Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6

Pull SMB3 fixes from Steve French:
 "Some small bug fixes as well as SMB2.1/SMB3 enablement for DFS (global
  namespace) which previously was only enabled for CIFS"

* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
  smb2: Enforce sec= mount option
  CIFS: Fix sparse warnings
  CIFS: implement get_dfs_refer for SMB2+
  CIFS: use DFS pathnames in SMB2+ Create requests
  CIFS: set signing flag in SMB2+ TreeConnect if needed
  CIFS: let ses->ipc_tid hold smb2 TreeIds
  CIFS: add use_ipc flag to SMB2_ioctl()
  CIFS: add build_path_from_dentry_optional_prefix()
  CIFS: move DFS response parsing out of SMB1 code
  CIFS: Fix possible use after free in demultiplex thread

16 files changed, 447 insertions, 168 deletions

diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index 9156be545b0f..6b61df117fd4 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -303,7 +303,9 @@ static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt)
          * gives us the latter, so we must adjust the result.
          */
         mnt = ERR_PTR(-ENOMEM);
-        full_path = build_path_from_dentry(mntpt);
+
+        /* always use tree name prefix */
+        full_path = build_path_from_dentry_optional_prefix(mntpt, true);
         if (full_path == NULL)
                 goto cdda_exit;
 
diff --git a/fs/cifs/cifs_unicode.h b/fs/cifs/cifs_unicode.h
index 479bc0a941f3..3d7298cc0aeb 100644
--- a/fs/cifs/cifs_unicode.h
+++ b/fs/cifs/cifs_unicode.h
@@ -130,10 +130,10 @@ wchar_t cifs_toupper(wchar_t in);
  * Returns:
  *     Address of the first string
  */
-static inline wchar_t *
-UniStrcat(wchar_t *ucs1, const wchar_t *ucs2)
+static inline __le16 *
+UniStrcat(__le16 *ucs1, const __le16 *ucs2)
 {
-        wchar_t *anchor = ucs1; /* save a pointer to start of ucs1 */
+        __le16 *anchor = ucs1;  /* save a pointer to start of ucs1 */
 
         while (*ucs1++) ;       /* To end of first string */
         ucs1--;                 /* Return to the null */
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 1a90bb3e2986..d42dd3288647 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -443,6 +443,9 @@ struct smb_version_operations {
         int (*is_transform_hdr)(void *buf);
         int (*receive_transform)(struct TCP_Server_Info *,
                                  struct mid_q_entry **);
+        enum securityEnum (*select_sectype)(struct TCP_Server_Info *,
+                            enum securityEnum);
+
 };
 
 struct smb_version_values {
@@ -822,7 +825,7 @@ struct cifs_ses {
         int ses_count;          /* reference counter */
         enum statusEnum status;
         unsigned overrideSecFlg;  /* if non-zero override global sec flags */
-        __u16 ipc_tid;          /* special tid for connection to IPC share */
+        __u32 ipc_tid;          /* special tid for connection to IPC share */
         char *serverOS;         /* name of operating system underlying server */
         char *serverNOS;        /* name of network operating system of server */
         char *serverDomain;     /* security realm of server */
diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h
index f5b87303ce46..1ce733f3582f 100644
--- a/fs/cifs/cifspdu.h
+++ b/fs/cifs/cifspdu.h
@@ -2086,17 +2086,21 @@ typedef struct dfs_referral_level_3 { /* version 4 is same, + one flag bit */
         __u8   ServiceSiteGuid[16];  /* MBZ, ignored */
 } __attribute__((packed)) REFERRAL3;
 
-typedef struct smb_com_transaction_get_dfs_refer_rsp {
-        struct smb_hdr hdr;     /* wct = 10 */
-        struct trans2_resp t2;
-        __u16 ByteCount;
-        __u8 Pad;
+struct get_dfs_referral_rsp {
         __le16 PathConsumed;
         __le16 NumberOfReferrals;
         __le32 DFSFlags;
         REFERRAL3 referrals[1]; /* array of level 3 dfs_referral structures */
         /* followed by the strings pointed to by the referral structures */
-} __attribute__((packed)) TRANSACTION2_GET_DFS_REFER_RSP;
+} __packed;
+
+typedef struct smb_com_transaction_get_dfs_refer_rsp {
+        struct smb_hdr hdr;     /* wct = 10 */
+        struct trans2_resp t2;
+        __u16 ByteCount;
+        __u8 Pad;
+        struct get_dfs_referral_rsp dfs_data;
+} __packed TRANSACTION2_GET_DFS_REFER_RSP;
 
 /* DFS Flags */
 #define DFSREF_REFERRAL_SERVER  0x00000001 /* all targets are DFS roots */
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index 406d2c10ba78..97e5d236d265 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -61,6 +61,8 @@ extern void exit_cifs_idmap(void);
 extern int init_cifs_spnego(void);
 extern void exit_cifs_spnego(void);
 extern char *build_path_from_dentry(struct dentry *);
+extern char *build_path_from_dentry_optional_prefix(struct dentry *direntry,
+                                                    bool prefix);
 extern char *cifs_build_path_to_root(struct smb_vol *vol,
                                      struct cifs_sb_info *cifs_sb,
                                      struct cifs_tcon *tcon,
@@ -284,6 +286,11 @@ extern int get_dfs_path(const unsigned int xid, struct cifs_ses *ses,
                         const struct nls_table *nls_codepage,
                         unsigned int *num_referrals,
                         struct dfs_info3_param **referrals, int remap);
+extern int parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size,
+                               unsigned int *num_of_nodes,
+                               struct dfs_info3_param **target_nodes,
+                               const struct nls_table *nls_codepage, int remap,
+                               const char *searchName, bool is_unicode);
 extern void reset_cifs_unix_caps(unsigned int xid, struct cifs_tcon *tcon,
                                  struct cifs_sb_info *cifs_sb,
                                  struct smb_vol *vol);
@@ -526,4 +533,6 @@ int cifs_create_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
 int __cifs_calc_signature(struct smb_rqst *rqst,
                         struct TCP_Server_Info *server, char *signature,
                         struct shash_desc *shash);
+enum securityEnum cifs_select_sectype(struct TCP_Server_Info *,
+                                        enum securityEnum);
 #endif                  /* _CIFSPROTO_H */
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index f5099fb8a22f..066950671929 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -4786,117 +4786,6 @@ GetInodeNumOut:
         return rc;
 }
 
-/* parses DFS refferal V3 structure
- * caller is responsible for freeing target_nodes
- * returns:
- *      on success - 0
- *      on failure - errno
- */
-static int
-parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
-                unsigned int *num_of_nodes,
-                struct dfs_info3_param **target_nodes,
-                const struct nls_table *nls_codepage, int remap,
-                const char *searchName)
-{
-        int i, rc = 0;
-        char *data_end;
-        bool is_unicode;
-        struct dfs_referral_level_3 *ref;
-
-        if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
-                is_unicode = true;
-        else
-                is_unicode = false;
-        *num_of_nodes = le16_to_cpu(pSMBr->NumberOfReferrals);
-
-        if (*num_of_nodes < 1) {
-                cifs_dbg(VFS, "num_referrals: must be at least > 0, but we get num_referrals = %d\n",
-                         *num_of_nodes);
-                rc = -EINVAL;
-                goto parse_DFS_referrals_exit;
-        }
-
-        ref = (struct dfs_referral_level_3 *) &(pSMBr->referrals);
-        if (ref->VersionNumber != cpu_to_le16(3)) {
-                cifs_dbg(VFS, "Referrals of V%d version are not supported, should be V3\n",
-                         le16_to_cpu(ref->VersionNumber));
-                rc = -EINVAL;
-                goto parse_DFS_referrals_exit;
-        }
-
-        /* get the upper boundary of the resp buffer */
-        data_end = (char *)(&(pSMBr->PathConsumed)) +
-                                le16_to_cpu(pSMBr->t2.DataCount);
-
-        cifs_dbg(FYI, "num_referrals: %d dfs flags: 0x%x ...\n",
-                 *num_of_nodes, le32_to_cpu(pSMBr->DFSFlags));
-
-        *target_nodes = kcalloc(*num_of_nodes, sizeof(struct dfs_info3_param),
-                                GFP_KERNEL);
-        if (*target_nodes == NULL) {
-                rc = -ENOMEM;
-                goto parse_DFS_referrals_exit;
-        }
-
-        /* collect necessary data from referrals */
-        for (i = 0; i < *num_of_nodes; i++) {
-                char *temp;
-                int max_len;
-                struct dfs_info3_param *node = (*target_nodes)+i;
-
-                node->flags = le32_to_cpu(pSMBr->DFSFlags);
-                if (is_unicode) {
-                        __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
-                                                GFP_KERNEL);
-                        if (tmp == NULL) {
-                                rc = -ENOMEM;
-                                goto parse_DFS_referrals_exit;
-                        }
-                        cifsConvertToUTF16((__le16 *) tmp, searchName,
-                                           PATH_MAX, nls_codepage, remap);
-                        node->path_consumed = cifs_utf16_bytes(tmp,
-                                        le16_to_cpu(pSMBr->PathConsumed),
-                                        nls_codepage);
-                        kfree(tmp);
-                } else
-                        node->path_consumed = le16_to_cpu(pSMBr->PathConsumed);
-
-                node->server_type = le16_to_cpu(ref->ServerType);
-                node->ref_flag = le16_to_cpu(ref->ReferralEntryFlags);
-
-                /* copy DfsPath */
-                temp = (char *)ref + le16_to_cpu(ref->DfsPathOffset);
-                max_len = data_end - temp;
-                node->path_name = cifs_strndup_from_utf16(temp, max_len,
-                                                is_unicode, nls_codepage);
-                if (!node->path_name) {
-                        rc = -ENOMEM;
-                        goto parse_DFS_referrals_exit;
-                }
-
-                /* copy link target UNC */
-                temp = (char *)ref + le16_to_cpu(ref->NetworkAddressOffset);
-                max_len = data_end - temp;
-                node->node_name = cifs_strndup_from_utf16(temp, max_len,
-                                                is_unicode, nls_codepage);
-                if (!node->node_name) {
-                        rc = -ENOMEM;
-                        goto parse_DFS_referrals_exit;
-                }
-
-                ref++;
-        }
-
-parse_DFS_referrals_exit:
-        if (rc) {
-                free_dfs_info_array(*target_nodes, *num_of_nodes);
-                *target_nodes = NULL;
-                *num_of_nodes = 0;
-        }
-        return rc;
-}
-
 int
 CIFSGetDFSRefer(const unsigned int xid, struct cifs_ses *ses,
                 const char *search_name, struct dfs_info3_param **target_nodes,
@@ -4993,9 +4882,11 @@ getDFSRetry:
                  get_bcc(&pSMBr->hdr), le16_to_cpu(pSMBr->t2.DataOffset));
 
         /* parse returned result into more usable form */
-        rc = parse_DFS_referrals(pSMBr, num_of_nodes,
-                                 target_nodes, nls_codepage, remap,
-                                 search_name);
+        rc = parse_dfs_referrals(&pSMBr->dfs_data,
+                                 le16_to_cpu(pSMBr->t2.DataCount),
+                                 num_of_nodes, target_nodes, nls_codepage,
+                                 remap, search_name,
+                                 (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE) != 0);
 
 GetDFSRefExit:
         cifs_buf_release(pSMB);
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 3aa457f83214..9ae695ae3ed7 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2074,7 +2074,8 @@ match_security(struct TCP_Server_Info *server, struct smb_vol *vol)
          * that was specified, or "Unspecified" if that sectype was not
          * compatible with the given NEGOTIATE request.
          */
-        if (select_sectype(server, vol->sectype) == Unspecified)
+        if (server->ops->select_sectype(server, vol->sectype)
+             == Unspecified)
                 return false;
 
         /*
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 2c227a99f369..56366e984076 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -81,6 +81,17 @@ cifs_build_path_to_root(struct smb_vol *vol, struct cifs_sb_info *cifs_sb,
 char *
 build_path_from_dentry(struct dentry *direntry)
 {
+        struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
+        struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+        bool prefix = tcon->Flags & SMB_SHARE_IS_IN_DFS;
+
+        return build_path_from_dentry_optional_prefix(direntry,
+                                                      prefix);
+}
+
+char *
+build_path_from_dentry_optional_prefix(struct dentry *direntry, bool prefix)
+{
         struct dentry *temp;
         int namelen;
         int dfsplen;
@@ -92,7 +103,7 @@ build_path_from_dentry(struct dentry *direntry)
         unsigned seq;
 
         dirsep = CIFS_DIR_SEP(cifs_sb);
-        if (tcon->Flags & SMB_SHARE_IS_IN_DFS)
+        if (prefix)
                 dfsplen = strnlen(tcon->treeName, MAX_TREE_SIZE + 1);
         else
                 dfsplen = 0;
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index c6729156f9a0..d3fb11529ed9 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -640,3 +640,108 @@ cifs_add_pending_open(struct cifs_fid *fid, struct tcon_link *tlink,
         cifs_add_pending_open_locked(fid, tlink, open);
         spin_unlock(&tlink_tcon(open->tlink)->open_file_lock);
 }
+
+/* parses DFS refferal V3 structure
+ * caller is responsible for freeing target_nodes
+ * returns:
+ * - on success - 0
+ * - on failure - errno
+ */
+int
+parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size,
+                    unsigned int *num_of_nodes,
+                    struct dfs_info3_param **target_nodes,
+                    const struct nls_table *nls_codepage, int remap,
+                    const char *searchName, bool is_unicode)
+{
+        int i, rc = 0;
+        char *data_end;
+        struct dfs_referral_level_3 *ref;
+
+        *num_of_nodes = le16_to_cpu(rsp->NumberOfReferrals);
+
+        if (*num_of_nodes < 1) {
+                cifs_dbg(VFS, "num_referrals: must be at least > 0, but we get num_referrals = %d\n",
+                         *num_of_nodes);
+                rc = -EINVAL;
+                goto parse_DFS_referrals_exit;
+        }
+
+        ref = (struct dfs_referral_level_3 *) &(rsp->referrals);
+        if (ref->VersionNumber != cpu_to_le16(3)) {
+                cifs_dbg(VFS, "Referrals of V%d version are not supported, should be V3\n",
+                         le16_to_cpu(ref->VersionNumber));
+                rc = -EINVAL;
+                goto parse_DFS_referrals_exit;
+        }
+
+        /* get the upper boundary of the resp buffer */
+        data_end = (char *)rsp + rsp_size;
+
+        cifs_dbg(FYI, "num_referrals: %d dfs flags: 0x%x ...\n",
+                 *num_of_nodes, le32_to_cpu(rsp->DFSFlags));
+
+        *target_nodes = kcalloc(*num_of_nodes, sizeof(struct dfs_info3_param),
+                                GFP_KERNEL);
+        if (*target_nodes == NULL) {
+                rc = -ENOMEM;
+                goto parse_DFS_referrals_exit;
+        }
+
+        /* collect necessary data from referrals */
+        for (i = 0; i < *num_of_nodes; i++) {
+                char *temp;
+                int max_len;
+                struct dfs_info3_param *node = (*target_nodes)+i;
+
+                node->flags = le32_to_cpu(rsp->DFSFlags);
+                if (is_unicode) {
+                        __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
+                                                GFP_KERNEL);
+                        if (tmp == NULL) {
+                                rc = -ENOMEM;
+                                goto parse_DFS_referrals_exit;
+                        }
+                        cifsConvertToUTF16((__le16 *) tmp, searchName,
+                                           PATH_MAX, nls_codepage, remap);
+                        node->path_consumed = cifs_utf16_bytes(tmp,
+                                        le16_to_cpu(rsp->PathConsumed),
+                                        nls_codepage);
+                        kfree(tmp);
+                } else
+                        node->path_consumed = le16_to_cpu(rsp->PathConsumed);
+
+                node->server_type = le16_to_cpu(ref->ServerType);
+                node->ref_flag = le16_to_cpu(ref->ReferralEntryFlags);
+
+                /* copy DfsPath */
+                temp = (char *)ref + le16_to_cpu(ref->DfsPathOffset);
+                max_len = data_end - temp;
+                node->path_name = cifs_strndup_from_utf16(temp, max_len,
+                                                is_unicode, nls_codepage);
+                if (!node->path_name) {
+                        rc = -ENOMEM;
+                        goto parse_DFS_referrals_exit;
+                }
+
+                /* copy link target UNC */
+                temp = (char *)ref + le16_to_cpu(ref->NetworkAddressOffset);
+                max_len = data_end - temp;
+                node->node_name = cifs_strndup_from_utf16(temp, max_len,
+                                                is_unicode, nls_codepage);
+                if (!node->node_name) {
+                        rc = -ENOMEM;
+                        goto parse_DFS_referrals_exit;
+                }
+
+                ref++;
+        }
+
+parse_DFS_referrals_exit:
+        if (rc) {
+                free_dfs_info_array(*target_nodes, *num_of_nodes);
+                *target_nodes = NULL;
+                *num_of_nodes = 0;
+        }
+        return rc;
+}
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index dcbcc927399a..8b0502cd39af 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -498,7 +498,7 @@ setup_ntlmv2_ret:
 }
 
 enum securityEnum
-select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
+cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
 {
         switch (server->negflavor) {
         case CIFS_NEGFLAVOR_EXTENDED:
@@ -1391,7 +1391,7 @@ static int select_sec(struct cifs_ses *ses, struct sess_data *sess_data)
 {
         int type;
 
-        type = select_sectype(ses->server, ses->sectype);
+        type = cifs_select_sectype(ses->server, ses->sectype);
         cifs_dbg(FYI, "sess setup type %d\n", type);
         if (type == Unspecified) {
                 cifs_dbg(VFS,
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
index 67a987e4d026..cc93ba4da9b5 100644
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -1087,6 +1087,7 @@ struct smb_version_operations smb1_operations = {
         .is_read_op = cifs_is_read_op,
         .wp_retry_size = cifs_wp_retry_size,
         .dir_needs_close = cifs_dir_needs_close,
+        .select_sectype = cifs_select_sectype,
 #ifdef CONFIG_CIFS_XATTR
         .query_all_EAs = CIFSSMBQAllEAs,
         .set_EA = CIFSSMBSetEA,
diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index b2aff0c6f22c..b4b1f0305f29 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -73,7 +73,8 @@ smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
                 nr_ioctl_req.Timeout = 0; /* use server default (120 seconds) */
                 nr_ioctl_req.Reserved = 0;
                 rc = SMB2_ioctl(xid, oparms->tcon, fid->persistent_fid,
-                        fid->volatile_fid, FSCTL_LMR_REQUEST_RESILIENCY, true,
+                        fid->volatile_fid, FSCTL_LMR_REQUEST_RESILIENCY,
+                        true /* is_fsctl */, false /* use_ipc */,
                         (char *)&nr_ioctl_req, sizeof(nr_ioctl_req),
                         NULL, NULL /* no return info */);
                 if (rc == -EOPNOTSUPP) {
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index a44b4dbe4aae..0231108d9387 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -282,6 +282,7 @@ SMB3_request_interfaces(const unsigned int xid, struct cifs_tcon *tcon)
 
         rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
                         FSCTL_QUERY_NETWORK_INTERFACE_INFO, true /* is_fsctl */,
+                        false /* use_ipc */,
                         NULL /* no data input */, 0 /* no data input */,
                         (char **)&out_buf, &ret_data_len);
         if (rc != 0)
@@ -571,6 +572,7 @@ SMB2_request_res_key(const unsigned int xid, struct cifs_tcon *tcon,
 
         rc = SMB2_ioctl(xid, tcon, persistent_fid, volatile_fid,
                         FSCTL_SRV_REQUEST_RESUME_KEY, true /* is_fsctl */,
+                        false /* use_ipc */,
                         NULL, 0 /* no input */,
                         (char **)&res_key, &ret_data_len);
 
@@ -635,7 +637,8 @@ smb2_clone_range(const unsigned int xid,
                 /* Request server copy to target from src identified by key */
                 rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
                         trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
-                        true /* is_fsctl */, (char *)pcchunk,
+                        true /* is_fsctl */, false /* use_ipc */,
+                        (char *)pcchunk,
                         sizeof(struct copychunk_ioctl), (char **)&retbuf,
                         &ret_data_len);
                 if (rc == 0) {
@@ -787,7 +790,8 @@ static bool smb2_set_sparse(const unsigned int xid, struct cifs_tcon *tcon,
 
         rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
                         cfile->fid.volatile_fid, FSCTL_SET_SPARSE,
-                        true /* is_fctl */, &setsparse, 1, NULL, NULL);
+                        true /* is_fctl */, false /* use_ipc */,
+                        &setsparse, 1, NULL, NULL);
         if (rc) {
                 tcon->broken_sparse_sup = true;
                 cifs_dbg(FYI, "set sparse rc = %d\n", rc);
@@ -857,7 +861,8 @@ smb2_duplicate_extents(const unsigned int xid,
         rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
                         trgtfile->fid.volatile_fid,
                         FSCTL_DUPLICATE_EXTENTS_TO_FILE,
-                        true /* is_fsctl */, (char *)&dup_ext_buf,
+                        true /* is_fsctl */, false /* use_ipc */,
+                        (char *)&dup_ext_buf,
                         sizeof(struct duplicate_extents_to_file),
                         NULL,
                         &ret_data_len);
@@ -891,7 +896,8 @@ smb3_set_integrity(const unsigned int xid, struct cifs_tcon *tcon,
         return SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
                         cfile->fid.volatile_fid,
                         FSCTL_SET_INTEGRITY_INFORMATION,
-                        true /* is_fsctl */, (char *)&integr_info,
+                        true /* is_fsctl */, false /* use_ipc */,
+                        (char *)&integr_info,
                         sizeof(struct fsctl_set_integrity_information_req),
                         NULL,
                         &ret_data_len);
@@ -910,7 +916,8 @@ smb3_enum_snapshots(const unsigned int xid, struct cifs_tcon *tcon,
         rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
                         cfile->fid.volatile_fid,
                         FSCTL_SRV_ENUMERATE_SNAPSHOTS,
-                        true /* is_fsctl */, NULL, 0 /* no input data */,
+                        true /* is_fsctl */, false /* use_ipc */,
+                        NULL, 0 /* no input data */,
                         (char **)&retbuf,
                         &ret_data_len);
         cifs_dbg(FYI, "enum snaphots ioctl returned %d and ret buflen is %d\n",
@@ -1097,6 +1104,103 @@ smb2_new_lease_key(struct cifs_fid *fid)
         generate_random_uuid(fid->lease_key);
 }
 
+static int
+smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
+                   const char *search_name,
+                   struct dfs_info3_param **target_nodes,
+                   unsigned int *num_of_nodes,
+                   const struct nls_table *nls_codepage, int remap)
+{
+        int rc;
+        __le16 *utf16_path = NULL;
+        int utf16_path_len = 0;
+        struct cifs_tcon *tcon;
+        struct fsctl_get_dfs_referral_req *dfs_req = NULL;
+        struct get_dfs_referral_rsp *dfs_rsp = NULL;
+        u32 dfs_req_size = 0, dfs_rsp_size = 0;
+
+        cifs_dbg(FYI, "smb2_get_dfs_refer path <%s>\n", search_name);
+
+        /*
+         * Use any tcon from the current session. Here, the first one.
+         */
+        spin_lock(&cifs_tcp_ses_lock);
+        tcon = list_first_entry_or_null(&ses->tcon_list, struct cifs_tcon,
+                                        tcon_list);
+        if (tcon)
+                tcon->tc_count++;
+        spin_unlock(&cifs_tcp_ses_lock);
+
+        if (!tcon) {
+                cifs_dbg(VFS, "session %p has no tcon available for a dfs referral request\n",
+                         ses);
+                rc = -ENOTCONN;
+                goto out;
+        }
+
+        utf16_path = cifs_strndup_to_utf16(search_name, PATH_MAX,
+                                           &utf16_path_len,
+                                           nls_codepage, remap);
+        if (!utf16_path) {
+                rc = -ENOMEM;
+                goto out;
+        }
+
+        dfs_req_size = sizeof(*dfs_req) + utf16_path_len;
+        dfs_req = kzalloc(dfs_req_size, GFP_KERNEL);
+        if (!dfs_req) {
+                rc = -ENOMEM;
+                goto out;
+        }
+
+        /* Highest DFS referral version understood */
+        dfs_req->MaxReferralLevel = DFS_VERSION;
+
+        /* Path to resolve in an UTF-16 null-terminated string */
+        memcpy(dfs_req->RequestFileName, utf16_path, utf16_path_len);
+
+        do {
+                /* try first with IPC */
+                rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
+                                FSCTL_DFS_GET_REFERRALS,
+                                true /* is_fsctl */, true /* use_ipc */,
+                                (char *)dfs_req, dfs_req_size,
+                                (char **)&dfs_rsp, &dfs_rsp_size);
+                if (rc == -ENOTCONN) {
+                        /* try with normal tcon */
+                        rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
+                                        FSCTL_DFS_GET_REFERRALS,
+                                        true /* is_fsctl */, false /*use_ipc*/,
+                                        (char *)dfs_req, dfs_req_size,
+                                        (char **)&dfs_rsp, &dfs_rsp_size);
+                }
+        } while (rc == -EAGAIN);
+
+        if (rc) {
+                cifs_dbg(VFS, "ioctl error in smb2_get_dfs_refer rc=%d\n", rc);
+                goto out;
+        }
+
+        rc = parse_dfs_referrals(dfs_rsp, dfs_rsp_size,
+                                 num_of_nodes, target_nodes,
+                                 nls_codepage, remap, search_name,
+                                 true /* is_unicode */);
+        if (rc) {
+                cifs_dbg(VFS, "parse error in smb2_get_dfs_refer rc=%d\n", rc);
+                goto out;
+        }
+
+ out:
+        if (tcon) {
+                spin_lock(&cifs_tcp_ses_lock);
+                tcon->tc_count--;
+                spin_unlock(&cifs_tcp_ses_lock);
+        }
+        kfree(utf16_path);
+        kfree(dfs_req);
+        kfree(dfs_rsp);
+        return rc;
+}
 #define SMB2_SYMLINK_STRUCT_SIZE \
         (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
 
@@ -1220,7 +1324,8 @@ static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon,
 
         rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
                         cfile->fid.volatile_fid, FSCTL_SET_ZERO_DATA,
-                        true /* is_fctl */, (char *)&fsctl_buf,
+                        true /* is_fctl */, false /* use_ipc */,
+                        (char *)&fsctl_buf,
                         sizeof(struct file_zero_data_information), NULL, NULL);
         free_xid(xid);
         return rc;
@@ -1254,7 +1359,8 @@ static long smb3_punch_hole(struct file *file, struct cifs_tcon *tcon,
 
         rc = SMB2_ioctl(xid, tcon, cfile->fid.persistent_fid,
                         cfile->fid.volatile_fid, FSCTL_SET_ZERO_DATA,
-                        true /* is_fctl */, (char *)&fsctl_buf,
+                        true /* is_fctl */, false /* use_ipc */,
+                        (char *)&fsctl_buf,
                         sizeof(struct file_zero_data_information), NULL, NULL);
         free_xid(xid);
         return rc;
@@ -1609,6 +1715,26 @@ static void cifs_crypt_complete(struct crypto_async_request *req, int err)
         complete(&res->completion);
 }
 
+static int
+smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key)
+{
+        struct cifs_ses *ses;
+        u8 *ses_enc_key;
+
+        spin_lock(&cifs_tcp_ses_lock);
+        list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+                if (ses->Suid != ses_id)
+                        continue;
+                ses_enc_key = enc ? ses->smb3encryptionkey :
+                                                        ses->smb3decryptionkey;
+                memcpy(key, ses_enc_key, SMB3_SIGN_KEY_SIZE);
+                spin_unlock(&cifs_tcp_ses_lock);
+                return 0;
+        }
+        spin_unlock(&cifs_tcp_ses_lock);
+
+        return 1;
+}
 /*
  * Encrypt or decrypt @rqst message. @rqst has the following format:
  * iov[0] - transform header (associate data),
@@ -1622,10 +1748,10 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
         struct smb2_transform_hdr *tr_hdr =
                         (struct smb2_transform_hdr *)rqst->rq_iov[0].iov_base;
         unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 24;
-        struct cifs_ses *ses;
         int rc = 0;
         struct scatterlist *sg;
         u8 sign[SMB2_SIGNATURE_SIZE] = {};
+        u8 key[SMB3_SIGN_KEY_SIZE];
         struct aead_request *req;
         char *iv;
         unsigned int iv_len;
@@ -1635,9 +1761,10 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 
         init_completion(&result.completion);
 
-        ses = smb2_find_smb_ses(server, tr_hdr->SessionId);
-        if (!ses) {
-                cifs_dbg(VFS, "%s: Could not find session\n", __func__);
+        rc = smb2_get_enc_key(server, tr_hdr->SessionId, enc, key);
+        if (rc) {
+                cifs_dbg(VFS, "%s: Could not get %scryption key\n", __func__,
+                         enc ? "en" : "de");
                 return 0;
         }
 
@@ -1649,8 +1776,7 @@ crypt_message(struct TCP_Server_Info *server, struct smb_rqst *rqst, int enc)
 
         tfm = enc ? server->secmech.ccmaesencrypt :
                                                 server->secmech.ccmaesdecrypt;
-        rc = crypto_aead_setkey(tfm, enc ? ses->smb3encryptionkey :
-                                ses->smb3decryptionkey, SMB3_SIGN_KEY_SIZE);
+        rc = crypto_aead_setkey(tfm, key, SMB3_SIGN_KEY_SIZE);
         if (rc) {
                 cifs_dbg(VFS, "%s: Failed to set aead key %d\n", __func__, rc);
                 return rc;
@@ -2254,6 +2380,8 @@ struct smb_version_operations smb20_operations = {
         .clone_range = smb2_clone_range,
         .wp_retry_size = smb2_wp_retry_size,
         .dir_needs_close = smb2_dir_needs_close,
+        .get_dfs_refer = smb2_get_dfs_refer,
+        .select_sectype = smb2_select_sectype,
 };
 
 struct smb_version_operations smb21_operations = {
@@ -2335,6 +2463,8 @@ struct smb_version_operations smb21_operations = {
         .wp_retry_size = smb2_wp_retry_size,
         .dir_needs_close = smb2_dir_needs_close,
         .enum_snapshots = smb3_enum_snapshots,
+        .get_dfs_refer = smb2_get_dfs_refer,
+        .select_sectype = smb2_select_sectype,
 };
 
 struct smb_version_operations smb30_operations = {
@@ -2426,6 +2556,8 @@ struct smb_version_operations smb30_operations = {
         .free_transform_rq = smb3_free_transform_rq,
         .is_transform_hdr = smb3_is_transform_hdr,
         .receive_transform = smb3_receive_transform,
+        .get_dfs_refer = smb2_get_dfs_refer,
+        .select_sectype = smb2_select_sectype,
 };
 
 #ifdef CONFIG_CIFS_SMB311
@@ -2518,6 +2650,8 @@ struct smb_version_operations smb311_operations = {
         .free_transform_rq = smb3_free_transform_rq,
         .is_transform_hdr = smb3_is_transform_hdr,
         .receive_transform = smb3_receive_transform,
+        .get_dfs_refer = smb2_get_dfs_refer,
+        .select_sectype = smb2_select_sectype,
 };
 #endif /* CIFS_SMB311 */
 
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index ad83b3db2840..7446496850a3 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -620,6 +620,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 
         rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
                 FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
+                false /* use_ipc */,
                 (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
                 (char **)&pneg_rsp, &rsplen);
 
@@ -656,6 +657,28 @@ vneg_out:
         return -EIO;
 }
 
+enum securityEnum
+smb2_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
+{
+        switch (requested) {
+        case Kerberos:
+        case RawNTLMSSP:
+                return requested;
+        case NTLMv2:
+                return RawNTLMSSP;
+        case Unspecified:
+                if (server->sec_ntlmssp &&
+                        (global_secflags & CIFSSEC_MAY_NTLMSSP))
+                        return RawNTLMSSP;
+                if ((server->sec_kerberos || server->sec_mskerberos) &&
+                        (global_secflags & CIFSSEC_MAY_KRB5))
+                        return Kerberos;
+                /* Fallthrough */
+        default:
+                return Unspecified;
+        }
+}
+
 struct SMB2_sess_data {
         unsigned int xid;
         struct cifs_ses *ses;
@@ -1008,10 +1031,17 @@ out:
 static int
 SMB2_select_sec(struct cifs_ses *ses, struct SMB2_sess_data *sess_data)
 {
-        if (ses->sectype != Kerberos && ses->sectype != RawNTLMSSP)
-                ses->sectype = RawNTLMSSP;
+        int type;
+
+        type = smb2_select_sectype(ses->server, ses->sectype);
+        cifs_dbg(FYI, "sess setup type %d\n", type);
+        if (type == Unspecified) {
+                cifs_dbg(VFS,
+                        "Unable to select appropriate authentication method!");
+                return -EINVAL;
+        }
 
-        switch (ses->sectype) {
+        switch (type) {
         case Kerberos:
                 sess_data->func = SMB2_auth_kerberos;
                 break;
@@ -1019,7 +1049,7 @@ SMB2_select_sec(struct cifs_ses *ses, struct SMB2_sess_data *sess_data)
                 sess_data->func = SMB2_sess_auth_rawntlmssp_negotiate;
                 break;
         default:
-                cifs_dbg(VFS, "secType %d not supported!\n", ses->sectype);
+                cifs_dbg(VFS, "secType %d not supported!\n", type);
                 return -EOPNOTSUPP;
         }
 
@@ -1167,8 +1197,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
 
                 /* since no tcon, smb2_init can not do this, so do here */
                 req->hdr.sync_hdr.SessionId = ses->Suid;
-                /* if (ses->server->sec_mode & SECMODE_SIGN_REQUIRED)
-                        req->hdr.Flags |= SMB2_FLAGS_SIGNED; */
+                if (ses->server->sign)
+                        req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
         } else if (encryption_required(tcon))
                 flags |= CIFS_TRANSFORM_REQ;
 
@@ -1527,6 +1557,51 @@ add_durable_context(struct kvec *iov, unsigned int *num_iovec,
         return 0;
 }
 
+static int
+alloc_path_with_tree_prefix(__le16 **out_path, int *out_size, int *out_len,
+                            const char *treename, const __le16 *path)
+{
+        int treename_len, path_len;
+        struct nls_table *cp;
+        const __le16 sep[] = {cpu_to_le16('\\'), cpu_to_le16(0x0000)};
+
+        /*
+         * skip leading "\\"
+         */
+        treename_len = strlen(treename);
+        if (treename_len < 2 || !(treename[0] == '\\' && treename[1] == '\\'))
+                return -EINVAL;
+
+        treename += 2;
+        treename_len -= 2;
+
+        path_len = UniStrnlen((wchar_t *)path, PATH_MAX);
+
+        /*
+         * make room for one path separator between the treename and
+         * path
+         */
+        *out_len = treename_len + 1 + path_len;
+
+        /*
+         * final path needs to be null-terminated UTF16 with a
+         * size aligned to 8
+         */
+
+        *out_size = roundup((*out_len+1)*2, 8);
+        *out_path = kzalloc(*out_size, GFP_KERNEL);
+        if (!*out_path)
+                return -ENOMEM;
+
+        cp = load_nls_default();
+        cifs_strtoUTF16(*out_path, treename, treename_len, cp);
+        UniStrcat(*out_path, sep);
+        UniStrcat(*out_path, path);
+        unload_nls(cp);
+
+        return 0;
+}
+
 int
 SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
           __u8 *oplock, struct smb2_file_all_info *buf,
@@ -1575,30 +1650,49 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
         req->ShareAccess = FILE_SHARE_ALL_LE;
         req->CreateDisposition = cpu_to_le32(oparms->disposition);
         req->CreateOptions = cpu_to_le32(oparms->create_options & CREATE_OPTIONS_MASK);
-        uni_path_len = (2 * UniStrnlen((wchar_t *)path, PATH_MAX)) + 2;
-        /* do not count rfc1001 len field */
-        req->NameOffset = cpu_to_le16(sizeof(struct smb2_create_req) - 4);
 
         iov[0].iov_base = (char *)req;
         /* 4 for rfc1002 length field */
         iov[0].iov_len = get_rfc1002_length(req) + 4;
-
-        /* MUST set path len (NameLength) to 0 opening root of share */
-        req->NameLength = cpu_to_le16(uni_path_len - 2);
         /* -1 since last byte is buf[0] which is sent below (path) */
         iov[0].iov_len--;
-        if (uni_path_len % 8 != 0) {
-                copy_size = uni_path_len / 8 * 8;
-                if (copy_size < uni_path_len)
-                        copy_size += 8;
-
-                copy_path = kzalloc(copy_size, GFP_KERNEL);
-                if (!copy_path)
-                        return -ENOMEM;
-                memcpy((char *)copy_path, (const char *)path,
-                        uni_path_len);
+
+        req->NameOffset = cpu_to_le16(sizeof(struct smb2_create_req) - 4);
+
+        /* [MS-SMB2] 2.2.13 NameOffset:
+         * If SMB2_FLAGS_DFS_OPERATIONS is set in the Flags field of
+         * the SMB2 header, the file name includes a prefix that will
+         * be processed during DFS name normalization as specified in
+         * section 3.3.5.9. Otherwise, the file name is relative to
+         * the share that is identified by the TreeId in the SMB2
+         * header.
+         */
+        if (tcon->share_flags & SHI1005_FLAGS_DFS) {
+                int name_len;
+
+                req->hdr.sync_hdr.Flags |= SMB2_FLAGS_DFS_OPERATIONS;
+                rc = alloc_path_with_tree_prefix(&copy_path, &copy_size,
+                                                 &name_len,
+                                                 tcon->treeName, path);
+                if (rc)
+                        return rc;
+                req->NameLength = cpu_to_le16(name_len * 2);
                 uni_path_len = copy_size;
                 path = copy_path;
+        } else {
+                uni_path_len = (2 * UniStrnlen((wchar_t *)path, PATH_MAX)) + 2;
+                /* MUST set path len (NameLength) to 0 opening root of share */
+                req->NameLength = cpu_to_le16(uni_path_len - 2);
+                if (uni_path_len % 8 != 0) {
+                        copy_size = roundup(uni_path_len, 8);
+                        copy_path = kzalloc(copy_size, GFP_KERNEL);
+                        if (!copy_path)
+                                return -ENOMEM;
+                        memcpy((char *)copy_path, (const char *)path,
+                               uni_path_len);
+                        uni_path_len = copy_size;
+                        path = copy_path;
+                }
         }
 
         iov[1].iov_len = uni_path_len;
@@ -1683,8 +1777,9 @@ creat_exit:
  */
 int
 SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
-           u64 volatile_fid, u32 opcode, bool is_fsctl, char *in_data,
-           u32 indatalen, char **out_data, u32 *plen /* returned data len */)
+           u64 volatile_fid, u32 opcode, bool is_fsctl, bool use_ipc,
+           char *in_data, u32 indatalen,
+           char **out_data, u32 *plen /* returned data len */)
 {
         struct smb2_ioctl_req *req;
         struct smb2_ioctl_rsp *rsp;
@@ -1721,6 +1816,16 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
         if (rc)
                 return rc;
 
+        if (use_ipc) {
+                if (ses->ipc_tid == 0) {
+                        cifs_small_buf_release(req);
+                        return -ENOTCONN;
+                }
+
+                cifs_dbg(FYI, "replacing tid 0x%x with IPC tid 0x%x\n",
+                         req->hdr.sync_hdr.TreeId, ses->ipc_tid);
+                req->hdr.sync_hdr.TreeId = ses->ipc_tid;
+        }
         if (encryption_required(tcon))
                 flags |= CIFS_TRANSFORM_REQ;
 
@@ -1843,6 +1948,7 @@ SMB2_set_compression(const unsigned int xid, struct cifs_tcon *tcon,
 
         rc = SMB2_ioctl(xid, tcon, persistent_fid, volatile_fid,
                         FSCTL_SET_COMPRESSION, true /* is_fsctl */,
+                        false /* use_ipc */,
                         (char *)&fsctl_input /* data input */,
                         2 /* in data len */, &ret_data /* out data */, NULL);
 
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index c03b252501a1..18700fd25a0b 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -695,6 +695,14 @@ struct fsctl_get_integrity_information_rsp {
 /* Integrity flags for above */
 #define FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF   0x00000001
 
+/* See MS-DFSC 2.2.2 */
+struct fsctl_get_dfs_referral_req {
+        __le16 MaxReferralLevel;
+        __u8 RequestFileName[];
+} __packed;
+
+/* DFS response is struct get_dfs_refer_rsp */
+
 /* See MS-SMB2 2.2.31.3 */
 struct network_resiliency_req {
         __le32 Timeout;
diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
index 85fc7a789334..69e35873b1de 100644
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -121,7 +121,8 @@ extern int SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms,
                      struct smb2_err_rsp **err_buf);
 extern int SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon,
                      u64 persistent_fid, u64 volatile_fid, u32 opcode,
-                     bool is_fsctl, char *in_data, u32 indatalen,
+                     bool is_fsctl, bool use_ipc,
+                     char *in_data, u32 indatalen,
                      char **out_data, u32 *plen /* returned data len */);
 extern int SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
                       u64 persistent_file_id, u64 volatile_file_id);
@@ -180,4 +181,6 @@ extern int SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
                             __u8 *lease_key, const __le32 lease_state);
 extern int smb3_validate_negotiate(const unsigned int, struct cifs_tcon *);
 
+extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *,
+                                        enum securityEnum);
 #endif                  /* _SMB2PROTO_H */