4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 24 Jan 2019 18:03:14 +0000 (19:03 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 24 Jan 2019 18:03:14 +0000 (19:03 +0100)
added patches:
cifs-allow-disabling-insecure-dialects-in-the-config.patch
ipmi-pci-blacklist-a-realtek-ipmi-device.patch
nfs-fix-a-deadlock-in-nfs-client-initialization.patch

queue-4.14/cifs-allow-disabling-insecure-dialects-in-the-config.patch [new file with mode: 0644]
queue-4.14/ipmi-pci-blacklist-a-realtek-ipmi-device.patch [new file with mode: 0644]
queue-4.14/nfs-fix-a-deadlock-in-nfs-client-initialization.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/cifs-allow-disabling-insecure-dialects-in-the-config.patch b/queue-4.14/cifs-allow-disabling-insecure-dialects-in-the-config.patch
new file mode 100644 (file)
index 0000000..9527b57
--- /dev/null
@@ -0,0 +1,77 @@
+From 7420451f6a109f7f8f1bf283f34d08eba3259fb3 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 19 Jun 2018 14:34:08 -0500
+Subject: cifs: allow disabling insecure dialects in the config
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 7420451f6a109f7f8f1bf283f34d08eba3259fb3 upstream.
+
+allow disabling cifs (SMB1 ie vers=1.0) and vers=2.0 in the
+config for the build of cifs.ko if want to always prevent mounting
+with these less secure dialects.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Cc: Alakesh Haloi <alakeshh@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/Kconfig   |   17 ++++++++++++++++-
+ fs/cifs/connect.c |    9 +++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -66,9 +66,24 @@ config CIFS_STATS2
+         Unless you are a developer or are doing network performance analysis
+         or tuning, say N.
++config CIFS_ALLOW_INSECURE_LEGACY
++      bool "Support legacy servers which use less secure dialects"
++      depends on CIFS
++      default y
++      help
++        Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
++        additional security features, including protection against
++        man-in-the-middle attacks and stronger crypto hashes, so the use
++        of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
++
++        Disabling this option prevents users from using vers=1.0 or vers=2.0
++        on mounts with cifs.ko
++
++        If unsure, say Y.
++
+ config CIFS_WEAK_PW_HASH
+       bool "Support legacy servers which use weaker LANMAN security"
+-      depends on CIFS
++      depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
+       help
+         Modern CIFS servers including Samba and most Windows versions
+         (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1130,6 +1130,7 @@ cifs_parse_smb_version(char *value, stru
+       substring_t args[MAX_OPT_ARGS];
+       switch (match_token(value, cifs_smb_version_tokens, args)) {
++#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
+       case Smb_1:
+               vol->ops = &smb1_operations;
+               vol->vals = &smb1_values;
+@@ -1138,6 +1139,14 @@ cifs_parse_smb_version(char *value, stru
+               vol->ops = &smb20_operations;
+               vol->vals = &smb20_values;
+               break;
++#else
++      case Smb_1:
++              cifs_dbg(VFS, "vers=1.0 (cifs) mount not permitted when legacy dialects disabled\n");
++              return 1;
++      case Smb_20:
++              cifs_dbg(VFS, "vers=2.0 mount not permitted when legacy dialects disabled\n");
++              return 1;
++#endif /* CIFS_ALLOW_INSECURE_LEGACY */
+       case Smb_21:
+               vol->ops = &smb21_operations;
+               vol->vals = &smb21_values;
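Review bot: The closing `#endif /* CIFS_ALLOW_INSECURE_LEGACY */` in the fs/cifs/connect.c hunk does not name the symbol tested by the `#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY` it closes, so a search for the config symbol misses the end of the guarded region; `#endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */` would match. The new Kconfig entry is `default y`, so vers=1.0 and vers=2.0 are refused only when the option is explicitly turned off. The help text could say so, and could also mention that CIFS_WEAK_PW_HASH becomes unavailable with it off, given the new `depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY`. cifs_parse_smb_version starts and ends outside the hunks shown.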
diff --git a/queue-4.14/ipmi-pci-blacklist-a-realtek-ipmi-device.patch b/queue-4.14/ipmi-pci-blacklist-a-realtek-ipmi-device.patch
new file mode 100644 (file)
index 0000000..7765683
--- /dev/null
@@ -0,0 +1,58 @@
+From bc48fa1b9d3b04106055b27078da824cd209865a Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Thu, 15 Feb 2018 16:58:26 -0600
+Subject: ipmi:pci: Blacklist a Realtek "IPMI" device
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit bc48fa1b9d3b04106055b27078da824cd209865a upstream.
+
+Realtek has some sort of "Virtual" IPMI device on the PCI bus as a
+KCS controller, but whatever it is, it's not one.  Ignore it if seen.
+
+[ Commit 13d0b35c (ipmi_si: Move PCI setup to another file) from Linux
+  4.15-rc1 has not been back ported, so the PCI code is still in
+  `drivers/char/ipmi/ipmi_si_intf.c`, requiring to apply the commit
+  manually.
+
+  This fixes a 100 s boot delay on the HP EliteDesk 705 G4 MT with Linux
+  4.14.94. ]
+
+Reported-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Tested-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_si_intf.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2447,6 +2447,15 @@ static int ipmi_pci_probe_regspacing(str
+       return DEFAULT_REGSPACING;
+ }
++static struct pci_device_id ipmi_pci_blacklist[] = {
++      /*
++       * This is a "Virtual IPMI device", whatever that is.  It appears
++       * as a KCS device by the class, but it is not one.
++       */
++      { PCI_VDEVICE(REALTEK, 0x816c) },
++      { 0, }
++};
++
+ static int ipmi_pci_probe(struct pci_dev *pdev,
+                                   const struct pci_device_id *ent)
+ {
+@@ -2454,6 +2463,9 @@ static int ipmi_pci_probe(struct pci_dev
+       int class_type = pdev->class & PCI_ERMC_CLASSCODE_TYPE_MASK;
+       struct smi_info *info;
++      if (pci_match_id(ipmi_pci_blacklist, pdev))
++              return -ENODEV;
++
+       info = smi_info_alloc();
+       if (!info)
+               return -ENOMEM;
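Review bot: The new table `ipmi_pci_blacklist[]` is declared `static struct pci_device_id` without `const`, although the hunk only ever reads it through `pci_match_id()`. Declaring it `static const struct pci_device_id ipmi_pci_blacklist[] = {` keeps the match table in read-only data and documents that nothing modifies it at runtime. The body of ipmi_pci_probe continues outside the hunk.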
diff --git a/queue-4.14/nfs-fix-a-deadlock-in-nfs-client-initialization.patch b/queue-4.14/nfs-fix-a-deadlock-in-nfs-client-initialization.patch
new file mode 100644 (file)
index 0000000..fa8a8d0
--- /dev/null
@@ -0,0 +1,122 @@
+From c156618e15101a9cc8c815108fec0300a0ec6637 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Tue, 5 Dec 2017 13:55:44 -0500
+Subject: nfs: fix a deadlock in nfs client initialization
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit c156618e15101a9cc8c815108fec0300a0ec6637 upstream.
+
+The following deadlock can occur between a process waiting for a client
+to initialize in while walking the client list during nfsv4 server trunking
+detection and another process waiting for the nfs_clid_init_mutex so it
+can initialize that client:
+
+Process 1                               Process 2
+---------                               ---------
+spin_lock(&nn->nfs_client_lock);
+list_add_tail(&CLIENTA->cl_share_link,
+        &nn->nfs_client_list);
+spin_unlock(&nn->nfs_client_lock);
+                                        spin_lock(&nn->nfs_client_lock);
+                                        list_add_tail(&CLIENTB->cl_share_link,
+                                                &nn->nfs_client_list);
+                                        spin_unlock(&nn->nfs_client_lock);
+                                        mutex_lock(&nfs_clid_init_mutex);
+                                        nfs41_walk_client_list(clp, result, cred);
+                                        nfs_wait_client_init_complete(CLIENTA);
+(waiting for nfs_clid_init_mutex)
+
+Make sure nfs_match_client() only evaluates clients that have completed
+initialization in order to prevent that deadlock.
+
+This patch also fixes v4.0 trunking behavior by not marking the client
+NFS_CS_READY until the clientid has been confirmed.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Qian Lu <luqia@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/client.c     |   11 +++++++++++
+ fs/nfs/nfs4client.c |   17 +++++++++++++----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -291,12 +291,23 @@ static struct nfs_client *nfs_match_clie
+       const struct sockaddr *sap = data->addr;
+       struct nfs_net *nn = net_generic(data->net, nfs_net_id);
++again:
+       list_for_each_entry(clp, &nn->nfs_client_list, cl_share_link) {
+               const struct sockaddr *clap = (struct sockaddr *)&clp->cl_addr;
+               /* Don't match clients that failed to initialise properly */
+               if (clp->cl_cons_state < 0)
+                       continue;
++              /* If a client is still initializing then we need to wait */
++              if (clp->cl_cons_state > NFS_CS_READY) {
++                      atomic_inc(&clp->cl_count);
++                      spin_unlock(&nn->nfs_client_lock);
++                      nfs_wait_client_init_complete(clp);
++                      nfs_put_client(clp);
++                      spin_lock(&nn->nfs_client_lock);
++                      goto again;
++              }
++
+               /* Different NFS versions cannot share the same nfs_client */
+               if (clp->rpc_ops != data->nfs_mod->rpc_ops)
+                       continue;
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -404,15 +404,19 @@ struct nfs_client *nfs4_init_client(stru
+       if (error < 0)
+               goto error;
+-      if (!nfs4_has_session(clp))
+-              nfs_mark_client_ready(clp, NFS_CS_READY);
+-
+       error = nfs4_discover_server_trunking(clp, &old);
+       if (error < 0)
+               goto error;
+-      if (clp != old)
++      if (clp != old) {
+               clp->cl_preserve_clid = true;
++              /*
++               * Mark the client as having failed initialization so other
++               * processes walking the nfs_client_list in nfs_match_client()
++               * won't try to use it.
++               */
++              nfs_mark_client_ready(clp, -EPERM);
++      }
+       nfs_put_client(clp);
+       clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags);
+       return old;
+@@ -539,6 +543,9 @@ int nfs40_walk_client_list(struct nfs_cl
+       spin_lock(&nn->nfs_client_lock);
+       list_for_each_entry(pos, &nn->nfs_client_list, cl_share_link) {
++              if (pos == new)
++                      goto found;
++
+               status = nfs4_match_client(pos, new, &prev, nn);
+               if (status < 0)
+                       goto out_unlock;
+@@ -559,6 +566,7 @@ int nfs40_walk_client_list(struct nfs_cl
+                * way that a SETCLIENTID_CONFIRM to pos can succeed is
+                * if new and pos point to the same server:
+                */
++found:
+               atomic_inc(&pos->cl_count);
+               spin_unlock(&nn->nfs_client_lock);
+@@ -572,6 +580,7 @@ int nfs40_walk_client_list(struct nfs_cl
+               case 0:
+                       nfs4_swap_callback_idents(pos, new);
+                       pos->cl_confirm = new->cl_confirm;
++                      nfs_mark_client_ready(pos, NFS_CS_READY);
+                       prev = NULL;
+                       *result = pos;
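Review bot: In the fs/nfs/client.c hunk the result of `nfs_wait_client_init_complete(clp)` is discarded before `goto again`. If that wait can end early while the client is still above NFS_CS_READY (it looks like a killable wait, to be confirmed against the helper), the walk retakes the lock and retries immediately, and can spin on the CPU until the other task finishes initialization. Capturing the result, e.g. `error = nfs_wait_client_init_complete(clp);`, and leaving the retry loop when it is negative would bound that. How the error reaches the caller depends on the rest of nfs_match_client, which starts and ends outside the hunk. A short comment at `again:` saying the list walk must restart because nfs_client_lock was dropped would also help the next reader.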
index ab6db1359fdeb607fab620885487bfd12bae6bd9..7386b6af8cff4cbb5ddf5855ae7503873d65ca64 100644 (file)
@@ -55,3 +55,6 @@ ocfs2-fix-panic-due-to-unrecovered-local-alloc.patch
 mm-page-writeback.c-don-t-break-integrity-writeback-.patch
 mm-swap-use-nr_node_ids-for-avail_lists-in-swap_info.patch
 mm-proc-be-more-verbose-about-unstable-vma-flags-in-.patch
+nfs-fix-a-deadlock-in-nfs-client-initialization.patch
+ipmi-pci-blacklist-a-realtek-ipmi-device.patch
+cifs-allow-disabling-insecure-dialects-in-the-config.patch