[PATCH v4 00/10] cifsd: introduce new SMB3 kernel server
From: Namjae Jeon
Date: Tue Jun 01 2021 - 23:58:27 EST
This is the patch series for cifsd(ksmbd) kernel server.
What is cifsd(ksmbd) ?
======================
The SMB family of protocols is the most widely deployed
network filesystem protocol, the default on Windows and Macs (and even
on many phones and tablets), with clients and servers on all major
operating systems, but lacked a kernel server for Linux. For many
cases the current userspace server choices were suboptimal
either due to memory footprint, performance or difficulty integrating
well with advanced Linux features.
ksmbd is a new kernel module which implements the server-side of the SMB3 protocol.
The target is to provide optimized performance, GPLv2 SMB server, better
lease handling (distributed caching). The bigger goal is to add new
features more rapidly (e.g. RDMA aka "smbdirect", and recent encryption
and signing improvements to the protocol) which are easier to develop
on a smaller, more tightly optimized kernel server than for example
in Samba. The Samba project is much broader in scope (tools, security services,
LDAP, Active Directory Domain Controller, and a cross platform file server
for a wider variety of purposes) but the user space file server portion
of Samba has proved hard to optimize for some Linux workloads, including
for smaller devices. This is not meant to replace Samba, but rather be
an extension to allow better optimizing for Linux, and will continue to
integrate well with Samba user space tools and libraries where appropriate.
Working with the Samba team we have already made sure that the configuration
files and xattrs are in a compatible format between the kernel and
user space server.
Architecture
============
|--- ...
--------|--- ksmbd/3 - Client 3
|-------|--- ksmbd/2 - Client 2
| | ____________________________________________________
| | |- Client 1 |
<--- Socket ---|--- ksmbd/1 <<= Authentication : NTLM/NTLM2, Kerberos |
| | | | <<= SMB engine : SMB2, SMB2.1, SMB3, SMB3.0.2, |
| | | | SMB3.1.1 |
| | | |____________________________________________________|
| | |
| | |--- VFS --- Local Filesystem
| |
KERNEL |--- ksmbd/0(forker kthread)
---------------||---------------------------------------------------------------
USER ||
|| communication using NETLINK
|| ______________________________________________
|| | |
ksmbd.mountd <<= DCE/RPC(srvsvc, wkssvc, samr, lsarpc) |
^ | <<= configure shares setting, user accounts |
| |______________________________________________|
|
|------ smb.conf(config file)
|
|------ ksmbdpwd.db(user account/password file)
^
ksmbd.adduser ------------|
The subset of performance related operations(open/read/write/close etc.) belong
in kernelspace(ksmbd) and the other subset which belong to operations(DCE/RPC,
user account/share database) which are not really related with performance are
handled in userspace(ksmbd.mountd).
When the ksmbd.mountd is started, It starts up a forker thread at initialization
time and opens a dedicated port 445 for listening to SMB requests. Whenever new
clients make request, Forker thread will accept the client connection and fork
a new thread for dedicated communication channel between the client and
the server.
ksmbd feature status
====================
============================== =================================================
Feature name Status
============================== =================================================
Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects
(intentionally excludes security vulnerable SMB1 dialect).
Auto Negotiation Supported.
Compound Request Supported.
Oplock Cache Mechanism Supported.
SMB2 leases(v1 lease) Supported.
Directory leases(v2 lease) Planned for future.
Multi-credits Supported.
NTLM/NTLMv2 Supported.
HMAC-SHA256 Signing Supported.
Secure negotiate Supported.
Signing Update Supported.
Pre-authentication integrity Supported.
SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in progress)
SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is required
to connect to Windows client.
SMB3 Multi-channel In Progress.
SMB3.1.1 POSIX extension Supported.
ACLs Partially Supported. only DACLs available, SACLs
(auditing) is planned for the future. For
ownership (SIDs) ksmbd generates random subauth
values(then store it to disk) and use uid/gid
get from inode as RID for local domain SID.
The current acl implementation is limited to
standalone server, not a domain member.
Integration with Samba tools is being worked on to
allow future support for running as a domain member.
Kerberos Supported.
Durable handle v1,v2 Planned for future.
Persistent handle Planned for future.
SMB2 notify Planned for future.
Sparse file support Supported.
DCE/RPC support Partially Supported. a few calls(NetShareEnumAll,
NetServerGetInfo, SAMR, LSARPC) that are needed
for file server handled via netlink interface from
ksmbd.mountd. Additional integration with Samba
tools and libraries via upcall is being investigated
to allow support for additional DCE/RPC management
calls (and future support for Witness protocol e.g.)
ksmbd/nfsd interoperability Planned for future. The features that ksmbd
support are Leases, Notify, ACLs and Share modes.
============================== =================================================
All features required as file server are currently implemented in ksmbd.
In particular, the implementation of SMB Direct(RDMA) is only currently
possible with ksmbd (among Linux servers)
Stability
=========
It has been proved to be stable. A significant amount of xfstests pass and
are run regularly from Linux to Linux:
http://smb3-test-rhel-75.southcentralus.cloudapp.azure.com/#/builders/8/builds/43
In addition regression tests using the broadest SMB3 functional test suite
(Samba's "smbtorture") are run on every checkin.
It has already been used by many other open source toolkits and commercial companies
that need NAS functionality. Their issues have been fixed and contributions are
applied into ksmbd. Ksmbd has been well tested and verified in the field and market.
Mailing list and repositories
=============================
- linux-cifsd-devel@xxxxxxxxxxxxxxxxxxxxx
- https://github.com/smfrench/smb3-kernel/tree/cifsd-for-next
- https://github.com/cifsd-team/cifsd (out-of-tree)
- https://github.com/cifsd-team/ksmbd-tools
How to run ksmbd
================
a. Download ksmbd-tools and compile them.
- https://github.com/cifsd-team/ksmbd-tools
b. Create user/password for SMB share.
# mkdir /etc/ksmbd/
# ksmbd.adduser -a <Enter USERNAME for SMB share access>
c. Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file
- Refer smb.conf.example and Documentation/configuration.txt
in ksmbd-tools
d. Insert ksmbd.ko module
# insmod ksmbd.ko
e. Start ksmbd user space daemon
# ksmbd.mountd
f. Access share from Windows or Linux using SMB
e.g. "mount -t cifs //server/share /mnt ..."
v4:
- add goto fail in asn1_oid_decode() (Dan Carpenter)
- use memcmp instead of for loop check in oid_eq(). (Dan Carpenter)
- add goto fail in neg_token_init_mech_type(). (Dan Carpenter)
- move fips_enabled check before the str_to_key(). (Dan Carpenter)
- just return smbhash() instead of using rc return value. (Dan Carpenter)
- move ret check before the out label. (Dan Carpenter)
- simplify error handling in ksmbd_auth_ntlm(). (Dan Carpenter)
- remove unneeded type casting. (Dan Carpenter)
- set error return value for memcmp() difference. (Dan Carpenter)
- return zero in always success case. (Dan Carpenter)
- never return 1 on failure. (Dan Carpenter)
- add the check if nvec is zero. (Dan Carpenter)
- len can never be negative in ksmbd_init_sg(). (Dan Carpenter)
- remove unneeded initialization of rc variable in ksmbd_crypt_message(). (Dan Carpenter)
- fix wrong return value in ksmbd_crypt_message(). (Dan Carpenter)
- change success handling to failure handling. (Dan Carpenter)
- add default case in switch statment in alloc_shash_desc().(Dan Carpenter)
- call kzalloc() directly instead of wrapper. (Dan Carpenter)
- simplify error handling in ksmbd_gen_preauth_integrity_hash(). (Dan Carpenter)
- return -ENOMEM about error from ksmbd_crypto_ctx_find_xxx calls. (Dan Carpenter)
- alignment match open parenthesis. (Dan Carpenter)
- add the check to prevent potential overflow with smb_strtoUTF16() and
UNICODE_LEN(). (Dan Carpenter)
- braces {} should be used on all arms of this statement.
- spaces preferred around that '/'.
- don't use multiple blank lines.
- No space is necessary after a cast.
- Blank lines aren't necessary after an open brace '{'.
- remove unnecessary parentheses around.
- Prefer kernel type 'u16' over 'uint16_t'.
- lookup a file with LOOKUP_FOLLOW only if 'follow symlinks = yes'.
- fix Control flow issues in ksmbd_build_ntlmssp_challenge_blob().
- fix memleak in ksmbd_vfs_stream_write(). (Yang Yingliang)
- fix memleak in ksmbd_vfs_stream_read(). (Yang Yingliang)
- check return value of ksmbd_vfs_getcasexattr() correctly.
- fix potential read overflow in ksmbd_vfs_stream_read().
v3:
- fix boolreturn.cocci warnings. (kernel test robot)
- fix xfstests generic/504 test failure.
- do not use 0 or 0xFFFFFFFF for TreeID. (Marios Makassikis)
- add support for FSCTL_DUPLICATE_EXTENTS_TO_FILE.
- fix build error without CONFIG_OID_REGISTRY. (Wei Yongjun)
- fix invalid memory access in smb2_write(). (Coverity Scan)
- add support for AES256 encryption.
- fix potential null-ptr-deref in destroy_previous_session(). (Marios Makassikis).
- update out_buf_len in smb2_populate_readdir_entry(). (Marios Makassikis)
- handle ksmbd_session_rpc_open() failure in create_smb2_pipe(). (Marios Makassikis)
- call smb2_set_err_rsp() in smb2_read/smb2_write error path. (Marios Makassikis)
- add ksmbd/nfsd interoperability to feature table. (Amir Goldstein)
- fix regression in smb2_get_info. (Sebastian Gottschall)
- remove is_attributes_write_allowed() wrapper. (Marios Makassikis)
- update access check in set_file_allocation_info/set_end_of_file_info. (Marios Makassikis)
v2:
- fix an error code in smb2_read(). (Dan Carpenter)
- fix error handling in ksmbd_server_init() (Dan Carpenter)
- remove redundant assignment to variable err. (Colin Ian King)
- remove unneeded macros.
- fix wrong use of rw semaphore in __session_create().
- use kmalloc() for small allocations.
- add the check to work file lock and rename behaviors like Windows
unless POSIX extensions are negotiated.
- clean-up codes using chechpatch.pl --strict.
- merge time_wrappers.h into smb_common.h.
- fix wrong prototype in comment (kernel test robot).
- fix implicit declaration of function 'groups_alloc' (kernel test robot).
- fix implicit declaration of function 'locks_alloc_lock' (kernel test robot).
- remove smack inherit leftovers.
- remove calling d_path in error paths.
- handle unhashed dentry in ksmbd_vfs_mkdir.
- use file_inode() instead of d_inode().
- remove useless error handling in ksmbd_vfs_read.
- use xarray instead of linked list for tree connect list.
- remove stale prototype and variables.
- fix memory leak when loop ends (coverity-bot, Muhammad Usama Anjum).
- use kfree to free memory allocated by kmalloc or kzalloc (Muhammad Usama Anjum).
- fix memdup.cocci warnings (kernel test robot)
- remove wrappers of kvmalloc/kvfree.
- change the reference to configuration.txt (Mauro Carvalho Chehab).
- prevent a integer overflow in wm_alloc().
- select SG_POOL for SMB_SERVER_SMBDIRECT. (Zhang Xiaoxu).
- remove unused including <linux/version.h> (Tian Tao).
- declare ida statically.
- add the check if parent is stable by unexpected rename.
- get parent dentry from child in ksmbd_vfs_remove_file().
- re-implement ksmbd_vfs_kern_path.
- fix reference count decrement of unclaimed file in __ksmbd_lookup_fd.
- remove smb2_put_name(). (Marios Makassikis).
- remove unused smberr.h, nterr.c and netmisc.c.
- fix potential null-ptr-deref in smb2_open() (Marios Makassikis).
- use d_inode().
- remove the dead code of unimplemented durable handle.
- use the generic one in lib/asn1_decoder.c
v1:
- fix a handful of spelling mistakes (Colin Ian King)
- fix a precedence bug in parse_dacl() (Dan Carpenter)
- fix a IS_ERR() vs NULL bug (Dan Carpenter)
- fix a use after free on error path (Dan Carpenter)
- update cifsd.rst Documentation
- remove unneeded FIXME comments
- fix static checker warnings (Dan Carpenter)
- fix WARNING: unmet direct dependencies detected for CRYPTO_ARC4 (Randy Dunlap)
- uniquify extract_sharename() (Stephen Rothwell)
- fix WARNING: document isn't included in any toctree (Stephen Rothwell)
- fix WARNING: Title overline too short (Stephen Rothwell)
- fix warning: variable 'total_ace_size' and 'posix_ccontext'set but not used (kernel test rotbot)
- fix incorrect function comments (kernel test robot)
Namjae Jeon (10):
cifsd: add document
cifsd: add server handler
cifsd: add trasport layers
cifsd: add authentication
cifsd: add smb3 engine part 1
cifsd: add smb3 engine part 2
cifsd: add oplock/lease cache mechanism
cifsd: add file operations
cifsd: add Kconfig and Makefile
MAINTAINERS: add cifsd kernel server
Documentation/filesystems/cifs/cifsd.rst | 164 +
Documentation/filesystems/cifs/index.rst | 10 +
Documentation/filesystems/index.rst | 2 +-
MAINTAINERS | 12 +-
fs/Kconfig | 1 +
fs/Makefile | 1 +
fs/cifsd/Kconfig | 68 +
fs/cifsd/Makefile | 17 +
fs/cifsd/asn1.c | 339 +
fs/cifsd/asn1.h | 21 +
fs/cifsd/auth.c | 1355 ++++
fs/cifsd/auth.h | 65 +
fs/cifsd/buffer_pool.c | 265 +
fs/cifsd/buffer_pool.h | 17 +
fs/cifsd/connection.c | 411 ++
fs/cifsd/connection.h | 204 +
fs/cifsd/crypto_ctx.c | 283 +
fs/cifsd/crypto_ctx.h | 74 +
fs/cifsd/glob.h | 64 +
fs/cifsd/ksmbd_server.h | 283 +
fs/cifsd/ksmbd_work.c | 93 +
fs/cifsd/ksmbd_work.h | 110 +
fs/cifsd/mgmt/ksmbd_ida.c | 46 +
fs/cifsd/mgmt/ksmbd_ida.h | 34 +
fs/cifsd/mgmt/share_config.c | 239 +
fs/cifsd/mgmt/share_config.h | 81 +
fs/cifsd/mgmt/tree_connect.c | 122 +
fs/cifsd/mgmt/tree_connect.h | 56 +
fs/cifsd/mgmt/user_config.c | 70 +
fs/cifsd/mgmt/user_config.h | 66 +
fs/cifsd/mgmt/user_session.c | 328 +
fs/cifsd/mgmt/user_session.h | 101 +
fs/cifsd/misc.c | 338 +
fs/cifsd/misc.h | 35 +
fs/cifsd/ndr.c | 348 +
fs/cifsd/ndr.h | 22 +
fs/cifsd/nterr.h | 543 ++
fs/cifsd/ntlmssp.h | 169 +
fs/cifsd/oplock.c | 1661 +++++
fs/cifsd/oplock.h | 132 +
fs/cifsd/server.c | 627 ++
fs/cifsd/server.h | 60 +
fs/cifsd/smb2misc.c | 435 ++
fs/cifsd/smb2ops.c | 300 +
fs/cifsd/smb2pdu.c | 8166 ++++++++++++++++++++++
fs/cifsd/smb2pdu.h | 1664 +++++
fs/cifsd/smb_common.c | 655 ++
fs/cifsd/smb_common.h | 544 ++
fs/cifsd/smbacl.c | 1321 ++++
fs/cifsd/smbacl.h | 202 +
fs/cifsd/smbfsctl.h | 91 +
fs/cifsd/smbstatus.h | 1822 +++++
fs/cifsd/spnego_negtokeninit.asn1 | 43 +
fs/cifsd/spnego_negtokentarg.asn1 | 19 +
fs/cifsd/transport_ipc.c | 880 +++
fs/cifsd/transport_ipc.h | 47 +
fs/cifsd/transport_rdma.c | 2040 ++++++
fs/cifsd/transport_rdma.h | 61 +
fs/cifsd/transport_tcp.c | 620 ++
fs/cifsd/transport_tcp.h | 13 +
fs/cifsd/unicode.c | 384 +
fs/cifsd/unicode.h | 357 +
fs/cifsd/uniupr.h | 268 +
fs/cifsd/vfs.c | 2015 ++++++
fs/cifsd/vfs.h | 275 +
fs/cifsd/vfs_cache.c | 685 ++
fs/cifsd/vfs_cache.h | 185 +
67 files changed, 32027 insertions(+), 2 deletions(-)
create mode 100644 Documentation/filesystems/cifs/cifsd.rst
create mode 100644 Documentation/filesystems/cifs/index.rst
create mode 100644 fs/cifsd/Kconfig
create mode 100644 fs/cifsd/Makefile
create mode 100644 fs/cifsd/asn1.c
create mode 100644 fs/cifsd/asn1.h
create mode 100644 fs/cifsd/auth.c
create mode 100644 fs/cifsd/auth.h
create mode 100644 fs/cifsd/buffer_pool.c
create mode 100644 fs/cifsd/buffer_pool.h
create mode 100644 fs/cifsd/connection.c
create mode 100644 fs/cifsd/connection.h
create mode 100644 fs/cifsd/crypto_ctx.c
create mode 100644 fs/cifsd/crypto_ctx.h
create mode 100644 fs/cifsd/glob.h
create mode 100644 fs/cifsd/ksmbd_server.h
create mode 100644 fs/cifsd/ksmbd_work.c
create mode 100644 fs/cifsd/ksmbd_work.h
create mode 100644 fs/cifsd/mgmt/ksmbd_ida.c
create mode 100644 fs/cifsd/mgmt/ksmbd_ida.h
create mode 100644 fs/cifsd/mgmt/share_config.c
create mode 100644 fs/cifsd/mgmt/share_config.h
create mode 100644 fs/cifsd/mgmt/tree_connect.c
create mode 100644 fs/cifsd/mgmt/tree_connect.h
create mode 100644 fs/cifsd/mgmt/user_config.c
create mode 100644 fs/cifsd/mgmt/user_config.h
create mode 100644 fs/cifsd/mgmt/user_session.c
create mode 100644 fs/cifsd/mgmt/user_session.h
create mode 100644 fs/cifsd/misc.c
create mode 100644 fs/cifsd/misc.h
create mode 100644 fs/cifsd/ndr.c
create mode 100644 fs/cifsd/ndr.h
create mode 100644 fs/cifsd/nterr.h
create mode 100644 fs/cifsd/ntlmssp.h
create mode 100644 fs/cifsd/oplock.c
create mode 100644 fs/cifsd/oplock.h
create mode 100644 fs/cifsd/server.c
create mode 100644 fs/cifsd/server.h
create mode 100644 fs/cifsd/smb2misc.c
create mode 100644 fs/cifsd/smb2ops.c
create mode 100644 fs/cifsd/smb2pdu.c
create mode 100644 fs/cifsd/smb2pdu.h
create mode 100644 fs/cifsd/smb_common.c
create mode 100644 fs/cifsd/smb_common.h
create mode 100644 fs/cifsd/smbacl.c
create mode 100644 fs/cifsd/smbacl.h
create mode 100644 fs/cifsd/smbfsctl.h
create mode 100644 fs/cifsd/smbstatus.h
create mode 100644 fs/cifsd/spnego_negtokeninit.asn1
create mode 100644 fs/cifsd/spnego_negtokentarg.asn1
create mode 100644 fs/cifsd/transport_ipc.c
create mode 100644 fs/cifsd/transport_ipc.h
create mode 100644 fs/cifsd/transport_rdma.c
create mode 100644 fs/cifsd/transport_rdma.h
create mode 100644 fs/cifsd/transport_tcp.c
create mode 100644 fs/cifsd/transport_tcp.h
create mode 100644 fs/cifsd/unicode.c
create mode 100644 fs/cifsd/unicode.h
create mode 100644 fs/cifsd/uniupr.h
create mode 100644 fs/cifsd/vfs.c
create mode 100644 fs/cifsd/vfs.h
create mode 100644 fs/cifsd/vfs_cache.c
create mode 100644 fs/cifsd/vfs_cache.h
--
2.17.1