3 smb3 server fixes

-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmO8s+MACgkQiiy9cAdy
 T1FguAv/VtubPYJ5BgPjXSWY7dXlHAjjd6gZ6qkggwy6me3OLlG5px2+izLoEzBV
 q1hYWe4paQViZD/A4DpzSZTk4C5pJ8ZH3akjioKN1dwnDUyfMV/8bZKny768SpaN
 FUv8c/7X1sySiJGLhj1uhk+JHphwbiGd71VchwowdEE3HuTlQAE8TWp03v6bPI/I
 8o9pLJiWlFFxiM7hIxH9O5xFNVnarojjOnMfMvultCexQd/YQ3xlk/T2CzmAvhOw
 /kaNWLmnWt1rOvjiAiiy4qUMMO04difpb9v54P2th108nxOzTLCAlS87pW0NPtZK
 5CKm4UsjZ+Z4JWXy7YIfA8Qskf2rEpDZfBmydQkTLW09eawecgJC5Zg7JUZfRa2j
 ZcGNkxC3syJ6j1kSPiB5aWspaqegc0dFyIXlsylYLNOGnbapDvrvnUCeA7lCirTJ
 oI2fx+ibSERF8n4s5LSneYf9W00THF8F772o3t8gXqih9HQX3N/R30EaJLgG5mXS
 nNtE15be
 =leg1
 -----END PGP SIGNATURE-----

Merge tag '6.2-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull ksmb server fixes from Steve French:

 - fix possible infinite loop in socket handler

 - fix possible panic in ntlmv2 authentication

 - fix error handling on tree connect

* tag '6.2-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix infinite loop in ksmbd_conn_handler_loop()
  ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
  ksmbd: send proper error response in smb2_tree_connect()

fs/ksmbd/auth.c

@@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
 	dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
 	dn_len = le16_to_cpu(authblob->DomainName.Length);
 
-	if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
+	if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
+	    nt_len < CIFS_ENCPWD_SIZE)
 		return -EINVAL;
 
 	/* TODO : use domain name that imported from configuration file */

fs/ksmbd/connection.c

@@ -316,9 +316,12 @@ int ksmbd_conn_handler_loop(void *p)
 
 		/* 4 for rfc1002 length field */
 		size = pdu_size + 4;
-		conn->request_buf = kvmalloc(size, GFP_KERNEL);
+		conn->request_buf = kvmalloc(size,
+					     GFP_KERNEL |
+					     __GFP_NOWARN |
+					     __GFP_NORETRY);
 		if (!conn->request_buf)
-			continue;
+			break;
 
 		memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));
 		if (!ksmbd_smb_request(conn))

fs/ksmbd/smb2pdu.c

@@ -1928,13 +1928,13 @@ int smb2_tree_connect(struct ksmbd_work *work)
 	if (conn->posix_ext_supported)
 		status.tree_conn->posix_extensions = true;
 
-out_err1:
 	rsp->StructureSize = cpu_to_le16(16);
+	inc_rfc1001_len(work->response_buf, 16);
+out_err1:
 	rsp->Capabilities = 0;
 	rsp->Reserved = 0;
 	/* default manual caching */
 	rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;
-	inc_rfc1001_len(work->response_buf, 16);
 
 	if (!IS_ERR(treename))
 		kfree(treename);
@@ -1967,6 +1967,9 @@ out_err1:
 		rsp->hdr.Status = STATUS_ACCESS_DENIED;
 	}
 
+	if (status.ret != KSMBD_TREE_CONN_STATUS_OK)
+		smb2_set_err_rsp(work);
+
 	return rc;
 }
 

fs/ksmbd/transport_tcp.c

@@ -295,6 +295,7 @@ static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig,
 	struct msghdr ksmbd_msg;
 	struct kvec *iov;
 	struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn;
+	int max_retry = 2;
 
 	iov = get_conn_iovec(t, nr_segs);
 	if (!iov)
@@ -321,9 +322,11 @@ static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig,
 		} else if (conn->status == KSMBD_SESS_NEED_RECONNECT) {
 			total_read = -EAGAIN;
 			break;
-		} else if (length == -ERESTARTSYS || length == -EAGAIN) {
+		} else if ((length == -ERESTARTSYS || length == -EAGAIN) &&
+			   max_retry) {
 			usleep_range(1000, 2000);
 			length = 0;
+			max_retry--;
 			continue;
 		} else if (length <= 0) {
 			total_read = -EAGAIN;