From 637a1c1c0abb02015d05c1240a1471968002b433 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong Date: Thu, 17 Apr 2025 17:01:21 +0800 Subject: [PATCH 1/4] Revert "cifs: Prevent NULL pointer dereference caused by cifs_sb->rsize is 0" hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC1OPD CVE: NA -------------------------------- This reverts commit 799fe5b5c36147d8f7eaadbe982efffcb85eddfc. There is already a community solution, so choose to revert this temporary solution and adopt the community solution. Fixes: 799fe5b5c361 ("cifs: Prevent NULL pointer dereference caused by cifs_sb->rsize is 0") Signed-off-by: Wang Zhaolong --- fs/cifs/connect.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index b6db874d19d5..fd4ec5bd35f6 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -4244,11 +4244,6 @@ cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info) cifs_sb->wsize = server->ops->negotiate_wsize(tcon, volume_info); cifs_sb->rsize = server->ops->negotiate_rsize(tcon, volume_info); - if (cifs_sb->rsize == 0) { - cifs_dbg(VFS, "Negotiated rsize is 0, mount failed\n"); - rc = -EINVAL; - goto mount_fail_check; - } remote_path_check: #ifdef CONFIG_CIFS_DFS_UPCALL -- Gitee From 6f1080c4eb44c5aa386cbbebf1b70da870a7eabc Mon Sep 17 00:00:00 2001 From: Wang Zhaolong Date: Thu, 17 Apr 2025 17:01:22 +0800 Subject: [PATCH 2/4] smb:client: smb: client: Add reverse mapping from tcon to superblocks mainline inclusion from mainline-v6.15-rc1 commit a091d9711bdee46a76fa14fad31cb261a6dad74a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC1OPD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a091d9711bdee46a76fa14fad31cb261a6dad74a -------------------------------- Currently, when a SMB connection is reset and renegotiated with the server, there's no way to update all related mount points with new negotiated sizes. This is because while superblocks (cifs_sb_info) maintain references to tree connections (tcon) through tcon_link structures, there is no reverse mapping from a tcon back to all the superblocks using it. This patch adds a bidirectional relationship between tcon and cifs_sb_info structures by: 1. Adding a cifs_sb_list to tcon structure with appropriate locking 2. Adding tcon_sb_link to cifs_sb_info to join the list 3. Managing the list entries during mount and umount operations The bidirectional relationship enables future functionality to locate and update all superblocks connected to a specific tree connection, such as: - Updating negotiated parameters after reconnection - Efficiently notifying all affected mounts of capability changes This is the first part of a series to improve connection resilience by keeping all mount parameters in sync with server capabilities after reconnection. Signed-off-by: Wang Zhaolong Signed-off-by: Steve French Conflicts: fs/cifs/cifs_fs_sb.h fs/cifs/cifsglob.h fs/cifs/connect.c fs/cifs/misc.c fs/smb/client/cifs_fs_sb.h fs/smb/client/cifsglob.h fs/smb/client/connect.c fs/smb/client/misc.c [The mainline code has already undergone multiple refactoring sessions.] Signed-off-by: Wang Zhaolong --- fs/cifs/cifs_fs_sb.h | 1 + fs/cifs/cifsglob.h | 3 ++- fs/cifs/connect.c | 15 +++++++++++++++ fs/cifs/misc.c | 2 ++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h index aba2b48d4da1..790347e16841 100644 --- a/fs/cifs/cifs_fs_sb.h +++ b/fs/cifs/cifs_fs_sb.h @@ -54,6 +54,7 @@ struct cifs_sb_info { struct rb_root tlink_tree; + struct list_head tcon_sb_link; spinlock_t tlink_tree_lock; struct tcon_link *master_tlink; struct nls_table *local_nls; diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index f9abe37c549c..3bd4e369f91a 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -1023,7 +1023,8 @@ struct cifs_tcon { #endif struct list_head pending_opens; /* list of incomplete opens */ struct cached_fid crfid; /* Cached root fid */ - /* BB add field for back pointer to sb struct(s)? */ + struct list_head cifs_sb_list; + spinlock_t sb_list_lock; }; /* diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index fd4ec5bd35f6..2861dd569d41 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -3837,6 +3837,7 @@ int cifs_setup_cifs_sb(struct smb_vol *pvolume_info, struct cifs_sb_info *cifs_sb) { INIT_DELAYED_WORK(&cifs_sb->prune_tlinks, cifs_prune_tlinks); + INIT_LIST_HEAD(&cifs_sb->tcon_sb_link); spin_lock_init(&cifs_sb->tlink_tree_lock); cifs_sb->tlink_tree = RB_ROOT; @@ -4347,6 +4348,10 @@ cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info) tlink_rb_insert(&cifs_sb->tlink_tree, tlink); spin_unlock(&cifs_sb->tlink_tree_lock); + spin_lock(&tcon->sb_list_lock); + list_add(&cifs_sb->tcon_sb_link, &tcon->cifs_sb_list); + spin_unlock(&tcon->sb_list_lock); + queue_delayed_work(cifsiod_wq, &cifs_sb->prune_tlinks, TLINK_IDLE_EXPIRE); @@ -4544,9 +4549,19 @@ cifs_umount(struct cifs_sb_info *cifs_sb) struct rb_root *root = &cifs_sb->tlink_tree; struct rb_node *node; struct tcon_link *tlink; + struct cifs_tcon *tcon = NULL; cancel_delayed_work_sync(&cifs_sb->prune_tlinks); + if (cifs_sb->master_tlink) { + tcon = cifs_sb->master_tlink->tl_tcon; + if (tcon) { + spin_lock(&tcon->sb_list_lock); + list_del_init(&cifs_sb->tcon_sb_link); + spin_unlock(&tcon->sb_list_lock); + } + } + spin_lock(&cifs_sb->tlink_tree_lock); while ((node = rb_first(root))) { tlink = rb_entry(node, struct tcon_link, tl_rbnode); diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index a1563987de48..006f05ad2b80 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c @@ -126,7 +126,9 @@ tconInfoAlloc(void) ++ret_buf->tc_count; INIT_LIST_HEAD(&ret_buf->openFileList); INIT_LIST_HEAD(&ret_buf->tcon_list); + INIT_LIST_HEAD(&ret_buf->cifs_sb_list); spin_lock_init(&ret_buf->open_file_lock); + spin_lock_init(&ret_buf->sb_list_lock); mutex_init(&ret_buf->crfid.fid_mutex); spin_lock_init(&ret_buf->stat_lock); -- Gitee From 0bdd8f55af6b7cb75565f528a6ef2950feb40169 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong Date: Thu, 17 Apr 2025 17:01:23 +0800 Subject: [PATCH 3/4] smb: client: Store original IO parameters and prevent zero IO sizes mainline inclusion from mainline-v6.15-rc1 commit 287906b20035a04a234d1a3c64f760a5678387be category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC1OPD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=287906b20035a04a234d1a3c64f760a5678387be -------------------------------- During mount option processing and negotiation with the server, the original user-specified rsize/wsize values were being modified directly. This makes it impossible to recover these values after a connection reset, leading to potential degraded performance after reconnection. The other problem is that When negotiating read and write sizes, there are cases where the negotiated values might calculate to zero, especially during reconnection when server->max_read or server->max_write might be reset. In general, these values come from the negotiation response. According to MS-SMB2 specification, these values should be at least 65536 bytes. This patch improves IO parameter handling: 1. Adds vol_rsize and vol_wsize fields to store the original user-specified values separately from the negotiated values 2. Uses got_rsize/got_wsize flags to determine if values were user-specified rather than checking for non-zero values, which is more reliable 3. Adds a prevent_zero_iosize() helper function to ensure IO sizes are never negotiated down to zero, which could happen in edge cases like when server->max_read/write is zero The changes make the CIFS client more resilient to unusual server responses and reconnection scenarios, preventing potential failures when IO sizes are calculated to be zero. Signed-off-by: Wang Zhaolong Signed-off-by: Steve French Conflicts: fs/cifs/fs_context.c fs/cifs/fs_context.h fs/cifs/smb1ops.c fs/cifs/smb2ops.c fs/cifs/cifsglob.h fs/cifs/connect.c fs/cifs/cifs_fs_sb.h fs/smb/client/fs_context.c fs/smb/client/fs_context.h fs/smb/client/smb1ops.c fs/smb/client/smb2ops.c fs/smb/common/smb2pdu.h [The mainline code has already undergone multiple refactoring sessions.] Signed-off-by: Wang Zhaolong --- fs/cifs/cifs_fs_sb.h | 2 ++ fs/cifs/cifsglob.h | 9 +++++++-- fs/cifs/connect.c | 7 +++++-- fs/cifs/smb1ops.c | 10 +++++----- fs/cifs/smb2ops.c | 23 +++++++++++++++++------ 5 files changed, 36 insertions(+), 15 deletions(-) diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h index 790347e16841..dca293d67f5b 100644 --- a/fs/cifs/cifs_fs_sb.h +++ b/fs/cifs/cifs_fs_sb.h @@ -60,6 +60,8 @@ struct cifs_sb_info { struct nls_table *local_nls; unsigned int rsize; unsigned int wsize; + unsigned int vol_rsize; + unsigned int vol_wsize; unsigned long actimeo; /* attribute cache timeout (jiffies) */ atomic_t active; kuid_t mnt_uid; diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 3bd4e369f91a..08e9edbd8337 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -269,9 +269,11 @@ struct smb_version_operations { /* negotiate to the server */ int (*negotiate)(const unsigned int, struct cifs_ses *); /* set negotiated write size */ - unsigned int (*negotiate_wsize)(struct cifs_tcon *, struct smb_vol *); + unsigned int (*negotiate_wsize)(struct cifs_tcon *tcon, + unsigned int vol_wsize); /* set negotiated read size */ - unsigned int (*negotiate_rsize)(struct cifs_tcon *, struct smb_vol *); + unsigned int (*negotiate_rsize)(struct cifs_tcon *tcon, + unsigned int vol_rsize); /* setup smb sessionn */ int (*sess_setup)(const unsigned int, struct cifs_ses *, const struct nls_table *); @@ -818,6 +820,9 @@ compare_mid(__u16 mid, const struct smb_hdr *smb) */ #define CIFS_DEFAULT_IOSIZE (1024 * 1024) +/* According to MS-SMB2 specification The minimum recommended value is 65536.*/ +#define CIFS_MIN_DEFAULT_IOSIZE (65536) + /* * Windows only supports a max of 60kb reads and 65535 byte writes. Default to * those values when posix extensions aren't in force. In actuality here, we diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 2861dd569d41..4f4889b8992d 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -3849,6 +3849,9 @@ int cifs_setup_cifs_sb(struct smb_vol *pvolume_info, cifs_sb->rsize = pvolume_info->rsize; cifs_sb->wsize = pvolume_info->wsize; + cifs_sb->vol_rsize = pvolume_info->rsize; + cifs_sb->vol_wsize = pvolume_info->wsize; + cifs_sb->mnt_uid = pvolume_info->linux_uid; cifs_sb->mnt_gid = pvolume_info->linux_gid; cifs_sb->mnt_file_mode = pvolume_info->file_mode; @@ -4243,8 +4246,8 @@ cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info) if (!tcon->pipe && server->ops->qfs_tcon) server->ops->qfs_tcon(xid, tcon); - cifs_sb->wsize = server->ops->negotiate_wsize(tcon, volume_info); - cifs_sb->rsize = server->ops->negotiate_rsize(tcon, volume_info); + cifs_sb->wsize = server->ops->negotiate_wsize(tcon, cifs_sb->vol_wsize); + cifs_sb->rsize = server->ops->negotiate_rsize(tcon, cifs_sb->vol_rsize); remote_path_check: #ifdef CONFIG_CIFS_DFS_UPCALL diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c index c7f0c8566442..774043781e85 100644 --- a/fs/cifs/smb1ops.c +++ b/fs/cifs/smb1ops.c @@ -442,15 +442,15 @@ cifs_negotiate(const unsigned int xid, struct cifs_ses *ses) } static unsigned int -cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) +cifs_negotiate_wsize(struct cifs_tcon *tcon, unsigned int vol_wsize) { __u64 unix_cap = le64_to_cpu(tcon->fsUnixInfo.Capability); struct TCP_Server_Info *server = tcon->ses->server; unsigned int wsize; /* start with specified wsize, or default */ - if (volume_info->wsize) - wsize = volume_info->wsize; + if (vol_wsize) + wsize = vol_wsize; else if (tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP)) wsize = CIFS_DEFAULT_IOSIZE; else @@ -477,7 +477,7 @@ cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) } static unsigned int -cifs_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) +cifs_negotiate_rsize(struct cifs_tcon *tcon, unsigned int vol_rsize) { __u64 unix_cap = le64_to_cpu(tcon->fsUnixInfo.Capability); struct TCP_Server_Info *server = tcon->ses->server; @@ -502,7 +502,7 @@ cifs_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) else defsize = server->maxBuf - sizeof(READ_RSP); - rsize = volume_info->rsize ? volume_info->rsize : defsize; + rsize = vol_rsize ? vol_rsize : defsize; /* * no CAP_LARGE_READ_X? Then MS-CIFS states that we must limit this to diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 58d9554e74ce..193bfdc9d1d7 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -273,14 +273,25 @@ smb2_negotiate(const unsigned int xid, struct cifs_ses *ses) return rc; } +static inline unsigned int +prevent_zero_iosize(unsigned int size, const char *type) +{ + if (size == 0) { + cifs_dbg(VFS, "SMB: Zero %ssize calculated, using minimum value %u\n", + type, CIFS_MIN_DEFAULT_IOSIZE); + return CIFS_MIN_DEFAULT_IOSIZE; + } + return size; +} + static unsigned int -smb2_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) +smb2_negotiate_wsize(struct cifs_tcon *tcon, unsigned int vol_wsize) { struct TCP_Server_Info *server = tcon->ses->server; unsigned int wsize; /* start with specified wsize, or default */ - wsize = volume_info->wsize ? volume_info->wsize : CIFS_DEFAULT_IOSIZE; + wsize = vol_wsize ? vol_wsize : CIFS_DEFAULT_IOSIZE; wsize = min_t(unsigned int, wsize, server->max_write); #ifdef CONFIG_CIFS_SMB_DIRECT if (server->rdma) { @@ -295,17 +306,17 @@ smb2_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) wsize = min_t(unsigned int, wsize, SMB2_MAX_BUFFER_SIZE); - return wsize; + return prevent_zero_iosize(wsize, "w"); } static unsigned int -smb2_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) +smb2_negotiate_rsize(struct cifs_tcon *tcon, unsigned int vol_rsize) { struct TCP_Server_Info *server = tcon->ses->server; unsigned int rsize; /* start with specified rsize, or default */ - rsize = volume_info->rsize ? volume_info->rsize : CIFS_DEFAULT_IOSIZE; + rsize = vol_rsize ? vol_rsize : CIFS_DEFAULT_IOSIZE; rsize = min_t(unsigned int, rsize, server->max_read); #ifdef CONFIG_CIFS_SMB_DIRECT if (server->rdma) { @@ -321,7 +332,7 @@ smb2_negotiate_rsize(struct cifs_tcon *tcon, struct smb_vol *volume_info) if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) rsize = min_t(unsigned int, rsize, SMB2_MAX_BUFFER_SIZE); - return rsize; + return prevent_zero_iosize(rsize, "r"); } -- Gitee From f416230223880e17e309e6ef21b7908673441ed9 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong Date: Thu, 17 Apr 2025 17:01:24 +0800 Subject: [PATCH 4/4] smb: client: Update IO sizes after reconnection mainline inclusion from mainline-v6.15-rc1 commit 764da2fff399756d09b02db7fa7bd05e57928cc0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC1OPD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=764da2fff399756d09b02db7fa7bd05e57928cc0 -------------------------------- When a SMB connection is reset and reconnected, the negotiated IO parameters (rsize/wsize) can become out of sync with the server's current capabilities. This can lead to suboptimal performance or even IO failures if the server's limits have changed. This patch implements automatic IO size renegotiation: 1. Adds cifs_renegotiate_iosize() function to update all superblocks associated with a tree connection 2. Updates each mount's rsize/wsize based on current server capabilities 3. Calls this function after successful tree connection reconnection With this change, all mount points will automatically maintain optimal and reliable IO parameters after network disruptions, using the bidirectional mapping added in previous patches. This completes the series improving connection resilience by keeping mount parameters synchronized with server capabilities. Signed-off-by: Wang Zhaolong Signed-off-by: Steve French Conflicts: fs/cifs/smb2pdu.c fs/smb/client/smb2pdu.c [The mainline code has already undergone multiple refactoring sessions.] Signed-off-by: Wang Zhaolong --- fs/cifs/smb2pdu.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index a115db50be85..e8304a44d9d8 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -152,6 +152,24 @@ smb2_hdr_assemble(struct smb2_sync_hdr *shdr, __le16 smb2_cmd, return; } +static void cifs_renegotiate_iosize(struct TCP_Server_Info *server, + struct cifs_tcon *tcon) +{ + struct cifs_sb_info *cifs_sb; + + if (server == NULL || tcon == NULL) + return; + + spin_lock(&tcon->sb_list_lock); + list_for_each_entry(cifs_sb, &tcon->cifs_sb_list, tcon_sb_link) { + cifs_sb->rsize = + server->ops->negotiate_rsize(tcon, cifs_sb->rsize); + cifs_sb->wsize = + server->ops->negotiate_wsize(tcon, cifs_sb->wsize); + } + spin_unlock(&tcon->sb_list_lock); +} + static int smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) { @@ -2942,10 +2960,12 @@ void smb2_reconnect_server(struct work_struct *work) list_for_each_entry_safe(tcon, tcon2, &tmp_list, rlist) { rc = smb2_reconnect(SMB2_INTERNAL_CMD, tcon); - if (!rc) + if (!rc) { + cifs_renegotiate_iosize(server, tcon); cifs_reopen_persistent_handles(tcon); - else + } else { resched = true; + } list_del_init(&tcon->rlist); if (tcon->ipc) cifs_put_smb_ses(tcon->ses); -- Gitee