ksmbd: prevent connection release during oplock break notification

ksmbd_work could be freed when after connection release.
Increment r_count of ksmbd_conn to indicate that requests
are not finished

ksmbd: prevent connection release during oplock break notification

ksmbd_work could be freed when after connection release.
Increment r_count of ksmbd_conn to indicate that requests
are not finished yet and to not release the connection.

Cc: [email protected]
Reported-by: Norbert Szetei <[email protected]>
Tested-by: Norbert Szetei <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix broken transfers when exceeding max simultaneous operations

Since commit 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB
operations"), ksmbd enforces a maximum number of simultan

ksmbd: fix broken transfers when exceeding max simultaneous operations

Since commit 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB
operations"), ksmbd enforces a maximum number of simultaneous operations
for a connection. The problem is that reaching the limit causes ksmbd to
close the socket, and the client has no indication that it should have
slowed down.

This behaviour can be reproduced by setting "smb2 max credits = 128" (or
lower), and transferring a large file (25GB).

smbclient fails as below:

$ smbclient //192.168.1.254/testshare -U user%pass
smb: \> put file.bin
cli_push returned NT_STATUS_USER_SESSION_DELETED
putting file file.bin as \file.bin smb2cli_req_compound_submit:
Insufficient credits. 0 available, 1 needed
NT_STATUS_INTERNAL_ERROR closing remote file \file.bin
smb: \> smb2cli_req_compound_submit: Insufficient credits. 0 available,
1 needed

Windows clients fail with 0x8007003b (with smaller files even).

Fix this by delaying reading from the socket until there's room to
allocate a request. This effectively applies backpressure on the client,
so the transfer completes, albeit at a slower rate.

Fixes: 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB operations")
Signed-off-by: Marios Makassikis <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix racy issue from session lookup and expire

Increment the session reference count within the lock for lookup to avoid
racy issue with session expire.

Cc: [email protected]
Reported-by

ksmbd: fix racy issue from session lookup and expire

Increment the session reference count within the lock for lookup to avoid
racy issue with session expire.

Cc: [email protected]
Reported-by: [email protected] # ZDI-CAN-25737
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix use-after-free in SMB request handling

A race condition exists between SMB request handling in
`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the
workqueue handler `handle

ksmbd: fix use-after-free in SMB request handling

A race condition exists between SMB request handling in
`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the
workqueue handler `handle_ksmbd_work()`. This leads to a UAF.
- KASAN: slab-use-after-free Read in handle_ksmbd_work
- KASAN: slab-use-after-free in rtlock_slowlock_locked

This race condition arises as follows:
- `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero:
`wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`
- Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using
`atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls
`ksmbd_conn_free()`, which frees `conn`.
- However, after `handle_ksmbd_work()` decrements `conn->r_count`,
it may still access `conn->r_count_q` in the following line:
`waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`
This results in a UAF, as `conn` has already been freed.

The discovery of this UAF can be referenced in the following PR for
syzkaller's support for SMB requests.
Link: https://github.com/google/syzkaller/pull/5524

Fixes: ee426bfb9d09 ("ksmbd: add refcnt to ksmbd_conn struct")
Cc: [email protected]
Cc: [email protected] # v6.6.55+, v6.10.14+, v6.11.3+
Cc: [email protected]
Signed-off-by: Yunseong Kim <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: use __GFP_RETRY_MAYFAIL

Prefer to report ENOMEM rather than incur the oom for allocations in
ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations
just too easily. __GFP_

ksmbd: use __GFP_RETRY_MAYFAIL

Prefer to report ENOMEM rather than incur the oom for allocations in
ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations
just too easily. __GFP_RETRY_MAYFAIL will keep retrying the allocation
until there is no more progress and fail the allocation instead go OOM
and let the caller to deal with it.

Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: check outstanding simultaneous SMB operations

If Client send simultaneous SMB operations to ksmbd, It exhausts too much
memory through the "ksmbd_work_cache”. It will cause OOM issue.
ksmbd h

ksmbd: check outstanding simultaneous SMB operations

If Client send simultaneous SMB operations to ksmbd, It exhausts too much
memory through the "ksmbd_work_cache”. It will cause OOM issue.
ksmbd has a credit mechanism but it can't handle this problem. This patch
add the check if it exceeds max credits to prevent this problem by assuming
that one smb request consumes at least one credit.

Cc: [email protected] # v5.15+
Reported-by: Norbert Szetei <[email protected]>
Tested-by: Norbert Szetei <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
It will avoid freeing session before calling smb3_preauth_hash_rsp().

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
It will avoid freeing session before calling smb3_preauth_hash_rsp().

Cc: [email protected] # v5.15+
Reported-by: Norbert Szetei <[email protected]>
Tested-by: Norbert Szetei <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix user-after-free from session log off

There is racy issue between smb2 session log off and smb2 session setup.
It will cause user-after-free from session log off.
This add session_lock whe

ksmbd: fix user-after-free from session log off

There is racy issue between smb2 session log off and smb2 session setup.
It will cause user-after-free from session log off.
This add session_lock when setting SMB2_SESSION_EXPIRED and referece
count to session struct not to free session while it is being used.

Cc: [email protected] # v5.15+
Reported-by: [email protected] # ZDI-CAN-25282
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: Correct typos in multiple comments across various files

Fixed some confusing typos that were currently identified witch codespell,
the details are as follows:

-in the code comments:
fs/smb/c

ksmbd: Correct typos in multiple comments across various files

Fixed some confusing typos that were currently identified witch codespell,
the details are as follows:

-in the code comments:
fs/smb/common/smb2pdu.h:9: specfication ==> specification
fs/smb/common/smb2pdu.h:494: usally ==> usually
fs/smb/common/smb2pdu.h:1064: Attrubutes ==> Attributes
fs/smb/server/connection.c:28: cleand ==> cleaned
fs/smb/server/ksmbd_netlink.h:216: struture ==> structure
fs/smb/server/oplock.c:799: conains ==> contains
fs/smb/server/oplock.c:1487: containted ==> contained
fs/smb/server/server.c:282: proccessing ==> processing
fs/smb/server/smb_common.c:491: comforms ==> conforms
fs/smb/server/xattr.h:102: ATTRIBUITE ==> ATTRIBUTE

Signed-off-by: Shen Lichuan <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

smb: move SMB2 Status code to common header file

There are only 4 different definitions between the client and server:

- STATUS_SERVER_UNAVAILABLE: from client/smb2status.h
- STATUS_FILE_NOT_AV

smb: move SMB2 Status code to common header file

There are only 4 different definitions between the client and server:

- STATUS_SERVER_UNAVAILABLE: from client/smb2status.h
- STATUS_FILE_NOT_AVAILABLE: from client/smb2status.h
- STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP: from server/smbstatus.h
- STATUS_INVALID_LOCK_RANGE: from server/smbstatus.h

Rename client/smb2status.h to common/smb2status.h, and merge the
2 different definitions of server to common header file.

Signed-off-by: ChenXiaoSong <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: add durable scavenger timer

Launch ksmbd-durable-scavenger kernel thread to scan durable fps that
have not been reclaimed by a client within the configured time.

Signed-off-by: Namjae Jeon <

ksmbd: add durable scavenger timer

Launch ksmbd-durable-scavenger kernel thread to scan durable fps that
have not been reclaimed by a client within the configured time.

Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf

If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
validation could be skipped. if request size is smaller than
sizeof(struct smb2_

ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf

If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
validation could be skipped. if request size is smaller than
sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in
smb2_allocate_rsp_buf(). This patch allocate response buffer after
decrypting transform request. smb3_decrypt_req() will validate transform
request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().

Reported-by: Norbert Szetei <[email protected]>
Cc: [email protected]
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: remove module version

ksmbd module version marking is not needed. Since there is a
Linux kernel version, there is no point in increasing it anymore.

Signed-off-by: Namjae Jeon <linkinjeon@ke

ksmbd: remove module version

ksmbd module version marking is not needed. Since there is a
Linux kernel version, there is no point in increasing it anymore.

Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix race condition between tree conn lookup and disconnect

if thread A in smb2_write is using work-tcon, other thread B use
smb2_tree_disconnect free the tcon, then thread A will use free'd t

ksmbd: fix race condition between tree conn lookup and disconnect

if thread A in smb2_write is using work-tcon, other thread B use
smb2_tree_disconnect free the tcon, then thread A will use free'd tcon.

Time
+
Thread A | Thread A
smb2_write | smb2_tree_disconnect
|
|
| kfree(tree_conn)
|
// UAF! |
work->tcon->share_conf |
+

This patch add state, reference count and lock for tree conn to fix race
condition issue.

Reported-by: luosili <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: return invalid parameter error response if smb2 request is invalid

If smb2 request from client is invalid, The following kernel oops could
happen. The patch e2b76ab8b5c9: "ksmbd: add support

ksmbd: return invalid parameter error response if smb2 request is invalid

If smb2 request from client is invalid, The following kernel oops could
happen. The patch e2b76ab8b5c9: "ksmbd: add support for read compound"
leads this issue. When request is invalid, It doesn't set anything in
the response buffer. This patch add missing set invalid parameter error
response.

[ 673.085542] ksmbd: cli req too short, len 184 not 142. cmd:5 mid:109
[ 673.085580] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 673.085591] #PF: supervisor read access in kernel mode
[ 673.085600] #PF: error_code(0x0000) - not-present page
[ 673.085608] PGD 0 P4D 0
[ 673.085620] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 673.085631] CPU: 3 PID: 1039 Comm: kworker/3:0 Not tainted 6.6.0-rc2-tmt #16
[ 673.085643] Hardware name: AZW U59/U59, BIOS JTKT001 05/05/2022
[ 673.085651] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 673.085719] RIP: 0010:ksmbd_conn_write+0x68/0xc0 [ksmbd]
[ 673.085808] RAX: 0000000000000000 RBX: ffff88811ade4f00 RCX: 0000000000000000
[ 673.085817] RDX: 0000000000000000 RSI: ffff88810c2a9780 RDI: ffff88810c2a9ac0
[ 673.085826] RBP: ffffc900005e3e00 R08: 0000000000000000 R09: 0000000000000000
[ 673.085834] R10: ffffffffa3168160 R11: 63203a64626d736b R12: ffff8881057c8800
[ 673.085842] R13: ffff8881057c8820 R14: ffff8882781b2380 R15: ffff8881057c8800
[ 673.085852] FS: 0000000000000000(0000) GS:ffff888278180000(0000) knlGS:0000000000000000
[ 673.085864] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 673.085872] CR2: 0000000000000000 CR3: 000000015b63c000 CR4: 0000000000350ee0
[ 673.085883] Call Trace:
[ 673.085890] <TASK>
[ 673.085900] ? show_regs+0x6a/0x80
[ 673.085916] ? __die+0x25/0x70
[ 673.085926] ? page_fault_oops+0x154/0x4b0
[ 673.085938] ? tick_nohz_tick_stopped+0x18/0x50
[ 673.085954] ? __irq_work_queue_local+0xba/0x140
[ 673.085967] ? do_user_addr_fault+0x30f/0x6c0
[ 673.085979] ? exc_page_fault+0x79/0x180
[ 673.085992] ? asm_exc_page_fault+0x27/0x30
[ 673.086009] ? ksmbd_conn_write+0x68/0xc0 [ksmbd]
[ 673.086067] ? ksmbd_conn_write+0x46/0xc0 [ksmbd]
[ 673.086123] handle_ksmbd_work+0x28d/0x4b0 [ksmbd]
[ 673.086177] process_one_work+0x178/0x350
[ 673.086193] ? __pfx_worker_thread+0x10/0x10
[ 673.086202] worker_thread+0x2f3/0x420
[ 673.086210] ? _raw_spin_unlock_irqrestore+0x27/0x50
[ 673.086222] ? __pfx_worker_thread+0x10/0x10
[ 673.086230] kthread+0x103/0x140
[ 673.086242] ? __pfx_kthread+0x10/0x10
[ 673.086253] ret_from_fork+0x39/0x60
[ 673.086263] ? __pfx_kthread+0x10/0x10
[ 673.086274] ret_from_fork_asm+0x1b/0x30

Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Reported-by: Tom Talpey <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: remove experimental warning

ksmbd has made significant improvements over the past two
years and is regularly tested and used. Remove the experimental
warning.

Acked-by: Namjae Jeon <linkinj

ksmbd: remove experimental warning

ksmbd has made significant improvements over the past two
years and is regularly tested and used. Remove the experimental
warning.

Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: add support for read compound

MacOS sends a compound request including read to the server
(e.g. open-read-close). So far, ksmbd has not handled read as
a compound request. For compatibility b

ksmbd: add support for read compound

MacOS sends a compound request including read to the server
(e.g. open-read-close). So far, ksmbd has not handled read as
a compound request. For compatibility between ksmbd and an OS that
supports SMB, This patch provides compound support for read requests.

Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: fix out of bounds in init_smb2_rsp_hdr()

If client send smb2 negotiate request and then send smb1 negotiate
request, init_smb2_rsp_hdr is called for smb1 negotiate request since
need_neg is s

ksmbd: fix out of bounds in init_smb2_rsp_hdr()

If client send smb2 negotiate request and then send smb1 negotiate
request, init_smb2_rsp_hdr is called for smb1 negotiate request since
need_neg is set to false. This patch ignore smb1 packets after ->need_neg
is set to false.

Reported-by: [email protected] # ZDI-CAN-21541
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

ksmbd: validate session id and tree id in the compound request

This patch validate session id and tree id in compound request.
If first operation in the compound is SMB2 ECHO request, ksmbd bypass
s

ksmbd: validate session id and tree id in the compound request

This patch validate session id and tree id in compound request.
If first operation in the compound is SMB2 ECHO request, ksmbd bypass
session and tree validation. So work->sess and work->tcon could be NULL.
If secound request in the compound access work->sess or tcon, It cause
NULL pointer dereferecing error.

Cc: [email protected]
Reported-by: [email protected] # ZDI-CAN-21165
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...

smb: move client and server files to common directory fs/smb

Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
and helper modules) to new fs/smb subdirectory:

fs/cifs --> fs/s

smb: move client and server files to common directory fs/smb

Move CIFS/SMB3 related client and server files (cifs.ko and ksmbd.ko
and helper modules) to new fs/smb subdirectory:

fs/cifs --> fs/smb/client
fs/ksmbd --> fs/smb/server
fs/smbfs_common --> fs/smb/common

Suggested-by: Linus Torvalds <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

show more ...