--- /dev/null
+From d8949aad3eab5d396f4fefcd581773bf07b9a79e Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Fri, 4 Sep 2015 12:22:46 +0300
+Subject: Bluetooth: Delay check for conn->smp in smp_conn_security()
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit d8949aad3eab5d396f4fefcd581773bf07b9a79e upstream.
+
+There are several actions that smp_conn_security() might make that do
+not require a valid SMP context (conn->smp pointer). One of these
+actions is to encrypt the link with an existing LTK. If the SMP
+context wasn't initialized properly we should still allow the
+independent actions to be done, i.e. the check for the context should
+only be done at the last possible moment.
+
+Reported-by: Chuck Ebbert <cebbert.lkml@gmail.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/smp.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2294,12 +2294,6 @@ int smp_conn_security(struct hci_conn *h
+ if (!conn)
+ return 1;
+
+- chan = conn->smp;
+- if (!chan) {
+- BT_ERR("SMP security requested but not available");
+- return 1;
+- }
+-
+ if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
+ return 1;
+
+@@ -2313,6 +2307,12 @@ int smp_conn_security(struct hci_conn *h
+ if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
+ return 0;
+
++ chan = conn->smp;
++ if (!chan) {
++ BT_ERR("SMP security requested but not available");
++ return 1;
++ }
++
+ l2cap_chan_lock(chan);
+
+ /* If SMP is already in progress ignore this request */
--- /dev/null
+From e0ddde9d44e37fbc21ce893553094ecf1a633ab5 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Tue, 22 Sep 2015 09:29:38 -0500
+Subject: disabling oplocks/leases via module parm enable_oplocks broken for SMB3
+
+From: Steve French <smfrench@gmail.com>
+
+commit e0ddde9d44e37fbc21ce893553094ecf1a633ab5 upstream.
+
+leases (oplocks) were always requested for SMB2/SMB3 even when oplocks
+disabled in the cifs.ko module.
+
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Reviewed-by: Chandrika Srinivasan <chandrika.srinivasan@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -50,9 +50,13 @@ change_conf(struct TCP_Server_Info *serv
+ break;
+ default:
+ server->echoes = true;
+- server->oplocks = true;
++ if (enable_oplocks) {
++ server->oplocks = true;
++ server->oplock_credits = 1;
++ } else
++ server->oplocks = false;
++
+ server->echo_credits = 1;
+- server->oplock_credits = 1;
+ }
+ server->credits -= server->echo_credits + server->oplock_credits;
+ return 0;
--- /dev/null
+From 646200a041203f440fb6fcf9cacd9efeda9de74c Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Mon, 28 Sep 2015 17:21:07 -0500
+Subject: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
+
+From: Steve French <smfrench@gmail.com>
+
+commit 646200a041203f440fb6fcf9cacd9efeda9de74c upstream.
+
+The error paths in set_file_size for cifs and smb3 are incorrect.
+
+In the unlikely event that a server did not support set file info
+of the file size, the code incorrectly falls back to trying SMBWriteX
+(note that only the original core SMB Write, used for example by DOS,
+can set the file size this way - this actually does not work for the more
+recent SMBWriteX). The idea was since the old DOS SMB Write could set
+the file size if you write zero bytes at that offset then use that if
+server rejects the normal set file info call.
+
+Fortunately the SMBWriteX will never be sent on the wire (except when
+file size is zero) since the length and offset fields were reversed
+in the two places in this function that call SMBWriteX causing
+the fall back path to return an error. It is also important to never call
+an SMB request from an SMB2/sMB3 session (which theoretically would
+be possible, and can cause a brief session drop, although the client
+recovers) so this should be fixed. In practice this path does not happen
+with modern servers but the error fall back to SMBWriteX is clearly wrong.
+
+Removing the calls to SMBWriteX in the error paths in cifs_set_file_size
+
+Pointed out by PaX/grsecurity team
+
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Reported-by: PaX Team <pageexec@freemail.hu>
+CC: Emese Revfy <re.emese@gmail.com>
+CC: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 36 +-----------------------------------
+ 1 file changed, 1 insertion(+), 35 deletions(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2034,7 +2034,6 @@ cifs_set_file_size(struct inode *inode,
+ struct tcon_link *tlink = NULL;
+ struct cifs_tcon *tcon = NULL;
+ struct TCP_Server_Info *server;
+- struct cifs_io_parms io_parms;
+
+ /*
+ * To avoid spurious oplock breaks from server, in the case of
+@@ -2056,18 +2055,6 @@ cifs_set_file_size(struct inode *inode,
+ rc = -ENOSYS;
+ cifsFileInfo_put(open_file);
+ cifs_dbg(FYI, "SetFSize for attrs rc = %d\n", rc);
+- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
+- unsigned int bytes_written;
+-
+- io_parms.netfid = open_file->fid.netfid;
+- io_parms.pid = open_file->pid;
+- io_parms.tcon = tcon;
+- io_parms.offset = 0;
+- io_parms.length = attrs->ia_size;
+- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written,
+- NULL, NULL, 1);
+- cifs_dbg(FYI, "Wrt seteof rc %d\n", rc);
+- }
+ } else
+ rc = -EINVAL;
+
+@@ -2093,28 +2080,7 @@ cifs_set_file_size(struct inode *inode,
+ else
+ rc = -ENOSYS;
+ cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc);
+- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
+- __u16 netfid;
+- int oplock = 0;
+-
+- rc = SMBLegacyOpen(xid, tcon, full_path, FILE_OPEN,
+- GENERIC_WRITE, CREATE_NOT_DIR, &netfid,
+- &oplock, NULL, cifs_sb->local_nls,
+- cifs_remap(cifs_sb));
+- if (rc == 0) {
+- unsigned int bytes_written;
+-
+- io_parms.netfid = netfid;
+- io_parms.pid = current->tgid;
+- io_parms.tcon = tcon;
+- io_parms.offset = 0;
+- io_parms.length = attrs->ia_size;
+- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL,
+- NULL, 1);
+- cifs_dbg(FYI, "wrt seteof rc %d\n", rc);
+- CIFSSMBClose(xid, tcon, netfid);
+- }
+- }
++
+ if (tlink)
+ cifs_put_tlink(tlink);
+
--- /dev/null
+From ceb1b0b9b4d1089e9f2731a314689ae17784c861 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Thu, 24 Sep 2015 00:52:37 -0500
+Subject: [SMB3] Fix sec=krb5 on smb3 mounts
+
+From: Steve French <smfrench@gmail.com>
+
+commit ceb1b0b9b4d1089e9f2731a314689ae17784c861 upstream.
+
+Kerberos, which is very important for security, was only enabled for
+CIFS not SMB2/SMB3 mounts (e.g. vers=3.0)
+
+Patch based on the information detailed in
+http://thread.gmane.org/gmane.linux.kernel.cifs/10081/focus=10307
+to enable Kerberized SMB2/SMB3
+
+a) SMB2_negotiate: enable/use decode_negTokenInit in SMB2_negotiate
+b) SMB2_sess_setup: handle Kerberos sectype and replicate Kerberos
+ SMB1 processing done in sess_auth_kerberos
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Signed-off-by: Jim McDonough <jmcd@samba.org>
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 76 +++++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -46,6 +46,7 @@
+ #include "smb2status.h"
+ #include "smb2glob.h"
+ #include "cifspdu.h"
++#include "cifs_spnego.h"
+
+ /*
+ * The following table defines the expected "StructureSize" of SMB2 requests
+@@ -427,19 +428,15 @@ SMB2_negotiate(const unsigned int xid, s
+ cifs_dbg(FYI, "missing security blob on negprot\n");
+
+ rc = cifs_enable_signing(server, ses->sign);
+-#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */
+ if (rc)
+ goto neg_exit;
+- if (blob_length)
++ if (blob_length) {
+ rc = decode_negTokenInit(security_blob, blob_length, server);
+- if (rc == 1)
+- rc = 0;
+- else if (rc == 0) {
+- rc = -EIO;
+- goto neg_exit;
++ if (rc == 1)
++ rc = 0;
++ else if (rc == 0)
++ rc = -EIO;
+ }
+-#endif
+-
+ neg_exit:
+ free_rsp_buf(resp_buftype, rsp);
+ return rc;
+@@ -533,7 +530,8 @@ SMB2_sess_setup(const unsigned int xid,
+ __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
+ struct TCP_Server_Info *server = ses->server;
+ u16 blob_length = 0;
+- char *security_blob;
++ struct key *spnego_key = NULL;
++ char *security_blob = NULL;
+ char *ntlmssp_blob = NULL;
+ bool use_spnego = false; /* else use raw ntlmssp */
+
+@@ -561,7 +559,8 @@ SMB2_sess_setup(const unsigned int xid,
+ ses->ntlmssp->sesskey_per_smbsess = true;
+
+ /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */
+- ses->sectype = RawNTLMSSP;
++ if (ses->sectype != Kerberos && ses->sectype != RawNTLMSSP)
++ ses->sectype = RawNTLMSSP;
+
+ ssetup_ntlmssp_authenticate:
+ if (phase == NtLmChallenge)
+@@ -590,7 +589,48 @@ ssetup_ntlmssp_authenticate:
+ iov[0].iov_base = (char *)req;
+ /* 4 for rfc1002 length field and 1 for pad */
+ iov[0].iov_len = get_rfc1002_length(req) + 4 - 1;
+- if (phase == NtLmNegotiate) {
++
++ if (ses->sectype == Kerberos) {
++#ifdef CONFIG_CIFS_UPCALL
++ struct cifs_spnego_msg *msg;
++
++ spnego_key = cifs_get_spnego_key(ses);
++ if (IS_ERR(spnego_key)) {
++ rc = PTR_ERR(spnego_key);
++ spnego_key = NULL;
++ goto ssetup_exit;
++ }
++
++ msg = spnego_key->payload.data;
++ /*
++ * check version field to make sure that cifs.upcall is
++ * sending us a response in an expected form
++ */
++ if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
++ cifs_dbg(VFS,
++ "bad cifs.upcall version. Expected %d got %d",
++ CIFS_SPNEGO_UPCALL_VERSION, msg->version);
++ rc = -EKEYREJECTED;
++ goto ssetup_exit;
++ }
++ ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
++ GFP_KERNEL);
++ if (!ses->auth_key.response) {
++ cifs_dbg(VFS,
++ "Kerberos can't allocate (%u bytes) memory",
++ msg->sesskey_len);
++ rc = -ENOMEM;
++ goto ssetup_exit;
++ }
++ ses->auth_key.len = msg->sesskey_len;
++ blob_length = msg->secblob_len;
++ iov[1].iov_base = msg->data + msg->sesskey_len;
++ iov[1].iov_len = blob_length;
++#else
++ rc = -EOPNOTSUPP;
++ goto ssetup_exit;
++#endif /* CONFIG_CIFS_UPCALL */
++ } else if (phase == NtLmNegotiate) { /* if not krb5 must be ntlmssp */
+ ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE),
+ GFP_KERNEL);
+ if (ntlmssp_blob == NULL) {
+@@ -613,6 +653,8 @@ ssetup_ntlmssp_authenticate:
+ /* with raw NTLMSSP we don't encapsulate in SPNEGO */
+ security_blob = ntlmssp_blob;
+ }
++ iov[1].iov_base = security_blob;
++ iov[1].iov_len = blob_length;
+ } else if (phase == NtLmAuthenticate) {
+ req->hdr.SessionId = ses->Suid;
+ ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500,
+@@ -640,6 +682,8 @@ ssetup_ntlmssp_authenticate:
+ } else {
+ security_blob = ntlmssp_blob;
+ }
++ iov[1].iov_base = security_blob;
++ iov[1].iov_len = blob_length;
+ } else {
+ cifs_dbg(VFS, "illegal ntlmssp phase\n");
+ rc = -EIO;
+@@ -651,8 +695,6 @@ ssetup_ntlmssp_authenticate:
+ cpu_to_le16(sizeof(struct smb2_sess_setup_req) -
+ 1 /* pad */ - 4 /* rfc1001 len */);
+ req->SecurityBufferLength = cpu_to_le16(blob_length);
+- iov[1].iov_base = security_blob;
+- iov[1].iov_len = blob_length;
+
+ inc_rfc1001_len(req, blob_length - 1 /* pad */);
+
+@@ -663,6 +705,7 @@ ssetup_ntlmssp_authenticate:
+
+ kfree(security_blob);
+ rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
++ ses->Suid = rsp->hdr.SessionId;
+ if (resp_buftype != CIFS_NO_BUFFER &&
+ rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
+ if (phase != NtLmNegotiate) {
+@@ -680,7 +723,6 @@ ssetup_ntlmssp_authenticate:
+ /* NTLMSSP Negotiate sent now processing challenge (response) */
+ phase = NtLmChallenge; /* process ntlmssp challenge */
+ rc = 0; /* MORE_PROCESSING is not an error here but expected */
+- ses->Suid = rsp->hdr.SessionId;
+ rc = decode_ntlmssp_challenge(rsp->Buffer,
+ le16_to_cpu(rsp->SecurityBufferLength), ses);
+ }
+@@ -737,6 +779,10 @@ keygen_exit:
+ kfree(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ }
++ if (spnego_key) {
++ key_invalidate(spnego_key);
++ key_put(spnego_key);
++ }
+ kfree(ses->ntlmssp);
+
+ return rc;
--- /dev/null
+From 6f29b9bba7b08c6b1d6f2cc4cf750b342fc1946c Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Sun, 20 Sep 2015 23:03:28 +0800
+Subject: NFS: Do cleanup before resetting pageio read/write to mds
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit 6f29b9bba7b08c6b1d6f2cc4cf750b342fc1946c upstream.
+
+There is a reference leak of layout segment after resetting
+pageio read/write to mds.
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/read.c | 3 +++
+ fs/nfs/write.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/nfs/read.c
++++ b/fs/nfs/read.c
+@@ -72,6 +72,9 @@ void nfs_pageio_reset_read_mds(struct nf
+ {
+ struct nfs_pgio_mirror *mirror;
+
++ if (pgio->pg_ops && pgio->pg_ops->pg_cleanup)
++ pgio->pg_ops->pg_cleanup(pgio);
++
+ pgio->pg_ops = &nfs_pgio_rw_ops;
+
+ /* read path should never have more than one mirror */
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1331,6 +1331,9 @@ void nfs_pageio_reset_write_mds(struct n
+ {
+ struct nfs_pgio_mirror *mirror;
+
++ if (pgio->pg_ops && pgio->pg_ops->pg_cleanup)
++ pgio->pg_ops->pg_cleanup(pgio);
++
+ pgio->pg_ops = &nfs_pgio_rw_ops;
+
+ nfs_pageio_stop_mirroring(pgio);
--- /dev/null
+From 8fa4592a14ebb3c22a21d846d1e4f65dab7d1a7c Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Thu, 1 Oct 2015 18:38:27 -0400
+Subject: NFS: Fix a write performance regression
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 8fa4592a14ebb3c22a21d846d1e4f65dab7d1a7c upstream.
+
+If all other conditions in nfs_can_extend_write() are met, and there
+are no locks, then we should be able to assume close-to-open semantics
+and the ability to extend our write to cover the whole page.
+
+With this patch, the xfstests generic/074 test completes in 242s instead
+of >1400s on my test rig.
+
+Fixes: bd61e0a9c852 ("locks: convert posix locks to file_lock_context")
+Cc: Jeff Layton <jlayton@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1203,7 +1203,7 @@ static int nfs_can_extend_write(struct f
+ return 1;
+ if (!flctx || (list_empty_careful(&flctx->flc_flock) &&
+ list_empty_careful(&flctx->flc_posix)))
+- return 0;
++ return 1;
+
+ /* Check to see if there are whole file write locks */
+ ret = 0;
--- /dev/null
+From 048883e0b934d9a5103d40e209cb14b7f33d2933 Mon Sep 17 00:00:00 2001
+From: Peng Tao <tao.peng@primarydata.com>
+Date: Fri, 11 Sep 2015 11:14:06 +0800
+Subject: nfs: fix pg_test page count calculation
+
+From: Peng Tao <tao.peng@primarydata.com>
+
+commit 048883e0b934d9a5103d40e209cb14b7f33d2933 upstream.
+
+We really want sizeof(struct page *) instead. Otherwise we limit
+maximum IO size to 64 pages rather than 512 pages on a 64bit system.
+
+Fixes 2e11f829(nfs: cap request size to fit a kmalloced page array).
+
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Peng Tao <tao.peng@primarydata.com>
+Fixes: 2e11f8296d22 ("nfs: cap request size to fit a kmalloced page array")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -508,7 +508,7 @@ size_t nfs_generic_pg_test(struct nfs_pa
+ * for it without upsetting the slab allocator.
+ */
+ if (((mirror->pg_count + req->wb_bytes) >> PAGE_SHIFT) *
+- sizeof(struct page) > PAGE_SIZE)
++ sizeof(struct page *) > PAGE_SIZE)
+ return 0;
+
+ return min(mirror->pg_bsize - mirror->pg_count, (size_t)req->wb_bytes);
netfilter-nf_log-wait-for-rcu-grace-after-logger-unregistration.patch
netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch
netfilter-nf_log-don-t-zap-all-loggers-on-unregister.patch
+bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch
+nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch
+nfs-fix-pg_test-page-count-calculation.patch
+nfs-fix-a-write-performance-regression.patch
+fix-sec-krb5-on-smb3-mounts.patch
+disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch
+do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
