From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 20:17:36 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v3.10.91~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3bf53adc2bafc4429a97677a68b8adad9882dbc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch fix-sec-krb5-on-smb3-mounts.patch nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch nfs-fix-a-write-performance-regression.patch nfs-fix-pg_test-page-count-calculation.patch --- diff --git a/queue-4.1/bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch b/queue-4.1/bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch new file mode 100644 index 00000000000..669784eef9d --- /dev/null +++ b/queue-4.1/bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch @@ -0,0 +1,53 @@ +From d8949aad3eab5d396f4fefcd581773bf07b9a79e Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Fri, 4 Sep 2015 12:22:46 +0300 +Subject: Bluetooth: Delay check for conn->smp in smp_conn_security() + +From: Johan Hedberg + +commit d8949aad3eab5d396f4fefcd581773bf07b9a79e upstream. + +There are several actions that smp_conn_security() might make that do +not require a valid SMP context (conn->smp pointer). One of these +actions is to encrypt the link with an existing LTK. If the SMP +context wasn't initialized properly we should still allow the +independent actions to be done, i.e. the check for the context should +only be done at the last possible moment. + +Reported-by: Chuck Ebbert +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/smp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2294,12 +2294,6 @@ int smp_conn_security(struct hci_conn *h + if (!conn) + return 1; + +- chan = conn->smp; +- if (!chan) { +- BT_ERR("SMP security requested but not available"); +- return 1; +- } +- + if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) + return 1; + +@@ -2313,6 +2307,12 @@ int smp_conn_security(struct hci_conn *h + if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) + return 0; + ++ chan = conn->smp; ++ if (!chan) { ++ BT_ERR("SMP security requested but not available"); ++ return 1; ++ } ++ + l2cap_chan_lock(chan); + + /* If SMP is already in progress ignore this request */ diff --git a/queue-4.1/disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch b/queue-4.1/disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch new file mode 100644 index 00000000000..edf573f9b82 --- /dev/null +++ b/queue-4.1/disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch @@ -0,0 +1,38 @@ +From e0ddde9d44e37fbc21ce893553094ecf1a633ab5 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Tue, 22 Sep 2015 09:29:38 -0500 +Subject: disabling oplocks/leases via module parm enable_oplocks broken for SMB3 + +From: Steve French + +commit e0ddde9d44e37fbc21ce893553094ecf1a633ab5 upstream. + +leases (oplocks) were always requested for SMB2/SMB3 even when oplocks +disabled in the cifs.ko module. + +Signed-off-by: Steve French +Reviewed-by: Chandrika Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -50,9 +50,13 @@ change_conf(struct TCP_Server_Info *serv + break; + default: + server->echoes = true; +- server->oplocks = true; ++ if (enable_oplocks) { ++ server->oplocks = true; ++ server->oplock_credits = 1; ++ } else ++ server->oplocks = false; ++ + server->echo_credits = 1; +- server->oplock_credits = 1; + } + server->credits -= server->echo_credits + server->oplock_credits; + return 0; diff --git a/queue-4.1/do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch b/queue-4.1/do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch new file mode 100644 index 00000000000..d92f176f1a7 --- /dev/null +++ b/queue-4.1/do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch @@ -0,0 +1,101 @@ +From 646200a041203f440fb6fcf9cacd9efeda9de74c Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 28 Sep 2015 17:21:07 -0500 +Subject: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases + +From: Steve French + +commit 646200a041203f440fb6fcf9cacd9efeda9de74c upstream. + +The error paths in set_file_size for cifs and smb3 are incorrect. + +In the unlikely event that a server did not support set file info +of the file size, the code incorrectly falls back to trying SMBWriteX +(note that only the original core SMB Write, used for example by DOS, +can set the file size this way - this actually does not work for the more +recent SMBWriteX). The idea was since the old DOS SMB Write could set +the file size if you write zero bytes at that offset then use that if +server rejects the normal set file info call. + +Fortunately the SMBWriteX will never be sent on the wire (except when +file size is zero) since the length and offset fields were reversed +in the two places in this function that call SMBWriteX causing +the fall back path to return an error. It is also important to never call +an SMB request from an SMB2/sMB3 session (which theoretically would +be possible, and can cause a brief session drop, although the client +recovers) so this should be fixed. In practice this path does not happen +with modern servers but the error fall back to SMBWriteX is clearly wrong. + +Removing the calls to SMBWriteX in the error paths in cifs_set_file_size + +Pointed out by PaX/grsecurity team + +Signed-off-by: Steve French +Reported-by: PaX Team +CC: Emese Revfy +CC: Brad Spengler +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 36 +----------------------------------- + 1 file changed, 1 insertion(+), 35 deletions(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -2034,7 +2034,6 @@ cifs_set_file_size(struct inode *inode, + struct tcon_link *tlink = NULL; + struct cifs_tcon *tcon = NULL; + struct TCP_Server_Info *server; +- struct cifs_io_parms io_parms; + + /* + * To avoid spurious oplock breaks from server, in the case of +@@ -2056,18 +2055,6 @@ cifs_set_file_size(struct inode *inode, + rc = -ENOSYS; + cifsFileInfo_put(open_file); + cifs_dbg(FYI, "SetFSize for attrs rc = %d\n", rc); +- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) { +- unsigned int bytes_written; +- +- io_parms.netfid = open_file->fid.netfid; +- io_parms.pid = open_file->pid; +- io_parms.tcon = tcon; +- io_parms.offset = 0; +- io_parms.length = attrs->ia_size; +- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, +- NULL, NULL, 1); +- cifs_dbg(FYI, "Wrt seteof rc %d\n", rc); +- } + } else + rc = -EINVAL; + +@@ -2093,28 +2080,7 @@ cifs_set_file_size(struct inode *inode, + else + rc = -ENOSYS; + cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc); +- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) { +- __u16 netfid; +- int oplock = 0; +- +- rc = SMBLegacyOpen(xid, tcon, full_path, FILE_OPEN, +- GENERIC_WRITE, CREATE_NOT_DIR, &netfid, +- &oplock, NULL, cifs_sb->local_nls, +- cifs_remap(cifs_sb)); +- if (rc == 0) { +- unsigned int bytes_written; +- +- io_parms.netfid = netfid; +- io_parms.pid = current->tgid; +- io_parms.tcon = tcon; +- io_parms.offset = 0; +- io_parms.length = attrs->ia_size; +- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL, +- NULL, 1); +- cifs_dbg(FYI, "wrt seteof rc %d\n", rc); +- CIFSSMBClose(xid, tcon, netfid); +- } +- } ++ + if (tlink) + cifs_put_tlink(tlink); + diff --git a/queue-4.1/fix-sec-krb5-on-smb3-mounts.patch b/queue-4.1/fix-sec-krb5-on-smb3-mounts.patch new file mode 100644 index 00000000000..914342ef936 --- /dev/null +++ b/queue-4.1/fix-sec-krb5-on-smb3-mounts.patch @@ -0,0 +1,188 @@ +From ceb1b0b9b4d1089e9f2731a314689ae17784c861 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 24 Sep 2015 00:52:37 -0500 +Subject: [SMB3] Fix sec=krb5 on smb3 mounts + +From: Steve French + +commit ceb1b0b9b4d1089e9f2731a314689ae17784c861 upstream. + +Kerberos, which is very important for security, was only enabled for +CIFS not SMB2/SMB3 mounts (e.g. vers=3.0) + +Patch based on the information detailed in +http://thread.gmane.org/gmane.linux.kernel.cifs/10081/focus=10307 +to enable Kerberized SMB2/SMB3 + +a) SMB2_negotiate: enable/use decode_negTokenInit in SMB2_negotiate +b) SMB2_sess_setup: handle Kerberos sectype and replicate Kerberos + SMB1 processing done in sess_auth_kerberos + +Signed-off-by: Noel Power +Signed-off-by: Jim McDonough +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 76 +++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 61 insertions(+), 15 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -46,6 +46,7 @@ + #include "smb2status.h" + #include "smb2glob.h" + #include "cifspdu.h" ++#include "cifs_spnego.h" + + /* + * The following table defines the expected "StructureSize" of SMB2 requests +@@ -427,19 +428,15 @@ SMB2_negotiate(const unsigned int xid, s + cifs_dbg(FYI, "missing security blob on negprot\n"); + + rc = cifs_enable_signing(server, ses->sign); +-#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */ + if (rc) + goto neg_exit; +- if (blob_length) ++ if (blob_length) { + rc = decode_negTokenInit(security_blob, blob_length, server); +- if (rc == 1) +- rc = 0; +- else if (rc == 0) { +- rc = -EIO; +- goto neg_exit; ++ if (rc == 1) ++ rc = 0; ++ else if (rc == 0) ++ rc = -EIO; + } +-#endif +- + neg_exit: + free_rsp_buf(resp_buftype, rsp); + return rc; +@@ -533,7 +530,8 @@ SMB2_sess_setup(const unsigned int xid, + __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */ + struct TCP_Server_Info *server = ses->server; + u16 blob_length = 0; +- char *security_blob; ++ struct key *spnego_key = NULL; ++ char *security_blob = NULL; + char *ntlmssp_blob = NULL; + bool use_spnego = false; /* else use raw ntlmssp */ + +@@ -561,7 +559,8 @@ SMB2_sess_setup(const unsigned int xid, + ses->ntlmssp->sesskey_per_smbsess = true; + + /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */ +- ses->sectype = RawNTLMSSP; ++ if (ses->sectype != Kerberos && ses->sectype != RawNTLMSSP) ++ ses->sectype = RawNTLMSSP; + + ssetup_ntlmssp_authenticate: + if (phase == NtLmChallenge) +@@ -590,7 +589,48 @@ ssetup_ntlmssp_authenticate: + iov[0].iov_base = (char *)req; + /* 4 for rfc1002 length field and 1 for pad */ + iov[0].iov_len = get_rfc1002_length(req) + 4 - 1; +- if (phase == NtLmNegotiate) { ++ ++ if (ses->sectype == Kerberos) { ++#ifdef CONFIG_CIFS_UPCALL ++ struct cifs_spnego_msg *msg; ++ ++ spnego_key = cifs_get_spnego_key(ses); ++ if (IS_ERR(spnego_key)) { ++ rc = PTR_ERR(spnego_key); ++ spnego_key = NULL; ++ goto ssetup_exit; ++ } ++ ++ msg = spnego_key->payload.data; ++ /* ++ * check version field to make sure that cifs.upcall is ++ * sending us a response in an expected form ++ */ ++ if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) { ++ cifs_dbg(VFS, ++ "bad cifs.upcall version. Expected %d got %d", ++ CIFS_SPNEGO_UPCALL_VERSION, msg->version); ++ rc = -EKEYREJECTED; ++ goto ssetup_exit; ++ } ++ ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, ++ GFP_KERNEL); ++ if (!ses->auth_key.response) { ++ cifs_dbg(VFS, ++ "Kerberos can't allocate (%u bytes) memory", ++ msg->sesskey_len); ++ rc = -ENOMEM; ++ goto ssetup_exit; ++ } ++ ses->auth_key.len = msg->sesskey_len; ++ blob_length = msg->secblob_len; ++ iov[1].iov_base = msg->data + msg->sesskey_len; ++ iov[1].iov_len = blob_length; ++#else ++ rc = -EOPNOTSUPP; ++ goto ssetup_exit; ++#endif /* CONFIG_CIFS_UPCALL */ ++ } else if (phase == NtLmNegotiate) { /* if not krb5 must be ntlmssp */ + ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE), + GFP_KERNEL); + if (ntlmssp_blob == NULL) { +@@ -613,6 +653,8 @@ ssetup_ntlmssp_authenticate: + /* with raw NTLMSSP we don't encapsulate in SPNEGO */ + security_blob = ntlmssp_blob; + } ++ iov[1].iov_base = security_blob; ++ iov[1].iov_len = blob_length; + } else if (phase == NtLmAuthenticate) { + req->hdr.SessionId = ses->Suid; + ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500, +@@ -640,6 +682,8 @@ ssetup_ntlmssp_authenticate: + } else { + security_blob = ntlmssp_blob; + } ++ iov[1].iov_base = security_blob; ++ iov[1].iov_len = blob_length; + } else { + cifs_dbg(VFS, "illegal ntlmssp phase\n"); + rc = -EIO; +@@ -651,8 +695,6 @@ ssetup_ntlmssp_authenticate: + cpu_to_le16(sizeof(struct smb2_sess_setup_req) - + 1 /* pad */ - 4 /* rfc1001 len */); + req->SecurityBufferLength = cpu_to_le16(blob_length); +- iov[1].iov_base = security_blob; +- iov[1].iov_len = blob_length; + + inc_rfc1001_len(req, blob_length - 1 /* pad */); + +@@ -663,6 +705,7 @@ ssetup_ntlmssp_authenticate: + + kfree(security_blob); + rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base; ++ ses->Suid = rsp->hdr.SessionId; + if (resp_buftype != CIFS_NO_BUFFER && + rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { + if (phase != NtLmNegotiate) { +@@ -680,7 +723,6 @@ ssetup_ntlmssp_authenticate: + /* NTLMSSP Negotiate sent now processing challenge (response) */ + phase = NtLmChallenge; /* process ntlmssp challenge */ + rc = 0; /* MORE_PROCESSING is not an error here but expected */ +- ses->Suid = rsp->hdr.SessionId; + rc = decode_ntlmssp_challenge(rsp->Buffer, + le16_to_cpu(rsp->SecurityBufferLength), ses); + } +@@ -737,6 +779,10 @@ keygen_exit: + kfree(ses->auth_key.response); + ses->auth_key.response = NULL; + } ++ if (spnego_key) { ++ key_invalidate(spnego_key); ++ key_put(spnego_key); ++ } + kfree(ses->ntlmssp); + + return rc; diff --git a/queue-4.1/nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch b/queue-4.1/nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch new file mode 100644 index 00000000000..7356b9e6d44 --- /dev/null +++ b/queue-4.1/nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch @@ -0,0 +1,45 @@ +From 6f29b9bba7b08c6b1d6f2cc4cf750b342fc1946c Mon Sep 17 00:00:00 2001 +From: Kinglong Mee +Date: Sun, 20 Sep 2015 23:03:28 +0800 +Subject: NFS: Do cleanup before resetting pageio read/write to mds + +From: Kinglong Mee + +commit 6f29b9bba7b08c6b1d6f2cc4cf750b342fc1946c upstream. + +There is a reference leak of layout segment after resetting +pageio read/write to mds. + +Signed-off-by: Kinglong Mee +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/read.c | 3 +++ + fs/nfs/write.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/fs/nfs/read.c ++++ b/fs/nfs/read.c +@@ -72,6 +72,9 @@ void nfs_pageio_reset_read_mds(struct nf + { + struct nfs_pgio_mirror *mirror; + ++ if (pgio->pg_ops && pgio->pg_ops->pg_cleanup) ++ pgio->pg_ops->pg_cleanup(pgio); ++ + pgio->pg_ops = &nfs_pgio_rw_ops; + + /* read path should never have more than one mirror */ +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1331,6 +1331,9 @@ void nfs_pageio_reset_write_mds(struct n + { + struct nfs_pgio_mirror *mirror; + ++ if (pgio->pg_ops && pgio->pg_ops->pg_cleanup) ++ pgio->pg_ops->pg_cleanup(pgio); ++ + pgio->pg_ops = &nfs_pgio_rw_ops; + + nfs_pageio_stop_mirroring(pgio); diff --git a/queue-4.1/nfs-fix-a-write-performance-regression.patch b/queue-4.1/nfs-fix-a-write-performance-regression.patch new file mode 100644 index 00000000000..f312469ee63 --- /dev/null +++ b/queue-4.1/nfs-fix-a-write-performance-regression.patch @@ -0,0 +1,36 @@ +From 8fa4592a14ebb3c22a21d846d1e4f65dab7d1a7c Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 1 Oct 2015 18:38:27 -0400 +Subject: NFS: Fix a write performance regression + +From: Trond Myklebust + +commit 8fa4592a14ebb3c22a21d846d1e4f65dab7d1a7c upstream. + +If all other conditions in nfs_can_extend_write() are met, and there +are no locks, then we should be able to assume close-to-open semantics +and the ability to extend our write to cover the whole page. + +With this patch, the xfstests generic/074 test completes in 242s instead +of >1400s on my test rig. + +Fixes: bd61e0a9c852 ("locks: convert posix locks to file_lock_context") +Cc: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/write.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1203,7 +1203,7 @@ static int nfs_can_extend_write(struct f + return 1; + if (!flctx || (list_empty_careful(&flctx->flc_flock) && + list_empty_careful(&flctx->flc_posix))) +- return 0; ++ return 1; + + /* Check to see if there are whole file write locks */ + ret = 0; diff --git a/queue-4.1/nfs-fix-pg_test-page-count-calculation.patch b/queue-4.1/nfs-fix-pg_test-page-count-calculation.patch new file mode 100644 index 00000000000..40e451bb4fb --- /dev/null +++ b/queue-4.1/nfs-fix-pg_test-page-count-calculation.patch @@ -0,0 +1,35 @@ +From 048883e0b934d9a5103d40e209cb14b7f33d2933 Mon Sep 17 00:00:00 2001 +From: Peng Tao +Date: Fri, 11 Sep 2015 11:14:06 +0800 +Subject: nfs: fix pg_test page count calculation + +From: Peng Tao + +commit 048883e0b934d9a5103d40e209cb14b7f33d2933 upstream. + +We really want sizeof(struct page *) instead. Otherwise we limit +maximum IO size to 64 pages rather than 512 pages on a 64bit system. + +Fixes 2e11f829(nfs: cap request size to fit a kmalloced page array). + +Cc: Christoph Hellwig +Signed-off-by: Peng Tao +Fixes: 2e11f8296d22 ("nfs: cap request size to fit a kmalloced page array") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pagelist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -508,7 +508,7 @@ size_t nfs_generic_pg_test(struct nfs_pa + * for it without upsetting the slab allocator. + */ + if (((mirror->pg_count + req->wb_bytes) >> PAGE_SHIFT) * +- sizeof(struct page) > PAGE_SIZE) ++ sizeof(struct page *) > PAGE_SIZE) + return 0; + + return min(mirror->pg_bsize - mirror->pg_count, (size_t)req->wb_bytes); diff --git a/queue-4.1/series b/queue-4.1/series index 2eba4c60630..00bc2f18b9b 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -92,3 +92,10 @@ netfilter-nftables-do-not-run-chains-in-the-wrong-network-namespace.patch netfilter-nf_log-wait-for-rcu-grace-after-logger-unregistration.patch netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch netfilter-nf_log-don-t-zap-all-loggers-on-unregister.patch +bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch +nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch +nfs-fix-pg_test-page-count-calculation.patch +nfs-fix-a-write-performance-regression.patch +fix-sec-krb5-on-smb3-mounts.patch +disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch +do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch