Merge tag '6.7-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

	oparms.fid->mid = le64_to_cpu(o_rsp->hdr.MessageId);

#endif /* CIFS_DEBUG2 */

	rc = -EINVAL;

	if (o_rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE) {

		spin_unlock(&cfids->cfid_list_lock);

		rc = -EINVAL;

		goto oshr_free;

	}

	smb2_parse_contexts(server, o_rsp,

	rc = smb2_parse_contexts(server, rsp_iov,

				 &oparms.fid->epoch,

			    oparms.fid->lease_key, &oplock,

			    NULL, NULL);

				 oparms.fid->lease_key,

				 &oplock, NULL, NULL);

	if (rc) {

		spin_unlock(&cfids->cfid_list_lock);

		goto oshr_free;

	}

	rc = -EINVAL;

	if (!(oplock & SMB2_LEASE_READ_CACHING_HE)) {

		spin_unlock(&cfids->cfid_list_lock);

		goto oshr_free;

char *

smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr)

{

	const int max_off = 4096;

	const int max_len = 128 * 1024;

	*off = 0;

	*len = 0;

	 * Invalid length or offset probably means data area is invalid, but

	 * we have little choice but to ignore the data area in this case.

	 */

	if (*off > 4096) {

		cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);

		*len = 0;

		*off = 0;

	} else if (*off < 0) {

		cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",

			 *off);

	if (unlikely(*off < 0 || *off > max_off ||

		     *len < 0 || *len > max_len)) {

		cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n",

			 __func__, *off, *len);

		*off = 0;

		*len = 0;

	} else if (*len < 0) {

		cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",

			 *len);

		*len = 0;

	} else if (*len > 128 * 1024) {

		cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);

	} else if (*off == 0) {

		*len = 0;

	}

	/* return pointer to beginning of data area, ie offset from SMB start */

	if ((*off != 0) && (*len != 0))

	if (*off > 0 && *len > 0)

		return (char *)shdr + *off;

	else

	return NULL;

}

	struct kvec *rsp_iov;

	struct smb2_ioctl_rsp *ioctl_rsp;

	struct reparse_data_buffer *reparse_buf;

	u32 plen;

	u32 off, count, len;

	cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);

	 */

	if (rc == 0) {

		/* See MS-FSCC 2.3.23 */

		off = le32_to_cpu(ioctl_rsp->OutputOffset);

		count = le32_to_cpu(ioctl_rsp->OutputCount);

		if (check_add_overflow(off, count, &len) ||

		    len > rsp_iov[1].iov_len) {

			cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",

				      __func__, off, count);

			rc = -EIO;

			goto query_rp_exit;

		}

		reparse_buf = (struct reparse_data_buffer *)

			((char *)ioctl_rsp +

			 le32_to_cpu(ioctl_rsp->OutputOffset));

		plen = le32_to_cpu(ioctl_rsp->OutputCount);

		if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >

		    rsp_iov[1].iov_len) {

			cifs_tcon_dbg(FYI, "srv returned invalid ioctl len: %d\n",

				 plen);

		reparse_buf = (void *)((u8 *)ioctl_rsp + off);

		len = sizeof(*reparse_buf);

		if (count < len ||

		    count < le16_to_cpu(reparse_buf->ReparseDataLength) + len) {

			cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",

				      __func__, off, count);

			rc = -EIO;

			goto query_rp_exit;

		}

	struct smb2_hdr *shdr;

	unsigned int pdu_length = server->pdu_size;

	unsigned int buf_size;

	unsigned int next_cmd;

	struct mid_q_entry *mid_entry;

	int next_is_large;

	char *next_buffer = NULL;

	next_is_large = server->large_buf;

one_more:

	shdr = (struct smb2_hdr *)buf;

	if (shdr->NextCommand) {

	next_cmd = le32_to_cpu(shdr->NextCommand);

	if (next_cmd) {

		if (WARN_ON_ONCE(next_cmd > pdu_length))

			return -1;

		if (next_is_large)

			next_buffer = (char *)cifs_buf_get();

		else

			next_buffer = (char *)cifs_small_buf_get();

		memcpy(next_buffer,

		       buf + le32_to_cpu(shdr->NextCommand),

		       pdu_length - le32_to_cpu(shdr->NextCommand));

		memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);

	}

	mid_entry = smb2_find_mid(server, buf);

	else

		ret = cifs_handle_standard(server, mid_entry);

	if (ret == 0 && shdr->NextCommand) {

		pdu_length -= le32_to_cpu(shdr->NextCommand);

	if (ret == 0 && next_cmd) {

		pdu_length -= next_cmd;

		server->large_buf = next_is_large;

		if (next_is_large)

			server->bigbuf = buf = next_buffer;

		 posix->nlink, posix->mode, posix->reparse_tag);

}

void

smb2_parse_contexts(struct TCP_Server_Info *server,

		    struct smb2_create_rsp *rsp,

		    unsigned int *epoch, char *lease_key, __u8 *oplock,

int smb2_parse_contexts(struct TCP_Server_Info *server,

			struct kvec *rsp_iov,

			unsigned int *epoch,

			char *lease_key, __u8 *oplock,

			struct smb2_file_all_info *buf,

			struct create_posix_rsp *posix)

{

	char *data_offset;

	struct smb2_create_rsp *rsp = rsp_iov->iov_base;

	struct create_context *cc;

	unsigned int next;

	unsigned int remaining;

	size_t rem, off, len;

	size_t doff, dlen;

	size_t noff, nlen;

	char *name;

	static const char smb3_create_tag_posix[] = {

		0x93, 0xAD, 0x25, 0x50, 0x9C,

	};

	*oplock = 0;

	data_offset = (char *)rsp + le32_to_cpu(rsp->CreateContextsOffset);

	remaining = le32_to_cpu(rsp->CreateContextsLength);

	cc = (struct create_context *)data_offset;

	off = le32_to_cpu(rsp->CreateContextsOffset);

	rem = le32_to_cpu(rsp->CreateContextsLength);

	if (check_add_overflow(off, rem, &len) || len > rsp_iov->iov_len)

		return -EINVAL;

	cc = (struct create_context *)((u8 *)rsp + off);

	/* Initialize inode number to 0 in case no valid data in qfid context */

	if (buf)

		buf->IndexNumber = 0;

	while (remaining >= sizeof(struct create_context)) {

		name = le16_to_cpu(cc->NameOffset) + (char *)cc;

		if (le16_to_cpu(cc->NameLength) == 4 &&

		    strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4) == 0)

	while (rem >= sizeof(*cc)) {

		doff = le16_to_cpu(cc->DataOffset);

		dlen = le32_to_cpu(cc->DataLength);

		if (check_add_overflow(doff, dlen, &len) || len > rem)

			return -EINVAL;

		noff = le16_to_cpu(cc->NameOffset);

		nlen = le16_to_cpu(cc->NameLength);

		if (noff + nlen >= doff)

			return -EINVAL;

		name = (char *)cc + noff;

		switch (nlen) {

		case 4:

			if (!strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {

				*oplock = server->ops->parse_lease_buf(cc, epoch,

								       lease_key);

		else if (buf && (le16_to_cpu(cc->NameLength) == 4) &&

		    strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4) == 0)

			} else if (buf &&

				   !strncmp(name, SMB2_CREATE_QUERY_ON_DISK_ID, 4)) {

				parse_query_id_ctxt(cc, buf);

		else if ((le16_to_cpu(cc->NameLength) == 16)) {

			if (posix &&

			    memcmp(name, smb3_create_tag_posix, 16) == 0)

			}

			break;

		case 16:

			if (posix && !memcmp(name, smb3_create_tag_posix, 16))

				parse_posix_ctxt(cc, buf, posix);

			break;

		default:

			cifs_dbg(FYI, "%s: unhandled context (nlen=%zu dlen=%zu)\n",

				 __func__, nlen, dlen);

			if (IS_ENABLED(CONFIG_CIFS_DEBUG2))

				cifs_dump_mem("context data: ", cc, dlen);

			break;

		}

		/* else {

			cifs_dbg(FYI, "Context not matched with len %d\n",

				le16_to_cpu(cc->NameLength));

			cifs_dump_mem("Cctxt name: ", name, 4);

		} */

		next = le32_to_cpu(cc->Next);

		if (!next)

		off = le32_to_cpu(cc->Next);

		if (!off)

			break;

		remaining -= next;

		cc = (struct create_context *)((char *)cc + next);

		if (check_sub_overflow(rem, off, &rem))

			return -EINVAL;

		cc = (struct create_context *)((u8 *)cc + off);

	}

	if (rsp->OplockLevel != SMB2_OPLOCK_LEVEL_LEASE)

		*oplock = rsp->OplockLevel;

	return;

	return 0;

}

static int

	}

	smb2_parse_contexts(server, rsp, &oparms->fid->epoch,

	rc = smb2_parse_contexts(server, &rsp_iov, &oparms->fid->epoch,

				 oparms->fid->lease_key, oplock, buf, posix);

creat_exit:

	SMB2_open_free(&rqst);

extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *,

					enum securityEnum);

extern void smb2_parse_contexts(struct TCP_Server_Info *server,

				struct smb2_create_rsp *rsp,

				unsigned int *epoch, char *lease_key,

				__u8 *oplock, struct smb2_file_all_info *buf,

int smb2_parse_contexts(struct TCP_Server_Info *server,

			struct kvec *rsp_iov,

			unsigned int *epoch,

			char *lease_key, __u8 *oplock,

			struct smb2_file_all_info *buf,

			struct create_posix_rsp *posix);

extern int smb3_encryption_required(const struct cifs_tcon *tcon);

extern int smb2_validate_iov(unsigned int offset, unsigned int buffer_length,

			     struct kvec *iov, unsigned int min_buf_size);