From: Jeff Layton <jlayton@redhat.com>
Date: Tue, 11 Dec 2007 10:05:52 -0500
Subject: [fs] cifs: buffer overflow due to corrupt response
Message-id: 1197385560-21991-8-git-send-email-jlayton@redhat.com
O-Subject: [RHEL5.2 PATCH 07/15] BZ#373001: [CIFS] Fix buffer overflow if server sends corrupt response to small request
Bugzilla: 373001
In SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
(MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers
(SMB worker functions) which are primarily affected by this change:
TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes,
Lock and PosixLock
CC: Dave Kleikamp <shaggy@austin.ibm.com>
CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index e75aa07..2cbe966 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -487,6 +487,17 @@ struct dir_notify_req {
#define CIFS_LARGE_BUFFER 2
#define CIFS_IOVEC 4 /* array of response buffers */
+/* Type of Request to SendReceive2 */
+#define CIFS_STD_OP 0 /* normal request timeout */
+#define CIFS_LONG_OP 1 /* long op (up to 45 sec, oplock time) */
+#define CIFS_VLONG_OP 2 /* sloow op - can take up to 180 seconds */
+#define CIFS_BLOCKING_OP 4 /* operation can block */
+#define CIFS_ASYNC_OP 8 /* do not wait for response */
+#define CIFS_TIMEOUT_MASK 0x00F /* only one of 5 above set in req */
+#define CIFS_LOG_ERROR 0x010 /* log NT STATUS if non-zero */
+#define CIFS_LARGE_BUF_OP 0x020 /* large request buffer */
+#define CIFS_NO_RESP 0x040 /* no response buffer required */
+
/* Security Flags: indicate type of session setup needed */
#define CIFSSEC_MAY_SIGN 0x00001
#define CIFSSEC_MAY_NTLM 0x00002
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index 063b604..24880ff 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -61,10 +61,11 @@ extern int SendReceive(const unsigned int /* xid */ , struct cifsSesInfo *,
struct smb_hdr * /* input */ ,
struct smb_hdr * /* out */ ,
int * /* bytes returned */ , const int long_op);
+extern int SendReceiveNoRsp(const unsigned int xid, struct cifsSesInfo *ses,
+ struct smb_hdr *in_buf, int flags);
extern int SendReceive2(const unsigned int /* xid */ , struct cifsSesInfo *,
struct kvec *, int /* nvec to send */,
- int * /* type of buf returned */ , const int long_op,
- const int logError /* whether to log status code*/ );
+ int * /* type of buf returned */ , const int flags);
extern int SendReceiveBlockingLock(const unsigned int /* xid */ ,
struct cifsTconInfo *,
struct smb_hdr * /* input */ ,
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index e62b2b7..d6e503d 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -693,9 +693,7 @@ int
CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
{
struct smb_hdr *smb_buffer;
- struct smb_hdr *smb_buffer_response; /* BB removeme BB */
int rc = 0;
- int length;
cFYI(1, ("In tree disconnect"));
/*
@@ -732,16 +730,12 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
if (rc) {
up(&tcon->tconSem);
return rc;
- } else {
- smb_buffer_response = smb_buffer; /* BB removeme BB */
}
- rc = SendReceive(xid, tcon->ses, smb_buffer, smb_buffer_response,
- &length, 0);
+
+ rc = SendReceiveNoRsp(xid, tcon->ses, smb_buffer, 0);
if (rc)
cFYI(1, ("Tree disconnect failed %d", rc));
- if (smb_buffer)
- cifs_small_buf_release(smb_buffer);
up(&tcon->tconSem);
/* No need to return error on this operation if tid invalidated and
@@ -755,10 +749,8 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
int
CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
{
- struct smb_hdr *smb_buffer_response;
LOGOFF_ANDX_REQ *pSMB;
int rc = 0;
- int length;
cFYI(1, ("In SMBLogoff for session disconnect"));
if (ses)
@@ -777,8 +769,6 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
return rc;
}
- smb_buffer_response = (struct smb_hdr *)pSMB; /* BB removeme BB */
-
if (ses->server) {
pSMB->hdr.Mid = GetNextMid(ses->server);
@@ -790,8 +780,7 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
pSMB->hdr.Uid = ses->Suid;
pSMB->AndXCommand = 0xFF;
- rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB,
- smb_buffer_response, &length, 0);
+ rc = SendReceiveNoRsp(xid, ses, (struct smb_hdr *) pSMB, 0);
if (ses->server) {
atomic_dec(&ses->server->socketUseCount);
if (atomic_read(&ses->server->socketUseCount) == 0) {
@@ -802,7 +791,6 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
}
}
up(&ses->sesSem);
- cifs_small_buf_release(pSMB);
/* if session dead then we do not need to do ulogoff,
since server closed smb session, no sense reporting
@@ -1250,7 +1238,7 @@ OldOpenRetry:
pSMB->ByteCount = cpu_to_le16(count);
/* long_op set to 1 to allow for oplock break timeouts */
rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, 1);
+ (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
cifs_stats_inc(&tcon->num_opens);
if (rc) {
cFYI(1, ("Error in Open = %d", rc));
@@ -1363,7 +1351,7 @@ openRetry:
pSMB->ByteCount = cpu_to_le16(count);
/* long_op set to 1 to allow for oplock break timeouts */
rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, 1);
+ (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
cifs_stats_inc(&tcon->num_opens);
if (rc) {
cFYI(1, ("Error in Open = %d", rc));
@@ -1441,7 +1429,7 @@ CIFSSMBRead(const int xid, struct cifsTconInfo *tcon, const int netfid,
iov[0].iov_base = (char *)pSMB;
iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
- &resp_buf_type, 0 /* not long op */, 1 /* log err */ );
+ &resp_buf_type, CIFS_STD_OP | CIFS_LOG_ERROR);
cifs_stats_inc(&tcon->num_reads);
pSMBr = (READ_RSP *)iov[0].iov_base;
if (rc) {
@@ -1660,7 +1648,7 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
rc = SendReceive2(xid, tcon->ses, iov, n_vec + 1, &resp_buf_type,
- long_op, 0 /* do not log STATUS code */ );
+ long_op);
cifs_stats_inc(&tcon->num_writes);
if (rc) {
cFYI(1, ("Send error Write2 = %d", rc));
@@ -1702,7 +1690,7 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
int timeout = 0;
__u16 count;
- cFYI(1, ("In CIFSSMBLock - timeout %d numLock %d", waitFlag, numLock));
+ cFYI(1, ("CIFSSMBLock timeout %d numLock %d", waitFlag, numLock));
rc = small_smb_init(SMB_COM_LOCKING_ANDX, 8, tcon, (void **) &pSMB);
if (rc)
@@ -1711,10 +1699,10 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
pSMBr = (LOCK_RSP *)pSMB; /* BB removeme BB */
if (lockType == LOCKING_ANDX_OPLOCK_RELEASE) {
- timeout = -1; /* no response expected */
+ timeout = CIFS_ASYNC_OP; /* no response expected */
pSMB->Timeout = 0;
} else if (waitFlag == TRUE) {
- timeout = 3; /* blocking operation, no timeout */
+ timeout = CIFS_BLOCKING_OP; /* blocking operation, no timeout */
pSMB->Timeout = cpu_to_le32(-1);/* blocking - do not time out */
} else {
pSMB->Timeout = 0;
@@ -1744,15 +1732,16 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
if (waitFlag) {
rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
(struct smb_hdr *) pSMBr, &bytes_returned);
+ cifs_small_buf_release(pSMB);
} else {
- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, timeout);
+ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *)pSMB,
+ timeout);
+ /* SMB buffer freed by function above */
}
cifs_stats_inc(&tcon->num_locks);
if (rc) {
cFYI(1, ("Send error in Lock = %d", rc));
}
- cifs_small_buf_release(pSMB);
/* Note: On -EAGAIN error only caller can retry on handle based calls
since file handle passed in no longer valid */
@@ -1771,7 +1760,9 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
int rc = 0;
int timeout = 0;
int bytes_returned = 0;
+ int resp_buf_type = 0;
__u16 params, param_offset, offset, byte_count, count;
+ struct kvec iov[1];
cFYI(1, ("Posix Lock"));
@@ -1813,7 +1804,7 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
parm_data->lock_type = cpu_to_le16(lock_type);
if (waitFlag) {
- timeout = 3; /* blocking operation, no timeout */
+ timeout = CIFS_BLOCKING_OP; /* blocking operation, no timeout */
parm_data->lock_flags = cpu_to_le16(1);
pSMB->Timeout = cpu_to_le32(-1);
} else
@@ -1833,8 +1824,13 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
(struct smb_hdr *) pSMBr, &bytes_returned);
} else {
- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, timeout);
+ iov[0].iov_base = (char *)pSMB;
+ iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
+ rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
+ &resp_buf_type, timeout);
+ pSMB = NULL; /* request buf already freed by SendReceive2. Do
+ not try to free it twice below on exit */
+ pSMBr = (struct smb_com_transaction2_sfi_rsp *)iov[0].iov_base;
}
if (rc) {
@@ -1869,6 +1865,11 @@ plk_err_exit:
if (pSMB)
cifs_small_buf_release(pSMB);
+ if (resp_buf_type == CIFS_SMALL_BUFFER)
+ cifs_small_buf_release(iov[0].iov_base);
+ else if (resp_buf_type == CIFS_LARGE_BUFFER)
+ cifs_buf_release(iov[0].iov_base);
+
/* Note: On -EAGAIN error only caller can retry on handle based calls
since file handle passed in no longer valid */
@@ -1881,8 +1882,6 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
{
int rc = 0;
CLOSE_REQ *pSMB = NULL;
- CLOSE_RSP *pSMBr = NULL;
- int bytes_returned;
cFYI(1, ("In CIFSSMBClose"));
/* do not retry on dead session on close */
@@ -1892,13 +1891,10 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
if (rc)
return rc;
- pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
-
pSMB->FileID = (__u16) smb_file_id;
pSMB->LastWriteTime = 0xFFFFFFFF;
pSMB->ByteCount = 0;
- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
+ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
cifs_stats_inc(&tcon->num_closes);
if (rc) {
if (rc != -EINTR) {
@@ -1907,8 +1903,6 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
}
}
- cifs_small_buf_release(pSMB);
-
/* Since session is dead, file will be closed on server already */
if (rc == -EAGAIN)
rc = 0;
@@ -3102,7 +3096,7 @@ CIFSSMBGetCIFSACL(const int xid, struct cifsTconInfo *tcon, __u16 fid,
iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovec */, &buf_type,
- 0 /* not long op */, 0 /* do not log STATUS codes */ );
+ CIFS_STD_OP);
cifs_stats_inc(&tcon->num_acl_get);
if (rc) {
cFYI(1, ("Send error in QuerySecDesc = %d", rc));
@@ -3746,8 +3740,6 @@ CIFSFindClose(const int xid, struct cifsTconInfo *tcon,
{
int rc = 0;
FINDCLOSE_REQ *pSMB = NULL;
- CLOSE_RSP *pSMBr = NULL; /* BB removeme BB */
- int bytes_returned;
cFYI(1, ("In CIFSSMBFindClose"));
rc = small_smb_init(SMB_COM_FIND_CLOSE2, 1, tcon, (void **)&pSMB);
@@ -3759,16 +3751,13 @@ CIFSFindClose(const int xid, struct cifsTconInfo *tcon,
if (rc)
return rc;
- pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
pSMB->FileID = searchHandle;
pSMB->ByteCount = 0;
- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
+ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
if (rc) {
cERROR(1, ("Send error in FindClose = %d", rc));
}
cifs_stats_inc(&tcon->num_fclose);
- cifs_small_buf_release(pSMB);
/* Since session is dead, search handle closed on server already */
if (rc == -EAGAIN)
@@ -4706,11 +4695,9 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
__u16 fid, __u32 pid_of_opener, int SetAllocation)
{
struct smb_com_transaction2_sfi_req *pSMB = NULL;
- struct smb_com_transaction2_sfi_rsp *pSMBr = NULL;
char *data_offset;
struct file_end_of_file_info *parm_data;
int rc = 0;
- int bytes_returned = 0;
__u16 params, param_offset, offset, byte_count, count;
cFYI(1, ("SetFileSize (via SetFileInfo) %lld",
@@ -4720,8 +4707,6 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
if (rc)
return rc;
- pSMBr = (struct smb_com_transaction2_sfi_rsp *)pSMB;
-
pSMB->hdr.Pid = cpu_to_le16((__u16)pid_of_opener);
pSMB->hdr.PidHigh = cpu_to_le16((__u16)(pid_of_opener >> 16));
@@ -4772,17 +4757,13 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
pSMB->Reserved4 = 0;
pSMB->hdr.smb_buf_length += byte_count;
pSMB->ByteCount = cpu_to_le16(byte_count);
- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
+ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
if (rc) {
cFYI(1,
("Send error in SetFileInfo (SetFileSize) = %d",
rc));
}
- if (pSMB)
- cifs_small_buf_release(pSMB);
-
/* Note: On -EAGAIN error only caller can retry on handle based calls
since file handle passed in no longer valid */
@@ -4800,10 +4781,8 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
const FILE_BASIC_INFO *data, __u16 fid)
{
struct smb_com_transaction2_sfi_req *pSMB = NULL;
- struct smb_com_transaction2_sfi_rsp *pSMBr = NULL;
char *data_offset;
int rc = 0;
- int bytes_returned = 0;
__u16 params, param_offset, offset, byte_count, count;
cFYI(1, ("Set Times (via SetFileInfo)"));
@@ -4812,8 +4791,6 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
if (rc)
return rc;
- pSMBr = (struct smb_com_transaction2_sfi_rsp *)pSMB;
-
/* At this point there is no need to override the current pid
with the pid of the opener, but that could change if we someday
use an existing handle (rather than opening one on the fly) */
@@ -4853,14 +4830,11 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
pSMB->hdr.smb_buf_length += byte_count;
pSMB->ByteCount = cpu_to_le16(byte_count);
memcpy(data_offset, data, sizeof(FILE_BASIC_INFO));
- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
+ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
if (rc) {
cFYI(1, ("Send error in Set Time (SetFileInfo) = %d", rc));
}
- cifs_small_buf_release(pSMB);
-
/* Note: On -EAGAIN error only caller can retry on handle based calls
since file handle passed in no longer valid */
@@ -5151,7 +5125,8 @@ int CIFSSMBNotify(const int xid, struct cifsTconInfo *tcon,
pSMB->ByteCount = 0;
rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
- (struct smb_hdr *) pSMBr, &bytes_returned, -1);
+ (struct smb_hdr *)pSMBr, &bytes_returned,
+ CIFS_ASYNC_OP);
if (rc) {
cFYI(1, ("Error in Notify = %d", rc));
} else {
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 60dc369..3b0aab6 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2464,7 +2464,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
pSMB->req_no_secext.ByteCount = cpu_to_le16(count);
rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
- &bytes_returned, 1);
+ &bytes_returned, CIFS_LONG_OP);
if (rc) {
/* rc = map_smb_to_linux_error(smb_buffer_response); now done in SendReceive */
} else if ((smb_buffer_response->WordCount == 3)
@@ -2779,7 +2779,7 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
pSMB->req.ByteCount = cpu_to_le16(count);
rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
- &bytes_returned, 1);
+ &bytes_returned, CIFS_LONG_OP);
if (smb_buffer_response->Status.CifsError ==
cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
@@ -3218,7 +3218,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
pSMB->req.ByteCount = cpu_to_le16(count);
rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
- &bytes_returned, 1);
+ &bytes_returned, CIFS_LONG_OP);
if (rc) {
/* rc = map_smb_to_linux_error(smb_buffer_response); *//* done in SendReceive now */
} else if ((smb_buffer_response->WordCount == 3)
@@ -3499,7 +3499,8 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
pSMB->hdr.smb_buf_length += count;
pSMB->ByteCount = cpu_to_le16(count);
- rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length, 0);
+ rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length,
+ CIFS_STD_OP);
/* if (rc) rc = map_smb_to_linux_error(smb_buffer_response); */
/* above now done in SendReceive */
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index b72bba1..482aba3 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -955,9 +955,9 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
#else
if (*poffset > file->f_path.dentry->d_inode->i_size)
#endif
- long_op = 2; /* writes past end of file can take a long time */
+ long_op = CIFS_VLONG_OP; /* writes past EOF can be slow */
else
- long_op = 1;
+ long_op = CIFS_LONG_OP;
for (total_written = 0; write_size > total_written;
total_written += bytes_written) {
@@ -1004,7 +1004,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
}
} else
*poffset += bytes_written;
- long_op = FALSE; /* subsequent writes fast -
+ long_op = CIFS_STD_OP; /* subsequent writes fast -
15 seconds is plenty */
}
@@ -1087,9 +1087,9 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
if (*poffset > file->f_path.dentry->d_inode->i_size)
#endif
- long_op = 2; /* writes past end of file can take a long time */
+ long_op = CIFS_VLONG_OP; /* writes past EOF take long time */
else
- long_op = 1;
+ long_op = CIFS_LONG_OP;
for (total_written = 0; write_size > total_written;
total_written += bytes_written) {
@@ -1155,7 +1155,7 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
}
} else
*poffset += bytes_written;
- long_op = FALSE; /* subsequent writes fast -
+ long_op = CIFS_STD_OP; /* subsequent writes fast -
15 seconds is plenty */
}
@@ -1501,7 +1501,7 @@ retry:
open_file->netfid,
bytes_to_write, offset,
&bytes_written, iov, n_iov,
- 1);
+ CIFS_LONG_OP);
atomic_dec(&open_file->wrtPending);
if (rc || bytes_written < bytes_to_write) {
cERROR(1, ("Write2 ret %d, wrote %d",
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index a63e61d..e1f6b34 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -501,7 +501,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
iov[1].iov_base = str_area;
iov[1].iov_len = count;
rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type,
- 0 /* not long op */, 1 /* log NT STATUS if any */ );
+ CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
/* SMB request buf freed in SendReceive2 */
cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index 06e5e0c..d02e373 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -358,7 +358,7 @@ smb_send2(struct socket *ssocket, struct kvec *iov, int n_vec,
static int wait_for_free_request(struct cifsSesInfo *ses, const int long_op)
{
- if (long_op == -1) {
+ if (long_op == CIFS_ASYNC_OP) {
/* oplock breaks must not be held up */
atomic_inc(&ses->server->inFlight);
} else {
@@ -387,7 +387,7 @@ static int wait_for_free_request(struct cifsSesInfo *ses, const int long_op)
as they are allowed to block on server */
/* update # of requests on the wire to server */
- if (long_op < 3)
+ if (long_op != CIFS_BLOCKING_OP)
atomic_inc(&ses->server->inFlight);
spin_unlock(&GlobalMid_Lock);
break;
@@ -465,17 +465,48 @@ static int wait_for_response(struct cifsSesInfo *ses,
}
}
+
+/*
+ *
+ * Send an SMB Request. No response info (other than return code)
+ * needs to be parsed.
+ *
+ * flags indicate the type of request buffer and how long to wait
+ * and whether to log NT STATUS code (error) before mapping it to POSIX error
+ *
+ */
+int
+SendReceiveNoRsp(const unsigned int xid, struct cifsSesInfo *ses,
+ struct smb_hdr *in_buf, int flags)
+{
+ int rc;
+ struct kvec iov[1];
+ int resp_buf_type;
+
+ iov[0].iov_base = (char *)in_buf;
+ iov[0].iov_len = in_buf->smb_buf_length + 4;
+ flags |= CIFS_NO_RESP;
+ rc = SendReceive2(xid, ses, iov, 1, &resp_buf_type, flags);
+#ifdef CONFIG_CIFS_DEBUG2
+ cFYI(1, ("SendRcvNoR flags %d rc %d", flags, rc));
+#endif
+ return rc;
+}
+
int
SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
struct kvec *iov, int n_vec, int *pRespBufType /* ret */,
- const int long_op, const int logError)
+ const int flags)
{
int rc = 0;
+ int long_op;
unsigned int receive_len;
unsigned long timeout;
struct mid_q_entry *midQ;
struct smb_hdr *in_buf = iov[0].iov_base;
+ long_op = flags & CIFS_TIMEOUT_MASK;
+
*pRespBufType = CIFS_NO_BUFFER; /* no response buf yet */
if ((ses == NULL) || (ses->server == NULL)) {
@@ -533,15 +564,22 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
if (rc < 0)
goto out;
- if (long_op == -1)
- goto out;
- else if (long_op == 2) /* writes past end of file can take loong time */
+ if (long_op == CIFS_STD_OP)
+ timeout = 15 * HZ;
+ else if (long_op == CIFS_VLONG_OP) /* e.g. slow writes past EOF */
timeout = 180 * HZ;
- else if (long_op == 1)
+ else if (long_op == CIFS_LONG_OP)
timeout = 45 * HZ; /* should be greater than
servers oplock break timeout (about 43 seconds) */
- else
- timeout = 15 * HZ;
+ else if (long_op == CIFS_ASYNC_OP)
+ goto out;
+ else if (long_op == CIFS_BLOCKING_OP)
+ timeout = 0x7FFFFFFF; /* large, but not so large as to wrap */
+ else {
+ cERROR(1, ("unknown timeout flag %d", long_op));
+ rc = -EIO;
+ goto out;
+ }
/* wait for 15 seconds or until woken up due to response arriving or
due to last connection to this server being unmounted */
@@ -616,7 +654,8 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
}
/* BB special case reconnect tid and uid here? */
- rc = map_smb_to_linux_error(midQ->resp_buf, logError);
+ rc = map_smb_to_linux_error(midQ->resp_buf,
+ flags & CIFS_LOG_ERROR);
/* convert ByteCount if necessary */
if (receive_len >= sizeof(struct smb_hdr) - 4
@@ -624,8 +663,10 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
(2 * midQ->resp_buf->WordCount) + 2 /* bcc */ )
BCC(midQ->resp_buf) =
le16_to_cpu(BCC_LE(midQ->resp_buf));
- midQ->resp_buf = NULL; /* mark it so will not be freed
- by DeleteMidQEntry */
+ if ((flags & CIFS_NO_RESP) == 0)
+ midQ->resp_buf = NULL; /* mark it so buf will
+ not be freed by
+ DeleteMidQEntry */
} else {
rc = -EIO;
cFYI(1, ("Bad MID state?"));
@@ -713,17 +754,25 @@ SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
if (rc < 0)
goto out;
- if (long_op == -1)
+ if (long_op == CIFS_STD_OP)
+ timeout = 15 * HZ;
+ /* wait for 15 seconds or until woken up due to response arriving or
+ due to last connection to this server being unmounted */
+ else if (long_op == CIFS_ASYNC_OP)
goto out;
- else if (long_op == 2) /* writes past end of file can take loong time */
+ else if (long_op == CIFS_VLONG_OP) /* writes past EOF can be slow */
timeout = 180 * HZ;
- else if (long_op == 1)
+ else if (long_op == CIFS_LONG_OP)
timeout = 45 * HZ; /* should be greater than
servers oplock break timeout (about 43 seconds) */
- else
- timeout = 15 * HZ;
- /* wait for 15 seconds or until woken up due to response arriving or
- due to last connection to this server being unmounted */
+ else if (long_op == CIFS_BLOCKING_OP)
+ timeout = 0x7FFFFFFF; /* large but no so large as to wrap */
+ else {
+ cERROR(1, ("unknown timeout flag %d", long_op));
+ rc = -EIO;
+ goto out;
+ }
+
if (signal_pending(current)) {
/* if signal pending do not hold up user for full smb timeout
but we still give response a chance to complete */
@@ -862,7 +911,7 @@ send_lock_cancel(const unsigned int xid, struct cifsTconInfo *tcon,
pSMB->hdr.Mid = GetNextMid(ses->server);
return SendReceive(xid, ses, in_buf, out_buf,
- &bytes_returned, 0);
+ &bytes_returned, CIFS_STD_OP);
}
int
@@ -894,7 +943,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
to the same server. We may make this configurable later or
use ses->maxReq */
- rc = wait_for_free_request(ses, 3);
+ rc = wait_for_free_request(ses, CIFS_BLOCKING_OP);
if (rc)
return rc;
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
27922b4260f65d317aabda37e42bbbff
>
files
>
882
