authorSteve French <sfrench@us.ibm.com>2007-11-13 17:41:37 -0500
committerSteve French <sfrench@us.ibm.com>2007-11-13 17:41:37 -0500
commit133672efbc1085f9af990bdc145e1822ea93bcf3 (patch)
treeb93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/cifs/cifssmb.c
parent9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff)
[CIFS] Fix buffer overflow if server sends corrupt response to small
request. In SendReceive() in transport.c, the message payload is memcpy'd into the buffer passed via the out_buf parameter. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE); unfortunately it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers, so a server response larger than the small buffer overruns it. There are eight callers (SMB worker functions) which are primarily affected by this change: TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes, Lock and PosixLock CC: Dave Kleikamp <shaggy@austin.ibm.com> CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs/cifssmb.c')
-rw-r--r--fs/cifs/cifssmb.c97
1 files changed, 36 insertions, 61 deletions
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 59d7b7c037ad..9e8a6bef029a 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -698,9 +698,7 @@ int
698CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon) 698CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
699{ 699{
700 struct smb_hdr *smb_buffer; 700 struct smb_hdr *smb_buffer;
701 struct smb_hdr *smb_buffer_response; /* BB removeme BB */
702 int rc = 0; 701 int rc = 0;
703 int length;
704 702
705 cFYI(1, ("In tree disconnect")); 703 cFYI(1, ("In tree disconnect"));
706 /* 704 /*
@@ -737,16 +735,12 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
737 if (rc) { 735 if (rc) {
738 up(&tcon->tconSem); 736 up(&tcon->tconSem);
739 return rc; 737 return rc;
740 } else {
741 smb_buffer_response = smb_buffer; /* BB removeme BB */
742 } 738 }
743 rc = SendReceive(xid, tcon->ses, smb_buffer, smb_buffer_response, 739
744 &length, 0); 740 rc = SendReceiveNoRsp(xid, tcon->ses, smb_buffer, 0);
745 if (rc) 741 if (rc)
746 cFYI(1, ("Tree disconnect failed %d", rc)); 742 cFYI(1, ("Tree disconnect failed %d", rc));
747 743
748 if (smb_buffer)
749 cifs_small_buf_release(smb_buffer);
750 up(&tcon->tconSem); 744 up(&tcon->tconSem);
751 745
752 /* No need to return error on this operation if tid invalidated and 746 /* No need to return error on this operation if tid invalidated and
@@ -760,10 +754,8 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
760int 754int
761CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses) 755CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
762{ 756{
763 struct smb_hdr *smb_buffer_response;
764 LOGOFF_ANDX_REQ *pSMB; 757 LOGOFF_ANDX_REQ *pSMB;
765 int rc = 0; 758 int rc = 0;
766 int length;
767 759
768 cFYI(1, ("In SMBLogoff for session disconnect")); 760 cFYI(1, ("In SMBLogoff for session disconnect"));
769 if (ses) 761 if (ses)
@@ -782,8 +774,6 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
782 return rc; 774 return rc;
783 } 775 }
784 776
785 smb_buffer_response = (struct smb_hdr *)pSMB; /* BB removeme BB */
786
787 if (ses->server) { 777 if (ses->server) {
788 pSMB->hdr.Mid = GetNextMid(ses->server); 778 pSMB->hdr.Mid = GetNextMid(ses->server);
789 779
@@ -795,8 +785,7 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
795 pSMB->hdr.Uid = ses->Suid; 785 pSMB->hdr.Uid = ses->Suid;
796 786
797 pSMB->AndXCommand = 0xFF; 787 pSMB->AndXCommand = 0xFF;
798 rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB, 788 rc = SendReceiveNoRsp(xid, ses, (struct smb_hdr *) pSMB, 0);
799 smb_buffer_response, &length, 0);
800 if (ses->server) { 789 if (ses->server) {
801 atomic_dec(&ses->server->socketUseCount); 790 atomic_dec(&ses->server->socketUseCount);
802 if (atomic_read(&ses->server->socketUseCount) == 0) { 791 if (atomic_read(&ses->server->socketUseCount) == 0) {
@@ -807,7 +796,6 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
807 } 796 }
808 } 797 }
809 up(&ses->sesSem); 798 up(&ses->sesSem);
810 cifs_small_buf_release(pSMB);
811 799
812 /* if session dead then we do not need to do ulogoff, 800 /* if session dead then we do not need to do ulogoff,
813 since server closed smb session, no sense reporting 801 since server closed smb session, no sense reporting
@@ -1255,7 +1243,7 @@ OldOpenRetry:
1255 pSMB->ByteCount = cpu_to_le16(count); 1243 pSMB->ByteCount = cpu_to_le16(count);
1256 /* long_op set to 1 to allow for oplock break timeouts */ 1244 /* long_op set to 1 to allow for oplock break timeouts */
1257 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 1245 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
1258 (struct smb_hdr *) pSMBr, &bytes_returned, 1); 1246 (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
1259 cifs_stats_inc(&tcon->num_opens); 1247 cifs_stats_inc(&tcon->num_opens);
1260 if (rc) { 1248 if (rc) {
1261 cFYI(1, ("Error in Open = %d", rc)); 1249 cFYI(1, ("Error in Open = %d", rc));
@@ -1368,7 +1356,7 @@ openRetry:
1368 pSMB->ByteCount = cpu_to_le16(count); 1356 pSMB->ByteCount = cpu_to_le16(count);
1369 /* long_op set to 1 to allow for oplock break timeouts */ 1357 /* long_op set to 1 to allow for oplock break timeouts */
1370 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 1358 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
1371 (struct smb_hdr *) pSMBr, &bytes_returned, 1); 1359 (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
1372 cifs_stats_inc(&tcon->num_opens); 1360 cifs_stats_inc(&tcon->num_opens);
1373 if (rc) { 1361 if (rc) {
1374 cFYI(1, ("Error in Open = %d", rc)); 1362 cFYI(1, ("Error in Open = %d", rc));
@@ -1446,7 +1434,7 @@ CIFSSMBRead(const int xid, struct cifsTconInfo *tcon, const int netfid,
1446 iov[0].iov_base = (char *)pSMB; 1434 iov[0].iov_base = (char *)pSMB;
1447 iov[0].iov_len = pSMB->hdr.smb_buf_length + 4; 1435 iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
1448 rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */, 1436 rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
1449 &resp_buf_type, 0 /* not long op */, 1 /* log err */ ); 1437 &resp_buf_type, CIFS_STD_OP | CIFS_LOG_ERROR);
1450 cifs_stats_inc(&tcon->num_reads); 1438 cifs_stats_inc(&tcon->num_reads);
1451 pSMBr = (READ_RSP *)iov[0].iov_base; 1439 pSMBr = (READ_RSP *)iov[0].iov_base;
1452 if (rc) { 1440 if (rc) {
@@ -1665,7 +1653,7 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
1665 1653
1666 1654
1667 rc = SendReceive2(xid, tcon->ses, iov, n_vec + 1, &resp_buf_type, 1655 rc = SendReceive2(xid, tcon->ses, iov, n_vec + 1, &resp_buf_type,
1668 long_op, 0 /* do not log STATUS code */ ); 1656 long_op);
1669 cifs_stats_inc(&tcon->num_writes); 1657 cifs_stats_inc(&tcon->num_writes);
1670 if (rc) { 1658 if (rc) {
1671 cFYI(1, ("Send error Write2 = %d", rc)); 1659 cFYI(1, ("Send error Write2 = %d", rc));
@@ -1707,7 +1695,7 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
1707 int timeout = 0; 1695 int timeout = 0;
1708 __u16 count; 1696 __u16 count;
1709 1697
1710 cFYI(1, ("In CIFSSMBLock - timeout %d numLock %d", waitFlag, numLock)); 1698 cFYI(1, ("CIFSSMBLock timeout %d numLock %d", waitFlag, numLock));
1711 rc = small_smb_init(SMB_COM_LOCKING_ANDX, 8, tcon, (void **) &pSMB); 1699 rc = small_smb_init(SMB_COM_LOCKING_ANDX, 8, tcon, (void **) &pSMB);
1712 1700
1713 if (rc) 1701 if (rc)
@@ -1716,10 +1704,10 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
1716 pSMBr = (LOCK_RSP *)pSMB; /* BB removeme BB */ 1704 pSMBr = (LOCK_RSP *)pSMB; /* BB removeme BB */
1717 1705
1718 if (lockType == LOCKING_ANDX_OPLOCK_RELEASE) { 1706 if (lockType == LOCKING_ANDX_OPLOCK_RELEASE) {
1719 timeout = -1; /* no response expected */ 1707 timeout = CIFS_ASYNC_OP; /* no response expected */
1720 pSMB->Timeout = 0; 1708 pSMB->Timeout = 0;
1721 } else if (waitFlag == TRUE) { 1709 } else if (waitFlag == TRUE) {
1722 timeout = 3; /* blocking operation, no timeout */ 1710 timeout = CIFS_BLOCKING_OP; /* blocking operation, no timeout */
1723 pSMB->Timeout = cpu_to_le32(-1);/* blocking - do not time out */ 1711 pSMB->Timeout = cpu_to_le32(-1);/* blocking - do not time out */
1724 } else { 1712 } else {
1725 pSMB->Timeout = 0; 1713 pSMB->Timeout = 0;
@@ -1749,15 +1737,16 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
1749 if (waitFlag) { 1737 if (waitFlag) {
1750 rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB, 1738 rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
1751 (struct smb_hdr *) pSMBr, &bytes_returned); 1739 (struct smb_hdr *) pSMBr, &bytes_returned);
1740 cifs_small_buf_release(pSMB);
1752 } else { 1741 } else {
1753 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 1742 rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *)pSMB,
1754 (struct smb_hdr *) pSMBr, &bytes_returned, timeout); 1743 timeout);
1744 /* SMB buffer freed by function above */
1755 } 1745 }
1756 cifs_stats_inc(&tcon->num_locks); 1746 cifs_stats_inc(&tcon->num_locks);
1757 if (rc) { 1747 if (rc) {
1758 cFYI(1, ("Send error in Lock = %d", rc)); 1748 cFYI(1, ("Send error in Lock = %d", rc));
1759 } 1749 }
1760 cifs_small_buf_release(pSMB);
1761 1750
1762 /* Note: On -EAGAIN error only caller can retry on handle based calls 1751 /* Note: On -EAGAIN error only caller can retry on handle based calls
1763 since file handle passed in no longer valid */ 1752 since file handle passed in no longer valid */
@@ -1776,7 +1765,9 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
1776 int rc = 0; 1765 int rc = 0;
1777 int timeout = 0; 1766 int timeout = 0;
1778 int bytes_returned = 0; 1767 int bytes_returned = 0;
1768 int resp_buf_type = 0;
1779 __u16 params, param_offset, offset, byte_count, count; 1769 __u16 params, param_offset, offset, byte_count, count;
1770 struct kvec iov[1];
1780 1771
1781 cFYI(1, ("Posix Lock")); 1772 cFYI(1, ("Posix Lock"));
1782 1773
@@ -1818,7 +1809,7 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
1818 1809
1819 parm_data->lock_type = cpu_to_le16(lock_type); 1810 parm_data->lock_type = cpu_to_le16(lock_type);
1820 if (waitFlag) { 1811 if (waitFlag) {
1821 timeout = 3; /* blocking operation, no timeout */ 1812 timeout = CIFS_BLOCKING_OP; /* blocking operation, no timeout */
1822 parm_data->lock_flags = cpu_to_le16(1); 1813 parm_data->lock_flags = cpu_to_le16(1);
1823 pSMB->Timeout = cpu_to_le32(-1); 1814 pSMB->Timeout = cpu_to_le32(-1);
1824 } else 1815 } else
@@ -1838,8 +1829,13 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
1838 rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB, 1829 rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
1839 (struct smb_hdr *) pSMBr, &bytes_returned); 1830 (struct smb_hdr *) pSMBr, &bytes_returned);
1840 } else { 1831 } else {
1841 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 1832 iov[0].iov_base = (char *)pSMB;
1842 (struct smb_hdr *) pSMBr, &bytes_returned, timeout); 1833 iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
1834 rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
1835 &resp_buf_type, timeout);
1836 pSMB = NULL; /* request buf already freed by SendReceive2. Do
1837 not try to free it twice below on exit */
1838 pSMBr = (struct smb_com_transaction2_sfi_rsp *)iov[0].iov_base;
1843 } 1839 }
1844 1840
1845 if (rc) { 1841 if (rc) {
@@ -1874,6 +1870,11 @@ plk_err_exit:
1874 if (pSMB) 1870 if (pSMB)
1875 cifs_small_buf_release(pSMB); 1871 cifs_small_buf_release(pSMB);
1876 1872
1873 if (resp_buf_type == CIFS_SMALL_BUFFER)
1874 cifs_small_buf_release(iov[0].iov_base);
1875 else if (resp_buf_type == CIFS_LARGE_BUFFER)
1876 cifs_buf_release(iov[0].iov_base);
1877
1877 /* Note: On -EAGAIN error only caller can retry on handle based calls 1878 /* Note: On -EAGAIN error only caller can retry on handle based calls
1878 since file handle passed in no longer valid */ 1879 since file handle passed in no longer valid */
1879 1880
@@ -1886,8 +1887,6 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
1886{ 1887{
1887 int rc = 0; 1888 int rc = 0;
1888 CLOSE_REQ *pSMB = NULL; 1889 CLOSE_REQ *pSMB = NULL;
1889 CLOSE_RSP *pSMBr = NULL;
1890 int bytes_returned;
1891 cFYI(1, ("In CIFSSMBClose")); 1890 cFYI(1, ("In CIFSSMBClose"));
1892 1891
1893/* do not retry on dead session on close */ 1892/* do not retry on dead session on close */
@@ -1897,13 +1896,10 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
1897 if (rc) 1896 if (rc)
1898 return rc; 1897 return rc;
1899 1898
1900 pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
1901
1902 pSMB->FileID = (__u16) smb_file_id; 1899 pSMB->FileID = (__u16) smb_file_id;
1903 pSMB->LastWriteTime = 0xFFFFFFFF; 1900 pSMB->LastWriteTime = 0xFFFFFFFF;
1904 pSMB->ByteCount = 0; 1901 pSMB->ByteCount = 0;
1905 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 1902 rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
1906 (struct smb_hdr *) pSMBr, &bytes_returned, 0);
1907 cifs_stats_inc(&tcon->num_closes); 1903 cifs_stats_inc(&tcon->num_closes);
1908 if (rc) { 1904 if (rc) {
1909 if (rc != -EINTR) { 1905 if (rc != -EINTR) {
@@ -1912,8 +1908,6 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
1912 } 1908 }
1913 } 1909 }
1914 1910
1915 cifs_small_buf_release(pSMB);
1916
1917 /* Since session is dead, file will be closed on server already */ 1911 /* Since session is dead, file will be closed on server already */
1918 if (rc == -EAGAIN) 1912 if (rc == -EAGAIN)
1919 rc = 0; 1913 rc = 0;
@@ -3102,7 +3096,7 @@ CIFSSMBGetCIFSACL(const int xid, struct cifsTconInfo *tcon, __u16 fid,
3102 iov[0].iov_len = pSMB->hdr.smb_buf_length + 4; 3096 iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
3103 3097
3104 rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovec */, &buf_type, 3098 rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovec */, &buf_type,
3105 0 /* not long op */, 0 /* do not log STATUS codes */ ); 3099 CIFS_STD_OP);
3106 cifs_stats_inc(&tcon->num_acl_get); 3100 cifs_stats_inc(&tcon->num_acl_get);
3107 if (rc) { 3101 if (rc) {
3108 cFYI(1, ("Send error in QuerySecDesc = %d", rc)); 3102 cFYI(1, ("Send error in QuerySecDesc = %d", rc));
@@ -3763,8 +3757,6 @@ CIFSFindClose(const int xid, struct cifsTconInfo *tcon,
3763{ 3757{
3764 int rc = 0; 3758 int rc = 0;
3765 FINDCLOSE_REQ *pSMB = NULL; 3759 FINDCLOSE_REQ *pSMB = NULL;
3766 CLOSE_RSP *pSMBr = NULL; /* BB removeme BB */
3767 int bytes_returned;
3768 3760
3769 cFYI(1, ("In CIFSSMBFindClose")); 3761 cFYI(1, ("In CIFSSMBFindClose"));
3770 rc = small_smb_init(SMB_COM_FIND_CLOSE2, 1, tcon, (void **)&pSMB); 3762 rc = small_smb_init(SMB_COM_FIND_CLOSE2, 1, tcon, (void **)&pSMB);
@@ -3776,16 +3768,13 @@ CIFSFindClose(const int xid, struct cifsTconInfo *tcon,
3776 if (rc) 3768 if (rc)
3777 return rc; 3769 return rc;
3778 3770
3779 pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
3780 pSMB->FileID = searchHandle; 3771 pSMB->FileID = searchHandle;
3781 pSMB->ByteCount = 0; 3772 pSMB->ByteCount = 0;
3782 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 3773 rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
3783 (struct smb_hdr *) pSMBr, &bytes_returned, 0);
3784 if (rc) { 3774 if (rc) {
3785 cERROR(1, ("Send error in FindClose = %d", rc)); 3775 cERROR(1, ("Send error in FindClose = %d", rc));
3786 } 3776 }
3787 cifs_stats_inc(&tcon->num_fclose); 3777 cifs_stats_inc(&tcon->num_fclose);
3788 cifs_small_buf_release(pSMB);
3789 3778
3790 /* Since session is dead, search handle closed on server already */ 3779 /* Since session is dead, search handle closed on server already */
3791 if (rc == -EAGAIN) 3780 if (rc == -EAGAIN)
@@ -4707,11 +4696,9 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
4707 __u16 fid, __u32 pid_of_opener, int SetAllocation) 4696 __u16 fid, __u32 pid_of_opener, int SetAllocation)
4708{ 4697{
4709 struct smb_com_transaction2_sfi_req *pSMB = NULL; 4698 struct smb_com_transaction2_sfi_req *pSMB = NULL;
4710 struct smb_com_transaction2_sfi_rsp *pSMBr = NULL;
4711 char *data_offset; 4699 char *data_offset;
4712 struct file_end_of_file_info *parm_data; 4700 struct file_end_of_file_info *parm_data;
4713 int rc = 0; 4701 int rc = 0;
4714 int bytes_returned = 0;
4715 __u16 params, param_offset, offset, byte_count, count; 4702 __u16 params, param_offset, offset, byte_count, count;
4716 4703
4717 cFYI(1, ("SetFileSize (via SetFileInfo) %lld", 4704 cFYI(1, ("SetFileSize (via SetFileInfo) %lld",
@@ -4721,8 +4708,6 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
4721 if (rc) 4708 if (rc)
4722 return rc; 4709 return rc;
4723 4710
4724 pSMBr = (struct smb_com_transaction2_sfi_rsp *)pSMB;
4725
4726 pSMB->hdr.Pid = cpu_to_le16((__u16)pid_of_opener); 4711 pSMB->hdr.Pid = cpu_to_le16((__u16)pid_of_opener);
4727 pSMB->hdr.PidHigh = cpu_to_le16((__u16)(pid_of_opener >> 16)); 4712 pSMB->hdr.PidHigh = cpu_to_le16((__u16)(pid_of_opener >> 16));
4728 4713
@@ -4773,17 +4758,13 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
4773 pSMB->Reserved4 = 0; 4758 pSMB->Reserved4 = 0;
4774 pSMB->hdr.smb_buf_length += byte_count; 4759 pSMB->hdr.smb_buf_length += byte_count;
4775 pSMB->ByteCount = cpu_to_le16(byte_count); 4760 pSMB->ByteCount = cpu_to_le16(byte_count);
4776 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 4761 rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
4777 (struct smb_hdr *) pSMBr, &bytes_returned, 0);
4778 if (rc) { 4762 if (rc) {
4779 cFYI(1, 4763 cFYI(1,
4780 ("Send error in SetFileInfo (SetFileSize) = %d", 4764 ("Send error in SetFileInfo (SetFileSize) = %d",
4781 rc)); 4765 rc));
4782 } 4766 }
4783 4767
4784 if (pSMB)
4785 cifs_small_buf_release(pSMB);
4786
4787 /* Note: On -EAGAIN error only caller can retry on handle based calls 4768 /* Note: On -EAGAIN error only caller can retry on handle based calls
4788 since file handle passed in no longer valid */ 4769 since file handle passed in no longer valid */
4789 4770
@@ -4801,10 +4782,8 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
4801 const FILE_BASIC_INFO *data, __u16 fid) 4782 const FILE_BASIC_INFO *data, __u16 fid)
4802{ 4783{
4803 struct smb_com_transaction2_sfi_req *pSMB = NULL; 4784 struct smb_com_transaction2_sfi_req *pSMB = NULL;
4804 struct smb_com_transaction2_sfi_rsp *pSMBr = NULL;
4805 char *data_offset; 4785 char *data_offset;
4806 int rc = 0; 4786 int rc = 0;
4807 int bytes_returned = 0;
4808 __u16 params, param_offset, offset, byte_count, count; 4787 __u16 params, param_offset, offset, byte_count, count;
4809 4788
4810 cFYI(1, ("Set Times (via SetFileInfo)")); 4789 cFYI(1, ("Set Times (via SetFileInfo)"));
@@ -4813,8 +4792,6 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
4813 if (rc) 4792 if (rc)
4814 return rc; 4793 return rc;
4815 4794
4816 pSMBr = (struct smb_com_transaction2_sfi_rsp *)pSMB;
4817
4818 /* At this point there is no need to override the current pid 4795 /* At this point there is no need to override the current pid
4819 with the pid of the opener, but that could change if we someday 4796 with the pid of the opener, but that could change if we someday
4820 use an existing handle (rather than opening one on the fly) */ 4797 use an existing handle (rather than opening one on the fly) */
@@ -4854,14 +4831,11 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
4854 pSMB->hdr.smb_buf_length += byte_count; 4831 pSMB->hdr.smb_buf_length += byte_count;
4855 pSMB->ByteCount = cpu_to_le16(byte_count); 4832 pSMB->ByteCount = cpu_to_le16(byte_count);
4856 memcpy(data_offset, data, sizeof(FILE_BASIC_INFO)); 4833 memcpy(data_offset, data, sizeof(FILE_BASIC_INFO));
4857 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 4834 rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
4858 (struct smb_hdr *) pSMBr, &bytes_returned, 0);
4859 if (rc) { 4835 if (rc) {
4860 cFYI(1, ("Send error in Set Time (SetFileInfo) = %d", rc)); 4836 cFYI(1, ("Send error in Set Time (SetFileInfo) = %d", rc));
4861 } 4837 }
4862 4838
4863 cifs_small_buf_release(pSMB);
4864
4865 /* Note: On -EAGAIN error only caller can retry on handle based calls 4839 /* Note: On -EAGAIN error only caller can retry on handle based calls
4866 since file handle passed in no longer valid */ 4840 since file handle passed in no longer valid */
4867 4841
@@ -5152,7 +5126,8 @@ int CIFSSMBNotify(const int xid, struct cifsTconInfo *tcon,
5152 pSMB->ByteCount = 0; 5126 pSMB->ByteCount = 0;
5153 5127
5154 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, 5128 rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
5155 (struct smb_hdr *) pSMBr, &bytes_returned, -1); 5129 (struct smb_hdr *)pSMBr, &bytes_returned,
5130 CIFS_ASYNC_OP);
5156 if (rc) { 5131 if (rc) {
5157 cFYI(1, ("Error in Notify = %d", rc)); 5132 cFYI(1, ("Error in Notify = %d", rc));
5158 } else { 5133 } else {
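Review bot: The blocking-lock paths still hand a small request buffer to the transport as the response buffer, so the overflow this commit fixes for SendReceive() may survive there: in CIFSSMBLock the new side keeps `pSMBr = (LOCK_RSP *)pSMB; /* BB removeme BB */` and, when waitFlag is set, calls `SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr, &bytes_returned)` with pSMB coming from small_smb_init(); CIFSSMBPosixLock does the same on its waitFlag branch. SendReceiveBlockingLock() is in transport.c and not visible here, so whether it copies the response with the same full-size assumption as SendReceive() cannot be confirmed from this diff, but if it does, a corrupt or oversized LOCKING_ANDX response from the server still overruns a MAX_CIFS_SMALL_BUFFER_SIZE buffer on a blocking lock. Either route the blocking case through the iov/SendReceive2-style path the non-blocking PosixLock branch now uses (so the transport supplies a correctly sized response buffer), or have SendReceiveBlockingLock() reject a response whose length exceeds the caller's buffer before copying, and add a comment at the call site stating which buffer size the callee is allowed to assume. CIFSSMBLock and CIFSSMBPosixLock both begin and end outside the hunks shown, and the CIFSSMBNotify hunk near the end likewise still passes a separate pSMBr to SendReceive(); that buffer's allocation is outside the hunk, so it is worth confirming it is a full-size buffer rather than one from small_smb_init().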