release 6.14.2
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
From c1a019d5fef8266e444159bc2bdaf9a5c9c7ef76 Mon Sep 17 00:00:00 2001
|
||||
From c78ab32399be35eed11e986293804eab75bfbe21 Mon Sep 17 00:00:00 2001
|
||||
From: Alexandra Diupina <adiupina@astralinux.ru>
|
||||
Date: Wed, 19 Mar 2025 17:28:58 +0300
|
||||
Subject: cifs: avoid NULL pointer dereference in dbg call
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
From 419b06f0ca7662c17a026ab0117ba9887dbd0477 Mon Sep 17 00:00:00 2001
|
||||
From 53f2beb3fafc1395f502390f04ad876a0dd2102d Mon Sep 17 00:00:00 2001
|
||||
From: Aman <aman1@microsoft.com>
|
||||
Date: Thu, 6 Mar 2025 17:46:43 +0000
|
||||
Subject: CIFS: Propagate min offload along with other parameters from primary
|
||||
@@ -33,7 +33,7 @@ Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
|
||||
--- a/fs/smb/client/connect.c
|
||||
+++ b/fs/smb/client/connect.c
|
||||
@@ -1676,6 +1676,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
|
||||
@@ -1677,6 +1677,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
|
||||
/* Grab netns reference for this server. */
|
||||
cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
|
||||
|
||||
@@ -1,60 +0,0 @@
|
||||
From 750b72183e7f3d9dc775540cee41c0c06d2c1da4 Mon Sep 17 00:00:00 2001
|
||||
From: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Date: Fri, 14 Mar 2025 18:21:47 +0900
|
||||
Subject: ksmbd: add bounds check for durable handle context
|
||||
|
||||
Add missing bounds check for durable handle context.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Tested-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/smb2pdu.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
--- a/fs/smb/server/smb2pdu.c
|
||||
+++ b/fs/smb/server/smb2pdu.c
|
||||
@@ -2708,6 +2708,13 @@ static int parse_durable_handle_context(
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (le16_to_cpu(context->DataOffset) +
|
||||
+ le32_to_cpu(context->DataLength) <
|
||||
+ sizeof(struct create_durable_reconn_v2_req)) {
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
recon_v2 = (struct create_durable_reconn_v2_req *)context;
|
||||
persistent_id = recon_v2->Fid.PersistentFileId;
|
||||
dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
|
||||
@@ -2741,6 +2748,13 @@ static int parse_durable_handle_context(
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (le16_to_cpu(context->DataOffset) +
|
||||
+ le32_to_cpu(context->DataLength) <
|
||||
+ sizeof(struct create_durable_reconn_req)) {
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
recon = (struct create_durable_reconn_req *)context;
|
||||
persistent_id = recon->Data.Fid.PersistentFileId;
|
||||
dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
|
||||
@@ -2765,6 +2779,13 @@ static int parse_durable_handle_context(
|
||||
err = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
+ if (le16_to_cpu(context->DataOffset) +
|
||||
+ le32_to_cpu(context->DataLength) <
|
||||
+ sizeof(struct create_durable_req_v2)) {
|
||||
+ err = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
durable_v2_blob =
|
||||
(struct create_durable_req_v2 *)context;
|
||||
@@ -1,4 +1,4 @@
|
||||
From 87a17042db9d288d1c5bf3eac2a31bd3315a8cd0 Mon Sep 17 00:00:00 2001
|
||||
From 6b8b436fbb92dff7d6bc8d6c977b01814a541ec0 Mon Sep 17 00:00:00 2001
|
||||
From: Roman Smirnov <r.smirnov@omp.ru>
|
||||
Date: Mon, 31 Mar 2025 11:22:49 +0300
|
||||
Subject: cifs: fix integer overflow in match_server()
|
||||
@@ -1,41 +0,0 @@
|
||||
From df179d4868b57eb8bcd7587559164178f17f0747 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Szetei <norbert@doyensec.com>
|
||||
Date: Sat, 15 Mar 2025 12:19:28 +0900
|
||||
Subject: ksmbd: add bounds check for create lease context
|
||||
|
||||
Add missing bounds check for create lease context.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Tested-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/oplock.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
--- a/fs/smb/server/oplock.c
|
||||
+++ b/fs/smb/server/oplock.c
|
||||
@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state
|
||||
if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
|
||||
struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
|
||||
|
||||
+ if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
|
||||
+ sizeof(struct create_lease_v2) - 4)
|
||||
+ return NULL;
|
||||
+
|
||||
memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
|
||||
lreq->req_state = lc->lcontext.LeaseState;
|
||||
lreq->flags = lc->lcontext.LeaseFlags;
|
||||
@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state
|
||||
} else {
|
||||
struct create_lease *lc = (struct create_lease *)cc;
|
||||
|
||||
+ if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
|
||||
+ sizeof(struct create_lease))
|
||||
+ return NULL;
|
||||
+
|
||||
memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
|
||||
lreq->req_state = lc->lcontext.LeaseState;
|
||||
lreq->flags = lc->lcontext.LeaseFlags;
|
||||
@@ -1,31 +0,0 @@
|
||||
From d72853120541d47779616db780a15a42afe4ad9b Mon Sep 17 00:00:00 2001
|
||||
From: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Date: Sat, 22 Mar 2025 09:20:19 +0900
|
||||
Subject: ksmbd: fix use-after-free in ksmbd_sessions_deregister()
|
||||
|
||||
In multichannel mode, UAF issue can occur in session_deregister
|
||||
when the second channel sets up a session through the connection of
|
||||
the first channel. session that is freed through the global session
|
||||
table can be accessed again through ->sessions of connection.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Tested-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/mgmt/user_session.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/fs/smb/server/mgmt/user_session.c
|
||||
+++ b/fs/smb/server/mgmt/user_session.c
|
||||
@@ -230,6 +230,9 @@ void ksmbd_sessions_deregister(struct ks
|
||||
if (!ksmbd_chann_del(conn, sess) &&
|
||||
xa_empty(&sess->ksmbd_chann_list)) {
|
||||
hash_del(&sess->hlist);
|
||||
+ down_write(&conn->session_lock);
|
||||
+ xa_erase(&conn->sessions, sess->id);
|
||||
+ up_write(&conn->session_lock);
|
||||
ksmbd_session_destroy(sess);
|
||||
}
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
From 13cf611fba8e4bcb60b66abb0c2a2456d7863c18 Mon Sep 17 00:00:00 2001
|
||||
From: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Date: Thu, 27 Mar 2025 21:22:51 +0900
|
||||
Subject: ksmbd: fix session use-after-free in multichannel connection
|
||||
|
||||
There is a race condition between session setup and
|
||||
ksmbd_sessions_deregister. The session can be freed before the connection
|
||||
is added to channel list of session.
|
||||
This patch check reference count of session before freeing it.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Sean Heelan <seanheelan@gmail.com>
|
||||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/auth.c | 4 ++--
|
||||
fs/smb/server/mgmt/user_session.c | 14 ++++++++------
|
||||
fs/smb/server/smb2pdu.c | 7 ++++---
|
||||
3 files changed, 14 insertions(+), 11 deletions(-)
|
||||
|
||||
--- a/fs/smb/server/auth.c
|
||||
+++ b/fs/smb/server/auth.c
|
||||
@@ -1016,9 +1016,9 @@ static int ksmbd_get_encryption_key(stru
|
||||
|
||||
ses_enc_key = enc ? sess->smb3encryptionkey :
|
||||
sess->smb3decryptionkey;
|
||||
- if (enc)
|
||||
- ksmbd_user_session_get(sess);
|
||||
memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE);
|
||||
+ if (!enc)
|
||||
+ ksmbd_user_session_put(sess);
|
||||
|
||||
return 0;
|
||||
}
|
||||
--- a/fs/smb/server/mgmt/user_session.c
|
||||
+++ b/fs/smb/server/mgmt/user_session.c
|
||||
@@ -181,7 +181,7 @@ static void ksmbd_expire_session(struct
|
||||
down_write(&sessions_table_lock);
|
||||
down_write(&conn->session_lock);
|
||||
xa_for_each(&conn->sessions, id, sess) {
|
||||
- if (atomic_read(&sess->refcnt) == 0 &&
|
||||
+ if (atomic_read(&sess->refcnt) <= 1 &&
|
||||
(sess->state != SMB2_SESSION_VALID ||
|
||||
time_after(jiffies,
|
||||
sess->last_active + SMB2_SESSION_TIMEOUT))) {
|
||||
@@ -233,7 +233,8 @@ void ksmbd_sessions_deregister(struct ks
|
||||
down_write(&conn->session_lock);
|
||||
xa_erase(&conn->sessions, sess->id);
|
||||
up_write(&conn->session_lock);
|
||||
- ksmbd_session_destroy(sess);
|
||||
+ if (atomic_dec_and_test(&sess->refcnt))
|
||||
+ ksmbd_session_destroy(sess);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -252,7 +253,8 @@ void ksmbd_sessions_deregister(struct ks
|
||||
if (xa_empty(&sess->ksmbd_chann_list)) {
|
||||
xa_erase(&conn->sessions, sess->id);
|
||||
hash_del(&sess->hlist);
|
||||
- ksmbd_session_destroy(sess);
|
||||
+ if (atomic_dec_and_test(&sess->refcnt))
|
||||
+ ksmbd_session_destroy(sess);
|
||||
}
|
||||
}
|
||||
up_write(&conn->session_lock);
|
||||
@@ -312,8 +314,8 @@ void ksmbd_user_session_put(struct ksmbd
|
||||
|
||||
if (atomic_read(&sess->refcnt) <= 0)
|
||||
WARN_ON(1);
|
||||
- else
|
||||
- atomic_dec(&sess->refcnt);
|
||||
+ else if (atomic_dec_and_test(&sess->refcnt))
|
||||
+ ksmbd_session_destroy(sess);
|
||||
}
|
||||
|
||||
struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
|
||||
@@ -420,7 +422,7 @@ static struct ksmbd_session *__session_c
|
||||
xa_init(&sess->rpc_handle_list);
|
||||
sess->sequence_number = 1;
|
||||
rwlock_init(&sess->tree_conns_lock);
|
||||
- atomic_set(&sess->refcnt, 1);
|
||||
+ atomic_set(&sess->refcnt, 2);
|
||||
|
||||
ret = __init_smb2_session(sess);
|
||||
if (ret)
|
||||
--- a/fs/smb/server/smb2pdu.c
|
||||
+++ b/fs/smb/server/smb2pdu.c
|
||||
@@ -2239,13 +2239,14 @@ int smb2_session_logoff(struct ksmbd_wor
|
||||
return -ENOENT;
|
||||
}
|
||||
|
||||
- ksmbd_destroy_file_table(&sess->file_table);
|
||||
down_write(&conn->session_lock);
|
||||
sess->state = SMB2_SESSION_EXPIRED;
|
||||
up_write(&conn->session_lock);
|
||||
|
||||
- ksmbd_free_user(sess->user);
|
||||
- sess->user = NULL;
|
||||
+ if (sess->user) {
|
||||
+ ksmbd_free_user(sess->user);
|
||||
+ sess->user = NULL;
|
||||
+ }
|
||||
ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
|
||||
|
||||
rsp->StructureSize = cpu_to_le16(4);
|
||||
@@ -1,70 +0,0 @@
|
||||
From 3fe0cc7e4d24b0a152798ec17ceed4156fe96033 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Szetei <norbert@doyensec.com>
|
||||
Date: Sat, 29 Mar 2025 06:58:15 +0000
|
||||
Subject: ksmbd: fix overflow in dacloffset bounds check
|
||||
|
||||
The dacloffset field was originally typed as int and used in an
|
||||
unchecked addition, which could overflow and bypass the existing
|
||||
bounds check in both smb_check_perm_dacl() and smb_inherit_dacl().
|
||||
|
||||
This could result in out-of-bounds memory access and a kernel crash
|
||||
when dereferencing the DACL pointer.
|
||||
|
||||
This patch converts dacloffset to unsigned int and uses
|
||||
check_add_overflow() to validate access to the DACL.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/smbacl.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/fs/smb/server/smbacl.c
|
||||
+++ b/fs/smb/server/smbacl.c
|
||||
@@ -1026,7 +1026,9 @@ int smb_inherit_dacl(struct ksmbd_conn *
|
||||
struct dentry *parent = path->dentry->d_parent;
|
||||
struct mnt_idmap *idmap = mnt_idmap(path->mnt);
|
||||
int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size;
|
||||
- int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;
|
||||
+ int rc = 0, pntsd_type, pntsd_size, acl_len, aces_size;
|
||||
+ unsigned int dacloffset;
|
||||
+ size_t dacl_struct_end;
|
||||
u16 num_aces, ace_cnt = 0;
|
||||
char *aces_base;
|
||||
bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
|
||||
@@ -1035,8 +1037,11 @@ int smb_inherit_dacl(struct ksmbd_conn *
|
||||
parent, &parent_pntsd);
|
||||
if (pntsd_size <= 0)
|
||||
return -ENOENT;
|
||||
+
|
||||
dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
|
||||
- if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) {
|
||||
+ if (!dacloffset ||
|
||||
+ check_add_overflow(dacloffset, sizeof(struct smb_acl), &dacl_struct_end) ||
|
||||
+ dacl_struct_end > (size_t)pntsd_size) {
|
||||
rc = -EINVAL;
|
||||
goto free_parent_pntsd;
|
||||
}
|
||||
@@ -1240,7 +1245,9 @@ int smb_check_perm_dacl(struct ksmbd_con
|
||||
struct smb_ntsd *pntsd = NULL;
|
||||
struct smb_acl *pdacl;
|
||||
struct posix_acl *posix_acls;
|
||||
- int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset;
|
||||
+ int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size;
|
||||
+ unsigned int dacl_offset;
|
||||
+ size_t dacl_struct_end;
|
||||
struct smb_sid sid;
|
||||
int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE);
|
||||
struct smb_ace *ace;
|
||||
@@ -1259,7 +1266,8 @@ int smb_check_perm_dacl(struct ksmbd_con
|
||||
|
||||
dacl_offset = le32_to_cpu(pntsd->dacloffset);
|
||||
if (!dacl_offset ||
|
||||
- (dacl_offset + sizeof(struct smb_acl) > pntsd_size))
|
||||
+ check_add_overflow(dacl_offset, sizeof(struct smb_acl), &dacl_struct_end) ||
|
||||
+ dacl_struct_end > (size_t)pntsd_size)
|
||||
goto err_out;
|
||||
|
||||
pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
|
||||
@@ -1,32 +0,0 @@
|
||||
From 0cf6aa54e0b5dbd9b1835a3b9f13a154216a7422 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Szetei <norbert@doyensec.com>
|
||||
Date: Sat, 29 Mar 2025 16:06:01 +0000
|
||||
Subject: ksmbd: validate zero num_subauth before sub_auth is accessed
|
||||
|
||||
Access psid->sub_auth[psid->num_subauth - 1] without checking
|
||||
if num_subauth is non-zero leads to an out-of-bounds read.
|
||||
This patch adds a validation step to ensure num_subauth != 0
|
||||
before sub_auth is accessed.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
|
||||
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/smbacl.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
--- a/fs/smb/server/smbacl.c
|
||||
+++ b/fs/smb/server/smbacl.c
|
||||
@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *i
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
+ if (psid->num_subauth == 0) {
|
||||
+ pr_err("%s: zero subauthorities!\n", __func__);
|
||||
+ return -EIO;
|
||||
+ }
|
||||
+
|
||||
if (sidtype == SIDOWNER) {
|
||||
kuid_t uid;
|
||||
uid_t id;
|
||||
@@ -1,125 +0,0 @@
|
||||
From 21715f2a6462476a4196725e436c4b0d968390ce Mon Sep 17 00:00:00 2001
|
||||
From: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Date: Wed, 2 Apr 2025 09:11:23 +0900
|
||||
Subject: ksmbd: fix null pointer dereference in alloc_preauth_hash()
|
||||
|
||||
The Client send malformed smb2 negotiate request. ksmbd return error
|
||||
response. Subsequently, the client can send smb2 session setup even
|
||||
thought conn->preauth_info is not allocated.
|
||||
This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore
|
||||
session setup request if smb2 negotiate phase is not complete.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Tested-by: Steve French <stfrench@microsoft.com>
|
||||
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-26505
|
||||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/smb/server/connection.h | 11 +++++++++++
|
||||
fs/smb/server/mgmt/user_session.c | 4 ++--
|
||||
fs/smb/server/smb2pdu.c | 14 +++++++++++---
|
||||
3 files changed, 24 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/fs/smb/server/connection.h
|
||||
+++ b/fs/smb/server/connection.h
|
||||
@@ -27,6 +27,7 @@ enum {
|
||||
KSMBD_SESS_EXITING,
|
||||
KSMBD_SESS_NEED_RECONNECT,
|
||||
KSMBD_SESS_NEED_NEGOTIATE,
|
||||
+ KSMBD_SESS_NEED_SETUP,
|
||||
KSMBD_SESS_RELEASING
|
||||
};
|
||||
|
||||
@@ -187,6 +188,11 @@ static inline bool ksmbd_conn_need_negot
|
||||
return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE;
|
||||
}
|
||||
|
||||
+static inline bool ksmbd_conn_need_setup(struct ksmbd_conn *conn)
|
||||
+{
|
||||
+ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_SETUP;
|
||||
+}
|
||||
+
|
||||
static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn)
|
||||
{
|
||||
return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT;
|
||||
@@ -217,6 +223,11 @@ static inline void ksmbd_conn_set_need_n
|
||||
WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE);
|
||||
}
|
||||
|
||||
+static inline void ksmbd_conn_set_need_setup(struct ksmbd_conn *conn)
|
||||
+{
|
||||
+ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_SETUP);
|
||||
+}
|
||||
+
|
||||
static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn)
|
||||
{
|
||||
WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT);
|
||||
--- a/fs/smb/server/mgmt/user_session.c
|
||||
+++ b/fs/smb/server/mgmt/user_session.c
|
||||
@@ -358,13 +358,13 @@ void destroy_previous_session(struct ksm
|
||||
ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT);
|
||||
err = ksmbd_conn_wait_idle_sess_id(conn, id);
|
||||
if (err) {
|
||||
- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
|
||||
+ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
|
||||
goto out;
|
||||
}
|
||||
|
||||
ksmbd_destroy_file_table(&prev_sess->file_table);
|
||||
prev_sess->state = SMB2_SESSION_EXPIRED;
|
||||
- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
|
||||
+ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
|
||||
ksmbd_launch_ksmbd_durable_scavenger();
|
||||
out:
|
||||
up_write(&conn->session_lock);
|
||||
--- a/fs/smb/server/smb2pdu.c
|
||||
+++ b/fs/smb/server/smb2pdu.c
|
||||
@@ -1249,7 +1249,7 @@ int smb2_handle_negotiate(struct ksmbd_w
|
||||
}
|
||||
|
||||
conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode);
|
||||
- ksmbd_conn_set_need_negotiate(conn);
|
||||
+ ksmbd_conn_set_need_setup(conn);
|
||||
|
||||
err_out:
|
||||
ksmbd_conn_unlock(conn);
|
||||
@@ -1271,6 +1271,9 @@ static int alloc_preauth_hash(struct ksm
|
||||
if (sess->Preauth_HashValue)
|
||||
return 0;
|
||||
|
||||
+ if (!conn->preauth_info)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue,
|
||||
PREAUTH_HASHVALUE_SIZE, KSMBD_DEFAULT_GFP);
|
||||
if (!sess->Preauth_HashValue)
|
||||
@@ -1674,6 +1677,11 @@ int smb2_sess_setup(struct ksmbd_work *w
|
||||
|
||||
ksmbd_debug(SMB, "Received smb2 session setup request\n");
|
||||
|
||||
+ if (!ksmbd_conn_need_setup(conn) && !ksmbd_conn_good(conn)) {
|
||||
+ work->send_no_response = 1;
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
WORK_BUFFERS(work, req, rsp);
|
||||
|
||||
rsp->StructureSize = cpu_to_le16(9);
|
||||
@@ -1913,7 +1921,7 @@ out_err:
|
||||
if (try_delay) {
|
||||
ksmbd_conn_set_need_reconnect(conn);
|
||||
ssleep(5);
|
||||
- ksmbd_conn_set_need_negotiate(conn);
|
||||
+ ksmbd_conn_set_need_setup(conn);
|
||||
}
|
||||
}
|
||||
smb2_set_err_rsp(work);
|
||||
@@ -2247,7 +2255,7 @@ int smb2_session_logoff(struct ksmbd_wor
|
||||
ksmbd_free_user(sess->user);
|
||||
sess->user = NULL;
|
||||
}
|
||||
- ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
|
||||
+ ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
|
||||
|
||||
rsp->StructureSize = cpu_to_le16(4);
|
||||
err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_logoff_rsp));
|
||||
Reference in New Issue
Block a user