7 files changed, 43 insertions, 25 deletions
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 1e7636b145a8..beeebf194234 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -372,6 +372,10 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
                                GFP_KERNEL);
+                if (!ppace) {
+                        cERROR(1, "DACL memory allocation error");
+                        return;
+                }
                for (i = 0; i < num_aces; ++i) {
                        ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 46c66ed01af4..904aa47e3515 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -136,9 +136,6 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
                }
        }
-        if (ses->status == CifsExiting)
-                return -EIO;
        /*
         * Give demultiplex thread up to 10 seconds to reconnect, should be
         * greater than cifs socket timeout which is 7 seconds
@@ -156,7 +153,7 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
                 * retrying until process is killed or server comes
                 * back on-line
                 */
-                if (!tcon->retry || ses->status == CifsExiting) {
+                if (!tcon->retry) {
                        cFYI(1, "gave up waiting on reconnect in smb_init");
                        return -EHOSTDOWN;
                }
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 47d8ff623683..257b6d895e20 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -337,8 +337,12 @@ cifs_echo_request(struct work_struct *work)
        struct TCP_Server_Info *server = container_of(work,
                                        struct TCP_Server_Info, echo.work);
-        /* no need to ping if we got a response recently */
+        /*
-        if (time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
+         * We cannot send an echo until the NEGOTIATE_PROTOCOL request is done.
+         * Also, no need to ping if we got a response recently
+         */
+        if (server->tcpStatus != CifsGood ||
+            time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
                goto requeue_echo;
        rc = CIFSSMBEcho(server);
@@ -578,12 +582,12 @@ incomplete_rcv:
                else if (reconnect == 1)
                        continue;
-                length += 4; /* account for rfc1002 hdr */
+                total_read += 4; /* account for rfc1002 hdr */
+                dump_smb(smb_buffer, total_read);
-                dump_smb(smb_buffer, length);
+                if (checkSMB(smb_buffer, smb_buffer->Mid, total_read)) {
-                if (checkSMB(smb_buffer, smb_buffer->Mid, total_read+4)) {
+                        cifs_dump_mem("Bad SMB: ", smb_buffer,
-                        cifs_dump_mem("Bad SMB: ", smb_buffer, 48);
+                                        total_read < 48 ? total_read : 48);
                        continue;
                }
@@ -633,11 +637,11 @@ incomplete_rcv:
                                mid_entry->largeBuf = isLargeBuf;
 multi_t2_fnd:
                                mid_entry->midState = MID_RESPONSE_RECEIVED;
-                                list_del_init(&mid_entry->qhead);
-                                mid_entry->callback(mid_entry);
 #ifdef CONFIG_CIFS_STATS2
                                mid_entry->when_received = jiffies;
 #endif
+                                list_del_init(&mid_entry->qhead);
+                                mid_entry->callback(mid_entry);
                                break;
                        }
                        mid_entry = NULL;
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 74c0a282d012..e964b1cd5dd0 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1662,10 +1662,10 @@ static ssize_t
 cifs_iovec_write(struct file *file, const struct iovec *iov,
                 unsigned long nr_segs, loff_t *poffset)
 {
-        size_t total_written = 0;
+        unsigned int written;
-        unsigned int written = 0;
+        unsigned long num_pages, npages, i;
-        unsigned long num_pages, npages;
+        size_t copied, len, cur_len;
-        size_t copied, len, cur_len, i;
+        ssize_t total_written = 0;
        struct kvec *to_send;
        struct page **pages;
        struct iov_iter it;
@@ -1821,7 +1821,8 @@ cifs_iovec_read(struct file *file, const struct iovec *iov,
 {
        int rc;
        int xid;
-        unsigned int total_read, bytes_read = 0;
+        ssize_t total_read;
+        unsigned int bytes_read = 0;
        size_t len, cur_len;
        int iov_offset = 0;
        struct cifs_sb_info *cifs_sb;
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index b8c5e2eb43d0..fbc5aace54b1 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -359,6 +359,10 @@ cifs_call_async(struct TCP_Server_Info *server, struct smb_hdr *in_buf,
        if (rc)
                return rc;
+        /* enable signing if server requires it */
+        if (server->secMode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
+                in_buf->Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
        mutex_lock(&server->srv_mutex);
        mid = AllocMidQEntry(in_buf, server);
        if (mid == NULL) {
diff --git a/kernel/cred.c b/kernel/cred.c
index 6a1aa004e376..3a9d6dd53a6c 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void)
 #endif
        atomic_set(&new->usage, 1);
+#ifdef CONFIG_DEBUG_CREDENTIALS
+        new->magic = CRED_MAGIC;
+#endif
        if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
                goto error;
-#ifdef CONFIG_DEBUG_CREDENTIALS
-        new->magic = CRED_MAGIC;
-#endif
        return new;
 error:
@@ -657,6 +657,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
        validate_creds(old);
        *new = *old;
+        atomic_set(&new->usage, 1);
+        set_cred_subscribers(new, 0);
        get_uid(new->user);
        get_group_info(new->group_info);
@@ -674,8 +676,6 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
        if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
                goto error;
-        atomic_set(&new->usage, 1);
-        set_cred_subscribers(new, 0);
        put_cred(old);
        validate_creds(new);
        return new;
@@ -748,7 +748,11 @@ bool creds_are_invalid(const struct cred *cred)
        if (cred->magic != CRED_MAGIC)
                return true;
 #ifdef CONFIG_SECURITY_SELINUX
-        if (selinux_is_enabled()) {
+        /*
+         * cred->security == NULL if security_cred_alloc_blank() or
+         * security_prepare_creds() returned an error.
+         */
+        if (selinux_is_enabled() && cred->security) {
                if ((unsigned long) cred->security < PAGE_SIZE)
                        return true;
                if ((*(u32 *)cred->security & 0xffffff00) ==
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e276eb468536..c8d699270687 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3198,7 +3198,11 @@ static void selinux_cred_free(struct cred *cred)
 {
        struct task_security_struct *tsec = cred->security;
-        BUG_ON((unsigned long) cred->security < PAGE_SIZE);
+        /*
+         * cred->security == NULL if security_cred_alloc_blank() or
+         * security_prepare_creds() returned an error.
+         */
+        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
        cred->security = (void *) 0x7UL;
        kfree(tsec);
 }

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index 1e7636b145a8..beeebf194234 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c
@@ -372,6 +372,10 @@ static void parse_dacl(struct cifs_acl pdacl, char end_of_acl,
372		372
373	ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),	373	ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
374	GFP_KERNEL);	374	GFP_KERNEL);
		375	if (!ppace) {
		376	cERROR(1, "DACL memory allocation error");
		377	return;
		378	}
375		379
376	for (i = 0; i < num_aces; ++i) {	380	for (i = 0; i < num_aces; ++i) {
377	ppace[i] = (struct cifs_ace *) (acl_base + acl_size);	381	ppace[i] = (struct cifs_ace *) (acl_base + acl_size);


diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 46c66ed01af4..904aa47e3515 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c
@@ -136,9 +136,6 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
136	}	136	}
137	}	137	}
138		138
139	if (ses->status == CifsExiting)
140	return -EIO;
141
142	/*	139	/*
143	* Give demultiplex thread up to 10 seconds to reconnect, should be	140	* Give demultiplex thread up to 10 seconds to reconnect, should be
144	* greater than cifs socket timeout which is 7 seconds	141	* greater than cifs socket timeout which is 7 seconds
@@ -156,7 +153,7 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
156	* retrying until process is killed or server comes	153	* retrying until process is killed or server comes
157	* back on-line	154	* back on-line
158	*/	155	*/
159	if (!tcon->retry \|\| ses->status == CifsExiting) {	156	if (!tcon->retry) {
160	cFYI(1, "gave up waiting on reconnect in smb_init");	157	cFYI(1, "gave up waiting on reconnect in smb_init");
161	return -EHOSTDOWN;	158	return -EHOSTDOWN;
162	}	159	}


diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 47d8ff623683..257b6d895e20 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -337,8 +337,12 @@ cifs_echo_request(struct work_struct *work)
337	struct TCP_Server_Info *server = container_of(work,	337	struct TCP_Server_Info *server = container_of(work,
338	struct TCP_Server_Info, echo.work);	338	struct TCP_Server_Info, echo.work);
339		339
340	/* no need to ping if we got a response recently */	340	/*
341	if (time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))	341	* We cannot send an echo until the NEGOTIATE_PROTOCOL request is done.
		342	* Also, no need to ping if we got a response recently
		343	*/
		344	if (server->tcpStatus != CifsGood \|\|
		345	time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
342	goto requeue_echo;	346	goto requeue_echo;
343		347
344	rc = CIFSSMBEcho(server);	348	rc = CIFSSMBEcho(server);
@@ -578,12 +582,12 @@ incomplete_rcv:
578	else if (reconnect == 1)	582	else if (reconnect == 1)
579	continue;	583	continue;
580		584
581	length += 4; /* account for rfc1002 hdr */	585	total_read += 4; /* account for rfc1002 hdr */
582		586
583		587	dump_smb(smb_buffer, total_read);
584	dump_smb(smb_buffer, length);	588	if (checkSMB(smb_buffer, smb_buffer->Mid, total_read)) {
585	if (checkSMB(smb_buffer, smb_buffer->Mid, total_read+4)) {	589	cifs_dump_mem("Bad SMB: ", smb_buffer,
586	cifs_dump_mem("Bad SMB: ", smb_buffer, 48);	590	total_read < 48 ? total_read : 48);
587	continue;	591	continue;
588	}	592	}
589		593
@@ -633,11 +637,11 @@ incomplete_rcv:
633	mid_entry->largeBuf = isLargeBuf;	637	mid_entry->largeBuf = isLargeBuf;
634	multi_t2_fnd:	638	multi_t2_fnd:
635	mid_entry->midState = MID_RESPONSE_RECEIVED;	639	mid_entry->midState = MID_RESPONSE_RECEIVED;
636	list_del_init(&mid_entry->qhead);
637	mid_entry->callback(mid_entry);
638	#ifdef CONFIG_CIFS_STATS2	640	#ifdef CONFIG_CIFS_STATS2
639	mid_entry->when_received = jiffies;	641	mid_entry->when_received = jiffies;
640	#endif	642	#endif
		643	list_del_init(&mid_entry->qhead);
		644	mid_entry->callback(mid_entry);
641	break;	645	break;
642	}	646	}
643	mid_entry = NULL;	647	mid_entry = NULL;


diff --git a/fs/cifs/file.c b/fs/cifs/file.c index 74c0a282d012..e964b1cd5dd0 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c
@@ -1662,10 +1662,10 @@ static ssize_t
1662	cifs_iovec_write(struct file file, const struct iovec iov,	1662	cifs_iovec_write(struct file file, const struct iovec iov,
1663	unsigned long nr_segs, loff_t *poffset)	1663	unsigned long nr_segs, loff_t *poffset)
1664	{	1664	{
1665	size_t total_written = 0;	1665	unsigned int written;
1666	unsigned int written = 0;	1666	unsigned long num_pages, npages, i;
1667	unsigned long num_pages, npages;	1667	size_t copied, len, cur_len;
1668	size_t copied, len, cur_len, i;	1668	ssize_t total_written = 0;
1669	struct kvec *to_send;	1669	struct kvec *to_send;
1670	struct page **pages;	1670	struct page **pages;
1671	struct iov_iter it;	1671	struct iov_iter it;
@@ -1821,7 +1821,8 @@ cifs_iovec_read(struct file file, const struct iovec iov,
1821	{	1821	{
1822	int rc;	1822	int rc;
1823	int xid;	1823	int xid;
1824	unsigned int total_read, bytes_read = 0;	1824	ssize_t total_read;
		1825	unsigned int bytes_read = 0;
1825	size_t len, cur_len;	1826	size_t len, cur_len;
1826	int iov_offset = 0;	1827	int iov_offset = 0;
1827	struct cifs_sb_info *cifs_sb;	1828	struct cifs_sb_info *cifs_sb;


diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index b8c5e2eb43d0..fbc5aace54b1 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c
@@ -359,6 +359,10 @@ cifs_call_async(struct TCP_Server_Info server, struct smb_hdr in_buf,
359	if (rc)	359	if (rc)
360	return rc;	360	return rc;
361		361
		362	/* enable signing if server requires it */
		363	if (server->secMode & (SECMODE_SIGN_REQUIRED \| SECMODE_SIGN_ENABLED))
		364	in_buf->Flags2 \|= SMBFLG2_SECURITY_SIGNATURE;
		365
362	mutex_lock(&server->srv_mutex);	366	mutex_lock(&server->srv_mutex);
363	mid = AllocMidQEntry(in_buf, server);	367	mid = AllocMidQEntry(in_buf, server);
364	if (mid == NULL) {	368	if (mid == NULL) {


diff --git a/kernel/cred.c b/kernel/cred.c index 6a1aa004e376..3a9d6dd53a6c 100644 --- a/kernel/cred.c +++ b/kernel/cred.c
@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void)
252	#endif	252	#endif
253		253
254	atomic_set(&new->usage, 1);	254	atomic_set(&new->usage, 1);
		255	#ifdef CONFIG_DEBUG_CREDENTIALS
		256	new->magic = CRED_MAGIC;
		257	#endif
255		258
256	if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)	259	if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
257	goto error;	260	goto error;
258		261
259	#ifdef CONFIG_DEBUG_CREDENTIALS
260	new->magic = CRED_MAGIC;
261	#endif
262	return new;	262	return new;
263		263
264	error:	264	error:
@@ -657,6 +657,8 @@ struct cred prepare_kernel_cred(struct task_struct daemon)
657	validate_creds(old);	657	validate_creds(old);
658		658
659	new = old;	659	new = old;
		660	atomic_set(&new->usage, 1);
		661	set_cred_subscribers(new, 0);
660	get_uid(new->user);	662	get_uid(new->user);
661	get_group_info(new->group_info);	663	get_group_info(new->group_info);
662		664
@@ -674,8 +676,6 @@ struct cred prepare_kernel_cred(struct task_struct daemon)
674	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)	676	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
675	goto error;	677	goto error;
676		678
677	atomic_set(&new->usage, 1);
678	set_cred_subscribers(new, 0);
679	put_cred(old);	679	put_cred(old);
680	validate_creds(new);	680	validate_creds(new);
681	return new;	681	return new;
@@ -748,7 +748,11 @@ bool creds_are_invalid(const struct cred *cred)
748	if (cred->magic != CRED_MAGIC)	748	if (cred->magic != CRED_MAGIC)
749	return true;	749	return true;
750	#ifdef CONFIG_SECURITY_SELINUX	750	#ifdef CONFIG_SECURITY_SELINUX
751	if (selinux_is_enabled()) {	751	/*
		752	* cred->security == NULL if security_cred_alloc_blank() or
		753	* security_prepare_creds() returned an error.
		754	*/
		755	if (selinux_is_enabled() && cred->security) {
752	if ((unsigned long) cred->security < PAGE_SIZE)	756	if ((unsigned long) cred->security < PAGE_SIZE)
753	return true;	757	return true;
754	if (((u32 )cred->security & 0xffffff00) ==	758	if (((u32 )cred->security & 0xffffff00) ==


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e276eb468536..c8d699270687 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3198,7 +3198,11 @@ static void selinux_cred_free(struct cred *cred)
3198	{	3198	{
3199	struct task_security_struct *tsec = cred->security;	3199	struct task_security_struct *tsec = cred->security;
3200		3200
3201	BUG_ON((unsigned long) cred->security < PAGE_SIZE);	3201	/*
		3202	* cred->security == NULL if security_cred_alloc_blank() or
		3203	* security_prepare_creds() returned an error.
		3204	*/
		3205	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3202	cred->security = (void *) 0x7UL;	3206	cred->security = (void *) 0x7UL;
3203	kfree(tsec);	3207	kfree(tsec);
3204	}	3208	}