linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.13 00/43] 4.13.11-stable review
@ 2017-10-31  9:55 Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 01/43] workqueue: replace pool->manager_arb mutex with a flag Greg Kroah-Hartman
                   ` (41 more replies)
  0 siblings, 42 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, stable

This is the start of the stable review cycle for the 4.13.11 release.
There are 43 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Nov  2 09:55:17 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.13.11-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.13.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.13.11-rc1

Cédric Le Goater <clg@kaod.org>
    powerpc/xive: Fix the size of the cpumask used in xive_find_target_in_mask()

Guillaume Tucker <guillaume.tucker@collabora.com>
    regulator: fan53555: fix I2C device ids

Herbert Xu <herbert@gondor.apana.org.au>
    ipsec: Fix aborted xfrm policy dump crash

Johannes Berg <johannes.berg@intel.com>
    cfg80211: fix connect/disconnect edge cases

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: Correct return value in printout

Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
    can: sun4i: fix loopback mode

Lionel Landwerlin <lionel.g.landwerlin@intel.com>
    drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace

Rex Zhu <Rex.Zhu@amd.com>
    drm/amd/powerplay: fix uninitialized variable

Borislav Petkov <bp@suse.de>
    x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't

Ben Hutchings <ben.hutchings@codethink.co.uk>
    scsi: sg: Re-fix off by one in sg_fill_request_table()

Himanshu Madhani <himanshu.madhani@cavium.com>
    scsi: qla2xxx: Initialize Work element before requesting IRQs

Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
    scsi: aacraid: Fix controller initialization failure

Steffen Maier <maier@linux.vnet.ibm.com>
    scsi: zfcp: fix erp_action use-before-initialize in REC action trace

David Howells <dhowells@redhat.com>
    assoc_array: Fix a buggy node-splitting case

Steve French <smfrench@gmail.com>
    SMB3: Validate negotiate request must always be signed

Steve French <smfrench@gmail.com>
    Fix encryption labels and lengths for SMB3.1.1

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: gtco - fix potential out-of-bound access

Kai-Heng Feng <kai.heng.feng@canonical.com>
    Input: elan_i2c - add ELAN0611 to the ACPI table

Aurélien Aptel <aaptel@suse.com>
    CIFS: Fix NULL pointer deref on SMB2_tcon() failure

Benjamin Gilbert <benjamin.gilbert@coreos.com>
    cifs: Select all required crypto modules

Juergen Gross <jgross@suse.com>
    xen: fix booting ballooned down hvm guest

Juergen Gross <jgross@suse.com>
    xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix READDIRPLUS skipping an entry

Amir Goldstein <amir73il@gmail.com>
    ovl: do not cleanup unsupported index entries

Amir Goldstein <amir73il@gmail.com>
    ovl: handle ENOENT on index lookup

Amir Goldstein <amir73il@gmail.com>
    ovl: fix EIO from lookup of non-indexed upper

Hirofumi Nakagawa <nklabs@gmail.com>
    ovl: add NULL check in ovl_alloc_inode

Miquel Raynal <miquel.raynal@free-electrons.com>
    spi: armada-3700: Fix failing commands with quad-SPI

Florian Fainelli <f.fainelli@gmail.com>
    spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path

Maxime Chevallier <maxime.chevallier@smile.fr>
    spi: a3700: Return correct value on timeout detection

Baruch Siach <baruch@tkos.co.il>
    spi: uapi: spidev: add missing ioctl header

Josef Bacik <jbacik@fb.com>
    nbd: handle interrupted sendmsg with a sndtimeo set

Martin Schwidefsky <schwidefsky@de.ibm.com>
    s390/kvm: fix detection of guest machine checks

Alexey Kardashevskiy <aik@ozlabs.ru>
    KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU

Nicholas Piggin <npiggin@gmail.com>
    KVM: PPC: Book3S HV: POWER9 more doorbell fixes

Greg Kurz <groug@kaod.org>
    KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM

Linus Torvalds <torvalds@linux-foundation.org>
    Fix tracing sample code warning.

Jeff Layton <jlayton@redhat.com>
    ceph: unlock dangling spinlock in try_flush_caps()

Hui Wang <hui.wang@canonical.com>
    ALSA: hda - fix headset mic problem for Dell machines with alc236

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add support for ALC236/ALC3204

James Smart <jsmart2021@gmail.com>
    nvme-fc: fix iowait hang

Tejun Heo <tj@kernel.org>
    workqueue: replace pool->manager_arb mutex with a flag


-------------

Diffstat:

 Makefile                                         |  4 +-
 arch/powerpc/kvm/book3s_64_vio.c                 | 23 ++++++-----
 arch/powerpc/kvm/book3s_hv_rmhandlers.S          |  5 +++
 arch/powerpc/kvm/powerpc.c                       |  3 +-
 arch/powerpc/sysdev/xive/common.c                |  2 +-
 arch/s390/kernel/entry.S                         |  7 +++-
 arch/x86/kernel/amd_nb.c                         | 41 +++++++++++++++++++
 drivers/block/nbd.c                              | 13 +++++-
 drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c |  6 +--
 drivers/gpu/drm/i915/i915_perf.c                 |  4 ++
 drivers/input/mouse/elan_i2c_core.c              |  1 +
 drivers/input/tablet/gtco.c                      | 17 ++++----
 drivers/net/can/sun4i_can.c                      |  3 +-
 drivers/net/can/usb/kvaser_usb.c                 |  9 ++++-
 drivers/nvme/host/fc.c                           |  5 ++-
 drivers/regulator/fan53555.c                     |  5 ++-
 drivers/s390/scsi/zfcp_aux.c                     |  5 +++
 drivers/s390/scsi/zfcp_erp.c                     | 18 +++++----
 drivers/s390/scsi/zfcp_scsi.c                    |  5 +++
 drivers/scsi/aacraid/comminit.c                  |  8 ++--
 drivers/scsi/aacraid/linit.c                     |  7 +++-
 drivers/scsi/qla2xxx/qla_os.c                    |  4 +-
 drivers/scsi/sg.c                                |  2 +-
 drivers/spi/spi-armada-3700.c                    | 10 +++--
 drivers/spi/spi-bcm-qspi.c                       |  9 +++--
 drivers/xen/gntdev.c                             |  2 +-
 drivers/xen/xen-balloon.c                        | 19 ++++++---
 fs/ceph/caps.c                                   |  5 ++-
 fs/cifs/Kconfig                                  |  5 +++
 fs/cifs/cifsglob.h                               |  8 +++-
 fs/cifs/smb2pdu.c                                |  7 +++-
 fs/cifs/smb2transport.c                          | 26 ++++++------
 fs/fuse/dir.c                                    |  3 +-
 fs/overlayfs/inode.c                             | 20 ++++++++--
 fs/overlayfs/namei.c                             | 31 +++++++-------
 fs/overlayfs/overlayfs.h                         |  3 +-
 fs/overlayfs/readdir.c                           | 11 +++--
 fs/overlayfs/super.c                             |  3 ++
 include/uapi/linux/spi/spidev.h                  |  1 +
 kernel/workqueue.c                               | 37 +++++++----------
 lib/assoc_array.c                                | 51 ++++++++----------------
 net/wireless/sme.c                               | 50 ++++++++++++++++++-----
 net/xfrm/xfrm_user.c                             | 25 +++++++-----
 samples/trace_events/trace-events-sample.c       |  2 +-
 sound/pci/hda/patch_realtek.c                    | 19 +++++++++
 45 files changed, 361 insertions(+), 183 deletions(-)


* [PATCH 4.13 01/43] workqueue: replace pool->manager_arb mutex with a flag
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 03/43] ALSA: hda/realtek - Add support for ALC236/ALC3204 Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Josef Bacik,
	Lai Jiangshan, Peter Zijlstra, Boqun Feng

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 692b48258dda7c302e777d7d5f4217244478f1f6 upstream.

Josef reported a HARDIRQ-safe -> HARDIRQ-unsafe lock order detected by
lockdep:

 [ 1270.472259] WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
 [ 1270.472783] 4.14.0-rc1-xfstests-12888-g76833e8 #110 Not tainted
 [ 1270.473240] -----------------------------------------------------
 [ 1270.473710] kworker/u5:2/5157 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
 [ 1270.474239]  (&(&lock->wait_lock)->rlock){+.+.}, at: [<ffffffff8da253d2>] __mutex_unlock_slowpath+0xa2/0x280
 [ 1270.474994]
 [ 1270.474994] and this task is already holding:
 [ 1270.475440]  (&pool->lock/1){-.-.}, at: [<ffffffff8d2992f6>] worker_thread+0x366/0x3c0
 [ 1270.476046] which would create a new lock dependency:
 [ 1270.476436]  (&pool->lock/1){-.-.} -> (&(&lock->wait_lock)->rlock){+.+.}
 [ 1270.476949]
 [ 1270.476949] but this new dependency connects a HARDIRQ-irq-safe lock:
 [ 1270.477553]  (&pool->lock/1){-.-.}
 ...
 [ 1270.488900] to a HARDIRQ-irq-unsafe lock:
 [ 1270.489327]  (&(&lock->wait_lock)->rlock){+.+.}
 ...
 [ 1270.494735]  Possible interrupt unsafe locking scenario:
 [ 1270.494735]
 [ 1270.495250]        CPU0                    CPU1
 [ 1270.495600]        ----                    ----
 [ 1270.495947]   lock(&(&lock->wait_lock)->rlock);
 [ 1270.496295]                                local_irq_disable();
 [ 1270.496753]                                lock(&pool->lock/1);
 [ 1270.497205]                                lock(&(&lock->wait_lock)->rlock);
 [ 1270.497744]   <Interrupt>
 [ 1270.497948]     lock(&pool->lock/1);

, which will cause a irq inversion deadlock if the above lock scenario
happens.

The root cause of this safe -> unsafe lock order is the
mutex_unlock(pool->manager_arb) in manage_workers() with pool->lock
held.

Unlocking mutex while holding an irq spinlock was never safe and this
problem has been around forever but it never got noticed because the
only time the mutex is usually trylocked while holding irqlock making
actual failures very unlikely and lockdep annotation missed the
condition until the recent b9c16a0e1f73 ("locking/mutex: Fix
lockdep_assert_held() fail").

Using mutex for pool->manager_arb has always been a bit of a stretch.
It primarily is a mechanism to arbitrate managership between workers
which can easily be done with a pool flag.  The only reason it became
a mutex is that pool destruction path wants to exclude parallel
managing operations.

This patch replaces the mutex with a new pool flag POOL_MANAGER_ACTIVE
and makes the destruction path wait for the current manager on a wait
queue.

v2: Drop unnecessary flag clearing before pool destruction as
    suggested by Boqun.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/workqueue.c |   37 +++++++++++++++----------------------
 1 file changed, 15 insertions(+), 22 deletions(-)

--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -68,6 +68,7 @@ enum {
 	 * attach_mutex to avoid changing binding state while
 	 * worker_attach_to_pool() is in progress.
 	 */
+	POOL_MANAGER_ACTIVE	= 1 << 0,	/* being managed */
 	POOL_DISASSOCIATED	= 1 << 2,	/* cpu can't serve workers */
 
 	/* worker flags */
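Review bot: POOL_MANAGER_ACTIVE is inserted directly under the comment block ending "attach_mutex to avoid changing binding state while worker_attach_to_pool() is in progress", so it reads as if that attach_mutex rule covers the new flag as well as POOL_DISASSOCIATED. The later hunks set and clear it in manage_workers() and put_unbound_pool(), the latter under spin_lock_irq(&pool->lock). Suggest placing the new enumerator above that comment, or adding a line stating that it is protected by pool->lock.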
@@ -165,7 +166,6 @@ struct worker_pool {
 						/* L: hash of busy workers */
 
 	/* see manage_workers() for details on the two manager mutexes */
-	struct mutex		manager_arb;	/* manager arbitration */
 	struct worker		*manager;	/* L: purely informational */
 	struct mutex		attach_mutex;	/* attach/detach exclusion */
 	struct list_head	workers;	/* A: attached workers */
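Review bot: The context comment "see manage_workers() for details on the two manager mutexes" stays in place above the removed manager_arb field, but only attach_mutex remains and the explanatory comment in manage_workers() is deleted later in this patch. Suggest updating it to describe attach_mutex alone and to mention that manager arbitration now uses POOL_MANAGER_ACTIVE.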
@@ -299,6 +299,7 @@ static struct workqueue_attrs *wq_update
 
 static DEFINE_MUTEX(wq_pool_mutex);	/* protects pools and workqueues list */
 static DEFINE_SPINLOCK(wq_mayday_lock);	/* protects wq->maydays list */
+static DECLARE_WAIT_QUEUE_HEAD(wq_manager_wait); /* wait for manager to go away */
 
 static LIST_HEAD(workqueues);		/* PR: list of all workqueues */
 static bool workqueue_freezing;		/* PL: have wqs started freezing? */
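Review bot: wq_manager_wait is a single file-scope wait queue rather than a per-pool one, so the wake_up() added to manage_workers() wakes a put_unbound_pool() waiter whenever any pool finishes managing, not only the pool being destroyed. The wait condition is rechecked, so this is a spurious wakeup rather than a bug, but the comment "wait for manager to go away" could say that the queue is shared by all pools and why that is acceptable.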
@@ -801,7 +802,7 @@ static bool need_to_create_worker(struct
 /* Do we have too many workers and should some go away? */
 static bool too_many_workers(struct worker_pool *pool)
 {
-	bool managing = mutex_is_locked(&pool->manager_arb);
+	bool managing = pool->flags & POOL_MANAGER_ACTIVE;
 	int nr_idle = pool->nr_idle + managing; /* manager is considered idle */
 	int nr_busy = pool->nr_workers - nr_idle;
 
@@ -1980,24 +1981,17 @@ static bool manage_workers(struct worker
 {
 	struct worker_pool *pool = worker->pool;
 
-	/*
-	 * Anyone who successfully grabs manager_arb wins the arbitration
-	 * and becomes the manager.  mutex_trylock() on pool->manager_arb
-	 * failure while holding pool->lock reliably indicates that someone
-	 * else is managing the pool and the worker which failed trylock
-	 * can proceed to executing work items.  This means that anyone
-	 * grabbing manager_arb is responsible for actually performing
-	 * manager duties.  If manager_arb is grabbed and released without
-	 * actual management, the pool may stall indefinitely.
-	 */
-	if (!mutex_trylock(&pool->manager_arb))
+	if (pool->flags & POOL_MANAGER_ACTIVE)
 		return false;
+
+	pool->flags |= POOL_MANAGER_ACTIVE;
 	pool->manager = worker;
 
 	maybe_create_worker(pool);
 
 	pool->manager = NULL;
-	mutex_unlock(&pool->manager_arb);
+	pool->flags &= ~POOL_MANAGER_ACTIVE;
+	wake_up(&wq_manager_wait);
 	return true;
 }
 
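Review bot: The test-and-set of POOL_MANAGER_ACTIVE at the top of manage_workers() is a plain read-modify-write, so it only arbitrates correctly if every caller holds pool->lock. The deleted comment was the only place that said so ("while holding pool->lock"), and it also recorded that the winner must actually perform manager duties or the pool may stall. Suggest keeping a shortened version of that comment and adding lockdep_assert_held(&pool->lock) before the flag check.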
@@ -3215,7 +3209,6 @@ static int init_worker_pool(struct worke
 	setup_timer(&pool->mayday_timer, pool_mayday_timeout,
 		    (unsigned long)pool);
 
-	mutex_init(&pool->manager_arb);
 	mutex_init(&pool->attach_mutex);
 	INIT_LIST_HEAD(&pool->workers);
 
@@ -3285,13 +3278,15 @@ static void put_unbound_pool(struct work
 	hash_del(&pool->hash_node);
 
 	/*
-	 * Become the manager and destroy all workers.  Grabbing
-	 * manager_arb prevents @pool's workers from blocking on
-	 * attach_mutex.
+	 * Become the manager and destroy all workers.  This prevents
+	 * @pool's workers from blocking on attach_mutex.  We're the last
+	 * manager and @pool gets freed with the flag set.
 	 */
-	mutex_lock(&pool->manager_arb);
-
 	spin_lock_irq(&pool->lock);
+	wait_event_lock_irq(wq_manager_wait,
+			    !(pool->flags & POOL_MANAGER_ACTIVE), pool->lock);
+	pool->flags |= POOL_MANAGER_ACTIVE;
+
 	while ((worker = first_idle_worker(pool)))
 		destroy_worker(worker);
 	WARN_ON(pool->nr_workers || pool->nr_idle);
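Review bot: In put_unbound_pool() the flag is set after wait_event_lock_irq() and deliberately never cleared ("@pool gets freed with the flag set"), so any worker that later reaches manage_workers() for this pool returns false without managing. The rewritten comment's "This prevents @pool's workers from blocking on attach_mutex" no longer names what "this" is. Suggest naming POOL_MANAGER_ACTIVE there and stating whether another waiter on wq_manager_wait for this pool is possible, since this path never issues a wake_up().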
@@ -3305,8 +3300,6 @@ static void put_unbound_pool(struct work
 	if (pool->detach_completion)
 		wait_for_completion(pool->detach_completion);
 
-	mutex_unlock(&pool->manager_arb);
-
 	/* shut down the timers */
 	del_timer_sync(&pool->idle_timer);
 	del_timer_sync(&pool->mayday_timer);
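
A userspace model of the arbitration scheme the commit message describes, added here as an illustration and not part of the patch or of kernel code. A pthread mutex stands in for pool->lock and a condition variable for wq_manager_wait; the struct, the function names and the lock drop during the management step are assumptions of this example.

```c
#include <pthread.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>

#define POOL_MANAGER_ACTIVE (1u << 0)  /* flag name taken from the patch */
#define NWORKERS 4
#define ROUNDS   1000

/* Hypothetical stand-in for struct worker_pool; not kernel code. */
struct pool_model {
	pthread_mutex_t lock;            /* plays the role of pool->lock */
	pthread_cond_t  manager_wait;    /* plays the role of wq_manager_wait */
	unsigned int    flags;
	int managers_now, max_managers;  /* instrumentation only */
	int managed, refused;            /* arbitration wins and losses */
};

struct model_result {
	int  max_managers;   /* highest number of simultaneous managers seen */
	int  rounds;         /* arbitration attempts made by the workers */
	bool flag_left_set;  /* destroyer keeps POOL_MANAGER_ACTIVE set */
	bool late_refused;   /* a manager arriving after destruction loses */
};

/* Caller holds p->lock, as manage_workers() callers hold pool->lock. */
static bool manage_workers_model(struct pool_model *p)
{
	if (p->flags & POOL_MANAGER_ACTIVE) {
		p->refused++;
		return false;                /* someone else is managing */
	}
	p->flags |= POOL_MANAGER_ACTIVE;
	if (++p->managers_now > p->max_managers)
		p->max_managers = p->managers_now;
	/* Assumption: management work runs with the lock dropped, so
	 * other workers can attempt arbitration in the meantime. */
	pthread_mutex_unlock(&p->lock);
	sched_yield();
	pthread_mutex_lock(&p->lock);
	p->managers_now--;
	p->managed++;
	p->flags &= ~POOL_MANAGER_ACTIVE;
	pthread_cond_broadcast(&p->manager_wait);  /* wake_up() analogue */
	return true;
}

static void *worker_fn(void *arg)
{
	struct pool_model *p = arg;
	for (int i = 0; i < ROUNDS; i++) {
		pthread_mutex_lock(&p->lock);
		manage_workers_model(p);
		pthread_mutex_unlock(&p->lock);
	}
	return NULL;
}

/* Destruction path: wait for the current manager, then take over for good. */
static void *destroy_fn(void *arg)
{
	struct pool_model *p = arg;
	pthread_mutex_lock(&p->lock);
	while (p->flags & POOL_MANAGER_ACTIVE)  /* wait_event_lock_irq() analogue */
		pthread_cond_wait(&p->manager_wait, &p->lock);
	p->flags |= POOL_MANAGER_ACTIVE;        /* never cleared again */
	pthread_mutex_unlock(&p->lock);
	return NULL;
}

struct model_result run_model(void)
{
	struct pool_model p = { .flags = 0 };
	pthread_t workers[NWORKERS], destroyer;
	struct model_result r;

	pthread_mutex_init(&p.lock, NULL);
	pthread_cond_init(&p.manager_wait, NULL);
	for (int i = 0; i < NWORKERS; i++)
		pthread_create(&workers[i], NULL, worker_fn, &p);
	pthread_create(&destroyer, NULL, destroy_fn, &p);
	for (int i = 0; i < NWORKERS; i++)
		pthread_join(workers[i], NULL);
	pthread_join(destroyer, NULL);
	/* One more attempt after destruction must lose the arbitration. */
	pthread_mutex_lock(&p.lock);
	r.late_refused = !manage_workers_model(&p);
	r.max_managers = p.max_managers;
	r.rounds = p.managed + p.refused - 1;   /* exclude the late attempt */
	r.flag_left_set = (p.flags & POOL_MANAGER_ACTIVE) != 0;
	pthread_mutex_unlock(&p.lock);
	return r;
}

int main(void)
{
	struct model_result r = run_model();
	printf("max managers %d, rounds %d, flag set %d, late refused %d\n",
	       r.max_managers, r.rounds, r.flag_left_set, r.late_refused);
	return 0;
}
```

The flag is only ever read or written with the lock held, which is the property the kernel version depends on as well.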


* [PATCH 4.13 03/43] ALSA: hda/realtek - Add support for ALC236/ALC3204
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 01/43] workqueue: replace pool->manager_arb mutex with a flag Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 04/43] ALSA: hda - fix headset mic problem for Dell machines with alc236 Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kailang Yang <kailang@realtek.com>

commit 736f20a7060857ff569e9e9586ae6c1204a73e07 upstream.

Add support for ALC236/ALC3204.
Add headset mode support for ALC236/ALC3204.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -327,6 +327,7 @@ static void alc_fill_eapd_coef(struct hd
 	case 0x10ec0215:
 	case 0x10ec0225:
 	case 0x10ec0233:
+	case 0x10ec0236:
 	case 0x10ec0255:
 	case 0x10ec0256:
 	case 0x10ec0282:
@@ -911,6 +912,7 @@ static struct alc_codec_rename_pci_table
 	{ 0x10ec0275, 0x1028, 0, "ALC3260" },
 	{ 0x10ec0899, 0x1028, 0, "ALC3861" },
 	{ 0x10ec0298, 0x1028, 0, "ALC3266" },
+	{ 0x10ec0236, 0x1028, 0, "ALC3204" },
 	{ 0x10ec0256, 0x1028, 0, "ALC3246" },
 	{ 0x10ec0225, 0x1028, 0, "ALC3253" },
 	{ 0x10ec0295, 0x1028, 0, "ALC3254" },
@@ -3930,6 +3932,7 @@ static void alc_headset_mode_unplugged(s
 		alc_process_coef_fw(codec, coef0255_1);
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0256);
 		alc_process_coef_fw(codec, coef0255);
@@ -4028,6 +4031,7 @@ static void alc_headset_mode_mic_in(stru
 	};
 
 	switch (codec->core.vendor_id) {
+	case 0x10ec0236:
 	case 0x10ec0255:
 	case 0x10ec0256:
 		alc_write_coef_idx(codec, 0x45, 0xc489);
@@ -4160,6 +4164,7 @@ static void alc_headset_mode_default(str
 		alc_process_coef_fw(codec, alc225_pre_hsmode);
 		alc_process_coef_fw(codec, coef0225);
 		break;
+	case 0x10ec0236:
 	case 0x10ec0255:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0255);
@@ -4256,6 +4261,7 @@ static void alc_headset_mode_ctia(struct
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0256);
 		break;
@@ -4366,6 +4372,7 @@ static void alc_headset_mode_omtp(struct
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0256);
 		break;
@@ -4451,6 +4458,7 @@ static void alc_determine_headset_type(s
 	};
 
 	switch (codec->core.vendor_id) {
+	case 0x10ec0236:
 	case 0x10ec0255:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0255);
@@ -4705,6 +4713,7 @@ static void alc255_set_default_jack_type
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, alc255fw);
 		break;
+	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, alc256fw);
 		break;
@@ -6789,6 +6798,7 @@ static int patch_alc269(struct hda_codec
 	case 0x10ec0255:
 		spec->codec_variant = ALC269_TYPE_ALC255;
 		break;
+	case 0x10ec0236:
 	case 0x10ec0256:
 		spec->codec_variant = ALC269_TYPE_ALC256;
 		spec->shutup = alc256_shutup;
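Review bot: In patch_alc269() the new case 0x10ec0236 falls through into the 0x10ec0256 branch, so ALC236 is given codec_variant ALC269_TYPE_ALC256 and alc256_shutup, and the other hunks likewise route it through the coef0256 and alc256fw paths. The commit message only says "Add support for ALC236/ALC3204". Suggest a sentence there, or a short comment at this case, stating that ALC236 is programmed as an ALC256 variant so a reader does not have to infer it from the fallthroughs.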
@@ -7840,6 +7850,7 @@ static const struct hda_device_id snd_hd
 	HDA_CODEC_ENTRY(0x10ec0233, "ALC233", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0235, "ALC233", patch_alc269),
+	HDA_CODEC_ENTRY(0x10ec0236, "ALC236", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0255, "ALC255", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0256, "ALC256", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0260, "ALC260", patch_alc260),


* [PATCH 4.13 04/43] ALSA: hda - fix headset mic problem for Dell machines with alc236
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 01/43] workqueue: replace pool->manager_arb mutex with a flag Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 03/43] ALSA: hda/realtek - Add support for ALC236/ALC3204 Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 05/43] ceph: unlock dangling spinlock in try_flush_caps() Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit f265788c336979090ac80b9ae173aa817c4fe40d upstream.

We have several Dell laptops which use the codec alc236, the headset
mic can't work on these machines. Following the commit 736f20a70, we
add the pin cfg table to make the headset mic work.

Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6411,6 +6411,14 @@ static const struct snd_hda_pin_quirk al
 		ALC225_STANDARD_PINS,
 		{0x12, 0xb7a60130},
 		{0x1b, 0x90170110}),
+	SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		{0x12, 0x90a60140},
+		{0x14, 0x90170110},
+		{0x21, 0x02211020}),
+	SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		{0x12, 0x90a60140},
+		{0x14, 0x90170150},
+		{0x21, 0x02211020}),
 	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
 		{0x14, 0x90170110},
 		{0x21, 0x02211020}),
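Review bot: The two new SND_HDA_PIN_QUIRK entries for 0x10ec0236 are identical except for pin 0x14 (0x90170110 versus 0x90170150), and both apply ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, a fixup named for a different codec, while the adjacent 0x10ec0255 entry uses the DELL2 variant. A one-line comment saying which machines each pin configuration was taken from, and that the ALC255 fixup is reused on purpose, would make the table easier to audit.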


* [PATCH 4.13 05/43] ceph: unlock dangling spinlock in try_flush_caps()
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 04/43] ALSA: hda - fix headset mic problem for Dell machines with alc236 Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 06/43] Fix tracing sample code warning Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Layton, Yan, Zheng, Ilya Dryomov

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@redhat.com>

commit 6c2838fbdedb9b72a81c931d49e56b229b6cdbca upstream.

sparse warns:

  fs/ceph/caps.c:2042:9: warning: context imbalance in 'try_flush_caps' - wrong count at exit

We need to exit this function with the lock unlocked, but a couple of
cases leave it locked.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ceph/caps.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1985,6 +1985,7 @@ static int try_flush_caps(struct inode *
 retry:
 	spin_lock(&ci->i_ceph_lock);
 	if (ci->i_ceph_flags & CEPH_I_NOFLUSH) {
+		spin_unlock(&ci->i_ceph_lock);
 		dout("try_flush_caps skipping %p I_NOFLUSH set\n", inode);
 		goto out;
 	}
@@ -2002,8 +2003,10 @@ retry:
 			mutex_lock(&session->s_mutex);
 			goto retry;
 		}
-		if (cap->session->s_state < CEPH_MDS_SESSION_OPEN)
+		if (cap->session->s_state < CEPH_MDS_SESSION_OPEN) {
+			spin_unlock(&ci->i_ceph_lock);
 			goto out;
+		}
 
 		flushing = __mark_caps_flushing(inode, session, true,
 						&flush_tid, &oldest_flush_tid);
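Review bot: Both early exits now carry their own spin_unlock(&ci->i_ceph_lock) ahead of goto out (the CEPH_I_NOFLUSH check in the first hunk and the s_state < CEPH_MDS_SESSION_OPEN check here), which fixes the imbalance sparse reported but leaves the rule that out is entered with the lock dropped implicit. Suggest either a separate label that unlocks and then falls into out, or a comment at out stating that the lock must already be released, so the next early exit added to this function does not reintroduce the leak.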


* [PATCH 4.13 06/43] Fix tracing sample code warning.
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 05/43] ceph: unlock dangling spinlock in try_flush_caps() Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 07/43] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt, Linus Torvalds

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit a0cb2b5c390151837b08e5f7bca4a6ecddbcd39c upstream.

Commit 6575257c60e1 ("tracing/samples: Fix creation and deletion of
simple_thread_fn creation") introduced a new warning due to using a
boolean as a counter.

Just make it "int".

Fixes: 6575257c60e1 ("tracing/samples: Fix creation and deletion of simple_thread_fn creation")
Cc: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 samples/trace_events/trace-events-sample.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/samples/trace_events/trace-events-sample.c
+++ b/samples/trace_events/trace-events-sample.c
@@ -78,7 +78,7 @@ static int simple_thread_fn(void *arg)
 }
 
 static DEFINE_MUTEX(thread_mutex);
-static bool simple_thread_cnt;
+static int simple_thread_cnt;
 
 int foo_bar_reg(void)
 {
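Review bot: simple_thread_cnt becomes a signed int although the commit message describes it as a counter; if it only counts registrations, unsigned int would document that it never goes negative. It also sits directly below DEFINE_MUTEX(thread_mutex) with nothing saying the mutex protects it, and a trailing comment to that effect would help if that is the intent.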


* [PATCH 4.13 07/43] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 06/43] Fix tracing sample code warning Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 08/43] KVM: PPC: Book3S HV: POWER9 more doorbell fixes Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Greg Kurz, David Gibson, Thomas Huth,
	Paul Mackerras

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kurz <groug@kaod.org>

commit ac64115a66c18c01745bbd3c47a36b124e5fd8c0 upstream.

The following program causes a kernel oops:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kvm.h>

main()
{
    int fd = open("/dev/kvm", O_RDWR);
    ioctl(fd, KVM_CHECK_EXTENSION, KVM_CAP_PPC_HTM);
}

This happens because when using the global KVM fd with
KVM_CHECK_EXTENSION, kvm_vm_ioctl_check_extension() gets
called with a NULL kvm argument, which gets dereferenced
in is_kvmppc_hv_enabled(). Spotted while reading the code.

Let's use the hv_enabled fallback variable, like everywhere
else in this function.

Fixes: 23528bb21ee2 ("KVM: PPC: Introduce KVM_CAP_PPC_HTM")
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/powerpc.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -639,8 +639,7 @@ int kvm_vm_ioctl_check_extension(struct
 		break;
 #endif
 	case KVM_CAP_PPC_HTM:
-		r = cpu_has_feature(CPU_FTR_TM_COMP) &&
-		    is_kvmppc_hv_enabled(kvm);
+		r = cpu_has_feature(CPU_FTR_TM_COMP) && hv_enabled;
 		break;
 	default:
 		r = 0;
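Review bot: The KVM_CAP_PPC_HTM case now uses hv_enabled instead of is_kvmppc_hv_enabled(kvm), which removes the NULL dereference described in the commit message, but nothing in this hunk records that kvm can be NULL when KVM_CHECK_EXTENSION is issued on the /dev/kvm fd. Suggest a comment near the hv_enabled computation or at the top of kvm_vm_ioctl_check_extension() saying so, since the bug came from a case that used kvm directly and the next new capability could repeat it.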


* [PATCH 4.13 08/43] KVM: PPC: Book3S HV: POWER9 more doorbell fixes
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 07/43] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 09/43] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Paul Mackerras

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit 2cde3716321ec64a1faeaf567bd94100c7b4160f upstream.

- Add another case where msgsync is required.
- Required barrier sequence for global doorbells is msgsync ; lwsync

When msgsnd is used for IPIs to other cores, msgsync must be executed by
the target to order stores performed on the source before its msgsnd
(provided the source executes the appropriate sync).

Fixes: 1704a81ccebc ("KVM: PPC: Book3S HV: Use msgsnd for IPIs to other cores on POWER9")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_hv_rmhandlers.S |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -1296,6 +1296,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
 	bne	3f
 BEGIN_FTR_SECTION
 	PPC_MSGSYNC
+	lwsync
 END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
 	lbz	r0, HSTATE_HOST_IPI(r13)
 	cmpwi	r0, 0
@@ -2767,6 +2768,10 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
 	PPC_MSGCLR(6)
 	/* see if it's a host IPI */
 	li	r3, 1
+BEGIN_FTR_SECTION
+	PPC_MSGSYNC
+	lwsync
+END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
 	lbz	r0, HSTATE_HOST_IPI(r13)
 	cmpwi	r0, 0
 	bnelr
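Review bot: The BEGIN_FTR_SECTION / PPC_MSGSYNC / lwsync / END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) sequence added here before the HSTATE_HOST_IPI load duplicates the one completed by the lwsync in the first hunk, and neither copy carries a comment. The ordering requirement is explained only in the commit message ("msgsync ; lwsync"). Suggest an inline comment at both sites stating that the pair orders the source's stores before the load that follows, or a shared macro, so that a later edit does not drop one half of the sequence.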


* [PATCH 4.13 09/43] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 08/43] KVM: PPC: Book3S HV: POWER9 more doorbell fixes Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 10/43] s390/kvm: fix detection of guest machine checks Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kardashevskiy, Paul Mackerras

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kardashevskiy <aik@ozlabs.ru>

commit 8f6a9f0d0604817f7c8d4376fd51718f1bf192ee upstream.

kvmppc_gpa_to_ua() accesses KVM memory slot array via
srcu_dereference_check() and this produces warnings from RCU like below.

This extends the existing srcu_read_lock/unlock to cover that
kvmppc_gpa_to_ua() as well.

We did not hit this before as this lock is not needed for the realmode
handlers and hash guests would use the realmode path all the time;
however the radix guests are always redirected to the virtual mode
handlers and hence the warning.

[   68.253798] ./include/linux/kvm_host.h:575 suspicious rcu_dereference_check() usage!
[   68.253799]
               other info that might help us debug this:

[   68.253802]
               rcu_scheduler_active = 2, debug_locks = 1
[   68.253804] 1 lock held by qemu-system-ppc/6413:
[   68.253806]  #0:  (&vcpu->mutex){+.+.}, at: [<c00800000e3c22f4>] vcpu_load+0x3c/0xc0 [kvm]
[   68.253826]
               stack backtrace:
[   68.253830] CPU: 92 PID: 6413 Comm: qemu-system-ppc Tainted: G        W       4.14.0-rc3-00553-g432dcba58e9c-dirty #72
[   68.253833] Call Trace:
[   68.253839] [c000000fd3d9f790] [c000000000b7fcc8] dump_stack+0xe8/0x160 (unreliable)
[   68.253845] [c000000fd3d9f7d0] [c0000000001924c0] lockdep_rcu_suspicious+0x110/0x180
[   68.253851] [c000000fd3d9f850] [c0000000000e825c] kvmppc_gpa_to_ua+0x26c/0x2b0
[   68.253858] [c000000fd3d9f8b0] [c00800000e3e1984] kvmppc_h_put_tce+0x12c/0x2a0 [kvm]

Fixes: 121f80ba68f1 ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_64_vio.c |   23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

--- a/arch/powerpc/kvm/book3s_64_vio.c
+++ b/arch/powerpc/kvm/book3s_64_vio.c
@@ -479,28 +479,30 @@ long kvmppc_h_put_tce(struct kvm_vcpu *v
 		return ret;
 
 	dir = iommu_tce_direction(tce);
+
+	idx = srcu_read_lock(&vcpu->kvm->srcu);
+
 	if ((dir != DMA_NONE) && kvmppc_gpa_to_ua(vcpu->kvm,
-			tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL))
-		return H_PARAMETER;
+			tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL)) {
+		ret = H_PARAMETER;
+		goto unlock_exit;
+	}
 
 	entry = ioba >> stt->page_shift;
 
 	list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
-		if (dir == DMA_NONE) {
+		if (dir == DMA_NONE)
 			ret = kvmppc_tce_iommu_unmap(vcpu->kvm,
 					stit->tbl, entry);
-		} else {
-			idx = srcu_read_lock(&vcpu->kvm->srcu);
+		else
 			ret = kvmppc_tce_iommu_map(vcpu->kvm, stit->tbl,
 					entry, ua, dir);
-			srcu_read_unlock(&vcpu->kvm->srcu, idx);
-		}
 
 		if (ret == H_SUCCESS)
 			continue;
 
 		if (ret == H_TOO_HARD)
-			return ret;
+			goto unlock_exit;
 
 		WARN_ON_ONCE(1);
 		kvmppc_clear_tce(stit->tbl, entry);
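Review bot: `srcu_read_lock(&vcpu->kvm->srcu)` is now taken well before the calls it protects, and nothing at the lock site says that it covers both `kvmppc_gpa_to_ua()` and the `kvmppc_tce_iommu_map()` calls in the loop. A short comment there would help, and every exit after the lock has to go through `unlock_exit`, so any plain `return` left between this hunk and the next deserves a second look.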
@@ -508,7 +510,10 @@ long kvmppc_h_put_tce(struct kvm_vcpu *v
 
 	kvmppc_tce_put(stt, entry, tce);
 
-	return H_SUCCESS;
+unlock_exit:
+	srcu_read_unlock(&vcpu->kvm->srcu, idx);
+
+	return ret;
 }
 EXPORT_SYMBOL_GPL(kvmppc_h_put_tce);
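Review bot: The final `return H_SUCCESS` becomes `return ret`, so the result now depends on whatever `ret` holds when execution reaches `kvmppc_tce_put()`. Please confirm that `ret` is `H_SUCCESS` on that path when `stt->iommu_tables` is empty and after the `WARN_ON_ONCE(1)`/`kvmppc_clear_tce()` branch, or set `ret = H_SUCCESS` explicitly before the `unlock_exit` label.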
 

* [PATCH 4.13 10/43] s390/kvm: fix detection of guest machine checks
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 09/43] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 11/43] nbd: handle interrupted sendmsg with a sndtimeo set Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Borntraeger, Martin Schwidefsky

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit 0a5e2ec2647737907d267c09dc9a25fab1468865 upstream.

The new detection code for guest machine checks added a check based
on %r11 to .Lcleanup_sie to distinguish between normal asynchronous
interrupts and machine checks. But the function is called from the
program check handler as well with an undefined value in %r11.

The effect is that all program exceptions pointing to the SIE instruction
will set the CIF_MCCK_GUEST bit. The bit stays set for the CPU until the
next machine check comes in which will incorrectly be interpreted as a
guest machine check.

The simplest fix is to stop using .Lcleanup_sie in the program check
handler and duplicate a few instructions.

Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest")
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/entry.S |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -521,12 +521,15 @@ ENTRY(pgm_check_handler)
 	tmhh	%r8,0x0001		# test problem state bit
 	jnz	2f			# -> fault in user space
 #if IS_ENABLED(CONFIG_KVM)
-	# cleanup critical section for sie64a
+	# cleanup critical section for program checks in sie64a
 	lgr	%r14,%r9
 	slg	%r14,BASED(.Lsie_critical_start)
 	clg	%r14,BASED(.Lsie_critical_length)
 	jhe	0f
-	brasl	%r14,.Lcleanup_sie
+	lg	%r14,__SF_EMPTY(%r15)		# get control block pointer
+	ni	__SIE_PROG0C+3(%r14),0xfe	# no longer in SIE
+	lctlg	%c1,%c1,__LC_USER_ASCE		# load primary asce
+	larl	%r9,sie_exit			# skip forward to sie_exit
 #endif
 0:	tmhh	%r8,0x4000		# PER bit set in old PSW ?
 	jnz	1f			# -> enabled, can't be a double fault
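Review bot: The four instructions added in place of `brasl %r14,.Lcleanup_sie` are a hand copy of part of that routine, and nothing at either site says so. A comment here naming `.Lcleanup_sie`, and one there pointing back, would make sure a later change to the SIE exit sequence is applied to both. The comment should also say that the copy exists because `%r11` is undefined in the program check handler.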

* [PATCH 4.13 11/43] nbd: handle interrupted sendmsg with a sndtimeo set
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 10/43] s390/kvm: fix detection of guest machine checks Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 12/43] spi: uapi: spidev: add missing ioctl header Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, Jens Axboe

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jbacik@fb.com>

commit 32e67a3a06b88904155170560b7a63d372b320bd upstream.

If you do not set sk_sndtimeo you will get -ERESTARTSYS if there is a
pending signal when you enter sendmsg, which we handle properly.
However if you set a timeout for your commands we'll set sk_sndtimeo to
that timeout, which means that sendmsg will start returning -EINTR
instead of -ERESTARTSYS.  Fix this by checking either case and doing
the correct thing.

Fixes: dc88e34d69d8 ("nbd: set sk->sk_sndtimeo for our sockets")
Reported-and-tested-by: Daniel Xu <dlxu@fb.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/nbd.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -386,6 +386,15 @@ static int sock_xmit(struct nbd_device *
 	return result;
 }
 
+/*
+ * Different settings for sk->sk_sndtimeo can result in different return values
+ * if there is a signal pending when we enter sendmsg, because reasons?
+ */
+static inline int was_interrupted(int result)
+{
+	return result == -ERESTARTSYS || result == -EINTR;
+}
+
 /* always call with the tx_lock held */
 static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index)
 {
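Review bot: The comment above `was_interrupted()` ends in "because reasons?", which documents nothing. The commit message has the actual explanation (with `sk_sndtimeo` unset a pending signal yields `-ERESTARTSYS`, with a timeout set it yields `-EINTR`), and that sentence belongs in the comment. The helper also returns a truth value, so `bool` fits better than `int`.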
@@ -458,7 +467,7 @@ static int nbd_send_cmd(struct nbd_devic
 	result = sock_xmit(nbd, index, 1, &from,
 			(type == NBD_CMD_WRITE) ? MSG_MORE : 0, &sent);
 	if (result <= 0) {
-		if (result == -ERESTARTSYS) {
+		if (was_interrupted(result)) {
 			/* If we havne't sent anything we can just return BUSY,
 			 * however if we have sent something we need to make
 			 * sure we only allow this req to be sent until we are
@@ -502,7 +511,7 @@ send_pages:
 			}
 			result = sock_xmit(nbd, index, 1, &from, flags, &sent);
 			if (result <= 0) {
-				if (result == -ERESTARTSYS) {
+				if (was_interrupted(result)) {
 					/* We've already sent the header, we
 					 * have no choice but to set pending and
 					 * return BUSY.

* [PATCH 4.13 12/43] spi: uapi: spidev: add missing ioctl header
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 11/43] nbd: handle interrupted sendmsg with a sndtimeo set Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 13/43] spi: a3700: Return correct value on timeout detection Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Baruch Siach, Mark Brown

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Baruch Siach <baruch@tkos.co.il>

commit a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 upstream.

The SPI_IOC_MESSAGE() macro references _IOC_SIZEBITS. Add linux/ioctl.h
to make sure this macro is defined. This fixes the following build
failure of lcdproc with the musl libc:

In file included from .../sysroot/usr/include/sys/ioctl.h:7:0,
                 from hd44780-spi.c:31:
hd44780-spi.c: In function 'spi_transfer':
hd44780-spi.c:89:24: error: '_IOC_SIZEBITS' undeclared (first use in this function)
  status = ioctl(p->fd, SPI_IOC_MESSAGE(1), &xfer);
                        ^

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/uapi/linux/spi/spidev.h |    1 +
 1 file changed, 1 insertion(+)

--- a/include/uapi/linux/spi/spidev.h
+++ b/include/uapi/linux/spi/spidev.h
@@ -23,6 +23,7 @@
 #define SPIDEV_H
 
 #include <linux/types.h>
+#include <linux/ioctl.h>
 
 /* User space versions of kernel symbols for SPI clocking modes,
  * matching <linux/spi/spi.h>

* [PATCH 4.13 13/43] spi: a3700: Return correct value on timeout detection
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 12/43] spi: uapi: spidev: add missing ioctl header Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 14/43] spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxime Chevallier, Mark Brown

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Chevallier <maxime.chevallier@smile.fr>

commit 5a866ec0014b2baa4ecbb1eaa19c835482829d08 upstream.

When waiting for transfer completion, a3700_spi_wait_completion
returns a boolean indicating if a timeout occurred.

The function was returning 'true' every time, failing to detect any
timeout.

This patch makes it return 'false' when a timeout is reached.

Signed-off-by: Maxime Chevallier <maxime.chevallier@smile.fr>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-armada-3700.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/spi/spi-armada-3700.c
+++ b/drivers/spi/spi-armada-3700.c
@@ -392,7 +392,8 @@ static bool a3700_spi_wait_completion(st
 
 	spireg_write(a3700_spi, A3700_SPI_INT_MASK_REG, 0);
 
-	return true;
+	/* Timeout was reached */
+	return false;
 }
 
 static bool a3700_spi_transfer_wait(struct spi_device *spi,
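Review bot: The return convention of `a3700_spi_wait_completion()` is easy to misread: after this change `false` means the timeout was reached, so `true` means completion, while the commit message describes the value as "indicating if a timeout occurred". A kernel-doc line on the function stating that it returns true on completion and false on timeout (or switching to `0`/`-ETIMEDOUT`) would make callers harder to get wrong.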

* [PATCH 4.13 14/43] spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 13/43] spi: a3700: Return correct value on timeout detection Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 15/43] spi: armada-3700: Fix failing commands with quad-SPI Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Mark Brown

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit c0368e4db4a3e8a3dce40f3f621c06e14c560d79 upstream.

There was an inversion in how the error path in bcm_qspi_probe() is done
which would make us trip over a KASAN use-after-free report. Turns out
that qspi->dev_ids does not get allocated until later in the probe
process. Fix this by introducing a new label: qspi_resource_err which
takes care of cleaning up the SPI master instance.

Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-bcm-qspi.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-bcm-qspi.c
+++ b/drivers/spi/spi-bcm-qspi.c
@@ -1278,7 +1278,7 @@ int bcm_qspi_probe(struct platform_devic
 			goto qspi_probe_err;
 		}
 	} else {
-		goto qspi_probe_err;
+		goto qspi_resource_err;
 	}
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi");
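Review bot: The `else` branch jumps to `qspi_resource_err` without assigning `ret` in the lines shown, and the error path ends in `return ret`. Please confirm `ret` already holds a negative errno at this point, or set one (for example `ret = -ENODEV;`) inside the `else` before the `goto`.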
@@ -1300,7 +1300,7 @@ int bcm_qspi_probe(struct platform_devic
 		qspi->base[CHIP_SELECT]  = devm_ioremap_resource(dev, res);
 		if (IS_ERR(qspi->base[CHIP_SELECT])) {
 			ret = PTR_ERR(qspi->base[CHIP_SELECT]);
-			goto qspi_probe_err;
+			goto qspi_resource_err;
 		}
 	}
 
@@ -1308,7 +1308,7 @@ int bcm_qspi_probe(struct platform_devic
 				GFP_KERNEL);
 	if (!qspi->dev_ids) {
 		ret = -ENOMEM;
-		goto qspi_probe_err;
+		goto qspi_resource_err;
 	}
 
 	for (val = 0; val < num_irqs; val++) {
@@ -1397,8 +1397,9 @@ qspi_reg_err:
 	bcm_qspi_hw_uninit(qspi);
 	clk_disable_unprepare(qspi->clk);
 qspi_probe_err:
-	spi_master_put(master);
 	kfree(qspi->dev_ids);
+qspi_resource_err:
+	spi_master_put(master);
 	return ret;
 }
 /* probe function to be called by SoC specific platform driver probe */
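Review bot: The fix depends on label order: `kfree(qspi->dev_ids)` must run before `spi_master_put(master)`, and paths that fail before `dev_ids` is allocated must enter at `qspi_resource_err`. Given the use-after-free described in the commit message, a one-line comment at `qspi_resource_err` saying that `qspi` must not be touched after `spi_master_put()` would stop a later cleanup step from being added below it.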

* [PATCH 4.13 15/43] spi: armada-3700: Fix failing commands with quad-SPI
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 14/43] spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 16/43] ovl: add NULL check in ovl_alloc_inode Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ken Ma, Miquel Raynal, Mark Brown

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miquel Raynal <miquel.raynal@free-electrons.com>

commit 747e1f60470b975363cbbfcde0c41a3166391be5 upstream.

A3700 SPI controller datasheet states that only the first line (IO0) is
used to receive and send instructions, addresses and dummy bytes,
unless for addresses during an RX operation in a quad SPI configuration
(see p.821 of the Armada-3720-DB datasheet). Otherwise, some commands
such as SPI NOR commands like READ_FROM_CACHE_DUAL_IO(0xeb) and
READ_FROM_CACHE_DUAL_IO(0xbb) will fail because these commands must send
address bytes through the four pins. Data transfers always use the four
bytes with this setup.

Thus, in quad SPI configuration, the A3700_SPI_ADDR_PIN bit must be set
only in this case to inform the controller that it must use the number
of pins indicated in the {A3700_SPI_DATA_PIN1,A3700_SPI_DATA_PIN0} field
during the address cycles of an RX operation.

Suggested-by: Ken Ma <make@marvell.com>
Signed-off-by: Miquel Raynal <miquel.raynal@free-electrons.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-armada-3700.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-armada-3700.c
+++ b/drivers/spi/spi-armada-3700.c
@@ -161,7 +161,7 @@ static void a3700_spi_deactivate_cs(stru
 }
 
 static int a3700_spi_pin_mode_set(struct a3700_spi *a3700_spi,
-				  unsigned int pin_mode)
+				  unsigned int pin_mode, bool receiving)
 {
 	u32 val;
 
@@ -177,6 +177,9 @@ static int a3700_spi_pin_mode_set(struct
 		break;
 	case SPI_NBITS_QUAD:
 		val |= A3700_SPI_DATA_PIN1;
+		/* RX during address reception uses 4-pin */
+		if (receiving)
+			val |= A3700_SPI_ADDR_PIN;
 		break;
 	default:
 		dev_err(&a3700_spi->master->dev, "wrong pin mode %u", pin_mode);
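Review bot: In the `SPI_NBITS_QUAD` case `A3700_SPI_ADDR_PIN` is only ever ORed in; nothing visible in this hunk clears it when `receiving` is false. Unless the code above the switch already masks the bit out of `val`, a quad RX transfer followed by a quad TX transfer would leave it set, so please confirm the mask includes `A3700_SPI_ADDR_PIN` or clear it explicitly in the non-receiving path.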
@@ -654,7 +657,7 @@ static int a3700_spi_transfer_one(struct
 	else if (xfer->rx_buf)
 		nbits = xfer->rx_nbits;
 
-	a3700_spi_pin_mode_set(a3700_spi, nbits);
+	a3700_spi_pin_mode_set(a3700_spi, nbits, xfer->rx_buf ? true : false);
 
 	if (xfer->rx_buf) {
 		/* Set read data length */
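Review bot: `xfer->rx_buf ? true : false` is redundant for a `bool` parameter; `!!xfer->rx_buf` or `xfer->rx_buf != NULL` says the same. The call also still discards the `int` returned by `a3700_spi_pin_mode_set()`, so a failure reported by that function never reaches the caller; consider checking it here.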

* [PATCH 4.13 16/43] ovl: add NULL check in ovl_alloc_inode
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 15/43] spi: armada-3700: Fix failing commands with quad-SPI Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 17/43] ovl: fix EIO from lookup of non-indexed upper Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hirofumi Nakagawa

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hirofumi Nakagawa <nklabs@gmail.com>

commit b3885bd6edb41b91a0e3976469f72ae31bfb8d95 upstream.

This was detected by fault injection test

Signed-off-by: Hirofumi Nakagawa <nklabs@gmail.com>
Fixes: 13cf199d0088 ("ovl: allocate an ovl_inode struct")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/super.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -174,6 +174,9 @@ static struct inode *ovl_alloc_inode(str
 {
 	struct ovl_inode *oi = kmem_cache_alloc(ovl_inode_cachep, GFP_KERNEL);
 
+	if (!oi)
+		return NULL;
+
 	oi->cache = NULL;
 	oi->redirect = NULL;
 	oi->version = 0;

* [PATCH 4.13 17/43] ovl: fix EIO from lookup of non-indexed upper
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 16/43] ovl: add NULL check in ovl_alloc_inode Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 18/43] ovl: handle ENOENT on index lookup Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Amir Goldstein, Miklos Szeredi

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 6eaf011144af10cad34c0d46f82e50d382c8e926 upstream.

Commit fbaf94ee3cd5 ("ovl: don't set origin on broken lower hardlink")
attempted to avoid the condition of non-indexed upper inode with lower
hardlink as origin. If this condition is found, lookup returns EIO.

The protection of commit mentioned above does not cover the case of lower
that is not a hardlink when it is copied up (with either index=off/on)
and then lower is hardlinked while overlay is offline.

Changes to lower layer while overlayfs is offline should not result in
unexpected behavior, so a permanent EIO error after creating a link in
lower layer should not be considered as correct behavior.

This fix replaces EIO error with success in cases where upper has origin
but no index is found, or index is found that does not match upper
inode. In those cases, lookup will not fail and the returned overlay inode
will be hashed by upper inode instead of by lower origin inode.

Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/inode.c     |   20 ++++++++++++++++----
 fs/overlayfs/namei.c     |   20 ++++++++------------
 fs/overlayfs/overlayfs.h |    3 ++-
 3 files changed, 26 insertions(+), 17 deletions(-)

--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -595,18 +595,30 @@ static bool ovl_verify_inode(struct inod
 	return true;
 }
 
-struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry)
+struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry,
+			    struct dentry *index)
 {
 	struct dentry *lowerdentry = ovl_dentry_lower(dentry);
 	struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
 	struct inode *inode;
+	/* Already indexed or could be indexed on copy up? */
+	bool indexed = (index || (ovl_indexdir(dentry->d_sb) && !upperdentry));
+
+	if (WARN_ON(upperdentry && indexed && !lowerdentry))
+		return ERR_PTR(-EIO);
 
 	if (!realinode)
 		realinode = d_inode(lowerdentry);
 
-	if (!S_ISDIR(realinode->i_mode) &&
-	    (upperdentry || (lowerdentry && ovl_indexdir(dentry->d_sb)))) {
-		struct inode *key = d_inode(lowerdentry ?: upperdentry);
+	/*
+	 * Copy up origin (lower) may exist for non-indexed upper, but we must
+	 * not use lower as hash key in that case.
+	 * Hash inodes that are or could be indexed by origin inode and
+	 * non-indexed upper inodes that could be hard linked by upper inode.
+	 */
+	if (!S_ISDIR(realinode->i_mode) && (upperdentry || indexed)) {
+		struct inode *key = d_inode(indexed ? lowerdentry :
+						      upperdentry);
 		unsigned int nlink;
 
 		inode = iget5_locked(dentry->d_sb, (unsigned long) key,
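Review bot: With `upperdentry` set, `indexed` reduces to `index != NULL`, so the new `WARN_ON(upperdentry && indexed && !lowerdentry)` fires when an index entry was found without a lower dentry. If that state can come from the on-disk layers rather than only from a kernel bug, `pr_warn_ratelimited()` with the same `-EIO` return is the safer choice, since `WARN_ON` becomes a crash under `panic_on_warn`.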
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -516,18 +516,9 @@ static struct dentry *ovl_lookup_index(s
 
 	inode = d_inode(index);
 	if (d_is_negative(index)) {
-		if (upper && d_inode(origin)->i_nlink > 1) {
-			pr_warn_ratelimited("overlayfs: hard link with origin but no index (ino=%lu).\n",
-					    d_inode(origin)->i_ino);
-			goto fail;
-		}
-
-		dput(index);
-		index = NULL;
+		goto out_dput;
 	} else if (upper && d_inode(upper) != inode) {
-		pr_warn_ratelimited("overlayfs: wrong index found (index=%pd2, ino=%lu, upper ino=%lu).\n",
-				    index, inode->i_ino, d_inode(upper)->i_ino);
-		goto fail;
+		goto out_dput;
 	} else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
 		   ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
 		/*
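Review bot: Both `pr_warn_ratelimited()` messages are dropped along with the `goto fail`, so a missing index for a hard-linked origin and an index that does not match the upper inode are now handled silently via `out_dput`. Since the commit message says the inode is then hashed by the upper inode instead of the origin, a `pr_debug()` or a comment at `out_dput` explaining why these cases are no longer errors would help when diagnosing hard link behaviour.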
@@ -547,6 +538,11 @@ out:
 	kfree(name.name);
 	return index;
 
+out_dput:
+	dput(index);
+	index = NULL;
+	goto out;
+
 fail:
 	dput(index);
 	index = ERR_PTR(-EIO);
@@ -709,7 +705,7 @@ struct dentry *ovl_lookup(struct inode *
 		upperdentry = dget(index);
 
 	if (upperdentry || ctr) {
-		inode = ovl_get_inode(dentry, upperdentry);
+		inode = ovl_get_inode(dentry, upperdentry, index);
 		err = PTR_ERR(inode);
 		if (IS_ERR(inode))
 			goto out_free_oe;
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -284,7 +284,8 @@ int ovl_update_time(struct inode *inode,
 bool ovl_is_private_xattr(const char *name);
 
 struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev);
-struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry);
+struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry,
+			    struct dentry *index);
 static inline void ovl_copyattr(struct inode *from, struct inode *to)
 {
 	to->i_uid = from->i_uid;

* [PATCH 4.13 18/43] ovl: handle ENOENT on index lookup
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 17/43] ovl: fix EIO from lookup of non-indexed upper Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 19/43] ovl: do not cleanup unsupported index entries Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Amir Goldstein

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 7937a56fdf0b064c2ffa33025210f725a4ebc822 upstream.

Treat ENOENT from index entry lookup the same way as treating a returned
negative dentry. Apparently, either could be returned if file is not
found, depending on the underlying file system.

Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/namei.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -507,6 +507,10 @@ static struct dentry *ovl_lookup_index(s
 	index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
 	if (IS_ERR(index)) {
 		err = PTR_ERR(index);
+		if (err == -ENOENT) {
+			index = NULL;
+			goto out;
+		}
 		pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
 				    "overlayfs: mount with '-o index=off' to disable inodes index.\n",
 				    d_inode(origin)->i_ino, name.len, name.name,
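Review bot: The `-ENOENT` special case has no comment, and without the commit message it looks like an error being swallowed. A line above `if (err == -ENOENT)` saying that some underlying file systems return `-ENOENT` instead of a negative dentry would justify returning `index = NULL` through `out`.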

* [PATCH 4.13 19/43] ovl: do not cleanup unsupported index entries
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 18/43] ovl: handle ENOENT on index lookup Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 20/43] fuse: fix READDIRPLUS skipping an entry Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Amir Goldstein

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit fa0096e3bad69ed6f34843fd7ae1c45ca987012a upstream.

With index=on, ovl_indexdir_cleanup() tries to cleanup invalid index
entries (e.g. bad index name). This behavior could result in cleaning of
entries created by newer kernels and is therefore undesirable.
Instead, abort mount if such entries are encountered. We still cleanup
'stale' entries and 'orphan' entries, both those cases can be a result
of offline changes to lower and upper dirs.

When encountering an index entry of type directory or whiteout, kernel
was supposed to fallback to read-only mount, but the fill_super()
operation returns EROFS in this case instead of returning success with
read-only mount flag, so mount fails when encountering directory or
whiteout index entries. Bless this behavior by returning -EINVAL on
directory and whiteout index entries as we do for all unsupported index
entries.

Fixes: 61b674710cd9 ("ovl: do not cleanup directory and whiteout index..")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/namei.c   |    7 +++----
 fs/overlayfs/readdir.c |   11 +++++------
 2 files changed, 8 insertions(+), 10 deletions(-)

--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -405,14 +405,13 @@ int ovl_verify_index(struct dentry *inde
 	 * be treated as stale (i.e. after unlink of the overlay inode).
 	 * We don't know the verification rules for directory and whiteout
 	 * index entries, because they have not been implemented yet, so return
-	 * EROFS if those entries are found to avoid corrupting an index that
-	 * was created by a newer kernel.
+	 * EINVAL if those entries are found to abort the mount to avoid
+	 * corrupting an index that was created by a newer kernel.
 	 */
-	err = -EROFS;
+	err = -EINVAL;
 	if (d_is_dir(index) || ovl_is_whiteout(index))
 		goto fail;
 
-	err = -EINVAL;
 	if (index->d_name.len < sizeof(struct ovl_fh)*2)
 		goto fail;
 
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -704,13 +704,12 @@ int ovl_indexdir_cleanup(struct dentry *
 			break;
 		}
 		err = ovl_verify_index(index, lowerstack, numlower);
-		if (err) {
-			if (err == -EROFS)
-				break;
+		/* Cleanup stale and orphan index entries */
+		if (err && (err == -ESTALE || err == -ENOENT))
 			err = ovl_cleanup(dir, index);
-			if (err)
-				break;
-		}
+		if (err)
+			break;
+
 		dput(index);
 		index = NULL;
 	}
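Review bot: In `if (err && (err == -ESTALE || err == -ENOENT))` the leading `err &&` is redundant, because either comparison already implies a non-zero `err`. Every other verification error now reaches `if (err) break;` without cleanup, which is what aborts the mount; the new comment should say that as well as what is cleaned up.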

* [PATCH 4.13 20/43] fuse: fix READDIRPLUS skipping an entry
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 19/43] ovl: do not cleanup unsupported index entries Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 21/43] xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakob Unterwurzacher, Marios Titas,
	Miklos Szeredi

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit c6cdd51404b7ac12dd95173ddfc548c59ecf037f upstream.

Marios Titas running a Haskell program noticed a problem with fuse's
readdirplus: when it is interrupted by a signal, it skips one directory
entry.

The reason is that fuse erroneously updates ctx->pos after a failed
dir_emit().

The issue originates from the patch adding readdirplus support.

Reported-by: Jakob Unterwurzacher <jakobunt@gmail.com>
Tested-by: Marios Titas <redneb@gmx.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 0b05b18381ee ("fuse: implement NFS-like readdirplus support")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1312,7 +1312,8 @@ static int parse_dirplusfile(char *buf,
 			*/
 			over = !dir_emit(ctx, dirent->name, dirent->namelen,
 				       dirent->ino, dirent->type);
-			ctx->pos = dirent->off;
+			if (!over)
+				ctx->pos = dirent->off;
 		}
 
 		buf += reclen;

* [PATCH 4.13 21/43] xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 20/43] fuse: fix READDIRPLUS skipping an entry Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 22/43] xen: fix booting ballooned down hvm guest Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arthur Borsboom, Juergen Gross,
	Boris Ostrovsky

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 298d275d4d9bea3524ff4bc76678c140611d8a8d upstream.

In case gntdev_mmap() succeeds only partially in mapping grant pages
it will leave some vital information uninitialized needed later for
cleanup. This will lead to an out of bounds array access when unmapping
the already mapped pages.

So just initialize the data needed for unmapping the pages a little bit
earlier.

Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/gntdev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -1024,6 +1024,7 @@ static int gntdev_mmap(struct file *flip
 	mutex_unlock(&priv->lock);
 
 	if (use_ptemod) {
+		map->pages_vm_start = vma->vm_start;
 		err = apply_to_page_range(vma->vm_mm, vma->vm_start,
 					  vma->vm_end - vma->vm_start,
 					  find_grant_ptes, map);
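
Review bot: `map->pages_vm_start = vma->vm_start;` now sits ahead of apply_to_page_range() with nothing in the code saying that its position matters. Add a comment that the unmap path needs pages_vm_start to be valid as soon as the first grant page may have been mapped, otherwise the ordering looks arbitrary and invites being moved back to the end of the block.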
@@ -1061,7 +1062,6 @@ static int gntdev_mmap(struct file *flip
 					    set_grant_ptes_as_special, NULL);
 		}
 #endif
-		map->pages_vm_start = vma->vm_start;
 	}
 
 	return 0;


* [PATCH 4.13 22/43] xen: fix booting ballooned down hvm guest
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 21/43] xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 23/43] cifs: Select all required crypto modules Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Gaiser, Boris Ostrovsky, Juergen Gross

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 5266b8e4445cc836c46689d80a9ff539fa3bfbda upstream.

Commit 96edd61dcf44362d3ef0bed1a5361e0ac7886a63 ("xen/balloon: don't
online new memory initially") introduced a regression when booting a
HVM domain with memory less than mem-max: instead of ballooning down
immediately the system would try to use the memory up to mem-max
resulting in Xen crashing the domain.

For HVM domains the current size will be reflected in Xenstore node
memory/static-max instead of memory/target.

Additionally we have to trigger the ballooning process at once.

Fixes: 96edd61dcf44362d3ef0bed1a5361e0ac7886a63 ("xen/balloon: don't online new memory initially")
Reported-by: Simon Gaiser <hw42@ipsumj.de>
Suggested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/xen-balloon.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/xen/xen-balloon.c
+++ b/drivers/xen/xen-balloon.c
@@ -57,7 +57,7 @@ static int register_balloon(struct devic
 static void watch_target(struct xenbus_watch *watch,
 			 const char *path, const char *token)
 {
-	unsigned long long new_target;
+	unsigned long long new_target, static_max;
 	int err;
 	static bool watch_fired;
 	static long target_diff;
@@ -72,13 +72,20 @@ static void watch_target(struct xenbus_w
 	 * pages. PAGE_SHIFT converts bytes to pages, hence PAGE_SHIFT - 10.
 	 */
 	new_target >>= PAGE_SHIFT - 10;
-	if (watch_fired) {
-		balloon_set_new_target(new_target - target_diff);
-		return;
+
+	if (!watch_fired) {
+		watch_fired = true;
+		err = xenbus_scanf(XBT_NIL, "memory", "static-max", "%llu",
+				   &static_max);
+		if (err != 1)
+			static_max = new_target;
+		else
+			static_max >>= PAGE_SHIFT - 10;
+		target_diff = xen_pv_domain() ? 0
+				: static_max - balloon_stats.target_pages;
 	}
 
-	watch_fired = true;
-	target_diff = new_target - balloon_stats.target_pages;
+	balloon_set_new_target(new_target - target_diff);
 }
 static struct xenbus_watch target_watch = {
 	.node = "memory/target",
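
Review bot: in the first-fire branch of watch_target(), `static_max - balloon_stats.target_pages` is computed with static_max declared `unsigned long long` and then stored in `static long target_diff`, so a static-max below the current target wraps and only comes out right through the implicit conversion. Make the subtraction explicitly signed or add a comment that a negative difference is expected. The silent fallback `static_max = new_target` when xenbus_scanf() does not return 1 also deserves a comment saying when memory/static-max can be absent.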


* [PATCH 4.13 23/43] cifs: Select all required crypto modules
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 22/43] xen: fix booting ballooned down hvm guest Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 25/43] Input: elan_i2c - add ELAN0611 to the ACPI table Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Gilbert, Aurelien Aptel,
	Steve French

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Gilbert <benjamin.gilbert@coreos.com>

commit 5b454a64555055aaa5769b3ba877bd911d375d5a upstream.

Some dependencies were lost when CIFS_SMB2 was merged into CIFS.

Fixes: 2a38e12053b7 ("[SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred")
Signed-off-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/Kconfig |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -5,9 +5,14 @@ config CIFS
 	select CRYPTO
 	select CRYPTO_MD4
 	select CRYPTO_MD5
+	select CRYPTO_SHA256
+	select CRYPTO_CMAC
 	select CRYPTO_HMAC
 	select CRYPTO_ARC4
+	select CRYPTO_AEAD2
+	select CRYPTO_CCM
 	select CRYPTO_ECB
+	select CRYPTO_AES
 	select CRYPTO_DES
 	help
 	  This is the client VFS module for the SMB3 family of NAS protocols,
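
Review bot: the five added selects (CRYPTO_SHA256, CRYPTO_CMAC, CRYPTO_AEAD2, CRYPTO_CCM, CRYPTO_AES) are interleaved with the existing ones and the changelog only says that dependencies were lost, not which CIFS code path needs which algorithm. List that mapping in the commit message or in a comment above the block so that a later pruning of the select list can be checked against it.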


* [PATCH 4.13 25/43] Input: elan_i2c - add ELAN0611 to the ACPI table
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 23/43] cifs: Select all required crypto modules Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 26/43] Input: gtco - fix potential out-of-bound access Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Dmitry Torokhov

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 57a95b41869b8f0d1949c24df2a9dac1ca7082ee upstream.

ELAN0611 touchpad uses elan_i2c as its driver. It can be found
on Lenovo ideapad 320-15IKB.

So add it to ACPI table to enable the touchpad.

[Ido Adiv <idoad123@gmail.com> reports that the same ACPI ID is used for
Elan touchpad in ideapad 520].

BugLink: https://bugs.launchpad.net/bugs/1723736
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elan_i2c_core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -1253,6 +1253,7 @@ static const struct acpi_device_id elan_
 	{ "ELAN0605", 0 },
 	{ "ELAN0609", 0 },
 	{ "ELAN060B", 0 },
+	{ "ELAN0611", 0 },
 	{ "ELAN1000", 0 },
 	{ }
 };


* [PATCH 4.13 26/43] Input: gtco - fix potential out-of-bound access
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 25/43] Input: elan_i2c - add ELAN0611 to the ACPI table Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 27/43] Fix encryption labels and lengths for SMB3.1.1 Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Konovalov, Dmitry Torokhov

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit a50829479f58416a013a4ccca791336af3c584c7 upstream.

parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/tablet/gtco.c |   17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(
 
 	/* Walk  this report and pull out the info we need */
 	while (i < length) {
-		prefix = report[i];
-
-		/* Skip over prefix */
-		i++;
+		prefix = report[i++];
 
 		/* Determine data size and save the data in the proper variable */
-		size = PREF_SIZE(prefix);
+		size = (1U << PREF_SIZE(prefix)) >> 1;
+		if (i + size > length) {
+			dev_err(ddev,
+				"Not enough data (need %d, have %d)\n",
+				i + size, length);
+			break;
+		}
+
 		switch (size) {
 		case 1:
 			data = report[i];
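
Review bot: `size = (1U << PREF_SIZE(prefix)) >> 1;` needs a comment, since it is not obvious from the expression that it maps the prefix size code to 0, 1, 2 or 4 data bytes and thereby replaces the old `case 3: size = 4;` special case. The `i + size > length` check is correctly placed before any read of report[i]; please also confirm that the two %d specifiers in the dev_err() match the types of `i + size` and `length`.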
@@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(
 		case 2:
 			data16 = get_unaligned_le16(&report[i]);
 			break;
-		case 3:
-			size = 4;
+		case 4:
 			data32 = get_unaligned_le32(&report[i]);
 			break;
 		}


* [PATCH 4.13 27/43] Fix encryption labels and lengths for SMB3.1.1
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 26/43] Input: gtco - fix potential out-of-bound access Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 06e2290844fa408d3295ac03a1647f0798518ebe upstream.

SMB3.1.1 is the most secure and recent dialect. Fixup labels and lengths
for SMB3.1.1 signing and encryption.

Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifsglob.h      |    8 ++++++--
 fs/cifs/smb2transport.c |   26 ++++++++++++++------------
 2 files changed, 20 insertions(+), 14 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -661,7 +661,9 @@ struct TCP_Server_Info {
 #endif
 	unsigned int	max_read;
 	unsigned int	max_write;
-	__u8		preauth_hash[512];
+#ifdef CONFIG_CIFS_SMB311
+	__u8	preauth_sha_hash[64]; /* save initital negprot hash */
+#endif /* 3.1.1 */
 	struct delayed_work reconnect; /* reconnect workqueue job */
 	struct mutex reconnect_mutex; /* prevent simultaneous reconnects */
 	unsigned long echo_interval;
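
Review bot: the comment on the new `preauth_sha_hash[64]` field has a typo ("initital"), and the literal 64 is repeated in struct cifs_ses and again as `d->context.iov_len = 64` in smb2transport.c. Define one named constant for the preauth hash size and use it in all of these places so the buffer size and the length handed to key derivation cannot drift apart.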
@@ -849,7 +851,9 @@ struct cifs_ses {
 	__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
 	__u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
 	__u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
-	__u8 preauth_hash[512];
+#ifdef CONFIG_CIFS_SMB311
+	__u8 preauth_sha_hash[64];
+#endif /* 3.1.1 */
 };
 
 static inline bool
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -390,6 +390,7 @@ generate_smb30signingkey(struct cifs_ses
 	return generate_smb3signingkey(ses, &triplet);
 }
 
+#ifdef CONFIG_CIFS_SMB311
 int
 generate_smb311signingkey(struct cifs_ses *ses)
 
@@ -398,25 +399,26 @@ generate_smb311signingkey(struct cifs_se
 	struct derivation *d;
 
 	d = &triplet.signing;
-	d->label.iov_base = "SMB2AESCMAC";
-	d->label.iov_len = 12;
-	d->context.iov_base = "SmbSign";
-	d->context.iov_len = 8;
+	d->label.iov_base = "SMBSigningKey";
+	d->label.iov_len = 14;
+	d->context.iov_base = ses->preauth_sha_hash;
+	d->context.iov_len = 64;
 
 	d = &triplet.encryption;
-	d->label.iov_base = "SMB2AESCCM";
-	d->label.iov_len = 11;
-	d->context.iov_base = "ServerIn ";
-	d->context.iov_len = 10;
+	d->label.iov_base = "SMBC2SCipherKey";
+	d->label.iov_len = 16;
+	d->context.iov_base = ses->preauth_sha_hash;
+	d->context.iov_len = 64;
 
 	d = &triplet.decryption;
-	d->label.iov_base = "SMB2AESCCM";
-	d->label.iov_len = 11;
-	d->context.iov_base = "ServerOut";
-	d->context.iov_len = 10;
+	d->label.iov_base = "SMBS2CCipherKey";
+	d->label.iov_len = 16;
+	d->context.iov_base = ses->preauth_sha_hash;
+	d->context.iov_len = 64;
 
 	return generate_smb3signingkey(ses, &triplet);
 }
+#endif /* 311 */
 
 int
 smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
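
Review bot: generate_smb311signingkey() now passes `ses->preauth_sha_hash` as the derivation context for the signing, encryption and decryption keys, but nothing in this patch writes to that buffer, so as posted all three SMB3.1.1 keys are derived from whatever the array happens to hold. Say in the changelog where the hash is filled in, or carry that code in the same series. The label lengths 14 and 16 are hand-counted to include the terminating NUL of the string literals; `sizeof("SMBSigningKey")` and friends would make that explicit.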


* [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 27/43] Fix encryption labels and lengths for SMB3.1.1 Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31 13:02   ` Thomas Backlund
  2017-10-31  9:55 ` [PATCH 4.13 29/43] assoc_array: Fix a buggy node-splitting case Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  41 siblings, 1 reply; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.

According to MS-SMB2 3.2.55 validate_negotiate request must
always be signed. Some Windows can fail the request if you send it unsigned.

See kernel bugzilla bug 197311

Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
 	} else
 		iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
 
 	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
 	cifs_small_buf_release(req);
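
Review bot: the code comment cites MS-SMB2 3.2.5.5 while the changelog cites 3.2.55; make the two agree. The hunk also sets SMB2_FLAGS_SIGNED for every FSCTL_VALIDATE_NEGOTIATE_INFO request with no visible check that the session is able to sign, so please state in the changelog or the comment what happens on a session without a signing key.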


* [PATCH 4.13 29/43] assoc_array: Fix a buggy node-splitting case
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 30/43] scsi: zfcp: fix erp_action use-before-initialize in REC action trace Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Linus Torvalds

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.

This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is
added that needs to go into a node that happens to be full, where the
existing leaves in that node cluster together at that level to the
exclusion of the new leaf.

What needs to happen is that the existing leaves get moved out to a new
node, N1, at level + 1 and the existing node needs replacing with one,
N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

 (1) The pointer that should've pointed from N0 to N1 is set to point
     recursively to N0 instead.

 (2) The backpointer from N0 needs to be set correctly in the case N0 is
     either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead,
which achieves the same end, but in a more general way (thanks to Eric
Biggers for spotting the redundancy).

The problem manifests itself as:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/assoc_array.c |   51 +++++++++++++++++----------------------------------
 1 file changed, 17 insertions(+), 34 deletions(-)

--- a/lib/assoc_array.c
+++ b/lib/assoc_array.c
@@ -598,21 +598,31 @@ static bool assoc_array_insert_into_term
 		if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
 			goto all_leaves_cluster_together;
 
-		/* Otherwise we can just insert a new node ahead of the old
-		 * one.
+		/* Otherwise all the old leaves cluster in the same slot, but
+		 * the new leaf wants to go into a different slot - so we
+		 * create a new node (n0) to hold the new leaf and a pointer to
+		 * a new node (n1) holding all the old leaves.
+		 *
+		 * This can be done by falling through to the node splitting
+		 * path.
 		 */
-		goto present_leaves_cluster_but_not_new_leaf;
+		pr_devel("present leaves cluster but not new leaf\n");
 	}
 
 split_node:
 	pr_devel("split node\n");
 
-	/* We need to split the current node; we know that the node doesn't
-	 * simply contain a full set of leaves that cluster together (it
-	 * contains meta pointers and/or non-clustering leaves).
+	/* We need to split the current node.  The node must contain anything
+	 * from a single leaf (in the one leaf case, this leaf will cluster
+	 * with the new leaf) and the rest meta-pointers, to all leaves, some
+	 * of which may cluster.
+	 *
+	 * It won't contain the case in which all the current leaves plus the
+	 * new leaves want to cluster in the same slot.
 	 *
 	 * We need to expel at least two leaves out of a set consisting of the
-	 * leaves in the node and the new leaf.
+	 * leaves in the node and the new leaf.  The current meta pointers can
+	 * just be copied as they shouldn't cluster with any of the leaves.
 	 *
 	 * We need a new node (n0) to replace the current one and a new node to
 	 * take the expelled nodes (n1).
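
Review bot: the rewritten comment under split_node is hard to parse: "The node must contain anything from a single leaf ... and the rest meta-pointers, to all leaves" describes a range but is phrased as a requirement, and "the new leaves" in the next paragraph should be "the new leaf" to match the rest of the comment. Since the former `goto present_leaves_cluster_but_not_new_leaf;` is now a fall-through into split_node, add an explicit fall-through marker after the new pr_devel() so the missing goto is not mistaken for an accident.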
@@ -717,33 +727,6 @@ found_slot_for_multiple_occupancy:
 	pr_devel("<--%s() = ok [split node]\n", __func__);
 	return true;
 
-present_leaves_cluster_but_not_new_leaf:
-	/* All the old leaves cluster in the same slot, but the new leaf wants
-	 * to go into a different slot, so we create a new node to hold the new
-	 * leaf and a pointer to a new node holding all the old leaves.
-	 */
-	pr_devel("present leaves cluster but not new leaf\n");
-
-	new_n0->back_pointer = node->back_pointer;
-	new_n0->parent_slot = node->parent_slot;
-	new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
-	new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
-	new_n1->parent_slot = edit->segment_cache[0];
-	new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
-	edit->adjust_count_on = new_n0;
-
-	for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
-		new_n1->slots[i] = node->slots[i];
-
-	new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
-	edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
-
-	edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
-	edit->set[0].to = assoc_array_node_to_ptr(new_n0);
-	edit->excised_meta[0] = assoc_array_node_to_ptr(node);
-	pr_devel("<--%s() = ok [insert node before]\n", __func__);
-	return true;
-
 all_leaves_cluster_together:
 	/* All the leaves, new and old, want to cluster together in this node
 	 * in the same slot, so we have to replace this node with a shortcut to


* [PATCH 4.13 30/43] scsi: zfcp: fix erp_action use-before-initialize in REC action trace
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 29/43] assoc_array: Fix a buggy node-splitting case Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 31/43] scsi: aacraid: Fix controller initialization failure Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.vnet.ibm.com>

commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream.

v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN
recovery") extended accessing parent pointer fields of struct
zfcp_erp_action for tracing.  If an erp_action has never been enqueued
before, these parent pointer fields are uninitialized and NULL. Examples
are zfcp objects freshly added to the parent object's children list,
before enqueueing their first recovery subsequently. In
zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action
fields can cause a NULL pointer dereference.  Since the kernel can read
from lowcore on s390, it does not immediately cause a kernel page
fault. Instead it can cause hangs on trying to acquire the wrong
erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl()
                      ^bogus^
while holding already other locks with IRQs disabled.

Real life example from attaching lots of LUNs in parallel on many CPUs:

crash> bt 17723
PID: 17723  TASK: ...               CPU: 25  COMMAND: "zfcperp0.0.1800"
 LOWCORE INFO:
  -psw      : 0x0404300180000000 0x000000000038e424
  -function : _raw_spin_lock_wait_flags at 38e424
...
 #0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp]
 #1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp]
 #2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp]
 #3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp]
 #4 [fdde8fe60] kthread at 173550
 #5 [fdde8feb8] kernel_thread_starter at 10add2

zfcp_adapter
 zfcp_port
  zfcp_unit <address>, 0x404040d600000000
  scsi_device NULL, returning early!
zfcp_scsi_dev.status = 0x40000000
0x40000000 ZFCP_STATUS_COMMON_RUNNING

crash> zfcp_unit <address>
struct zfcp_unit {
  erp_action = {
    adapter = 0x0,
    port = 0x0,
    unit = 0x0,
  },
}

zfcp_erp_action is always fully embedded into its container object. Such
container object is never moved in its object tree (only add or delete).
Hence, erp_action parent pointers can never change.

To fix the issue, initialize the erp_action parent pointers before
adding the erp_action container to any list and thus before it becomes
accessible from outside of its initializing function.

In order to also close the time window between zfcp_erp_setup_act()
memsetting the entire erp_action to zero and setting the parent pointers
again, drop the memset and instead explicitly initialize individually
all erp_action fields except for parent pointers. To be extra careful
not to introduce any other unintended side effect, even keep zeroing the
erp_action fields for list and timer. Also double-check with
WARN_ON_ONCE that erp_action parent pointers never change, so we get to
know when we would deviate from previous behavior.

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_aux.c  |    5 +++++
 drivers/s390/scsi/zfcp_erp.c  |   18 +++++++++++-------
 drivers/s390/scsi/zfcp_scsi.c |    5 +++++
 3 files changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_aux.c
+++ b/drivers/s390/scsi/zfcp_aux.c
@@ -358,6 +358,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu
 
 	adapter->next_port_scan = jiffies;
 
+	adapter->erp_action.adapter = adapter;
+
 	if (zfcp_qdio_setup(adapter))
 		goto failed;
 
@@ -514,6 +516,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
 	port->dev.groups = zfcp_port_attr_groups;
 	port->dev.release = zfcp_port_release;
 
+	port->erp_action.adapter = adapter;
+	port->erp_action.port = port;
+
 	if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
 		kfree(port);
 		goto err_out;
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_
 		atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE,
 				&zfcp_sdev->status);
 		erp_action = &zfcp_sdev->erp_action;
-		memset(erp_action, 0, sizeof(struct zfcp_erp_action));
-		erp_action->port = port;
-		erp_action->sdev = sdev;
+		WARN_ON_ONCE(erp_action->port != port);
+		WARN_ON_ONCE(erp_action->sdev != sdev);
 		if (!(atomic_read(&zfcp_sdev->status) &
 		      ZFCP_STATUS_COMMON_RUNNING))
 			act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
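
Review bot: with `erp_action->port = port;` and `erp_action->sdev = sdev;` replaced by WARN_ON_ONCE(), a mismatch is reported once and recovery then carries on with the pointers as found. Put a comment above the first WARN_ON_ONCE() saying that the parent pointers are set once when the container object is created and are read-only here, so the next reader does not restore the assignments or the memset.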
@@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_
 		zfcp_erp_action_dismiss_port(port);
 		atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status);
 		erp_action = &port->erp_action;
-		memset(erp_action, 0, sizeof(struct zfcp_erp_action));
-		erp_action->port = port;
+		WARN_ON_ONCE(erp_action->port != port);
+		WARN_ON_ONCE(erp_action->sdev != NULL);
 		if (!(atomic_read(&port->status) & ZFCP_STATUS_COMMON_RUNNING))
 			act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
 		break;
@@ -219,7 +218,8 @@ static struct zfcp_erp_action *zfcp_erp_
 		zfcp_erp_action_dismiss_adapter(adapter);
 		atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &adapter->status);
 		erp_action = &adapter->erp_action;
-		memset(erp_action, 0, sizeof(struct zfcp_erp_action));
+		WARN_ON_ONCE(erp_action->port != NULL);
+		WARN_ON_ONCE(erp_action->sdev != NULL);
 		if (!(atomic_read(&adapter->status) &
 		      ZFCP_STATUS_COMMON_RUNNING))
 			act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
@@ -229,7 +229,11 @@ static struct zfcp_erp_action *zfcp_erp_
 		return NULL;
 	}
 
-	erp_action->adapter = adapter;
+	WARN_ON_ONCE(erp_action->adapter != adapter);
+	memset(&erp_action->list, 0, sizeof(erp_action->list));
+	memset(&erp_action->timer, 0, sizeof(erp_action->timer));
+	erp_action->step = ZFCP_ERP_STEP_UNINITIALIZED;
+	erp_action->fsf_req_id = 0;
 	erp_action->action = need;
 	erp_action->status = act_status;
 
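
Review bot: replacing the whole-struct memset with per-field resets (list, timer, step, fsf_req_id, action, status) means that any member added to struct zfcp_erp_action later is no longer cleared on reuse unless someone remembers to touch this function. Add a comment here listing the members that are deliberately preserved (adapter, port, sdev) and stating that every other member must be reset in this block.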
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -115,10 +115,15 @@ static int zfcp_scsi_slave_alloc(struct
 	struct zfcp_unit *unit;
 	int npiv = adapter->connection_features & FSF_FEATURE_NPIV_MODE;
 
+	zfcp_sdev->erp_action.adapter = adapter;
+	zfcp_sdev->erp_action.sdev = sdev;
+
 	port = zfcp_get_port_by_wwpn(adapter, rport->port_name);
 	if (!port)
 		return -ENXIO;
 
+	zfcp_sdev->erp_action.port = port;
+
 	unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev));
 	if (unit)
 		put_device(&unit->dev);


* [PATCH 4.13 31/43] scsi: aacraid: Fix controller initialization failure
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 30/43] scsi: zfcp: fix erp_action use-before-initialize in REC action trace Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 32/43] scsi: qla2xxx: Initialize Work element before requesting IRQs Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Raghava Aditya Renukunta,
	Dave Carroll, Martin K. Petersen

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit 45348de2c8a7a1e64c5be27b22c9786b4152dd41 upstream.

This is a fix to an issue where the driver sends its periodic WELLNESS
command to the controller after the driver shut it down. This causes the
controller to crash. The window where this can happen is small, but it
can be hit at around 4 hours of constant resets.

Fixes: fbd185986eba (aacraid: Fix AIF triggered IOP_RESET)
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/aacraid/comminit.c |    8 +++++---
 drivers/scsi/aacraid/linit.c    |    7 ++++++-
 2 files changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/scsi/aacraid/comminit.c
+++ b/drivers/scsi/aacraid/comminit.c
@@ -302,9 +302,11 @@ int aac_send_shutdown(struct aac_dev * d
 		return -ENOMEM;
 	aac_fib_init(fibctx);
 
-	mutex_lock(&dev->ioctl_mutex);
-	dev->adapter_shutdown = 1;
-	mutex_unlock(&dev->ioctl_mutex);
+	if (!dev->adapter_shutdown) {
+		mutex_lock(&dev->ioctl_mutex);
+		dev->adapter_shutdown = 1;
+		mutex_unlock(&dev->ioctl_mutex);
+	}
 
 	cmd = (struct aac_close *) fib_data(fibctx);
 	cmd->command = cpu_to_le32(VM_CloseAll);
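
Review bot: `if (!dev->adapter_shutdown)` reads the flag outside ioctl_mutex and then takes the mutex only to store 1, so the test is unlocked and the store it guards is idempotent. If the intent is to skip the lock when __aac_shutdown() has already set the flag, say so in a comment; otherwise drop the `if` and keep the unconditional lock, store, unlock sequence.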
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1401,8 +1401,9 @@ static void __aac_shutdown(struct aac_de
 {
 	int i;
 
+	mutex_lock(&aac->ioctl_mutex);
 	aac->adapter_shutdown = 1;
-	aac_send_shutdown(aac);
+	mutex_unlock(&aac->ioctl_mutex);
 
 	if (aac->aif_thread) {
 		int i;
@@ -1415,7 +1416,11 @@ static void __aac_shutdown(struct aac_de
 		}
 		kthread_stop(aac->thread);
 	}
+
+	aac_send_shutdown(aac);
+
 	aac_adapter_disable_int(aac);
+
 	if (aac_is_src(aac)) {
 		if (aac->max_msix > 1) {
 			for (i = 0; i < aac->max_msix; i++) {
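Review bot: aac_send_shutdown(aac) now runs after kthread_stop(aac->thread)
and before aac_adapter_disable_int(aac), but nothing in the code says
that this order is what closes the WELLNESS window described in the
changelog. Add a short comment above the call stating that the thread
must be stopped first. The int return value of aac_send_shutdown() is
also dropped here; it can return -ENOMEM, and a failure deserves at
least a log line.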


* [PATCH 4.13 32/43] scsi: qla2xxx: Initialize Work element before requesting IRQs
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 31/43] scsi: aacraid: Fix controller initialization failure Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 33/43] scsi: sg: Re-fix off by one in sg_fill_request_table() Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Quinn Tran,
	Martin K. Petersen

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@cavium.com>

commit 1010f21ecf8ac43be676d498742de18fa6c20987 upstream.

commit a9e170e28636 ("scsi: qla2xxx: Fix uninitialized work element")
moved initialization of work element earlier in the probe to fix call
stack. However, it still leaves a window where interrupt can be
generated before work element is initialized. Fix that window by
initializing work element before we are requesting IRQs.

[mkp: fixed typos]

Fixes: a9e170e28636 ("scsi: qla2xxx: Fix uninitialized work element")
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_os.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3051,6 +3051,8 @@ qla2x00_probe_one(struct pci_dev *pdev,
 	    host->max_cmd_len, host->max_channel, host->max_lun,
 	    host->transportt, sht->vendor_id);
 
+	INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn);
+
 	/* Set up the irqs */
 	ret = qla2x00_request_irqs(ha, rsp);
 	if (ret)
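Review bot: INIT_WORK() for base_vha->iocb_work now sits directly above
qla2x00_request_irqs(), but the ordering requirement is recorded only in
the changelog. This is the second patch to move this line (the first was
a9e170e28636), so add a comment at the call saying that the work element
must be initialized before IRQs are requested, to stop it drifting
again.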
@@ -3165,8 +3167,6 @@ qla2x00_probe_one(struct pci_dev *pdev,
 	    host->can_queue, base_vha->req,
 	    base_vha->mgmt_svr_loop_id, host->sg_tablesize);
 
-	INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn);
-
 	if (ha->mqenable) {
 		bool mq = false;
 		bool startit = false;


* [PATCH 4.13 33/43] scsi: sg: Re-fix off by one in sg_fill_request_table()
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 32/43] scsi: qla2xxx: Initialize Work element before requesting IRQs Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 34/43] x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesnt Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Douglas Gilbert,
	Martin K. Petersen

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b upstream.

Commit 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
introduced an off-by-one error in sg_ioctl(), which was fixed by commit
bd46fc406b30 ("scsi: sg: off by one in sg_ioctl()").

Unfortunately commit 4759df905a47 ("scsi: sg: factor out
sg_fill_request_table()") moved that code, and reintroduced the
bug (perhaps due to a botched rebase).  Fix it again.

Fixes: 4759df905a47 ("scsi: sg: factor out sg_fill_request_table()")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -837,7 +837,7 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
 
 	val = 0;
 	list_for_each_entry(srp, &sfp->rq_list, entry) {
-		if (val > SG_MAX_QUEUE)
+		if (val >= SG_MAX_QUEUE)
 			break;
 		rinfo[val].req_state = srp->done + 1;
 		rinfo[val].problem =
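Review bot: val >= SG_MAX_QUEUE is the right bound only if rinfo[] holds
exactly SG_MAX_QUEUE entries, and that size is not visible in
sg_fill_request_table() itself. Since this comparison has already
regressed once through a refactor, consider a comment next to the check
stating the array length, or passing the element count into the
function, so that the index guard and the allocation cannot diverge.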


* [PATCH 4.13 34/43] x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesnt
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 33/43] scsi: sg: Re-fix off by one in sg_fill_request_table() Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 35/43] drm/amd/powerplay: fix uninitialized variable Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, mirh, Borislav Petkov,
	Linus Torvalds, Peter Zijlstra, Sherry Hurwitz, Thomas Gleixner,
	Yazen Ghannam, Ingo Molnar

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit bfc1168de949cd3e9ca18c3480b5085deff1ea7c upstream.

Some F14h machines have an erratum which, "under a highly specific
and detailed set of internal timing conditions" can lead to skipping
instructions and RIP corruption.

Add the fix for those machines when their BIOS doesn't apply it or
there simply isn't a BIOS update for them.

Tested-by: <mirh@protonmail.ch>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sherry Hurwitz <sherry.hurwitz@amd.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
Link: http://lkml.kernel.org/r/20171022104731.28249-1-bp@alien8.de
Link: https://bugzilla.kernel.org/show_bug.cgi?id=197285
[ Added pr_info() that we activated the workaround. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/amd_nb.c |   41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -27,6 +27,8 @@ static const struct pci_device_id amd_ro
 	{}
 };
 
+#define PCI_DEVICE_ID_AMD_CNB17H_F4     0x1704
+
 const struct pci_device_id amd_nb_misc_ids[] = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_10H_NB_MISC) },
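Review bot: PCI_DEVICE_ID_AMD_CNB17H_F4 is defined locally in amd_nb.c,
while PCI_DEVICE_ID_AMD_CNB17H_F3, used by the next hunk, is not defined
in this patch and so comes from elsewhere. Put the F4 define next to its
F3 sibling, or add a comment saying why it is kept local, so the two IDs
are not maintained in different places.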
@@ -37,6 +39,7 @@ const struct pci_device_id amd_nb_misc_i
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) },
+	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F3) },
 	{}
 };
 EXPORT_SYMBOL_GPL(amd_nb_misc_ids);
@@ -48,6 +51,7 @@ static const struct pci_device_id amd_nb
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) },
+	{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F4) },
 	{}
 };
 
@@ -402,11 +406,48 @@ void amd_flush_garts(void)
 }
 EXPORT_SYMBOL_GPL(amd_flush_garts);
 
+static void __fix_erratum_688(void *info)
+{
+#define MSR_AMD64_IC_CFG 0xC0011021
+
+	msr_set_bit(MSR_AMD64_IC_CFG, 3);
+	msr_set_bit(MSR_AMD64_IC_CFG, 14);
+}
+
+/* Apply erratum 688 fix so machines without a BIOS fix work. */
+static __init void fix_erratum_688(void)
+{
+	struct pci_dev *F4;
+	u32 val;
+
+	if (boot_cpu_data.x86 != 0x14)
+		return;
+
+	if (!amd_northbridges.num)
+		return;
+
+	F4 = node_to_amd_nb(0)->link;
+	if (!F4)
+		return;
+
+	if (pci_read_config_dword(F4, 0x164, &val))
+		return;
+
+	if (val & BIT(2))
+		return;
+
+	on_each_cpu(__fix_erratum_688, NULL, 0);
+
+	pr_info("x86/cpu/AMD: CPU erratum 688 worked around\n");
+}
+
 static __init int init_amd_nbs(void)
 {
 	amd_cache_northbridges();
 	amd_cache_gart();
 
+	fix_erratum_688();
+
 	return 0;
 }
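Review bot: on_each_cpu(__fix_erratum_688, NULL, 0) is called with the
wait argument set to 0, so the pr_info() that follows can announce the
workaround before the other CPUs have set the MSR bits; pass 1 for wait,
since this runs once at init. In the same hunk, config offset 0x164,
BIT(2) and MSR bits 3 and 14 are bare numbers with no indication of what
they mean, and MSR_AMD64_IC_CFG is defined inside the function body.
Name the offset and the bits, and move the define to file scope.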
 


* [PATCH 4.13 35/43] drm/amd/powerplay: fix uninitialized variable
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 34/43] x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesnt Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 36/43] drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher, Rex Zhu

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rex Zhu <Rex.Zhu@amd.com>

commit 8b95f4f730cba02ef6febbdc4ca7e55ca045b00e upstream.

refresh_rate was not initialized when programming the
display gap.
This patch fixes the VCE ring test failure
when doing S3 on Polaris10.

bug: https://bugs.freedesktop.org/show_bug.cgi?id=103102
bug: https://bugzilla.kernel.org/show_bug.cgi?id=196615
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
@@ -830,7 +830,7 @@ uint32_t smu7_get_xclk(struct pp_hwmgr *
 {
 	uint32_t reference_clock, tmp;
 	struct cgs_display_info info = {0};
-	struct cgs_mode_info mode_info;
+	struct cgs_mode_info mode_info = {0};
 
 	info.mode_info = &mode_info;
 
@@ -3951,10 +3951,9 @@ static int smu7_program_display_gap(stru
 	uint32_t ref_clock;
 	uint32_t refresh_rate = 0;
 	struct cgs_display_info info = {0};
-	struct cgs_mode_info mode_info;
+	struct cgs_mode_info mode_info = {0};
 
 	info.mode_info = &mode_info;
-
 	cgs_get_active_displays_info(hwmgr->device, &info);
 	num_active_displays = info.display_count;
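Review bot: the changelog says refresh_rate was uninitialized, but in
smu7_program_display_gap() refresh_rate already carries "= 0" and the
variable this hunk initializes is mode_info. Reword the description to
name mode_info. The blank line removed after the info.mode_info
assignment is unrelated whitespace and should not be part of a stable
fix.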
 
@@ -3970,6 +3969,7 @@ static int smu7_program_display_gap(stru
 	frame_time_in_us = 1000000 / refresh_rate;
 
 	pre_vbi_time_in_us = frame_time_in_us - 200 - mode_info.vblank_time_us;
+
 	data->frame_time_x2 = frame_time_in_us * 2 / 100;
 
 	display_gap2 = pre_vbi_time_in_us * (ref_clock / 100);
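Review bot: this hunk only inserts a blank line after the
pre_vbi_time_in_us assignment and changes no behaviour. Drop it so the
backport carries just the mode_info initialization that protects the
mode_info.vblank_time_us read on that line.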


* [PATCH 4.13 36/43] drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 35/43] drm/amd/powerplay: fix uninitialized variable Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 37/43] can: sun4i: fix loopback mode Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lionel Landwerlin, Chris Wilson,
	Rodrigo Vivi

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lionel Landwerlin <lionel.g.landwerlin@intel.com>

commit 7277f755048da562eb2489becacd38d0d05e1e06 upstream.

The compat callback was missing and triggered failures in 32bits
userspace when enabling/disabling the perf stream. We don't require any
particular processing here as these ioctls don't take any argument.

Signed-off-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Fixes: eec688e1420 ("drm/i915: Add i915 perf infrastructure")
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20171024152728.4873-1-lionel.g.landwerlin@intel.com
(cherry picked from commit 191f896085cf3b5d85920d58a759da4eea141721)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_perf.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/i915/i915_perf.c
+++ b/drivers/gpu/drm/i915/i915_perf.c
@@ -2480,6 +2480,10 @@ static const struct file_operations fops
 	.poll		= i915_perf_poll,
 	.read		= i915_perf_read,
 	.unlocked_ioctl	= i915_perf_ioctl,
+	/* Our ioctl have no arguments, so it's safe to use the same function
+	 * to handle 32bits compatibility.
+	 */
+	.compat_ioctl   = i915_perf_ioctl,
 };
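Review bot: reusing i915_perf_ioctl for .compat_ioctl is safe only while
every command it handles ignores its argument, and the added comment
states that as a present fact rather than as a rule. Reword it to say
that any future command taking a pointer or struct argument needs a real
compat handler. Minor: "Our ioctl have" should read "Our ioctls have",
and .compat_ioctl is padded with spaces where the neighbouring members
are aligned with tabs.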
 
 


* [PATCH 4.13 37/43] can: sun4i: fix loopback mode
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 36/43] drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 38/43] can: kvaser_usb: Correct return value in printout Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gerhard Bertelsmann, Marc Kleine-Budde

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>

commit 3a379f5b36ae039dfeb6f73316e47ab1af4945df upstream.

Fix loopback mode by setting the right flag and remove presume mode.

Signed-off-by: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/sun4i_can.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/can/sun4i_can.c
+++ b/drivers/net/can/sun4i_can.c
@@ -342,7 +342,7 @@ static int sun4i_can_start(struct net_de
 
 	/* enter the selected mode */
 	mod_reg_val = readl(priv->base + SUN4I_REG_MSEL_ADDR);
-	if (priv->can.ctrlmode & CAN_CTRLMODE_PRESUME_ACK)
+	if (priv->can.ctrlmode & CAN_CTRLMODE_LOOPBACK)
 		mod_reg_val |= SUN4I_MSEL_LOOPBACK_MODE;
 	else if (priv->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
 		mod_reg_val |= SUN4I_MSEL_LISTEN_ONLY_MODE;
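Review bot: the mode selection in sun4i_can_start() is an if / else-if
chain, so when both CAN_CTRLMODE_LOOPBACK and CAN_CTRLMODE_LISTENONLY
are set in priv->can.ctrlmode, listen-only is silently ignored, although
both are advertised in ctrlmode_supported. If the controller cannot do
both at once, say so in a comment above the chain; otherwise set both
mode bits.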
@@ -811,7 +811,6 @@ static int sun4ican_probe(struct platfor
 	priv->can.ctrlmode_supported = CAN_CTRLMODE_BERR_REPORTING |
 				       CAN_CTRLMODE_LISTENONLY |
 				       CAN_CTRLMODE_LOOPBACK |
-				       CAN_CTRLMODE_PRESUME_ACK |
 				       CAN_CTRLMODE_3_SAMPLES;
 	priv->base = addr;
 	priv->clk = clk;
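Review bot: dropping CAN_CTRLMODE_PRESUME_ACK from ctrlmode_supported is
a user-visible change that the changelog covers only with "remove
presume mode". State there that the flag never had an effect of its own
on this driver (per the first hunk it only selected
SUN4I_MSEL_LOOPBACK_MODE), so that the removal is understood as
intentional and not as a lost feature.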


* [PATCH 4.13 38/43] can: kvaser_usb: Correct return value in printout
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 37/43] can: sun4i: fix loopback mode Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:55 ` [PATCH 4.13 39/43] can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 upstream.

If the return value from kvaser_usb_send_simple_msg() was non-zero, the
return value from kvaser_usb_flush_queue() was printed in the kernel
warning.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1609,7 +1609,8 @@ static int kvaser_usb_close(struct net_d
 	if (err)
 		netdev_warn(netdev, "Cannot flush queue, error %d\n", err);
 
-	if (kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel))
+	err = kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel);
+	if (err)
 		netdev_warn(netdev, "Cannot reset card, error %d\n", err);
 
 	err = kvaser_usb_stop_chip(priv);
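Review bot: err is now reused by consecutive steps in kvaser_usb_close()
(the flush warning above, CMD_RESET_CHIP here, and
kvaser_usb_stop_chip() below), each overwriting the last, so only the
final result survives. The warning text is now correct, but if the close
path is meant to report the first failure, keep that in a separate
variable; if these steps are deliberately best-effort, a short comment
should say so.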


* [PATCH 4.13 39/43] can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 38/43] can: kvaser_usb: Correct return value in printout Greg Kroah-Hartman
@ 2017-10-31  9:55 ` Greg Kroah-Hartman
  2017-10-31  9:56 ` [PATCH 4.13 40/43] cfg80211: fix connect/disconnect edge cases Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit e1d2d1329a5722dbecc9c278303fcc4aa01f8790 upstream.

To avoid kernel warning "Unhandled message (68)", ignore the
CMD_FLUSH_QUEUE_REPLY message for now.

As of Leaf v2 firmware version v4.1.844 (2017-02-15), flush tx queue is
synchronous. There is a capability bit indicating whether flushing tx
queue is synchronous or asynchronous.

A proper solution would be to query the device for capabilities. If the
synchronous tx flush capability bit is set, we should wait for
CMD_FLUSH_QUEUE_REPLY message, while flushing the tx queue.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -137,6 +137,7 @@ static inline bool kvaser_is_usbcan(cons
 #define CMD_RESET_ERROR_COUNTER		49
 #define CMD_TX_ACKNOWLEDGE		50
 #define CMD_CAN_ERROR_EVENT		51
+#define CMD_FLUSH_QUEUE_REPLY		68
 
 #define CMD_LEAF_USB_THROTTLE		77
 #define CMD_LEAF_LOG_MESSAGE		106
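Review bot: CMD_FLUSH_QUEUE_REPLY is added to the unprefixed command
block, yet the handler in the next hunk accepts it only for KVASER_LEAF,
and the Leaf-only commands just below carry a CMD_LEAF_ prefix. Either
rename it to match, or note next to the define which families send it.
The changelog calls the silent drop a stopgap until the capability bit
is queried; put that as a TODO above the new case so it is not mistaken
for complete handling.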
@@ -1301,6 +1302,11 @@ static void kvaser_usb_handle_message(co
 			goto warn;
 		break;
 
+	case CMD_FLUSH_QUEUE_REPLY:
+		if (dev->family != KVASER_LEAF)
+			goto warn;
+		break;
+
 	default:
 warn:		dev_warn(dev->udev->dev.parent,
 			 "Unhandled message (%d)\n", msg->id);


* [PATCH 4.13 40/43] cfg80211: fix connect/disconnect edge cases
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2017-10-31  9:55 ` [PATCH 4.13 39/43] can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages Greg Kroah-Hartman
@ 2017-10-31  9:56 ` Greg Kroah-Hartman
  2017-10-31  9:56 ` [PATCH 4.13 41/43] ipsec: Fix aborted xfrm policy dump crash Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 51e13359cd5ea34acc62c90627603352956380af upstream.

If we try to connect while already connected/connecting, but
this fails, we set ssid_len=0 but leave current_bss hanging,
leading to errors.

Check all of this better, first of all ensuring that we can't
try to connect to a different SSID while connected/ing; ensure
that prev_bssid is set for re-association attempts even in the
case of the driver supporting the connect() method, and don't
reset ssid_len in the failure cases.

While at it, also reset ssid_len while disconnecting unless we
were connected and expect a disconnected event, and warn on a
successful connection without ssid_len being set.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/sme.c |   50 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 41 insertions(+), 9 deletions(-)

--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -522,11 +522,6 @@ static int cfg80211_sme_connect(struct w
 		return -EOPNOTSUPP;
 
 	if (wdev->current_bss) {
-		if (!prev_bssid)
-			return -EALREADY;
-		if (prev_bssid &&
-		    !ether_addr_equal(prev_bssid, wdev->current_bss->pub.bssid))
-			return -ENOTCONN;
 		cfg80211_unhold_bss(wdev->current_bss);
 		cfg80211_put_bss(wdev->wiphy, &wdev->current_bss->pub);
 		wdev->current_bss = NULL;
@@ -1063,11 +1058,35 @@ int cfg80211_connect(struct cfg80211_reg
 
 	ASSERT_WDEV_LOCK(wdev);
 
-	if (WARN_ON(wdev->connect_keys)) {
-		kzfree(wdev->connect_keys);
-		wdev->connect_keys = NULL;
+	/*
+	 * If we have an ssid_len, we're trying to connect or are
+	 * already connected, so reject a new SSID unless it's the
+	 * same (which is the case for re-association.)
+	 */
+	if (wdev->ssid_len &&
+	    (wdev->ssid_len != connect->ssid_len ||
+	     memcmp(wdev->ssid, connect->ssid, wdev->ssid_len)))
+		return -EALREADY;
+
+	/*
+	 * If connected, reject (re-)association unless prev_bssid
+	 * matches the current BSSID.
+	 */
+	if (wdev->current_bss) {
+		if (!prev_bssid)
+			return -EALREADY;
+		if (!ether_addr_equal(prev_bssid, wdev->current_bss->pub.bssid))
+			return -ENOTCONN;
 	}
 
+	/*
+	 * Reject if we're in the process of connecting with WEP,
+	 * this case isn't very interesting and trying to handle
+	 * it would make the code much more complex.
+	 */
+	if (wdev->connect_keys)
+		return -EINPROGRESS;
+
 	cfg80211_oper_and_ht_capa(&connect->ht_capa_mask,
 				  rdev->wiphy.ht_capa_mod_mask);
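Review bot: two different rejections in cfg80211_connect() now return
the same -EALREADY: a request for a different SSID while ssid_len is
set, and a request with no prev_bssid while current_bss is set. Callers
cannot tell them apart. Use distinct error codes, or document above the
function which condition maps to -EALREADY, -ENOTCONN and -EINPROGRESS.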
 
@@ -1118,7 +1137,12 @@ int cfg80211_connect(struct cfg80211_reg
 
 	if (err) {
 		wdev->connect_keys = NULL;
-		wdev->ssid_len = 0;
+		/*
+		 * This could be reassoc getting refused, don't clear
+		 * ssid_len in that case.
+		 */
+		if (!wdev->current_bss)
+			wdev->ssid_len = 0;
 		return err;
 	}
 
@@ -1145,6 +1169,14 @@ int cfg80211_disconnect(struct cfg80211_
 	else if (wdev->ssid_len)
 		err = rdev_disconnect(rdev, dev, reason);
 
+	/*
+	 * Clear ssid_len unless we actually were fully connected,
+	 * in which case cfg80211_disconnected() will take care of
+	 * this later.
+	 */
+	if (!wdev->current_bss)
+		wdev->ssid_len = 0;
+
 	return err;
 }
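Review bot: in cfg80211_disconnect() the new assignment
wdev->ssid_len = 0 runs whenever current_bss is NULL, including when
rdev_disconnect() just above returned an error, so a failed disconnect
during a connection attempt still clears the SSID state. Test err first,
or extend the comment to say why clearing on failure is intended.
Separately, the changelog mentions warning on a successful connection
without ssid_len being set, but none of the four hunks adds a warning.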
 


* [PATCH 4.13 41/43] ipsec: Fix aborted xfrm policy dump crash
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2017-10-31  9:56 ` [PATCH 4.13 40/43] cfg80211: fix connect/disconnect edge cases Greg Kroah-Hartman
@ 2017-10-31  9:56 ` Greg Kroah-Hartman
  2017-10-31  9:56 ` [PATCH 4.13 42/43] regulator: fan53555: fix I2C device ids Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Herbert Xu, Steffen Klassert

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.

An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash.  This can be
triggered if a dump fails because the target socket's receive
buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that
the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |   25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1684,32 +1684,34 @@ static int dump_one_policy(struct xfrm_p
 
 static int xfrm_dump_policy_done(struct netlink_callback *cb)
 {
-	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
 	struct net *net = sock_net(cb->skb->sk);
 
 	xfrm_policy_walk_done(walk, net);
 	return 0;
 }
 
+static int xfrm_dump_policy_start(struct netlink_callback *cb)
+{
+	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+
+	BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
+
+	xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+	return 0;
+}
+
 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
 {
 	struct net *net = sock_net(skb->sk);
-	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
 	struct xfrm_dump_info info;
 
-	BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
-		     sizeof(cb->args) - sizeof(cb->args[0]));
-
 	info.in_skb = cb->skb;
 	info.out_skb = skb;
 	info.nlmsg_seq = cb->nlh->nlmsg_seq;
 	info.nlmsg_flags = NLM_F_MULTI;
 
-	if (!cb->args[0]) {
-		cb->args[0] = 1;
-		xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
-	}
-
 	(void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
 
 	return skb->len;
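Review bot: xfrm_dump_policy_done() and xfrm_dump_policy() both cast
cb->args directly to struct xfrm_policy_walk * and depend on
xfrm_dump_policy_start() having initialized it, but only the start
function carries the BUILD_BUG_ON and nothing in the code states that
contract. Add a comment above xfrm_dump_policy_done() saying that .start
is the sole initializer and that .done may run without .dump ever having
been called, which is the case the changelog describes.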
@@ -2467,6 +2469,7 @@ static const struct nla_policy xfrma_spd
 
 static const struct xfrm_link {
 	int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+	int (*start)(struct netlink_callback *);
 	int (*dump)(struct sk_buff *, struct netlink_callback *);
 	int (*done)(struct netlink_callback *);
 	const struct nla_policy *nla_pol;
@@ -2480,6 +2483,7 @@ static const struct xfrm_link {
 	[XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
 	[XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },
 	[XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
+						   .start = xfrm_dump_policy_start,
 						   .dump = xfrm_dump_policy,
 						   .done = xfrm_dump_policy_done },
 	[XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
@@ -2532,6 +2536,7 @@ static int xfrm_user_rcv_msg(struct sk_b
 
 		{
 			struct netlink_dump_control c = {
+				.start = link->start,
 				.dump = link->dump,
 				.done = link->done,
 			};
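Review bot: link->start is passed through for every dump-capable
xfrm_link, but in this patch only XFRM_MSG_GETPOLICY sets it, so all
other entries hand a NULL .start to netlink_dump_control. Say in the
changelog that NULL is the expected "no start callback" value. If any
other dumper in the table still keeps a first-call flag in cb->args[0],
as the code removed in the first hunk did, it has the same exposure and
should be converted as well.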


* [PATCH 4.13 42/43] regulator: fan53555: fix I2C device ids
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2017-10-31  9:56 ` [PATCH 4.13 41/43] ipsec: Fix aborted xfrm policy dump crash Greg Kroah-Hartman
@ 2017-10-31  9:56 ` Greg Kroah-Hartman
  2017-10-31 17:20 ` [PATCH 4.13 00/43] 4.13.11-stable review Guenter Roeck
  2017-10-31 20:04 ` Shuah Khan
  41 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-31  9:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guillaume Tucker, Mark Brown

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Tucker <guillaume.tucker@collabora.com>

commit fc1111b885437f374ed54aadda44d8b241ebd2a3 upstream.

The device tree nodes all correctly describe the regulators as
syr827 or syr828, but the I2C device id is currently set to the
wildcard value of syr82x in the driver.  This causes udev to fail
to match the driver module with the modalias data from sysfs.

Fix this by replacing the I2C device ids with ones that match the
device tree descriptions, with syr827 and syr828.  Tested on
Firefly rk3288 board.  The syr82x id was not used anywhere.

Fixes: e80c47bd738b (regulator: fan53555: Export I2C module alias information)
Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/regulator/fan53555.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/regulator/fan53555.c
+++ b/drivers/regulator/fan53555.c
@@ -476,7 +476,10 @@ static const struct i2c_device_id fan535
 		.name = "fan53555",
 		.driver_data = FAN53555_VENDOR_FAIRCHILD
 	}, {
-		.name = "syr82x",
+		.name = "syr827",
+		.driver_data = FAN53555_VENDOR_SILERGY
+	}, {
+		.name = "syr828",
 		.driver_data = FAN53555_VENDOR_SILERGY
 	},
 	{ },
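Review bot: the "syr82x" entry is deleted rather than kept next to the
two new names, so anything that instantiated the device under that name
stops binding to this driver. The changelog says the id "was not used
anywhere"; if that means in-tree users only, say so explicitly, or keep
the old name as a third entry with FAN53555_VENDOR_SILERGY.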


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2017-10-31  9:55 ` [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed Greg Kroah-Hartman
@ 2017-10-31 13:02   ` Thomas Backlund
  2017-11-01 15:17     ` Greg Kroah-Hartman
  2017-11-01 15:18     ` Greg Kroah-Hartman
  0 siblings, 2 replies; 71+ messages in thread
From: Thomas Backlund @ 2017-10-31 13:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Steve French

Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
> 4.13-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Steve French <smfrench@gmail.com>
> 
> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
> 
> According to MS-SMB2 3.2.55 validate_negotiate request must
> always be signed. Some Windows can fail the request if you send it unsigned
> 
> See kernel bugzilla bug 197311
> 
> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
> Signed-off-by: Steve French <smfrench@gmail.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>   fs/cifs/smb2pdu.c |    3 +++
>   1 file changed, 3 insertions(+)
> 
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>   	} else
>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>   
> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>   
>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>   	cifs_small_buf_release(req);
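Review bot: SMB2_FLAGS_SIGNED is set on the request whenever opcode is
FSCTL_VALIDATE_NEGOTIATE_INFO, with no check in this hunk that the
session is able to sign; the description should say what happens on a
session without a signing key, since the flag is forced regardless of
session state. The added comment cites MS-SMB2 3.2.5.5 while the
changelog cites 3.2.55; make the two agree.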
> 
> 
> 

This one needs to be backported to all stable kernels as the commit that
introduced the regression:
0603c96f3af50e2f9299fa410c224ab1d465e0f9
SMB: Validate negotiate (to protect against downgrade) even if signing off

is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73


--
Thomas


* Re: [PATCH 4.13 00/43] 4.13.11-stable review
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2017-10-31  9:56 ` [PATCH 4.13 42/43] regulator: fan53555: fix I2C device ids Greg Kroah-Hartman
@ 2017-10-31 17:20 ` Guenter Roeck
  2017-11-01 15:21   ` Greg Kroah-Hartman
  2017-10-31 20:04 ` Shuah Khan
  41 siblings, 1 reply; 71+ messages in thread
From: Guenter Roeck @ 2017-10-31 17:20 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuahkh, patches, ben.hutchings, stable

On Tue, Oct 31, 2017 at 10:55:20AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.13.11 release.
> There are 43 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Nov  2 09:55:17 UTC 2017.
> Anything received after that time might be too late.
> 

Build results:
	total: 145 pass: 145 fail: 0
Qemu test results:
	total: 123 pass: 123 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter


* Re: [PATCH 4.13 00/43] 4.13.11-stable review
  2017-10-31  9:55 [PATCH 4.13 00/43] 4.13.11-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2017-10-31 17:20 ` [PATCH 4.13 00/43] 4.13.11-stable review Guenter Roeck
@ 2017-10-31 20:04 ` Shuah Khan
  41 siblings, 0 replies; 71+ messages in thread
From: Shuah Khan @ 2017-10-31 20:04 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, stable, Shuah Khan

On 10/31/2017 03:55 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.13.11 release.
> There are 43 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Nov  2 09:55:17 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.13.11-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.13.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg and kselftest regressions.

thanks,
-- Shuah


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2017-10-31 13:02   ` Thomas Backlund
@ 2017-11-01 15:17     ` Greg Kroah-Hartman
  2017-11-01 15:18     ` Greg Kroah-Hartman
  1 sibling, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-11-01 15:17 UTC (permalink / raw)
  To: Thomas Backlund; +Cc: linux-kernel, stable, Steve French

On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
> > 4.13-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Steve French <smfrench@gmail.com>
> > 
> > commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
> > 
> > According to MS-SMB2 3.2.55 validate_negotiate request must
> > always be signed. Some Windows can fail the request if you send it unsigned
> > 
> > See kernel bugzilla bug 197311
> > 
> > Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
> > Signed-off-by: Steve French <smfrench@gmail.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> >   fs/cifs/smb2pdu.c |    3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > --- a/fs/cifs/smb2pdu.c
> > +++ b/fs/cifs/smb2pdu.c
> > @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
> >   	} else
> >   		iov[0].iov_len = get_rfc1002_length(req) + 4;
> > +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> > +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> > +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
> >   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
> >   	cifs_small_buf_release(req);
> > 
> > 
> > 
> 
> This one needs to be backported to all stable kernels as the commit that
> introduced the regression:
> '
> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> SMB: Validate negotiate (to protect against downgrade) even if signing off
> 
> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73

Thanks, I originally tried to backport this, but it applied in an odd
way.  I've fixed it up by hand now.

greg k-h


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2017-10-31 13:02   ` Thomas Backlund
  2017-11-01 15:17     ` Greg Kroah-Hartman
@ 2017-11-01 15:18     ` Greg Kroah-Hartman
  2018-01-04  2:15       ` Srivatsa S. Bhat
  1 sibling, 1 reply; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-11-01 15:18 UTC (permalink / raw)
  To: Thomas Backlund; +Cc: linux-kernel, stable, Steve French

On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
> > 4.13-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Steve French <smfrench@gmail.com>
> > 
> > commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
> > 
> > According to MS-SMB2 3.2.55 validate_negotiate request must
> > always be signed. Some Windows can fail the request if you send it unsigned
> > 
> > See kernel bugzilla bug 197311
> > 
> > Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
> > Signed-off-by: Steve French <smfrench@gmail.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> >   fs/cifs/smb2pdu.c |    3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > --- a/fs/cifs/smb2pdu.c
> > +++ b/fs/cifs/smb2pdu.c
> > @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
> >   	} else
> >   		iov[0].iov_len = get_rfc1002_length(req) + 4;
> > +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> > +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> > +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
> >   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
> >   	cifs_small_buf_release(req);
> > 
> > 
> > 
> 
> This one needs to be backported to all stable kernels as the commit that
> introduced the regression:
> '
> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> SMB: Validate negotiate (to protect against downgrade) even if signing off
> 
> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73

Oh wait, it breaks the builds on older kernels, that's why I didn't
apply it :)

Can you provide me with a working backport?

thanks,

greg k-h


* Re: [PATCH 4.13 00/43] 4.13.11-stable review
  2017-10-31 17:20 ` [PATCH 4.13 00/43] 4.13.11-stable review Guenter Roeck
@ 2017-11-01 15:21   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2017-11-01 15:21 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuahkh, patches, ben.hutchings, stable

On Tue, Oct 31, 2017 at 10:20:49AM -0700, Guenter Roeck wrote:
> On Tue, Oct 31, 2017 at 10:55:20AM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.13.11 release.
> > There are 43 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Nov  2 09:55:17 UTC 2017.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 145 pass: 145 fail: 0
> Qemu test results:
> 	total: 123 pass: 123 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Great, thanks for testing all of these and letting me know.

greg k-h


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2017-11-01 15:18     ` Greg Kroah-Hartman
@ 2018-01-04  2:15       ` Srivatsa S. Bhat
  2018-01-18 21:25         ` Srivatsa S. Bhat
  2018-02-27  3:44         ` Srivatsa S. Bhat
  0 siblings, 2 replies; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-01-04  2:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Thomas Backlund, Steve French
  Cc: linux-kernel, stable, lsahlber, pshilov, linux-cifs

On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Steve French <smfrench@gmail.com>
>>>
>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>
>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>
>>> See kernel bugzilla bug 197311
>>>
>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>
>>> ---
>>>   fs/cifs/smb2pdu.c |    3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> --- a/fs/cifs/smb2pdu.c
>>> +++ b/fs/cifs/smb2pdu.c
>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>   	} else
>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>   	cifs_small_buf_release(req);
>>>
>>>
>>>
>>
>> This one needs to be backported to all stable kernels as the commit that
>> introduced the regression:
>> '
>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>
>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
> 
> Oh wait, it breaks the builds on older kernels, that's why I didn't
> apply it :)
> 
> Can you provide me with a working backport?
> 

Hi Steve,

Is there a version of this fix available for stable kernels?

I tried applying this patch to 4.4.109 (and a similar one for 4.9.74),
but it didn't fix the problem.  Instead, I actually got a NULL pointer
dereference when I tried to mount an SMB3 share.

Here is the patch I tried on 4.4.109:

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f2ff60e..3963bd2 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        } else
                iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+       /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+       if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+               req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
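Review bot: On this 4.4.109 base the added `req->hdr.Flags |= SMB2_FLAGS_SIGNED;` forces the request through the signing path in SendReceive2(), and the hunk has no check that a signing key and hash context exist for the session. The backport needs either the prerequisite that sets up signing state when signing was not negotiated, or a guard here that fails the ioctl with an error instead of handing an unprepared session to the signing code. The adaptation from `req->hdr.sync_hdr.Flags` to `req->hdr.Flags` should also be mentioned in the backport changelog.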


This results in the following NULL pointer dereference when I try
mounting:

# mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir

[   53.073057] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[   53.073511] IP: [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
[   53.073973] PGD 0 
[   53.074427] Oops: 0000 [#1] SMP 
[   53.074946] Modules linked in: arc4(E) ecb(E) md4(E) cifs(E) dns_resolver(E) vmw_vsock_vmci_transport(E) vsock(E) hid_generic(E) usbhid(E) hid(E) xt_conntrack(E) mousedev(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) iptable_filter(E) ip_tables(E) crc32c_intel(E) xt_LOG(E) nf_conntrack(E) jitterentropy_rng(E) hmac(E) sha256_ssse3(E) sha256_generic(E) drbg(E) vmw_balloon(E) ansi_cprng(E) aesni_intel(E) aes_x86_64(E) glue_helper(E) lrw(E) gf128mul(E) ablk_helper(E) cryptd(E) psmouse(E) evdev(E) uhci_hcd(E) ehci_pci(E) ehci_hcd(E) usbcore(E) intel_agp(E) usb_common(E) vmw_vmci(E) i2c_piix4(E) intel_gtt(E) nfit(E) battery(E) tpm_tis(E) tpm(E) ac(E) button(E) sch_fq_codel(E) autofs4(E)
[   53.079435] CPU: 3 PID: 829 Comm: mount.cifs Tainted: G            E   4.4.109-possible-fix1+ #21
[   53.079983] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
[   53.081086] task: ffff8800b4f41940 ti: ffff8800b92ac000 task.ti: ffff8800b92ac000
[   53.081667] RIP: 0010:[<ffffffff8138ee9a>]  [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
[   53.082247] RSP: 0018:ffff8800b92af9a8  EFLAGS: 00010282
[   53.082604] systemd-journald[284]: Compressed data object 721 -> 468 using XZ
[   53.083419] RAX: ffff8800af5943c0 RBX: ffff8800b484a800 RCX: 00000000ffff0ec7
[   53.084001] RDX: 0000000000000010 RSI: ffff8800b900af18 RDI: 0000000000000000
[   53.084602] RBP: ffff8800b92af9e0 R08: ffff8800b92afb64 R09: 0000000000000000
[   53.085184] R10: 3031322e3030312e R11: 00000000000007f5 R12: 0000000000000002
[   53.085755] R13: 0000000000000000 R14: ffff8800b900af18 R15: 0000000000000010
[   53.086333] FS:  00007fb659b45740(0000) GS:ffff88013fcc0000(0000) knlGS:0000000000000000
[   53.086907] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   53.087480] CR2: 0000000000000050 CR3: 00000000b7970000 CR4: 00000000001606e0
[   53.088107] Stack:
[   53.088681]  ffff8800bba5d8c0 ffff8800b92afa08 ffff8800b484a800 0000000000000002
[   53.089281]  ffff8800b92afac8 000008012400007d ffff8800b484a800 ffff8800b92afa50
[   53.089871]  ffffffffa02194a6 ffff8800b92afb70 ffff8800af5943c0 ffff8800b7a2f800
[   53.090457] Call Trace:
[   53.091054]  [<ffffffffa02194a6>] smb3_calc_signature+0xb6/0x290 [cifs]
[   53.091650]  [<ffffffffa0218b5b>] smb2_sign_rqst+0x2b/0x40 [cifs]
[   53.092244]  [<ffffffffa0219981>] smb2_setup_request+0xd1/0x170 [cifs]
[   53.092838]  [<ffffffffa02082a7>] SendReceive2+0xc7/0x450 [cifs]
[   53.093435]  [<ffffffffa02057d5>] ? cifs_small_buf_get+0x15/0x30 [cifs]
[   53.094030]  [<ffffffffa021b83f>] ? small_smb2_init+0xdf/0x200 [cifs]
[   53.094616]  [<ffffffffa021d6d7>] SMB2_ioctl+0x147/0x310 [cifs]
[   53.095203]  [<ffffffffa021d99e>] smb3_validate_negotiate+0xfe/0x2d0 [cifs]
[   53.095792]  [<ffffffffa021b196>] SMB2_tcon+0x296/0x500 [cifs]
[   53.096362]  [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10
[   53.096930]  [<ffffffffa01efe0b>] cifs_get_tcon+0x1bb/0x560 [cifs]
[   53.097486]  [<ffffffffa01f2b10>] cifs_mount+0x690/0xde0 [cifs]
[   53.098032]  [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10
[   53.098570]  [<ffffffffa01de6eb>] cifs_do_mount+0xcb/0x5a0 [cifs]
[   53.099089]  [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110
[   53.099598]  [<ffffffff811b7b03>] mount_fs+0x33/0x160
[   53.100091]  [<ffffffff811d1b62>] vfs_kern_mount+0x62/0x100
[   53.100574]  [<ffffffff811d3f1b>] do_mount+0x21b/0xd30
[   53.101050]  [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110
[   53.101511]  [<ffffffff811d4d47>] SyS_mount+0x87/0xd0
[   53.101959]  [<ffffffff817d806e>] entry_SYSCALL_64_fastpath+0x12/0x71
[   53.102400] Code: 89 e5 8b 12 e8 78 d2 04 00 31 c0 5d c3 0f 1f 40 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fd 53 49 89 f6 41 89 d7 48 83 ec 10 <4c> 8b 67 50 41 8b 5c 24 2c 48 85 de 75 14 41 ff 54 24 e8 48 83 
[   53.103820] RIP  [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
[   53.104288]  RSP <ffff8800b92af9a8>
[   53.104745] CR2: 0000000000000050
[   53.105225] ---[ end trace fc2de0ad7f229314 ]---


The CIFS config options enabled are:

CONFIG_CIFS=m
CONFIG_CIFS_STATS=y
CONFIG_CIFS_STATS2=y
CONFIG_CIFS_WEAK_PW_HASH=y
CONFIG_CIFS_UPCALL=y
CONFIG_CIFS_XATTR=y
CONFIG_CIFS_POSIX=y
CONFIG_CIFS_ACL=y
CONFIG_CIFS_DEBUG=y
CONFIG_CIFS_DEBUG2=y
CONFIG_CIFS_DFS_UPCALL=y
CONFIG_CIFS_SMB2=y
# CONFIG_CIFS_SMB311 is not set
# CONFIG_CIFS_FSCACHE is not set


The problem seems to be that crypto_shash_setkey() is called without
calling smb3_crypto_shash_allocate() first.  So I looked up how mainline
avoids this issue, and it looks like the following commit makes a call
to generate_signingkey() even when server->sign == false, and this path
eventually calls smb3_crypto_shash_allocate(), thus avoiding the NULL
pointer dereference.

cabfb3680f78 (CIFS: Enable encryption during session setup phase)


So, I adopted this change, and now my resulting patch looks like this:

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f2ff60e..19cc92c 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -833,7 +833,7 @@ ssetup_exit:
 
        if (!rc) {
                mutex_lock(&server->srv_mutex);
-               if (server->sign && server->ops->generate_signingkey) {
+               if (server->ops->generate_signingkey) {
                        rc = server->ops->generate_signingkey(ses);
                        kfree(ses->auth_key.response);
                        ses->auth_key.response = NULL;
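Review bot: Dropping `server->sign &&` from the condition changes session setup for every mount, not only for the validate negotiate path: `generate_signingkey()` now runs on sessions that never negotiated signing, and its `rc` now feeds whatever error handling follows for those sessions too. If this is a partial pick of cabfb3680f78, the changelog should say so and explain why the rest of that commit is not needed on 4.4, and it should be confirmed that a key-generation failure is meant to be fatal for a session with signing off.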
@@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        } else
                iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+       /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+       if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+               req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;



This fixes the NULL pointer dereference, but the mount still fails, but
this time for a different reason -- due to STATUS_ACCESS_DENIED:


# mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir

mount.cifs kernel mount options: ip=<ip_addr>,unc=\\<ip_addr>\TestSMB,vers=3.0,user=srivatsa,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Here is the dmesg output:

[   48.192141] fs/cifs/cifsfs.c: Devname: //<ip_addr>/TestSMB/ flags: 0
[   48.192178] address conversion returned 1 for <ip_addr>
[   48.192205] fs/cifs/connect.c: Username: srivatsa
[   48.192222] fs/cifs/connect.c: file mode: 0x1ed  dir mode: 0x1ed
[   48.192280] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 0 with uid: 0
[   48.192302] fs/cifs/connect.c: UNC: \\<ip_addr>\TestSMB
[   48.192335] fs/cifs/connect.c: Socket created
[   48.192349] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x6d6
[   48.193453] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 1 with uid: 0
[   48.193462] fs/cifs/connect.c: Demultiplex PID: 829
[   48.193492] fs/cifs/connect.c: Existing smb sess not found
[   48.193510] fs/cifs/smb2pdu.c: Negotiate protocol
[   48.193531] fs/cifs/transport.c: Sending smb: smb_len=102
[   48.194301] fs/cifs/connect.c: RFC1002 header 0xaa
[   48.194321] fs/cifs/smb2misc.c: smb2_check_message length: 0xae, smb_buf_length: 0xaa
[   48.194349] fs/cifs/smb2misc.c: SMB2 data length 42 offset 128
[   48.194367] fs/cifs/smb2misc.c: SMB2 len 174
[   48.194393] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
[   48.194415] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.194436] fs/cifs/smb2pdu.c: mode 0x1
[   48.194448] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[   48.194466] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[   48.194484] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[   48.194502] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300007 TimeAdjust: 0
[   48.194525] fs/cifs/smb2pdu.c: Session Setup
[   48.194539] fs/cifs/transport.c: Sending smb: smb_len=120
[   48.194817] fs/cifs/connect.c: RFC1002 header 0x136
[   48.194836] fs/cifs/smb2misc.c: smb2_check_message length: 0x13a, smb_buf_length: 0x136
[   48.194859] fs/cifs/smb2misc.c: SMB2 data length 238 offset 72
[   48.195306] fs/cifs/smb2misc.c: SMB2 len 314
[   48.195740] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
[   48.196174] Status code returned 0xc0000016 STATUS_MORE_PROCESSING_REQUIRED
[   48.196605] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741802 to POSIX err -5
[   48.197043] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.210008] fs/cifs/transport.c: Sending smb: smb_len=412
[   48.211625] fs/cifs/connect.c: RFC1002 header 0x48
[   48.212060] fs/cifs/smb2misc.c: smb2_check_message length: 0x4c, smb_buf_length: 0x48
[   48.212494] fs/cifs/smb2misc.c: SMB2 data length 0 offset 72
[   48.212919] fs/cifs/smb2misc.c: SMB2 len 77
[   48.213364] fs/cifs/smb2misc.c: Calculated size 77 length 76 mismatch mid 2
[   48.213807] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=4
[   48.214242] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.219385] fs/cifs/smb2pdu.c: SMB2/3 session established successfully
[   48.219831] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 1) rc = 0
[   48.220276] fs/cifs/connect.c: CIFS VFS: in cifs_get_tcon as Xid: 2 with uid: 0
[   48.220724] fs/cifs/smb2pdu.c: TCON
[   48.221182] fs/cifs/transport.c: Sending smb: smb_len=122
[   48.221830] fs/cifs/connect.c: RFC1002 header 0x50
[   48.222280] fs/cifs/smb2misc.c: smb2_check_message length: 0x54, smb_buf_length: 0x50
[   48.222734] fs/cifs/smb2misc.c: SMB2 len 84
[   48.223199] fs/cifs/transport.c: cifs_sync_mid_result: cmd=3 mid=3 state=4
[   48.223656] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.224107] fs/cifs/smb2pdu.c: connection to disk share
[   48.224560] fs/cifs/smb2pdu.c: validate negotiate
[   48.225015] fs/cifs/smb2pdu.c: SMB2 IOCTL
[   48.225456] fs/cifs/transport.c: Sending smb: smb_len=146
[   48.226049] fs/cifs/connect.c: RFC1002 header 0x49
[   48.226498] fs/cifs/smb2misc.c: smb2_check_message length: 0x4d, smb_buf_length: 0x49
[   48.226951] fs/cifs/smb2misc.c: SMB2 data length 0 offset 0
[   48.227408] fs/cifs/smb2misc.c: SMB2 len 77
[   48.227863] fs/cifs/transport.c: cifs_sync_mid_result: cmd=11 mid=4 state=4
[   48.228318] Status code returned 0xc0000022 STATUS_ACCESS_DENIED
[   48.228780] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741790 to POSIX err -13
[   48.229265] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   48.229732] CIFS VFS: validate protocol negotiate failed: -13
[   48.230197] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_tcon (xid = 2) rc = -5
[   48.230681] fs/cifs/connect.c: Tcon rc = -5
[   48.231150] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\<ip_addr>\TestSMB
[   48.231634] fs/cifs/connect.c: cifs_put_smb_ses: ses_count=1
[   48.232101] fs/cifs/connect.c: CIFS VFS: in cifs_put_smb_ses as Xid: 3 with uid: 0
[   48.232569] fs/cifs/smb2pdu.c: disconnect session ffff8800b9189e00
[   48.233053] fs/cifs/transport.c: Sending smb: smb_len=68
[   48.233651] fs/cifs/connect.c: RFC1002 header 0x44
[   48.234116] fs/cifs/smb2misc.c: smb2_check_message length: 0x48, smb_buf_length: 0x44
[   48.234585] fs/cifs/smb2misc.c: SMB2 len 72
[   48.235063] fs/cifs/transport.c: cifs_sync_mid_result: cmd=2 mid=5 state=4
[   48.235541] SendRcvNoRsp flags 64 rc 0
[   48.236075] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 0) rc = -5
[   48.236556] CIFS VFS: cifs_mount failed w/return code = -5


Any thoughts on what is the right fix for stable kernels? Mounting SMB3
shares works great on mainline (v4.15-rc5). It also works on 4.4.109 if
I pass the sec=ntlmsspi option to the mount command (as opposed to the
default: sec=ntlmssp). Please let me know if you need any other info.

Thank you!

Regards,
Srivatsa
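
A capture-side check for the rule this thread is about (MS-SMB2 3.2.5.5: the validate negotiate request must be signed), as an added example that is not part of any message in the thread or of the kernel's cifs code. Field offsets and constant values follow the MS-SMB2 wire format rather than this page; `classify_request`, `build_sample` and the verdict names are hypothetical, and the sample requests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_HDR_LEN                  64
#define SMB2_CMD_IOCTL                0x000B      /* "cmd=11" in the cifs debug log */
#define SMB2_FLAGS_SERVER_TO_REDIR    0x00000001u /* set on responses */
#define SMB2_FLAGS_SIGNED             0x00000008u
#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204u

/* Byte offsets from the start of the SMB2 message (the 0xFE 'S' 'M' 'B' id). */
enum { OFF_STRUCT_SIZE = 4, OFF_COMMAND = 12, OFF_FLAGS = 16, OFF_SIGNATURE = 48,
       OFF_IOCTL_CTLCODE = SMB2_HDR_LEN + 4, SAMPLE_LEN = SMB2_HDR_LEN + 8 };

enum vn_verdict {
    VN_MALFORMED = -1,              /* too short, or not an SMB2 header */
    VN_NOT_VALIDATE_NEGOTIATE = 0,  /* some other request, or a response */
    VN_SIGNED = 1,                  /* flag set and signature field populated */
    VN_UNSIGNED = 2,                /* flag clear: what some servers reject */
    VN_FLAG_WITHOUT_SIGNATURE = 3   /* flag set but signature is all zero */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* msg points at the SMB2 header, i.e. after the 4-byte RFC1002 length prefix. */
enum vn_verdict classify_request(const uint8_t *msg, size_t len)
{
    static const uint8_t magic[4] = { 0xFE, 'S', 'M', 'B' };
    static const uint8_t zero_sig[16] = { 0 };
    uint32_t flags;

    if (len < SMB2_HDR_LEN || memcmp(msg, magic, sizeof magic) != 0 ||
        le16(msg + OFF_STRUCT_SIZE) != SMB2_HDR_LEN)
        return VN_MALFORMED;

    flags = le32(msg + OFF_FLAGS);
    if ((flags & SMB2_FLAGS_SERVER_TO_REDIR) ||
        le16(msg + OFF_COMMAND) != SMB2_CMD_IOCTL)
        return VN_NOT_VALIDATE_NEGOTIATE;

    /* IOCTL body starts with StructureSize(2) Reserved(2) CtlCode(4). */
    if (len < SAMPLE_LEN)
        return VN_MALFORMED;
    if (le32(msg + OFF_IOCTL_CTLCODE) != FSCTL_VALIDATE_NEGOTIATE_INFO)
        return VN_NOT_VALIDATE_NEGOTIATE;

    if (!(flags & SMB2_FLAGS_SIGNED))
        return VN_UNSIGNED;
    if (memcmp(msg + OFF_SIGNATURE, zero_sig, sizeof zero_sig) == 0)
        return VN_FLAG_WITHOUT_SIGNATURE;
    return VN_SIGNED;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample: header plus the first 8 bytes of an IOCTL request. */
void build_sample(uint8_t buf[SAMPLE_LEN], uint32_t ctl_code, uint32_t flags,
                  int fill_signature)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 0xFE; buf[1] = 'S'; buf[2] = 'M'; buf[3] = 'B';
    buf[OFF_STRUCT_SIZE] = SMB2_HDR_LEN;
    buf[OFF_COMMAND] = SMB2_CMD_IOCTL;
    put_le32(buf + OFF_FLAGS, flags);
    if (fill_signature)
        memset(buf + OFF_SIGNATURE, 0xA5, 16);   /* placeholder bytes */
    buf[SMB2_HDR_LEN] = 57;                      /* IOCTL request StructureSize */
    put_le32(buf + OFF_IOCTL_CTLCODE, ctl_code);
}

int main(void)
{
    uint8_t buf[SAMPLE_LEN];

    build_sample(buf, FSCTL_VALIDATE_NEGOTIATE_INFO, 0, 0);
    printf("flag clear:        %d\n", classify_request(buf, sizeof buf));
    build_sample(buf, FSCTL_VALIDATE_NEGOTIATE_INFO, SMB2_FLAGS_SIGNED, 1);
    printf("flag + signature:  %d\n", classify_request(buf, sizeof buf));
    build_sample(buf, FSCTL_VALIDATE_NEGOTIATE_INFO, SMB2_FLAGS_SIGNED, 0);
    printf("flag, zero sig:    %d\n", classify_request(buf, sizeof buf));
    return 0;
}
```

The check only reports whether a signature is present; verifying it needs the session's signing key, which a capture alone does not provide.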


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-01-04  2:15       ` Srivatsa S. Bhat
@ 2018-01-18 21:25         ` Srivatsa S. Bhat
  2018-01-19 13:23           ` Aurélien Aptel
  2018-02-27  3:44         ` Srivatsa S. Bhat
  1 sibling, 1 reply; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-01-18 21:25 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Thomas Backlund, Steve French
  Cc: linux-kernel, stable, lsahlber, pshilov, linux-cifs

On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>
>>>> ------------------
>>>>
>>>> From: Steve French <smfrench@gmail.com>
>>>>
>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>
>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>
>>>> See kernel bugzilla bug 197311
>>>>
>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>
>>>> ---
>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>   1 file changed, 3 insertions(+)
>>>>
>>>> --- a/fs/cifs/smb2pdu.c
>>>> +++ b/fs/cifs/smb2pdu.c
>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>   	} else
>>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>   	cifs_small_buf_release(req);
>>>>
>>>>
>>>>
>>>
>>> This one needs to be backported to all stable kernels as the commit that
>>> introduced the regression:
>>> '
>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>
>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>
>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>> apply it :)
>>
>> Can you provide me with a working backport?
>>
> 
> Hi Steve,
> 
> Is there a version of this fix available for stable kernels?
> 

Any thoughts on this?

Regards,
Srivatsa

> I tried applying this patch to 4.4.109 (and a similar one for 4.9.74),
> but it didn't fix the problem.  Instead, I actually got a NULL pointer
> dereference when I tried to mount an SMB3 share.
> 
> Here is the patch I tried on 4.4.109:
> 
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index f2ff60e..3963bd2 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
>         } else
>                 iov[0].iov_len = get_rfc1002_length(req) + 4;
>  
> +       /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> +       if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> +               req->hdr.Flags |= SMB2_FLAGS_SIGNED;
>  
>         rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
>         rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
> 
> 
> This results in the following NULL pointer dereference when I try
> mounting:
> 
> # mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir
> 
> [   53.073057] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
> [   53.073511] IP: [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
> [   53.073973] PGD 0 
> [   53.074427] Oops: 0000 [#1] SMP 
> [   53.074946] Modules linked in: arc4(E) ecb(E) md4(E) cifs(E) dns_resolver(E) vmw_vsock_vmci_transport(E) vsock(E) hid_generic(E) usbhid(E) hid(E) xt_conntrack(E) mousedev(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) iptable_filter(E) ip_tables(E) crc32c_intel(E) xt_LOG(E) nf_conntrack(E) jitterentropy_rng(E) hmac(E) sha256_ssse3(E) sha256_generic(E) drbg(E) vmw_balloon(E) ansi_cprng(E) aesni_intel(E) aes_x86_64(E) glue_helper(E) lrw(E) gf128mul(E) ablk_helper(E) cryptd(E) psmouse(E) evdev(E) uhci_hcd(E) ehci_pci(E) ehci_hcd(E) usbcore(E) intel_agp(E) usb_common(E) vmw_vmci(E) i2c_piix4(E) intel_gtt(E) nfit(E) battery(E) tpm_tis(E) tpm(E) ac(E) button(E) sch_fq_codel(E) autofs4(E)
> [   53.079435] CPU: 3 PID: 829 Comm: mount.cifs Tainted: G            E   4.4.109-possible-fix1+ #21
> [   53.079983] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
> [   53.081086] task: ffff8800b4f41940 ti: ffff8800b92ac000 task.ti: ffff8800b92ac000
> [   53.081667] RIP: 0010:[<ffffffff8138ee9a>]  [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
> [   53.082247] RSP: 0018:ffff8800b92af9a8  EFLAGS: 00010282
> [   53.082604] systemd-journald[284]: Compressed data object 721 -> 468 using XZ
> [   53.083419] RAX: ffff8800af5943c0 RBX: ffff8800b484a800 RCX: 00000000ffff0ec7
> [   53.084001] RDX: 0000000000000010 RSI: ffff8800b900af18 RDI: 0000000000000000
> [   53.084602] RBP: ffff8800b92af9e0 R08: ffff8800b92afb64 R09: 0000000000000000
> [   53.085184] R10: 3031322e3030312e R11: 00000000000007f5 R12: 0000000000000002
> [   53.085755] R13: 0000000000000000 R14: ffff8800b900af18 R15: 0000000000000010
> [   53.086333] FS:  00007fb659b45740(0000) GS:ffff88013fcc0000(0000) knlGS:0000000000000000
> [   53.086907] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   53.087480] CR2: 0000000000000050 CR3: 00000000b7970000 CR4: 00000000001606e0
> [   53.088107] Stack:
> [   53.088681]  ffff8800bba5d8c0 ffff8800b92afa08 ffff8800b484a800 0000000000000002
> [   53.089281]  ffff8800b92afac8 000008012400007d ffff8800b484a800 ffff8800b92afa50
> [   53.089871]  ffffffffa02194a6 ffff8800b92afb70 ffff8800af5943c0 ffff8800b7a2f800
> [   53.090457] Call Trace:
> [   53.091054]  [<ffffffffa02194a6>] smb3_calc_signature+0xb6/0x290 [cifs]
> [   53.091650]  [<ffffffffa0218b5b>] smb2_sign_rqst+0x2b/0x40 [cifs]
> [   53.092244]  [<ffffffffa0219981>] smb2_setup_request+0xd1/0x170 [cifs]
> [   53.092838]  [<ffffffffa02082a7>] SendReceive2+0xc7/0x450 [cifs]
> [   53.093435]  [<ffffffffa02057d5>] ? cifs_small_buf_get+0x15/0x30 [cifs]
> [   53.094030]  [<ffffffffa021b83f>] ? small_smb2_init+0xdf/0x200 [cifs]
> [   53.094616]  [<ffffffffa021d6d7>] SMB2_ioctl+0x147/0x310 [cifs]
> [   53.095203]  [<ffffffffa021d99e>] smb3_validate_negotiate+0xfe/0x2d0 [cifs]
> [   53.095792]  [<ffffffffa021b196>] SMB2_tcon+0x296/0x500 [cifs]
> [   53.096362]  [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10
> [   53.096930]  [<ffffffffa01efe0b>] cifs_get_tcon+0x1bb/0x560 [cifs]
> [   53.097486]  [<ffffffffa01f2b10>] cifs_mount+0x690/0xde0 [cifs]
> [   53.098032]  [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10
> [   53.098570]  [<ffffffffa01de6eb>] cifs_do_mount+0xcb/0x5a0 [cifs]
> [   53.099089]  [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110
> [   53.099598]  [<ffffffff811b7b03>] mount_fs+0x33/0x160
> [   53.100091]  [<ffffffff811d1b62>] vfs_kern_mount+0x62/0x100
> [   53.100574]  [<ffffffff811d3f1b>] do_mount+0x21b/0xd30
> [   53.101050]  [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110
> [   53.101511]  [<ffffffff811d4d47>] SyS_mount+0x87/0xd0
> [   53.101959]  [<ffffffff817d806e>] entry_SYSCALL_64_fastpath+0x12/0x71
> [   53.102400] Code: 89 e5 8b 12 e8 78 d2 04 00 31 c0 5d c3 0f 1f 40 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fd 53 49 89 f6 41 89 d7 48 83 ec 10 <4c> 8b 67 50 41 8b 5c 24 2c 48 85 de 75 14 41 ff 54 24 e8 48 83 
> [   53.103820] RIP  [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0
> [   53.104288]  RSP <ffff8800b92af9a8>
> [   53.104745] CR2: 0000000000000050
> [   53.105225] ---[ end trace fc2de0ad7f229314 ]---
> 
> 
> The CIFS config options enabled are:
> 
> CONFIG_CIFS=m
> CONFIG_CIFS_STATS=y
> CONFIG_CIFS_STATS2=y
> CONFIG_CIFS_WEAK_PW_HASH=y
> CONFIG_CIFS_UPCALL=y
> CONFIG_CIFS_XATTR=y
> CONFIG_CIFS_POSIX=y
> CONFIG_CIFS_ACL=y
> CONFIG_CIFS_DEBUG=y
> CONFIG_CIFS_DEBUG2=y
> CONFIG_CIFS_DFS_UPCALL=y
> CONFIG_CIFS_SMB2=y
> # CONFIG_CIFS_SMB311 is not set
> # CONFIG_CIFS_FSCACHE is not set
> 
> 
> The problem seems to be that crypto_shash_setkey() is called without
> calling smb3_crypto_shash_allocate() first.  So I looked up how mainline
> avoids this issue, and it looks like the following commit makes a call
> to generate_signingkey() even when server->sign == false, and this path
> eventually calls smb3_crypto_shash_allocate(), thus avoiding the NULL
> pointer dereference.
> 
> cabfb3680f78 (CIFS: Enable encryption during session setup phase)
> 
> 
> So, I adopted this change, and now my resulting patch looks like this:
> 
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index f2ff60e..19cc92c 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -833,7 +833,7 @@ ssetup_exit:
>  
>         if (!rc) {
>                 mutex_lock(&server->srv_mutex);
> -               if (server->sign && server->ops->generate_signingkey) {
> +               if (server->ops->generate_signingkey) {
>                         rc = server->ops->generate_signingkey(ses);
>                         kfree(ses->auth_key.response);
>                         ses->auth_key.response = NULL;
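Review bot: With the `server->sign &&` test dropped from the condition, generate_signingkey() runs for every session that has the op, and its result is still stored in `rc`, so a key-derivation error now reaches the exit path on mounts that never negotiated signing. Since this is a partial pick of cabfb3680f78, say so in the changelog, and consider treating a failure as fatal only where the key is actually needed (signing negotiated, or the validate negotiate request that the next hunk forces to be signed).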
> @@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
>         } else
>                 iov[0].iov_len = get_rfc1002_length(req) + 4;
>  
> +       /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> +       if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> +               req->hdr.Flags |= SMB2_FLAGS_SIGNED;
>  
>         rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
>         rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
> 
> 
> 
> This fixes the NULL pointer dereference, but the mount still fails, but
> this time for a different reason -- due to STATUS_ACCESS_DENIED:
> 
> 
> # mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir
> 
> mount.cifs kernel mount options: ip=<ip_addr>,unc=\\<ip_addr>\TestSMB,vers=3.0,user=srivatsa,pass=********
> mount error(5): Input/output error
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> Here is the dmesg output:
> 
> [   48.192141] fs/cifs/cifsfs.c: Devname: //<ip_addr>/TestSMB/ flags: 0
> [   48.192178] address conversion returned 1 for <ip_addr>
> [   48.192205] fs/cifs/connect.c: Username: srivatsa
> [   48.192222] fs/cifs/connect.c: file mode: 0x1ed  dir mode: 0x1ed
> [   48.192280] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 0 with uid: 0
> [   48.192302] fs/cifs/connect.c: UNC: \\<ip_addr>\TestSMB
> [   48.192335] fs/cifs/connect.c: Socket created
> [   48.192349] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x6d6
> [   48.193453] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 1 with uid: 0
> [   48.193462] fs/cifs/connect.c: Demultiplex PID: 829
> [   48.193492] fs/cifs/connect.c: Existing smb sess not found
> [   48.193510] fs/cifs/smb2pdu.c: Negotiate protocol
> [   48.193531] fs/cifs/transport.c: Sending smb: smb_len=102
> [   48.194301] fs/cifs/connect.c: RFC1002 header 0xaa
> [   48.194321] fs/cifs/smb2misc.c: smb2_check_message length: 0xae, smb_buf_length: 0xaa
> [   48.194349] fs/cifs/smb2misc.c: SMB2 data length 42 offset 128
> [   48.194367] fs/cifs/smb2misc.c: SMB2 len 174
> [   48.194393] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
> [   48.194415] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> [   48.194436] fs/cifs/smb2pdu.c: mode 0x1
> [   48.194448] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
> [   48.194466] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> [   48.194484] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> [   48.194502] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300007 TimeAdjust: 0
> [   48.194525] fs/cifs/smb2pdu.c: Session Setup
> [   48.194539] fs/cifs/transport.c: Sending smb: smb_len=120
> [   48.194817] fs/cifs/connect.c: RFC1002 header 0x136
> [   48.194836] fs/cifs/smb2misc.c: smb2_check_message length: 0x13a, smb_buf_length: 0x136
> [   48.194859] fs/cifs/smb2misc.c: SMB2 data length 238 offset 72
> [   48.195306] fs/cifs/smb2misc.c: SMB2 len 314
> [   48.195740] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
> [   48.196174] Status code returned 0xc0000016 STATUS_MORE_PROCESSING_REQUIRED
> [   48.196605] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741802 to POSIX err -5
> [   48.197043] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> [   48.210008] fs/cifs/transport.c: Sending smb: smb_len=412
> [   48.211625] fs/cifs/connect.c: RFC1002 header 0x48
> [   48.212060] fs/cifs/smb2misc.c: smb2_check_message length: 0x4c, smb_buf_length: 0x48
> [   48.212494] fs/cifs/smb2misc.c: SMB2 data length 0 offset 72
> [   48.212919] fs/cifs/smb2misc.c: SMB2 len 77
> [   48.213364] fs/cifs/smb2misc.c: Calculated size 77 length 76 mismatch mid 2
> [   48.213807] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=4
> [   48.214242] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> [   48.219385] fs/cifs/smb2pdu.c: SMB2/3 session established successfully
> [   48.219831] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 1) rc = 0
> [   48.220276] fs/cifs/connect.c: CIFS VFS: in cifs_get_tcon as Xid: 2 with uid: 0
> [   48.220724] fs/cifs/smb2pdu.c: TCON
> [   48.221182] fs/cifs/transport.c: Sending smb: smb_len=122
> [   48.221830] fs/cifs/connect.c: RFC1002 header 0x50
> [   48.222280] fs/cifs/smb2misc.c: smb2_check_message length: 0x54, smb_buf_length: 0x50
> [   48.222734] fs/cifs/smb2misc.c: SMB2 len 84
> [   48.223199] fs/cifs/transport.c: cifs_sync_mid_result: cmd=3 mid=3 state=4
> [   48.223656] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> [   48.224107] fs/cifs/smb2pdu.c: connection to disk share
> [   48.224560] fs/cifs/smb2pdu.c: validate negotiate
> [   48.225015] fs/cifs/smb2pdu.c: SMB2 IOCTL
> [   48.225456] fs/cifs/transport.c: Sending smb: smb_len=146
> [   48.226049] fs/cifs/connect.c: RFC1002 header 0x49
> [   48.226498] fs/cifs/smb2misc.c: smb2_check_message length: 0x4d, smb_buf_length: 0x49
> [   48.226951] fs/cifs/smb2misc.c: SMB2 data length 0 offset 0
> [   48.227408] fs/cifs/smb2misc.c: SMB2 len 77
> [   48.227863] fs/cifs/transport.c: cifs_sync_mid_result: cmd=11 mid=4 state=4
> [   48.228318] Status code returned 0xc0000022 STATUS_ACCESS_DENIED
> [   48.228780] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741790 to POSIX err -13
> [   48.229265] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> [   48.229732] CIFS VFS: validate protocol negotiate failed: -13
> [   48.230197] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_tcon (xid = 2) rc = -5
> [   48.230681] fs/cifs/connect.c: Tcon rc = -5
> [   48.231150] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\<ip_addr>\TestSMB
> [   48.231634] fs/cifs/connect.c: cifs_put_smb_ses: ses_count=1
> [   48.232101] fs/cifs/connect.c: CIFS VFS: in cifs_put_smb_ses as Xid: 3 with uid: 0
> [   48.232569] fs/cifs/smb2pdu.c: disconnect session ffff8800b9189e00
> [   48.233053] fs/cifs/transport.c: Sending smb: smb_len=68
> [   48.233651] fs/cifs/connect.c: RFC1002 header 0x44
> [   48.234116] fs/cifs/smb2misc.c: smb2_check_message length: 0x48, smb_buf_length: 0x44
> [   48.234585] fs/cifs/smb2misc.c: SMB2 len 72
> [   48.235063] fs/cifs/transport.c: cifs_sync_mid_result: cmd=2 mid=5 state=4
> [   48.235541] SendRcvNoRsp flags 64 rc 0
> [   48.236075] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 0) rc = -5
> [   48.236556] CIFS VFS: cifs_mount failed w/return code = -5
> 
> 
> Any thoughts on what is the right fix for stable kernels? Mounting SMB3
> shares works great on mainline (v4.15-rc5). It also works on 4.4.109 if
> I pass the sec=ntlmsspi option to the mount command (as opposed to the
> default: sec=ntlmssp). Please let me know if you need any other info.
> 
> Thank you!
> 
> Regards,
> Srivatsa
>


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-01-18 21:25         ` Srivatsa S. Bhat
@ 2018-01-19 13:23           ` Aurélien Aptel
  2018-01-30  3:31             ` Srivatsa S. Bhat
  0 siblings, 1 reply; 71+ messages in thread
From: Aurélien Aptel @ 2018-01-19 13:23 UTC (permalink / raw)
  To: Srivatsa S. Bhat, Greg Kroah-Hartman, Thomas Backlund, Steve French
  Cc: linux-kernel, stable, lsahlber, pshilov, linux-cifs

Hi,

"Srivatsa S. Bhat" <srivatsa@csail.mit.edu> writes:
>> Any thoughts on what is the right fix for stable kernels? Mounting SMB3
>> shares works great on mainline (v4.15-rc5). It also works on 4.4.109 if
>> I pass the sec=ntlmsspi option to the mount command (as opposed to the
>> default: sec=ntlmssp). Please let me know if you need any other info.

Make sure you have (in that order):

db3b5474f462 ("CIFS: Fix NULL pointer deref on SMB2_tcon() failure")
fe83bebc0522 ("SMB: fix leak of validate negotiate info response buffer")
a2d9daad1d2d ("SMB: fix validate negotiate info uninitialised memory use")
4587eee04e2a ("SMB3: Validate negotiate request must always be signed")
a821df3f1af7 ("cifs: fix NULL deref in SMB2_read")

Does enabling CIFS_SMB311 change anything?

I also suspect some things assume encryption patches are in.

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-01-19 13:23           ` Aurélien Aptel
@ 2018-01-30  3:31             ` Srivatsa S. Bhat
  0 siblings, 0 replies; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-01-30  3:31 UTC (permalink / raw)
  To: Aurélien Aptel, Greg Kroah-Hartman, Thomas Backlund, Steve French
  Cc: linux-kernel, stable, lsahlber, pshilov, linux-cifs

Hi Aurélien,

On 1/19/18 5:23 AM, Aurélien Aptel wrote:
> Hi,
> 
> "Srivatsa S. Bhat" <srivatsa@csail.mit.edu> writes:
>>> Any thoughts on what is the right fix for stable kernels? Mounting SMB3
>>> shares works great on mainline (v4.15-rc5). It also works on 4.4.109 if
>>> I pass the sec=ntlmsspi option to the mount command (as opposed to the
>>> default: sec=ntlmssp). Please let me know if you need any other info.
> 
> Make sure you have (in that order):
> 
> db3b5474f462 ("CIFS: Fix NULL pointer deref on SMB2_tcon() failure")
> fe83bebc0522 ("SMB: fix leak of validate negotiate info response buffer")
> a2d9daad1d2d ("SMB: fix validate negotiate info uninitialised memory use")
> 4587eee04e2a ("SMB3: Validate negotiate request must always be signed")
> a821df3f1af7 ("cifs: fix NULL deref in SMB2_read")
> 
> Does enabling CIFS_SMB311 change anything?
> 

Thank you for looking into this. I tried applying these patches on top 
of 4.4.113 and 4.9.78, but that didn't fix the problem on either kernel,
with or without CONFIG_CIFS_SMB311 enabled.

(By the way, shouldn't these patches be applied to stable kernels anyway?
I was a bit surprised that none of them are present in 4.4.113 and 4.9.78).

> I also suspect some things assume encryption patches are in.
> 

Do you happen to know which patches they might be? In any case, I'm using
the latest (unmodified) 4.4 and 4.9 stable kernels, so I hope the necessary
support is already present in them.

The 5 patches you suggested above needed a bit of fixup by hand for 4.4.113,
so I have shared my combined patch below for reference, which applies
cleanly on top of 4.4.113. (The same patch applies on 4.9.78 as well, with
some minor line-number differences).

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f2ff60e..92abb8b9 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -519,7 +519,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 {
 	int rc = 0;
 	struct validate_negotiate_info_req vneg_inbuf;
-	struct validate_negotiate_info_rsp *pneg_rsp;
+	struct validate_negotiate_info_rsp *pneg_rsp = NULL;
 	u32 rsplen;
 
 	cifs_dbg(FYI, "validate negotiate\n");
@@ -575,8 +575,9 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 			 rsplen);
 
 		/* relax check since Mac returns max bufsize allowed on ioctl */
-		if (rsplen > CIFSMaxBufSize)
-			return -EIO;
+		if ((rsplen > CIFSMaxBufSize)
+			|| (rsplen < sizeof(struct validate_negotiate_info_rsp)))
+			goto err_rsp_free;
 	}
 
 	/* check validate negotiate info response matches what we got earlier */
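Review bot: The comment kept above the rewritten test, "relax check since Mac returns max bufsize allowed on ioctl", explains only the upper bound, while the new `rsplen < sizeof(struct validate_negotiate_info_rsp)` lower bound is the part that stops a short reply from being read as a full structure; extend the comment to cover it. The leading `||` on the continuation line also departs from the usual kernel layout of ending the previous line with the operator.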
@@ -595,10 +596,13 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 
 	/* validate negotiate successful */
 	cifs_dbg(FYI, "validate negotiate info successful\n");
+	kfree(pneg_rsp);
 	return 0;
 
 vneg_out:
 	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+err_rsp_free:
+	kfree(pneg_rsp);
 	return -EIO;
 }
 
@@ -1042,7 +1046,7 @@ tcon_exit:
 	return rc;
 
 tcon_error_exit:
-	if (rsp->hdr.Status == STATUS_BAD_NETWORK_NAME) {
+	if (rsp && rsp->hdr.Status == STATUS_BAD_NETWORK_NAME) {
 		cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree);
 	}
 	goto tcon_exit;
@@ -1559,6 +1563,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	} else
 		iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+		req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
 	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
 	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
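Review bot: Nothing in this hunk checks that the session has its signing state set up before `SMB2_FLAGS_SIGNED` is forced onto the request, and this combined patch does not carry the generate_signingkey change from the earlier two-hunk version in this thread. The oops reported below runs from smb3_validate_negotiate through SMB2_ioctl and smb3_calc_signature into crypto_shash_setkey, so the flag should be set only once the key and shash are known to exist, or the request should fail cleanly with an error instead.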
@@ -2159,23 +2166,22 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
 
 	rsp = (struct smb2_read_rsp *)iov[0].iov_base;
 
-	if (rsp->hdr.Status == STATUS_END_OF_FILE) {
+	if (rc) {
+		if (rc != -ENODATA) {
+			cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
+			cifs_dbg(VFS, "Send error in read = %d\n", rc);
+		}
 		free_rsp_buf(resp_buftype, iov[0].iov_base);
-		return 0;
+		return rc == -ENODATA ? 0 : rc;
 	}
 
-	if (rc) {
-		cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
-		cifs_dbg(VFS, "Send error in read = %d\n", rc);
-	} else {
-		*nbytes = le32_to_cpu(rsp->DataLength);
-		if ((*nbytes > CIFS_MAX_MSGSIZE) ||
-		    (*nbytes > io_parms->length)) {
-			cifs_dbg(FYI, "bad length %d for count %d\n",
-				 *nbytes, io_parms->length);
-			rc = -EIO;
-			*nbytes = 0;
-		}
+	*nbytes = le32_to_cpu(rsp->DataLength);
+	if ((*nbytes > CIFS_MAX_MSGSIZE) ||
+	    (*nbytes > io_parms->length)) {
+		cifs_dbg(FYI, "bad length %d for count %d\n",
+			 *nbytes, io_parms->length);
+		rc = -EIO;
+		*nbytes = 0;
 	}
 
 	if (*buf) {
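Review bot: The end-of-file case moves from testing `rsp->hdr.Status == STATUS_END_OF_FILE` to testing `rc == -ENODATA`, which behaves the same only if this tree's status mapping turns STATUS_END_OF_FILE into -ENODATA; confirm that on 4.4 and 4.9 before relying on it, otherwise a read at EOF is counted as a failure and logged as "Send error in read". Moving the `rsp` dereference behind the `rc` check is the right direction, since the removed first test read `rsp->hdr.Status` before `rc` had been looked at.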



With this patch (and CONFIG_CIFS_SMB311 enabled), the 4.4.113 kernel crashes as
shown below when I try:

# mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir

[   14.638907] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[   14.638940] IP: [<ffffffff8139221a>] crypto_shash_setkey+0x1a/0xc0
[   14.638964] PGD 0 
[   14.638972] Oops: 0000 [#1] SMP 
[   14.638985] Modules linked in: arc4(E) ecb(E) md4(E) cifs(E) dns_resolver(E) vmw_vsock_vmci_transport(E) vsock(E) xt_conntrack(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) iptable_filter(E) ip_tables(E) xt_LOG(E) nf_conntrack(E) hid_generic(E) usbhid(E) hid(E) mousedev(E) crc32c_intel(E) jitterentropy_rng(E) hmac(E) sha256_ssse3(E) sha256_generic(E) uhci_hcd(E) drbg(E) ansi_cprng(E) aesni_intel(E) ehci_pci(E) aes_x86_64(E) glue_helper(E) ehci_hcd(E) lrw(E) gf128mul(E) usbcore(E) ablk_helper(E) psmouse(E) cryptd(E) vmw_balloon(E) evdev(E) intel_agp(E) vmw_vmci(E) usb_common(E) i2c_piix4(E) intel_gtt(E) nfit(E) battery(E) tpm_tis(E) tpm(E) ac(E) button(E) sch_fq_codel(E) autofs4(E)
[   14.639237] CPU: 0 PID: 841 Comm: mount.cifs Tainted: G            E   4.4.113-fixes-smb311+ #33
[   14.639263] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
[   14.639294] task: ffff8800ae811440 ti: ffff8800b9d4c000 task.ti: ffff8800b9d4c000
[   14.639315] RIP: 0010:[<ffffffff8139221a>]  [<ffffffff8139221a>] crypto_shash_setkey+0x1a/0xc0
[   14.639343] RSP: 0018:ffff8800b9d4f9a8  EFLAGS: 00010282
[   14.639358] RAX: ffff88013305d580 RBX: ffff8800ba2ed000 RCX: 00000000fffee93f
[   14.639379] RDX: 0000000000000010 RSI: ffff8800b9f58d18 RDI: 0000000000000000
[   14.639399] RBP: ffff8800b9d4f9e0 R08: ffff8800b9d4fb64 R09: 0000000000000000
[   14.639420] R10: 3036312e3130312e R11: 424d53747365545c R12: 0000000000000002
[   14.639440] R13: 0000000000000000 R14: ffff8800b9f58d18 R15: 0000000000000010
[   14.639461] FS:  00007f02bcb74740(0000) GS:ffff88013fc00000(0000) knlGS:0000000000000000
[   14.639484] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   14.639501] CR2: 0000000000000050 CR3: 00000000ae9f8000 CR4: 0000000000160670
[   14.639558] Stack:
[   14.639566]  ffff8800b66789c0 ffff8800b9d4fa08 ffff8800ba2ed000 0000000000000002
[   14.639592]  ffff8800b9d4fac8 00000c0094000029 ffff8800ba2ed000 ffff8800b9d4fa50
[   14.639618]  ffffffffa02594f6 ffff8800b9d4fb70 ffff88013305d580 0000000000000002
[   14.639644] Call Trace:
[   14.639669]  [<ffffffffa02594f6>] smb3_calc_signature+0xb6/0x290 [cifs]
[   14.639699]  [<ffffffffa0258bab>] smb2_sign_rqst+0x2b/0x40 [cifs]
[   14.639726]  [<ffffffffa02599d1>] smb2_setup_request+0xd1/0x170 [cifs]
[   14.640347]  [<ffffffffa0248be7>] SendReceive2+0xc7/0x450 [cifs]
[   14.640958]  [<ffffffffa02461b5>] ? cifs_small_buf_get+0x15/0x30 [cifs]
[   14.641582]  [<ffffffffa025b89f>] ? small_smb2_init+0xdf/0x200 [cifs]
[   14.642172]  [<ffffffffa025d867>] SMB2_ioctl+0x147/0x310 [cifs]
[   14.642753]  [<ffffffffa025db37>] smb3_validate_negotiate+0x107/0x2e0 [cifs]
[   14.643336]  [<ffffffffa025b1eb>] SMB2_tcon+0x29b/0x510 [cifs]
[   14.643921]  [<ffffffffa0230c5b>] cifs_get_tcon+0x1bb/0x560 [cifs]
[   14.644501]  [<ffffffffa02335f0>] cifs_mount+0x690/0xde0 [cifs]
[   14.645061]  [<ffffffffa021f6eb>] cifs_do_mount+0xcb/0x5a0 [cifs]
[   14.645618]  [<ffffffff81196057>] ? alloc_pages_current+0x87/0x110
[   14.646149]  [<ffffffff811baa83>] mount_fs+0x33/0x160
[   14.646663]  [<ffffffff811d4b22>] vfs_kern_mount+0x62/0x100
[   14.647163]  [<ffffffff811d6edb>] do_mount+0x21b/0xd30
[   14.647653]  [<ffffffff81196057>] ? alloc_pages_current+0x87/0x110
[   14.648128]  [<ffffffff811d7d07>] SyS_mount+0x87/0xd0
[   14.648591]  [<ffffffff817db31b>] entry_SYSCALL_64_fastpath+0x18/0x93
[   14.649047] Code: 89 e5 8b 12 e8 a8 cd 04 00 31 c0 5d c3 0f 1f 40 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fd 53 49 89 f6 41 89 d7 48 83 ec 10 <4c> 8b 67 50 41 8b 5c 24 2c 48 85 de 75 14 41 ff 54 24 e8 48 83 
[   14.650496] RIP  [<ffffffff8139221a>] crypto_shash_setkey+0x1a/0xc0
[   14.650953]  RSP <ffff8800b9d4f9a8>
[   14.651397] CR2: 0000000000000050
[   14.651861] ---[ end trace c98f651d4ccb0d7d ]---


Regards,
Srivatsa


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-01-04  2:15       ` Srivatsa S. Bhat
  2018-01-18 21:25         ` Srivatsa S. Bhat
@ 2018-02-27  3:44         ` Srivatsa S. Bhat
  2018-02-27  8:54           ` Greg Kroah-Hartman
  1 sibling, 1 reply; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-02-27  3:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Thomas Backlund, Steve French, Aurélien Aptel
  Cc: linux-kernel, stable, lsahlber, pshilov, linux-cifs

On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>
>>>> ------------------
>>>>
>>>> From: Steve French <smfrench@gmail.com>
>>>>
>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>
>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>
>>>> See kernel bugzilla bug 197311
>>>>
>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>
>>>> ---
>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>   1 file changed, 3 insertions(+)
>>>>
>>>> --- a/fs/cifs/smb2pdu.c
>>>> +++ b/fs/cifs/smb2pdu.c
>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>   	} else
>>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>   	cifs_small_buf_release(req);
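Review bot: The added line writes the flag through `req->hdr.sync_hdr.Flags` and the context calls SendReceive2() with `n_iov, &resp_buftype, flags, &rsp_iov`, whereas the 4.4-based diffs in this thread use `req->hdr.Flags` and `num_iovecs, &resp_buftype, 0`. A backport for the older trees needs the field path and call adjusted to that layout, and the commit message should cite MS-SMB2 3.2.5.5 as the code comment does, not 3.2.55.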
>>>>
>>>>
>>>>
>>>
>>> This one needs to be backported to all stable kernels as the commit that
>>> introduced the regression:
>>> '
>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>
>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>
>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>> apply it :)
>>
>> Can you provide me with a working backport?
>>
> 
> Hi Steve,
> 
> Is there a version of this fix available for stable kernels?
> 

Hi Greg,

Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
due to the issues that I have described in detail on this mail thread.

Since there is no apparent fix for this bug on stable kernels, could
you please consider reverting the original commit that caused this
regression?

That commit was intended to enhance security, which is probably why it
was backported to stable kernels in the first place; but instead it
ends up breaking basic functionality itself (mounting). So in the
absence of a proper fix, I don't see much of an option but to revert
that commit.

So, please consider reverting the following:

commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
against downgrade) even if signing off" on 4.4.118

commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
against downgrade) even if signing off" on 4.9.84

They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
upstream. Both these patches should revert cleanly. 

Thank you!

Regards,
Srivatsa


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27  3:44         ` Srivatsa S. Bhat
@ 2018-02-27  8:54           ` Greg Kroah-Hartman
  2018-02-27  9:22             ` Srivatsa S. Bhat
  0 siblings, 1 reply; 71+ messages in thread
From: Greg Kroah-Hartman @ 2018-02-27  8:54 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Thomas Backlund, Steve French, Aurélien Aptel, linux-kernel,
	stable, lsahlber, pshilov, linux-cifs

On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
> > On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
> >> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
> >>> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
> >>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
> >>>>
> >>>> ------------------
> >>>>
> >>>> From: Steve French <smfrench@gmail.com>
> >>>>
> >>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
> >>>>
> >>>> According to MS-SMB2 3.2.55 validate_negotiate request must
> >>>> always be signed. Some Windows can fail the request if you send it unsigned
> >>>>
> >>>> See kernel bugzilla bug 197311
> >>>>
> >>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
> >>>> Signed-off-by: Steve French <smfrench@gmail.com>
> >>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >>>>
> >>>> ---
> >>>>   fs/cifs/smb2pdu.c |    3 +++
> >>>>   1 file changed, 3 insertions(+)
> >>>>
> >>>> --- a/fs/cifs/smb2pdu.c
> >>>> +++ b/fs/cifs/smb2pdu.c
> >>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
> >>>>   	} else
> >>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
> >>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> >>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> >>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
> >>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
> >>>>   	cifs_small_buf_release(req);
> >>>>
> >>>>
> >>>>
> >>>
> >>> This one needs to be backported to all stable kernels as the commit that
> >>> introduced the regression:
> >>> '
> >>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> >>> SMB: Validate negotiate (to protect against downgrade) even if signing off
> >>>
> >>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
> >>
> >> Oh wait, it breaks the builds on older kernels, that's why I didn't
> >> apply it :)
> >>
> >> Can you provide me with a working backport?
> >>
> > 
> > Hi Steve,
> > 
> > Is there a version of this fix available for stable kernels?
> > 
> 
> Hi Greg,
> 
> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
> due to the issues that I have described in detail on this mail thread.
> 
> Since there is no apparent fix for this bug on stable kernels, could
> you please consider reverting the original commit that caused this
> regression?
> 
> That commit was intended to enhance security, which is probably why it
> was backported to stable kernels in the first place; but instead it
> ends up breaking basic functionality itself (mounting). So in the
> absence of a proper fix, I don't see much of an option but to revert
> that commit.
> 
> So, please consider reverting the following:
> 
> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
> against downgrade) even if signing off" on 4.4.118
> 
> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
> against downgrade) even if signing off" on 4.9.84
> 
> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> upstream. Both these patches should revert cleanly. 

Do you still have this same problem on 4.14 and 4.15?  If so, the issue
needs to get fixed there, not papered-over by reverting these old
changes, as you will hit the issue again in the future when you update
to a newer kernel version.

thanks,

greg k-h


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27  8:54           ` Greg Kroah-Hartman
@ 2018-02-27  9:22             ` Srivatsa S. Bhat
  2018-02-27 12:40               ` Greg Kroah-Hartman
  0 siblings, 1 reply; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-02-27  9:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Thomas Backlund, Steve French, Aurélien Aptel, linux-kernel,
	stable, lsahlber, pshilov, linux-cifs

On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>
>>>>>> ------------------
>>>>>>
>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>
>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>
>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>
>>>>>> See kernel bugzilla bug 197311
>>>>>>
>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>
>>>>>> ---
>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>   1 file changed, 3 insertions(+)
>>>>>>
>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>   	} else
>>>>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>   	cifs_small_buf_release(req);
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>> introduced the regression:
>>>>> '
>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>
>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>
>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>> apply it :)
>>>>
>>>> Can you provide me with a working backport?
>>>>
>>>
>>> Hi Steve,
>>>
>>> Is there a version of this fix available for stable kernels?
>>>
>>
>> Hi Greg,
>>
>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>> due to the issues that I have described in detail on this mail thread.
>>
>> Since there is no apparent fix for this bug on stable kernels, could
>> you please consider reverting the original commit that caused this
>> regression?
>>
>> That commit was intended to enhance security, which is probably why it
>> was backported to stable kernels in the first place; but instead it
>> ends up breaking basic functionality itself (mounting). So in the
>> absence of a proper fix, I don't see much of an option but to revert
>> that commit.
>>
>> So, please consider reverting the following:
>>
>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>> against downgrade) even if signing off" on 4.4.118
>>
>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>> against downgrade) even if signing off" on 4.9.84
>>
>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>> upstream. Both these patches should revert cleanly. 
> 
> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
> needs to get fixed there, not papered-over by reverting these old
> changes, as you will hit the issue again in the future when you update
> to a newer kernel version.
> 

4.14 and 4.15 work great! (I had mentioned this in my original bug
report but forgot to summarize it here, sorry).

Thank you!

Regards,
Srivatsa


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27  9:22             ` Srivatsa S. Bhat
@ 2018-02-27 12:40               ` Greg Kroah-Hartman
  2018-02-27 17:45                 ` Srivatsa S. Bhat
  0 siblings, 1 reply; 71+ messages in thread
From: Greg Kroah-Hartman @ 2018-02-27 12:40 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Thomas Backlund, Steve French, Aurélien Aptel, linux-kernel,
	stable, lsahlber, pshilov, linux-cifs

On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
> > On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
> >> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
> >>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
> >>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
> >>>>> On 31.10.2017 at 11:55, Greg Kroah-Hartman wrote:
> >>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
> >>>>>>
> >>>>>> ------------------
> >>>>>>
> >>>>>> From: Steve French <smfrench@gmail.com>
> >>>>>>
> >>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
> >>>>>>
> >>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
> >>>>>> always be signed. Some Windows can fail the request if you send it unsigned
> >>>>>>
> >>>>>> See kernel bugzilla bug 197311
> >>>>>>
> >>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
> >>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
> >>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >>>>>>
> >>>>>> ---
> >>>>>>   fs/cifs/smb2pdu.c |    3 +++
> >>>>>>   1 file changed, 3 insertions(+)
> >>>>>>
> >>>>>> --- a/fs/cifs/smb2pdu.c
> >>>>>> +++ b/fs/cifs/smb2pdu.c
> >>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
> >>>>>>   	} else
> >>>>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
> >>>>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
> >>>>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> >>>>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
> >>>>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
> >>>>>>   	cifs_small_buf_release(req);
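Review bot: the added `if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)` block only sets SMB2_FLAGS_SIGNED in the request header, and nothing visible in this hunk checks that the session has a signing key or shows that SendReceive2() computes a signature from the flag alone; please confirm what happens for sessions that cannot sign, and say so in the comment. The code comment cites MS-SMB2 3.2.5.5 while the commit message cites 3.2.55, so one of the two references needs correcting. A blank line before the new comment would also keep it from reading as part of the `else` branch above it.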
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> This one needs to be backported to all stable kernels as the commit that
> >>>>> introduced the regression:
> >>>>> '
> >>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> >>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
> >>>>>
> >>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
> >>>>
> >>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
> >>>> apply it :)
> >>>>
> >>>> Can you provide me with a working backport?
> >>>>
> >>>
> >>> Hi Steve,
> >>>
> >>> Is there a version of this fix available for stable kernels?
> >>>
> >>
> >> Hi Greg,
> >>
> >> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
> >> due to the issues that I have described in detail on this mail thread.
> >>
> >> Since there is no apparent fix for this bug on stable kernels, could
> >> you please consider reverting the original commit that caused this
> >> regression?
> >>
> >> That commit was intended to enhance security, which is probably why it
> >> was backported to stable kernels in the first place; but instead it
> >> ends up breaking basic functionality itself (mounting). So in the
> >> absence of a proper fix, I don't see much of an option but to revert
> >> that commit.
> >>
> >> So, please consider reverting the following:
> >>
> >> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
> >> against downgrade) even if signing off" on 4.4.118
> >>
> >> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
> >> against downgrade) even if signing off" on 4.9.84
> >>
> >> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> >> upstream. Both these patches should revert cleanly. 
> > 
> > Do you still have this same problem on 4.14 and 4.15?  If so, the issue
> > needs to get fixed there, not papered-over by reverting these old
> > changes, as you will hit the issue again in the future when you update
> > to a newer kernel version.
> > 
> 
> 4.14 and 4.15 work great! (I had mentioned this is in my original bug
> report but forgot to summarize it here, sorry).


Then what is the bugfix that should be applied here in order to keep
things working with these patches applied?

thanks,

greg k-h


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27 12:40               ` Greg Kroah-Hartman
@ 2018-02-27 17:45                 ` Srivatsa S. Bhat
  2018-02-27 17:55                   ` Steve French
  2018-02-27 17:56                   ` Steve French
  0 siblings, 2 replies; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-02-27 17:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Thomas Backlund, Steve French, Aurélien Aptel, linux-kernel,
	stable, lsahlber, pshilov, linux-cifs

On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
> On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
>> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
>>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>>>
>>>>>>>> ------------------
>>>>>>>>
>>>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>>>
>>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>>>
>>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>>>
>>>>>>>> See kernel bugzilla bug 197311
>>>>>>>>
>>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>>>
>>>>>>>> ---
>>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>>>   1 file changed, 3 insertions(+)
>>>>>>>>
>>>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>>>   	} else
>>>>>>>>   		iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>>>> +	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>>>> +	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>>>> +		req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>>>   	rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>>>   	cifs_small_buf_release(req);
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>>>> introduced the regression:
>>>>>>> '
>>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>>>
>>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>>>
>>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>>>> apply it :)
>>>>>>
>>>>>> Can you provide me with a working backport?
>>>>>>
>>>>>
>>>>> Hi Steve,
>>>>>
>>>>> Is there a version of this fix available for stable kernels?
>>>>>
>>>>
>>>> Hi Greg,
>>>>
>>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>>>> due to the issues that I have described in detail on this mail thread.
>>>>
>>>> Since there is no apparent fix for this bug on stable kernels, could
>>>> you please consider reverting the original commit that caused this
>>>> regression?
>>>>
>>>> That commit was intended to enhance security, which is probably why it
>>>> was backported to stable kernels in the first place; but instead it
>>>> ends up breaking basic functionality itself (mounting). So in the
>>>> absence of a proper fix, I don't see much of an option but to revert
>>>> that commit.
>>>>
>>>> So, please consider reverting the following:
>>>>
>>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>>>> against downgrade) even if signing off" on 4.4.118
>>>>
>>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>>>> against downgrade) even if signing off" on 4.9.84
>>>>
>>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>> upstream. Both these patches should revert cleanly. 
>>>
>>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
>>> needs to get fixed there, not papered-over by reverting these old
>>> changes, as you will hit the issue again in the future when you update
>>> to a newer kernel version.
>>>
>>
>> 4.14 and 4.15 work great! (I had mentioned this is in my original bug
>> report but forgot to summarize it here, sorry).
> 
> 
> Then what is the bugfix that should be applied here in order to keep
> things working with these patches applied?
> 

That would be the one mentioned in the subject line of this thread :)
However, a working backport of that fix is not available for 4.4 and
4.9, hence the trouble.

It looks like we are reconstructing elements of this email thread all
over again, so let me quickly summarize the status so far:

In 4.14/4.15/mainline,
- commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
  downgrade) even if signing off) caused mount regression with SMB v3.

- commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
  always be signed) fixed the issue.

- [ There was a lot of code churn in the CIFS/SMB codebase between
    these two commits in mainline. ]

In this email thread, you backported the fix to stable 4.13. Thomas
noticed that the problematic commit had also made it to stable series
such as 4.4 and 4.9, and requested a backport of the fix to those
trees as well. However, a straightforward backport of the fix to 4.4
and 4.9 breaks the build, so no fix was available for those kernels.

I investigated this and tried to produce a working backport of the fix
to 4.4 and 4.9, but didn't succeed, despite trying several variations
as well as suggestions from Aurelien [1][2]. So, given that there is
still no known fix for the mount regression on 4.4 and 4.9 stable
series at this point, I decided to request a revert of the problematic
commit that caused the regression in those kernels.

[1]. https://lkml.org/lkml/2018/1/3/892
[2]. https://lkml.org/lkml/2018/1/29/1009

Regards,
Srivatsa

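To check a packet capture for the condition this thread is about (a validate negotiate IOCTL request sent without signing), the following added example classifies a raw SMB2 request; it is not code from the kernel or from anyone in the thread. The header offsets and constant values follow MS-SMB2 and are an assumption of this example, `classify_request` and `verdict_for_sample` are hypothetical names, and the sample messages are constructed rather than captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values and offsets per MS-SMB2 (assumption of this example). */
#define SMB2_HDR_LEN                  64          /* fixed SMB2 header size */
#define SMB2_IOCTL_FIXED_LEN          56          /* IOCTL request, fixed part */
#define SMB2_CMD_IOCTL                0x000B
#define SMB2_FLAGS_SERVER_TO_REDIR    0x00000001u /* set on responses */
#define SMB2_FLAGS_SIGNED             0x00000008u
#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204u

enum vn_verdict {
    VN_MALFORMED = -1,  /* not a well-formed SMB2 message */
    VN_OTHER = 0,       /* a response, or some other request */
    VN_SIGNED = 1,      /* validate negotiate, flag set, signature present */
    VN_UNSIGNED = 2,    /* validate negotiate without SMB2_FLAGS_SIGNED */
    VN_FLAG_NO_SIG = 3  /* flag set but the signature field is all zero */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* msg points at the SMB2 header, i.e. after the 4-byte transport length. */
enum vn_verdict classify_request(const uint8_t *msg, size_t len)
{
    static const uint8_t magic[4] = { 0xFE, 'S', 'M', 'B' };
    static const uint8_t zero_sig[16] = { 0 };
    uint32_t flags;

    if (len < SMB2_HDR_LEN || memcmp(msg, magic, 4) != 0 ||
        le16(msg + 4) != SMB2_HDR_LEN)
        return VN_MALFORMED;

    flags = le32(msg + 16);                     /* header Flags field */
    if ((flags & SMB2_FLAGS_SERVER_TO_REDIR) ||
        le16(msg + 12) != SMB2_CMD_IOCTL)       /* header Command field */
        return VN_OTHER;

    /* IOCTL body: StructureSize(2)=57, Reserved(2), CtlCode(4), ... */
    if (len < SMB2_HDR_LEN + SMB2_IOCTL_FIXED_LEN || le16(msg + 64) != 57)
        return VN_MALFORMED;
    if (le32(msg + 68) != FSCTL_VALIDATE_NEGOTIATE_INFO)
        return VN_OTHER;

    if (!(flags & SMB2_FLAGS_SIGNED))
        return VN_UNSIGNED;
    /* The flag alone proves nothing: check the 16-byte Signature field. */
    return memcmp(msg + 48, zero_sig, 16) == 0 ? VN_FLAG_NO_SIG : VN_SIGNED;
}

/* Build a constructed sample request (not a real capture) and classify it. */
int verdict_for_sample(uint16_t command, uint32_t ctl_code, uint32_t flags,
                       uint8_t sig_fill)
{
    uint8_t msg[SMB2_HDR_LEN + SMB2_IOCTL_FIXED_LEN];

    memset(msg, 0, sizeof(msg));
    msg[0] = 0xFE; msg[1] = 'S'; msg[2] = 'M'; msg[3] = 'B';
    put16(msg + 4, SMB2_HDR_LEN);
    put16(msg + 12, command);
    put32(msg + 16, flags);
    memset(msg + 48, sig_fill, 16);             /* Signature field */
    put16(msg + 64, 57);                        /* IOCTL StructureSize */
    put32(msg + 68, ctl_code);
    return classify_request(msg, sizeof(msg));
}

int main(void)
{
    printf("unsigned validate negotiate: %d\n",
           verdict_for_sample(SMB2_CMD_IOCTL, FSCTL_VALIDATE_NEGOTIATE_INFO,
                              0, 0x00));
    printf("signed validate negotiate:   %d\n",
           verdict_for_sample(SMB2_CMD_IOCTL, FSCTL_VALIDATE_NEGOTIATE_INFO,
                              SMB2_FLAGS_SIGNED, 0xA5));
    printf("flag set, zero signature:    %d\n",
           verdict_for_sample(SMB2_CMD_IOCTL, FSCTL_VALIDATE_NEGOTIATE_INFO,
                              SMB2_FLAGS_SIGNED, 0x00));
    return 0;
}
```

A `VN_UNSIGNED` or `VN_FLAG_NO_SIG` verdict on a client's request is the case to look at when a server rejects validate negotiate.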

* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27 17:45                 ` Srivatsa S. Bhat
@ 2018-02-27 17:55                   ` Steve French
  2018-02-27 17:56                   ` Steve French
  1 sibling, 0 replies; 71+ messages in thread
From: Steve French @ 2018-02-27 17:55 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Greg Kroah-Hartman, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS


This shouldn't be too hard to figure out if willing to backport a slightly
larger set of fixes to the older stable, but I don't have a system running
4.9 stable.

Is this the correct stable tree branch?
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.9.y



On Tue, Feb 27, 2018 at 11:45 AM, Srivatsa S. Bhat <srivatsa@csail.mit.edu>
wrote:

> On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
> > On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
> >> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
> >>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
> >>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
> >>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
> >>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
> >>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
> >>>>>>>> 4.13-stable review patch.  If anyone has any objections, please
> let me know.
> >>>>>>>>
> >>>>>>>> ------------------
> >>>>>>>>
> >>>>>>>> From: Steve French <smfrench@gmail.com>
> >>>>>>>>
> >>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
> >>>>>>>>
> >>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
> >>>>>>>> always be signed. Some Windows can fail the request if you send
> it unsigned
> >>>>>>>>
> >>>>>>>> See kernel bugzilla bug 197311
> >>>>>>>>
> >>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
> >>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
> >>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >>>>>>>>
> >>>>>>>> ---
> >>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
> >>>>>>>>   1 file changed, 3 insertions(+)
> >>>>>>>>
> >>>>>>>> --- a/fs/cifs/smb2pdu.c
> >>>>>>>> +++ b/fs/cifs/smb2pdu.c
> >>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
> >>>>>>>>        } else
> >>>>>>>>                iov[0].iov_len = get_rfc1002_length(req) + 4;
> >>>>>>>> +      /* validate negotiate request must be signed - see MS-SMB2
> 3.2.5.5 */
> >>>>>>>> +      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
> >>>>>>>> +              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
> >>>>>>>>        rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype,
> flags, &rsp_iov);
> >>>>>>>>        cifs_small_buf_release(req);
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>> This one needs to be backported to all stable kernels as the
> commit that
> >>>>>>> introduced the regression:
> >>>>>>> '
> >>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> >>>>>>> SMB: Validate negotiate (to protect against downgrade) even if
> signing off
> >>>>>>>
> >>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
> >>>>>>
> >>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
> >>>>>> apply it :)
> >>>>>>
> >>>>>> Can you provide me with a working backport?
> >>>>>>
> >>>>>
> >>>>> Hi Steve,
> >>>>>
> >>>>> Is there a version of this fix available for stable kernels?
> >>>>>
> >>>>
> >>>> Hi Greg,
> >>>>
> >>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
> >>>> due to the issues that I have described in detail on this mail thread.
> >>>>
> >>>> Since there is no apparent fix for this bug on stable kernels, could
> >>>> you please consider reverting the original commit that caused this
> >>>> regression?
> >>>>
> >>>> That commit was intended to enhance security, which is probably why it
> >>>> was backported to stable kernels in the first place; but instead it
> >>>> ends up breaking basic functionality itself (mounting). So in the
> >>>> absence of a proper fix, I don't see much of an option but to revert
> >>>> that commit.
> >>>>
> >>>> So, please consider reverting the following:
> >>>>
> >>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
> >>>> against downgrade) even if signing off" on 4.4.118
> >>>>
> >>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
> >>>> against downgrade) even if signing off" on 4.9.84
> >>>>
> >>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
> >>>> upstream. Both these patches should revert cleanly.
> >>>
> >>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
> >>> needs to get fixed there, not papered-over by reverting these old
> >>> changes, as you will hit the issue again in the future when you update
> >>> to a newer kernel version.
> >>>
> >>
> >> 4.14 and 4.15 work great! (I had mentioned this is in my original bug
> >> report but forgot to summarize it here, sorry).
> >
> >
> > Then what is the bugfix that should be applied here in order to keep
> > things working with these patches applied?
> >
>
> That would be the one mentioned in the subject line of this thread :)
> However, a working backport of that fix is not available for 4.4 and
> 4.9, hence the trouble.
>
> It looks like we are reconstructing elements of this email thread all
> over again, so let me quickly summarize the status so far:
>
> In 4.14/4.15/mainline,
> - commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
>   downgrade) even if signing off) caused mount regression with SMB v3.
>
> - commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
>   always be signed) fixed the issue.
>
> - [ There was a lot of code churn in the CIFS/SMB codebase between
>     these two commits in mainline. ]
>
> In this email thread, you backported the fix to stable 4.13. Thomas
> noticed that the problematic commit had also made it to stable series
> such as 4.4 and 4.9, and requested a backport of the fix to those
> trees as well. However, a straight-forward backport of the fix to 4.4
> and 4.9 breaks the build, so no fix was available for those kernels.
>
> I investigated this and tried to produce a working backport of the fix
> to 4.4 and 4.9, but didn't succeed, despite trying several variations
> as well as suggestions from Aurelien [1][2]. So, given that there is
> still no known fix for the mount regression on 4.4 and 4.9 stable
> series at this point, I decided to request a revert of the problematic
> commit that caused the regression in those kernels.
>
> [1]. https://lkml.org/lkml/2018/1/3/892
> [2]. https://lkml.org/lkml/2018/1/29/1009
>
> Regards,
> Srivatsa
>



-- 
Thanks,

Steve



* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27 17:45                 ` Srivatsa S. Bhat
  2018-02-27 17:55                   ` Steve French
@ 2018-02-27 17:56                   ` Steve French
  2018-02-27 18:33                     ` Srivatsa S. Bhat
  2018-03-01 20:12                     ` Steve French
  1 sibling, 2 replies; 71+ messages in thread
From: Steve French @ 2018-02-27 17:56 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Greg Kroah-Hartman, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

This shouldn't be too hard to figure out if willing to backport a
slightly larger set of fixes to the older stable, but I don't have a
system running 4.9 stable.

Is this the correct stable tree branch?
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.9.y

On Tue, Feb 27, 2018 at 11:45 AM, Srivatsa S. Bhat
<srivatsa@csail.mit.edu> wrote:
> On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
>> On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
>>> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
>>>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>>>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>>>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>>>>
>>>>>>>>> ------------------
>>>>>>>>>
>>>>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>>>>
>>>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>>>>
>>>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>>>>
>>>>>>>>> See kernel bugzilla bug 197311
>>>>>>>>>
>>>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>>>>   1 file changed, 3 insertions(+)
>>>>>>>>>
>>>>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>>>>        } else
>>>>>>>>>                iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>>>>> +      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>>>>> +      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>>>>> +              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>>>>        rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>>>>        cifs_small_buf_release(req);
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>>>>> introduced the regression:
>>>>>>>> '
>>>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>>>>
>>>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>>>>
>>>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>>>>> apply it :)
>>>>>>>
>>>>>>> Can you provide me with a working backport?
>>>>>>>
>>>>>>
>>>>>> Hi Steve,
>>>>>>
>>>>>> Is there a version of this fix available for stable kernels?
>>>>>>
>>>>>
>>>>> Hi Greg,
>>>>>
>>>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>>>>> due to the issues that I have described in detail on this mail thread.
>>>>>
>>>>> Since there is no apparent fix for this bug on stable kernels, could
>>>>> you please consider reverting the original commit that caused this
>>>>> regression?
>>>>>
>>>>> That commit was intended to enhance security, which is probably why it
>>>>> was backported to stable kernels in the first place; but instead it
>>>>> ends up breaking basic functionality itself (mounting). So in the
>>>>> absence of a proper fix, I don't see much of an option but to revert
>>>>> that commit.
>>>>>
>>>>> So, please consider reverting the following:
>>>>>
>>>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>>>>> against downgrade) even if signing off" on 4.4.118
>>>>>
>>>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>>>>> against downgrade) even if signing off" on 4.9.84
>>>>>
>>>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>> upstream. Both these patches should revert cleanly.
>>>>
>>>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
>>>> needs to get fixed there, not papered-over by reverting these old
>>>> changes, as you will hit the issue again in the future when you update
>>>> to a newer kernel version.
>>>>
>>>
>>> 4.14 and 4.15 work great! (I had mentioned this is in my original bug
>>> report but forgot to summarize it here, sorry).
>>
>>
>> Then what is the bugfix that should be applied here in order to keep
>> things working with these patches applied?
>>
>
> That would be the one mentioned in the subject line of this thread :)
> However, a working backport of that fix is not available for 4.4 and
> 4.9, hence the trouble.
>
> It looks like we are reconstructing elements of this email thread all
> over again, so let me quickly summarize the status so far:
>
> In 4.14/4.15/mainline,
> - commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
>   downgrade) even if signing off) caused mount regression with SMB v3.
>
> - commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
>   always be signed) fixed the issue.
>
> - [ There was a lot of code churn in the CIFS/SMB codebase between
>     these two commits in mainline. ]
>
> In this email thread, you backported the fix to stable 4.13. Thomas
> noticed that the problematic commit had also made it to stable series
> such as 4.4 and 4.9, and requested a backport of the fix to those
> trees as well. However, a straight-forward backport of the fix to 4.4
> and 4.9 breaks the build, so no fix was available for those kernels.
>
> I investigated this and tried to produce a working backport of the fix
> to 4.4 and 4.9, but didn't succeed, despite trying several variations
> as well as suggestions from Aurelien [1][2]. So, given that there is
> still no known fix for the mount regression on 4.4 and 4.9 stable
> series at this point, I decided to request a revert of the problematic
> commit that caused the regression in those kernels.
>
> [1]. https://lkml.org/lkml/2018/1/3/892
> [2]. https://lkml.org/lkml/2018/1/29/1009
>
> Regards,
> Srivatsa



-- 
Thanks,

Steve


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27 17:56                   ` Steve French
@ 2018-02-27 18:33                     ` Srivatsa S. Bhat
  2018-03-12  2:37                       ` Steve French
  2018-03-01 20:12                     ` Steve French
  1 sibling, 1 reply; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-02-27 18:33 UTC (permalink / raw)
  To: Steve French
  Cc: Greg Kroah-Hartman, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On 2/27/18 9:56 AM, Steve French wrote:
> This shouldn't be too hard to figure out if willing to backport a
> slightly larger set of fixes to the older stable, but I don't have a
> system running 4.9 stable.
> 

If you have the proposed patches that apply on 4.9, I'd be happy to
try them out!

[ I would have offered to backport the patches myself, but actually I
already tried doing that with a larger set of patches from mainline
(picking those commits between the regression and the fix that seemed
relevant), but I felt quite out-of-depth trying to adapt them to 4.9
and 4.4, as I'm not that familiar with the internals of SMB/CIFS. ]

> Is this the correct stable tree branch?
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.9.y
> 

Yep!

Regards,
Srivatsa

> On Tue, Feb 27, 2018 at 11:45 AM, Srivatsa S. Bhat
> <srivatsa@csail.mit.edu> wrote:
>> On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
>>> On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
>>>> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
>>>>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>>>>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>>>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>>>>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>>>>>
>>>>>>>>>> ------------------
>>>>>>>>>>
>>>>>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>>>>>
>>>>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>>>>>
>>>>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>>>>>
>>>>>>>>>> See kernel bugzilla bug 197311
>>>>>>>>>>
>>>>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>>>>>   1 file changed, 3 insertions(+)
>>>>>>>>>>
>>>>>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>>>>>        } else
>>>>>>>>>>                iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>>>>>> +      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>>>>>> +      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>>>>>> +              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>>>>>        rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>>>>>        cifs_small_buf_release(req);
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>>>>>> introduced the regression:
>>>>>>>>> '
>>>>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>>>>>
>>>>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>>>>>
>>>>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>>>>>> apply it :)
>>>>>>>>
>>>>>>>> Can you provide me with a working backport?
>>>>>>>>
>>>>>>>
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> Is there a version of this fix available for stable kernels?
>>>>>>>
>>>>>>
>>>>>> Hi Greg,
>>>>>>
>>>>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>>>>>> due to the issues that I have described in detail on this mail thread.
>>>>>>
>>>>>> Since there is no apparent fix for this bug on stable kernels, could
>>>>>> you please consider reverting the original commit that caused this
>>>>>> regression?
>>>>>>
>>>>>> That commit was intended to enhance security, which is probably why it
>>>>>> was backported to stable kernels in the first place; but instead it
>>>>>> ends up breaking basic functionality itself (mounting). So in the
>>>>>> absence of a proper fix, I don't see much of an option but to revert
>>>>>> that commit.
>>>>>>
>>>>>> So, please consider reverting the following:
>>>>>>
>>>>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>>>>>> against downgrade) even if signing off" on 4.4.118
>>>>>>
>>>>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>>>>>> against downgrade) even if signing off" on 4.9.84
>>>>>>
>>>>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>> upstream. Both these patches should revert cleanly.
>>>>>
>>>>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
>>>>> needs to get fixed there, not papered-over by reverting these old
>>>>> changes, as you will hit the issue again in the future when you update
>>>>> to a newer kernel version.
>>>>>
>>>>
>>>> 4.14 and 4.15 work great! (I had mentioned this is in my original bug
>>>> report but forgot to summarize it here, sorry).
>>>
>>>
>>> Then what is the bugfix that should be applied here in order to keep
>>> things working with these patches applied?
>>>
>>
>> That would be the one mentioned in the subject line of this thread :)
>> However, a working backport of that fix is not available for 4.4 and
>> 4.9, hence the trouble.
>>
>> It looks like we are reconstructing elements of this email thread all
>> over again, so let me quickly summarize the status so far:
>>
>> In 4.14/4.15/mainline,
>> - commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
>>   downgrade) even if signing off) caused mount regression with SMB v3.
>>
>> - commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
>>   always be signed) fixed the issue.
>>
>> - [ There was a lot of code churn in the CIFS/SMB codebase between
>>     these two commits in mainline. ]
>>
>> In this email thread, you backported the fix to stable 4.13. Thomas
>> noticed that the problematic commit had also made it to stable series
>> such as 4.4 and 4.9, and requested a backport of the fix to those
>> trees as well. However, a straight-forward backport of the fix to 4.4
>> and 4.9 breaks the build, so no fix was available for those kernels.
>>
>> I investigated this and tried to produce a working backport of the fix
>> to 4.4 and 4.9, but didn't succeed, despite trying several variations
>> as well as suggestions from Aurelien [1][2]. So, given that there is
>> still no known fix for the mount regression on 4.4 and 4.9 stable
>> series at this point, I decided to request a revert of the problematic
>> commit that caused the regression in those kernels.
>>
>> [1]. https://lkml.org/lkml/2018/1/3/892
>> [2]. https://lkml.org/lkml/2018/1/29/1009
>>
>> Regards,
>> Srivatsa
> 
> 
> 


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27 17:56                   ` Steve French
  2018-02-27 18:33                     ` Srivatsa S. Bhat
@ 2018-03-01 20:12                     ` Steve French
  2018-03-01 20:51                       ` Srivatsa S. Bhat
  1 sibling, 1 reply; 71+ messages in thread
From: Steve French @ 2018-03-01 20:12 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Greg Kroah-Hartman, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

So far I haven't been able to reproduce this on the current 4.9 stable
tree with vers=3.0 or with default (vers=1.0 for these older kernels).

On Tue, Feb 27, 2018 at 11:56 AM, Steve French <smfrench@gmail.com> wrote:
> This shouldn't be too hard to figure out if willing to backport a
> slightly larger set of fixes to the older stable, but I don't have a
> system running 4.9 stable.
>
> Is this the correct stable tree branch?
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.9.y
>
> On Tue, Feb 27, 2018 at 11:45 AM, Srivatsa S. Bhat
> <srivatsa@csail.mit.edu> wrote:
>> On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
>>> On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
>>>> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
>>>>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>>>>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>>>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>>>>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>>>>>
>>>>>>>>>> ------------------
>>>>>>>>>>
>>>>>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>>>>>
>>>>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>>>>>
>>>>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>>>>>
>>>>>>>>>> See kernel bugzilla bug 197311
>>>>>>>>>>
>>>>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>>>>>   1 file changed, 3 insertions(+)
>>>>>>>>>>
>>>>>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>>>>>        } else
>>>>>>>>>>                iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>>>>>> +      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>>>>>> +      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>>>>>> +              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>>>>>        rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>>>>>        cifs_small_buf_release(req);
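Review bot: the comment added above the opcode check cites MS-SMB2 3.2.5.5, while the changelog for this hunk says "MS-SMB2 3.2.55", so the two section references disagree. Make the changelog match the comment so the requirement can be looked up. The Acked-by trailer also reads lsahlber.redhat.com with no "@", which should be corrected before this is applied to further trees.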
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>>>>>> introduced the regression:
>>>>>>>>> '
>>>>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>>>>>
>>>>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>>>>>
>>>>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>>>>>> apply it :)
>>>>>>>>
>>>>>>>> Can you provide me with a working backport?
>>>>>>>>
>>>>>>>
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> Is there a version of this fix available for stable kernels?
>>>>>>>
>>>>>>
>>>>>> Hi Greg,
>>>>>>
>>>>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>>>>>> due to the issues that I have described in detail on this mail thread.
>>>>>>
>>>>>> Since there is no apparent fix for this bug on stable kernels, could
>>>>>> you please consider reverting the original commit that caused this
>>>>>> regression?
>>>>>>
>>>>>> That commit was intended to enhance security, which is probably why it
>>>>>> was backported to stable kernels in the first place; but instead it
>>>>>> ends up breaking basic functionality itself (mounting). So in the
>>>>>> absence of a proper fix, I don't see much of an option but to revert
>>>>>> that commit.
>>>>>>
>>>>>> So, please consider reverting the following:
>>>>>>
>>>>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>>>>>> against downgrade) even if signing off" on 4.4.118
>>>>>>
>>>>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>>>>>> against downgrade) even if signing off" on 4.9.84
>>>>>>
>>>>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>> upstream. Both these patches should revert cleanly.
>>>>>
>>>>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
>>>>> needs to get fixed there, not papered-over by reverting these old
>>>>> changes, as you will hit the issue again in the future when you update
>>>>> to a newer kernel version.
>>>>>
>>>>
>>>> 4.14 and 4.15 work great! (I had mentioned this in my original bug
>>>> report but forgot to summarize it here, sorry).
>>>
>>>
>>> Then what is the bugfix that should be applied here in order to keep
>>> things working with these patches applied?
>>>
>>
>> That would be the one mentioned in the subject line of this thread :)
>> However, a working backport of that fix is not available for 4.4 and
>> 4.9, hence the trouble.
>>
>> It looks like we are reconstructing elements of this email thread all
>> over again, so let me quickly summarize the status so far:
>>
>> In 4.14/4.15/mainline,
>> - commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
>>   downgrade) even if signing off) caused mount regression with SMB v3.
>>
>> - commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
>>   always be signed) fixed the issue.
>>
>> - [ There was a lot of code churn in the CIFS/SMB codebase between
>>     these two commits in mainline. ]
>>
>> In this email thread, you backported the fix to stable 4.13. Thomas
>> noticed that the problematic commit had also made it to stable series
>> such as 4.4 and 4.9, and requested a backport of the fix to those
>> trees as well. However, a straight-forward backport of the fix to 4.4
>> and 4.9 breaks the build, so no fix was available for those kernels.
>>
>> I investigated this and tried to produce a working backport of the fix
>> to 4.4 and 4.9, but didn't succeed, despite trying several variations
>> as well as suggestions from Aurelien [1][2]. So, given that there is
>> still no known fix for the mount regression on 4.4 and 4.9 stable
>> series at this point, I decided to request a revert of the problematic
>> commit that caused the regression in those kernels.
>>
>> [1]. https://lkml.org/lkml/2018/1/3/892
>> [2]. https://lkml.org/lkml/2018/1/29/1009
>>
>> Regards,
>> Srivatsa
>
>
>
> --
> Thanks,
>
> Steve



-- 
Thanks,

Steve


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-03-01 20:12                     ` Steve French
@ 2018-03-01 20:51                       ` Srivatsa S. Bhat
  0 siblings, 0 replies; 71+ messages in thread
From: Srivatsa S. Bhat @ 2018-03-01 20:51 UTC (permalink / raw)
  To: Steve French
  Cc: Greg Kroah-Hartman, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On 3/1/18 12:12 PM, Steve French wrote:
> So far I haven't been able to reproduce this on the current 4.9 stable
> tree with vers=3.0 or with default (vers=1.0 for these older kernels).
> 

Maybe the problem also depends on the particular version of Windows
that hosts the SMB shares? I'm using Windows Server 2016 (Version
1607, OS Build 14393.693). With vers=3.0, the issue is reproducible
every time, but vers=1.0 works fine.

Regards,
Srivatsa

> On Tue, Feb 27, 2018 at 11:56 AM, Steve French <smfrench@gmail.com> wrote:
>> This shouldn't be too hard to figure out if willing to backport a
>> slightly larger set of fixes to the older stable, but I don't have a
>> system running 4.9 stable.
>>
>> Is this the correct stable tree branch?
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.9.y
>>
>> On Tue, Feb 27, 2018 at 11:45 AM, Srivatsa S. Bhat
>> <srivatsa@csail.mit.edu> wrote:
>>> On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
>>>> On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
>>>>> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
>>>>>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>>>>>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>>>>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>>>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>>>>>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>>>>>>
>>>>>>>>>>> ------------------
>>>>>>>>>>>
>>>>>>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>>>>>>
>>>>>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>>>>>>
>>>>>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>>>>>>
>>>>>>>>>>> See kernel bugzilla bug 197311
>>>>>>>>>>>
>>>>>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>>>>>>   1 file changed, 3 insertions(+)
>>>>>>>>>>>
>>>>>>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>>>>>>        } else
>>>>>>>>>>>                iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>>>>>>> +      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>>>>>>> +      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>>>>>>> +              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>>>>>>        rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>>>>>>        cifs_small_buf_release(req);
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>>>>>>> introduced the regression:
>>>>>>>>>> '
>>>>>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>>>>>>
>>>>>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>>>>>>
>>>>>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>>>>>>> apply it :)
>>>>>>>>>
>>>>>>>>> Can you provide me with a working backport?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>> Is there a version of this fix available for stable kernels?
>>>>>>>>
>>>>>>>
>>>>>>> Hi Greg,
>>>>>>>
>>>>>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>>>>>>> due to the issues that I have described in detail on this mail thread.
>>>>>>>
>>>>>>> Since there is no apparent fix for this bug on stable kernels, could
>>>>>>> you please consider reverting the original commit that caused this
>>>>>>> regression?
>>>>>>>
>>>>>>> That commit was intended to enhance security, which is probably why it
>>>>>>> was backported to stable kernels in the first place; but instead it
>>>>>>> ends up breaking basic functionality itself (mounting). So in the
>>>>>>> absence of a proper fix, I don't see much of an option but to revert
>>>>>>> that commit.
>>>>>>>
>>>>>>> So, please consider reverting the following:
>>>>>>>
>>>>>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>>>>>>> against downgrade) even if signing off" on 4.4.118
>>>>>>>
>>>>>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>>>>>>> against downgrade) even if signing off" on 4.9.84
>>>>>>>
>>>>>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>> upstream. Both these patches should revert cleanly.
>>>>>>
>>>>>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
>>>>>> needs to get fixed there, not papered-over by reverting these old
>>>>>> changes, as you will hit the issue again in the future when you update
>>>>>> to a newer kernel version.
>>>>>>
>>>>>
>>>>> 4.14 and 4.15 work great! (I had mentioned this in my original bug
>>>>> report but forgot to summarize it here, sorry).
>>>>
>>>>
>>>> Then what is the bugfix that should be applied here in order to keep
>>>> things working with these patches applied?
>>>>
>>>
>>> That would be the one mentioned in the subject line of this thread :)
>>> However, a working backport of that fix is not available for 4.4 and
>>> 4.9, hence the trouble.
>>>
>>> It looks like we are reconstructing elements of this email thread all
>>> over again, so let me quickly summarize the status so far:
>>>
>>> In 4.14/4.15/mainline,
>>> - commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
>>>   downgrade) even if signing off) caused mount regression with SMB v3.
>>>
>>> - commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
>>>   always be signed) fixed the issue.
>>>
>>> - [ There was a lot of code churn in the CIFS/SMB codebase between
>>>     these two commits in mainline. ]
>>>
>>> In this email thread, you backported the fix to stable 4.13. Thomas
>>> noticed that the problematic commit had also made it to stable series
>>> such as 4.4 and 4.9, and requested a backport of the fix to those
>>> trees as well. However, a straight-forward backport of the fix to 4.4
>>> and 4.9 breaks the build, so no fix was available for those kernels.
>>>
>>> I investigated this and tried to produce a working backport of the fix
>>> to 4.4 and 4.9, but didn't succeed, despite trying several variations
>>> as well as suggestions from Aurelien [1][2]. So, given that there is
>>> still no known fix for the mount regression on 4.4 and 4.9 stable
>>> series at this point, I decided to request a revert of the problematic
>>> commit that caused the regression in those kernels.
>>>
>>> [1]. https://lkml.org/lkml/2018/1/3/892
>>> [2]. https://lkml.org/lkml/2018/1/29/1009
>>>
>>> Regards,
>>> Srivatsa
>>
>>
>>
>> --
>> Thanks,
>>
>> Steve
> 
> 
> 


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-02-27 18:33                     ` Srivatsa S. Bhat
@ 2018-03-12  2:37                       ` Steve French
  2018-03-13  9:21                         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 71+ messages in thread
From: Steve French @ 2018-03-12  2:37 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Greg Kroah-Hartman, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

Just got a wireshark trace - this is a fairly trivial issue (missing
the validate negotiate must be signed patch) - I had some trouble
getting this version of the kernel running (unrelated issue) and on
systems with access to Windows 2016...



On Tue, Feb 27, 2018 at 10:33 AM, Srivatsa S. Bhat
<srivatsa@csail.mit.edu> wrote:
> On 2/27/18 9:56 AM, Steve French wrote:
>> This shouldn't be too hard to figure out if willing to backport a
>> slightly larger set of fixes to the older stable, but I don't have a
>> system running 4.9 stable.
>>
>
> If you have the proposed patches that apply on 4.9, I'd be happy to
> try them out!
>
> [ I would have offered to backport the patches myself, but actually I
> already tried doing that with a larger set of patches from mainline
> (picking those commits between the regression and the fix that seemed
> relevant), but I felt quite out-of-depth trying to adapt them to 4.9
> and 4.4, as I'm not that familiar with the internals of SMB/CIFS. ]
>
>> Is this the correct stable tree branch?
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.9.y
>>
>
> Yep!
>
> Regards,
> Srivatsa
>
>> On Tue, Feb 27, 2018 at 11:45 AM, Srivatsa S. Bhat
>> <srivatsa@csail.mit.edu> wrote:
>>> On 2/27/18 4:40 AM, Greg Kroah-Hartman wrote:
>>>> On Tue, Feb 27, 2018 at 01:22:31AM -0800, Srivatsa S. Bhat wrote:
>>>>> On 2/27/18 12:54 AM, Greg Kroah-Hartman wrote:
>>>>>> On Mon, Feb 26, 2018 at 07:44:28PM -0800, Srivatsa S. Bhat wrote:
>>>>>>> On 1/3/18 6:15 PM, Srivatsa S. Bhat wrote:
>>>>>>>> On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote:
>>>>>>>>> On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote:
>>>>>>>>>> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman:
>>>>>>>>>>> 4.13-stable review patch.  If anyone has any objections, please let me know.
>>>>>>>>>>>
>>>>>>>>>>> ------------------
>>>>>>>>>>>
>>>>>>>>>>> From: Steve French <smfrench@gmail.com>
>>>>>>>>>>>
>>>>>>>>>>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
>>>>>>>>>>>
>>>>>>>>>>> According to MS-SMB2 3.2.55 validate_negotiate request must
>>>>>>>>>>> always be signed. Some Windows can fail the request if you send it unsigned
>>>>>>>>>>>
>>>>>>>>>>> See kernel bugzilla bug 197311
>>>>>>>>>>>
>>>>>>>>>>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
>>>>>>>>>>> Signed-off-by: Steve French <smfrench@gmail.com>
>>>>>>>>>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>>   fs/cifs/smb2pdu.c |    3 +++
>>>>>>>>>>>   1 file changed, 3 insertions(+)
>>>>>>>>>>>
>>>>>>>>>>> --- a/fs/cifs/smb2pdu.c
>>>>>>>>>>> +++ b/fs/cifs/smb2pdu.c
>>>>>>>>>>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
>>>>>>>>>>>        } else
>>>>>>>>>>>                iov[0].iov_len = get_rfc1002_length(req) + 4;
>>>>>>>>>>> +      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
>>>>>>>>>>> +      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
>>>>>>>>>>> +              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>>>>>>>>>>>        rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
>>>>>>>>>>>        cifs_small_buf_release(req);
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This one needs to be backported to all stable kernels as the commit that
>>>>>>>>>> introduced the regression:
>>>>>>>>>> '
>>>>>>>>>> 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>>>>> SMB: Validate negotiate (to protect against downgrade) even if signing off
>>>>>>>>>>
>>>>>>>>>> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73
>>>>>>>>>
>>>>>>>>> Oh wait, it breaks the builds on older kernels, that's why I didn't
>>>>>>>>> apply it :)
>>>>>>>>>
>>>>>>>>> Can you provide me with a working backport?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>> Is there a version of this fix available for stable kernels?
>>>>>>>>
>>>>>>>
>>>>>>> Hi Greg,
>>>>>>>
>>>>>>> Mounting SMB3 shares continues to fail for me on 4.4.118 and 4.9.84
>>>>>>> due to the issues that I have described in detail on this mail thread.
>>>>>>>
>>>>>>> Since there is no apparent fix for this bug on stable kernels, could
>>>>>>> you please consider reverting the original commit that caused this
>>>>>>> regression?
>>>>>>>
>>>>>>> That commit was intended to enhance security, which is probably why it
>>>>>>> was backported to stable kernels in the first place; but instead it
>>>>>>> ends up breaking basic functionality itself (mounting). So in the
>>>>>>> absence of a proper fix, I don't see much of an option but to revert
>>>>>>> that commit.
>>>>>>>
>>>>>>> So, please consider reverting the following:
>>>>>>>
>>>>>>> commit 02ef29f9cbb616bf419 "SMB: Validate negotiate (to protect
>>>>>>> against downgrade) even if signing off" on 4.4.118
>>>>>>>
>>>>>>> commit 0e1b85a41a25ac888fb "SMB: Validate negotiate (to protect
>>>>>>> against downgrade) even if signing off" on 4.9.84
>>>>>>>
>>>>>>> They correspond to commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9
>>>>>>> upstream. Both these patches should revert cleanly.
>>>>>>
>>>>>> Do you still have this same problem on 4.14 and 4.15?  If so, the issue
>>>>>> needs to get fixed there, not papered-over by reverting these old
>>>>>> changes, as you will hit the issue again in the future when you update
>>>>>> to a newer kernel version.
>>>>>>
>>>>>
>>>>> 4.14 and 4.15 work great! (I had mentioned this in my original bug
>>>>> report but forgot to summarize it here, sorry).
>>>>
>>>>
>>>> Then what is the bugfix that should be applied here in order to keep
>>>> things working with these patches applied?
>>>>
>>>
>>> That would be the one mentioned in the subject line of this thread :)
>>> However, a working backport of that fix is not available for 4.4 and
>>> 4.9, hence the trouble.
>>>
>>> It looks like we are reconstructing elements of this email thread all
>>> over again, so let me quickly summarize the status so far:
>>>
>>> In 4.14/4.15/mainline,
>>> - commit 0603c96f3af50e2f9 (SMB: Validate negotiate (to protect against
>>>   downgrade) even if signing off) caused mount regression with SMB v3.
>>>
>>> - commit 4587eee04e2ac7ac3 (SMB3: Validate negotiate request must
>>>   always be signed) fixed the issue.
>>>
>>> - [ There was a lot of code churn in the CIFS/SMB codebase between
>>>     these two commits in mainline. ]
>>>
>>> In this email thread, you backported the fix to stable 4.13. Thomas
>>> noticed that the problematic commit had also made it to stable series
>>> such as 4.4 and 4.9, and requested a backport of the fix to those
>>> trees as well. However, a straight-forward backport of the fix to 4.4
>>> and 4.9 breaks the build, so no fix was available for those kernels.
>>>
>>> I investigated this and tried to produce a working backport of the fix
>>> to 4.4 and 4.9, but didn't succeed, despite trying several variations
>>> as well as suggestions from Aurelien [1][2]. So, given that there is
>>> still no known fix for the mount regression on 4.4 and 4.9 stable
>>> series at this point, I decided to request a revert of the problematic
>>> commit that caused the regression in those kernels.
>>>
>>> [1]. https://lkml.org/lkml/2018/1/3/892
>>> [2]. https://lkml.org/lkml/2018/1/29/1009
>>>
>>> Regards,
>>> Srivatsa
>>
>>
>>
>



-- 
Thanks,

Steve
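
The condition discussed in this thread, a validate negotiate request sent without the signed flag, can be checked on a captured SMB2 message. The following is an added example, not code from the thread or from fs/cifs: the function names, the EX_* constants and the sample frames are constructed here, and the input is assumed to be one SMB2 message without the 4-byte transport length prefix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire values from MS-SMB2; these two names also appear in the patch. */
#define SMB2_FLAGS_SIGNED             0x00000008u
#define FSCTL_VALIDATE_NEGOTIATE_INFO 0x00140204u
/* EX_* names are local to this example (assumptions, not kernel names). */
#define EX_HDR_LEN        64u          /* fixed SMB2 header size */
#define EX_CMD_IOCTL      0x000Bu      /* SMB2 IOCTL command code */
#define EX_FLAG_RESPONSE  0x00000001u  /* server-to-client direction bit */
#define EX_SIG_OFF        48u          /* Signature field offset in header */
#define EX_SIG_LEN        16u
#define EX_IOCTL_FIXED    56u          /* fixed part of an IOCTL request */

enum vn_verdict {
	VN_NOT_APPLICABLE,    /* not a cleartext validate negotiate request */
	VN_SIGNED,            /* flag set, signature field populated */
	VN_UNSIGNED,          /* flag clear: what the patch prevents */
	VN_FLAG_WITHOUT_SIG,  /* flag set but signature field all zero */
	VN_MALFORMED          /* truncated or inconsistent structure sizes */
};

/* Little-endian read/write of an n-byte field (n <= 4). */
static uint32_t rd_le(const uint8_t *p, unsigned n)
{
	uint32_t v = 0;
	while (n--)
		v = (v << 8) | p[n];
	return v;
}
static void wr_le(uint8_t *p, uint32_t v, unsigned n)
{
	while (n--) { *p++ = (uint8_t)v; v >>= 8; }
}

/* Classify one SMB2 message (without the 4-byte transport length prefix). */
enum vn_verdict check_validate_negotiate(const uint8_t *msg, size_t len)
{
	static const uint8_t magic[4] = { 0xFE, 'S', 'M', 'B' };
	static const uint8_t zero_sig[EX_SIG_LEN] = { 0 };
	uint32_t flags;

	/* SMB1 (0xFF) and encrypted transform (0xFD) headers are out of scope. */
	if (len < sizeof(magic) || memcmp(msg, magic, sizeof(magic)) != 0)
		return VN_NOT_APPLICABLE;
	if (len < EX_HDR_LEN || rd_le(msg + 4, 2) != EX_HDR_LEN)
		return VN_MALFORMED;

	flags = rd_le(msg + 16, 4);
	if (rd_le(msg + 12, 2) != EX_CMD_IOCTL || (flags & EX_FLAG_RESPONSE))
		return VN_NOT_APPLICABLE;

	/* IOCTL request body: StructureSize (2) = 57, Reserved (2), CtlCode (4). */
	if (len < EX_HDR_LEN + 8 || rd_le(msg + EX_HDR_LEN, 2) != 57)
		return VN_MALFORMED;
	if (rd_le(msg + EX_HDR_LEN + 4, 4) != FSCTL_VALIDATE_NEGOTIATE_INFO)
		return VN_NOT_APPLICABLE;

	/* The signature itself is not verified: that needs the session key. */
	if (!(flags & SMB2_FLAGS_SIGNED))
		return VN_UNSIGNED;
	if (memcmp(msg + EX_SIG_OFF, zero_sig, EX_SIG_LEN) == 0)
		return VN_FLAG_WITHOUT_SIG;
	return VN_SIGNED;
}

/* Build a constructed IOCTL request (no input buffer) for the demo. */
size_t build_sample_ioctl(uint8_t *buf, size_t cap, uint32_t flags,
			  uint32_t ctl_code, int fill_sig)
{
	size_t len = EX_HDR_LEN + EX_IOCTL_FIXED;

	if (cap < len)
		return 0;
	memset(buf, 0, len);
	buf[0] = 0xFE; buf[1] = 'S'; buf[2] = 'M'; buf[3] = 'B';
	wr_le(buf + 4, EX_HDR_LEN, 2);
	wr_le(buf + 12, EX_CMD_IOCTL, 2);
	wr_le(buf + 16, flags, 4);
	if (fill_sig)
		memset(buf + EX_SIG_OFF, 0xA5, EX_SIG_LEN); /* placeholder bytes */
	wr_le(buf + EX_HDR_LEN, 57, 2);
	wr_le(buf + EX_HDR_LEN + 4, ctl_code, 4);
	return len;
}

int main(void)
{
	uint8_t b[EX_HDR_LEN + EX_IOCTL_FIXED];
	size_t n = build_sample_ioctl(b, sizeof(b), 0, FSCTL_VALIDATE_NEGOTIATE_INFO, 0);

	printf("flag clear -> verdict %d\n", (int)check_validate_negotiate(b, n));
	n = build_sample_ioctl(b, sizeof(b), SMB2_FLAGS_SIGNED, FSCTL_VALIDATE_NEGOTIATE_INFO, 1);
	printf("flag set   -> verdict %d\n", (int)check_validate_negotiate(b, n));
	return 0;
}
```
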


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-03-12  2:37                       ` Steve French
@ 2018-03-13  9:21                         ` Greg Kroah-Hartman
  2018-03-13 15:21                           ` Steve French
  0 siblings, 1 reply; 71+ messages in thread
From: Greg Kroah-Hartman @ 2018-03-13  9:21 UTC (permalink / raw)
  To: Steve French
  Cc: Srivatsa S. Bhat, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On Sun, Mar 11, 2018 at 07:37:55PM -0700, Steve French wrote:
> Just got a wireshark trace - this is a fairly trivial issue (missing
> the validate negotiate must be signed patch) - I had some trouble
> getting this version of the kernel running (unrelated issue) and on
> systems with access to Windows 2016...

Ok, I have no idea what this means, or what I should do here because of
it :(

Any hints for what to do with the stable tree?

totally confused,

greg k-h


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-03-13  9:21                         ` Greg Kroah-Hartman
@ 2018-03-13 15:21                           ` Steve French
  2018-03-16 13:32                             ` Greg Kroah-Hartman
  0 siblings, 1 reply; 71+ messages in thread
From: Steve French @ 2018-03-13 15:21 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Srivatsa S. Bhat, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

There will be a fix needed to correct an oops in calc_signature,
besides the easy patch (smb3 validate negotiate patch).

On Tue, Mar 13, 2018 at 4:21 AM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Sun, Mar 11, 2018 at 07:37:55PM -0700, Steve French wrote:
>> Just got a wireshark trace - this is a fairly trivial issue (missing
>> the validate negotiate must be signed patch) - I had some trouble
>> getting this version of the kernel running (unrelated issue) and on
>> systems with access to Windows 2016...
>
> Ok, I have no idea what this means, or what I should do here because of
> it :(
>
> Any hints for what to do with the stable tree?
>
> totally confused,
>
> greg k-h



-- 
Thanks,

Steve


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-03-13 15:21                           ` Steve French
@ 2018-03-16 13:32                             ` Greg Kroah-Hartman
  2018-03-16 16:19                               ` Steve French
  2018-03-22  2:02                               ` Steve French
  0 siblings, 2 replies; 71+ messages in thread
From: Greg Kroah-Hartman @ 2018-03-16 13:32 UTC (permalink / raw)
  To: Steve French
  Cc: Srivatsa S. Bhat, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On Tue, Mar 13, 2018 at 10:21:45AM -0500, Steve French wrote:
> There will be a fix needed to correct an oops in calc_signature,
> besides the easy patch (smb3 validate negotiate patch).

Ok, I still have no idea how to parse this for a stable tree submission.

So can someone please just send me a simple "apply these git ids to tree
X.X.y so we can fix the problem", otherwise I'm not going to do anything
here as I'm really confused,

greg k-h


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-03-16 13:32                             ` Greg Kroah-Hartman
@ 2018-03-16 16:19                               ` Steve French
  2018-03-22  2:02                               ` Steve French
  1 sibling, 0 replies; 71+ messages in thread
From: Steve French @ 2018-03-16 16:19 UTC (permalink / raw)
  To: Greg KH
  Cc: Srivatsa S. Bhat, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

[-- Attachment #1: Type: text/plain, Size: 650 bytes --]

Am going through the list of patches one by one (just got back in town) to
find the missing one.

On Fri, Mar 16, 2018, 08:32 Greg Kroah-Hartman <gregkh@linuxfoundation.org>
wrote:

> On Tue, Mar 13, 2018 at 10:21:45AM -0500, Steve French wrote:
> > There will be a fix needed to correct an oops in calc_signature,
> > besides the easy patch (smb3 validate negotiate patch).
>
> Ok, I still have no idea how to parse this for a stable tree submission.
>
> So can someone please just send me a simple "apply these git ids to tree
> X.X.y so we can fix the problem", otherwise I'm not going to do anything
> here as I'm really confused,
>
> greg k-h
>


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
  2018-03-16 13:32                             ` Greg Kroah-Hartman
  2018-03-16 16:19                               ` Steve French
@ 2018-03-22  2:02                               ` Steve French
  2018-03-22  5:12                                 ` Srivatsa S. Bhat
  1 sibling, 1 reply; 71+ messages in thread
From: Steve French @ 2018-03-22  2:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Srivatsa S. Bhat, Thomas Backlund, Aurélien Aptel, LKML,
	Stable, Ronnie Sahlberg, Pavel Shilovskiy, CIFS

[-- Attachment #1: Type: text/plain, Size: 1692 bytes --]

Found a patch which solves the dependency issue.  In my testing (on
4.9, with Windows 2016, and also to Samba) as Pavel suggested this
appears to fix the problem, but I will let Srivatsa confirm that it
also fixes it for him.  The two attached patches for 4.9 should work.

As an aside which may help some in testing stable tree problems (as a
point of comparison or alternative), I did a complete backport of all
relevant CIFS/SMB3 patches (i.e. all patches to cifs.ko that are not
dependent on VFS changes or global kernel API changes) for kernels
4.9 through 4.15
https://github.com/smfrench/smb3-cifs-linux-stable-backports

The individual patches that were included (and in a distinct directory
all cifs patches that were rejected due to global/VFS dependencies)
are also checked in -
https://github.com/smfrench/smb3-backported-patches.

Given the focus on security, these two git trees may be useful for
those who want a cifs.ko which includes all security and functional
improvements and fixes that more closely matches mainline cifs.ko

Srivatsa,
Let us know if those two patches fix your issue as expected.

On Fri, Mar 16, 2018 at 8:32 AM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Tue, Mar 13, 2018 at 10:21:45AM -0500, Steve French wrote:
>> There will be a fix needed to correct an oops in calc_signature,
>> besides the easy patch (smb3 validate negotiate patch).
>
> Ok, I still have no idea how to parse this for a stable tree submission.
>
> So can someone please just send me a simple "apply these git ids to tree
> X.X.y so we can fix the problem", otherwise I'm not going to do anything
> here as I'm really confused,
>
> greg k-h



-- 
Thanks,

Steve

[-- Attachment #2: 0001-SMB3-Validate-negotiate-request-must-always-be-signe.patch --]
[-- Type: text/x-patch, Size: 1223 bytes --]

From 8ac7b1d15dc973e2092ab2b1b5b698eb92e1d1c3 Mon Sep 17 00:00:00 2001
From: Steve French <smfrench@gmail.com>
Date: Sun, 11 Mar 2018 20:00:27 -0700
Subject: [PATCH 1/2] SMB3: Validate negotiate request must always be signed

According to MS-SMB2 3.2.55 validate_negotiate request must
always be signed. Some Windows can fail the request if you send it unsigned

See kernel bugzilla bug 197311

[Patch fixed up for kernel version 4.9]

CC: Stable <stable@vger.kernel.org>
Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
---
 fs/cifs/smb2pdu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 94c4c1901222..4c2eaf05a6a4 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1712,6 +1712,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	} else
 		iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+		req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
 	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
 	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
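Review bot: req->hdr.Flags |= SMB2_FLAGS_SIGNED is applied whenever opcode is FSCTL_VALIDATE_NEGOTIATE_INFO, with no check in this hunk that the session has a signing key. On this tree SMB2_sess_establish_session only calls generate_signingkey when ses->server->sign is set (the condition patch 2/2 removes), so for mounts without signing this patch alone asks the send path to sign with no key generated; the changelog should state that 2/2 is a prerequisite and in which order the two apply. "[Patch fixed up for kernel version 4.9]" should also say what was changed (req->hdr.Flags here rather than the req->hdr.sync_hdr.Flags of the 4.13 version), and the "commit ... upstream." line that the 4.13 submission carried is missing.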
-- 
2.14.1


[-- Attachment #3: 0002-CIFS-Enable-encryption-during-session-setup-phase.patch --]
[-- Type: text/x-patch, Size: 3310 bytes --]

From c5346223ca952a2868bd69a8888133251e517571 Mon Sep 17 00:00:00 2001
From: Pavel Shilovsky <pshilov@microsoft.com>
Date: Mon, 7 Nov 2016 18:20:50 -0800
Subject: [PATCH 2/2] CIFS: Enable encryption during session setup phase

In order to allow encryption on SMB connection we need to exchange
a session key and generate encryption and decryption keys.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
---
 fs/cifs/sess.c    | 22 ++++++++++------------
 fs/cifs/smb2pdu.c | 12 ++----------
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 538d9b55699a..c3db2a882aee 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
 	/* BB is NTLMV2 session security format easier to use here? */
 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-	if (ses->server->sign) {
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
+		NTLMSSP_NEGOTIATE_SEAL;
+	if (ses->server->sign)
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab ||
-				ses->ntlmssp->sesskey_per_smbsess)
-			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-	}
+	if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
+		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
 
@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned char **pbuffer,
 	flags = NTLMSSP_NEGOTIATE_56 |
 		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-	if (ses->server->sign) {
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
+		NTLMSSP_NEGOTIATE_SEAL;
+	if (ses->server->sign)
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab ||
-				ses->ntlmssp->sesskey_per_smbsess)
-			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-	}
+	if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
+		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 
 	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
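
Review bot: the flag computation in build_ntlmssp_auth_blob() is now a second copy of the logic in build_ntlmssp_negotiate_blob(), differing only by NTLMSSP_NEGOTIATE_TARGET_INFO, and this patch had to change both copies in lockstep. Consider a small static helper that returns the common flags for a given ses, so the negotiate and authenticate messages cannot drift apart in a later change or backport.
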
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 4c2eaf05a6a4..7c26286a525d 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -707,15 +707,13 @@ SMB2_sess_establish_session(struct SMB2_sess_data *sess_data)
 	struct cifs_ses *ses = sess_data->ses;
 
 	mutex_lock(&ses->server->srv_mutex);
-	if (ses->server->sign && ses->server->ops->generate_signingkey) {
+	if (ses->server->ops->generate_signingkey) {
 		rc = ses->server->ops->generate_signingkey(ses);
-		kfree(ses->auth_key.response);
-		ses->auth_key.response = NULL;
 		if (rc) {
 			cifs_dbg(FYI,
 				"SMB3 session key generation failed\n");
 			mutex_unlock(&ses->server->srv_mutex);
-			goto keygen_exit;
+			return rc;
 		}
 	}
 	if (!ses->server->session_estab) {
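
Review bot: dropping ses->server->sign from the condition means generate_signingkey() now runs for every session whose ops provide it, so a key generation failure becomes a failed session setup (the new "return rc") even when signing was not requested. That is a behavior change for unsigned mounts which the commit message does not mention. The "SMB3 session key generation failed" debug text is fine, but a comment above the call should say that the keys are now wanted for encryption as well, not only for signing.
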
@@ -729,12 +727,6 @@ SMB2_sess_establish_session(struct SMB2_sess_data *sess_data)
 	ses->status = CifsGood;
 	ses->need_reconnect = false;
 	spin_unlock(&GlobalMid_Lock);
-
-keygen_exit:
-	if (!ses->server->sign) {
-		kfree(ses->auth_key.response);
-		ses->auth_key.response = NULL;
-	}
 	return rc;
 }
 
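Review bot: with the keygen_exit block removed here and the kfree() pair removed in the previous hunk, nothing in SMB2_sess_establish_session() frees ses->auth_key.response any more, on success or on failure. Keeping the key is presumably the intent, but the patch does not show where the buffer is released now. Please confirm that session teardown frees it, and consider clearing it before the free since it holds session key material.
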
-- 
2.14.1


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
From: Srivatsa S. Bhat @ 2018-03-22  5:12 UTC (permalink / raw)
  To: Steve French, Greg Kroah-Hartman
  Cc: Thomas Backlund, Aurélien Aptel, LKML, Stable,
	Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On 3/21/18 7:02 PM, Steve French wrote:
> Found a patch which solves the dependency issue.  In my testing (on
> 4.9, with Windows 2016, and also to Samba) as Pavel suggested this
> appears to fix the problem, but I will let Srivatsa confirm that it
> also fixes it for him.  The two attached patches for 4.9 should work.
> 

Indeed, those two patches fix the problem for me on 4.9. Thanks a lot
Steve, Pavel and Aurelien for all your efforts in fixing this!

I was also interested in getting this fixed on 4.4, so I modified the
patches to apply on 4.4.88 and verified that they fix the mount
failure. I have attached my patches for 4.4 with this mail.

Steve, Pavel, could you kindly double-check the second patch for 4.4,
especially around the keygen_exit error path?

Thank you very much!

Regards,
Srivatsa
VMware Photon OS

[-- Attachment #2: v4.4-0001-SMB3-Validate-negotiate-request-must-always-be-signe.patch --]
[-- Type: text/plain, Size: 1324 bytes --]

From a01a7dfb60e2d5421a487a7b81fd8a1bf72d96d4 Mon Sep 17 00:00:00 2001
From: Steve French <smfrench@gmail.com>
Date: Sun, 11 Mar 2018 20:00:27 -0700
Subject: [PATCH 1/2] SMB3: Validate negotiate request must always be signed

commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.

According to MS-SMB2 3.2.55 validate_negotiate request must
always be signed. Some Windows can fail the request if you send it unsigned

See kernel bugzilla bug 197311

[ Fixed up for kernel version 4.4 ]

CC: Stable <stable@vger.kernel.org>
Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
---
 fs/cifs/smb2pdu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 84614a5..6dae5b8 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1558,6 +1558,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	} else
 		iov[0].iov_len = get_rfc1002_length(req) + 4;
 
+	/* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+	if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+		req->hdr.Flags |= SMB2_FLAGS_SIGNED;
 
 	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
 	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
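
Review bot: the added check sets SMB2_FLAGS_SIGNED on every FSCTL_VALIDATE_NEGOTIATE_INFO request without testing that the session actually has a signing key. In this tree generate_signingkey() is only called when server->sign is set, until patch 2/2 removes that condition, so 1/2 applied on its own requests a signature for sessions that never generated a key. The changelog should state that 2/2 is a hard dependency. Separately, the commit message cites MS-SMB2 3.2.55 while the code comment cites 3.2.5.5; make the two agree.
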
-- 
2.7.4


[-- Attachment #3: v4.4-0002-CIFS-Enable-encryption-during-session-setup-phase.patch --]
[-- Type: text/plain, Size: 3136 bytes --]

From d0178d8f096b29a88914787274bdc8ee8334ab07 Mon Sep 17 00:00:00 2001
From: Pavel Shilovsky <pshilov@microsoft.com>
Date: Mon, 7 Nov 2016 18:20:50 -0800
Subject: [PATCH 2/2] CIFS: Enable encryption during session setup phase

commit cabfb3680f78981d26c078a26e5c748531257ebb upstream.

In order to allow encryption on SMB connection we need to exchange
a session key and generate encryption and decryption keys.

[ Fixed up for kernel version 4.4 ]

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
---
 fs/cifs/sess.c    | 22 ++++++++++------------
 fs/cifs/smb2pdu.c |  8 +-------
 2 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index e88ffe1..a035d1a 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
 	/* BB is NTLMV2 session security format easier to use here? */
 	flags = NTLMSSP_NEGOTIATE_56 |	NTLMSSP_REQUEST_TARGET |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-	if (ses->server->sign) {
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
+		NTLMSSP_NEGOTIATE_SEAL;
+	if (ses->server->sign)
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab ||
-				ses->ntlmssp->sesskey_per_smbsess)
-			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-	}
+	if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
+		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
 
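Review bot: the backport note "[ Fixed up for kernel version 4.4 ]" does not say what was adjusted, and the commit message still motivates the change only by encryption, while in this thread the patch is picked up as a dependency of 1/2. Since these sess.c hunks change the flags sent in every NTLMSSP negotiate (NTLMSSP_NEGOTIATE_SEAL always set, NTLMSSP_NEGOTIATE_KEY_XCH no longer under ses->server->sign), please spell out in the note which parts differ from upstream and why stable needs the change.
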
@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned char **pbuffer,
 	flags = NTLMSSP_NEGOTIATE_56 |
 		NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
 		NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
-	if (ses->server->sign) {
+		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
+		NTLMSSP_NEGOTIATE_SEAL;
+	if (ses->server->sign)
 		flags |= NTLMSSP_NEGOTIATE_SIGN;
-		if (!ses->server->session_estab ||
-				ses->ntlmssp->sesskey_per_smbsess)
-			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-	}
+	if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
+		flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 
 	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6dae5b8..33b1bc2 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -832,10 +832,8 @@ ssetup_exit:
 
 	if (!rc) {
 		mutex_lock(&server->srv_mutex);
-		if (server->sign && server->ops->generate_signingkey) {
+		if (server->ops->generate_signingkey) {
 			rc = server->ops->generate_signingkey(ses);
-			kfree(ses->auth_key.response);
-			ses->auth_key.response = NULL;
 			if (rc) {
 				cifs_dbg(FYI,
 					"SMB3 session key generation failed\n");
@@ -857,10 +855,6 @@ ssetup_exit:
 	}
 
 keygen_exit:
-	if (!server->sign) {
-		kfree(ses->auth_key.response);
-		ses->auth_key.response = NULL;
-	}
 	if (spnego_key) {
 		key_invalidate(spnego_key);
 		key_put(spnego_key);
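
Review bot: on the keygen_exit path that the cover mail asks about, the label is kept (the earlier version of this patch in the thread removes it and returns directly) and now goes straight to the spnego_key cleanup, so ses->auth_key.response survives both the success and the failure path of session setup. That is consistent with the kfree() pair removed after generate_signingkey() in the previous hunk, but neither hunk shows who releases the buffer now. Please confirm it is freed when the session is torn down, and that a generate_signingkey() failure on a mount without signing is meant to fail the mount.
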
-- 
2.7.4


* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
From: Srivatsa S. Bhat @ 2018-03-22  5:15 UTC (permalink / raw)
  To: Steve French, Greg Kroah-Hartman
  Cc: Thomas Backlund, Aurélien Aptel, LKML, Stable,
	Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On 3/21/18 10:12 PM, Srivatsa S. Bhat wrote:
> On 3/21/18 7:02 PM, Steve French wrote:
>> Found a patch which solves the dependency issue.  In my testing (on
>> 4.9, with Windows 2016, and also to Samba) as Pavel suggested this
>> appears to fix the problem, but I will let Srivatsa confirm that it
>> also fixes it for him.  The two attached patches for 4.9 should work.
>>
> 
> Indeed, those two patches fix the problem for me on 4.9. Thanks a lot
> Steve, Pavel and Aurelien for all your efforts in fixing this!
> 
> I was also interested in getting this fixed on 4.4, so I modified the
> patches to apply on 4.4.88 and verified that they fix the mount

I meant to say 4.4.122 there (the latest stable 4.4 version at the moment).

Regards,
Srivatsa
VMware Photon OS

* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
From: Greg Kroah-Hartman @ 2018-03-22 10:32 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Steve French, Thomas Backlund, Aurélien Aptel, LKML, Stable,
	Ronnie Sahlberg, Pavel Shilovskiy, CIFS

On Wed, Mar 21, 2018 at 10:15:51PM -0700, Srivatsa S. Bhat wrote:
> On 3/21/18 10:12 PM, Srivatsa S. Bhat wrote:
> > On 3/21/18 7:02 PM, Steve French wrote:
> >> Found a patch which solves the dependency issue.  In my testing (on
> >> 4.9, with Windows 2016, and also to Samba) as Pavel suggested this
> >> appears to fix the problem, but I will let Srivatsa confirm that it
> >> also fixes it for him.  The two attached patches for 4.9 should work.
> >>
> > 
> > Indeed, those two patches fix the problem for me on 4.9. Thanks a lot
> > Steve, Pavel and Aurelien for all your efforts in fixing this!
> > 
> > I was also interested in getting this fixed on 4.4, so I modified the
> > patches to apply on 4.4.88 and verified that they fix the mount
> 
> I meant to say 4.4.122 there (the latest stable 4.4 version at the moment).

Thanks for these, all now queued up.

greg k-h

* Re: [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed
From: Pavel Shilovsky @ 2018-03-22 19:14 UTC (permalink / raw)
  To: Srivatsa S. Bhat
  Cc: Steve French, Greg Kroah-Hartman, Thomas Backlund,
	Aurélien Aptel, LKML, Stable, Ronnie Sahlberg,
	Pavel Shilovskiy, CIFS

2018-03-21 22:12 GMT-07:00 Srivatsa S. Bhat <srivatsa@csail.mit.edu>:
> On 3/21/18 7:02 PM, Steve French wrote:
>> Found a patch which solves the dependency issue.  In my testing (on
>> 4.9, with Windows 2016, and also to Samba) as Pavel suggested this
>> appears to fix the problem, but I will let Srivatsa confirm that it
>> also fixes it for him.  The two attached patches for 4.9 should work.
>>
>
> Indeed, those two patches fix the problem for me on 4.9. Thanks a lot
> Steve, Pavel and Aurelien for all your efforts in fixing this!
>
> I was also interested in getting this fixed on 4.4, so I modified the
> patches to apply on 4.4.88 and verified that they fix the mount
> failure. I have attached my patches for 4.4 with this mail.
>
> Steve, Pavel, could you kindly double-check the second patch for 4.4,
> especially around the keygen_exit error path?

The patch looks good. Thanks for the backport.

--
Best regards,
Pavel Shilovsky
