From 43613b62e17e1dce8a661dc502fd9d1522c7786b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 2 Oct 2017 13:42:18 +0200 Subject: [PATCH] 4.13-stable patches added patches: brd-fix-overflow-in-__brd_direct_access.patch bsg-lib-don-t-free-job-in-bsg_prepare_job.patch fix-smb3.1.1-guest-authentication-to-samba.patch gfs2-fix-debugfs-glocks-dump.patch libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch libnvdimm-namespace-fix-btt-claim-class-crash.patch mips-fix-perf-event-init.patch nl80211-check-for-the-required-netlink-attributes-presence.patch pm-core-fix-device_pm_check_callbacks.patch powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch s390-mm-fix-write-access-check-in-gup_huge_pmd.patch s390-mm-make-pmdp_invalidate-do-invalidation-only.patch s390-perf-fix-bug-when-creating-per-thread-event.patch smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch smb3-fix-endian-warning.patch smb3-handle-new-statx-fields.patch smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch --- ...-fix-overflow-in-__brd_direct_access.patch | 38 ++++++++ ...ib-don-t-free-job-in-bsg_prepare_job.patch | 31 +++++++ ...b3.1.1-guest-authentication-to-samba.patch | 32 +++++++ queue-4.13/gfs2-fix-debugfs-glocks-dump.patch | 87 ++++++++++++++++++ ...bidirectional-swap-of-pg-upmap-items.patch | 91 +++++++++++++++++++ ...-namespace-fix-btt-claim-class-crash.patch | 61 +++++++++++++ queue-4.13/mips-fix-perf-event-init.patch | 54 +++++++++++ ...required-netlink-attributes-presence.patch | 41 +++++++++ ...m-core-fix-device_pm_check_callbacks.patch | 43 +++++++++ ...ate-phb-pes-after-eeh-is-initialized.patch | 61 +++++++++++++ ...ent_dn-reference-leak-in-add_dt_node.patch | 39 
++++++++ ...-flush-tm-only-if-cpu-has-tm-feature.patch | 47 ++++++++++ ...if-pkey-value-was-changed-in-index-0.patch | 74 +++++++++++++++ ...x-write-access-check-in-gup_huge_pmd.patch | 45 +++++++++ ...pmdp_invalidate-do-invalidation-only.patch | 41 +++++++++ ...x-bug-when-creating-per-thread-event.patch | 58 ++++++++++++ queue-4.13/series | 22 +++++ ...gainst-downgrade-even-if-signing-off.patch | 56 ++++++++++++ ...re-o_sync-o_dsync-and-o_direct-flags.patch | 34 +++++++ queue-4.13/smb3-fix-endian-warning.patch | 35 +++++++ queue-4.13/smb3-handle-new-statx-fields.patch | 54 +++++++++++ ...nnection-that-authenticated-as-guest.patch | 32 +++++++ ...negative-seek_hole-seek_data-offsets.patch | 44 +++++++++ 23 files changed, 1120 insertions(+) create mode 100644 queue-4.13/brd-fix-overflow-in-__brd_direct_access.patch create mode 100644 queue-4.13/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch create mode 100644 queue-4.13/fix-smb3.1.1-guest-authentication-to-samba.patch create mode 100644 queue-4.13/gfs2-fix-debugfs-glocks-dump.patch create mode 100644 queue-4.13/libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch create mode 100644 queue-4.13/libnvdimm-namespace-fix-btt-claim-class-crash.patch create mode 100644 queue-4.13/mips-fix-perf-event-init.patch create mode 100644 queue-4.13/nl80211-check-for-the-required-netlink-attributes-presence.patch create mode 100644 queue-4.13/pm-core-fix-device_pm_check_callbacks.patch create mode 100644 queue-4.13/powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch create mode 100644 queue-4.13/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch create mode 100644 queue-4.13/powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch create mode 100644 queue-4.13/revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch create mode 100644 queue-4.13/s390-mm-fix-write-access-check-in-gup_huge_pmd.patch create mode 100644 
queue-4.13/s390-mm-make-pmdp_invalidate-do-invalidation-only.patch create mode 100644 queue-4.13/s390-perf-fix-bug-when-creating-per-thread-event.patch create mode 100644 queue-4.13/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch create mode 100644 queue-4.13/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch create mode 100644 queue-4.13/smb3-fix-endian-warning.patch create mode 100644 queue-4.13/smb3-handle-new-statx-fields.patch create mode 100644 queue-4.13/smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch create mode 100644 queue-4.13/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch diff --git a/queue-4.13/brd-fix-overflow-in-__brd_direct_access.patch b/queue-4.13/brd-fix-overflow-in-__brd_direct_access.patch new file mode 100644 index 00000000000..77c7214623f --- /dev/null +++ b/queue-4.13/brd-fix-overflow-in-__brd_direct_access.patch 
@@ -0,0 +1,38 @@ +From 02a4843618fb35f847cf8c31cd3893873aa0edde Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 13 Sep 2017 09:17:57 -0400 +Subject: brd: fix overflow in __brd_direct_access + +From: Mikulas Patocka + +commit 02a4843618fb35f847cf8c31cd3893873aa0edde upstream. + +The code in __brd_direct_access multiplies the pgoff variable by page size +and divides it by 512. It can cause overflow on 32-bit architectures. The +overflow happens if we create ramdisk larger than 4G and use it as a +sparse device. + +This patch replaces multiplication and division with multiplication by the +number of sectors per page. + +Reviewed-by: Dan Williams +Signed-off-by: Mikulas Patocka +Fixes: 1647b9b959c7 ("brd: add dax_operations support") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/brd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -339,7 +339,7 @@ static long __brd_direct_access(struct b + + if (!brd) + return -ENODEV; +- page = brd_insert_page(brd, PFN_PHYS(pgoff) / 512); ++ page = brd_insert_page(brd, (sector_t)pgoff << PAGE_SECTORS_SHIFT); + if (!page) + return -ENOSPC; + *kaddr = page_address(page); diff --git a/queue-4.13/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch b/queue-4.13/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch new file mode 100644 index 00000000000..8459032a684 --- /dev/null +++ b/queue-4.13/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch 
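Review bot: The replacement `(sector_t)pgoff << PAGE_SECTORS_SHIFT` only removes the wrap if sector_t is 64 bits wide, and as far as I recall in this series sector_t is `unsigned long` unless CONFIG_LBDAF is set, so a 32-bit build without it still wraps — though now only for a ramdisk above 2 TiB rather than at the 4 GiB the old `PFN_PHYS()` form hit. That is beyond any realistic brd size, but the dependency is invisible at the call site. I would record it on the changed line: `/* sector_t (64-bit with LBDAF) avoids the 32-bit phys_addr_t wrap of PFN_PHYS() */`. The rest of __brd_direct_access is outside the hunk.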
@@ -0,0 +1,31 @@
+From f507b54dccfd8000c517d740bc45f20c74532d18 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Thu, 7 Sep 2017 13:54:35 +0200
+Subject: bsg-lib: don't free job in bsg_prepare_job
+
+From: Christoph Hellwig
+
+commit f507b54dccfd8000c517d740bc45f20c74532d18 upstream.
+
+The job structure is allocated as part of the request, so we should not
+free it in the error path of bsg_prepare_job.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Ming Lei
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bsg-lib.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/block/bsg-lib.c
++++ b/block/bsg-lib.c
+@@ -154,7 +154,6 @@ static int bsg_prepare_job(struct device
+ failjob_rls_rqst_payload:
+ kfree(job->request_payload.sg_list);
+ failjob_rls_job:
+- kfree(job);
+ return -ENOMEM;
+ }
+ 
diff --git a/queue-4.13/fix-smb3.1.1-guest-authentication-to-samba.patch b/queue-4.13/fix-smb3.1.1-guest-authentication-to-samba.patch
new file mode 100644
index 00000000000..2a41d5107ee
--- /dev/null
+++ b/queue-4.13/fix-smb3.1.1-guest-authentication-to-samba.patch
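Review bot: With `kfree(job)` gone, `failjob_rls_rqst_payload:` still frees `job->request_payload.sg_list` but leaves that stale pointer inside the job embedded in the request; if the request is ever torn down through a path that frees both sg_lists (not visible here), that becomes a double free. Clearing it costs one line: `kfree(job->request_payload.sg_list); job->request_payload.sg_list = NULL;`. The `failjob_rls_job:` label now labels a bare `return -ENOMEM;`, which is fine, but a short comment there that the job memory belongs to the request — the whole point of the commit — would stop the next reader from re-adding the kfree. The start of bsg_prepare_job is outside the hunk.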
@@ -0,0 +1,32 @@ +From 23586b66d84ba3184b8820277f3fc42761640f87 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 18 Sep 2017 18:18:45 -0500 +Subject: Fix SMB3.1.1 guest authentication to Samba + +From: Steve French + +commit 23586b66d84ba3184b8820277f3fc42761640f87 upstream. + +Samba rejects SMB3.1.1 dialect (vers=3.1.1) negotiate requests from +the kernel client due to the two byte pad at the end of the negotiate +contexts. + +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -427,7 +427,7 @@ assemble_neg_contexts(struct smb2_negoti + build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt); + req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT); + req->NegotiateContextCount = cpu_to_le16(2); +- inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2 ++ inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + + sizeof(struct smb2_encryption_neg_context)); /* calculate hash */ + } + #else diff --git a/queue-4.13/gfs2-fix-debugfs-glocks-dump.patch b/queue-4.13/gfs2-fix-debugfs-glocks-dump.patch new file mode 100644 index 00000000000..4c376d9b9c0 --- /dev/null +++ b/queue-4.13/gfs2-fix-debugfs-glocks-dump.patch 
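Review bot: Dropping `+ 2` from `inc_rfc1001_len()` changes only the advertised length, so it is correct only if the encryption context really is placed directly after the preauth context; the `pneg_ctxt` arithmetic that positions `build_encrypt_ctxt()` is above the hunk and not visible here, and if it still skips two pad bytes the on-wire NegotiateContextOffset/Count and the length now disagree. That is worth a one-line check in the caller before merging. A comment on the surviving line, `/* no padding between contexts: length must match the pneg_ctxt layout above */`, would tie the two together. The subject talks about guest authentication while the fix is negotiate-context sizing; the message explains the Samba rejection, so the subject could name that instead.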
@@ -0,0 +1,87 @@ +From 10201655b085df8e000822e496e5d4016a167a36 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Tue, 19 Sep 2017 07:15:35 -0500 +Subject: gfs2: Fix debugfs glocks dump + +From: Andreas Gruenbacher + +commit 10201655b085df8e000822e496e5d4016a167a36 upstream. + +The switch to rhashtables (commit 88ffbf3e03) broke the debugfs glock +dump (/sys/kernel/debug/gfs2//glocks) for dumps bigger than a +single buffer: the right function for restarting an rhashtable iteration +from the beginning of the hash table is rhashtable_walk_enter; +rhashtable_walk_stop + rhashtable_walk_start will just resume from the +current position. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/glock.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1863,13 +1863,9 @@ static void *gfs2_glock_seq_start(struct + { + struct gfs2_glock_iter *gi = seq->private; + loff_t n = *pos; +- int ret; + +- if (gi->last_pos <= *pos) +- n = (*pos - gi->last_pos); +- +- ret = rhashtable_walk_start(&gi->hti); +- if (ret) ++ rhashtable_walk_enter(&gl_hash_table, &gi->hti); ++ if (rhashtable_walk_start(&gi->hti) != 0) + return NULL; + + do { +@@ -1877,6 +1873,7 @@ static void *gfs2_glock_seq_start(struct + } while (gi->gl && n--); + + gi->last_pos = *pos; ++ + return gi->gl; + } + +@@ -1888,6 +1885,7 @@ static void *gfs2_glock_seq_next(struct + (*pos)++; + gi->last_pos = *pos; + gfs2_glock_iter_next(gi); ++ + return gi->gl; + } + +@@ -1897,6 +1895,7 @@ static void gfs2_glock_seq_stop(struct s + + gi->gl = NULL; + rhashtable_walk_stop(&gi->hti); ++ rhashtable_walk_exit(&gi->hti); + } + + static int gfs2_glock_seq_show(struct seq_file *seq, void *iter_ptr) +@@ -1959,12 +1958,10 @@ static int __gfs2_glocks_open(struct ino + struct gfs2_glock_iter *gi = seq->private; + + gi->sdp = inode->i_private; +- gi->last_pos = 0; + seq->buf = 
kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN); + if (seq->buf) + seq->size = GFS2_SEQ_GOODSIZE; + gi->gl = NULL; +- rhashtable_walk_enter(&gl_hash_table, &gi->hti); + } + return ret; + } +@@ -1980,7 +1977,6 @@ static int gfs2_glocks_release(struct in + struct gfs2_glock_iter *gi = seq->private; + + gi->gl = NULL; +- rhashtable_walk_exit(&gi->hti); + return seq_release_private(inode, file); + } + diff --git a/queue-4.13/libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch b/queue-4.13/libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch new file mode 100644 index 00000000000..cce5f17a8cf --- /dev/null +++ b/queue-4.13/libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch 
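Review bot: gfs2_glock_seq_start now restarts the hash-table walk from the beginning and skips `*pos` entries on every call, since the `last_pos` shortcut is removed, so each buffer refill of a large glock dump rescans everything already emitted — quadratic in table walks. That is acceptable for a debugfs file but should be stated next to the `do { ... } while (gi->gl && n--);` loop so nobody re-adds the broken resume path. The new pairing also relies on seq_stop being invoked after every seq_start, including one that returned NULL when `rhashtable_walk_start()` failed, so that `rhashtable_walk_exit()` always balances `rhashtable_walk_enter()`; as far as I can tell seq_file does call stop in that case, but the invariant deserves a comment in gfs2_glock_seq_stop. `__gfs2_glocks_open` continues outside the hunk.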
@@ -0,0 +1,91 @@ +From 29a0cfbf91ba997591535a4f7246835ce8328141 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 18 Sep 2017 12:21:37 +0200 +Subject: libceph: don't allow bidirectional swap of pg-upmap-items + +From: Ilya Dryomov + +commit 29a0cfbf91ba997591535a4f7246835ce8328141 upstream. + +This reverts most of commit f53b7665c8ce ("libceph: upmap semantic +changes"). + +We need to prevent duplicates in the final result. For example, we +can currently take + + [1,2,3] and apply [(1,2)] and get [2,2,3] + +or + + [1,2,3] and apply [(3,2)] and get [1,2,2] + +The rest of the system is not prepared to handle duplicates in the +result set like this. + +The reverted piece was intended to allow + + [1,2,3] and [(1,2),(2,1)] to get [2,1,3] + +to reorder primaries. First, this bidirectional swap is hard to +implement in a way that also prevents dups. For example, [1,2,3] and +[(1,4),(2,3),(3,4)] would give [4,3,4] but would we just drop the last +step we'd have [4,3,3] which is also invalid, etc. Simpler to just not +handle bidirectional swaps. In practice, they are not needed: if you +just want to choose a different primary then use primary_affinity, or +pg_upmap (not pg_upmap_items). + +Link: http://tracker.ceph.com/issues/21410 +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/osdmap.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -2445,19 +2445,34 @@ static void apply_upmap(struct ceph_osdm + + pg = lookup_pg_mapping(&osdmap->pg_upmap_items, pgid); + if (pg) { +- for (i = 0; i < raw->size; i++) { +- for (j = 0; j < pg->pg_upmap_items.len; j++) { +- int from = pg->pg_upmap_items.from_to[j][0]; +- int to = pg->pg_upmap_items.from_to[j][1]; ++ /* ++ * Note: this approach does not allow a bidirectional swap, ++ * e.g., [[1,2],[2,1]] applied to [0,1,2] -> [0,2,1]. 
++ */ ++ for (i = 0; i < pg->pg_upmap_items.len; i++) { ++ int from = pg->pg_upmap_items.from_to[i][0]; ++ int to = pg->pg_upmap_items.from_to[i][1]; ++ int pos = -1; ++ bool exists = false; + +- if (from == raw->osds[i]) { +- if (!(to != CRUSH_ITEM_NONE && +- to < osdmap->max_osd && +- osdmap->osd_weight[to] == 0)) +- raw->osds[i] = to; ++ /* make sure replacement doesn't already appear */ ++ for (j = 0; j < raw->size; j++) { ++ int osd = raw->osds[j]; ++ ++ if (osd == to) { ++ exists = true; + break; + } ++ /* ignore mapping if target is marked out */ ++ if (osd == from && pos < 0 && ++ !(to != CRUSH_ITEM_NONE && ++ to < osdmap->max_osd && ++ osdmap->osd_weight[to] == 0)) { ++ pos = j; ++ } + } ++ if (!exists && pos >= 0) ++ raw->osds[pos] = to; + } + } + } diff --git a/queue-4.13/libnvdimm-namespace-fix-btt-claim-class-crash.patch b/queue-4.13/libnvdimm-namespace-fix-btt-claim-class-crash.patch new file mode 100644 index 00000000000..daa89d61028 --- /dev/null +++ b/queue-4.13/libnvdimm-namespace-fix-btt-claim-class-crash.patch 
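Review bot: In the new loop the `to` target is only filtered when it is a known OSD marked out; a `to` value >= `osdmap->max_osd` makes `to < osdmap->max_osd` false, the negated condition true, and the id is written into `raw->osds[pos]` unchecked. As I understand it the OSD map comes from the monitors and is trusted, but whatever consumes `raw->osds` afterwards (outside this hunk) presumably indexes per-OSD arrays with it. If that is the case the comment should say so, e.g. `/* out-of-range ids are accepted here; callers must tolerate them */`, or the condition should also drop the mapping when `to >= osdmap->max_osd`. The `exists` scan ending at the first match of `to` is what prevents the duplicates described in the message, which a reader may not see from the loop alone.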
@@ -0,0 +1,61 @@ +From 33a56086712561b8b9cdc881e0317f4c36861f72 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 18 Sep 2017 14:48:58 -0700 +Subject: libnvdimm, namespace: fix btt claim class crash + +From: Dan Williams + +commit 33a56086712561b8b9cdc881e0317f4c36861f72 upstream. + +Maurice reports: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + IP: holder_class_store+0x253/0x2b0 [libnvdimm] + +...while trying to reconfigure an NVDIMM-N namespace into 'sector' / +'btt' mode. The crash points to this line: + + (gdb) li *(holder_class_store+0x253) + 0x7773 is in holder_class_store (drivers/nvdimm/namespace_devs.c:1420). + 1415 for (i = 0; i < nd_region->ndr_mappings; i++) { + 1416 struct nd_mapping *nd_mapping = &nd_region->mapping[i]; + 1417 struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); + 1418 struct nd_namespace_index *nsindex; + 1419 + 1420 nsindex = to_namespace_index(ndd, ndd->ns_current); + +...where we are failing because ndd is NULL due to NVDIMM-N dimms not +supporting labels. + +Long story short, default to the BTTv1 format in the label-less / +NVDIMM-N case. + +Fixes: 14e494542636 ("libnvdimm, btt: BTT updates for UEFI 2.7 format") +Cc: Vishal Verma +Reported-by: Maurice A. Saldivar +Tested-by: Maurice A. Saldivar +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/namespace_devs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -1417,6 +1417,15 @@ static int btt_claim_class(struct device + struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); + struct nd_namespace_index *nsindex; + ++ /* ++ * If any of the DIMMs do not support labels the only ++ * possible BTT format is v1. ++ */ ++ if (!ndd) { ++ loop_bitmask = 0; ++ break; ++ } ++ + nsindex = to_namespace_index(ndd, ndd->ns_current); + if (nsindex == NULL) + loop_bitmask |= 1; 
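Review bot: The added `if (!ndd) { loop_bitmask = 0; break; }` discards any bits earlier mappings of the same region already set in `loop_bitmask`, so a region mixing labelled and label-less DIMMs is forced to v1 regardless of what a previous iteration recorded. That is presumably what the commit wants, but the comment only says v1 is the only possible format, not that it deliberately overrides earlier results. I would extend it: `/* ...overrides bits set by earlier mappings: v1 is the only format all DIMMs can share */`. The decode of `loop_bitmask` after the loop is outside the hunk.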
diff --git a/queue-4.13/mips-fix-perf-event-init.patch b/queue-4.13/mips-fix-perf-event-init.patch new file mode 100644 index 00000000000..5e3cca96958 --- /dev/null +++ b/queue-4.13/mips-fix-perf-event-init.patch 
@@ -0,0 +1,54 @@ +From fd0b19ed5389187829b854900511c9195875bb42 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Tue, 19 Sep 2017 22:07:18 -0700 +Subject: MIPS: Fix perf event init + +From: Paul Burton + +commit fd0b19ed5389187829b854900511c9195875bb42 upstream. + +Commit c311c797998c ("cpumask: make "nr_cpumask_bits" unsigned") +modified mipspmu_event_init() to cast the struct perf_event cpu field to +an unsigned integer before it is compared with nr_cpumask_bits (and +*ahem* did so without copying the linux-mips mailing list or any MIPS +developers...). This is broken because the cpu field may be -1 for +events which follow a process rather than being affine to a particular +CPU. When this is the case the cast to an unsigned int results in a +value equal to ULONG_MAX, which is always greater than nr_cpumask_bits +so we always fail mipspmu_event_init() and return -ENODEV. + +The check against nr_cpumask_bits seems nonsensical anyway, so this +patch simply removes it. The cpu field is going to either be -1 or a +valid CPU number. Comparing it with nr_cpumask_bits is effectively +checking that it's a valid cpu number, but it seems safe to rely on the +core perf events code to ensure that's the case. + +The end result is that this fixes use of perf on MIPS when not +constraining events to a particular CPU, and fixes the "perf list hw" +command which fails to list any events without this. 
+ +Signed-off-by: Paul Burton +Fixes: c311c797998c ("cpumask: make "nr_cpumask_bits" unsigned") +Cc: Alexey Dobriyan +Cc: Andrew Morton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17323/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/perf_event_mipsxx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/mips/kernel/perf_event_mipsxx.c ++++ b/arch/mips/kernel/perf_event_mipsxx.c +@@ -618,8 +618,7 @@ static int mipspmu_event_init(struct per + return -ENOENT; + } + +- if ((unsigned int)event->cpu >= nr_cpumask_bits || +- (event->cpu >= 0 && !cpu_online(event->cpu))) ++ if (event->cpu >= 0 && !cpu_online(event->cpu)) + return -ENODEV; + + if (!atomic_inc_not_zero(&active_events)) { diff --git a/queue-4.13/nl80211-check-for-the-required-netlink-attributes-presence.patch b/queue-4.13/nl80211-check-for-the-required-netlink-attributes-presence.patch new file mode 100644 index 00000000000..c13ccc562f0 --- /dev/null +++ b/queue-4.13/nl80211-check-for-the-required-netlink-attributes-presence.patch 
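Review bot: The removed range check was the only thing keeping `cpu_online(event->cpu)` from testing a bit beyond the cpumask when a caller passes a large positive cpu; the message itself only says it "seems safe" to rely on the core for that, while the s390 patch in this same batch (s390-perf-fix-bug-when-creating-per-thread-event) fixes the identical -1 regression and keeps the bound. I would prefer the s390 shape here for consistency: `if (event->cpu >= 0 && ((unsigned int)event->cpu >= nr_cpumask_bits || !cpu_online(event->cpu)))`. If the core is known to validate the cpu before calling event_init, a comment saying where should replace the check. mipspmu_event_init continues outside the hunk.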
@@ -0,0 +1,41 @@
+From e785fa0a164aa11001cba931367c7f94ffaff888 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Wed, 13 Sep 2017 00:21:21 +0200
+Subject: nl80211: check for the required netlink attributes presence
+
+From: Vladis Dronov
+
+commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Reported-by: bo Zhang
+Signed-off-by: Vladis Dronov
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct
+ if (err)
+ return err;
+ 
++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++ !tb[NL80211_REKEY_DATA_KCK])
++ return -EINVAL;
+ if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ return -ERANGE;
+ if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/queue-4.13/pm-core-fix-device_pm_check_callbacks.patch b/queue-4.13/pm-core-fix-device_pm_check_callbacks.patch
new file mode 100644
index 00000000000..ce33c5270b8
--- /dev/null
+++ b/queue-4.13/pm-core-fix-device_pm_check_callbacks.patch
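Review bot: The presence check is the right fix, but nothing in the hunk says why it is needed: the nested attribute parse just above (outside the hunk) validates against a policy, and a policy bounds lengths but never enforces that an attribute is present, so the `nla_len()` checks that follow dereference NULL on a request from a CAP_NET_ADMIN caller that omits one. A comment above the new `if`, `/* the policy only bounds lengths; presence must be checked explicitly (CVE-2017-12153) */`, would keep a later cleanup from folding it back into the policy. The comparisons that follow are unchanged, and nl80211_set_rekey_data continues outside the hunk.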
@@ -0,0 +1,43 @@ +From 157c460e10cb6eca29ccbd0f023db159d0c55ec7 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 19 Sep 2017 02:22:39 +0200 +Subject: PM: core: Fix device_pm_check_callbacks() + +From: Rafael J. Wysocki + +commit 157c460e10cb6eca29ccbd0f023db159d0c55ec7 upstream. + +The device_pm_check_callbacks() function doesn't check legacy +->suspend and ->resume callback pointers under the device's +bus type, class and driver, so in some cases it may set the +no_pm_callbacks flag for the device incorrectly and then the +callbacks may be skipped during system suspend/resume, which +shouldn't happen. + +Fixes: aa8e54b55947 (PM / sleep: Go direct_complete if driver has no callbacks) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1835,10 +1835,13 @@ void device_pm_check_callbacks(struct de + { + spin_lock_irq(&dev->power.lock); + dev->power.no_pm_callbacks = +- (!dev->bus || pm_ops_is_empty(dev->bus->pm)) && +- (!dev->class || pm_ops_is_empty(dev->class->pm)) && ++ (!dev->bus || (pm_ops_is_empty(dev->bus->pm) && ++ !dev->bus->suspend && !dev->bus->resume)) && ++ (!dev->class || (pm_ops_is_empty(dev->class->pm) && ++ !dev->class->suspend && !dev->class->resume)) && + (!dev->type || pm_ops_is_empty(dev->type->pm)) && + (!dev->pm_domain || pm_ops_is_empty(&dev->pm_domain->ops)) && +- (!dev->driver || pm_ops_is_empty(dev->driver->pm)); ++ (!dev->driver || (pm_ops_is_empty(dev->driver->pm) && ++ !dev->driver->suspend && !dev->driver->resume)); + spin_unlock_irq(&dev->power.lock); + } diff --git a/queue-4.13/powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch b/queue-4.13/powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch new file mode 100644 index 00000000000..fac0b57cb9b --- /dev/null 
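Review bot: The three `(!X || (pm_ops_is_empty(X->pm) && !X->suspend && !X->resume))` terms now repeat one shape for bus, class and driver, while type and pm_domain keep the short form, and a reader has to know that, as far as I can tell, `device_type` and `dev_pm_domain` carry no legacy suspend/resume members to see why the forms differ. A one-line comment above the assignment, `/* type and pm_domain have no legacy ->suspend/->resume */`, would explain the asymmetry. If the expression grows again, a small static helper taking the ops pointer and the two legacy callbacks would read better than a five-clause conjunction. The function is fully within the hunk apart from its signature line.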
+++ b/queue-4.13/powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch @@ -0,0 +1,61 @@ +From 3e77adeea3c5393c9b624832f65441e92867f618 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Thu, 7 Sep 2017 16:35:40 +1000 +Subject: powerpc/eeh: Create PHB PEs after EEH is initialized + +From: Benjamin Herrenschmidt + +commit 3e77adeea3c5393c9b624832f65441e92867f618 upstream. + +Otherwise we end up not yet having computed the right diag data size +on powernv where EEH initialization is delayed, thus causing memory +corruption later on when calling OPAL. + +Fixes: 5cb1f8fdddb7 ("powerpc/powernv/pci: Dynamically allocate PHB diag data") +Signed-off-by: Benjamin Herrenschmidt +Acked-by: Russell Currey +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/eeh.c | 4 ++++ + arch/powerpc/kernel/eeh_dev.c | 18 ------------------ + 2 files changed, 4 insertions(+), 18 deletions(-) + +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -1018,6 +1018,10 @@ int eeh_init(void) + } else if ((ret = eeh_ops->init())) + return ret; + ++ /* Initialize PHB PEs */ ++ list_for_each_entry_safe(hose, tmp, &hose_list, list_node) ++ eeh_dev_phb_init_dynamic(hose); ++ + /* Initialize EEH event */ + ret = eeh_event_init(); + if (ret) +--- a/arch/powerpc/kernel/eeh_dev.c ++++ b/arch/powerpc/kernel/eeh_dev.c +@@ -83,21 +83,3 @@ void eeh_dev_phb_init_dynamic(struct pci + /* EEH PE for PHB */ + eeh_phb_pe_create(phb); + } +- +-/** +- * eeh_dev_phb_init - Create EEH devices for devices included in existing PHBs +- * +- * Scan all the existing PHBs and create EEH devices for their OF +- * nodes and their children OF nodes +- */ +-static int __init eeh_dev_phb_init(void) +-{ +- struct pci_controller *phb, *tmp; +- +- list_for_each_entry_safe(phb, tmp, &hose_list, list_node) +- eeh_dev_phb_init_dynamic(phb); +- +- return 0; +-} +- +-core_initcall(eeh_dev_phb_init); 
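Review bot: Moving PHB PE creation into eeh_init() puts it behind that function's early returns, so if `eeh_ops->init()` fails — or eeh_init() is never reached — no PHB PEs are created at all, whereas the removed core_initcall created them unconditionally. That is consistent with EEH being disabled in those cases, but any later path that looks up a PHB PE (not visible here) must tolerate its absence; a comment on the new loop, `/* after eeh_ops->init() so the diag data size is known; no PEs exist if EEH init failed */`, would record both halves of the reasoning. The loop also uses `hose` and `tmp`, which I assume are already declared at the top of eeh_init() outside the hunk. The remainder of eeh_init() is outside the hunk.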
diff --git a/queue-4.13/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch b/queue-4.13/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch
new file mode 100644
index 00000000000..186790ce5b5
--- /dev/null
+++ b/queue-4.13/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch
@@ -0,0 +1,39 @@
+From b537ca6fede69a281dc524983e5e633d79a10a08 Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler
+Date: Wed, 20 Sep 2017 17:02:52 -0400
+Subject: powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
+
+From: Tyrel Datwyler
+
+commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream.
+
+A reference to the parent device node is held by add_dt_node() for the
+node to be added. If the call to dlpar_configure_connector() fails
+add_dt_node() returns ENOENT and that reference is not freed.
+
+Add a call to of_node_put(parent_dn) prior to bailing out after a
+failed dlpar_configure_connector() call.
+
+Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent node aware")
+Signed-off-by: Tyrel Datwyler
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/platforms/pseries/mobility.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -226,8 +226,10 @@ static int add_dt_node(__be32 parent_pha
+ return -ENOENT;
+ 
+ dn = dlpar_configure_connector(drc_index, parent_dn);
+- if (!dn)
++ if (!dn) {
++ of_node_put(parent_dn);
+ return -ENOENT;
++ }
+ 
+ rc = dlpar_attach_node(dn);
+ if (rc)
diff --git a/queue-4.13/powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch b/queue-4.13/powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch
new file mode 100644
index 00000000000..16dab2a3873
--- /dev/null
+++ b/queue-4.13/powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch
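Review bot: The fix is correct, but add_dt_node() now drops the `parent_dn` reference in two places — the new early-return block and, presumably, a common exit further down outside the hunk — which is exactly how the original leak slipped in. A single `out_put:` label reached with `goto`, per the kernel's goto-cleanup convention, would keep one of_node_put() for every exit: `if (!dn) { rc = -ENOENT; goto out_put; }` plus the label in front of the existing put. Either way a short comment that the function owns a reference on parent_dn for its whole duration would help. The start and end of add_dt_node() are outside the hunk.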
@@ -0,0 +1,47 @@
+From c1fa0768a8713b135848f78fd43ffc208d8ded70 Mon Sep 17 00:00:00 2001
+From: Gustavo Romero
+Date: Wed, 13 Sep 2017 22:13:48 -0400
+Subject: powerpc/tm: Flush TM only if CPU has TM feature
+
+From: Gustavo Romero
+
+commit c1fa0768a8713b135848f78fd43ffc208d8ded70 upstream.
+
+Commit cd63f3c ("powerpc/tm: Fix saving of TM SPRs in core dump")
+added code to access TM SPRs in flush_tmregs_to_thread(). However
+flush_tmregs_to_thread() does not check if TM feature is available on
+CPU before trying to access TM SPRs in order to copy live state to
+thread structures. flush_tmregs_to_thread() is indeed guarded by
+CONFIG_PPC_TRANSACTIONAL_MEM but it might be the case that kernel
+was compiled with CONFIG_PPC_TRANSACTIONAL_MEM enabled and ran on
+a CPU without TM feature available, thus rendering the execution
+of TM instructions that are treated by the CPU as illegal instructions.
+
+The fix is just to add proper checking in flush_tmregs_to_thread()
+if CPU has the TM feature before accessing any TM-specific resource,
+returning immediately if TM is no available on the CPU. Adding
+that checking in flush_tmregs_to_thread() instead of in places
+where it is called, like in vsr_get() and vsr_set(), is better because
+avoids the same problem cropping up elsewhere.
+
+Fixes: cd63f3c ("powerpc/tm: Fix saving of TM SPRs in core dump")
+Signed-off-by: Gustavo Romero
+Reviewed-by: Cyril Bur
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -131,7 +131,7 @@ static void flush_tmregs_to_thread(struc
+ * in the appropriate thread structures from live.
+ */
+ 
+- if (tsk != current)
++ if ((!cpu_has_feature(CPU_FTR_TM)) || (tsk != current))
+ return;
+ 
+ if (MSR_TM_SUSPENDED(mfmsr())) {
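Review bot: The new condition `if ((!cpu_has_feature(CPU_FTR_TM)) || (tsk != current))` carries redundant parentheses that kernel style avoids; `if (!cpu_has_feature(CPU_FTR_TM) || tsk != current)` reads the same. Testing the feature first is the right order, since everything after it touches TM SPRs that trap as illegal instructions on a non-TM CPU, and per the message this is reachable through the ptrace regset paths (vsr_get/vsr_set), which makes it an oops-on-demand without the check. A one-line comment, `/* TM SPRs are illegal instructions on CPUs without the feature */`, would make that explicit. flush_tmregs_to_thread() continues outside the hunk.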
diff --git a/queue-4.13/revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch b/queue-4.13/revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch new file mode 100644 index 00000000000..c66bfc4e680 --- /dev/null +++ b/queue-4.13/revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch 
@@ -0,0 +1,74 @@ +From 612601d0013f03de9dc134809f242ba6da9ca252 Mon Sep 17 00:00:00 2001 +From: Alex Estrin +Date: Tue, 26 Sep 2017 06:06:22 -0700 +Subject: Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" + +From: Alex Estrin + +commit 612601d0013f03de9dc134809f242ba6da9ca252 upstream. + +commit 9a9b8112699d will cause core to fail UD QP from being destroyed +on ipoib unload, therefore cause resources leakage. +On pkey change event above patch modifies mgid before calling underlying +driver to detach it from QP. Drivers' detach_mcast() will fail to find +modified mgid it was never given to attach in a first place. +Core qp->usecnt will never go down, so ib_destroy_qp() will fail. + +IPoIB driver actually does take care of new broadcast mgid based on new +pkey by destroying an old mcast object in ipoib_mcast_dev_flush()) +.... + if (priv->broadcast) { + rb_erase(&priv->broadcast->rb_node, &priv->multicast_tree); + list_add_tail(&priv->broadcast->list, &remove_list); + priv->broadcast = NULL; + } +... + +then in restarted ipoib_macst_join_task() creating a new broadcast mcast +object, sending join request and on completion tells the driver to attach +to reinitialized QP: +... +if (!priv->broadcast) { +... + broadcast = ipoib_mcast_alloc(dev, 0); +... + memcpy(broadcast->mcmember.mgid.raw, priv->dev->broadcast + 4, + sizeof (union ib_gid)); + priv->broadcast = broadcast; +... 
+ +Fixes: 9a9b8112699d ("IB/ipoib: Update broadcast object if PKey value was changed in index 0") +Reviewed-by: Mike Marciniszyn +Reviewed-by: Dennis Dalessandro +Signed-off-by: Alex Estrin +Signed-off-by: Dennis Dalessandro +Reviewed-by: Feras Daoud +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 ------------- + 1 file changed, 13 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -1000,19 +1000,6 @@ static inline int update_parent_pkey(str + */ + priv->dev->broadcast[8] = priv->pkey >> 8; + priv->dev->broadcast[9] = priv->pkey & 0xff; +- +- /* +- * Update the broadcast address in the priv->broadcast object, +- * in case it already exists, otherwise no one will do that. +- */ +- if (priv->broadcast) { +- spin_lock_irq(&priv->lock); +- memcpy(priv->broadcast->mcmember.mgid.raw, +- priv->dev->broadcast + 4, +- sizeof(union ib_gid)); +- spin_unlock_irq(&priv->lock); +- } +- + return 0; + } + diff --git a/queue-4.13/s390-mm-fix-write-access-check-in-gup_huge_pmd.patch b/queue-4.13/s390-mm-fix-write-access-check-in-gup_huge_pmd.patch new file mode 100644 index 00000000000..5b441a63be8 --- /dev/null +++ b/queue-4.13/s390-mm-fix-write-access-check-in-gup_huge_pmd.patch 
@@ -0,0 +1,45 @@
+From ba385c0594e723d41790ecfb12c610e6f90c7785 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer
+Date: Mon, 18 Sep 2017 16:51:51 +0200
+Subject: s390/mm: fix write access check in gup_huge_pmd()
+
+From: Gerald Schaefer
+
+commit ba385c0594e723d41790ecfb12c610e6f90c7785 upstream.
+
+The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
+wrong way around. It must not be set for write==1, and not be checked for
+write==0. Fix this similar to how it was fixed for ptes long time ago in
+commit 25591b070336 ("[S390] fix get_user_pages_fast").
+
+One impact of this bug would be unnecessarily using the gup slow path for
+write==0 on r/w mappings. A potentially more severe impact would be that
+gup_huge_pmd() will succeed for write==1 on r/o mappings.
+
+Signed-off-by: Gerald Schaefer
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/mm/gup.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/mm/gup.c
++++ b/arch/s390/mm/gup.c
+@@ -56,13 +56,12 @@ static inline int gup_pte_range(pmd_t *p
+ static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
+ unsigned long end, int write, struct page **pages, int *nr)
+ {
+- unsigned long mask, result;
+ struct page *head, *page;
++ unsigned long mask;
+ int refs;
+ 
+- result = write ? 0 : _SEGMENT_ENTRY_PROTECT;
+- mask = result | _SEGMENT_ENTRY_INVALID;
+- if ((pmd_val(pmd) & mask) != result)
++ mask = (write ? _SEGMENT_ENTRY_PROTECT : 0) | _SEGMENT_ENTRY_INVALID;
++ if ((pmd_val(pmd) & mask) != 0)
+ return 0;
+ VM_BUG_ON(!pfn_valid(pmd_val(pmd) >> PAGE_SHIFT));
+ 
diff --git a/queue-4.13/s390-mm-make-pmdp_invalidate-do-invalidation-only.patch b/queue-4.13/s390-mm-make-pmdp_invalidate-do-invalidation-only.patch
new file mode 100644
index 00000000000..4746dd257ae
--- /dev/null
+++ b/queue-4.13/s390-mm-make-pmdp_invalidate-do-invalidation-only.patch
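Review bot: The corrected mask is right but still asks the reader to know the s390 encoding: `_SEGMENT_ENTRY_PROTECT` set means read-only, so it must reject a write==1 fast-path GUP (the old inverted test let writes to r/o mappings skip the slow path's permission and COW handling, which is the security-relevant half of the message) and is irrelevant for write==0. A comment on the `mask =` line, `/* PROTECT = read-only: fatal for write, ignored for read; INVALID always fails */`, would encode that and mirror the pte fix the message cites. gup_huge_pmd() continues outside the hunk.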
@@ -0,0 +1,41 @@
+From 91c575b335766effa6103eba42a82aea560c365f Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer
+Date: Mon, 18 Sep 2017 16:10:35 +0200
+Subject: s390/mm: make pmdp_invalidate() do invalidation only
+
+From: Gerald Schaefer
+
+commit 91c575b335766effa6103eba42a82aea560c365f upstream.
+
+Commit 227be799c39a ("s390/mm: uninline pmdp_xxx functions from pgtable.h")
+inadvertently changed the behavior of pmdp_invalidate(), so that it now
+clears the pmd instead of just marking it as invalid. Fix this by restoring
+the original behavior.
+
+A possible impact of the misbehaving pmdp_invalidate() would be the
+MADV_DONTNEED races (see commits ced10803 and 58ceeb6b), although we
+should not have any negative impact on the related dirty/young flags,
+since those flags are not set by the hardware on s390.
+
+Fixes: 227be799c39a ("s390/mm: uninline pmdp_xxx functions from pgtable.h")
+Signed-off-by: Gerald Schaefer
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/include/asm/pgtable.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -1462,7 +1462,9 @@ static inline pmd_t pmdp_huge_clear_flus
+ static inline void pmdp_invalidate(struct vm_area_struct *vma,
+ unsigned long addr, pmd_t *pmdp)
+ {
+- pmdp_xchg_direct(vma->vm_mm, addr, pmdp, __pmd(_SEGMENT_ENTRY_EMPTY));
++ pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);
++
++ pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd);
+ }
+
+ #define __HAVE_ARCH_PMDP_SET_WRPROTECT
diff --git a/queue-4.13/s390-perf-fix-bug-when-creating-per-thread-event.patch b/queue-4.13/s390-perf-fix-bug-when-creating-per-thread-event.patch
new file mode 100644
index 00000000000..90191c1d62c
--- /dev/null
+++ b/queue-4.13/s390-perf-fix-bug-when-creating-per-thread-event.patch
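Review bot: The new `pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);` restores invalidate-only semantics but carries no comment, and the regression being fixed was precisely a refactor that swapped it for `_SEGMENT_ENTRY_EMPTY`. I would add above it: `/* Only set the invalid bit and keep the rest of the entry intact; clearing the whole pmd here is what 227be799c39a broke. */`. The commit message ties the distinction to the MADV_DONTNEED races, which is why it matters; I cannot see from the hunk which callers rely on the preserved bits, so the comment states only what the code does.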
@@ -0,0 +1,58 @@
+From fc3100d64f0ae383ae8d845989103da06d62763b Mon Sep 17 00:00:00 2001
+From: Pu Hou
+Date: Tue, 5 Sep 2017 05:17:24 +0200
+Subject: s390/perf: fix bug when creating per-thread event
+
+From: Pu Hou
+
+commit fc3100d64f0ae383ae8d845989103da06d62763b upstream.
+
+A per-thread event could not be created correctly like below:
+
+ perf record --per-thread -e rB0000 -- sleep 1
+ Error:
+ The sys_perf_event_open() syscall returned with 19 (No such device) for event (rB0000).
+ /bin/dmesg may provide additional information.
+ No CONFIG_PERF_EVENTS=y kernel support configured?
+
+This bug was introduced by:
+
+ commit c311c797998c1e70eade463dd60b843da4f1a203
+ Author: Alexey Dobriyan
+ Date: Mon May 8 15:56:15 2017 -0700
+
+ cpumask: make "nr_cpumask_bits" unsigned
+
+If a per-thread event is not attached to any CPU, the cpu field
+in struct perf_event is -1. The above commit converts the CPU number
+to unsigned int, which result in an illegal CPU number.
+
+Fixes: c311c797998c ("cpumask: make "nr_cpumask_bits" unsigned")
+Cc: Alexey Dobriyan
+Acked-by: Heiko Carstens
+Signed-off-by: Pu Hou
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/perf_cpum_sf.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -823,9 +823,12 @@ static int cpumsf_pmu_event_init(struct
+ }
+
+ /* Check online status of the CPU to which the event is pinned */
+- if ((unsigned int)event->cpu >= nr_cpumask_bits ||
+- (event->cpu >= 0 && !cpu_online(event->cpu)))
+- return -ENODEV;
++ if (event->cpu >= 0) {
++ if ((unsigned int)event->cpu >= nr_cpumask_bits)
++ return -ENODEV;
++ if (!cpu_online(event->cpu))
++ return -ENODEV;
++ }
+
+ /* Force reset of idle/hv excludes regardless of what the
+ * user requested.
diff --git a/queue-4.13/series b/queue-4.13/series
index 812861de9c3..205f0a2afea 100644
--- a/queue-4.13/series
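Review bot: The comment `/* Check online status of the CPU to which the event is pinned */` left above the new `if (event->cpu >= 0) {` block no longer describes it: the block now deliberately skips every check for an unpinned per-thread event (cpu == -1), which is the whole fix. I would reword it to `/* Only a pinned event (cpu >= 0) has a CPU to range-check and test for being online; per-thread events carry cpu == -1 */`. The `(unsigned int)` cast in the range comparison is still needed after the sign check only to avoid a signed/unsigned comparison against nr_cpumask_bits, which the commit message says is now unsigned; a short comment there would keep a future cleanup from dropping it. cpumsf_pmu_event_init() starts and ends outside the hunk.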
+++ b/queue-4.13/series
@@ -42,3 +42,25 @@ security-keys-rewrite-all-of-big_key-crypto.patch
 keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
 keys-prevent-creating-a-different-user-s-keyrings.patch
 keys-prevent-keyctl_read-on-negative-key.patch
+libnvdimm-namespace-fix-btt-claim-class-crash.patch
+powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch
+powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch
+powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch
+mips-fix-perf-event-init.patch
+s390-perf-fix-bug-when-creating-per-thread-event.patch
+s390-mm-make-pmdp_invalidate-do-invalidation-only.patch
+s390-mm-fix-write-access-check-in-gup_huge_pmd.patch
+pm-core-fix-device_pm_check_callbacks.patch
+revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch
+fix-smb3.1.1-guest-authentication-to-samba.patch
+smb3-fix-endian-warning.patch
+smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch
+smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch
+smb3-handle-new-statx-fields.patch
+smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch
+vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch
+libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch
+nl80211-check-for-the-required-netlink-attributes-presence.patch
+brd-fix-overflow-in-__brd_direct_access.patch
+gfs2-fix-debugfs-glocks-dump.patch
+bsg-lib-don-t-free-job-in-bsg_prepare_job.patch
diff --git a/queue-4.13/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch b/queue-4.13/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch
new file mode 100644
index 00000000000..97eff32f49a
--- /dev/null
+++ b/queue-4.13/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch
@@ -0,0 +1,56 @@
+From 0603c96f3af50e2f9299fa410c224ab1d465e0f9 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Wed, 20 Sep 2017 19:57:18 -0500
+Subject: SMB: Validate negotiate (to protect against downgrade) even if signing off
+
+From: Steve French
+
+commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream.
+
+As long as signing is supported (ie not a guest user connection) and
+connection is SMB3 or SMB3.02, then validate negotiate (protect
+against man in the middle downgrade attacks). We had been doing this
+only when signing was required, not when signing was just enabled,
+but this more closely matches recommended SMB3 behavior and is
+better security. Suggested by Metze.
+
+Signed-off-by: Steve French
+Reviewed-by: Jeremy Allison
+Acked-by: Stefan Metzmacher
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -644,15 +644,22 @@ int smb3_validate_negotiate(const unsign
+
+ /*
+ * validation ioctl must be signed, so no point sending this if we
+- * can not sign it. We could eventually change this to selectively
++ * can not sign it (ie are not known user). Even if signing is not
++ * required (enabled but not negotiated), in those cases we selectively
+ * sign just this, the first and only signed request on a connection.
+- * This is good enough for now since a user who wants better security
+- * would also enable signing on the mount. Having validation of
+- * negotiate info for signed connections helps reduce attack vectors
++ * Having validation of negotiate info helps reduce attack vectors.
+ */
+- if (tcon->ses->server->sign == false)
++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
+ return 0; /* validation requires signing */
+
++ if (tcon->ses->user_name == NULL) {
++ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
++ return 0; /* validation requires signing */
++ }
++
++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
++ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
++
+ vneg_inbuf.Capabilities =
+ cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+ memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
diff --git a/queue-4.13/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch b/queue-4.13/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch
new file mode 100644
index 00000000000..d63c58f4d79
--- /dev/null
+++ b/queue-4.13/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch
@@ -0,0 +1,34 @@
+From 1013e760d10e614dc10b5624ce9fc41563ba2e65 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Fri, 22 Sep 2017 01:40:27 -0500
+Subject: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+
+From: Steve French
+
+commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream.
+
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct ino
+ if (backup_cred(cifs_sb))
+ create_options |= CREATE_OPEN_BACKUP_INTENT;
+
++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++ if (f_flags & O_SYNC)
++ create_options |= CREATE_WRITE_THROUGH;
++
++ if (f_flags & O_DIRECT)
++ create_options |= CREATE_NO_BUFFER;
++
+ oparms.tcon = tcon;
+ oparms.cifs_sb = cifs_sb;
+ oparms.desired_access = desired_access;
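Review bot: The guest-session early exit `if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) return 0;` in smb3_validate_negotiate() skips the downgrade check silently, while the null-user exit just below it logs why; since a server that steers a client into guest authentication is exactly the case the downgrade protection exists for, the skipped check should at least show up in the debug log. I would mirror the null-user path with `cifs_dbg(FYI, "Can't validate negotiate: guest session\n");` before that `return 0`. The inline comment `/* validation requires signing */` survives from the old `server->sign == false` test and no longer names the actual condition; `/* guest sessions cannot sign, so validation is impossible */` would match the new code. On the SMB2_SESSION_FLAG_IS_NULL path the code only warns and then goes on to send the validation ioctl; whether an anonymous session can sign that request is not visible in the hunk and is worth confirming. smb3_validate_negotiate() starts before the hunk and continues after it.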
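Review bot: The comment `/* O_SYNC also has bit for O_DSYNC so following check picks up either */` above the new `if (f_flags & O_SYNC)` test in cifs_nt_open() is hard to parse; I would write `/* On Linux O_SYNC is a superset of O_DSYNC, so this single test covers both flags */`. The `if (f_flags & O_DIRECT)` branch has no comment at all; a matching one-liner such as `/* O_DIRECT: ask the server not to buffer this handle */` would explain CREATE_NO_BUFFER to the next reader, assuming that is what the option means on the server side. cifs_nt_open() starts and ends outside the hunk.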
diff --git a/queue-4.13/smb3-fix-endian-warning.patch b/queue-4.13/smb3-fix-endian-warning.patch
new file mode 100644
index 00000000000..d2e05b952ca
--- /dev/null
+++ b/queue-4.13/smb3-fix-endian-warning.patch
@@ -0,0 +1,35 @@
+From 590d08d3da45e9fed423b08ab38d71886c07abc8 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Tue, 19 Sep 2017 11:43:47 -0500
+Subject: SMB3: Fix endian warning
+
+From: Steve French
+
+commit 590d08d3da45e9fed423b08ab38d71886c07abc8 upstream.
+
+Multi-dialect negotiate patch had a minor endian error.
+
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -558,10 +558,11 @@ SMB2_negotiate(const unsigned int xid, s
+ /* ops set to 3.0 by default for default so update */
+ ses->server->ops = &smb21_operations;
+ }
+- } else if (rsp->DialectRevision != ses->server->vals->protocol_id) {
++ } else if (le16_to_cpu(rsp->DialectRevision) !=
++ ses->server->vals->protocol_id) {
+ /* if requested single dialect ensure returned dialect matched */
+ cifs_dbg(VFS, "Illegal 0x%x dialect returned: not requested\n",
+- cpu_to_le16(rsp->DialectRevision));
++ le16_to_cpu(rsp->DialectRevision));
+ return -EIO;
+ }
+
diff --git a/queue-4.13/smb3-handle-new-statx-fields.patch b/queue-4.13/smb3-handle-new-statx-fields.patch
new file mode 100644
index 00000000000..711c39a473a
--- /dev/null
+++ b/queue-4.13/smb3-handle-new-statx-fields.patch
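Review bot: The dialect-mismatch error path now logs the returned dialect correctly with `le16_to_cpu(rsp->DialectRevision)`, but still does not say which dialect was requested, which is the other half of what someone investigating a suspected downgrade needs from the log. I would extend the message to `cifs_dbg(VFS, "Illegal 0x%x dialect returned: not requested (expected 0x%x)\n", le16_to_cpu(rsp->DialectRevision), ses->server->vals->protocol_id);`, assuming protocol_id is a plain integer as the comparison above it suggests. SMB2_negotiate() starts and ends outside the hunk.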
@@ -0,0 +1,54 @@
+From 6e70e26dc52be62c1f39f81b5f71fa5e643677aa Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Thu, 21 Sep 2017 21:32:29 -0500
+Subject: SMB3: handle new statx fields
+
+From: Steve French
+
+commit 6e70e26dc52be62c1f39f81b5f71fa5e643677aa upstream.
+
+We weren't returning the creation time or the two easily supported
+attributes (ENCRYPTED or COMPRESSED) for the getattr call to
+allow statx to return these fields.
+
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg \
+Acked-by: Jeff Layton
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/inode.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -234,6 +234,8 @@ cifs_unix_basic_to_fattr(struct cifs_fat
+ fattr->cf_atime = cifs_NTtimeToUnix(info->LastAccessTime);
+ fattr->cf_mtime = cifs_NTtimeToUnix(info->LastModificationTime);
+ fattr->cf_ctime = cifs_NTtimeToUnix(info->LastStatusChange);
++ /* old POSIX extensions don't get create time */
++
+ fattr->cf_mode = le64_to_cpu(info->Permissions);
+
+ /*
+@@ -2024,6 +2026,19 @@ int cifs_getattr(const struct path *path
+ stat->blksize = CIFS_MAX_MSGSIZE;
+ stat->ino = CIFS_I(inode)->uniqueid;
+
++ /* old CIFS Unix Extensions doesn't return create time */
++ if (CIFS_I(inode)->createtime) {
++ stat->result_mask |= STATX_BTIME;
++ stat->btime =
++ cifs_NTtimeToUnix(cpu_to_le64(CIFS_I(inode)->createtime));
++ }
++
++ stat->attributes_mask |= (STATX_ATTR_COMPRESSED | STATX_ATTR_ENCRYPTED);
++ if (CIFS_I(inode)->cifsAttrs & FILE_ATTRIBUTE_COMPRESSED)
++ stat->attributes |= STATX_ATTR_COMPRESSED;
++ if (CIFS_I(inode)->cifsAttrs & FILE_ATTRIBUTE_ENCRYPTED)
++ stat->attributes |= STATX_ATTR_ENCRYPTED;
++
+ /*
+ * If on a multiuser mount without unix extensions or cifsacl being
+ * enabled, and the admin hasn't overridden them, set the ownership
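Review bot: In cifs_unix_basic_to_fattr() the added `/* old POSIX extensions don't get create time */` is followed only by an added blank line and no code, so it documents an absence without saying what stays unset, and the same fact is stated again in cifs_getattr() as `/* old CIFS Unix Extensions doesn't return create time */`. I would drop the orphaned comment and blank line in cifs_unix_basic_to_fattr() and keep the one in cifs_getattr(), where the `if (CIFS_I(inode)->createtime)` guard is what the comment explains. The `cpu_to_le64()` wrapped around `CIFS_I(inode)->createtime` before `cifs_NTtimeToUnix()` reads as if the stored value were being byte-swapped; if it is only there to satisfy the helper's little-endian parameter type, a comment saying so would save the next reader a detour. Both hunks sit inside functions that begin and end outside the view.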
diff --git a/queue-4.13/smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch b/queue-4.13/smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch
new file mode 100644
index 00000000000..52fcdab600c
--- /dev/null
+++ b/queue-4.13/smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch
@@ -0,0 +1,32 @@
+From c721c38957fb19982416f6be71aae7b30630d83b Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Tue, 19 Sep 2017 18:40:03 -0500
+Subject: SMB3: Warn user if trying to sign connection that authenticated as guest
+
+From: Steve French
+
+commit c721c38957fb19982416f6be71aae7b30630d83b upstream.
+
+It can be confusing if user ends up authenticated as guest but they
+requested signing (server will return error validating signed packets)
+so add log message for this.
+
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1164,6 +1164,8 @@ SMB2_sess_setup(const unsigned int xid,
+ while (sess_data->func)
+ sess_data->func(sess_data);
+
++ if ((ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) && (ses->sign))
++ cifs_dbg(VFS, "signing requested but authenticated as guest\n");
+ rc = sess_data->result;
+ out:
+ kfree(sess_data);
diff --git a/queue-4.13/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch b/queue-4.13/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch
new file mode 100644
index 00000000000..215e05fb6da
--- /dev/null
+++ b/queue-4.13/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch
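Review bot: The new warning `cifs_dbg(VFS, "signing requested but authenticated as guest\n")` names the mismatch but not its consequence, which the commit message gives as the server rejecting signed packets later; `"signing requested but authenticated as guest; signed requests will fail\n"` points the user at the error they will actually see. The check runs after the `while (sess_data->func)` loop regardless of `sess_data->result`, so on a failed session setup it reads whatever session_flags holds at that point; I cannot tell from the hunk whether the flags are initialised before the loop, so it is worth confirming that a failed setup cannot produce a misleading message. SMB2_sess_setup() begins outside the hunk.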
@@ -0,0 +1,44 @@
+From fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher
+Date: Mon, 25 Sep 2017 12:23:03 +0200
+Subject: vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+
+From: Andreas Gruenbacher
+
+commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream.
+
+In generic_file_llseek_size, return -ENXIO for negative offsets as well
+as offsets beyond EOF. This affects filesystems which don't implement
+SEEK_HOLE / SEEK_DATA internally, possibly because they don't support
+holes.
+
+Fixes xfstest generic/448.
+
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/read_write.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -112,7 +112,7 @@ generic_file_llseek_size(struct file *fi
+ * In the generic case the entire file is data, so as long as
+ * offset isn't at the end of the file then the offset is data.
+ */
+- if (offset >= eof)
++ if ((unsigned long long)offset >= eof)
+ return -ENXIO;
+ break;
+ case SEEK_HOLE:
+@@ -120,7 +120,7 @@ generic_file_llseek_size(struct file *fi
+ * There is a virtual hole at the end of the file, so as long as
+ * offset isn't i_size or larger, return i_size.
+ */
+- if (offset >= eof)
++ if ((unsigned long long)offset >= eof)
+ return -ENXIO;
+ offset = eof;
+ break;
--
2.47.3
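Review bot: The cast in `if ((unsigned long long)offset >= eof)` looks like a signed/unsigned warning fix, but it is the whole point of the change: a negative offset becomes a huge unsigned value and takes the -ENXIO path together with offsets past EOF. I would add above the first occurrence `/* negative offsets wrap to huge values and are rejected like offsets beyond EOF */`, and the same comment applies to the identical test in the SEEK_HOLE hunk below it. This relies on eof itself being non-negative, which the hunk does not show; the enclosing switch and generic_file_llseek_size() start and end outside the view.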