authorLinus Torvalds <torvalds@linux-foundation.org>2014-02-17 16:50:11 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2014-02-17 16:50:11 -0500
commit351a7934c0e788262f83380188f18e575f6bc63f (patch)
treee9edae6b05459ce1aa4f045be5eb53f705d026ae
parent7026f1929e18921fd67bf478f475a8fdfdff16ae (diff)
parent2365c4eaf077c48574ab6f143960048fc0f31518 (diff)
Merge branch 'for-linus' of git://git.samba.org/sfrench/cifs-2.6
Pull CIFS fixes from Steve French: "Three cifs fixes, the most important fixing the problem with passing bogus pointers with writev (CVE-2014-0069). Two additional cifs fixes are still in review (including the fix for an append problem which Al also discovered)" * 'for-linus' of git://git.samba.org/sfrench/cifs-2.6: CIFS: Fix too big maxBuf size for SMB3 mounts cifs: ensure that uncached writes handle unmapped areas correctly [CIFS] Fix cifsacl mounts over smb2 to not call cifs
-rw-r--r--fs/cifs/cifsacl.c33
-rw-r--r--fs/cifs/cifsglob.h2
-rw-r--r--fs/cifs/cifsproto.h6
-rw-r--r--fs/cifs/dir.c2
-rw-r--r--fs/cifs/file.c39
-rw-r--r--fs/cifs/inode.c2
-rw-r--r--fs/cifs/smb1ops.c1
-rw-r--r--fs/cifs/smb2glob.h3
-rw-r--r--fs/cifs/smb2ops.c14
-rw-r--r--fs/cifs/smb2pdu.c4
10 files changed, 78 insertions, 28 deletions
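--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -865,8 +865,8 @@ static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
 	return rc;
 }
 
-static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
-		__u16 fid, u32 *pacllen)
+struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
+		const struct cifs_fid *cifsfid, u32 *pacllen)
 {
 	struct cifs_ntsd *pntsd = NULL;
 	unsigned int xid;
@@ -877,7 +877,8 @@ static struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *cifs_sb,
 		return ERR_CAST(tlink);
 
 	xid = get_xid();
-	rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), fid, &pntsd, pacllen);
+	rc = CIFSSMBGetCIFSACL(xid, tlink_tcon(tlink), cifsfid->netfid, &pntsd,
+				pacllen);
 	free_xid(xid);
 
 	cifs_put_tlink(tlink);
@@ -946,7 +947,7 @@ struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *cifs_sb,
 	if (!open_file)
 		return get_cifs_acl_by_path(cifs_sb, path, pacllen);
 
-	pntsd = get_cifs_acl_by_fid(cifs_sb, open_file->fid.netfid, pacllen);
+	pntsd = get_cifs_acl_by_fid(cifs_sb, &open_file->fid, pacllen);
 	cifsFileInfo_put(open_file);
 	return pntsd;
 }
@@ -1006,19 +1007,31 @@ out:
 /* Translate the CIFS ACL (simlar to NTFS ACL) for a file into mode bits */
 int
 cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
-		  struct inode *inode, const char *path, const __u16 *pfid)
+		  struct inode *inode, const char *path,
+		  const struct cifs_fid *pfid)
 {
 	struct cifs_ntsd *pntsd = NULL;
 	u32 acllen = 0;
 	int rc = 0;
+	struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
+	struct cifs_tcon *tcon;
 
 	cifs_dbg(NOISY, "converting ACL to mode for %s\n", path);
 
-	if (pfid)
-		pntsd = get_cifs_acl_by_fid(cifs_sb, *pfid, &acllen);
-	else
-		pntsd = get_cifs_acl(cifs_sb, inode, path, &acllen);
+	if (IS_ERR(tlink))
+		return PTR_ERR(tlink);
+	tcon = tlink_tcon(tlink);
 
+	if (pfid && (tcon->ses->server->ops->get_acl_by_fid))
+		pntsd = tcon->ses->server->ops->get_acl_by_fid(cifs_sb, pfid,
+							       &acllen);
+	else if (tcon->ses->server->ops->get_acl)
+		pntsd = tcon->ses->server->ops->get_acl(cifs_sb, inode, path,
+							&acllen);
+	else {
+		cifs_put_tlink(tlink);
+		return -EOPNOTSUPP;
+	}
 	/* if we can retrieve the ACL, now parse Access Control Entries, ACEs */
 	if (IS_ERR(pntsd)) {
 		rc = PTR_ERR(pntsd);
@@ -1030,6 +1043,8 @@ cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
 		cifs_dbg(VFS, "parse sec desc failed rc = %d\n", rc);
 	}
 
+	cifs_put_tlink(tlink);
+
 	return rc;
 }
 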
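Review bot: The dispatch chain at new lines 1025–1034 of cifs_acl_to_fattr braces only the final `else`, while kernel CodingStyle asks for braces on every branch once any branch needs them, and the four-level `tcon->ses->server->ops` chain is repeated three times. Hoisting it once, `struct smb_version_operations *ops = tcon->ses->server->ops;`, and bracing all three branches would make the `-EOPNOTSUPP` fall-through for SMB2 mounts (which register neither op in this series) easier to see. The new early return on `IS_ERR(tlink)` at 1021 is correct since nothing has been acquired yet, and the unconditional `cifs_put_tlink(tlink)` at 1046 pairs with the lookup at 1016; a one-line comment there, `/* tlink taken at the top; every later exit must release it */`, would help the next person who adds an error path between them.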
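--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -398,6 +398,8 @@ struct smb_version_operations {
 			const struct nls_table *, int);
 	struct cifs_ntsd * (*get_acl)(struct cifs_sb_info *, struct inode *,
 			const char *, u32 *);
+	struct cifs_ntsd * (*get_acl_by_fid)(struct cifs_sb_info *,
+			const struct cifs_fid *, u32 *);
 	int (*set_acl)(struct cifs_ntsd *, __u32, struct inode *, const char *,
 			int);
 };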
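--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -151,7 +151,7 @@ extern struct inode *cifs_iget(struct super_block *sb,
 
 extern int cifs_get_inode_info(struct inode **inode, const char *full_path,
 			       FILE_ALL_INFO *data, struct super_block *sb,
-			       int xid, const __u16 *fid);
+			       int xid, const struct cifs_fid *fid);
 extern int cifs_get_inode_info_unix(struct inode **pinode,
 			const unsigned char *search_path,
 			struct super_block *sb, unsigned int xid);
@@ -162,11 +162,13 @@ extern int cifs_rename_pending_delete(const char *full_path,
 			const unsigned int xid);
 extern int cifs_acl_to_fattr(struct cifs_sb_info *cifs_sb,
 			      struct cifs_fattr *fattr, struct inode *inode,
-			      const char *path, const __u16 *pfid);
+			      const char *path, const struct cifs_fid *pfid);
 extern int id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64,
 					kuid_t, kgid_t);
 extern struct cifs_ntsd *get_cifs_acl(struct cifs_sb_info *, struct inode *,
 					const char *, u32 *);
+extern struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *,
+				const struct cifs_fid *, u32 *);
 extern int set_cifs_acl(struct cifs_ntsd *, __u32, struct inode *,
 				const char *, int);
 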
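--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -378,7 +378,7 @@ cifs_create_get_file_info:
 					      xid);
 	else {
 		rc = cifs_get_inode_info(&newinode, full_path, buf, inode->i_sb,
-					 xid, &fid->netfid);
+					 xid, fid);
 		if (newinode) {
 			if (server->ops->set_lease_key)
 				server->ops->set_lease_key(newinode, fid);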
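--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -244,7 +244,7 @@ cifs_nt_open(char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb,
 					      xid);
 	else
 		rc = cifs_get_inode_info(&inode, full_path, buf, inode->i_sb,
-					 xid, &fid->netfid);
+					 xid, fid);
 
 out:
 	kfree(buf);
@@ -2389,7 +2389,7 @@ cifs_iovec_write(struct file *file, const struct iovec *iov,
 		 unsigned long nr_segs, loff_t *poffset)
 {
 	unsigned long nr_pages, i;
-	size_t copied, len, cur_len;
+	size_t bytes, copied, len, cur_len;
 	ssize_t total_written = 0;
 	loff_t offset;
 	struct iov_iter it;
@@ -2444,14 +2444,45 @@ cifs_iovec_write(struct file *file, const struct iovec *iov,
 
 		save_len = cur_len;
 		for (i = 0; i < nr_pages; i++) {
-			copied = min_t(const size_t, cur_len, PAGE_SIZE);
+			bytes = min_t(const size_t, cur_len, PAGE_SIZE);
 			copied = iov_iter_copy_from_user(wdata->pages[i], &it,
-							 0, copied);
+							 0, bytes);
 			cur_len -= copied;
 			iov_iter_advance(&it, copied);
+			/*
+			 * If we didn't copy as much as we expected, then that
+			 * may mean we trod into an unmapped area. Stop copying
+			 * at that point. On the next pass through the big
+			 * loop, we'll likely end up getting a zero-length
+			 * write and bailing out of it.
+			 */
+			if (copied < bytes)
+				break;
 		}
 		cur_len = save_len - cur_len;
 
+		/*
+		 * If we have no data to send, then that probably means that
+		 * the copy above failed altogether. That's most likely because
+		 * the address in the iovec was bogus. Set the rc to -EFAULT,
+		 * free anything we allocated and bail out.
+		 */
+		if (!cur_len) {
+			for (i = 0; i < nr_pages; i++)
+				put_page(wdata->pages[i]);
+			kfree(wdata);
+			rc = -EFAULT;
+			break;
+		}
+
+		/*
+		 * i + 1 now represents the number of pages we actually used in
+		 * the copy phase above. Bring nr_pages down to that, and free
+		 * any pages that we didn't use.
+		 */
+		for ( ; nr_pages > i + 1; nr_pages--)
+			put_page(wdata->pages[nr_pages - 1]);
+
 		wdata->sync_mode = WB_SYNC_ALL;
 		wdata->nr_pages = nr_pages;
 		wdata->offset = (__u64)offset;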
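Review bot: The `-EFAULT` bail-out at new lines 2470–2476 of cifs_iovec_write releases the pages and `wdata` by hand, and the page-allocation failure path earlier in this loop (outside the hunk) presumably releases the same objects; if so, the two should share one cleanup so that a field later added to `wdata` is freed on both. After the `break`, whether the caller sees the short count already accumulated in `total_written` or the bare `-EFAULT` is decided after the loop, which is also outside the hunk, so it is worth confirming that a partially successful writev still reports the bytes written, as the write(2) contract expects. As a point of style, the empty-initialiser loop at 2483–2484 reads more naturally as `while (nr_pages > i + 1)` / `put_page(wdata->pages[--nr_pages]);`, which also makes the "trim to i + 1 pages" intent from the comment visible in the code.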
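--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -677,7 +677,7 @@ cgfi_exit:
 int
 cifs_get_inode_info(struct inode **inode, const char *full_path,
 		    FILE_ALL_INFO *data, struct super_block *sb, int xid,
-		    const __u16 *fid)
+		    const struct cifs_fid *fid)
 {
 	bool validinum = false;
 	__u16 srchflgs;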
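--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -1073,6 +1073,7 @@ struct smb_version_operations smb1_operations = {
 #endif /* CIFS_XATTR */
 #ifdef CONFIG_CIFS_ACL
 	.get_acl = get_cifs_acl,
+	.get_acl_by_fid = get_cifs_acl_by_fid,
 	.set_acl = set_cifs_acl,
 #endif /* CIFS_ACL */
 };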
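--- a/fs/cifs/smb2glob.h
+++ b/fs/cifs/smb2glob.h
@@ -57,4 +57,7 @@
 #define SMB2_CMACAES_SIZE (16)
 #define SMB3_SIGNKEY_SIZE (16)
 
+/* Maximum buffer size value we can send with 1 credit */
+#define SMB2_MAX_BUFFER_SIZE 65536
+
 #endif /* _SMB2_GLOB_H */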
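--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -182,11 +182,8 @@ smb2_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info)
 	/* start with specified wsize, or default */
 	wsize = volume_info->wsize ? volume_info->wsize : CIFS_DEFAULT_IOSIZE;
 	wsize = min_t(unsigned int, wsize, server->max_write);
-	/*
-	 * limit write size to 2 ** 16, because we don't support multicredit
-	 * requests now.
-	 */
-	wsize = min_t(unsigned int, wsize, 2 << 15);
+	/* set it to the maximum buffer size value we can send with 1 credit */
+	wsize = min_t(unsigned int, wsize, SMB2_MAX_BUFFER_SIZE);
 
 	return wsize;
 }
@@ -200,11 +197,8 @@ smb2_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info)
 	/* start with specified rsize, or default */
 	rsize = volume_info->rsize ? volume_info->rsize : CIFS_DEFAULT_IOSIZE;
 	rsize = min_t(unsigned int, rsize, server->max_read);
-	/*
-	 * limit write size to 2 ** 16, because we don't support multicredit
-	 * requests now.
-	 */
-	rsize = min_t(unsigned int, rsize, 2 << 15);
+	/* set it to the maximum buffer size value we can send with 1 credit */
+	rsize = min_t(unsigned int, rsize, SMB2_MAX_BUFFER_SIZE);
 
 	return rsize;
 }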
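--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -413,7 +413,9 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
 
 	/* SMB2 only has an extended negflavor */
 	server->negflavor = CIFS_NEGFLAVOR_EXTENDED;
-	server->maxBuf = le32_to_cpu(rsp->MaxTransactSize);
+	/* set it to the maximum buffer size value we can send with 1 credit */
+	server->maxBuf = min_t(unsigned int, le32_to_cpu(rsp->MaxTransactSize),
+			       SMB2_MAX_BUFFER_SIZE);
 	server->max_read = le32_to_cpu(rsp->MaxReadSize);
 	server->max_write = le32_to_cpu(rsp->MaxWriteSize);
 	/* BB Do we need to validate the SecurityMode? */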
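Review bot: The clamp at new lines 417–418 of SMB2_negotiate bounds the server-advertised `MaxTransactSize` from above only; a server that answers with a tiny or zero value leaves `server->maxBuf` at that value, and `max_read`/`max_write` on the next two lines are still taken verbatim (pre-existing, but the same untrusted field). Since these three values later size requests and buffers, it would be worth adding a lower-bound sanity check next to the clamp that rejects the negotiate response with a `cifs_dbg(VFS, ...)` message when any of them is below what the client can work with, rather than discovering it on the first I/O. The new comment repeats the one on the macro in smb2glob.h; a shorter `/* single-credit requests only, see SMB2_MAX_BUFFER_SIZE */` would say why the clamp exists without restating the value. SMB2_negotiate continues outside the hunk.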