = mid;
807	INIT_WORK(&cancelled->work, smb2_cancelled_close_fid);
808	WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false);
809
810	return 0;
811}
812
813int
814smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid,
815			    __u64 volatile_fid)
816{
817	int rc;
818
819	cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count);
820	spin_lock(&cifs_tcp_ses_lock);
821	if (tcon->tc_count <= 0) {
822		struct TCP_Server_Info *server = NULL;
823
824		WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
825		spin_unlock(&cifs_tcp_ses_lock);
826
827		if (tcon->ses)
828			server = tcon->ses->server;
829
830		cifs_server_dbg(FYI, "tid=%u: tcon is closing, skipping async close retry of fid %llu %llu\n",
831				tcon->tid, persistent_fid, volatile_fid);
832
833		return 0;
834	}
835	tcon->tc_count++;
836	spin_unlock(&cifs_tcp_ses_lock);
837
838	rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0,
839					 persistent_fid, volatile_fid);
840	if (rc)
841		cifs_put_tcon(tcon);
842
843	return rc;
844}
845
846int
847smb2_handle_cancelled_mid(char *buffer, struct TCP_Server_Info *server)
848{
849	struct smb2_sync_hdr *sync_hdr = (struct smb2_sync_hdr *)buffer;
850	struct smb2_create_rsp *rsp = (struct smb2_create_rsp *)buffer;
851	struct cifs_tcon *tcon;
852	int rc;
853
854	if (sync_hdr->Command != SMB2_CREATE ||
855	    sync_hdr->Status != STATUS_SUCCESS)
856		return 0;
857
858	tcon = smb2_find_smb_tcon(server, sync_hdr->SessionId,
859				  sync_hdr->TreeId);
860	if (!tcon)
861		return -ENOENT;
862
863	rc = __smb2_handle_cancelled_cmd(tcon,
864					 le16_to_cpu(sync_hdr->Command),
865					 le64_to_cpu(sync_hdr->MessageId),
866					 rsp->PersistentFileId,
867					 rsp->VolatileFileId);
868	if (rc)
869		cifs_put_tcon(tcon);
870
871	return rc;
872}
873
874/**
875 * smb311_update_preauth_hash - update @ses hash with the packet data in @iov
876 *
877 * Assumes @iov does not contain the rfc1002 length and iov[0] has the
878 * SMB2 header.
879 *
880 * @ses:	server session structure
881 * @iov:	array containing the SMB request we will send to the server
882 * @nvec:	number of array entries for the iov
883 */
884int
885smb311_update_preauth_hash(struct cifs_ses *ses, struct kvec *iov, int nvec)
886{
887	int i, rc;
888	struct sdesc *d;
889	struct smb2_sync_hdr *hdr;
890	struct TCP_Server_Info *server = cifs_ses_server(ses);
891
892	hdr = (struct smb2_sync_hdr *)iov[0].iov_base;
893	/* neg prot are always taken */
894	if (hdr->Command == SMB2_NEGOTIATE)
895		goto ok;
896
897	/*
898	 * If we process a command which wasn't a negprot it means the
899	 * neg prot was already done, so the server dialect was set
900	 * and we can test it. Preauth requires 3.1.1 for now.
901	 */
902	if (server->dialect != SMB311_PROT_ID)
903		return 0;
904
905	if (hdr->Command != SMB2_SESSION_SETUP)
906		return 0;
907
908	/* skip last sess setup response */
909	if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
910	    && (hdr->Status == NT_STATUS_OK
911		|| (hdr->Status !=
912		    cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))))
913		return 0;
914
915ok:
916	rc = smb311_crypto_shash_allocate(server);
917	if (rc)
918		return rc;
919
920	d = server->secmech.sdescsha512;
921	rc = crypto_shash_init(&d->shash);
922	if (rc) {
923		cifs_dbg(VFS, "%s: Could not init sha512 shash\n", __func__);
924		return rc;
925	}
926
927	rc = crypto_shash_update(&d->shash, ses->preauth_sha_hash,
928				 SMB2_PREAUTH_HASH_SIZE);
929	if (rc) {
930		cifs_dbg(VFS, "%s: Could not update sha512 shash\n", __func__);
931		return rc;
932	}
933
934	for (i = 0; i < nvec; i++) {
935		rc = crypto_shash_update(&d->shash,
936					 iov[i].iov_base, iov[i].iov_len);
937		if (rc) {
938			cifs_dbg(VFS, "%s: Could not update sha512 shash\n",
939				 __func__);
940			return rc;
941		}
942	}
943
944	rc = crypto_shash_final(&d->shash, ses->preauth_sha_hash);
945	if (rc) {
946		cifs_dbg(VFS, "%s: Could not finalize sha512 shash\n",
947			 __func__);
948		return rc;
949	}
950
951	return 0;
952}