--- /dev/null
+From stable-bounces@linux.kernel.org Mon Dec 17 12:35:33 2007
+From: Steve French <sfrench@us.ibm.com>
+Date: Mon, 17 Dec 2007 21:01:23 +0100
+Subject: CIFS: Fix buffer overflow if server sends corrupt response to small request (CVE-2007-5904)
+To: stable@kernel.org
+Cc: Steve French <sfrench@us.ibm.com>
+Message-ID: <20071217200123.GE17669@stro.at>
+Content-Disposition: inline
+
+From: Steve French <sfrench@us.ibm.com>
+
+patch 133672efbc1085f9af990bdc145e1822ea93bcf3 in mainline.
+
+[CIFS] Fix buffer overflow if server sends corrupt response to small request
+
+In SendReceive() function in transport.c - it memcpy's
+message payload into a buffer passed via out_buf param. The function
+assumes that all buffers are of size (CIFSMaxBufSize +
+MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
+(MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers
+(SMB worker functions) which are primarily affected by this change:
+
+TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes,
+Lock and PosixLock
+
+CC: Dave Kleikamp <shaggy@austin.ibm.com>
+CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
+Cc: maximilian attems <max@stro.at>
+Acked-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -471,6 +471,17 @@ struct dir_notify_req {
+ #define CIFS_LARGE_BUFFER 2
+ #define CIFS_IOVEC 4 /* array of response buffers */
+
++/* Type of Request to SendReceive2 */
++#define CIFS_STD_OP 0 /* normal request timeout */
++#define CIFS_LONG_OP 1 /* long op (up to 45 sec, oplock time) */
++#define CIFS_VLONG_OP 2 /* sloow op - can take up to 180 seconds */
++#define CIFS_BLOCKING_OP 4 /* operation can block */
++#define CIFS_ASYNC_OP 8 /* do not wait for response */
++#define CIFS_TIMEOUT_MASK 0x00F /* only one of 5 above set in req */
++#define CIFS_LOG_ERROR 0x010 /* log NT STATUS if non-zero */
++#define CIFS_LARGE_BUF_OP 0x020 /* large request buffer */
++#define CIFS_NO_RESP 0x040 /* no response buffer required */
++
+ /* Security Flags: indicate type of session setup needed */
+ #define CIFSSEC_MAY_SIGN 0x00001
+ #define CIFSSEC_MAY_NTLM 0x00002
+diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
+index dd1d7c2..0c55dff 100644
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -48,10 +48,11 @@ extern int SendReceive(const unsigned int /* xid */ , struct cifsSesInfo *,
+ struct smb_hdr * /* input */ ,
+ struct smb_hdr * /* out */ ,
+ int * /* bytes returned */ , const int long_op);
++extern int SendReceiveNoRsp(const unsigned int xid, struct cifsSesInfo *ses,
++ struct smb_hdr *in_buf, int flags);
+ extern int SendReceive2(const unsigned int /* xid */ , struct cifsSesInfo *,
+ struct kvec *, int /* nvec to send */,
+- int * /* type of buf returned */ , const int long_op,
+- const int logError /* whether to log status code*/ );
++ int * /* type of buf returned */ , const int flags);
+ extern int SendReceiveBlockingLock(const unsigned int /* xid */ ,
+ struct cifsTconInfo *,
+ struct smb_hdr * /* input */ ,
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 59d7b7c..9e8a6be 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -698,9 +698,7 @@ int
+ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
+ {
+ struct smb_hdr *smb_buffer;
+- struct smb_hdr *smb_buffer_response; /* BB removeme BB */
+ int rc = 0;
+- int length;
+
+ cFYI(1, ("In tree disconnect"));
+ /*
+@@ -737,16 +735,12 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
+ if (rc) {
+ up(&tcon->tconSem);
+ return rc;
+- } else {
+- smb_buffer_response = smb_buffer; /* BB removeme BB */
+ }
+- rc = SendReceive(xid, tcon->ses, smb_buffer, smb_buffer_response,
+- &length, 0);
++
++ rc = SendReceiveNoRsp(xid, tcon->ses, smb_buffer, 0);
+ if (rc)
+ cFYI(1, ("Tree disconnect failed %d", rc));
+
+- if (smb_buffer)
+- cifs_small_buf_release(smb_buffer);
+ up(&tcon->tconSem);
+
+ /* No need to return error on this operation if tid invalidated and
+@@ -760,10 +754,8 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
+ int
+ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
+ {
+- struct smb_hdr *smb_buffer_response;
+ LOGOFF_ANDX_REQ *pSMB;
+ int rc = 0;
+- int length;
+
+ cFYI(1, ("In SMBLogoff for session disconnect"));
+ if (ses)
+@@ -782,8 +774,6 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
+ return rc;
+ }
+
+- smb_buffer_response = (struct smb_hdr *)pSMB; /* BB removeme BB */
+-
+ if (ses->server) {
+ pSMB->hdr.Mid = GetNextMid(ses->server);
+
+@@ -795,8 +785,7 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
+ pSMB->hdr.Uid = ses->Suid;
+
+ pSMB->AndXCommand = 0xFF;
+- rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB,
+- smb_buffer_response, &length, 0);
++ rc = SendReceiveNoRsp(xid, ses, (struct smb_hdr *) pSMB, 0);
+ if (ses->server) {
+ atomic_dec(&ses->server->socketUseCount);
+ if (atomic_read(&ses->server->socketUseCount) == 0) {
+@@ -807,7 +796,6 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
+ }
+ }
+ up(&ses->sesSem);
+- cifs_small_buf_release(pSMB);
+
+ /* if session dead then we do not need to do ulogoff,
+ since server closed smb session, no sense reporting
+@@ -1255,7 +1243,7 @@ OldOpenRetry:
+ pSMB->ByteCount = cpu_to_le16(count);
+ /* long_op set to 1 to allow for oplock break timeouts */
+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, 1);
++ (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
+ cifs_stats_inc(&tcon->num_opens);
+ if (rc) {
+ cFYI(1, ("Error in Open = %d", rc));
+@@ -1368,7 +1356,7 @@ openRetry:
+ pSMB->ByteCount = cpu_to_le16(count);
+ /* long_op set to 1 to allow for oplock break timeouts */
+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, 1);
++ (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
+ cifs_stats_inc(&tcon->num_opens);
+ if (rc) {
+ cFYI(1, ("Error in Open = %d", rc));
+@@ -1446,7 +1434,7 @@ CIFSSMBRead(const int xid, struct cifsTconInfo *tcon, const int netfid,
+ iov[0].iov_base = (char *)pSMB;
+ iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
+ rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
+- &resp_buf_type, 0 /* not long op */, 1 /* log err */ );
++ &resp_buf_type, CIFS_STD_OP | CIFS_LOG_ERROR);
+ cifs_stats_inc(&tcon->num_reads);
+ pSMBr = (READ_RSP *)iov[0].iov_base;
+ if (rc) {
+@@ -1665,7 +1653,7 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
+
+
+ rc = SendReceive2(xid, tcon->ses, iov, n_vec + 1, &resp_buf_type,
+- long_op, 0 /* do not log STATUS code */ );
++ long_op);
+ cifs_stats_inc(&tcon->num_writes);
+ if (rc) {
+ cFYI(1, ("Send error Write2 = %d", rc));
+@@ -1707,7 +1695,7 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
+ int timeout = 0;
+ __u16 count;
+
+- cFYI(1, ("In CIFSSMBLock - timeout %d numLock %d", waitFlag, numLock));
++ cFYI(1, ("CIFSSMBLock timeout %d numLock %d", waitFlag, numLock));
+ rc = small_smb_init(SMB_COM_LOCKING_ANDX, 8, tcon, (void **) &pSMB);
+
+ if (rc)
+@@ -1716,10 +1704,10 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
+ pSMBr = (LOCK_RSP *)pSMB; /* BB removeme BB */
+
+ if (lockType == LOCKING_ANDX_OPLOCK_RELEASE) {
+- timeout = -1; /* no response expected */
++ timeout = CIFS_ASYNC_OP; /* no response expected */
+ pSMB->Timeout = 0;
+ } else if (waitFlag == TRUE) {
+- timeout = 3; /* blocking operation, no timeout */
++ timeout = CIFS_BLOCKING_OP; /* blocking operation, no timeout */
+ pSMB->Timeout = cpu_to_le32(-1);/* blocking - do not time out */
+ } else {
+ pSMB->Timeout = 0;
+@@ -1749,15 +1737,16 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
+ if (waitFlag) {
+ rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
+ (struct smb_hdr *) pSMBr, &bytes_returned);
++ cifs_small_buf_release(pSMB);
+ } else {
+- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, timeout);
++ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *)pSMB,
++ timeout);
++ /* SMB buffer freed by function above */
+ }
+ cifs_stats_inc(&tcon->num_locks);
+ if (rc) {
+ cFYI(1, ("Send error in Lock = %d", rc));
+ }
+- cifs_small_buf_release(pSMB);
+
+ /* Note: On -EAGAIN error only caller can retry on handle based calls
+ since file handle passed in no longer valid */
+@@ -1776,7 +1765,9 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
+ int rc = 0;
+ int timeout = 0;
+ int bytes_returned = 0;
++ int resp_buf_type = 0;
+ __u16 params, param_offset, offset, byte_count, count;
++ struct kvec iov[1];
+
+ cFYI(1, ("Posix Lock"));
+
+@@ -1818,7 +1809,7 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
+
+ parm_data->lock_type = cpu_to_le16(lock_type);
+ if (waitFlag) {
+- timeout = 3; /* blocking operation, no timeout */
++ timeout = CIFS_BLOCKING_OP; /* blocking operation, no timeout */
+ parm_data->lock_flags = cpu_to_le16(1);
+ pSMB->Timeout = cpu_to_le32(-1);
+ } else
+@@ -1838,8 +1829,13 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
+ rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
+ (struct smb_hdr *) pSMBr, &bytes_returned);
+ } else {
+- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, timeout);
++ iov[0].iov_base = (char *)pSMB;
++ iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
++ rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
++ &resp_buf_type, timeout);
++ pSMB = NULL; /* request buf already freed by SendReceive2. Do
++ not try to free it twice below on exit */
++ pSMBr = (struct smb_com_transaction2_sfi_rsp *)iov[0].iov_base;
+ }
+
+ if (rc) {
+@@ -1874,6 +1870,11 @@ plk_err_exit:
+ if (pSMB)
+ cifs_small_buf_release(pSMB);
+
++ if (resp_buf_type == CIFS_SMALL_BUFFER)
++ cifs_small_buf_release(iov[0].iov_base);
++ else if (resp_buf_type == CIFS_LARGE_BUFFER)
++ cifs_buf_release(iov[0].iov_base);
++
+ /* Note: On -EAGAIN error only caller can retry on handle based calls
+ since file handle passed in no longer valid */
+
+@@ -1886,8 +1887,6 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
+ {
+ int rc = 0;
+ CLOSE_REQ *pSMB = NULL;
+- CLOSE_RSP *pSMBr = NULL;
+- int bytes_returned;
+ cFYI(1, ("In CIFSSMBClose"));
+
+ /* do not retry on dead session on close */
+@@ -1897,13 +1896,10 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
+ if (rc)
+ return rc;
+
+- pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
+-
+ pSMB->FileID = (__u16) smb_file_id;
+ pSMB->LastWriteTime = 0xFFFFFFFF;
+ pSMB->ByteCount = 0;
+- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
++ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
+ cifs_stats_inc(&tcon->num_closes);
+ if (rc) {
+ if (rc != -EINTR) {
+@@ -1912,8 +1908,6 @@ CIFSSMBClose(const int xid, struct cifsTconInfo *tcon, int smb_file_id)
+ }
+ }
+
+- cifs_small_buf_release(pSMB);
+-
+ /* Since session is dead, file will be closed on server already */
+ if (rc == -EAGAIN)
+ rc = 0;
+@@ -3102,7 +3096,7 @@ CIFSSMBGetCIFSACL(const int xid, struct cifsTconInfo *tcon, __u16 fid,
+ iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
+
+ rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovec */, &buf_type,
+- 0 /* not long op */, 0 /* do not log STATUS codes */ );
++ CIFS_STD_OP);
+ cifs_stats_inc(&tcon->num_acl_get);
+ if (rc) {
+ cFYI(1, ("Send error in QuerySecDesc = %d", rc));
+@@ -3763,8 +3757,6 @@ CIFSFindClose(const int xid, struct cifsTconInfo *tcon,
+ {
+ int rc = 0;
+ FINDCLOSE_REQ *pSMB = NULL;
+- CLOSE_RSP *pSMBr = NULL; /* BB removeme BB */
+- int bytes_returned;
+
+ cFYI(1, ("In CIFSSMBFindClose"));
+ rc = small_smb_init(SMB_COM_FIND_CLOSE2, 1, tcon, (void **)&pSMB);
+@@ -3776,16 +3768,13 @@ CIFSFindClose(const int xid, struct cifsTconInfo *tcon,
+ if (rc)
+ return rc;
+
+- pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
+ pSMB->FileID = searchHandle;
+ pSMB->ByteCount = 0;
+- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
++ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
+ if (rc) {
+ cERROR(1, ("Send error in FindClose = %d", rc));
+ }
+ cifs_stats_inc(&tcon->num_fclose);
+- cifs_small_buf_release(pSMB);
+
+ /* Since session is dead, search handle closed on server already */
+ if (rc == -EAGAIN)
+@@ -4707,11 +4696,9 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
+ __u16 fid, __u32 pid_of_opener, int SetAllocation)
+ {
+ struct smb_com_transaction2_sfi_req *pSMB = NULL;
+- struct smb_com_transaction2_sfi_rsp *pSMBr = NULL;
+ char *data_offset;
+ struct file_end_of_file_info *parm_data;
+ int rc = 0;
+- int bytes_returned = 0;
+ __u16 params, param_offset, offset, byte_count, count;
+
+ cFYI(1, ("SetFileSize (via SetFileInfo) %lld",
+@@ -4721,8 +4708,6 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
+ if (rc)
+ return rc;
+
+- pSMBr = (struct smb_com_transaction2_sfi_rsp *)pSMB;
+-
+ pSMB->hdr.Pid = cpu_to_le16((__u16)pid_of_opener);
+ pSMB->hdr.PidHigh = cpu_to_le16((__u16)(pid_of_opener >> 16));
+
+@@ -4773,17 +4758,13 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
+ pSMB->Reserved4 = 0;
+ pSMB->hdr.smb_buf_length += byte_count;
+ pSMB->ByteCount = cpu_to_le16(byte_count);
+- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
++ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
+ if (rc) {
+ cFYI(1,
+ ("Send error in SetFileInfo (SetFileSize) = %d",
+ rc));
+ }
+
+- if (pSMB)
+- cifs_small_buf_release(pSMB);
+-
+ /* Note: On -EAGAIN error only caller can retry on handle based calls
+ since file handle passed in no longer valid */
+
+@@ -4801,10 +4782,8 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
+ const FILE_BASIC_INFO *data, __u16 fid)
+ {
+ struct smb_com_transaction2_sfi_req *pSMB = NULL;
+- struct smb_com_transaction2_sfi_rsp *pSMBr = NULL;
+ char *data_offset;
+ int rc = 0;
+- int bytes_returned = 0;
+ __u16 params, param_offset, offset, byte_count, count;
+
+ cFYI(1, ("Set Times (via SetFileInfo)"));
+@@ -4813,8 +4792,6 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
+ if (rc)
+ return rc;
+
+- pSMBr = (struct smb_com_transaction2_sfi_rsp *)pSMB;
+-
+ /* At this point there is no need to override the current pid
+ with the pid of the opener, but that could change if we someday
+ use an existing handle (rather than opening one on the fly) */
+@@ -4854,14 +4831,11 @@ CIFSSMBSetFileTimes(const int xid, struct cifsTconInfo *tcon,
+ pSMB->hdr.smb_buf_length += byte_count;
+ pSMB->ByteCount = cpu_to_le16(byte_count);
+ memcpy(data_offset, data, sizeof(FILE_BASIC_INFO));
+- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
++ rc = SendReceiveNoRsp(xid, tcon->ses, (struct smb_hdr *) pSMB, 0);
+ if (rc) {
+ cFYI(1, ("Send error in Set Time (SetFileInfo) = %d", rc));
+ }
+
+- cifs_small_buf_release(pSMB);
+-
+ /* Note: On -EAGAIN error only caller can retry on handle based calls
+ since file handle passed in no longer valid */
+
+@@ -5152,7 +5126,8 @@ int CIFSSMBNotify(const int xid, struct cifsTconInfo *tcon,
+ pSMB->ByteCount = 0;
+
+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+- (struct smb_hdr *) pSMBr, &bytes_returned, -1);
++ (struct smb_hdr *)pSMBr, &bytes_returned,
++ CIFS_ASYNC_OP);
+ if (rc) {
+ cFYI(1, ("Error in Notify = %d", rc));
+ } else {
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index c52a76f..26e1087 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2374,7 +2374,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
+ pSMB->req_no_secext.ByteCount = cpu_to_le16(count);
+
+ rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
+- &bytes_returned, 1);
++ &bytes_returned, CIFS_LONG_OP);
+ if (rc) {
+ /* rc = map_smb_to_linux_error(smb_buffer_response); now done in SendReceive */
+ } else if ((smb_buffer_response->WordCount == 3)
+@@ -2678,7 +2678,7 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
+ pSMB->req.ByteCount = cpu_to_le16(count);
+
+ rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
+- &bytes_returned, 1);
++ &bytes_returned, CIFS_LONG_OP);
+
+ if (smb_buffer_response->Status.CifsError ==
+ cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
+@@ -3105,7 +3105,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
+ pSMB->req.ByteCount = cpu_to_le16(count);
+
+ rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
+- &bytes_returned, 1);
++ &bytes_returned, CIFS_LONG_OP);
+ if (rc) {
+ /* rc = map_smb_to_linux_error(smb_buffer_response) done in SendReceive now */
+ } else if ((smb_buffer_response->WordCount == 3) ||
+@@ -3381,7 +3381,8 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
+ pSMB->hdr.smb_buf_length += count;
+ pSMB->ByteCount = cpu_to_le16(count);
+
+- rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length, 0);
++ rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length,
++ CIFS_STD_OP);
+
+ /* if (rc) rc = map_smb_to_linux_error(smb_buffer_response); */
+ /* above now done in SendReceive */
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 68ad4ca..82326d2 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -835,9 +835,9 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
+ xid = GetXid();
+
+ if (*poffset > file->f_path.dentry->d_inode->i_size)
+- long_op = 2; /* writes past end of file can take a long time */
++ long_op = CIFS_VLONG_OP; /* writes past EOF take long time */
+ else
+- long_op = 1;
++ long_op = CIFS_LONG_OP;
+
+ for (total_written = 0; write_size > total_written;
+ total_written += bytes_written) {
+@@ -884,7 +884,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
+ }
+ } else
+ *poffset += bytes_written;
+- long_op = FALSE; /* subsequent writes fast -
++ long_op = CIFS_STD_OP; /* subsequent writes fast -
+ 15 seconds is plenty */
+ }
+
+@@ -934,9 +934,9 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
+ xid = GetXid();
+
+ if (*poffset > file->f_path.dentry->d_inode->i_size)
+- long_op = 2; /* writes past end of file can take a long time */
++ long_op = CIFS_VLONG_OP; /* writes past EOF can be slow */
+ else
+- long_op = 1;
++ long_op = CIFS_LONG_OP;
+
+ for (total_written = 0; write_size > total_written;
+ total_written += bytes_written) {
+@@ -1002,7 +1002,7 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
+ }
+ } else
+ *poffset += bytes_written;
+- long_op = FALSE; /* subsequent writes fast -
++ long_op = CIFS_STD_OP; /* subsequent writes fast -
+ 15 seconds is plenty */
+ }
+
+@@ -1360,7 +1360,7 @@ retry:
+ open_file->netfid,
+ bytes_to_write, offset,
+ &bytes_written, iov, n_iov,
+- 1);
++ CIFS_LONG_OP);
+ atomic_dec(&open_file->wrtPending);
+ if (rc || bytes_written < bytes_to_write) {
+ cERROR(1, ("Write2 ret %d, wrote %d",
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index 899dc60..ed01ef3 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -514,7 +514,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
+ iov[1].iov_base = str_area;
+ iov[1].iov_len = count;
+ rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type,
+- 0 /* not long op */, 1 /* log NT STATUS if any */ );
++ CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
+ /* SMB request buf freed in SendReceive2 */
+
+ cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
+diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
+index 7ed32b3..50b623a 100644
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -308,7 +308,7 @@ smb_send2(struct socket *ssocket, struct kvec *iov, int n_vec,
+
+ static int wait_for_free_request(struct cifsSesInfo *ses, const int long_op)
+ {
+- if (long_op == -1) {
++ if (long_op == CIFS_ASYNC_OP) {
+ /* oplock breaks must not be held up */
+ atomic_inc(&ses->server->inFlight);
+ } else {
+@@ -337,7 +337,7 @@ static int wait_for_free_request(struct cifsSesInfo *ses, const int long_op)
+ as they are allowed to block on server */
+
+ /* update # of requests on the wire to server */
+- if (long_op < 3)
++ if (long_op != CIFS_BLOCKING_OP)
+ atomic_inc(&ses->server->inFlight);
+ spin_unlock(&GlobalMid_Lock);
+ break;
+@@ -415,17 +415,48 @@ static int wait_for_response(struct cifsSesInfo *ses,
+ }
+ }
+
++
++/*
++ *
++ * Send an SMB Request. No response info (other than return code)
++ * needs to be parsed.
++ *
++ * flags indicate the type of request buffer and how long to wait
++ * and whether to log NT STATUS code (error) before mapping it to POSIX error
++ *
++ */
++int
++SendReceiveNoRsp(const unsigned int xid, struct cifsSesInfo *ses,
++ struct smb_hdr *in_buf, int flags)
++{
++ int rc;
++ struct kvec iov[1];
++ int resp_buf_type;
++
++ iov[0].iov_base = (char *)in_buf;
++ iov[0].iov_len = in_buf->smb_buf_length + 4;
++ flags |= CIFS_NO_RESP;
++ rc = SendReceive2(xid, ses, iov, 1, &resp_buf_type, flags);
++#ifdef CONFIG_CIFS_DEBUG2
++ cFYI(1, ("SendRcvNoR flags %d rc %d", flags, rc));
++#endif
++ return rc;
++}
++
+ int
+ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
+ struct kvec *iov, int n_vec, int *pRespBufType /* ret */,
+- const int long_op, const int logError)
++ const int flags)
+ {
+ int rc = 0;
++ int long_op;
+ unsigned int receive_len;
+ unsigned long timeout;
+ struct mid_q_entry *midQ;
+ struct smb_hdr *in_buf = iov[0].iov_base;
+
++ long_op = flags & CIFS_TIMEOUT_MASK;
++
+ *pRespBufType = CIFS_NO_BUFFER; /* no response buf yet */
+
+ if ((ses == NULL) || (ses->server == NULL)) {
+@@ -483,15 +514,22 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
+ if (rc < 0)
+ goto out;
+
+- if (long_op == -1)
+- goto out;
+- else if (long_op == 2) /* writes past end of file can take loong time */
++ if (long_op == CIFS_STD_OP)
++ timeout = 15 * HZ;
++ else if (long_op == CIFS_VLONG_OP) /* e.g. slow writes past EOF */
+ timeout = 180 * HZ;
+- else if (long_op == 1)
++ else if (long_op == CIFS_LONG_OP)
+ timeout = 45 * HZ; /* should be greater than
+ servers oplock break timeout (about 43 seconds) */
+- else
+- timeout = 15 * HZ;
++ else if (long_op == CIFS_ASYNC_OP)
++ goto out;
++ else if (long_op == CIFS_BLOCKING_OP)
++ timeout = 0x7FFFFFFF; /* large, but not so large as to wrap */
++ else {
++ cERROR(1, ("unknown timeout flag %d", long_op));
++ rc = -EIO;
++ goto out;
++ }
+
+ /* wait for 15 seconds or until woken up due to response arriving or
+ due to last connection to this server being unmounted */
+@@ -566,7 +604,8 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
+ }
+
+ /* BB special case reconnect tid and uid here? */
+- rc = map_smb_to_linux_error(midQ->resp_buf, logError);
++ rc = map_smb_to_linux_error(midQ->resp_buf,
++ flags & CIFS_LOG_ERROR);
+
+ /* convert ByteCount if necessary */
+ if (receive_len >= sizeof(struct smb_hdr) - 4
+@@ -574,8 +613,10 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
+ (2 * midQ->resp_buf->WordCount) + 2 /* bcc */ )
+ BCC(midQ->resp_buf) =
+ le16_to_cpu(BCC_LE(midQ->resp_buf));
+- midQ->resp_buf = NULL; /* mark it so will not be freed
+- by DeleteMidQEntry */
++ if ((flags & CIFS_NO_RESP) == 0)
++ midQ->resp_buf = NULL; /* mark it so buf will
++ not be freed by
++ DeleteMidQEntry */
+ } else {
+ rc = -EIO;
+ cFYI(1, ("Bad MID state?"));
+@@ -663,17 +704,25 @@ SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
+ if (rc < 0)
+ goto out;
+
+- if (long_op == -1)
++ if (long_op == CIFS_STD_OP)
++ timeout = 15 * HZ;
++ /* wait for 15 seconds or until woken up due to response arriving or
++ due to last connection to this server being unmounted */
++ else if (long_op == CIFS_ASYNC_OP)
+ goto out;
+- else if (long_op == 2) /* writes past end of file can take loong time */
++ else if (long_op == CIFS_VLONG_OP) /* writes past EOF can be slow */
+ timeout = 180 * HZ;
+- else if (long_op == 1)
++ else if (long_op == CIFS_LONG_OP)
+ timeout = 45 * HZ; /* should be greater than
+ servers oplock break timeout (about 43 seconds) */
+- else
+- timeout = 15 * HZ;
+- /* wait for 15 seconds or until woken up due to response arriving or
+- due to last connection to this server being unmounted */
++ else if (long_op == CIFS_BLOCKING_OP)
++ timeout = 0x7FFFFFFF; /* large but no so large as to wrap */
++ else {
++ cERROR(1, ("unknown timeout flag %d", long_op));
++ rc = -EIO;
++ goto out;
++ }
++
+ if (signal_pending(current)) {
+ /* if signal pending do not hold up user for full smb timeout
+ but we still give response a chance to complete */
+@@ -812,7 +861,7 @@ send_lock_cancel(const unsigned int xid, struct cifsTconInfo *tcon,
+ pSMB->hdr.Mid = GetNextMid(ses->server);
+
+ return SendReceive(xid, ses, in_buf, out_buf,
+- &bytes_returned, 0);
++ &bytes_returned, CIFS_STD_OP);
+ }
+
+ int
+@@ -844,7 +893,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
+ to the same server. We may make this configurable later or
+ use ses->maxReq */
+
+- rc = wait_for_free_request(ses, 3);
++ rc = wait_for_free_request(ses, CIFS_BLOCKING_OP);
+ if (rc)
+ return rc;
+
+-
+To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+----- End forwarded message -----
+--
+maks
+
+_______________________________________________
+stable mailing list
+stable@linux.kernel.org
+http://linux.kernel.org/mailman/listinfo/stable
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
