From: Greg Kroah-Hartman Date: Thu, 24 Jan 2019 18:03:14 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.20.5~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed2a9d67bb81117fee2e947ce258bd0c694aca2d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: cifs-allow-disabling-insecure-dialects-in-the-config.patch ipmi-pci-blacklist-a-realtek-ipmi-device.patch nfs-fix-a-deadlock-in-nfs-client-initialization.patch
---
diff --git a/queue-4.14/cifs-allow-disabling-insecure-dialects-in-the-config.patch b/queue-4.14/cifs-allow-disabling-insecure-dialects-in-the-config.patch
new file mode 100644
index 00000000000..9527b57f4b0
--- /dev/null
+++ b/queue-4.14/cifs-allow-disabling-insecure-dialects-in-the-config.patch
@@ -0,0 +1,77 @@
+From 7420451f6a109f7f8f1bf283f34d08eba3259fb3 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Tue, 19 Jun 2018 14:34:08 -0500
+Subject: cifs: allow disabling insecure dialects in the config
+
+From: Steve French
+
+commit 7420451f6a109f7f8f1bf283f34d08eba3259fb3 upstream.
+
+allow disabling cifs (SMB1 ie vers=1.0) and vers=2.0 in the
+config for the build of cifs.ko if want to always prevent mounting
+with these less secure dialects.
+
+Signed-off-by: Steve French
+Reviewed-by: Aurelien Aptel
+Reviewed-by: Jeremy Allison
+Cc: Alakesh Haloi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/Kconfig | 17 ++++++++++++++++-
+ fs/cifs/connect.c | 9 +++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -66,9 +66,24 @@ config CIFS_STATS2
+ Unless you are a developer or are doing network performance analysis
+ or tuning, say N.
+
++config CIFS_ALLOW_INSECURE_LEGACY
++ bool "Support legacy servers which use less secure dialects"
++ depends on CIFS
++ default y
++ help
++ Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
++ additional security features, including protection against
++ man-in-the-middle attacks and stronger crypto hashes, so the use
++ of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
++
++ Disabling this option prevents users from using vers=1.0 or vers=2.0
++ on mounts with cifs.ko
++
++ If unsure, say Y.
++
+ config CIFS_WEAK_PW_HASH
+ bool "Support legacy servers which use weaker LANMAN security"
+- depends on CIFS
++ depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
+ help
+ Modern CIFS servers including Samba and most Windows versions
+ (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1130,6 +1130,7 @@ cifs_parse_smb_version(char *value, stru
+ substring_t args[MAX_OPT_ARGS];
+
+ switch (match_token(value, cifs_smb_version_tokens, args)) {
++#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
+ case Smb_1:
+ vol->ops = &smb1_operations;
+ vol->vals = &smb1_values;
+@@ -1138,6 +1139,14 @@ cifs_parse_smb_version(char *value, stru
+ vol->ops = &smb20_operations;
+ vol->vals = &smb20_values;
+ break;
++#else
++ case Smb_1:
++ cifs_dbg(VFS, "vers=1.0 (cifs) mount not permitted when legacy dialects disabled\n");
++ return 1;
++ case Smb_20:
++ cifs_dbg(VFS, "vers=2.0 mount not permitted when legacy dialects disabled\n");
++ return 1;
++#endif /* CIFS_ALLOW_INSECURE_LEGACY */
+ case Smb_21:
+ vol->ops = &smb21_operations;
+ vol->vals = &smb21_values;
diff --git a/queue-4.14/ipmi-pci-blacklist-a-realtek-ipmi-device.patch b/queue-4.14/ipmi-pci-blacklist-a-realtek-ipmi-device.patch
new file mode 100644
index 00000000000..77656832508
--- /dev/null
+++ b/queue-4.14/ipmi-pci-blacklist-a-realtek-ipmi-device.patch
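Review bot: The new `CIFS_ALLOW_INSECURE_LEGACY` option is `default y` and its help text ends with "If unsure, say Y", so a kernel built from an existing config keeps accepting `vers=1.0` and `vers=2.0`; the restriction only exists where someone turns the option off, and the help text should say so, for example `Say N if this system only needs to reach SMB2.1 or later servers.` In connect.c the closing `#endif /* CIFS_ALLOW_INSECURE_LEGACY */` names a symbol the `#ifdef` does not test and should read `#endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */`. Only the explicit `Smb_1` and `Smb_20` tokens are rejected in the visible lines; whether any default or other code path can still select those dialects is outside the hunk and worth confirming. The switch in cifs_parse_smb_version() continues past the hunk.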
@@ -0,0 +1,58 @@
+From bc48fa1b9d3b04106055b27078da824cd209865a Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Thu, 15 Feb 2018 16:58:26 -0600
+Subject: ipmi:pci: Blacklist a Realtek "IPMI" device
+
+From: Corey Minyard
+
+commit bc48fa1b9d3b04106055b27078da824cd209865a upstream.
+
+Realtek has some sort of "Virtual" IPMI device on the PCI bus as a
+KCS controller, but whatever it is, it's not one. Ignore it if seen.
+
+[ Commit 13d0b35c (ipmi_si: Move PCI setup to another file) from Linux
+ 4.15-rc1 has not been back ported, so the PCI code is still in
+ `drivers/char/ipmi/ipmi_si_intf.c`, requiring to apply the commit
+ manually.
+
+ This fixes a 100 s boot delay on the HP EliteDesk 705 G4 MT with Linux
+ 4.14.94. ]
+
+Reported-by: Chris Chiu
+Signed-off-by: Corey Minyard
+Tested-by: Daniel Drake
+Signed-off-by: Paul Menzel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2447,6 +2447,15 @@ static int ipmi_pci_probe_regspacing(str
+ return DEFAULT_REGSPACING;
+ }
+
++static struct pci_device_id ipmi_pci_blacklist[] = {
++ /*
++ * This is a "Virtual IPMI device", whatever that is. It appears
++ * as a KCS device by the class, but it is not one.
++ */
++ { PCI_VDEVICE(REALTEK, 0x816c) },
++ { 0, }
++};
++
+ static int ipmi_pci_probe(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -2454,6 +2463,9 @@ static int ipmi_pci_probe(struct pci_dev
+ int class_type = pdev->class & PCI_ERMC_CLASSCODE_TYPE_MASK;
+ struct smi_info *info;
+
++ if (pci_match_id(ipmi_pci_blacklist, pdev))
++ return -ENODEV;
++
+ info = smi_info_alloc();
+ if (!info)
+ return -ENOMEM;
diff --git a/queue-4.14/nfs-fix-a-deadlock-in-nfs-client-initialization.patch b/queue-4.14/nfs-fix-a-deadlock-in-nfs-client-initialization.patch
new file mode 100644
index 00000000000..fa8a8d005b0
--- /dev/null
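Review bot: `ipmi_pci_blacklist` is declared without `const` although the visible code only reads it through `pci_match_id()`; writing `static const struct pci_device_id ipmi_pci_blacklist[] = {` places the table in read-only data and makes it clear nothing modifies it at run time. The comment on the Realtek entry says the device is not a KCS controller but not what goes wrong when it is probed; the commit message reports a 100 s boot delay, and a line such as `/* Reported to delay boot when probed as KCS. */` would keep that reason next to the entry. ipmi_pci_probe() continues outside the hunk.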
+++ b/queue-4.14/nfs-fix-a-deadlock-in-nfs-client-initialization.patch 
@@ -0,0 +1,122 @@
+From c156618e15101a9cc8c815108fec0300a0ec6637 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew
+Date: Tue, 5 Dec 2017 13:55:44 -0500
+Subject: nfs: fix a deadlock in nfs client initialization
+
+From: Scott Mayhew
+
+commit c156618e15101a9cc8c815108fec0300a0ec6637 upstream.
+
+The following deadlock can occur between a process waiting for a client
+to initialize in while walking the client list during nfsv4 server trunking
+detection and another process waiting for the nfs_clid_init_mutex so it
+can initialize that client:
+
+Process 1 Process 2
+--------- ---------
+spin_lock(&nn->nfs_client_lock);
+list_add_tail(&CLIENTA->cl_share_link,
+ &nn->nfs_client_list);
+spin_unlock(&nn->nfs_client_lock);
+ spin_lock(&nn->nfs_client_lock);
+ list_add_tail(&CLIENTB->cl_share_link,
+ &nn->nfs_client_list);
+ spin_unlock(&nn->nfs_client_lock);
+ mutex_lock(&nfs_clid_init_mutex);
+ nfs41_walk_client_list(clp, result, cred);
+ nfs_wait_client_init_complete(CLIENTA);
+(waiting for nfs_clid_init_mutex)
+
+Make sure nfs_match_client() only evaluates clients that have completed
+initialization in order to prevent that deadlock.
+
+This patch also fixes v4.0 trunking behavior by not marking the client
+NFS_CS_READY until the clientid has been confirmed.
+
+Signed-off-by: Scott Mayhew
+Signed-off-by: Anna Schumaker
+Signed-off-by: Qian Lu
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/client.c | 11 +++++++++++
+ fs/nfs/nfs4client.c | 17 +++++++++++++----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -291,12 +291,23 @@ static struct nfs_client *nfs_match_clie
+ const struct sockaddr *sap = data->addr;
+ struct nfs_net *nn = net_generic(data->net, nfs_net_id);
+
++again:
+ list_for_each_entry(clp, &nn->nfs_client_list, cl_share_link) {
+ const struct sockaddr *clap = (struct sockaddr *)&clp->cl_addr;
+ /* Don't match clients that failed to initialise properly */
+ if (clp->cl_cons_state < 0)
+ continue;
+
++ /* If a client is still initializing then we need to wait */
++ if (clp->cl_cons_state > NFS_CS_READY) {
++ atomic_inc(&clp->cl_count);
++ spin_unlock(&nn->nfs_client_lock);
++ nfs_wait_client_init_complete(clp);
++ nfs_put_client(clp);
++ spin_lock(&nn->nfs_client_lock);
++ goto again;
++ }
++
+ /* Different NFS versions cannot share the same nfs_client */
+ if (clp->rpc_ops != data->nfs_mod->rpc_ops)
+ continue;
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -404,15 +404,19 @@ struct nfs_client *nfs4_init_client(stru
+ if (error < 0)
+ goto error;
+
+- if (!nfs4_has_session(clp))
+- nfs_mark_client_ready(clp, NFS_CS_READY);
+-
+ error = nfs4_discover_server_trunking(clp, &old);
+ if (error < 0)
+ goto error;
+
+- if (clp != old)
++ if (clp != old) {
+ clp->cl_preserve_clid = true;
++ /*
++ * Mark the client as having failed initialization so other
++ * processes walking the nfs_client_list in nfs_match_client()
++ * won't try to use it.
++ */
++ nfs_mark_client_ready(clp, -EPERM);
++ }
+ nfs_put_client(clp);
+ clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags);
+ return old;
+@@ -539,6 +543,9 @@ int nfs40_walk_client_list(struct nfs_cl
+ spin_lock(&nn->nfs_client_lock);
+ list_for_each_entry(pos, &nn->nfs_client_list, cl_share_link) {
+
++ if (pos == new)
++ goto found;
++
+ status = nfs4_match_client(pos, new, &prev, nn);
+ if (status < 0)
+ goto out_unlock;
+@@ -559,6 +566,7 @@ int nfs40_walk_client_list(struct nfs_cl
+ * way that a SETCLIENTID_CONFIRM to pos can succeed is
+ * if new and pos point to the same server:
+ */
++found:
+ atomic_inc(&pos->cl_count);
+ spin_unlock(&nn->nfs_client_lock);
+
+@@ -572,6 +580,7 @@ int nfs40_walk_client_list(struct nfs_cl
+ case 0:
+ nfs4_swap_callback_idents(pos, new);
+ pos->cl_confirm = new->cl_confirm;
++ nfs_mark_client_ready(pos, NFS_CS_READY);
+
+ prev = NULL;
+ *result = pos;
diff --git a/queue-4.14/series b/queue-4.14/series
index ab6db1359fd..7386b6af8cf 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -55,3 +55,6 @@ ocfs2-fix-panic-due-to-unrecovered-local-alloc.patch
 mm-page-writeback.c-don-t-break-integrity-writeback-.patch
 mm-swap-use-nr_node_ids-for-avail_lists-in-swap_info.patch
 mm-proc-be-more-verbose-about-unstable-vma-flags-in-.patch
+nfs-fix-a-deadlock-in-nfs-client-initialization.patch
+ipmi-pci-blacklist-a-realtek-ipmi-device.patch
+cifs-allow-disabling-insecure-dialects-in-the-config.patch
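Review bot: In the wait added to nfs_match_client(), the result of `nfs_wait_client_init_complete(clp)` is discarded and the code always takes `goto again`. If that wait can return before initialization has finished (for instance when it is interrupted; its definition is not in this hunk), the rescan would find the same client still above `NFS_CS_READY` and retry immediately, dropping and retaking `nfs_client_lock` in a tight loop. I would keep the result with `error = nfs_wait_client_init_complete(clp);` and, after retaking the lock, leave with `if (error < 0) return ERR_PTR(error);`, provided the caller, which is outside the hunk, is made to handle an error pointer. The remainder of nfs_match_client() is not visible here.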