3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Oct 2015 21:45:18 +0000 (14:45 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Oct 2015 21:45:18 +0000 (14:45 -0700)
added patches:
cifs-use-server-timestamp-for-ntlmv2-authentication.patch
mtd-pxa3xx_nand-add-a-default-chunk-size.patch
regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
security-fix-typo-in-security_task_prctl.patch

queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch [new file with mode: 0644]
queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch [new file with mode: 0644]
queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch [new file with mode: 0644]
queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch [new file with mode: 0644]
queue-3.14/security-fix-typo-in-security_task_prctl.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch b/queue-3.14/cifs-use-server-timestamp-for-ntlmv2-authentication.patch
new file mode 100644 (file)
index 0000000..bb2bedb
--- /dev/null
@@ -0,0 +1,123 @@
+From 98ce94c8df762d413b3ecb849e2b966b21606d04 Mon Sep 17 00:00:00 2001
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Thu, 17 Sep 2015 21:40:12 +0200
+Subject: cifs: use server timestamp for ntlmv2 authentication
+
+From: Peter Seiderer <ps.report@gmx.net>
+
+commit 98ce94c8df762d413b3ecb849e2b966b21606d04 upstream.
+
+Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
+10.10.5) share fails in case the clocks differ more than +/-2h:
+
+digest-service: digest-request: od failed with 2 proto=ntlmv2
+digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2
+
+Fix this by (re-)using the given server timestamp for the
+ntlmv2 authentication (as Windows 7 does).
+
+A related problem was also reported earlier by Namjae Jaen (see below):
+
+Windows machine has extended security feature which refuse to allow
+authentication when there is time difference between server time and
+client time when ntlmv2 negotiation is used. This problem is prevalent
+in embedded enviornment where system time is set to default 1970.
+
+Modern servers send the server timestamp in the TargetInfo Av_Pair
+structure in the challenge message [see MS-NLMP 2.2.2.1]
+In [MS-NLMP 3.1.5.1.2] it is explicitly mentioned that the client must
+use the server provided timestamp if present OR current time if it is
+not
+
+Reported-by: Namjae Jeon <namjae.jeon@samsung.com>
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsencrypt.c |   53 ++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 51 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -441,6 +441,48 @@ find_domain_name(struct cifs_ses *ses, c
+       return 0;
+ }
++/* Server has provided av pairs/target info in the type 2 challenge
++ * packet and we have plucked it and stored within smb session.
++ * We parse that blob here to find the server given timestamp
++ * as part of ntlmv2 authentication (or local current time as
++ * default in case of failure)
++ */
++static __le64
++find_timestamp(struct cifs_ses *ses)
++{
++      unsigned int attrsize;
++      unsigned int type;
++      unsigned int onesize = sizeof(struct ntlmssp2_name);
++      unsigned char *blobptr;
++      unsigned char *blobend;
++      struct ntlmssp2_name *attrptr;
++
++      if (!ses->auth_key.len || !ses->auth_key.response)
++              return 0;
++
++      blobptr = ses->auth_key.response;
++      blobend = blobptr + ses->auth_key.len;
++
++      while (blobptr + onesize < blobend) {
++              attrptr = (struct ntlmssp2_name *) blobptr;
++              type = le16_to_cpu(attrptr->type);
++              if (type == NTLMSSP_AV_EOL)
++                      break;
++              blobptr += 2; /* advance attr type */
++              attrsize = le16_to_cpu(attrptr->length);
++              blobptr += 2; /* advance attr size */
++              if (blobptr + attrsize > blobend)
++                      break;
++              if (type == NTLMSSP_AV_TIMESTAMP) {
++                      if (attrsize == sizeof(u64))
++                              return *((__le64 *)blobptr);
++              }
++              blobptr += attrsize; /* advance attr value */
++      }
++
++      return cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
++}
++
+ static int calc_ntlmv2_hash(struct cifs_ses *ses, char *ntlmv2_hash,
+                           const struct nls_table *nls_cp)
+ {
+@@ -637,6 +679,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+       struct ntlmv2_resp *ntlmv2;
+       char ntlmv2_hash[16];
+       unsigned char *tiblob = NULL; /* target info blob */
++      __le64 rsp_timestamp;
+       if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) {
+               if (!ses->domainName) {
+@@ -655,6 +698,12 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+               }
+       }
++      /* Must be within 5 minutes of the server (or in range +/-2h
++       * in case of Mac OS X), so simply carry over server timestamp
++       * (as Windows 7 does)
++       */
++      rsp_timestamp = find_timestamp(ses);
++
+       baselen = CIFS_SESS_KEY_SIZE + sizeof(struct ntlmv2_resp);
+       tilen = ses->auth_key.len;
+       tiblob = ses->auth_key.response;
+@@ -671,8 +720,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+                       (ses->auth_key.response + CIFS_SESS_KEY_SIZE);
+       ntlmv2->blob_signature = cpu_to_le32(0x00000101);
+       ntlmv2->reserved = 0;
+-      /* Must be within 5 minutes of the server */
+-      ntlmv2->time = cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));
++      ntlmv2->time = rsp_timestamp;
++
+       get_random_bytes(&ntlmv2->client_chal, sizeof(ntlmv2->client_chal));
+       ntlmv2->reserved2 = 0;
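Review bot: The early guard in find_timestamp() returns 0 when ses->auth_key is empty, which contradicts the header comment (local current time as the default on failure) and would put an NT time of zero into ntlmv2->time where the old code always sent the current time. Returning `cpu_to_le64(cifs_UnixTimeToNT(CURRENT_TIME));` from that guard would keep the previous behaviour for sessions without target info. The timestamp is also read with `*((__le64 *)blobptr)` at a byte offset inside a server-supplied blob, so the load may be unaligned; `return get_unaligned((__le64 *)blobptr);` avoids that on strict-alignment architectures. setup_ntlmv2_rsp() starts and ends outside the visible hunks, so whether the empty-key path is reachable there cannot be confirmed from this page.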
diff --git a/queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch b/queue-3.14/mtd-pxa3xx_nand-add-a-default-chunk-size.patch
new file mode 100644 (file)
index 0000000..accbeec
--- /dev/null
@@ -0,0 +1,41 @@
+From bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20T=C3=A9nart?= <antoine.tenart@free-electrons.com>
+Date: Tue, 18 Aug 2015 10:59:10 +0200
+Subject: mtd: pxa3xx_nand: add a default chunk size
+
+From: =?UTF-8?q?Antoine=20T=C3=A9nart?= <antoine.tenart@free-electrons.com>
+
+commit bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 upstream.
+
+When keeping the configuration set by the bootloader (by using
+the marvell,nand-keep-config property), the pxa3xx_nand_detect_config()
+function is called and set the chunk size to 512 as a default value if
+NDCR_PAGE_SZ is not set.
+
+In the other case, when not keeping the bootloader configuration, no
+chunk size is set. Fix this by adding a default chunk size of 512.
+
+Fixes: 70ed85232a93 ("mtd: nand: pxa3xx: Introduce multiple page I/O
+support")
+
+Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/pxa3xx_nand.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/nand/pxa3xx_nand.c
++++ b/drivers/mtd/nand/pxa3xx_nand.c
+@@ -1463,6 +1463,9 @@ static int pxa3xx_nand_scan(struct mtd_i
+       if (pdata->keep_config && !pxa3xx_nand_detect_config(info))
+               goto KEEP_CONFIG;
++      /* Set a default chunk size */
++      info->chunk_size = 512;
++
+       ret = pxa3xx_nand_sensing(info);
+       if (ret) {
+               dev_info(&info->pdev->dev, "There is no chip on cs %d!\n",
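Review bot: The added comment `/* Set a default chunk size */` in pxa3xx_nand_scan() restates the assignment without saying where 512 comes from or what may later override it. Per the commit message it mirrors the fallback pxa3xx_nand_detect_config() applies when NDCR_PAGE_SZ is not set, so a comment such as `/* Default chunk size, same 512-byte fallback as pxa3xx_nand_detect_config() */` would tie the two paths together. pxa3xx_nand_scan() continues outside the hunk.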
diff --git a/queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch b/queue-3.14/regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
new file mode 100644 (file)
index 0000000..7bbb89b
--- /dev/null
@@ -0,0 +1,35 @@
+From 176fc2d5770a0990eebff903ba680d2edd32e718 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Sat, 19 Sep 2015 07:12:34 -0700
+Subject: regmap: debugfs: Don't bother actually printing when calculating max length
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream.
+
+The in kernel snprintf() will conveniently return the actual length of
+the printed string even if not given an output beffer at all so just do
+that rather than relying on the user to pass in a suitable buffer,
+ensuring that we don't need to worry if the buffer was truncated due to
+the size of the buffer passed in.
+
+Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -32,8 +32,7 @@ static DEFINE_MUTEX(regmap_debugfs_early
+ /* Calculate the length of a fixed format  */
+ static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
+ {
+-      snprintf(buf, buf_size, "%x", max_val);
+-      return strlen(buf);
++      return snprintf(NULL, 0, "%x", max_val);
+ }
+ static ssize_t regmap_name_read_file(struct file *file,
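Review bot: regmap_calc_reg_len() no longer touches `buf` or `buf_size`, yet both remain in the signature, so callers still appear to need a scratch buffer that is never written. Either drop the parameters in a follow-up (`static size_t regmap_calc_reg_len(int max_val)`) or say so in the header comment, e.g. `/* Calculate the length of a fixed format; buf and buf_size are ignored */`. The callers are outside this hunk, so how many call sites a signature change would touch is not visible here.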
diff --git a/queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch b/queue-3.14/regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
new file mode 100644 (file)
index 0000000..95a6905
--- /dev/null
@@ -0,0 +1,34 @@
+From b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Sat, 19 Sep 2015 07:00:18 -0700
+Subject: regmap: debugfs: Ensure we don't underflow when printing access masks
+
+From: Mark Brown <broonie@kernel.org>
+
+commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream.
+
+If a read is attempted which is smaller than the line length then we may
+underflow the subtraction we're doing with the unsigned size_t type so
+move some of the calculation to be additions on the right hand side
+instead in order to avoid this.
+
+Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -432,7 +432,7 @@ static ssize_t regmap_access_read_file(s
+               /* If we're in the region the user is trying to read */
+               if (p >= *ppos) {
+                       /* ...but not beyond it */
+-                      if (buf_pos >= count - 1 - tot_len)
++                      if (buf_pos + tot_len + 1 >= count)
+                               break;
+                       /* Format the register */
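Review bot: Nothing at the rewritten bound `buf_pos + tot_len + 1 >= count` in regmap_access_read_file() records why the sum sits on the left, and the equivalent-looking `count - 1 - tot_len` form is exactly what wrapped for short reads. A comment such as `/* ...but not beyond it; add on the left, count - 1 - tot_len wraps when count is small */` would keep a later cleanup from reintroducing the unsigned underflow. The declarations of buf_pos and tot_len and the rest of the function are outside the hunk, so their types could not be checked here.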
diff --git a/queue-3.14/security-fix-typo-in-security_task_prctl.patch b/queue-3.14/security-fix-typo-in-security_task_prctl.patch
new file mode 100644 (file)
index 0000000..c00692d
--- /dev/null
@@ -0,0 +1,29 @@
+From b7f76ea2ef6739ee484a165ffbac98deb855d3d3 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Fri, 18 Sep 2015 23:41:23 +0200
+Subject: security: fix typo in security_task_prctl
+
+From: Jann Horn <jann@thejh.net>
+
+commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3 upstream.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/security.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2452,7 +2452,7 @@ static inline int security_task_prctl(in
+                                     unsigned long arg4,
+                                     unsigned long arg5)
+ {
+-      return cap_task_prctl(option, arg2, arg3, arg3, arg5);
++      return cap_task_prctl(option, arg2, arg3, arg4, arg5);
+ }
+ static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
index 657ee78b087cbbc9e376be0267af96d59e9b6b60..17df10c3195fc9d356d5d8038f59d87aa1db14c8 100644 (file)
@@ -49,3 +49,8 @@ usb-xhci-add-support-for-urb_zero_packet-to-bulk-sg-transfers.patch
 initialize-msg-shm-ipc-objects-before-doing-ipc_addid.patch
 ipvs-do-not-use-random-local-source-address-for-tunnels.patch
 ipvs-fix-crash-with-sync-protocol-v0-and-ftp.patch
+cifs-use-server-timestamp-for-ntlmv2-authentication.patch
+mtd-pxa3xx_nand-add-a-default-chunk-size.patch
+regmap-debugfs-ensure-we-don-t-underflow-when-printing-access-masks.patch
+regmap-debugfs-don-t-bother-actually-printing-when-calculating-max-length.patch
+security-fix-typo-in-security_task_prctl.patch