Attachment 283201 Details for Bug 417961 – patch 11 -- Fix cifsd so shuts down when signing fails during mount

[patch] patch 11 -- Fix cifsd so shuts down when signing fails during mount

0011-BZ-417961-CIFS-Fix-cifsd-so-shuts-down-when-signi.patch (text/plain), 5.07 KB, created by Jeff Layton on 2007-12-10 20:22:39 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeff Layton

Created: 2007-12-10 20:22:39 UTC

Size: 5.07 KB

patch

obsolete

>From adc1adcdd37e0f8c31de01c75161e0e8506c758f Mon Sep 17 00:00:00 2001
>From: Steve French <sfrench@us.ibm.com>
>Date: Thu, 4 Oct 2007 20:05:09 +0000
>Subject: [RHEL5.2 PATCH 11/16] BZ#417961: [CIFS] Fix cifsd so shuts down when signing fails during mount
>
>Fixes two problems:
>1) we dropped down to negotiating lanman if we did not recognize the
>mechanism (krb5 e.g.)
>2) we did not stop cifsd (thus will fail when doing rmod cifs with
>slab free errors) when we fail tcon but have a bad session (which is
>the case in which signing is required but we don't allow signing on
>the client)
>
>It also turns on extended security flag in the header when passing
>"sec=krb5" on mount command (although kerberos support is not done of
>course)
>
>Acked-by: Jeff Layton <jlayton@redhat.com>
>CC: Shaggy <shaggy@us.ibm.com>
>Signed-off-by: Steve French <sfrench@us.ibm.com>
>---
> fs/cifs/cifs_debug.c |   11 ++++++++---
> fs/cifs/cifsglob.h   |    4 +++-
> fs/cifs/cifssmb.c    |   23 ++++++++++++++++++++---
> fs/cifs/connect.c    |   12 +++++++++++-
> 4 files changed, 42 insertions(+), 8 deletions(-)
>
>diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
>index 56c5d91..73c4c41 100644
>--- a/fs/cifs/cifs_debug.c
>+++ b/fs/cifs/cifs_debug.c
>@@ -879,11 +879,16 @@ security_flags_write(struct file *file, const char __user *buffer,
> 	if (count < 3) {
> 		/* single char or single char followed by null */
> 		c = flags_string[0];
>-		if (c == '0' || c == 'n' || c == 'N')
>+		if (c == '0' || c == 'n' || c == 'N') {
> 			extended_security = CIFSSEC_DEF; /* default */
>-		else if (c == '1' || c == 'y' || c == 'Y')
>+			return count;
>+		} else if (c == '1' || c == 'y' || c == 'Y') {
> 			extended_security = CIFSSEC_MAX;
>-		return count;
>+			return count;
>+		} else if (!isdigit(c)) {
>+			cERROR(1, ("invalid flag %c", c));
>+			return -EINVAL;
>+		}
> 	}
> 	/* else we have a number */
> 
>diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>index 2cbe966..aa250a6 100644
>--- a/fs/cifs/cifsglob.h
>+++ b/fs/cifs/cifsglob.h
>@@ -98,7 +98,8 @@ enum statusEnum {
> };
> 
> enum securityEnum {
>-	LANMAN = 0,             /* Legacy LANMAN auth */
>+	PLAINTXT = 0, 		/* Legacy with Plaintext passwords */
>+	LANMAN,			/* Legacy LANMAN auth */
> 	NTLM,			/* Legacy NTLM012 auth with NTLM hash */
> 	NTLMv2,			/* Legacy NTLM auth with NTLMv2 hash */
> 	RawNTLMSSP,		/* NTLMSSP without SPNEGO */
>@@ -527,6 +528,7 @@ require use of the stronger protocol */
> 
> #define   CIFSSEC_DEF  CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2
> #define   CIFSSEC_MAX  CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2
>+#define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5)
> /*
>  *****************************************************************
>  * All constants go here
>diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
>index ecd8cd0..0f2f789 100644
>--- a/fs/cifs/cifssmb.c
>+++ b/fs/cifs/cifssmb.c
>@@ -456,8 +456,13 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
> 
> 	pSMB->hdr.Mid = GetNextMid(server);
> 	pSMB->hdr.Flags2 |= (SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS);
>+
> 	if ((secFlags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
> 		pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
>+	else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_KRB5) {
>+		cFYI(1, ("Kerberos only mechanism, enable extended security"));
>+		pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
>+	}
> 
> 	count = 0;
> 	for (i = 0; i < CIFS_NUM_PROT; i++) {
>@@ -591,7 +596,20 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
> 		server->secType = NTLM;
> 	else if (secFlags & CIFSSEC_MAY_NTLMV2)
> 		server->secType = NTLMv2;
>-	/* else krb5 ... any others ... */
>+	else if (secFlags & CIFSSEC_MAY_KRB5)
>+		server->secType = Kerberos;
>+	else if (secFlags & CIFSSEC_MAY_LANMAN)
>+		server->secType = LANMAN;
>+/* #ifdef CONFIG_CIFS_EXPERIMENTAL
>+	else if (secFlags & CIFSSEC_MAY_PLNTXT)
>+		server->secType = ??
>+#endif */
>+	else {
>+		rc = -EOPNOTSUPP;
>+		cERROR(1, ("Invalid security type"));
>+		goto neg_err_exit;
>+	}
>+	/* else ... any others ...? */
> 
> 	/* one byte, so no need to convert this or EncryptionKeyLen from
> 	   little endian */
>@@ -3116,8 +3134,7 @@ CIFSSMBGetCIFSACL(const int xid, struct cifsTconInfo *tcon, __u16 fid,
> 			goto qsec_out;
> 		pSMBr = (struct smb_com_ntransact_rsp *)iov[0].iov_base;
> 
>-		cERROR(1, ("smb %p parm %p data %p",
>-			  pSMBr, parm, psec_desc));  /* BB removeme BB */
>+		cFYI(1, ("smb %p parm %p data %p", pSMBr, parm, psec_desc));
> 
> 		if (le32_to_cpu(pSMBr->ParameterCount) != 4) {
> 			rc = -EIO;      /* bad smb */
>diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
>index 3b0aab6..1396f37 100644
>--- a/fs/cifs/connect.c
>+++ b/fs/cifs/connect.c
>@@ -2268,8 +2268,18 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
> 						if (tsk)
> 							kthread_stop(tsk);
> 					}
>-				} else
>+				} else {
> 					cFYI(1, ("No session or bad tcon"));
>+					if ((pSesInfo->server) &&
>+					    (pSesInfo->server->tsk)) {
>+						struct task_struct *tsk;
>+						force_sig(SIGKILL,
>+							pSesInfo->server->tsk);
>+						tsk = pSesInfo->server->tsk;
>+						if (tsk)
>+							kthread_stop(tsk);
>+					}
>+				}
> 				sesInfoFree(pSesInfo);
> 				/* pSesInfo = NULL; */
> 			}
>-- 
>1.5.3.3
>

Actions: View | Diff

Attachments on bug 417961: 283091 | 283101 | 283111 | 283121 | 283131 | 283141 | 283151 | 283161 | 283171 | 283181 | 283191 | 283201 | 283211 | 283221 | 283231 | 283241 | 283251