From: Meetakshi Setiya msetiya@microsoft.com
MS-SMB2 section 2.2.13.2.10 specifies that 'epoch' should be a 16-bit unsigned integer used to track lease state changes. Change the data type of all instances of 'epoch' from unsigned int to __u16. This simplifies the epoch change comparisons and makes the code more compliant with the protocol spec.
Cc: stable@vger.kernel.org Signed-off-by: Meetakshi Setiya msetiya@microsoft.com Reviewed-by: Shyam Prasad N sprasad@microsoft.com --- fs/smb/client/cifsglob.h | 12 ++++++------ fs/smb/client/smb1ops.c | 2 +- fs/smb/client/smb2ops.c | 18 +++++++++--------- fs/smb/client/smb2pdu.c | 2 +- fs/smb/client/smb2proto.h | 2 +- 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index a68434ad744a..2c1b0438fe7d 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h @@ -357,7 +357,7 @@ struct smb_version_operations { int (*handle_cancelled_mid)(struct mid_q_entry *, struct TCP_Server_Info *); void (*downgrade_oplock)(struct TCP_Server_Info *server, struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache); + __u16 epoch, bool *purge_cache); /* process transaction2 response */ bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *, char *, int); @@ -552,12 +552,12 @@ struct smb_version_operations { /* if we can do cache read operations */ bool (*is_read_op)(__u32); /* set oplock level for the inode */ - void (*set_oplock_level)(struct cifsInodeInfo *, __u32, unsigned int, + void (*set_oplock_level)(struct cifsInodeInfo *, __u32, __u16, bool *); /* create lease context buffer for CREATE request */ char * (*create_lease_buf)(u8 *lease_key, u8 oplock); /* parse lease context buffer and return oplock/epoch info */ - __u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey); + __u8 (*parse_lease_buf)(void *buf, __u16 *epoch, char *lkey); ssize_t (*copychunk_range)(const unsigned int, struct cifsFileInfo *src_file, struct cifsFileInfo *target_file, @@ -1447,7 +1447,7 @@ struct cifs_fid { __u8 create_guid[16]; __u32 access; struct cifs_pending_open *pending_open; - unsigned int epoch; + __u16 epoch; #ifdef CONFIG_CIFS_DEBUG2 __u64 mid; #endif /* CIFS_DEBUG2 */ @@ -1480,7 +1480,7 @@ struct cifsFileInfo { bool oplock_break_cancelled:1; bool status_file_deleted:1; /* file has been deleted */ bool offload:1; /* offload final part of _put to a wq */ - unsigned int oplock_epoch; /* epoch from the lease break */ + __u16 oplock_epoch; /* epoch from the lease break */ __u32 oplock_level; /* oplock/lease level from the lease break */ int count; spinlock_t file_info_lock; /* protects four flag/count fields above */ @@ -1577,7 +1577,7 @@ struct cifsInodeInfo { spinlock_t open_file_lock; /* protects openFileList */ __u32 cifsAttrs; /* e.g. DOS archive bit, sparse, compressed, system */ unsigned int oplock; /* oplock/lease level we have */ - unsigned int epoch; /* used to track lease state changes */ + __u16 epoch; /* used to track lease state changes */ #define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */ #define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */ #define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */ diff --git a/fs/smb/client/smb1ops.c b/fs/smb/client/smb1ops.c index 9756b876a75e..d6e2fb669c40 100644 --- a/fs/smb/client/smb1ops.c +++ b/fs/smb/client/smb1ops.c @@ -377,7 +377,7 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) static void cifs_downgrade_oplock(struct TCP_Server_Info *server, struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) + __u16 epoch, bool *purge_cache) { cifs_set_oplock_level(cinode, oplock); } diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index 77309217dab4..ec36bed54b0b 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -3904,22 +3904,22 @@ static long smb3_fallocate(struct file *file, struct cifs_tcon *tcon, int mode, static void smb2_downgrade_oplock(struct TCP_Server_Info *server, struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) + __u16 epoch, bool *purge_cache) { server->ops->set_oplock_level(cinode, oplock, 0, NULL); }
static void smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache); + __u16 epoch, bool *purge_cache);
static void smb3_downgrade_oplock(struct TCP_Server_Info *server, struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) + __u16 epoch, bool *purge_cache) { unsigned int old_state = cinode->oplock; - unsigned int old_epoch = cinode->epoch; + __u16 old_epoch = cinode->epoch; unsigned int new_state;
if (epoch > old_epoch) { @@ -3939,7 +3939,7 @@ smb3_downgrade_oplock(struct TCP_Server_Info *server,
static void smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) + __u16 epoch, bool *purge_cache) { oplock &= 0xFF; cinode->lease_granted = false; @@ -3963,7 +3963,7 @@ smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
static void smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) + __u16 epoch, bool *purge_cache) { char message[5] = {0}; unsigned int new_oplock = 0; @@ -4000,7 +4000,7 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
static void smb3_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) + __u16 epoch, bool *purge_cache) { unsigned int old_oplock = cinode->oplock;
@@ -4114,7 +4114,7 @@ smb3_create_lease_buf(u8 *lease_key, u8 oplock) }
static __u8 -smb2_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key) +smb2_parse_lease_buf(void *buf, __u16 *epoch, char *lease_key) { struct create_lease *lc = (struct create_lease *)buf;
@@ -4125,7 +4125,7 @@ smb2_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key) }
static __u8 -smb3_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key) +smb3_parse_lease_buf(void *buf, __u16 *epoch, char *lease_key) { struct create_lease_v2 *lc = (struct create_lease_v2 *)buf;
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 40ad9e79437a..51204ff58bf6 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -2329,7 +2329,7 @@ parse_posix_ctxt(struct create_context *cc, struct smb2_file_all_info *info,
int smb2_parse_contexts(struct TCP_Server_Info *server, struct kvec *rsp_iov, - unsigned int *epoch, + __u16 *epoch, char *lease_key, __u8 *oplock, struct smb2_file_all_info *buf, struct create_posix_rsp *posix) diff --git a/fs/smb/client/smb2proto.h b/fs/smb/client/smb2proto.h index 2336dfb23f36..4662c7e2d259 100644 --- a/fs/smb/client/smb2proto.h +++ b/fs/smb/client/smb2proto.h @@ -283,7 +283,7 @@ extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *, enum securityEnum); int smb2_parse_contexts(struct TCP_Server_Info *server, struct kvec *rsp_iov, - unsigned int *epoch, + __u16 *epoch, char *lease_key, __u8 *oplock, struct smb2_file_all_info *buf, struct create_posix_rsp *posix);
From: Meetakshi Setiya msetiya@microsoft.com
MS-SMB2 section 3.2.5.7.5 specifies that client must evaluate delta_epoch to compare the old and new epoch values. This delta_epoch takes care of lease epoch wraparounds (e.g. when the server resets the epoch from 65535 to 0). Currently, we just check if the old epoch is numerically less than the new epoch, which can cause problems when the server resets its epoch counter from 65535 to 0 - like causing the client (with current epoch > 0) to not change its lease state. This patch uses delta_epoch based comparisons while comparing lease epochs in smb3_downgrade_oplock and smb3_set_oplock_level.
Also, in the current code for smb3_set_oplock_level, the client changes the lease state for a file without comparing the epoch. This patch adds the delta_epoch comparision before updating the lease state, so that when the change in epoch is negative, the new lease state is invalid too. This can protect the client from having an inconsistent lease state because of a stale lease state change response.
This patch also adds additional validations to check if the lease state change is valid or not, before going through smb3_set_oplock_level.
Cc: stable@vger.kernel.org Signed-off-by: Meetakshi Setiya msetiya@microsoft.com Reviewed-by: Shyam Prasad N sprasad@microsoft.com --- fs/smb/client/cifsglob.h | 6 +++ fs/smb/client/smb2ops.c | 95 +++++++++++++++++++++++++++++++--------- 2 files changed, 80 insertions(+), 21 deletions(-)
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index 2c1b0438fe7d..4417fa46885f 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h @@ -1558,6 +1558,12 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file); #define CIFS_CACHE_HANDLE(cinode) (cinode->oplock & CIFS_CACHE_HANDLE_FLG) #define CIFS_CACHE_WRITE(cinode) ((cinode->oplock & CIFS_CACHE_WRITE_FLG) || (CIFS_SB(cinode->netfs.inode.i_sb)->mnt_cifs_flags & CIFS_MOUNT_RW_CACHE))
+#define IS_SAME_EPOCH(new, cur) ((__u16)new == (__u16)cur) +#define IS_NEWER_EPOCH(new, cur) (((short)((__u16)new - (__u16)cur) <= (short)32767) && ((__u16)new != (__u16)cur)) + +bool validate_lease_state_change(__u32 old_state, __u32 new_state, + __u16 old_epoch, __u16 new_epoch); + /* * One of these for each file inode */ diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index ec36bed54b0b..6e0ce114fc08 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -3922,7 +3922,7 @@ smb3_downgrade_oplock(struct TCP_Server_Info *server, __u16 old_epoch = cinode->epoch; unsigned int new_state;
- if (epoch > old_epoch) { + if (IS_NEWER_EPOCH(epoch, old_epoch)) { smb21_set_oplock_level(cinode, oplock, 0, NULL); cinode->epoch = epoch; } @@ -3998,39 +3998,92 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, &cinode->netfs.inode); }
+/* helper function to ascertain that the incoming lease state is valid */ +bool +validate_lease_state_change(__u32 old_state, __u32 new_state, + __u16 old_epoch, __u16 new_epoch) +{ + if (new_state == 0) + return true; + + if (old_state == CIFS_CACHE_RH_FLG && new_state == CIFS_CACHE_READ_FLG) + return false; + + if (old_state == CIFS_CACHE_RHW_FLG) { + if (new_state == CIFS_CACHE_READ_FLG || new_state == CIFS_CACHE_RH_FLG) + return false; + } + + // lease state changes should not be possible without a valid epoch change + if (old_state != new_state) { + if (IS_SAME_EPOCH(new_epoch, old_epoch)) + return false; + } else { + if ((old_state & new_state) == CIFS_CACHE_RHW_FLG) { + if (!IS_SAME_EPOCH(new_epoch, old_epoch)) + return false; + } + } + + return true; +} + static void smb3_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, __u16 epoch, bool *purge_cache) { unsigned int old_oplock = cinode->oplock; + unsigned int new_oplock = oplock; + + if (!validate_lease_state_change(cinode->oplock, oplock, cinode->epoch, epoch)) { + cifs_dbg(FYI, "Invalid lease state change on inode %p\n", &cinode->netfs.inode); + return; + }
- smb21_set_oplock_level(cinode, oplock, epoch, purge_cache); + /* if the epoch returned by the server is older than the current one, + * the new lease state is stale. + * In this case, just retain the existing lease level. + */ + if (IS_NEWER_EPOCH(cinode->epoch, epoch)) { + cifs_dbg(FYI, + "Stale lease epoch received for inode %p, ignoring state change\n", + &cinode->netfs.inode); + return; + }
- if (purge_cache) { + if (purge_cache && old_oplock != 0) { *purge_cache = false; - if (old_oplock == CIFS_CACHE_READ_FLG) { - if (cinode->oplock == CIFS_CACHE_READ_FLG && - (epoch - cinode->epoch > 0)) - *purge_cache = true; - else if (cinode->oplock == CIFS_CACHE_RH_FLG && - (epoch - cinode->epoch > 1)) - *purge_cache = true; - else if (cinode->oplock == CIFS_CACHE_RHW_FLG && - (epoch - cinode->epoch > 1)) - *purge_cache = true; - else if (cinode->oplock == 0 && - (epoch - cinode->epoch > 0)) + + /* case 1: lease state remained the same, + * - if epoch change is 0, no action + * - if epoch change is > 0, purge cache + */ + if (old_oplock == new_oplock) { + if (IS_NEWER_EPOCH(epoch, cinode->epoch)) *purge_cache = true; - } else if (old_oplock == CIFS_CACHE_RH_FLG) { - if (cinode->oplock == CIFS_CACHE_RH_FLG && - (epoch - cinode->epoch > 0)) + } + + /* case 2: lease state upgraded, + * - if epoch change is 1, upgrade + * - if epoch change is > 1, upgrade and purge cache + * we do not handle lease upgrades, so just purging the cache is ok. + */ + else if (old_oplock == (new_oplock & old_oplock)) { + if (IS_NEWER_EPOCH(epoch-1, cinode->epoch)) *purge_cache = true; - else if (cinode->oplock == CIFS_CACHE_RHW_FLG && - (epoch - cinode->epoch > 1)) + } + + /* case 3: lease state downgraded, + * - if epoch change > 0, purge cache + */ + else { + if (IS_NEWER_EPOCH(epoch, cinode->epoch)) *purge_cache = true; } - cinode->epoch = epoch; } + + smb21_set_oplock_level(cinode, new_oplock, epoch, purge_cache); + cinode->epoch = epoch; }
#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
On 2/5/2025 1:50 AM, meetakshisetiyaoss@gmail.com wrote:
From: Meetakshi Setiya msetiya@microsoft.com
MS-SMB2 section 3.2.5.7.5 specifies that client must evaluate delta_epoch to compare the old and new epoch values. This delta_epoch takes care of lease epoch wraparounds (e.g. when the server resets the epoch from 65535 to 0). Currently, we just check if the old epoch is numerically less than the new epoch, which can cause problems when the server resets its epoch counter from 65535 to 0 - like causing the client (with current epoch > 0) to not change its lease state. This patch uses delta_epoch based comparisons while comparing lease epochs in smb3_downgrade_oplock and smb3_set_oplock_level.
Also, in the current code for smb3_set_oplock_level, the client changes the lease state for a file without comparing the epoch. This patch adds the delta_epoch comparision before updating the lease state, so that when the change in epoch is negative, the new lease state is invalid too. This can protect the client from having an inconsistent lease state because of a stale lease state change response.
This patch also adds additional validations to check if the lease state change is valid or not, before going through smb3_set_oplock_level.
Cc: stable@vger.kernel.org Signed-off-by: Meetakshi Setiya msetiya@microsoft.com Reviewed-by: Shyam Prasad N sprasad@microsoft.com
These changes look promising, but how have they been tested? I'm especially concerned with the cases where a lease update is becoming ignored. Combined with the rather subtle wraparound logic, that doesn't sound like these should go straight to stable.
I'll attempt to find time to review in more detail next week.
Tom.
fs/smb/client/cifsglob.h | 6 +++ fs/smb/client/smb2ops.c | 95 +++++++++++++++++++++++++++++++--------- 2 files changed, 80 insertions(+), 21 deletions(-)
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index 2c1b0438fe7d..4417fa46885f 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h @@ -1558,6 +1558,12 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file); #define CIFS_CACHE_HANDLE(cinode) (cinode->oplock & CIFS_CACHE_HANDLE_FLG) #define CIFS_CACHE_WRITE(cinode) ((cinode->oplock & CIFS_CACHE_WRITE_FLG) || (CIFS_SB(cinode->netfs.inode.i_sb)->mnt_cifs_flags & CIFS_MOUNT_RW_CACHE)) +#define IS_SAME_EPOCH(new, cur) ((__u16)new == (__u16)cur) +#define IS_NEWER_EPOCH(new, cur) (((short)((__u16)new - (__u16)cur) <= (short)32767) && ((__u16)new != (__u16)cur))
+bool validate_lease_state_change(__u32 old_state, __u32 new_state,
__u16 old_epoch, __u16 new_epoch);- /*
*/
- One of these for each file inode
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index ec36bed54b0b..6e0ce114fc08 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -3922,7 +3922,7 @@ smb3_downgrade_oplock(struct TCP_Server_Info *server, __u16 old_epoch = cinode->epoch; unsigned int new_state;
- if (epoch > old_epoch) {
- if (IS_NEWER_EPOCH(epoch, old_epoch)) { smb21_set_oplock_level(cinode, oplock, 0, NULL); cinode->epoch = epoch; }
@@ -3998,39 +3998,92 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, &cinode->netfs.inode); } +/* helper function to ascertain that the incoming lease state is valid */ +bool +validate_lease_state_change(__u32 old_state, __u32 new_state,
__u16 old_epoch, __u16 new_epoch)+{
- if (new_state == 0)
return true;- if (old_state == CIFS_CACHE_RH_FLG && new_state == CIFS_CACHE_READ_FLG)
return false;- if (old_state == CIFS_CACHE_RHW_FLG) {
if (new_state == CIFS_CACHE_READ_FLG || new_state == CIFS_CACHE_RH_FLG)return false;- }
- // lease state changes should not be possible without a valid epoch change
- if (old_state != new_state) {
if (IS_SAME_EPOCH(new_epoch, old_epoch))return false;- } else {
if ((old_state & new_state) == CIFS_CACHE_RHW_FLG) {if (!IS_SAME_EPOCH(new_epoch, old_epoch))return false;}- }
- return true;
+}
- static void smb3_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, __u16 epoch, bool *purge_cache) { unsigned int old_oplock = cinode->oplock;
- unsigned int new_oplock = oplock;
- if (!validate_lease_state_change(cinode->oplock, oplock, cinode->epoch, epoch)) {
cifs_dbg(FYI, "Invalid lease state change on inode %p\n", &cinode->netfs.inode);return;- }
- smb21_set_oplock_level(cinode, oplock, epoch, purge_cache);
- /* if the epoch returned by the server is older than the current one,
* the new lease state is stale.* In this case, just retain the existing lease level.*/- if (IS_NEWER_EPOCH(cinode->epoch, epoch)) {
cifs_dbg(FYI,"Stale lease epoch received for inode %p, ignoring state change\n",&cinode->netfs.inode);return;- }
- if (purge_cache) {
- if (purge_cache && old_oplock != 0) { *purge_cache = false;
if (old_oplock == CIFS_CACHE_READ_FLG) {if (cinode->oplock == CIFS_CACHE_READ_FLG &&(epoch - cinode->epoch > 0))*purge_cache = true;else if (cinode->oplock == CIFS_CACHE_RH_FLG &&(epoch - cinode->epoch > 1))*purge_cache = true;else if (cinode->oplock == CIFS_CACHE_RHW_FLG &&(epoch - cinode->epoch > 1))*purge_cache = true;else if (cinode->oplock == 0 &&(epoch - cinode->epoch > 0))
/* case 1: lease state remained the same,* - if epoch change is 0, no action* - if epoch change is > 0, purge cache*/if (old_oplock == new_oplock) {if (IS_NEWER_EPOCH(epoch, cinode->epoch)) *purge_cache = true;
} else if (old_oplock == CIFS_CACHE_RH_FLG) {if (cinode->oplock == CIFS_CACHE_RH_FLG &&(epoch - cinode->epoch > 0))
}/* case 2: lease state upgraded,* - if epoch change is 1, upgrade* - if epoch change is > 1, upgrade and purge cache* we do not handle lease upgrades, so just purging the cache is ok.*/else if (old_oplock == (new_oplock & old_oplock)) {if (IS_NEWER_EPOCH(epoch-1, cinode->epoch)) *purge_cache = true;
else if (cinode->oplock == CIFS_CACHE_RHW_FLG &&(epoch - cinode->epoch > 1))
}/* case 3: lease state downgraded,* - if epoch change > 0, purge cache*/else {if (IS_NEWER_EPOCH(epoch, cinode->epoch)) *purge_cache = true;
cinode->epoch = epoch;
- smb21_set_oplock_level(cinode, new_oplock, epoch, purge_cache);
- cinode->epoch = epoch; }
#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
linux-stable-mirror@lists.linaro.org
-
meetakshisetiyaoss@gmail.com -
Tom Talpey