Merge branch 'timers/urgent' into timers/core

Reason: Get upstream fixes and kfree_rcu which is necessary for a follow up patch. Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Thomas Gleixner <tglx@linutronix.de> 2011-05-20 14:06:24 -0400
committer: Thomas Gleixner <tglx@linutronix.de> 2011-05-20 14:08:05 -0400
commit: 250f972d85effad5b6e10da4bbd877e6a4b503b6 (patch)
tree: 007393a6fc6439af7e0121dd99a6f9f9fb8405bc /fs/cifs
parent: 7372b0b122af0f6675f3ab65bfd91c8a438e0480 (diff)
parent: bbe7b8bef48c567f5ff3f6041c1fb011292e8f12 (diff)
3 files changed, 82 insertions, 76 deletions
diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
index 23d43cde4306..1b2e180b018d 100644
--- a/fs/cifs/cifs_unicode.c
+++ b/fs/cifs/cifs_unicode.c
@@ -277,6 +277,7 @@ cifsConvertToUCS(__le16 *target, const char *source, int srclen,
        for (i = 0, j = 0; i < srclen; j++) {
                src_char = source[i];
+                charlen = 1;
                switch (src_char) {
                case 0:
                        put_unaligned(0, &target[j]);
@@ -316,16 +317,13 @@ cifsConvertToUCS(__le16 *target, const char *source, int srclen,
                                dst_char = cpu_to_le16(0x003f);
                                charlen = 1;
                        }
-                        /*
-                         * character may take more than one byte in the source
-                         * string, but will take exactly two bytes in the
-                         * target string
-                         */
-                        i += charlen;
-                        continue;
                }
+                /*
+                 * character may take more than one byte in the source string,
+                 * but will take exactly two bytes in the target string
+                 */
+                i += charlen;
                put_unaligned(dst_char, &target[j]);
-                i++; /* move to next char in source string */
        }
 ctoUCS_out:
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 4bc862a80efa..277262a8e82f 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        char *data_area_of_target;
        char *data_area_of_buf2;
        int remaining;
-        __u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
+        unsigned int byte_count, total_in_buf;
+        __u16 total_data_size, total_in_buf2;
        total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
@@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        remaining = total_data_size - total_in_buf;
        if (remaining < 0)
-                return -EINVAL;
+                return -EPROTO;
        if (remaining == 0) /* nothing to do, ignore */
                return 0;
@@ -308,20 +309,29 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        data_area_of_target += total_in_buf;
        /* copy second buffer into end of first buffer */
-        memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
        total_in_buf += total_in_buf2;
+        /* is the result too big for the field? */
+        if (total_in_buf > USHRT_MAX)
+                return -EPROTO;
        put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
+        /* fix up the BCC */
        byte_count = get_bcc_le(pTargetSMB);
        byte_count += total_in_buf2;
+        /* is the result too big for the field? */
+        if (byte_count > USHRT_MAX)
+                return -EPROTO;
        put_bcc_le(byte_count, pTargetSMB);
        byte_count = pTargetSMB->smb_buf_length;
        byte_count += total_in_buf2;
+        /* don't allow buffer to overflow */
-        /* BB also add check that we are not beyond maximum buffer size */
+        if (byte_count > CIFSMaxBufSize)
+                return -ENOBUFS;
        pTargetSMB->smb_buf_length = byte_count;
+        memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
        if (remaining == total_in_buf2) {
                cFYI(1, "found the last secondary response");
                return 0; /* we are done */
@@ -607,59 +617,63 @@ incomplete_rcv:
                list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
                        mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
-                        if ((mid_entry->mid == smb_buffer->Mid) &&
+                        if (mid_entry->mid != smb_buffer->Mid ||
-                            (mid_entry->midState == MID_REQUEST_SUBMITTED) &&
+                            mid_entry->midState != MID_REQUEST_SUBMITTED ||
-                            (mid_entry->command == smb_buffer->Command)) {
+                            mid_entry->command != smb_buffer->Command) {
-                                if (length == 0 &&
+                                mid_entry = NULL;
-                                   check2ndT2(smb_buffer, server->maxBuf) > 0) {
+                                continue;
-                                        /* We have a multipart transact2 resp */
+                        }
-                                        isMultiRsp = true;
-                                        if (mid_entry->resp_buf) {
+                        if (length == 0 &&
-                                                /* merge response - fix up 1st*/
+                            check2ndT2(smb_buffer, server->maxBuf) > 0) {
-                                                if (coalesce_t2(smb_buffer,
+                                /* We have a multipart transact2 resp */
-                                                        mid_entry->resp_buf)) {
+                                isMultiRsp = true;
-                                                        mid_entry->multiRsp =
+                                if (mid_entry->resp_buf) {
-                                                                 true;
+                                        /* merge response - fix up 1st*/
-                                                        break;
+                                        length = coalesce_t2(smb_buffer,
-                                                } else {
+                                                        mid_entry->resp_buf);
-                                                        /* all parts received */
+                                        if (length > 0) {
-                                                        mid_entry->multiEnd =
+                                                length = 0;
-                                                                 true;
+                                                mid_entry->multiRsp = true;
-                                                        goto multi_t2_fnd;
+                                                break;
-                                                }
                                        } else {
-                                                if (!isLargeBuf) {
+                                                /* all parts received or
-                                                        cERROR(1, "1st trans2 resp needs bigbuf");
+                                                 * packet is malformed
-                                        /* BB maybe we can fix this up,  switch
+                                                 */
-                                           to already allocated large buffer? */
+                                                mid_entry->multiEnd = true;
-                                                } else {
+                                                goto multi_t2_fnd;
-                                                        /* Have first buffer */
+                                        }
-                                                        mid_entry->resp_buf =
+                                } else {
-                                                                 smb_buffer;
+                                        if (!isLargeBuf) {
-                                                        mid_entry->largeBuf =
+                                                /*
-                                                                 true;
+                                                 * FIXME: switch to already
-                                                        bigbuf = NULL;
+                                                 *        allocated largebuf?
-                                                }
+                                                 */
+                                                cERROR(1, "1st trans2 resp "
+                                                          "needs bigbuf");
+                                        } else {
+                                                /* Have first buffer */
+                                                mid_entry->resp_buf =
+                                                         smb_buffer;
+                                                mid_entry->largeBuf = true;
+                                                bigbuf = NULL;
                                        }
-                                        break;
                                }
-                                mid_entry->resp_buf = smb_buffer;
+                                break;
-                                mid_entry->largeBuf = isLargeBuf;
+                        }
+                        mid_entry->resp_buf = smb_buffer;
+                        mid_entry->largeBuf = isLargeBuf;
 multi_t2_fnd:
-                                if (length == 0)
+                        if (length == 0)
-                                        mid_entry->midState =
+                                mid_entry->midState = MID_RESPONSE_RECEIVED;
-                                                        MID_RESPONSE_RECEIVED;
+                        else
-                                else
+                                mid_entry->midState = MID_RESPONSE_MALFORMED;
-                                        mid_entry->midState =
-                                                        MID_RESPONSE_MALFORMED;
 #ifdef CONFIG_CIFS_STATS2
-                                mid_entry->when_received = jiffies;
+                        mid_entry->when_received = jiffies;
 #endif
-                                list_del_init(&mid_entry->qhead);
+                        list_del_init(&mid_entry->qhead);
-                                mid_entry->callback(mid_entry);
+                        mid_entry->callback(mid_entry);
-                                break;
+                        break;
-                        }
-                        mid_entry = NULL;
                }
                spin_unlock(&GlobalMid_Lock);
@@ -2659,6 +2673,11 @@ is_path_accessible(int xid, struct cifsTconInfo *tcon,
                              0 /* not legacy */, cifs_sb->local_nls,
                              cifs_sb->mnt_cifs_flags &
                                CIFS_MOUNT_MAP_SPECIAL_CHR);
+        if (rc == -EOPNOTSUPP || rc == -EINVAL)
+                rc = SMBQueryInformation(xid, tcon, full_path, pfile_info,
+                                cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+                                  CIFS_MOUNT_MAP_SPECIAL_CHR);
        kfree(pfile_info);
        return rc;
 }
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index f6728eb6f4b9..645114ad0a10 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -276,7 +276,7 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
 }
 static void
-decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
+decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
                      const struct nls_table *nls_cp)
 {
        int len;
@@ -284,19 +284,6 @@ decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
        cFYI(1, "bleft %d", bleft);
-        /*
-         * Windows servers do not always double null terminate their final
-         * Unicode string. Check to see if there are an uneven number of bytes
-         * left. If so, then add an extra NULL pad byte to the end of the
-         * response.
-         *
-         * See section 2.7.2 in "Implementing CIFS" for details
-         */
-        if (bleft % 2) {
-                data[bleft] = 0;
-                ++bleft;
-        }
        kfree(ses->serverOS);
        ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
        cFYI(1, "serverOS=%s", ses->serverOS);
@@ -929,7 +916,9 @@ ssetup_ntlmssp_authenticate:
        }
        /* BB check if Unicode and decode strings */
-        if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+        if (bytes_remaining == 0) {
+                /* no string area to decode, do nothing */
+        } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
                /* unicode string area must be word-aligned */
                if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
                        ++bcc_ptr;
author	Thomas Gleixner <tglx@linutronix.de>	2011-05-20 14:06:24 -0400
committer	Thomas Gleixner <tglx@linutronix.de>	2011-05-20 14:08:05 -0400
commit	250f972d85effad5b6e10da4bbd877e6a4b503b6 (patch)
tree	007393a6fc6439af7e0121dd99a6f9f9fb8405bc /fs/cifs
parent	7372b0b122af0f6675f3ab65bfd91c8a438e0480 (diff)
parent	bbe7b8bef48c567f5ff3f6041c1fb011292e8f12 (diff)

diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c index 23d43cde4306..1b2e180b018d 100644 --- a/fs/cifs/cifs_unicode.c +++ b/fs/cifs/cifs_unicode.c
@@ -277,6 +277,7 @@ cifsConvertToUCS(__le16 target, const char source, int srclen,
277		277
278	for (i = 0, j = 0; i < srclen; j++) {	278	for (i = 0, j = 0; i < srclen; j++) {
279	src_char = source[i];	279	src_char = source[i];
		280	charlen = 1;
280	switch (src_char) {	281	switch (src_char) {
281	case 0:	282	case 0:
282	put_unaligned(0, &target[j]);	283	put_unaligned(0, &target[j]);
@@ -316,16 +317,13 @@ cifsConvertToUCS(__le16 target, const char source, int srclen,
316	dst_char = cpu_to_le16(0x003f);	317	dst_char = cpu_to_le16(0x003f);
317	charlen = 1;	318	charlen = 1;
318	}	319	}
319	/*
320	* character may take more than one byte in the source
321	* string, but will take exactly two bytes in the
322	* target string
323	*/
324	i += charlen;
325	continue;
326	}	320	}
		321	/*
		322	* character may take more than one byte in the source string,
		323	* but will take exactly two bytes in the target string
		324	*/
		325	i += charlen;
327	put_unaligned(dst_char, &target[j]);	326	put_unaligned(dst_char, &target[j]);
328	i++; /* move to next char in source string */
329	}	327	}
330		328
331	ctoUCS_out:	329	ctoUCS_out:


diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 4bc862a80efa..277262a8e82f 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr psecond, struct smb_hdr pTargetSMB)
274	char *data_area_of_target;	274	char *data_area_of_target;
275	char *data_area_of_buf2;	275	char *data_area_of_buf2;
276	int remaining;	276	int remaining;
277	__u16 byte_count, total_data_size, total_in_buf, total_in_buf2;	277	unsigned int byte_count, total_in_buf;
		278	__u16 total_data_size, total_in_buf2;
278		279
279	total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);	280	total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
280		281
@@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr psecond, struct smb_hdr pTargetSMB)
287	remaining = total_data_size - total_in_buf;	288	remaining = total_data_size - total_in_buf;
288		289
289	if (remaining < 0)	290	if (remaining < 0)
290	return -EINVAL;	291	return -EPROTO;
291		292
292	if (remaining == 0) /* nothing to do, ignore */	293	if (remaining == 0) /* nothing to do, ignore */
293	return 0;	294	return 0;
@@ -308,20 +309,29 @@ static int coalesce_t2(struct smb_hdr psecond, struct smb_hdr pTargetSMB)
308	data_area_of_target += total_in_buf;	309	data_area_of_target += total_in_buf;
309		310
310	/* copy second buffer into end of first buffer */	311	/* copy second buffer into end of first buffer */
311	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
312	total_in_buf += total_in_buf2;	312	total_in_buf += total_in_buf2;
		313	/* is the result too big for the field? */
		314	if (total_in_buf > USHRT_MAX)
		315	return -EPROTO;
313	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);	316	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
		317
		318	/* fix up the BCC */
314	byte_count = get_bcc_le(pTargetSMB);	319	byte_count = get_bcc_le(pTargetSMB);
315	byte_count += total_in_buf2;	320	byte_count += total_in_buf2;
		321	/* is the result too big for the field? */
		322	if (byte_count > USHRT_MAX)
		323	return -EPROTO;
316	put_bcc_le(byte_count, pTargetSMB);	324	put_bcc_le(byte_count, pTargetSMB);
317		325
318	byte_count = pTargetSMB->smb_buf_length;	326	byte_count = pTargetSMB->smb_buf_length;
319	byte_count += total_in_buf2;	327	byte_count += total_in_buf2;
320		328	/* don't allow buffer to overflow */
321	/* BB also add check that we are not beyond maximum buffer size */	329	if (byte_count > CIFSMaxBufSize)
322		330	return -ENOBUFS;
323	pTargetSMB->smb_buf_length = byte_count;	331	pTargetSMB->smb_buf_length = byte_count;
324		332
		333	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
		334
325	if (remaining == total_in_buf2) {	335	if (remaining == total_in_buf2) {
326	cFYI(1, "found the last secondary response");	336	cFYI(1, "found the last secondary response");
327	return 0; /* we are done */	337	return 0; /* we are done */
@@ -607,59 +617,63 @@ incomplete_rcv:
607	list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {	617	list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
608	mid_entry = list_entry(tmp, struct mid_q_entry, qhead);	618	mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
609		619
610	if ((mid_entry->mid == smb_buffer->Mid) &&	620	if (mid_entry->mid != smb_buffer->Mid \|\|
611	(mid_entry->midState == MID_REQUEST_SUBMITTED) &&	621	mid_entry->midState != MID_REQUEST_SUBMITTED \|\|
612	(mid_entry->command == smb_buffer->Command)) {	622	mid_entry->command != smb_buffer->Command) {
613	if (length == 0 &&	623	mid_entry = NULL;
614	check2ndT2(smb_buffer, server->maxBuf) > 0) {	624	continue;
615	/* We have a multipart transact2 resp */	625	}
616	isMultiRsp = true;	626
617	if (mid_entry->resp_buf) {	627	if (length == 0 &&
618	/* merge response - fix up 1st*/	628	check2ndT2(smb_buffer, server->maxBuf) > 0) {
619	if (coalesce_t2(smb_buffer,	629	/* We have a multipart transact2 resp */
620	mid_entry->resp_buf)) {	630	isMultiRsp = true;
621	mid_entry->multiRsp =	631	if (mid_entry->resp_buf) {
622	true;	632	/* merge response - fix up 1st*/
623	break;	633	length = coalesce_t2(smb_buffer,
624	} else {	634	mid_entry->resp_buf);
625	/* all parts received */	635	if (length > 0) {
626	mid_entry->multiEnd =	636	length = 0;
627	true;	637	mid_entry->multiRsp = true;
628	goto multi_t2_fnd;	638	break;
629	}
630	} else {	639	} else {
631	if (!isLargeBuf) {	640	/* all parts received or
632	cERROR(1, "1st trans2 resp needs bigbuf");	641	* packet is malformed
633	/* BB maybe we can fix this up, switch	642	*/
634	to already allocated large buffer? */	643	mid_entry->multiEnd = true;
635	} else {	644	goto multi_t2_fnd;
636	/* Have first buffer */	645	}
637	mid_entry->resp_buf =	646	} else {
638	smb_buffer;	647	if (!isLargeBuf) {
639	mid_entry->largeBuf =	648	/*
640	true;	649	* FIXME: switch to already
641	bigbuf = NULL;	650	* allocated largebuf?
642	}	651	*/
		652	cERROR(1, "1st trans2 resp "
		653	"needs bigbuf");
		654	} else {
		655	/* Have first buffer */
		656	mid_entry->resp_buf =
		657	smb_buffer;
		658	mid_entry->largeBuf = true;
		659	bigbuf = NULL;
643	}	660	}
644	break;
645	}	661	}
646	mid_entry->resp_buf = smb_buffer;	662	break;
647	mid_entry->largeBuf = isLargeBuf;	663	}
		664	mid_entry->resp_buf = smb_buffer;
		665	mid_entry->largeBuf = isLargeBuf;
648	multi_t2_fnd:	666	multi_t2_fnd:
649	if (length == 0)	667	if (length == 0)
650	mid_entry->midState =	668	mid_entry->midState = MID_RESPONSE_RECEIVED;
651	MID_RESPONSE_RECEIVED;	669	else
652	else	670	mid_entry->midState = MID_RESPONSE_MALFORMED;
653	mid_entry->midState =
654	MID_RESPONSE_MALFORMED;
655	#ifdef CONFIG_CIFS_STATS2	671	#ifdef CONFIG_CIFS_STATS2
656	mid_entry->when_received = jiffies;	672	mid_entry->when_received = jiffies;
657	#endif	673	#endif
658	list_del_init(&mid_entry->qhead);	674	list_del_init(&mid_entry->qhead);
659	mid_entry->callback(mid_entry);	675	mid_entry->callback(mid_entry);
660	break;	676	break;
661	}
662	mid_entry = NULL;
663	}	677	}
664	spin_unlock(&GlobalMid_Lock);	678	spin_unlock(&GlobalMid_Lock);
665		679
@@ -2659,6 +2673,11 @@ is_path_accessible(int xid, struct cifsTconInfo *tcon,
2659	0 /* not legacy */, cifs_sb->local_nls,	2673	0 /* not legacy */, cifs_sb->local_nls,
2660	cifs_sb->mnt_cifs_flags &	2674	cifs_sb->mnt_cifs_flags &
2661	CIFS_MOUNT_MAP_SPECIAL_CHR);	2675	CIFS_MOUNT_MAP_SPECIAL_CHR);
		2676
		2677	if (rc == -EOPNOTSUPP \|\| rc == -EINVAL)
		2678	rc = SMBQueryInformation(xid, tcon, full_path, pfile_info,
		2679	cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
		2680	CIFS_MOUNT_MAP_SPECIAL_CHR);
2662	kfree(pfile_info);	2681	kfree(pfile_info);
2663	return rc;	2682	return rc;
2664	}	2683	}


diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index f6728eb6f4b9..645114ad0a10 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c
@@ -276,7 +276,7 @@ static void ascii_ssetup_strings(char *pbcc_area, struct cifsSesInfo ses,
276	}	276	}
277		277
278	static void	278	static void
279	decode_unicode_ssetup(char *pbcc_area, __u16 bleft, struct cifsSesInfo ses,	279	decode_unicode_ssetup(char *pbcc_area, int bleft, struct cifsSesInfo ses,
280	const struct nls_table *nls_cp)	280	const struct nls_table *nls_cp)
281	{	281	{
282	int len;	282	int len;
@@ -284,19 +284,6 @@ decode_unicode_ssetup(char *pbcc_area, __u16 bleft, struct cifsSesInfo ses,
284		284
285	cFYI(1, "bleft %d", bleft);	285	cFYI(1, "bleft %d", bleft);
286		286
287	/*
288	* Windows servers do not always double null terminate their final
289	* Unicode string. Check to see if there are an uneven number of bytes
290	* left. If so, then add an extra NULL pad byte to the end of the
291	* response.
292	*
293	* See section 2.7.2 in "Implementing CIFS" for details
294	*/
295	if (bleft % 2) {
296	data[bleft] = 0;
297	++bleft;
298	}
299
300	kfree(ses->serverOS);	287	kfree(ses->serverOS);
301	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);	288	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
302	cFYI(1, "serverOS=%s", ses->serverOS);	289	cFYI(1, "serverOS=%s", ses->serverOS);
@@ -929,7 +916,9 @@ ssetup_ntlmssp_authenticate:
929	}	916	}
930		917
931	/* BB check if Unicode and decode strings */	918	/* BB check if Unicode and decode strings */
932	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {	919	if (bytes_remaining == 0) {
		920	/* no string area to decode, do nothing */
		921	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
933	/* unicode string area must be word-aligned */	922	/* unicode string area must be word-aligned */
934	if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {	923	if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
935	++bcc_ptr;	924	++bcc_ptr;