fs/cifs/smb2misc.c

0001 // SPDX-License-Identifier: LGPL-2.1
0002 /*
0003  *
0004  *   Copyright (C) International Business Machines  Corp., 2002,2011
0005  *                 Etersoft, 2012
0006  *   Author(s): Steve French (sfrench@us.ibm.com)
0007  *              Pavel Shilovsky (pshilovsky@samba.org) 2012
0008  *
0009  */
0010 #include <linux/ctype.h>
0011 #include "cifsglob.h"
0012 #include "cifsproto.h"
0013 #include "smb2proto.h"
0014 #include "cifs_debug.h"
0015 #include "cifs_unicode.h"
0016 #include "smb2status.h"
0017 #include "smb2glob.h"
0018 #include "nterr.h"
0019 #include "cached_dir.h"
0020
0021 static int
0022 check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid)
0023 {
0024     __u64 wire_mid = le64_to_cpu(shdr->MessageId);
0025
0026     /*
0027      * Make sure that this really is an SMB, that it is a response,
0028      * and that the message ids match.
0029      */
0030     if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) &&
0031         (mid == wire_mid)) {
0032         if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
0033             return 0;
0034         else {
0035             /* only one valid case where server sends us request */
0036             if (shdr->Command == SMB2_OPLOCK_BREAK)
0037                 return 0;
0038             else
0039                 cifs_dbg(VFS, "Received Request not response\n");
0040         }
0041     } else { /* bad signature or mid */
0042         if (shdr->ProtocolId != SMB2_PROTO_NUMBER)
0043             cifs_dbg(VFS, "Bad protocol string signature header %x\n",
0044                  le32_to_cpu(shdr->ProtocolId));
0045         if (mid != wire_mid)
0046             cifs_dbg(VFS, "Mids do not match: %llu and %llu\n",
0047                  mid, wire_mid);
0048     }
0049     cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid);
0050     return 1;
0051 }
0052
0053 /*
0054  *  The following table defines the expected "StructureSize" of SMB2 responses
0055  *  in order by SMB2 command.  This is similar to "wct" in SMB/CIFS responses.
0056  *
0057  *  Note that commands are defined in smb2pdu.h in le16 but the array below is
0058  *  indexed by command in host byte order
0059  */
0060 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
0061     /* SMB2_NEGOTIATE */ cpu_to_le16(65),
0062     /* SMB2_SESSION_SETUP */ cpu_to_le16(9),
0063     /* SMB2_LOGOFF */ cpu_to_le16(4),
0064     /* SMB2_TREE_CONNECT */ cpu_to_le16(16),
0065     /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4),
0066     /* SMB2_CREATE */ cpu_to_le16(89),
0067     /* SMB2_CLOSE */ cpu_to_le16(60),
0068     /* SMB2_FLUSH */ cpu_to_le16(4),
0069     /* SMB2_READ */ cpu_to_le16(17),
0070     /* SMB2_WRITE */ cpu_to_le16(17),
0071     /* SMB2_LOCK */ cpu_to_le16(4),
0072     /* SMB2_IOCTL */ cpu_to_le16(49),
0073     /* BB CHECK this ... not listed in documentation */
0074     /* SMB2_CANCEL */ cpu_to_le16(0),
0075     /* SMB2_ECHO */ cpu_to_le16(4),
0076     /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9),
0077     /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9),
0078     /* SMB2_QUERY_INFO */ cpu_to_le16(9),
0079     /* SMB2_SET_INFO */ cpu_to_le16(2),
0080     /* BB FIXME can also be 44 for lease break */
0081     /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24)
0082 };
0083
0084 #define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_hdr) + sizeof(struct smb2_negotiate_rsp))
0085
0086 static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len,
0087                   __u32 non_ctxlen)
0088 {
0089     __u16 neg_count;
0090     __u32 nc_offset, size_of_pad_before_neg_ctxts;
0091     struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr;
0092
0093     /* Negotiate contexts are only valid for latest dialect SMB3.11 */
0094     neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount);
0095     if ((neg_count == 0) ||
0096        (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID)))
0097         return 0;
0098
0099     /*
0100      * if SPNEGO blob present (ie the RFC2478 GSS info which indicates
0101      * which security mechanisms the server supports) make sure that
0102      * the negotiate contexts start after it
0103      */
0104     nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset);
0105     /*
0106      * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2
0107      * and the latter is 1 byte bigger than the fix-sized area of the
0108      * NEGOTIATE response
0109      */
0110     if (nc_offset + 1 < non_ctxlen) {
0111         pr_warn_once("Invalid negotiate context offset %d\n", nc_offset);
0112         return 0;
0113     } else if (nc_offset + 1 == non_ctxlen) {
0114         cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n");
0115         size_of_pad_before_neg_ctxts = 0;
0116     } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE)
0117         /* has padding, but no SPNEGO blob */
0118         size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1;
0119     else
0120         size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen;
0121
0122     /* Verify that at least minimal negotiate contexts fit within frame */
0123     if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) {
0124         pr_warn_once("negotiate context goes beyond end\n");
0125         return 0;
0126     }
0127
0128     cifs_dbg(FYI, "length of negcontexts %d pad %d\n",
0129         len - nc_offset, size_of_pad_before_neg_ctxts);
0130
0131     /* length of negcontexts including pad from end of sec blob to them */
0132     return (len - nc_offset) + size_of_pad_before_neg_ctxts;
0133 }
0134
0135 int
0136 smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server)
0137 {
0138     struct smb2_hdr *shdr = (struct smb2_hdr *)buf;
0139     struct smb2_pdu *pdu = (struct smb2_pdu *)shdr;
0140     int hdr_size = sizeof(struct smb2_hdr);
0141     int pdu_size = sizeof(struct smb2_pdu);
0142     int command;
0143     __u32 calc_len; /* calculated length */
0144     __u64 mid;
0145
0146     /*
0147      * Add function to do table lookup of StructureSize by command
0148      * ie Validate the wct via smb2_struct_sizes table above
0149      */
0150     if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) {
0151         struct smb2_transform_hdr *thdr =
0152             (struct smb2_transform_hdr *)buf;
0153         struct cifs_ses *ses = NULL;
0154         struct cifs_ses *iter;
0155
0156         /* decrypt frame now that it is completely read in */
0157         spin_lock(&cifs_tcp_ses_lock);
0158         list_for_each_entry(iter, &server->smb_ses_list, smb_ses_list) {
0159             if (iter->Suid == le64_to_cpu(thdr->SessionId)) {
0160                 ses = iter;
0161                 break;
0162             }
0163         }
0164         spin_unlock(&cifs_tcp_ses_lock);
0165         if (!ses) {
0166             cifs_dbg(VFS, "no decryption - session id not found\n");
0167             return 1;
0168         }
0169     }
0170
0171     mid = le64_to_cpu(shdr->MessageId);
0172     if (len < pdu_size) {
0173         if ((len >= hdr_size)
0174             && (shdr->Status != 0)) {
0175             pdu->StructureSize2 = 0;
0176             /*
0177              * As with SMB/CIFS, on some error cases servers may
0178              * not return wct properly
0179              */
0180             return 0;
0181         } else {
0182             cifs_dbg(VFS, "Length less than SMB header size\n");
0183         }
0184         return 1;
0185     }
0186     if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) {
0187         cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n",
0188              mid);
0189         return 1;
0190     }
0191
0192     if (check_smb2_hdr(shdr, mid))
0193         return 1;
0194
0195     if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
0196         cifs_dbg(VFS, "Invalid structure size %u\n",
0197              le16_to_cpu(shdr->StructureSize));
0198         return 1;
0199     }
0200
0201     command = le16_to_cpu(shdr->Command);
0202     if (command >= NUMBER_OF_SMB2_COMMANDS) {
0203         cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
0204         return 1;
0205     }
0206
0207     if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) {
0208         if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 ||
0209             pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
0210             /* error packets have 9 byte structure size */
0211             cifs_dbg(VFS, "Invalid response size %u for command %d\n",
0212                  le16_to_cpu(pdu->StructureSize2), command);
0213             return 1;
0214         } else if (command == SMB2_OPLOCK_BREAK_HE
0215                && (shdr->Status == 0)
0216                && (le16_to_cpu(pdu->StructureSize2) != 44)
0217                && (le16_to_cpu(pdu->StructureSize2) != 36)) {
0218             /* special case for SMB2.1 lease break message */
0219             cifs_dbg(VFS, "Invalid response size %d for oplock break\n",
0220                  le16_to_cpu(pdu->StructureSize2));
0221             return 1;
0222         }
0223     }
0224
0225     calc_len = smb2_calc_size(buf);
0226
0227     /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might
0228      * be 0, and not a real miscalculation */
0229     if (command == SMB2_IOCTL_HE && calc_len == 0)
0230         return 0;
0231
0232     if (command == SMB2_NEGOTIATE_HE)
0233         calc_len += get_neg_ctxt_len(shdr, len, calc_len);
0234
0235     if (len != calc_len) {
0236         /* create failed on symlink */
0237         if (command == SMB2_CREATE_HE &&
0238             shdr->Status == STATUS_STOPPED_ON_SYMLINK)
0239             return 0;
0240         /* Windows 7 server returns 24 bytes more */
0241         if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
0242             return 0;
0243         /* server can return one byte more due to implied bcc[0] */
0244         if (calc_len == len + 1)
0245             return 0;
0246
0247         /*
0248          * Some windows servers (win2016) will pad also the final
0249          * PDU in a compound to 8 bytes.
0250          */
0251         if (((calc_len + 7) & ~7) == len)
0252             return 0;
0253
0254         /*
0255          * MacOS server pads after SMB2.1 write response with 3 bytes
0256          * of junk. Other servers match RFC1001 len to actual
0257          * SMB2/SMB3 frame length (header + smb2 response specific data)
0258          * Some windows servers also pad up to 8 bytes when compounding.
0259          */
0260         if (calc_len < len)
0261             return 0;
0262
0263         /* Only log a message if len was really miscalculated */
0264         if (unlikely(cifsFYI))
0265             cifs_dbg(FYI, "Server response too short: calculated "
0266                  "length %u doesn't match read length %u (cmd=%d, mid=%llu)\n",
0267                  calc_len, len, command, mid);
0268         else
0269             pr_warn("Server response too short: calculated length "
0270                 "%u doesn't match read length %u (cmd=%d, mid=%llu)\n",
0271                 calc_len, len, command, mid);
0272
0273         return 1;
0274     }
0275     return 0;
0276 }
0277
0278 /*
0279  * The size of the variable area depends on the offset and length fields
0280  * located in different fields for various SMB2 responses. SMB2 responses
0281  * with no variable length info, show an offset of zero for the offset field.
0282  */
0283 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
0284     /* SMB2_NEGOTIATE */ true,
0285     /* SMB2_SESSION_SETUP */ true,
0286     /* SMB2_LOGOFF */ false,
0287     /* SMB2_TREE_CONNECT */ false,
0288     /* SMB2_TREE_DISCONNECT */ false,
0289     /* SMB2_CREATE */ true,
0290     /* SMB2_CLOSE */ false,
0291     /* SMB2_FLUSH */ false,
0292     /* SMB2_READ */ true,
0293     /* SMB2_WRITE */ false,
0294     /* SMB2_LOCK */ false,
0295     /* SMB2_IOCTL */ true,
0296     /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */
0297     /* SMB2_ECHO */ false,
0298     /* SMB2_QUERY_DIRECTORY */ true,
0299     /* SMB2_CHANGE_NOTIFY */ true,
0300     /* SMB2_QUERY_INFO */ true,
0301     /* SMB2_SET_INFO */ false,
0302     /* SMB2_OPLOCK_BREAK */ false
0303 };
0304
0305 /*
0306  * Returns the pointer to the beginning of the data area. Length of the data
0307  * area and the offset to it (from the beginning of the smb are also returned.
0308  */
0309 char *
0310 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr)
0311 {
0312     *off = 0;
0313     *len = 0;
0314
0315     /* error responses do not have data area */
0316     if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
0317         (((struct smb2_err_rsp *)shdr)->StructureSize) ==
0318                         SMB2_ERROR_STRUCTURE_SIZE2_LE)
0319         return NULL;
0320
0321     /*
0322      * Following commands have data areas so we have to get the location
0323      * of the data buffer offset and data buffer length for the particular
0324      * command.
0325      */
0326     switch (shdr->Command) {
0327     case SMB2_NEGOTIATE:
0328         *off = le16_to_cpu(
0329           ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset);
0330         *len = le16_to_cpu(
0331           ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength);
0332         break;
0333     case SMB2_SESSION_SETUP:
0334         *off = le16_to_cpu(
0335           ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset);
0336         *len = le16_to_cpu(
0337           ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength);
0338         break;
0339     case SMB2_CREATE:
0340         *off = le32_to_cpu(
0341             ((struct smb2_create_rsp *)shdr)->CreateContextsOffset);
0342         *len = le32_to_cpu(
0343             ((struct smb2_create_rsp *)shdr)->CreateContextsLength);
0344         break;
0345     case SMB2_QUERY_INFO:
0346         *off = le16_to_cpu(
0347             ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset);
0348         *len = le32_to_cpu(
0349             ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength);
0350         break;
0351     case SMB2_READ:
0352         /* TODO: is this a bug ? */
0353         *off = ((struct smb2_read_rsp *)shdr)->DataOffset;
0354         *len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength);
0355         break;
0356     case SMB2_QUERY_DIRECTORY:
0357         *off = le16_to_cpu(
0358           ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset);
0359         *len = le32_to_cpu(
0360           ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength);
0361         break;
0362     case SMB2_IOCTL:
0363         *off = le32_to_cpu(
0364           ((struct smb2_ioctl_rsp *)shdr)->OutputOffset);
0365         *len = le32_to_cpu(
0366           ((struct smb2_ioctl_rsp *)shdr)->OutputCount);
0367         break;
0368     case SMB2_CHANGE_NOTIFY:
0369         *off = le16_to_cpu(
0370           ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset);
0371         *len = le32_to_cpu(
0372           ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength);
0373         break;
0374     default:
0375         cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command));
0376         break;
0377     }
0378
0379     /*
0380      * Invalid length or offset probably means data area is invalid, but
0381      * we have little choice but to ignore the data area in this case.
0382      */
0383     if (*off > 4096) {
0384         cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
0385         *len = 0;
0386         *off = 0;
0387     } else if (*off < 0) {
0388         cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
0389              *off);
0390         *off = 0;
0391         *len = 0;
0392     } else if (*len < 0) {
0393         cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
0394              *len);
0395         *len = 0;
0396     } else if (*len > 128 * 1024) {
0397         cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
0398         *len = 0;
0399     }
0400
0401     /* return pointer to beginning of data area, ie offset from SMB start */
0402     if ((*off != 0) && (*len != 0))
0403         return (char *)shdr + *off;
0404     else
0405         return NULL;
0406 }
0407
0408 /*
0409  * Calculate the size of the SMB message based on the fixed header
0410  * portion, the number of word parameters and the data portion of the message.
0411  */
0412 unsigned int
0413 smb2_calc_size(void *buf)
0414 {
0415     struct smb2_pdu *pdu = buf;
0416     struct smb2_hdr *shdr = &pdu->hdr;
0417     int offset; /* the offset from the beginning of SMB to data area */
0418     int data_length; /* the length of the variable length data area */
0419     /* Structure Size has already been checked to make sure it is 64 */
0420     int len = le16_to_cpu(shdr->StructureSize);
0421
0422     /*
0423      * StructureSize2, ie length of fixed parameter area has already
0424      * been checked to make sure it is the correct length.
0425      */
0426     len += le16_to_cpu(pdu->StructureSize2);
0427
0428     if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false)
0429         goto calc_size_exit;
0430
0431     smb2_get_data_area_len(&offset, &data_length, shdr);
0432     cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset);
0433
0434     if (data_length > 0) {
0435         /*
0436          * Check to make sure that data area begins after fixed area,
0437          * Note that last byte of the fixed area is part of data area
0438          * for some commands, typically those with odd StructureSize,
0439          * so we must add one to the calculation.
0440          */
0441         if (offset + 1 < len) {
0442             cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n",
0443                  offset + 1, len);
0444             data_length = 0;
0445         } else {
0446             len = offset + data_length;
0447         }
0448     }
0449 calc_size_exit:
0450     cifs_dbg(FYI, "SMB2 len %d\n", len);
0451     return len;
0452 }
0453
0454 /* Note: caller must free return buffer */
0455 __le16 *
0456 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb)
0457 {
0458     int len;
0459     const char *start_of_path;
0460     __le16 *to;
0461     int map_type;
0462
0463     if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SFM_CHR)
0464         map_type = SFM_MAP_UNI_RSVD;
0465     else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR)
0466         map_type = SFU_MAP_UNI_RSVD;
0467     else
0468         map_type = NO_MAP_UNI_RSVD;
0469
0470     /* Windows doesn't allow paths beginning with \ */
0471     if (from[0] == '\\')
0472         start_of_path = from + 1;
0473
0474     /* SMB311 POSIX extensions paths do not include leading slash */
0475     else if (cifs_sb_master_tlink(cifs_sb) &&
0476          cifs_sb_master_tcon(cifs_sb)->posix_extensions &&
0477          (from[0] == '/')) {
0478         start_of_path = from + 1;
0479     } else
0480         start_of_path = from;
0481
0482     to = cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len,
0483                    cifs_sb->local_nls, map_type);
0484     return to;
0485 }
0486
0487 __le32
0488 smb2_get_lease_state(struct cifsInodeInfo *cinode)
0489 {
0490     __le32 lease = 0;
0491
0492     if (CIFS_CACHE_WRITE(cinode))
0493         lease |= SMB2_LEASE_WRITE_CACHING_LE;
0494     if (CIFS_CACHE_HANDLE(cinode))
0495         lease |= SMB2_LEASE_HANDLE_CACHING_LE;
0496     if (CIFS_CACHE_READ(cinode))
0497         lease |= SMB2_LEASE_READ_CACHING_LE;
0498     return lease;
0499 }
0500
0501 struct smb2_lease_break_work {
0502     struct work_struct lease_break;
0503     struct tcon_link *tlink;
0504     __u8 lease_key[16];
0505     __le32 lease_state;
0506 };
0507
0508 static void
0509 cifs_ses_oplock_break(struct work_struct *work)
0510 {
0511     struct smb2_lease_break_work *lw = container_of(work,
0512                 struct smb2_lease_break_work, lease_break);
0513     int rc = 0;
0514
0515     rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key,
0516                   lw->lease_state);
0517
0518     cifs_dbg(FYI, "Lease release rc %d\n", rc);
0519     cifs_put_tlink(lw->tlink);
0520     kfree(lw);
0521 }
0522
0523 static void
0524 smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key,
0525                   __le32 new_lease_state)
0526 {
0527     struct smb2_lease_break_work *lw;
0528
0529     lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
0530     if (!lw) {
0531         cifs_put_tlink(tlink);
0532         return;
0533     }
0534
0535     INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
0536     lw->tlink = tlink;
0537     lw->lease_state = new_lease_state;
0538     memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE);
0539     queue_work(cifsiod_wq, &lw->lease_break);
0540 }
0541
0542 static bool
0543 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
0544 {
0545     __u8 lease_state;
0546     struct cifsFileInfo *cfile;
0547     struct cifsInodeInfo *cinode;
0548     int ack_req = le32_to_cpu(rsp->Flags &
0549                   SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
0550
0551     lease_state = le32_to_cpu(rsp->NewLeaseState);
0552
0553     list_for_each_entry(cfile, &tcon->openFileList, tlist) {
0554         cinode = CIFS_I(d_inode(cfile->dentry));
0555
0556         if (memcmp(cinode->lease_key, rsp->LeaseKey,
0557                             SMB2_LEASE_KEY_SIZE))
0558             continue;
0559
0560         cifs_dbg(FYI, "found in the open list\n");
0561         cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
0562              lease_state);
0563
0564         if (ack_req)
0565             cfile->oplock_break_cancelled = false;
0566         else
0567             cfile->oplock_break_cancelled = true;
0568
0569         set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
0570
0571         cfile->oplock_epoch = le16_to_cpu(rsp->Epoch);
0572         cfile->oplock_level = lease_state;
0573
0574         cifs_queue_oplock_break(cfile);
0575         return true;
0576     }
0577
0578     return false;
0579 }
0580
0581 static struct cifs_pending_open *
0582 smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon,
0583                   struct smb2_lease_break *rsp)
0584 {
0585     __u8 lease_state = le32_to_cpu(rsp->NewLeaseState);
0586     int ack_req = le32_to_cpu(rsp->Flags &
0587                   SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
0588     struct cifs_pending_open *open;
0589     struct cifs_pending_open *found = NULL;
0590
0591     list_for_each_entry(open, &tcon->pending_opens, olist) {
0592         if (memcmp(open->lease_key, rsp->LeaseKey,
0593                SMB2_LEASE_KEY_SIZE))
0594             continue;
0595
0596         if (!found && ack_req) {
0597             found = open;
0598         }
0599
0600         cifs_dbg(FYI, "found in the pending open list\n");
0601         cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
0602              lease_state);
0603
0604         open->oplock = lease_state;
0605     }
0606
0607     return found;
0608 }
0609
0610 static bool
0611 smb2_is_valid_lease_break(char *buffer)
0612 {
0613     struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer;
0614     struct TCP_Server_Info *server;
0615     struct cifs_ses *ses;
0616     struct cifs_tcon *tcon;
0617     struct cifs_pending_open *open;
0618
0619     cifs_dbg(FYI, "Checking for lease break\n");
0620
0621     /* look up tcon based on tid & uid */
0622     spin_lock(&cifs_tcp_ses_lock);
0623     list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
0624         list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
0625             list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
0626                 spin_lock(&tcon->open_file_lock);
0627                 cifs_stats_inc(
0628                     &tcon->stats.cifs_stats.num_oplock_brks);
0629                 if (smb2_tcon_has_lease(tcon, rsp)) {
0630                     spin_unlock(&tcon->open_file_lock);
0631                     spin_unlock(&cifs_tcp_ses_lock);
0632                     return true;
0633                 }
0634                 open = smb2_tcon_find_pending_open_lease(tcon,
0635                                      rsp);
0636                 if (open) {
0637                     __u8 lease_key[SMB2_LEASE_KEY_SIZE];
0638                     struct tcon_link *tlink;
0639
0640                     tlink = cifs_get_tlink(open->tlink);
0641                     memcpy(lease_key, open->lease_key,
0642                            SMB2_LEASE_KEY_SIZE);
0643                     spin_unlock(&tcon->open_file_lock);
0644                     spin_unlock(&cifs_tcp_ses_lock);
0645                     smb2_queue_pending_open_break(tlink,
0646                                       lease_key,
0647                                       rsp->NewLeaseState);
0648                     return true;
0649                 }
0650                 spin_unlock(&tcon->open_file_lock);
0651
0652                 if (cached_dir_lease_break(tcon, rsp->LeaseKey)) {
0653                     spin_unlock(&cifs_tcp_ses_lock);
0654                     return true;
0655                 }
0656             }
0657         }
0658     }
0659     spin_unlock(&cifs_tcp_ses_lock);
0660     cifs_dbg(FYI, "Can not process lease break - no lease matched\n");
0661     trace_smb3_lease_not_found(le32_to_cpu(rsp->CurrentLeaseState),
0662                    le32_to_cpu(rsp->hdr.Id.SyncId.TreeId),
0663                    le64_to_cpu(rsp->hdr.SessionId),
0664                    *((u64 *)rsp->LeaseKey),
0665                    *((u64 *)&rsp->LeaseKey[8]));
0666
0667     return false;
0668 }
0669
0670 bool
0671 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
0672 {
0673     struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer;
0674     struct cifs_ses *ses;
0675     struct cifs_tcon *tcon;
0676     struct cifsInodeInfo *cinode;
0677     struct cifsFileInfo *cfile;
0678
0679     cifs_dbg(FYI, "Checking for oplock break\n");
0680
0681     if (rsp->hdr.Command != SMB2_OPLOCK_BREAK)
0682         return false;
0683
0684     if (rsp->StructureSize !=
0685                 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) {
0686         if (le16_to_cpu(rsp->StructureSize) == 44)
0687             return smb2_is_valid_lease_break(buffer);
0688         else
0689             return false;
0690     }
0691
0692     cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel);
0693
0694     /* look up tcon based on tid & uid */
0695     spin_lock(&cifs_tcp_ses_lock);
0696     list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
0697         list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
0698
0699             spin_lock(&tcon->open_file_lock);
0700             list_for_each_entry(cfile, &tcon->openFileList, tlist) {
0701                 if (rsp->PersistentFid !=
0702                     cfile->fid.persistent_fid ||
0703                     rsp->VolatileFid !=
0704                     cfile->fid.volatile_fid)
0705                     continue;
0706
0707                 cifs_dbg(FYI, "file id match, oplock break\n");
0708                 cifs_stats_inc(
0709                     &tcon->stats.cifs_stats.num_oplock_brks);
0710                 cinode = CIFS_I(d_inode(cfile->dentry));
0711                 spin_lock(&cfile->file_info_lock);
0712                 if (!CIFS_CACHE_WRITE(cinode) &&
0713                     rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE)
0714                     cfile->oplock_break_cancelled = true;
0715                 else
0716                     cfile->oplock_break_cancelled = false;
0717
0718                 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
0719                     &cinode->flags);
0720
0721                 cfile->oplock_epoch = 0;
0722                 cfile->oplock_level = rsp->OplockLevel;
0723
0724                 spin_unlock(&cfile->file_info_lock);
0725
0726                 cifs_queue_oplock_break(cfile);
0727
0728                 spin_unlock(&tcon->open_file_lock);
0729                 spin_unlock(&cifs_tcp_ses_lock);
0730                 return true;
0731             }
0732             spin_unlock(&tcon->open_file_lock);
0733         }
0734     }
0735     spin_unlock(&cifs_tcp_ses_lock);
0736     cifs_dbg(FYI, "No file id matched, oplock break ignored\n");
0737     trace_smb3_oplock_not_found(0 /* no xid */, rsp->PersistentFid,
0738                   le32_to_cpu(rsp->hdr.Id.SyncId.TreeId),
0739                   le64_to_cpu(rsp->hdr.SessionId));
0740
0741     return true;
0742 }
0743
0744 void
0745 smb2_cancelled_close_fid(struct work_struct *work)
0746 {
0747     struct close_cancelled_open *cancelled = container_of(work,
0748                     struct close_cancelled_open, work);
0749     struct cifs_tcon *tcon = cancelled->tcon;
0750     int rc;
0751
0752     if (cancelled->mid)
0753         cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n",
0754                   cancelled->mid);
0755     else
0756         cifs_tcon_dbg(VFS, "Close interrupted close\n");
0757
0758     rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid,
0759             cancelled->fid.volatile_fid);
0760     if (rc)
0761         cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc);
0762
0763     cifs_put_tcon(tcon);
0764     kfree(cancelled);
0765 }
0766
0767 /*
0768  * Caller should already has an extra reference to @tcon
0769  * This function is used to queue work to close a handle to prevent leaks
0770  * on the server.
0771  * We handle two cases. If an open was interrupted after we sent the
0772  * SMB2_CREATE to the server but before we processed the reply, and second
0773  * if a close was interrupted before we sent the SMB2_CLOSE to the server.
0774  */
0775 static int
0776 __smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid,
0777                 __u64 persistent_fid, __u64 volatile_fid)
0778 {
0779     struct close_cancelled_open *cancelled;
0780
0781     cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC);
0782     if (!cancelled)
0783         return -ENOMEM;
0784
0785     cancelled->fid.persistent_fid = persistent_fid;
0786     cancelled->fid.volatile_fid = volatile_fid;
0787     cancelled->tcon = tcon;
0788     cancelled->cmd = cmd;
0789     cancelled->mid = mid;
0790     INIT_WORK(&cancelled->work, smb2_cancelled_close_fid);
0791     WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false);
0792
0793     return 0;
0794 }
0795
0796 int
0797 smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid,
0798                 __u64 volatile_fid)
0799 {
0800     int rc;
0801
0802     cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count);
0803     spin_lock(&cifs_tcp_ses_lock);
0804     if (tcon->tc_count <= 0) {
0805         struct TCP_Server_Info *server = NULL;
0806
0807         WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
0808         spin_unlock(&cifs_tcp_ses_lock);
0809
0810         if (tcon->ses)
0811             server = tcon->ses->server;
0812
0813         cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
0814                 tcon->tid, persistent_fid, volatile_fid);
0815
0816         return 0;
0817     }
0818     tcon->tc_count++;
0819     spin_unlock(&cifs_tcp_ses_lock);
0820
0821     rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0,
0822                      persistent_fid, volatile_fid);
0823     if (rc)
0824         cifs_put_tcon(tcon);
0825
0826     return rc;
0827 }
0828
0829 int
0830 smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server)
0831 {
0832     struct smb2_hdr *hdr = mid->resp_buf;
0833     struct smb2_create_rsp *rsp = mid->resp_buf;
0834     struct cifs_tcon *tcon;
0835     int rc;
0836
0837     if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || hdr->Command != SMB2_CREATE ||
0838         hdr->Status != STATUS_SUCCESS)
0839         return 0;
0840
0841     tcon = smb2_find_smb_tcon(server, le64_to_cpu(hdr->SessionId),
0842                   le32_to_cpu(hdr->Id.SyncId.TreeId));
0843     if (!tcon)
0844         return -ENOENT;
0845
0846     rc = __smb2_handle_cancelled_cmd(tcon,
0847                      le16_to_cpu(hdr->Command),
0848                      le64_to_cpu(hdr->MessageId),
0849                      rsp->PersistentFileId,
0850                      rsp->VolatileFileId);
0851     if (rc)
0852         cifs_put_tcon(tcon);
0853
0854     return rc;
0855 }
0856
0857 /**
0858  * smb311_update_preauth_hash - update @ses hash with the packet data in @iov
0859  *
0860  * Assumes @iov does not contain the rfc1002 length and iov[0] has the
0861  * SMB2 header.
0862  *
0863  * @ses:    server session structure
0864  * @server: pointer to server info
0865  * @iov:    array containing the SMB request we will send to the server
0866  * @nvec:   number of array entries for the iov
0867  */
0868 int
0869 smb311_update_preauth_hash(struct cifs_ses *ses, struct TCP_Server_Info *server,
0870                struct kvec *iov, int nvec)
0871 {
0872     int i, rc;
0873     struct sdesc *d;
0874     struct smb2_hdr *hdr;
0875
0876     hdr = (struct smb2_hdr *)iov[0].iov_base;
0877     /* neg prot are always taken */
0878     if (hdr->Command == SMB2_NEGOTIATE)
0879         goto ok;
0880
0881     /*
0882      * If we process a command which wasn't a negprot it means the
0883      * neg prot was already done, so the server dialect was set
0884      * and we can test it. Preauth requires 3.1.1 for now.
0885      */
0886     if (server->dialect != SMB311_PROT_ID)
0887         return 0;
0888
0889     if (hdr->Command != SMB2_SESSION_SETUP)
0890         return 0;
0891
0892     /* skip last sess setup response */
0893     if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
0894         && (hdr->Status == NT_STATUS_OK
0895         || (hdr->Status !=
0896             cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))))
0897         return 0;
0898
0899 ok:
0900     rc = smb311_crypto_shash_allocate(server);
0901     if (rc)
0902         return rc;
0903
0904     d = server->secmech.sdescsha512;
0905     rc = crypto_shash_init(&d->shash);
0906     if (rc) {
0907         cifs_dbg(VFS, "%s: Could not init sha512 shash\n", __func__);
0908         return rc;
0909     }
0910
0911     rc = crypto_shash_update(&d->shash, ses->preauth_sha_hash,
0912                  SMB2_PREAUTH_HASH_SIZE);
0913     if (rc) {
0914         cifs_dbg(VFS, "%s: Could not update sha512 shash\n", __func__);
0915         return rc;
0916     }
0917
0918     for (i = 0; i < nvec; i++) {
0919         rc = crypto_shash_update(&d->shash,
0920                      iov[i].iov_base, iov[i].iov_len);
0921         if (rc) {
0922             cifs_dbg(VFS, "%s: Could not update sha512 shash\n",
0923                  __func__);
0924             return rc;
0925         }
0926     }
0927
0928     rc = crypto_shash_final(&d->shash, ses->preauth_sha_hash);
0929     if (rc) {
0930         cifs_dbg(VFS, "%s: Could not finalize sha512 shash\n",
0931              __func__);
0932         return rc;
0933     }
0934
0935     return 0;
0936 }