1. 12 Apr, 2015 4 commits
  2. 21 Mar, 2015 1 commit
    • David Disseldorp's avatar
      cifs: fix use-after-free bug in find_writable_file · e1e9bda2
      David Disseldorp authored
      
      
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a user-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Reviewed-by: default avatarJeff Layton <jlayton@samba.org>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      e1e9bda2
  3. 16 Feb, 2015 1 commit
  4. 10 Feb, 2015 1 commit
  5. 20 Jan, 2015 1 commit
    • Sachin Prabhu's avatar
      Complete oplock break jobs before closing file handle · ca7df8e0
      Sachin Prabhu authored
      Commit
      c11f1df5
      
      
      requires writers to wait for any pending oplock break handler to
      complete before proceeding to write. This is done by waiting on bit
      CIFS_INODE_PENDING_OPLOCK_BREAK in cifsFileInfo->flags. This bit is
      cleared by the oplock break handler job queued on the workqueue once it
      has completed handling the oplock break allowing writers to proceed with
      writing to the file.
      
      While testing, it was noticed that the filehandle could be closed while
      there is a pending oplock break which results in the oplock break
      handler on the cifsiod workqueue being cancelled before it has had a
      chance to execute and clear the CIFS_INODE_PENDING_OPLOCK_BREAK bit.
      Any subsequent attempt to write to this file hangs waiting for the
      CIFS_INODE_PENDING_OPLOCK_BREAK bit to be cleared.
      
      We fix this by ensuring that we also clear the bit
      CIFS_INODE_PENDING_OPLOCK_BREAK when we remove the oplock break handler
      from the workqueue.
      
      The bug was found by Red Hat QA while testing using ltp's fsstress
      command.
      Signed-off-by: default avatarSachin Prabhu <sprabhu@redhat.com>
      Acked-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: default avatarJeff Layton <jlayton@samba.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSteve French <steve.french@primarydata.com>
      ca7df8e0
  6. 16 Jan, 2015 3 commits
  7. 11 Dec, 2014 1 commit
  8. 19 Nov, 2014 1 commit
  9. 16 Oct, 2014 1 commit
    • Steve French's avatar
      Allow mknod and mkfifo on SMB2/SMB3 mounts · db8b631d
      Steve French authored
      
      
      The "sfu" mount option did not work on SMB2/SMB3 mounts.
      With these changes when the "sfu" mount option is passed in
      on an smb2/smb2.1/smb3 mount the client can emulate (and
      recognize) fifo and device (character and device files).
      
      In addition the "sfu" mount option should not conflict
      with "mfsymlinks" (symlink emulation) as we will never
      create "sfu" style symlinks, but using "sfu" mount option
      will allow us to recognize existing symlinks, created with
      Microsoft "Services for Unix" (SFU and SUA).
      
      To enable the "sfu" mount option for SMB2/SMB3 the calling
      syntax of the generic cifs/smb2/smb3 sync_read and sync_write
      protocol dependent function needed to be changed (we
      don't have a file struct in all cases), but this actually
      ended up simplifying the code a little.
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      db8b631d
  10. 09 Oct, 2014 1 commit
  11. 02 Oct, 2014 1 commit
  12. 22 Aug, 2014 1 commit
  13. 17 Aug, 2014 1 commit
    • Pavel Shilovsky's avatar
      CIFS: Fix SMB2 readdir error handling · 52755808
      Pavel Shilovsky authored
      
      
      SMB2 servers indicates the end of a directory search with
      STATUS_NO_MORE_FILE error code that is not processed now.
      This causes generic/257 xfstest to fail. Fix this by triggering
      the end of search by this error code in SMB2_query_directory.
      
      Also when negotiating CIFS protocol we tell the server to close
      the search automatically at the end and there is no need to do
      it itself. In the case of SMB2 protocol, we need to close it
      explicitly - separate close directory checks for different
      protocols.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      52755808
  14. 02 Aug, 2014 22 commits