Merge tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd

Pull more smb server updates from Steve French:

 - move fs/smb/common/smbdirect to fs/smb/smbdirect

 - change signature calc to use AES-CMAC library, simpler and faster

 - invalid signature fix

 - multichannel fix

 - open create options fix

 - fix durable handle leak

 - cap maximum lock count to avoid potential denial of service

 - four connection fixes: connection free and session destroy IDA fixes,
   refcount fix, connection leak fix, max_connections off by one fix

 - IPC validation fix

 - fix out of bounds write in getting xattrs

 - fix use after free in durable handle reconnect

 - three ACL fixes: fix potential ACL overflow, harden num_aces check,
   and fix minimum ACE size check

* tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd:
  smb: smbdirect: move fs/smb/common/smbdirect/ to fs/smb/smbdirect/
  smb: server: stop sending fake security descriptors
  ksmbd: scope conn->binding slowpath to bound sessions only
  ksmbd: fix CreateOptions sanitization clobbering the whole field
  ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
  ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount
  ksmbd: destroy async_ida in ksmbd_conn_free()
  ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
  ksmbd: Use AES-CMAC library for SMB3 signature calculation
  ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
  ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
  ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
  ksmbd: fix use-after-free in smb2_open during durable reconnect
  ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
  smb: server: fix max_connections off-by-one in tcp accept path
  ksmbd: require minimum ACE size in smb_check_perm_dacl()
  ksmbd: validate response sizes in ipc_validate_msg()
  smb: server: fix active_num_conn leak on transport allocation failure

Author: torvalds

MAINTAINERS

@@ -24662,7 +24662,7 @@ L:	[email protected]
 L:	[email protected] (moderated for non-subscribers)
 S:	Maintained
 F:	fs/smb/client/smbdirect.*
-F:	fs/smb/common/smbdirect/
+F:	fs/smb/smbdirect/
 F:	fs/smb/server/transport_rdma.*
 
 SMC91x ETHERNET DRIVER

fs/smb/Kconfig

@@ -4,7 +4,7 @@
 
 source "fs/smb/client/Kconfig"
 source "fs/smb/server/Kconfig"
-source "fs/smb/common/smbdirect/Kconfig"
+source "fs/smb/smbdirect/Kconfig"
 
 config SMBFS
 	tristate

fs/smb/Makefile

@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0
 
 obj-$(CONFIG_SMBFS)		+= common/
+obj-$(CONFIG_SMBDIRECT)		+= smbdirect/
 obj-$(CONFIG_CIFS)		+= client/
 obj-$(CONFIG_SMB_SERVER)	+= server/

fs/smb/client/Kconfig

@@ -182,7 +182,7 @@ config CIFS_SMB_DIRECT
 	bool "SMB Direct support"
 	depends on CIFS && INFINIBAND && INFINIBAND_ADDR_TRANS
 	depends on CIFS=m || INFINIBAND=y
-	select SMB_COMMON_SMBDIRECT
+	select SMBDIRECT
 	help
 	  Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1.
 	  SMB Direct allows transferring SMB packets over RDMA. If unsure,

fs/smb/client/smbdirect.c

@@ -9,7 +9,7 @@
 #include "cifs_debug.h"
 #include "cifsproto.h"
 #include "smb2proto.h"
-#include "../common/smbdirect/smbdirect_public.h"
+#include "../smbdirect/public.h"
 
 /* Port numbers for SMBD transport */
 #define SMB_PORT	445

fs/smb/client/smbdirect.h

@@ -12,7 +12,7 @@
 
 #include "cifsglob.h"
 
-#include "../common/smbdirect/smbdirect.h"
+#include "../smbdirect/smbdirect.h"
 
 extern int rdma_readwrite_threshold;
 extern int smbd_max_frmr_depth;

fs/smb/common/Makefile

@@ -4,4 +4,3 @@
 #
 
 obj-$(CONFIG_SMBFS) += cifs_md4.o
-obj-$(CONFIG_SMB_COMMON_SMBDIRECT) += smbdirect/

fs/smb/common/smbdirect/Makefile

@@ -7,13 +7,13 @@ config SMB_SERVER
 	select NLS_UTF8
 	select NLS_UCS2_UTILS
 	select CRYPTO
+	select CRYPTO_LIB_AES_CBC_MACS
 	select CRYPTO_LIB_ARC4
 	select CRYPTO_LIB_DES
 	select CRYPTO_LIB_MD5
 	select CRYPTO_LIB_SHA256
 	select CRYPTO_LIB_SHA512
 	select CRYPTO_LIB_UTILS
-	select CRYPTO_CMAC
 	select CRYPTO_AEAD2
 	select CRYPTO_CCM
 	select CRYPTO_GCM
@@ -49,7 +49,7 @@ config SMB_SERVER_SMBDIRECT
 	bool "Support for SMB Direct protocol"
 	depends on SMB_SERVER && INFINIBAND && INFINIBAND_ADDR_TRANS
 	depends on SMB_SERVER=m || INFINIBAND=y
-	select SMB_COMMON_SMBDIRECT
+	select SMBDIRECT
 	default n
 
 	help

fs/smb/server/Kconfig

@@ -11,8 +11,8 @@
 #include <linux/writeback.h>
 #include <linux/uio.h>
 #include <linux/xattr.h>
-#include <crypto/hash.h>
 #include <crypto/aead.h>
+#include <crypto/aes-cbc-macs.h>
 #include <crypto/md5.h>
 #include <crypto/sha2.h>
 #include <crypto/utils.h>
@@ -490,46 +490,21 @@ void ksmbd_sign_smb2_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
  * @sig:	signature value generated for client request packet
  *
  */
-int ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
-			int n_vec, char *sig)
+void ksmbd_sign_smb3_pdu(struct ksmbd_conn *conn, char *key, struct kvec *iov,
+			 int n_vec, char *sig)
 {
-	struct ksmbd_crypto_ctx *ctx;
-	int rc, i;
-
-	ctx = ksmbd_crypto_ctx_find_cmacaes();
-	if (!ctx) {
-		ksmbd_debug(AUTH, "could not crypto alloc cmac\n");
-		return -ENOMEM;
-	}
-
-	rc = crypto_shash_setkey(CRYPTO_CMACAES_TFM(ctx),
-				 key,
-				 SMB2_CMACAES_SIZE);
-	if (rc)
-		goto out;
-
-	rc = crypto_shash_init(CRYPTO_CMACAES(ctx));
-	if (rc) {
-		ksmbd_debug(AUTH, "cmaces init error %d\n", rc);
-		goto out;
-	}
+	struct aes_cmac_key cmac_key;
+	struct aes_cmac_ctx cmac_ctx;
+	int i;
 
-	for (i = 0; i < n_vec; i++) {
-		rc = crypto_shash_update(CRYPTO_CMACAES(ctx),
-					 iov[i].iov_base,
-					 iov[i].iov_len);
-		if (rc) {
-			ksmbd_debug(AUTH, "cmaces update error %d\n", rc);
-			goto out;
-		}
-	}
+	/* This cannot fail, since we always pass a valid key length. */
+	static_assert(SMB2_CMACAES_SIZE == AES_KEYSIZE_128);
+	aes_cmac_preparekey(&cmac_key, key, SMB2_CMACAES_SIZE);
 
-	rc = crypto_shash_final(CRYPTO_CMACAES(ctx), sig);
-	if (rc)
-		ksmbd_debug(AUTH, "cmaces generation error %d\n", rc);
-out:
-	ksmbd_release_crypto_ctx(ctx);
-	return rc;
+	aes_cmac_init(&cmac_ctx, &cmac_key);
+	for (i = 0; i < n_vec; i++)
+		aes_cmac_update(&cmac_ctx, iov[i].iov_base, iov[i].iov_len);
+	aes_cmac_final(&cmac_ctx, sig);
 }
 
 struct derivation {