From 55d86b4c2e93efd4510c0e1b2d13f477a33b791d Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Wed, 14 Aug 2019 18:32:45 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
alsa-firewire-fix-a-memory-leak-bug.patch
alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
mwifiex-fix-802.11n-wpa-detection.patch
smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
smb3-send-cap_dfs-capability-during-session-setup.patch
---
 .../alsa-firewire-fix-a-memory-leak-bug.patch | 39 +++++++++++++
 ...n-t-override-global-pcm-hw-info-flag.patch | 42 ++++++++++++++
 ...usb_fd-fix-info-leaks-to-usb-devices.patch | 35 ++++++++++++
 ...sb_pro-fix-info-leaks-to-usb-devices.patch | 35 ++++++++++++
 ...-fix-wrong-detection-of-in4-presence.patch | 56 +++++++++++++++++++
 ...age-memory-that-was-mapped-as-single.patch | 37 ++++++++++++
 ...warn-on-short-wmm-parameters-from-ap.patch | 53 ++++++++++++++++++
 .../mwifiex-fix-802.11n-wpa-detection.patch | 52 +++++++++++++++++
 queue-4.9/series | 10 ++++
 ...in-validate-negotiate-hits-reconnect.patch | 38 +++++++++++++
 ..._dfs-capability-during-session-setup.patch | 40 +++++++++++++
 11 files changed, 437 insertions(+)
 create mode 100644 queue-4.9/alsa-firewire-fix-a-memory-leak-bug.patch
 create mode 100644 queue-4.9/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
 create mode 100644 queue-4.9/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
 create mode 100644 queue-4.9/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
 create mode 100644 queue-4.9/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
 create mode 100644 queue-4.9/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
 create mode 100644 queue-4.9/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
 create mode 100644 queue-4.9/mwifiex-fix-802.11n-wpa-detection.patch
 create mode 100644 queue-4.9/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
 create mode 100644 queue-4.9/smb3-send-cap_dfs-capability-during-session-setup.patch

diff --git a/queue-4.9/alsa-firewire-fix-a-memory-leak-bug.patch b/queue-4.9/alsa-firewire-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..05ca846644c
--- /dev/null
+++ b/queue-4.9/alsa-firewire-fix-a-memory-leak-bug.patch
@@ -0,0 +1,39 @@
+From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Thu, 8 Aug 2019 00:50:58 -0500
+Subject: ALSA: firewire: fix a memory leak bug
+
+From: Wenwen Wang
+
+commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream.
+
+In iso_packets_buffer_init(), 'b->packets' is allocated through
+kmalloc_array(). Then, the aligned packet size is checked. If it is
+larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
+However, the allocated 'b->packets' is not deallocated on this path,
+leading to a memory leak.
+
+To fix the above issue, free 'b->packets' before returning the error code.
+
+Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
+Signed-off-by: Wenwen Wang
+Reviewed-by: Takashi Sakamoto
+Cc: # v2.6.39+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/firewire/packets-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/packets-buffer.c
++++ b/sound/firewire/packets-buffer.c
+@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p
+ packets_per_page = PAGE_SIZE / packet_size;
+ if (WARN_ON(!packets_per_page)) {
+ err = -EINVAL;
+- goto error;
++ goto err_packets;
+ }
+ pages = DIV_ROUND_UP(count, packets_per_page);
+
diff --git a/queue-4.9/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch b/queue-4.9/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
new file mode 100644
index 00000000000..f99af04e7bd
--- /dev/null
+++ b/queue-4.9/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
@@ -0,0 +1,42 @@
+From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 6 Aug 2019 14:03:56 +0200
+Subject: ALSA: hda - Don't override global PCM hw info flag
+
+From: Takashi Iwai
+
+commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream.
+
+The commit bfcba288b97f ("ALSA - hda: Add support for link audio time
+reporting") introduced the conditional PCM hw info setup, but it
+overwrites the global azx_pcm_hw object. This will cause a problem if
+any other HD-audio controller, as it'll inherit the same bit flag
+although another controller doesn't support that feature.
+
+Fix the bug by setting the PCM hw info flag locally.
+
+Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting")
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_controller.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -609,11 +609,9 @@ static int azx_pcm_open(struct snd_pcm_s
+ }
+ runtime->private_data = azx_dev;
+
+- if (chip->gts_present)
+- azx_pcm_hw.info = azx_pcm_hw.info |
+- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+-
+ runtime->hw = azx_pcm_hw;
++ if (chip->gts_present)
++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+ runtime->hw.channels_min = hinfo->channels_min;
+ runtime->hw.channels_max = hinfo->channels_max;
+ runtime->hw.formats = hinfo->formats;
diff --git a/queue-4.9/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch b/queue-4.9/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
new file mode 100644
index 00000000000..ee07119f360
--- /dev/null
+++ b/queue-4.9/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
@@ -0,0 +1,35 @@
+From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
+
+From: Tomas Bortoli
+
+commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli
+Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Cc: linux-stable
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -851,7 +851,7 @@ static int pcan_usb_fd_init(struct peak_
+ goto err_out;
+
+ /* allocate command buffer once for all for the interface */
+- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+ GFP_KERNEL);
+ if (!pdev->cmd_buffer_addr)
+ goto err_out_1;
diff --git a/queue-4.9/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch b/queue-4.9/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
new file mode 100644
index 00000000000..0de45982150
--- /dev/null
+++ b/queue-4.9/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
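Review bot: In pcan_usb_fd_init() (pcan_usb_fd.c) the switch to `kzalloc()` clears `cmd_buffer_addr` only at allocation time, while the context comment says this command buffer is allocated once for the whole interface. If a later command is sent from the buffer with a length larger than what was just written into it, bytes left over from an earlier command could still reach the device; the send path is outside the hunk, so this needs confirming there. A comment on the allocation would record why zeroing matters, e.g. `/* zeroed: bytes the driver never writes are still transferred to the device */`. The function body starts and ends outside the hunk.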
@@ -0,0 +1,35 @@
+From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
+
+From: Tomas Bortoli
+
+commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli
+Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
+Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
+Cc: linux-stable
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+@@ -500,7 +500,7 @@ static int pcan_usb_pro_drv_loaded(struc
+ u8 *buffer;
+ int err;
+
+- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
diff --git a/queue-4.9/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch b/queue-4.9/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
new file mode 100644
index 00000000000..b46483cfbd3
--- /dev/null
+++ b/queue-4.9/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
@@ -0,0 +1,56 @@
+From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Fri, 26 Jul 2019 08:00:49 -0700
+Subject: hwmon: (nct7802) Fix wrong detection of in4 presence
+
+From: Guenter Roeck
+
+commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream.
+
+The code to detect if in4 is present is wrong; if in4 is not present,
+the in4_input sysfs attribute is still present.
+
+In detail:
+
+- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug).
+- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input
+ file under /sys and the "sensors" command displays in4_input.
+ But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep.
+
+Fix is_visible function to detect and report in4_input visibility
+as expected.
+
+Reported-by: Gilles Buloz
+Cc: Gilles Buloz
+Cc: stable@vger.kernel.org
+Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/nct7802.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -768,7 +768,7 @@ static struct attribute *nct7802_in_attr
+ &sensor_dev_attr_in3_alarm.dev_attr.attr,
+ &sensor_dev_attr_in3_beep.dev_attr.attr,
+
+- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */
++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */
+ &sensor_dev_attr_in4_min.dev_attr.attr,
+ &sensor_dev_attr_in4_max.dev_attr.attr,
+ &sensor_dev_attr_in4_alarm.dev_attr.attr,
+@@ -794,9 +794,9 @@ static umode_t nct7802_in_is_visible(str
+
+ if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */
+ return 0;
+- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */
++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */
+ return 0;
+- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */
++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */
+ return 0;
+
+ return attr->mode;
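Review bot: The checks in nct7802_in_is_visible() still compare `index` against bare array positions (6, 11, 16), and the only thing tying them to the nct7802_in_attr array is the `/* 16 */` comment that the first hunk corrects. That coupling is how the boundary came to be 17, and it can drift again whenever an attribute is added or removed. Naming the group starts once and using the names in both places would keep them together, e.g. `#define NCT7802_IN4_FIRST 16 /* index of in4_input in nct7802_in_attr[] */` (constructed name), with matching position comments on the first entry of each group in the array. Both the array and the function continue outside the hunks shown.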
diff --git a/queue-4.9/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch b/queue-4.9/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
new file mode 100644
index 00000000000..7a7a01659e9
--- /dev/null
+++ b/queue-4.9/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
@@ -0,0 +1,37 @@
+From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Sun, 21 Jul 2019 14:02:27 +0300
+Subject: iwlwifi: don't unmap as page memory that was mapped as single
+
+From: Emmanuel Grumbach
+
+commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream.
+
+In order to remember how to unmap a memory (as single or
+as page), we maintain a bit per Transmit Buffer (TBs) in
+the meta data (structure iwl_cmd_meta).
+We maintain a bitmap: 1 bit per TB.
+If the TB is set, we will free the memory as a page.
+This bitmap was never cleared. Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats")
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+@@ -439,6 +439,8 @@ static void iwl_pcie_tfd_unmap(struct iw
+ DMA_TO_DEVICE);
+ }
+
++ meta->tbs = 0;
++
+ if (trans->cfg->use_tfh) {
+ struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
+
diff --git a/queue-4.9/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch b/queue-4.9/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
new file mode 100644
index 00000000000..e3b711438ee
--- /dev/null
+++ b/queue-4.9/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
@@ -0,0 +1,53 @@
+From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001
+From: Brian Norris
+Date: Fri, 26 Jul 2019 15:47:58 -0700
+Subject: mac80211: don't WARN on short WMM parameters from AP
+
+From: Brian Norris
+
+commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream.
+
+In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
+on bad WMM parameters from buggy APs"), an AP may not transmit a
+fully-formed WMM IE. For example, it may miss or repeat an Access
+Category. The above loop won't catch that and will instead leave one of
+the four ACs zeroed out. This triggers the following warning in
+drv_conf_tx()
+
+ wlan0: invalid CW_min/CW_max: 0/0
+
+and it may leave one of the hardware queues unconfigured. If we detect
+such a case, let's just print a warning and fall back to the defaults.
+
+Tested with a hacked version of hostapd, intentionally corrupting the
+IEs in hostapd_eid_wmm().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris
+Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mlme.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1873,6 +1873,16 @@ static bool ieee80211_sta_wmm_params(str
+ }
+ }
+
++ /* WMM specification requires all 4 ACIs. */
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ if (params[ac].cw_min == 0) {
++ sdata_info(sdata,
++ "AP has invalid WMM params (missing AC %d), using defaults\n",
++ ac);
++ return false;
++ }
++ }
++
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ mlme_dbg(sdata,
+ "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
diff --git a/queue-4.9/mwifiex-fix-802.11n-wpa-detection.patch b/queue-4.9/mwifiex-fix-802.11n-wpa-detection.patch
new file mode 100644
index 00000000000..7693f476c2c
--- /dev/null
+++ b/queue-4.9/mwifiex-fix-802.11n-wpa-detection.patch
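Review bot: The new loop in ieee80211_sta_wmm_params() (net/mac80211/mlme.c) uses `params[ac].cw_min == 0` as the sign that the AP left an access category out, which holds only if params[] starts zeroed and no entry the AP did send can decode to a cw_min of 0. The commit message states the first; the second depends on the parsing loop outside the hunk, and if it can happen the log text would name an AC as missing when it was present. A comment would pin the assumption down, e.g. `/* params[] starts zeroed; cw_min == 0 means no usable entry was received for this AC */`. Because the condition is driven by AP-supplied data and reported with `sdata_info()`, it is also worth confirming that this path cannot log once per received frame.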
@@ -0,0 +1,52 @@
+From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001
+From: Brian Norris
+Date: Wed, 24 Jul 2019 12:46:34 -0700
+Subject: mwifiex: fix 802.11n/WPA detection
+
+From: Brian Norris
+
+commit df612421fe2566654047769c6852ffae1a31df16 upstream.
+
+Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant
+vendor IEs") adjusted the ieee_types_vendor_header struct, which
+inadvertently messed up the offsets used in
+mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring
+mwifiex_is_rsn_oui_present().
+
+As it stands, commit 63d7ef36103d breaks compatibility with WPA (not
+WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is
+not supported by AP" case in mwifiex_is_network_compatible().
+
+Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs")
+Cc:
+Signed-off-by: Brian Norris
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 1 +
+ drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -120,6 +120,7 @@ enum {
+
+ #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S)
+
++#define WPA_GTK_OUI_OFFSET 2
+ #define RSN_GTK_OUI_OFFSET 2
+
+ #define MWIFIEX_OUI_NOT_PRESENT 0
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie
+ u8 ret = MWIFIEX_OUI_NOT_PRESENT;
+
+ if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) {
+- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data;
++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data +
++ WPA_GTK_OUI_OFFSET);
+ oui = &mwifiex_wpa_oui[cipher][0];
+ ret = mwifiex_search_oui_in_ie(iebody, oui);
+ if (ret)
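Review bot: In mwifiex_is_wpa_oui_present() the new `iebody` pointer is advanced `WPA_GTK_OUI_OFFSET` bytes into `bcn_wpa_ie->data`, which by its name holds an element taken from a received beacon, and the only guard visible in the hunk is `has_vendor_hdr()`. Nothing shown here establishes that the element is long enough to contain those two bytes plus the `ie_body` that mwifiex_search_oui_in_ie() then reads, and the commit named in the message deliberately accepts small vendor IEs. Confirm that the length is validated where the IE is stored, or compare the element length against the offset plus the body size before the call. A short comment such as `/* skip the bytes that precede the group cipher OUI */` would also say what the offset stands for. The function starts and ends outside the hunk.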
diff --git a/queue-4.9/series b/queue-4.9/series
index 86675d50985..91804076082 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -28,3 +28,13 @@ scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch
 scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch
 tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch
 perf-core-fix-creating-kernel-counters-for-pmus-that.patch
+can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
+can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
+hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
+alsa-firewire-fix-a-memory-leak-bug.patch
+alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
+mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
+smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
+smb3-send-cap_dfs-capability-during-session-setup.patch
+mwifiex-fix-802.11n-wpa-detection.patch
+iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
diff --git a/queue-4.9/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch b/queue-4.9/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
new file mode 100644
index 00000000000..567c2a1406c
--- /dev/null
+++ b/queue-4.9/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
@@ -0,0 +1,38 @@
+From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Mon, 22 Jul 2019 11:34:59 -0700
+Subject: SMB3: Fix deadlock in validate negotiate hits reconnect
+
+From: Pavel Shilovsky
+
+commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream.
+
+Currently we skip SMB2_TREE_CONNECT command when checking during
+reconnect because Tree Connect happens when establishing
+an SMB session. For SMB 3.0 protocol version the code also calls
+validate negotiate which results in SMB2_IOCL command being sent
+over the wire. This may deadlock on trying to acquire a mutex when
+checking for reconnect. Fix this by skipping SMB2_IOCL command
+when doing the reconnect check.
+
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg
+CC: Stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -168,7 +168,7 @@ smb2_reconnect(__le16 smb2_command, stru
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT)
++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
diff --git a/queue-4.9/smb3-send-cap_dfs-capability-during-session-setup.patch b/queue-4.9/smb3-send-cap_dfs-capability-during-session-setup.patch
new file mode 100644
index 00000000000..cb752e10777
--- /dev/null
+++ b/queue-4.9/smb3-send-cap_dfs-capability-during-session-setup.patch
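Review bot: The widened early return in smb2_reconnect() (fs/cifs/smb2pdu.c) exempts every `SMB2_IOCTL` from the reconnect check, while the commit message motivates only the validate-negotiate ioctl that is issued during reconnect. Any other ioctl sent on a tcon that needs reconnecting would now skip the check too; whether such callers exist is not visible from the hunk. If only the validate-negotiate case is meant, the condition needs a way to tell the two apart, and in either case the reason belongs next to the test, e.g. `/* validate negotiate sends SMB2_IOCTL while reconnecting; checking again here would deadlock on the mutex */`. The function body continues outside the hunk.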
@@ -0,0 +1,40 @@
+From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Thu, 25 Jul 2019 18:13:10 -0500
+Subject: smb3: send CAP_DFS capability during session setup
+
+From: Steve French
+
+commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream.
+
+We had a report of a server which did not do a DFS referral
+because the session setup Capabilities field was set to 0
+(unlike negotiate protocol where we set CAP_DFS). Better to
+send it session setup in the capabilities as well (this also
+more closely matches Windows client behavior).
+
+Signed-off-by: Steve French
+Reviewed-off-by: Ronnie Sahlberg
+Reviewed-by: Pavel Shilovsky
+CC: Stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -660,7 +660,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_
+ else
+ req->SecurityMode = 0;
+
++#ifdef CONFIG_CIFS_DFS_UPCALL
++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
++#else
+ req->Capabilities = 0;
++#endif /* DFS_UPCALL */
++
+ req->Channel = 0; /* MBZ */
+
+ sess_data->iov[0].iov_base = (char *)req;
--
2.47.3