35 files changed, 1560 insertions, 1601 deletions
diff --git a/fs/cifs/AUTHORS b/fs/cifs/AUTHORS
index 7f7fa3c302af..ea940b1db77b 100644
--- a/fs/cifs/AUTHORS
+++ b/fs/cifs/AUTHORS
@@ -35,7 +35,7 @@ Adrian Bunk (kcalloc cleanups)
 Miklos Szeredi 
 Kazeon team for various fixes especially for 2.4 version.
 Asser Ferno (Change Notify support)
-Shaggy (Dave Kleikamp) for inumerable small fs suggestions and some good cleanup
+Shaggy (Dave Kleikamp) for innumerable small fs suggestions and some good cleanup
 Gunter Kukkukk (testing and suggestions for support of old servers)
 Igor Mammedov (DFS support)
 Jeff Layton (many, many fixes, as well as great work on the cifs Kerberos code)
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
index ee45648b0d1a..7cb0f7f847e4 100644
--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -3,6 +3,7 @@ config CIFS
        depends on INET
        select NLS
        select CRYPTO
+        select CRYPTO_MD4
        select CRYPTO_MD5
        select CRYPTO_HMAC
        select CRYPTO_ARC4
diff --git a/fs/cifs/Makefile b/fs/cifs/Makefile
index 43b19dd39191..d87558448e3d 100644
--- a/fs/cifs/Makefile
+++ b/fs/cifs/Makefile
@@ -5,7 +5,7 @@ obj-$(CONFIG_CIFS) += cifs.o
 cifs-y := cifsfs.o cifssmb.o cifs_debug.o connect.o dir.o file.o inode.o \
          link.o misc.o netmisc.o smbdes.o smbencrypt.o transport.o asn1.o \
-          md4.o md5.o cifs_unicode.o nterr.o xattr.o cifsencrypt.o \
+          cifs_unicode.o nterr.o xattr.o cifsencrypt.o \
          readdir.o ioctl.o sess.o export.o
 cifs-$(CONFIG_CIFS_ACL) += cifsacl.o
diff --git a/fs/cifs/README b/fs/cifs/README
index 46af99ab3614..74ab165fc646 100644
--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -452,6 +452,11 @@ A partial list of the supported mount options follows:
                if oplock (caching token) is granted and held. Note that
                direct allows write operations larger than page size
                to be sent to the server.
+  strictcache   Use for switching on strict cache mode. In this mode the
+                client read from the cache all the time it has Oplock Level II,
+                otherwise - read from the server. All written data are stored
+                in the cache, but if the client doesn't have Exclusive Oplock,
+                it writes the data to the server.
  acl           Allow setfacl and getfacl to manage posix ACLs if server
                supports them.  (default)
  noacl         Do not allow setfacl and getfacl calls on this mount
@@ -680,22 +685,6 @@ LinuxExtensionsEnabled	If set to one then the client will attempt to
                        support and want to map the uid and gid fields 
                        to values supplied at mount (rather than the 
                        actual values, then set this to zero. (default 1)
-Experimental            When set to 1 used to enable certain experimental
-                        features (currently enables multipage writes
-                        when signing is enabled, the multipage write
-                        performance enhancement was disabled when
-                        signing turned on in case buffer was modified
-                        just before it was sent, also this flag will
-                        be used to use the new experimental directory change 
-                        notification code).  When set to 2 enables
-                        an additional experimental feature, "raw ntlmssp"
-                        session establishment support (which allows
-                        specifying "sec=ntlmssp" on mount). The Linux cifs
-                        module will use ntlmv2 authentication encapsulated
-                        in "raw ntlmssp" (not using SPNEGO) when
-                        "sec=ntlmssp" is specified on mount.
-                        This support also requires building cifs with
-                        the CONFIG_CIFS_EXPERIMENTAL configuration flag.
 These experimental features and tracing can be enabled by changing flags in 
 /proc/fs/cifs (after the cifs module has been installed or built into the 
diff --git a/fs/cifs/cache.c b/fs/cifs/cache.c
index e654dfd092c3..53d57a3fe427 100644
--- a/fs/cifs/cache.c
+++ b/fs/cifs/cache.c
@@ -50,7 +50,7 @@ void cifs_fscache_unregister(void)
 */
 struct cifs_server_key {
        uint16_t        family;         /* address family */
-        uint16_t        port;           /* IP port */
+        __be16          port;           /* IP port */
        union {
                struct in_addr  ipv4_addr;
                struct in6_addr ipv6_addr;
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index ede98300a8cd..30d01bc90855 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -79,11 +79,11 @@ void cifs_dump_mids(struct TCP_Server_Info *server)
        spin_lock(&GlobalMid_Lock);
        list_for_each(tmp, &server->pending_mid_q) {
                mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
-                cERROR(1, "State: %d Cmd: %d Pid: %d Tsk: %p Mid %d",
+                cERROR(1, "State: %d Cmd: %d Pid: %d Cbdata: %p Mid %d",
                        mid_entry->midState,
                        (int)mid_entry->command,
                        mid_entry->pid,
-                        mid_entry->tsk,
+                        mid_entry->callback_data,
                        mid_entry->mid);
 #ifdef CONFIG_CIFS_STATS2
                cERROR(1, "IsLarge: %d buf: %p time rcv: %ld now: %ld",
@@ -218,11 +218,11 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
                                mid_entry = list_entry(tmp3, struct mid_q_entry,
                                        qhead);
                                seq_printf(m, "\tState: %d com: %d pid:"
-                                                " %d tsk: %p mid %d\n",
+                                                " %d cbdata: %p mid %d\n",
                                                mid_entry->midState,
                                                (int)mid_entry->command,
                                                mid_entry->pid,
-                                                mid_entry->tsk,
+                                                mid_entry->callback_data,
                                                mid_entry->mid);
                        }
                        spin_unlock(&GlobalMid_Lock);
@@ -331,7 +331,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
                                atomic_read(&totSmBufAllocCount));
 #endif /* CONFIG_CIFS_STATS2 */
-        seq_printf(m, "Operations (MIDs): %d\n", midCount.counter);
+        seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
        seq_printf(m,
                "\n%d session %d share reconnects\n",
                tcpSesReconnectCount.counter, tconInfoReconnectCount.counter);
@@ -423,7 +423,6 @@ static const struct file_operations cifs_lookup_cache_proc_fops;
 static const struct file_operations traceSMB_proc_fops;
 static const struct file_operations cifs_multiuser_mount_proc_fops;
 static const struct file_operations cifs_security_flags_proc_fops;
-static const struct file_operations cifs_experimental_proc_fops;
 static const struct file_operations cifs_linux_ext_proc_fops;
 void
@@ -441,8 +440,6 @@ cifs_proc_init(void)
        proc_create("cifsFYI", 0, proc_fs_cifs, &cifsFYI_proc_fops);
        proc_create("traceSMB", 0, proc_fs_cifs, &traceSMB_proc_fops);
        proc_create("OplockEnabled", 0, proc_fs_cifs, &cifs_oplock_proc_fops);
-        proc_create("Experimental", 0, proc_fs_cifs,
-                    &cifs_experimental_proc_fops);
        proc_create("LinuxExtensionsEnabled", 0, proc_fs_cifs,
                    &cifs_linux_ext_proc_fops);
        proc_create("MultiuserMount", 0, proc_fs_cifs,
@@ -469,7 +466,6 @@ cifs_proc_clean(void)
        remove_proc_entry("OplockEnabled", proc_fs_cifs);
        remove_proc_entry("SecurityFlags", proc_fs_cifs);
        remove_proc_entry("LinuxExtensionsEnabled", proc_fs_cifs);
-        remove_proc_entry("Experimental", proc_fs_cifs);
        remove_proc_entry("LookupCacheEnabled", proc_fs_cifs);
        remove_proc_entry("fs/cifs", NULL);
 }
@@ -550,45 +546,6 @@ static const struct file_operations cifs_oplock_proc_fops = {
        .write          = cifs_oplock_proc_write,
 };
-static int cifs_experimental_proc_show(struct seq_file *m, void *v)
-{
-        seq_printf(m, "%d\n", experimEnabled);
-        return 0;
-}
-static int cifs_experimental_proc_open(struct inode *inode, struct file *file)
-{
-        return single_open(file, cifs_experimental_proc_show, NULL);
-}
-static ssize_t cifs_experimental_proc_write(struct file *file,
-                const char __user *buffer, size_t count, loff_t *ppos)
-{
-        char c;
-        int rc;
-        rc = get_user(c, buffer);
-        if (rc)
-                return rc;
-        if (c == '0' || c == 'n' || c == 'N')
-                experimEnabled = 0;
-        else if (c == '1' || c == 'y' || c == 'Y')
-                experimEnabled = 1;
-        else if (c == '2')
-                experimEnabled = 2;
-        return count;
-}
-static const struct file_operations cifs_experimental_proc_fops = {
-        .owner          = THIS_MODULE,
-        .open           = cifs_experimental_proc_open,
-        .read           = seq_read,
-        .llseek         = seq_lseek,
-        .release        = single_release,
-        .write          = cifs_experimental_proc_write,
-};
 static int cifs_linux_ext_proc_show(struct seq_file *m, void *v)
 {
        seq_printf(m, "%d\n", linuxExtEnabled);
diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index 7ed36536e754..2b68ac57d97d 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -53,7 +53,7 @@ void cifs_dfs_release_automount_timer(void)
 *
 * Extracts sharename form full UNC.
 * i.e. strips from UNC trailing path that is not part of share
- * name and fixup missing '\' in the begining of DFS node refferal
+ * name and fixup missing '\' in the beginning of DFS node refferal
 * if necessary.
 * Returns pointer to share name on success or ERR_PTR on error.
 * Caller is responsible for freeing returned string.
@@ -282,8 +282,6 @@ static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt)
        cFYI(1, "in %s", __func__);
        BUG_ON(IS_ROOT(mntpt));
-        xid = GetXid();
        /*
         * The MSDFS spec states that paths in DFS referral requests and
         * responses must be prefixed by a single '\' character instead of
@@ -293,20 +291,21 @@ static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt)
        mnt = ERR_PTR(-ENOMEM);
        full_path = build_path_from_dentry(mntpt);
        if (full_path == NULL)
-                goto free_xid;
+                goto cdda_exit;
        cifs_sb = CIFS_SB(mntpt->d_inode->i_sb);
        tlink = cifs_sb_tlink(cifs_sb);
-        mnt = ERR_PTR(-EINVAL);
        if (IS_ERR(tlink)) {
                mnt = ERR_CAST(tlink);
                goto free_full_path;
        }
        ses = tlink_tcon(tlink)->ses;
+        xid = GetXid();
        rc = get_dfs_path(xid, ses, full_path + 1, cifs_sb->local_nls,
                &num_referrals, &referrals,
                cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
+        FreeXid(xid);
        cifs_put_tlink(tlink);
@@ -339,8 +338,7 @@ success:
        free_dfs_info_array(referrals, num_referrals);
 free_full_path:
        kfree(full_path);
-free_xid:
+cdda_exit:
-        FreeXid(xid);
        cFYI(1, "leaving %s" , __func__);
        return mnt;
 }
diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h
index 7852cd677051..ac51cd2d33ae 100644
--- a/fs/cifs/cifs_fs_sb.h
+++ b/fs/cifs/cifs_fs_sb.h
@@ -40,6 +40,7 @@
 #define CIFS_MOUNT_FSCACHE      0x8000 /* local caching enabled */
 #define CIFS_MOUNT_MF_SYMLINKS  0x10000 /* Minshall+French Symlinks enabled */
 #define CIFS_MOUNT_MULTIUSER    0x20000 /* multiuser mount */
+#define CIFS_MOUNT_STRICT_IO    0x40000 /* strict cache mode */
 struct cifs_sb_info {
        struct rb_root tlink_tree;
diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
index 4dfba8283165..33d221394aca 100644
--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -113,7 +113,7 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo)
                   MAX_MECH_STR_LEN +
                   UID_KEY_LEN + (sizeof(uid_t) * 2) +
                   CREDUID_KEY_LEN + (sizeof(uid_t) * 2) +
-                   USER_KEY_LEN + strlen(sesInfo->userName) +
+                   USER_KEY_LEN + strlen(sesInfo->user_name) +
                   PID_KEY_LEN + (sizeof(pid_t) * 2) + 1;
        spnego_key = ERR_PTR(-ENOMEM);
@@ -153,7 +153,7 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo)
        sprintf(dp, ";creduid=0x%x", sesInfo->cred_uid);
        dp = description + strlen(description);
-        sprintf(dp, ";user=%s", sesInfo->userName);
+        sprintf(dp, ";user=%s", sesInfo->user_name);
        dp = description + strlen(description);
        sprintf(dp, ";pid=0x%x", current->pid);
diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
index 430f510a1720..23d43cde4306 100644
--- a/fs/cifs/cifs_unicode.c
+++ b/fs/cifs/cifs_unicode.c
@@ -44,10 +44,14 @@ cifs_ucs2_bytes(const __le16 *from, int maxbytes,
        int charlen, outlen = 0;
        int maxwords = maxbytes / 2;
        char tmp[NLS_MAX_CHARSET_SIZE];
+        __u16 ftmp;
-        for (i = 0; i < maxwords && from[i]; i++) {
+        for (i = 0; i < maxwords; i++) {
-                charlen = codepage->uni2char(le16_to_cpu(from[i]), tmp,
+                ftmp = get_unaligned_le16(&from[i]);
-                                             NLS_MAX_CHARSET_SIZE);
+                if (ftmp == 0)
+                        break;
+                charlen = codepage->uni2char(ftmp, tmp, NLS_MAX_CHARSET_SIZE);
                if (charlen > 0)
                        outlen += charlen;
                else
@@ -58,9 +62,9 @@ cifs_ucs2_bytes(const __le16 *from, int maxbytes,
 }
 /*
- * cifs_mapchar - convert a little-endian char to proper char in codepage
+ * cifs_mapchar - convert a host-endian char to proper char in codepage
 * @target - where converted character should be copied
- * @src_char - 2 byte little-endian source character
+ * @src_char - 2 byte host-endian source character
 * @cp - codepage to which character should be converted
 * @mapchar - should character be mapped according to mapchars mount option?
 *
@@ -69,7 +73,7 @@ cifs_ucs2_bytes(const __le16 *from, int maxbytes,
 * enough to hold the result of the conversion (at least NLS_MAX_CHARSET_SIZE).
 */
 static int
-cifs_mapchar(char *target, const __le16 src_char, const struct nls_table *cp,
+cifs_mapchar(char *target, const __u16 src_char, const struct nls_table *cp,
             bool mapchar)
 {
        int len = 1;
@@ -82,11 +86,11 @@ cifs_mapchar(char *target, const __le16 src_char, const struct nls_table *cp,
         *     build_path_from_dentry are modified, as they use slash as
         *     separator.
         */
-        switch (le16_to_cpu(src_char)) {
+        switch (src_char) {
        case UNI_COLON:
                *target = ':';
                break;
-        case UNI_ASTERIK:
+        case UNI_ASTERISK:
                *target = '*';
                break;
        case UNI_QUESTION:
@@ -109,8 +113,7 @@ out:
        return len;
 cp_convert:
-        len = cp->uni2char(le16_to_cpu(src_char), target,
+        len = cp->uni2char(src_char, target, NLS_MAX_CHARSET_SIZE);
-                           NLS_MAX_CHARSET_SIZE);
        if (len <= 0) {
                *target = '?';
                len = 1;
@@ -149,6 +152,7 @@ cifs_from_ucs2(char *to, const __le16 *from, int tolen, int fromlen,
        int nullsize = nls_nullsize(codepage);
        int fromwords = fromlen / 2;
        char tmp[NLS_MAX_CHARSET_SIZE];
+        __u16 ftmp;
        /*
         * because the chars can be of varying widths, we need to take care
@@ -158,19 +162,23 @@ cifs_from_ucs2(char *to, const __le16 *from, int tolen, int fromlen,
         */
        safelen = tolen - (NLS_MAX_CHARSET_SIZE + nullsize);
-        for (i = 0; i < fromwords && from[i]; i++) {
+        for (i = 0; i < fromwords; i++) {
+                ftmp = get_unaligned_le16(&from[i]);
+                if (ftmp == 0)
+                        break;
                /*
                 * check to see if converting this character might make the
                 * conversion bleed into the null terminator
                 */
                if (outlen >= safelen) {
-                        charlen = cifs_mapchar(tmp, from[i], codepage, mapchar);
+                        charlen = cifs_mapchar(tmp, ftmp, codepage, mapchar);
                        if ((outlen + charlen) > (tolen - nullsize))
                                break;
                }
                /* put converted char into 'to' buffer */
-                charlen = cifs_mapchar(&to[outlen], from[i], codepage, mapchar);
+                charlen = cifs_mapchar(&to[outlen], ftmp, codepage, mapchar);
                outlen += charlen;
        }
@@ -193,24 +201,21 @@ cifs_strtoUCS(__le16 *to, const char *from, int len,
 {
        int charlen;
        int i;
-        wchar_t *wchar_to = (wchar_t *)to; /* needed to quiet sparse */
+        wchar_t wchar_to; /* needed to quiet sparse */
        for (i = 0; len && *from; i++, from += charlen, len -= charlen) {
+                charlen = codepage->char2uni(from, len, &wchar_to);
-                /* works for 2.4.0 kernel or later */
-                charlen = codepage->char2uni(from, len, &wchar_to[i]);
                if (charlen < 1) {
-                        cERROR(1, "strtoUCS: char2uni of %d returned %d",
+                        cERROR(1, "strtoUCS: char2uni of 0x%x returned %d",
-                                (int)*from, charlen);
+                                *from, charlen);
                        /* A question mark */
-                        to[i] = cpu_to_le16(0x003f);
+                        wchar_to = 0x003f;
                        charlen = 1;
-                } else
+                }
-                        to[i] = cpu_to_le16(wchar_to[i]);
+                put_unaligned_le16(wchar_to, &to[i]);
        }
-        to[i] = 0;
+        put_unaligned_le16(0, &to[i]);
        return i;
 }
@@ -252,3 +257,78 @@ cifs_strndup_from_ucs(const char *src, const int maxlen, const bool is_unicode,
        return dst;
 }
+/*
+ * Convert 16 bit Unicode pathname to wire format from string in current code
+ * page. Conversion may involve remapping up the six characters that are
+ * only legal in POSIX-like OS (if they are present in the string). Path
+ * names are little endian 16 bit Unicode on the wire
+ */
+int
+cifsConvertToUCS(__le16 *target, const char *source, int srclen,
+                 const struct nls_table *cp, int mapChars)
+{
+        int i, j, charlen;
+        char src_char;
+        __le16 dst_char;
+        wchar_t tmp;
+        if (!mapChars)
+                return cifs_strtoUCS(target, source, PATH_MAX, cp);
+        for (i = 0, j = 0; i < srclen; j++) {
+                src_char = source[i];
+                switch (src_char) {
+                case 0:
+                        put_unaligned(0, &target[j]);
+                        goto ctoUCS_out;
+                case ':':
+                        dst_char = cpu_to_le16(UNI_COLON);
+                        break;
+                case '*':
+                        dst_char = cpu_to_le16(UNI_ASTERISK);
+                        break;
+                case '?':
+                        dst_char = cpu_to_le16(UNI_QUESTION);
+                        break;
+                case '<':
+                        dst_char = cpu_to_le16(UNI_LESSTHAN);
+                        break;
+                case '>':
+                        dst_char = cpu_to_le16(UNI_GRTRTHAN);
+                        break;
+                case '|':
+                        dst_char = cpu_to_le16(UNI_PIPE);
+                        break;
+                /*
+                 * FIXME: We can not handle remapping backslash (UNI_SLASH)
+                 * until all the calls to build_path_from_dentry are modified,
+                 * as they use backslash as separator.
+                 */
+                default:
+                        charlen = cp->char2uni(source + i, srclen - i, &tmp);
+                        dst_char = cpu_to_le16(tmp);
+                        /*
+                         * if no match, use question mark, which at least in
+                         * some cases serves as wild card
+                         */
+                        if (charlen < 1) {
+                                dst_char = cpu_to_le16(0x003f);
+                                charlen = 1;
+                        }
+                        /*
+                         * character may take more than one byte in the source
+                         * string, but will take exactly two bytes in the
+                         * target string
+                         */
+                        i += charlen;
+                        continue;
+                }
+                put_unaligned(dst_char, &target[j]);
+                i++; /* move to next char in source string */
+        }
+ctoUCS_out:
+        return i;
+}
diff --git a/fs/cifs/cifs_unicode.h b/fs/cifs/cifs_unicode.h
index 7fe6b52df507..644dd882a560 100644
--- a/fs/cifs/cifs_unicode.h
+++ b/fs/cifs/cifs_unicode.h
@@ -44,7 +44,7 @@
 * reserved symbols (along with \ and /), otherwise illegal to store
 * in filenames in NTFS
 */
-#define UNI_ASTERIK     (__u16) ('*' + 0xF000)
+#define UNI_ASTERISK    (__u16) ('*' + 0xF000)
 #define UNI_QUESTION    (__u16) ('?' + 0xF000)
 #define UNI_COLON       (__u16) (':' + 0xF000)
 #define UNI_GRTRTHAN    (__u16) ('>' + 0xF000)
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index a437ec391a01..beeebf194234 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -41,9 +41,12 @@ static struct cifs_wksid wksidarr[NUM_WK_SIDS] = {
 ;
-/* security id for everyone */
+/* security id for everyone/world system group */
 static const struct cifs_sid sid_everyone = {
        1, 1, {0, 0, 0, 0, 0, 1}, {0} };
+/* security id for Authenticated Users system group */
+static const struct cifs_sid sid_authusers = {
+        1, 1, {0, 0, 0, 0, 0, 5}, {11} };
 /* group users */
 static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
@@ -365,10 +368,14 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
        if (num_aces  > 0) {
                umode_t user_mask = S_IRWXU;
                umode_t group_mask = S_IRWXG;
-                umode_t other_mask = S_IRWXO;
+                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
                                GFP_KERNEL);
+                if (!ppace) {
+                        cERROR(1, "DACL memory allocation error");
+                        return;
+                }
                for (i = 0; i < num_aces; ++i) {
                        ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
@@ -390,6 +397,12 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
                                                     ppace[i]->type,
                                                     &fattr->cf_mode,
                                                     &other_mask);
+                        if (compare_sids(&(ppace[i]->sid), &sid_authusers))
+                                access_flags_to_mode(ppace[i]->access_req,
+                                                     ppace[i]->type,
+                                                     &fattr->cf_mode,
+                                                     &other_mask);
 /*                      memcpy((void *)(&(cifscred->aces[i])),
                                (void *)ppace[i],
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 66f3d50d0676..d1a016be73ba 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -24,24 +24,19 @@
 #include "cifspdu.h"
 #include "cifsglob.h"
 #include "cifs_debug.h"
-#include "md5.h"
 #include "cifs_unicode.h"
 #include "cifsproto.h"
 #include "ntlmssp.h"
 #include <linux/ctype.h>
 #include <linux/random.h>
-/* Calculate and return the CIFS signature based on the mac key and SMB PDU */
+/*
-/* the 16 byte signature must be allocated by the caller  */
+ * Calculate and return the CIFS signature based on the mac key and SMB PDU.
-/* Note we only use the 1st eight bytes */
+ * The 16 byte signature must be allocated by the caller. Note we only use the
-/* Note that the smb header signature field on input contains the
+ * 1st eight bytes and that the smb header signature field on input contains
-        sequence number before this function is called */
+ * the sequence number before this function is called. Also, this function
+ * should be called with the server->srv_mutex held.
-extern void mdfour(unsigned char *out, unsigned char *in, int n);
+ */
-extern void E_md4hash(const unsigned char *passwd, unsigned char *p16);
-extern void SMBencrypt(unsigned char *passwd, const unsigned char *c8,
-                       unsigned char *p24);
 static int cifs_calculate_signature(const struct smb_hdr *cifs_pdu,
                                struct TCP_Server_Info *server, char *signature)
 {
@@ -215,8 +210,10 @@ int cifs_verify_signature(struct smb_hdr *cifs_pdu,
                                        cpu_to_le32(expected_sequence_number);
        cifs_pdu->Signature.Sequence.Reserved = 0;
+        mutex_lock(&server->srv_mutex);
        rc = cifs_calculate_signature(cifs_pdu, server,
                what_we_think_sig_should_be);
+        mutex_unlock(&server->srv_mutex);
        if (rc)
                return rc;
@@ -234,6 +231,7 @@ int cifs_verify_signature(struct smb_hdr *cifs_pdu,
 /* first calculate 24 bytes ntlm response and then 16 byte session key */
 int setup_ntlm_response(struct cifsSesInfo *ses)
 {
+        int rc = 0;
        unsigned int temp_len = CIFS_SESS_KEY_SIZE + CIFS_AUTH_RESP_SIZE;
        char temp_key[CIFS_SESS_KEY_SIZE];
@@ -247,13 +245,26 @@ int setup_ntlm_response(struct cifsSesInfo *ses)
        }
        ses->auth_key.len = temp_len;
-        SMBNTencrypt(ses->password, ses->server->cryptkey,
+        rc = SMBNTencrypt(ses->password, ses->server->cryptkey,
                        ses->auth_key.response + CIFS_SESS_KEY_SIZE);
+        if (rc) {
+                cFYI(1, "%s Can't generate NTLM response, error: %d",
+                        __func__, rc);
+                return rc;
+        }
-        E_md4hash(ses->password, temp_key);
+        rc = E_md4hash(ses->password, temp_key);
-        mdfour(ses->auth_key.response, temp_key, CIFS_SESS_KEY_SIZE);
+        if (rc) {
+                cFYI(1, "%s Can't generate NT hash, error: %d", __func__, rc);
+                return rc;
+        }
-        return 0;
+        rc = mdfour(ses->auth_key.response, temp_key, CIFS_SESS_KEY_SIZE);
+        if (rc)
+                cFYI(1, "%s Can't generate NTLM session key, error: %d",
+                        __func__, rc);
+        return rc;
 }
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
@@ -461,15 +472,15 @@ static int calc_ntlmv2_hash(struct cifsSesInfo *ses, char *ntlmv2_hash,
                return rc;
        }
-        /* convert ses->userName to unicode and uppercase */
+        /* convert ses->user_name to unicode and uppercase */
-        len = strlen(ses->userName);
+        len = strlen(ses->user_name);
        user = kmalloc(2 + (len * 2), GFP_KERNEL);
        if (user == NULL) {
                cERROR(1, "calc_ntlmv2_hash: user mem alloc failure\n");
                rc = -ENOMEM;
                goto calc_exit_2;
        }
-        len = cifs_strtoUCS((__le16 *)user, ses->userName, len, nls_cp);
+        len = cifs_strtoUCS((__le16 *)user, ses->user_name, len, nls_cp);
        UniStrupr(user);
        crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash,
@@ -649,9 +660,10 @@ calc_seckey(struct cifsSesInfo *ses)
        get_random_bytes(sec_key, CIFS_SESS_KEY_SIZE);
        tfm_arc4 = crypto_alloc_blkcipher("ecb(arc4)", 0, CRYPTO_ALG_ASYNC);
-        if (!tfm_arc4 || IS_ERR(tfm_arc4)) {
+        if (IS_ERR(tfm_arc4)) {
+                rc = PTR_ERR(tfm_arc4);
                cERROR(1, "could not allocate crypto API arc4\n");
-                return PTR_ERR(tfm_arc4);
+                return rc;
        }
        desc.tfm = tfm_arc4;
@@ -700,14 +712,13 @@ cifs_crypto_shash_allocate(struct TCP_Server_Info *server)
        unsigned int size;
        server->secmech.hmacmd5 = crypto_alloc_shash("hmac(md5)", 0, 0);
-        if (!server->secmech.hmacmd5 ||
+        if (IS_ERR(server->secmech.hmacmd5)) {
-                        IS_ERR(server->secmech.hmacmd5)) {
                cERROR(1, "could not allocate crypto hmacmd5\n");
                return PTR_ERR(server->secmech.hmacmd5);
        }
        server->secmech.md5 = crypto_alloc_shash("md5", 0, 0);
-        if (!server->secmech.md5 || IS_ERR(server->secmech.md5)) {
+        if (IS_ERR(server->secmech.md5)) {
                cERROR(1, "could not allocate crypto md5\n");
                rc = PTR_ERR(server->secmech.md5);
                goto crypto_allocate_md5_fail;
diff --git a/fs/cifs/cifsencrypt.h b/fs/cifs/cifsencrypt.h
deleted file mode 100644
index 15d2ec006474..000000000000
--- a/fs/cifs/cifsencrypt.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- *   fs/cifs/cifsencrypt.h
- *
- *   Copyright (c) International Business Machines  Corp., 2005
- *   Author(s): Steve French (sfrench@us.ibm.com)
- *
- *   Externs for misc. small encryption routines
- *   so we do not have to put them in cifsproto.h
- *
- *   This library is free software; you can redistribute it and/or modify
- *   it under the terms of the GNU Lesser General Public License as published
- *   by the Free Software Foundation; either version 2.1 of the License, or
- *   (at your option) any later version.
- *
- *   This library is distributed in the hope that it will be useful,
- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
- *   the GNU Lesser General Public License for more details.
- *
- *   You should have received a copy of the GNU Lesser General Public License
- *   along with this library; if not, write to the Free Software
- *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-/* md4.c */
-extern void mdfour(unsigned char *out, unsigned char *in, int n);
-/* smbdes.c */
-extern void E_P16(unsigned char *p14, unsigned char *p16);
-extern void E_P24(unsigned char *p21, const unsigned char *c8,
-                  unsigned char *p24);
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index d9f652a522a6..5c412b33cd7c 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -53,7 +53,6 @@ int cifsFYI = 0;
 int cifsERROR = 1;
 int traceSMB = 0;
 unsigned int oplockEnabled = 1;
-unsigned int experimEnabled = 0;
 unsigned int linuxExtEnabled = 1;
 unsigned int lookupCacheEnabled = 1;
 unsigned int multiuser_mount = 0;
@@ -77,7 +76,11 @@ unsigned int cifs_max_pending = CIFS_MAX_REQ;
 module_param(cifs_max_pending, int, 0);
 MODULE_PARM_DESC(cifs_max_pending, "Simultaneous requests to server. "
                                   "Default: 50 Range: 2 to 256");
+unsigned short echo_retries = 5;
+module_param(echo_retries, ushort, 0644);
+MODULE_PARM_DESC(echo_retries, "Number of echo attempts before giving up and "
+                               "reconnecting server. Default: 5. 0 means "
+                               "never reconnect.");
 extern mempool_t *cifs_sm_req_poolp;
 extern mempool_t *cifs_req_poolp;
 extern mempool_t *cifs_mid_poolp;
@@ -123,6 +126,7 @@ cifs_read_super(struct super_block *sb, void *data,
                kfree(cifs_sb);
                return rc;
        }
+        cifs_sb->bdi.ra_pages = default_backing_dev_info.ra_pages;
 #ifdef CONFIG_CIFS_DFS_UPCALL
        /* copy mount params to sb for use in submounts */
@@ -405,8 +409,8 @@ cifs_show_options(struct seq_file *s, struct vfsmount *m)
        if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER)
                seq_printf(s, ",multiuser");
-        else if (tcon->ses->userName)
+        else if (tcon->ses->user_name)
-                seq_printf(s, ",username=%s", tcon->ses->userName);
+                seq_printf(s, ",username=%s", tcon->ses->user_name);
        if (tcon->ses->domainName)
                seq_printf(s, ",domain=%s", tcon->ses->domainName);
@@ -596,10 +600,17 @@ static ssize_t cifs_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
 {
        struct inode *inode = iocb->ki_filp->f_path.dentry->d_inode;
        ssize_t written;
+        int rc;
        written = generic_file_aio_write(iocb, iov, nr_segs, pos);
-        if (!CIFS_I(inode)->clientCanCacheAll)
-                filemap_fdatawrite(inode->i_mapping);
+        if (CIFS_I(inode)->clientCanCacheAll)
+                return written;
+        rc = filemap_fdatawrite(inode->i_mapping);
+        if (rc)
+                cFYI(1, "cifs_file_aio_write: %d rc on %p inode", rc, inode);
        return written;
 }
@@ -729,6 +740,25 @@ const struct file_operations cifs_file_ops = {
        .setlease = cifs_setlease,
 };
+const struct file_operations cifs_file_strict_ops = {
+        .read = do_sync_read,
+        .write = do_sync_write,
+        .aio_read = cifs_strict_readv,
+        .aio_write = cifs_strict_writev,
+        .open = cifs_open,
+        .release = cifs_close,
+        .lock = cifs_lock,
+        .fsync = cifs_strict_fsync,
+        .flush = cifs_flush,
+        .mmap = cifs_file_strict_mmap,
+        .splice_read = generic_file_splice_read,
+        .llseek = cifs_llseek,
+#ifdef CONFIG_CIFS_POSIX
+        .unlocked_ioctl = cifs_ioctl,
+#endif /* CONFIG_CIFS_POSIX */
+        .setlease = cifs_setlease,
+};
 const struct file_operations cifs_file_direct_ops = {
        /* no aio, no readv -
           BB reevaluate whether they can be done with directio, no cache */
@@ -747,6 +777,7 @@ const struct file_operations cifs_file_direct_ops = {
        .llseek = cifs_llseek,
        .setlease = cifs_setlease,
 };
 const struct file_operations cifs_file_nobrl_ops = {
        .read = do_sync_read,
        .write = do_sync_write,
@@ -765,6 +796,24 @@ const struct file_operations cifs_file_nobrl_ops = {
        .setlease = cifs_setlease,
 };
+const struct file_operations cifs_file_strict_nobrl_ops = {
+        .read = do_sync_read,
+        .write = do_sync_write,
+        .aio_read = cifs_strict_readv,
+        .aio_write = cifs_strict_writev,
+        .open = cifs_open,
+        .release = cifs_close,
+        .fsync = cifs_strict_fsync,
+        .flush = cifs_flush,
+        .mmap = cifs_file_strict_mmap,
+        .splice_read = generic_file_splice_read,
+        .llseek = cifs_llseek,
+#ifdef CONFIG_CIFS_POSIX
+        .unlocked_ioctl = cifs_ioctl,
+#endif /* CONFIG_CIFS_POSIX */
+        .setlease = cifs_setlease,
+};
 const struct file_operations cifs_file_direct_nobrl_ops = {
        /* no mmap, no aio, no readv -
           BB reevaluate whether they can be done with directio, no cache */
diff --git a/fs/cifs/cifsfs.h b/fs/cifs/cifsfs.h
index 851030f74939..a9371b6578c0 100644
--- a/fs/cifs/cifsfs.h
+++ b/fs/cifs/cifsfs.h
@@ -61,6 +61,7 @@ extern int cifs_rename(struct inode *, struct dentry *, struct inode *,
                       struct dentry *);
 extern int cifs_revalidate_file(struct file *filp);
 extern int cifs_revalidate_dentry(struct dentry *);
+extern void cifs_invalidate_mapping(struct inode *inode);
 extern int cifs_getattr(struct vfsmount *, struct dentry *, struct kstat *);
 extern int cifs_setattr(struct dentry *, struct iattr *);
@@ -72,19 +73,27 @@ extern const struct inode_operations cifs_dfs_referral_inode_operations;
 /* Functions related to files and directories */
 extern const struct file_operations cifs_file_ops;
 extern const struct file_operations cifs_file_direct_ops; /* if directio mnt */
-extern const struct file_operations cifs_file_nobrl_ops;
+extern const struct file_operations cifs_file_strict_ops; /* if strictio mnt */
-extern const struct file_operations cifs_file_direct_nobrl_ops; /* no brlocks */
+extern const struct file_operations cifs_file_nobrl_ops; /* no brlocks */
+extern const struct file_operations cifs_file_direct_nobrl_ops;
+extern const struct file_operations cifs_file_strict_nobrl_ops;
 extern int cifs_open(struct inode *inode, struct file *file);
 extern int cifs_close(struct inode *inode, struct file *file);
 extern int cifs_closedir(struct inode *inode, struct file *file);
 extern ssize_t cifs_user_read(struct file *file, char __user *read_data,
-                         size_t read_size, loff_t *poffset);
+                              size_t read_size, loff_t *poffset);
+extern ssize_t cifs_strict_readv(struct kiocb *iocb, const struct iovec *iov,
+                                 unsigned long nr_segs, loff_t pos);
 extern ssize_t cifs_user_write(struct file *file, const char __user *write_data,
-                         size_t write_size, loff_t *poffset);
+                               size_t write_size, loff_t *poffset);
+extern ssize_t cifs_strict_writev(struct kiocb *iocb, const struct iovec *iov,
+                                  unsigned long nr_segs, loff_t pos);
 extern int cifs_lock(struct file *, int, struct file_lock *);
 extern int cifs_fsync(struct file *, int);
+extern int cifs_strict_fsync(struct file *, int);
 extern int cifs_flush(struct file *, fl_owner_t id);
 extern int cifs_file_mmap(struct file * , struct vm_area_struct *);
+extern int cifs_file_strict_mmap(struct file * , struct vm_area_struct *);
 extern const struct file_operations cifs_dir_ops;
 extern int cifs_dir_open(struct inode *inode, struct file *file);
 extern int cifs_readdir(struct file *file, void *direntry, filldir_t filldir);
@@ -118,5 +127,5 @@ extern long cifs_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);
 extern const struct export_operations cifs_export_ops;
 #endif /* EXPERIMENTAL */
-#define CIFS_VERSION   "1.68"
+#define CIFS_VERSION   "1.71"
 #endif                          /* _CIFSFS_H */
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 606ca8bb7102..a5d1106fcbde 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -37,10 +37,9 @@
 #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
 #define MAX_SERVER_SIZE 15
-#define MAX_SHARE_SIZE  64      /* used to be 20, this should still be enough */
+#define MAX_SHARE_SIZE 80
-#define MAX_USERNAME_SIZE 32    /* 32 is to allow for 15 char names + null
+#define MAX_USERNAME_SIZE 256   /* reasonable maximum for current servers */
-                                   termination then *2 for unicode versions */
+#define MAX_PASSWORD_SIZE 512   /* max for windows seems to be 256 wide chars */
-#define MAX_PASSWORD_SIZE 512  /* max for windows seems to be 256 wide chars */
 #define CIFS_MIN_RCV_POOL 4
@@ -92,7 +91,8 @@ enum statusEnum {
        CifsNew = 0,
        CifsGood,
        CifsExiting,
-        CifsNeedReconnect
+        CifsNeedReconnect,
+        CifsNeedNegotiate
 };
 enum securityEnum {
@@ -161,46 +161,41 @@ struct TCP_Server_Info {
        int srv_count; /* reference counter */
        /* 15 character server name + 0x20 16th byte indicating type = srv */
        char server_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL];
+        enum statusEnum tcpStatus; /* what we think the status is */
        char *hostname; /* hostname portion of UNC string */
        struct socket *ssocket;
        struct sockaddr_storage dstaddr;
        struct sockaddr_storage srcaddr; /* locally bind to this IP */
+#ifdef CONFIG_NET_NS
+        struct net *net;
+#endif
        wait_queue_head_t response_q;
        wait_queue_head_t request_q; /* if more than maxmpx to srvr must block*/
        struct list_head pending_mid_q;
-        void *Server_NlsInfo;   /* BB - placeholder for future NLS info  */
-        unsigned short server_codepage; /* codepage for the server    */
-        enum protocolEnum protocolType;
-        char versionMajor;
-        char versionMinor;
-        bool svlocal:1;                 /* local server or remote */
        bool noblocksnd;                /* use blocking sendmsg */
        bool noautotune;                /* do not autotune send buf sizes */
        bool tcp_nodelay;
        atomic_t inFlight;  /* number of requests on the wire to server */
-#ifdef CONFIG_CIFS_STATS2
-        atomic_t inSend; /* requests trying to send */
-        atomic_t num_waiters;   /* blocked waiting to get in sendrecv */
-#endif
-        enum statusEnum tcpStatus; /* what we think the status is */
        struct mutex srv_mutex;
        struct task_struct *tsk;
        char server_GUID[16];
        char secMode;
+        bool session_estab; /* mark when very first sess is established */
+        u16 dialect; /* dialect index that server chose */
        enum securityEnum secType;
        unsigned int maxReq;    /* Clients should submit no more */
        /* than maxReq distinct unanswered SMBs to the server when using  */
        /* multiplexed reads or writes */
        unsigned int maxBuf;    /* maxBuf specifies the maximum */
        /* message size the server can send or receive for non-raw SMBs */
+        /* maxBuf is returned by SMB NegotiateProtocol so maxBuf is only 0 */
+        /* when socket is setup (and during reconnect) before NegProt sent */
        unsigned int max_rw;    /* maxRw specifies the maximum */
        /* message size the server can send or receive for */
        /* SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. */
        unsigned int max_vcs;   /* maximum number of smb sessions, at least
                                   those that can be specified uniquely with
                                   vcnumbers */
-        char sessid[4];         /* unique token id for this session */
-        /* (returned on Negotiate */
        int capabilities; /* allow selective disabling of caps by smb sess */
        int timeAdj;  /* Adjust for difference in server time zone in sec */
        __u16 CurrentMid;         /* multiplex id - rotating counter */
@@ -210,20 +205,53 @@ struct TCP_Server_Info {
        __u32 sequence_number; /* for signing, protected by srv_mutex */
        struct session_key session_key;
        unsigned long lstrp; /* when we got last response from this server */
-        u16 dialect; /* dialect index that server chose */
        struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
        /* extended security flavors that server supports */
+        bool    sec_ntlmssp;            /* supports NTLMSSP */
+        bool    sec_kerberosu2u;        /* supports U2U Kerberos */
        bool    sec_kerberos;           /* supports plain Kerberos */
        bool    sec_mskerberos;         /* supports legacy MS Kerberos */
-        bool    sec_kerberosu2u;        /* supports U2U Kerberos */
+        struct delayed_work     echo; /* echo ping workqueue job */
-        bool    sec_ntlmssp;            /* supports NTLMSSP */
-        bool session_estab; /* mark when very first sess is established */
 #ifdef CONFIG_CIFS_FSCACHE
        struct fscache_cookie   *fscache; /* client index cache cookie */
 #endif
+#ifdef CONFIG_CIFS_STATS2
+        atomic_t inSend; /* requests trying to send */
+        atomic_t num_waiters;   /* blocked waiting to get in sendrecv */
+#endif
 };
 /*
+ * Macros to allow the TCP_Server_Info->net field and related code to drop out
+ * when CONFIG_NET_NS isn't set.
+ */
+#ifdef CONFIG_NET_NS
+static inline struct net *cifs_net_ns(struct TCP_Server_Info *srv)
+{
+        return srv->net;
+}
+static inline void cifs_set_net_ns(struct TCP_Server_Info *srv, struct net *net)
+{
+        srv->net = net;
+}
+#else
+static inline struct net *cifs_net_ns(struct TCP_Server_Info *srv)
+{
+        return &init_net;
+}
+static inline void cifs_set_net_ns(struct TCP_Server_Info *srv, struct net *net)
+{
+}
+#endif
+/*
 * Session structure.  One of these for each uid session with a particular host
 */
 struct cifsSesInfo {
@@ -246,7 +274,7 @@ struct cifsSesInfo {
        int capabilities;
        char serverName[SERVER_NAME_LEN_WITH_NULL * 2]; /* BB make bigger for
                                TCP names - will ipv6 and sctp addresses fit? */
-        char userName[MAX_USERNAME_SIZE + 1];
+        char *user_name;
        char *domainName;
        char *password;
        struct session_key auth_key;
@@ -446,11 +474,11 @@ struct cifsInodeInfo {
        /* BB add in lists for dirty pages i.e. write caching info for oplock */
        struct list_head openFileList;
        __u32 cifsAttrs; /* e.g. DOS archive bit, sparse, compressed, system */
-        unsigned long time;     /* jiffies of last update/check of inode */
+        bool clientCanCacheRead;        /* read oplock */
-        bool clientCanCacheRead:1;      /* read oplock */
+        bool clientCanCacheAll;         /* read and writebehind oplock */
-        bool clientCanCacheAll:1;       /* read and writebehind oplock */
+        bool delete_pending;            /* DELETE_ON_CLOSE is set */
-        bool delete_pending:1;          /* DELETE_ON_CLOSE is set */
+        bool invalid_mapping;           /* pagecache is invalid */
-        bool invalid_mapping:1;         /* pagecache is invalid */
+        unsigned long time;             /* jiffies of last update of inode */
        u64  server_eof;                /* current file size on server */
        u64  uniqueid;                  /* server inode number */
        u64  createtime;                /* creation time on server */
@@ -508,6 +536,18 @@ static inline void cifs_stats_bytes_read(struct cifsTconInfo *tcon,
 #endif
+struct mid_q_entry;
+/*
+ * This is the prototype for the mid callback function. When creating one,
+ * take special care to avoid deadlocks. Things to bear in mind:
+ *
+ * - it will be called by cifsd
+ * - the GlobalMid_Lock will be held
+ * - the mid will be removed from the pending_mid_q list
+ */
+typedef void (mid_callback_t)(struct mid_q_entry *mid);
 /* one of these for every pending CIFS request to the server */
 struct mid_q_entry {
        struct list_head qhead; /* mids waiting on reply from this server */
@@ -519,7 +559,8 @@ struct mid_q_entry {
        unsigned long when_sent; /* time when smb send finished */
        unsigned long when_received; /* when demux complete (taken off wire) */
 #endif
-        struct task_struct *tsk;        /* task waiting for response */
+        mid_callback_t *callback; /* call completion callback */
+        void *callback_data;      /* general purpose pointer for callback */
        struct smb_hdr *resp_buf;       /* response buffer */
        int midState;   /* wish this were enum but can not pass to wait_event */
        __u8 command;   /* smb command code */
@@ -613,7 +654,7 @@ static inline void free_dfs_info_array(struct dfs_info3_param *param,
 #define   MID_REQUEST_SUBMITTED 2
 #define   MID_RESPONSE_RECEIVED 4
 #define   MID_RETRY_NEEDED      8 /* session closed while this request out */
-#define   MID_NO_RESP_NEEDED 0x10
+#define   MID_RESPONSE_MALFORMED 0x10
 /* Types of response buffer returned from SendReceive2 */
 #define   CIFS_NO_BUFFER        0    /* Response buffer not returned */
@@ -622,12 +663,9 @@ static inline void free_dfs_info_array(struct dfs_info3_param *param,
 #define   CIFS_IOVEC            4    /* array of response buffers */
 /* Type of Request to SendReceive2 */
-#define   CIFS_STD_OP           0    /* normal request timeout */
+#define   CIFS_BLOCKING_OP      1    /* operation can block */
-#define   CIFS_LONG_OP          1    /* long op (up to 45 sec, oplock time) */
+#define   CIFS_ASYNC_OP         2    /* do not wait for response */
-#define   CIFS_VLONG_OP         2    /* sloow op - can take up to 180 seconds */
+#define   CIFS_TIMEOUT_MASK 0x003    /* only one of above set in req */
-#define   CIFS_BLOCKING_OP      4    /* operation can block */
-#define   CIFS_ASYNC_OP         8    /* do not wait for response */
-#define   CIFS_TIMEOUT_MASK 0x00F    /* only one of 5 above set in req */
 #define   CIFS_LOG_ERROR    0x010    /* log NT STATUS if non-zero */
 #define   CIFS_LARGE_BUF_OP 0x020    /* large request buffer */
 #define   CIFS_NO_RESP      0x040    /* no response buffer required */
@@ -779,7 +817,6 @@ GLOBAL_EXTERN unsigned int multiuser_mount; /* if enabled allows new sessions
                                have the uid/password or Kerberos credential
                                or equivalent for current user */
 GLOBAL_EXTERN unsigned int oplockEnabled;
-GLOBAL_EXTERN unsigned int experimEnabled;
 GLOBAL_EXTERN unsigned int lookupCacheEnabled;
 GLOBAL_EXTERN unsigned int global_secflags;     /* if on, session setup sent
                                with more secure ntlmssp2 challenge/resp */
@@ -790,6 +827,9 @@ GLOBAL_EXTERN unsigned int cifs_min_rcv;    /* min size of big ntwrk buf pool */
 GLOBAL_EXTERN unsigned int cifs_min_small;  /* min size of small buf pool */
 GLOBAL_EXTERN unsigned int cifs_max_pending; /* MAX requests at once to server*/
+/* reconnect after this many failed echo attempts */
+GLOBAL_EXTERN unsigned short echo_retries;
 void cifs_oplock_break(struct work_struct *work);
 void cifs_oplock_break_get(struct cifsFileInfo *cfile);
 void cifs_oplock_break_put(struct cifsFileInfo *cfile);
diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h
index de36b09763a8..b5c8cc5d7a7f 100644
--- a/fs/cifs/cifspdu.h
+++ b/fs/cifs/cifspdu.h
@@ -23,6 +23,7 @@
 #define _CIFSPDU_H
 #include <net/sock.h>
+#include <asm/unaligned.h>
 #include "smbfsctl.h"
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
@@ -50,6 +51,7 @@
 #define SMB_COM_SETATTR               0x09 /* trivial response */
 #define SMB_COM_LOCKING_ANDX          0x24 /* trivial response */
 #define SMB_COM_COPY                  0x29 /* trivial rsp, fail filename ignrd*/
+#define SMB_COM_ECHO                  0x2B /* echo request */
 #define SMB_COM_OPEN_ANDX             0x2D /* Legacy open for old servers */
 #define SMB_COM_READ_ANDX             0x2E
 #define SMB_COM_WRITE_ANDX            0x2F
@@ -425,11 +427,49 @@ struct smb_hdr {
        __u16 Mid;
        __u8 WordCount;
 } __attribute__((packed));
-/* given a pointer to an smb_hdr retrieve the value of byte count */
-#define BCC(smb_var) (*(__u16 *)((char *)(smb_var) + sizeof(struct smb_hdr) + (2 * (smb_var)->WordCount)))
+/* given a pointer to an smb_hdr retrieve a char pointer to the byte count */
-#define BCC_LE(smb_var) (*(__le16 *)((char *)(smb_var) + sizeof(struct smb_hdr) + (2 * (smb_var)->WordCount)))
+#define BCC(smb_var) ((unsigned char *)(smb_var) + sizeof(struct smb_hdr) + \
+                         (2 * (smb_var)->WordCount))
 /* given a pointer to an smb_hdr retrieve the pointer to the byte area */
-#define pByteArea(smb_var) ((unsigned char *)(smb_var) + sizeof(struct smb_hdr) + (2 * (smb_var)->WordCount) + 2)
+#define pByteArea(smb_var) (BCC(smb_var) + 2)
+/* get the converted ByteCount for a SMB packet and return it */
+static inline __u16
+get_bcc(struct smb_hdr *hdr)
+{
+        __u16 *bc_ptr = (__u16 *)BCC(hdr);
+        return get_unaligned(bc_ptr);
+}
+/* get the unconverted ByteCount for a SMB packet and return it */
+static inline __u16
+get_bcc_le(struct smb_hdr *hdr)
+{
+        __le16 *bc_ptr = (__le16 *)BCC(hdr);
+        return get_unaligned_le16(bc_ptr);
+}
+/* set the ByteCount for a SMB packet in host-byte order */
+static inline void
+put_bcc(__u16 count, struct smb_hdr *hdr)
+{
+        __u16 *bc_ptr = (__u16 *)BCC(hdr);
+        put_unaligned(count, bc_ptr);
+}
+/* set the ByteCount for a SMB packet in little-endian */
+static inline void
+put_bcc_le(__u16 count, struct smb_hdr *hdr)
+{
+        __le16 *bc_ptr = (__le16 *)BCC(hdr);
+        put_unaligned_le16(count, bc_ptr);
+}
 /*
 * Computer Name Length (since Netbios name was length 16 with last byte 0x20)
@@ -760,6 +800,20 @@ typedef struct smb_com_tconx_rsp_ext {
 *
 */
+typedef struct smb_com_echo_req {
+        struct  smb_hdr hdr;
+        __le16  EchoCount;
+        __le16  ByteCount;
+        char    Data[1];
+} __attribute__((packed)) ECHO_REQ;
+typedef struct smb_com_echo_rsp {
+        struct  smb_hdr hdr;
+        __le16  SequenceNumber;
+        __le16  ByteCount;
+        char    Data[1];
+} __attribute__((packed)) ECHO_RSP;
 typedef struct smb_com_logoff_andx_req {
        struct smb_hdr hdr;     /* wct = 2 */
        __u8 AndXCommand;
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index e6d1481b16c1..8096f27ad9a8 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -61,6 +61,12 @@ extern char *cifs_compose_mount_options(const char *sb_mountdata,
                const char *fullpath, const struct dfs_info3_param *ref,
                char **devname);
 /* extern void renew_parental_timestamps(struct dentry *direntry);*/
+extern struct mid_q_entry *AllocMidQEntry(const struct smb_hdr *smb_buffer,
+                                        struct TCP_Server_Info *server);
+extern void DeleteMidQEntry(struct mid_q_entry *midEntry);
+extern int cifs_call_async(struct TCP_Server_Info *server,
+                           struct smb_hdr *in_buf, mid_callback_t *callback,
+                           void *cbdata);
 extern int SendReceive(const unsigned int /* xid */ , struct cifsSesInfo *,
                        struct smb_hdr * /* input */ ,
                        struct smb_hdr * /* out */ ,
@@ -79,6 +85,8 @@ extern int checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length);
 extern bool is_valid_oplock_break(struct smb_hdr *smb,
                                  struct TCP_Server_Info *);
 extern bool is_size_safe_to_change(struct cifsInodeInfo *, __u64 eof);
+extern void cifs_update_eof(struct cifsInodeInfo *cifsi, loff_t offset,
+                            unsigned int bytes_written);
 extern struct cifsFileInfo *find_writable_file(struct cifsInodeInfo *, bool);
 extern struct cifsFileInfo *find_readable_file(struct cifsInodeInfo *, bool);
 extern unsigned int smbCalcSize(struct smb_hdr *ptr);
@@ -347,12 +355,13 @@ extern int CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
                        const __u16 netfid, const __u64 len,
                        const __u64 offset, const __u32 numUnlock,
                        const __u32 numLock, const __u8 lockType,
-                        const bool waitFlag);
+                        const bool waitFlag, const __u8 oplock_level);
 extern int CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
                        const __u16 smb_file_id, const int get_flag,
                        const __u64 len, struct file_lock *,
                        const __u16 lock_type, const bool waitFlag);
 extern int CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon);
+extern int CIFSSMBEcho(struct TCP_Server_Info *server);
 extern int CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses);
 extern struct cifsSesInfo *sesInfoAlloc(void);
@@ -366,7 +375,7 @@ extern int cifs_sign_smb2(struct kvec *iov, int n_vec, struct TCP_Server_Info *,
 extern int cifs_verify_signature(struct smb_hdr *,
                                 struct TCP_Server_Info *server,
                                __u32 expected_sequence_number);
-extern void SMBNTencrypt(unsigned char *, unsigned char *, unsigned char *);
+extern int SMBNTencrypt(unsigned char *, unsigned char *, unsigned char *);
 extern int setup_ntlm_response(struct cifsSesInfo *);
 extern int setup_ntlmv2_rsp(struct cifsSesInfo *, const struct nls_table *);
 extern int cifs_crypto_shash_allocate(struct TCP_Server_Info *);
@@ -416,4 +425,11 @@ extern bool CIFSCouldBeMFSymlink(const struct cifs_fattr *fattr);
 extern int CIFSCheckMFSymlink(struct cifs_fattr *fattr,
                const unsigned char *path,
                struct cifs_sb_info *cifs_sb, int xid);
+extern int mdfour(unsigned char *, unsigned char *, int);
+extern int E_md4hash(const unsigned char *passwd, unsigned char *p16);
+extern void SMBencrypt(unsigned char *passwd, const unsigned char *c8,
+                        unsigned char *p24);
+extern void E_P16(unsigned char *p14, unsigned char *p16);
+extern void E_P24(unsigned char *p21, const unsigned char *c8,
+                        unsigned char *p24);
 #endif                  /* _CIFSPROTO_H */
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 2f6795e524d3..df959bae6728 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -136,18 +136,15 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
                }
        }
-        if (ses->status == CifsExiting)
-                return -EIO;
        /*
         * Give demultiplex thread up to 10 seconds to reconnect, should be
         * greater than cifs socket timeout which is 7 seconds
         */
        while (server->tcpStatus == CifsNeedReconnect) {
                wait_event_interruptible_timeout(server->response_q,
-                        (server->tcpStatus == CifsGood), 10 * HZ);
+                        (server->tcpStatus != CifsNeedReconnect), 10 * HZ);
-                /* is TCP session is reestablished now ?*/
+                /* are we still trying to reconnect? */
                if (server->tcpStatus != CifsNeedReconnect)
                        break;
@@ -156,7 +153,7 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
                 * retrying until process is killed or server comes
                 * back on-line
                 */
-                if (!tcon->retry || ses->status == CifsExiting) {
+                if (!tcon->retry) {
                        cFYI(1, "gave up waiting on reconnect in smb_init");
                        return -EHOSTDOWN;
                }
@@ -331,37 +328,35 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifsTconInfo *tcon,
 static int validate_t2(struct smb_t2_rsp *pSMB)
 {
-        int rc = -EINVAL;
+        unsigned int total_size;
-        int total_size;
-        char *pBCC;
+        /* check for plausible wct */
+        if (pSMB->hdr.WordCount < 10)
+                goto vt2_err;
-        /* check for plausible wct, bcc and t2 data and parm sizes */
        /* check for parm and data offset going beyond end of smb */
-        if (pSMB->hdr.WordCount >= 10) {
+        if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 ||
-                if ((le16_to_cpu(pSMB->t2_rsp.ParameterOffset) <= 1024) &&
+            get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
-                   (le16_to_cpu(pSMB->t2_rsp.DataOffset) <= 1024)) {
+                goto vt2_err;
-                        /* check that bcc is at least as big as parms + data */
-                        /* check that bcc is less than negotiated smb buffer */
+        /* check that bcc is at least as big as parms + data */
-                        total_size = le16_to_cpu(pSMB->t2_rsp.ParameterCount);
+        /* check that bcc is less than negotiated smb buffer */
-                        if (total_size < 512) {
+        total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
-                                total_size +=
+        if (total_size >= 512)
-                                        le16_to_cpu(pSMB->t2_rsp.DataCount);
+                goto vt2_err;
-                                /* BCC le converted in SendReceive */
-                                pBCC = (pSMB->hdr.WordCount * 2) +
+        total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
-                                        sizeof(struct smb_hdr) +
+        if (total_size > get_bcc(&pSMB->hdr) ||
-                                        (char *)pSMB;
+            total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
-                                if ((total_size <= (*(u16 *)pBCC)) &&
+                goto vt2_err;
-                                   (total_size <
-                                        CIFSMaxBufSize+MAX_CIFS_HDR_SIZE)) {
+        return 0;
-                                        return 0;
+vt2_err:
-                                }
-                        }
-                }
-        }
        cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
                sizeof(struct smb_t2_rsp) + 16);
-        return rc;
+        return -EINVAL;
 }
 int
 CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 {
@@ -452,7 +447,6 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
                server->maxBuf = min((__u32)le16_to_cpu(rsp->MaxBufSize),
                                (__u32)CIFSMaxBufSize + MAX_CIFS_HDR_SIZE);
                server->max_vcs = le16_to_cpu(rsp->MaxNumberVcs);
-                GETU32(server->sessid) = le32_to_cpu(rsp->SessionKey);
                /* even though we do not use raw we might as well set this
                accurately, in case we ever find a need for it */
                if ((le16_to_cpu(rsp->RawMode) & RAW_ENABLE) == RAW_ENABLE) {
@@ -566,7 +560,6 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
                        (__u32) CIFSMaxBufSize + MAX_CIFS_HDR_SIZE);
        server->max_rw = le32_to_cpu(pSMBr->MaxRawSize);
        cFYI(DBG2, "Max buf = %d", ses->server->maxBuf);
-        GETU32(ses->server->sessid) = le32_to_cpu(pSMBr->SessionKey);
        server->capabilities = le32_to_cpu(pSMBr->Capabilities);
        server->timeAdj = (int)(__s16)le16_to_cpu(pSMBr->ServerTimeZone);
        server->timeAdj *= 60;
@@ -706,6 +699,53 @@ CIFSSMBTDis(const int xid, struct cifsTconInfo *tcon)
        return rc;
 }
+/*
+ * This is a no-op for now. We're not really interested in the reply, but
+ * rather in the fact that the server sent one and that server->lstrp
+ * gets updated.
+ *
+ * FIXME: maybe we should consider checking that the reply matches request?
+ */
+static void
+cifs_echo_callback(struct mid_q_entry *mid)
+{
+        struct TCP_Server_Info *server = mid->callback_data;
+        DeleteMidQEntry(mid);
+        atomic_dec(&server->inFlight);
+        wake_up(&server->request_q);
+}
+int
+CIFSSMBEcho(struct TCP_Server_Info *server)
+{
+        ECHO_REQ *smb;
+        int rc = 0;
+        cFYI(1, "In echo request");
+        rc = small_smb_init(SMB_COM_ECHO, 0, NULL, (void **)&smb);
+        if (rc)
+                return rc;
+        /* set up echo request */
+        smb->hdr.Tid = 0xffff;
+        smb->hdr.WordCount = 1;
+        put_unaligned_le16(1, &smb->EchoCount);
+        put_bcc_le(1, &smb->hdr);
+        smb->Data[0] = 'a';
+        smb->hdr.smb_buf_length += 3;
+        rc = cifs_call_async(server, (struct smb_hdr *)smb,
+                                cifs_echo_callback, server);
+        if (rc)
+                cFYI(1, "Echo request failed: %d", rc);
+        cifs_small_buf_release(smb);
+        return rc;
+}
 int
 CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
 {
@@ -1193,7 +1233,7 @@ OldOpenRetry:
        pSMB->ByteCount = cpu_to_le16(count);
        /* long_op set to 1 to allow for oplock break timeouts */
        rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
-                        (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
+                        (struct smb_hdr *)pSMBr, &bytes_returned, 0);
        cifs_stats_inc(&tcon->num_opens);
        if (rc) {
                cFYI(1, "Error in Open = %d", rc);
@@ -1306,7 +1346,7 @@ openRetry:
        pSMB->ByteCount = cpu_to_le16(count);
        /* long_op set to 1 to allow for oplock break timeouts */
        rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
-                        (struct smb_hdr *)pSMBr, &bytes_returned, CIFS_LONG_OP);
+                        (struct smb_hdr *)pSMBr, &bytes_returned, 0);
        cifs_stats_inc(&tcon->num_opens);
        if (rc) {
                cFYI(1, "Error in Open = %d", rc);
@@ -1388,7 +1428,7 @@ CIFSSMBRead(const int xid, struct cifsTconInfo *tcon, const int netfid,
        iov[0].iov_base = (char *)pSMB;
        iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
        rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovecs */,
-                         &resp_buf_type, CIFS_STD_OP | CIFS_LOG_ERROR);
+                         &resp_buf_type, CIFS_LOG_ERROR);
        cifs_stats_inc(&tcon->num_reads);
        pSMBr = (READ_RSP *)iov[0].iov_base;
        if (rc) {
@@ -1663,7 +1703,8 @@ int
 CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
            const __u16 smb_file_id, const __u64 len,
            const __u64 offset, const __u32 numUnlock,
-            const __u32 numLock, const __u8 lockType, const bool waitFlag)
+            const __u32 numLock, const __u8 lockType,
+            const bool waitFlag, const __u8 oplock_level)
 {
        int rc = 0;
        LOCK_REQ *pSMB = NULL;
@@ -1691,6 +1732,7 @@ CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
        pSMB->NumberOfLocks = cpu_to_le16(numLock);
        pSMB->NumberOfUnlocks = cpu_to_le16(numUnlock);
        pSMB->LockType = lockType;
+        pSMB->OplockLevel = oplock_level;
        pSMB->AndXCommand = 0xFF;       /* none */
        pSMB->Fid = smb_file_id; /* netfid stays le */
@@ -1842,10 +1884,10 @@ CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
                                        __constant_cpu_to_le16(CIFS_WRLCK))
                                pLockData->fl_type = F_WRLCK;
-                        pLockData->fl_start = parm_data->start;
+                        pLockData->fl_start = le64_to_cpu(parm_data->start);
-                        pLockData->fl_end = parm_data->start +
+                        pLockData->fl_end = pLockData->fl_start +
-                                                parm_data->length - 1;
+                                        le64_to_cpu(parm_data->length) - 1;
-                        pLockData->fl_pid = parm_data->pid;
+                        pLockData->fl_pid = le32_to_cpu(parm_data->pid);
                }
        }
@@ -3087,7 +3129,7 @@ CIFSSMBGetCIFSACL(const int xid, struct cifsTconInfo *tcon, __u16 fid,
        iov[0].iov_len = pSMB->hdr.smb_buf_length + 4;
        rc = SendReceive2(xid, tcon->ses, iov, 1 /* num iovec */, &buf_type,
-                         CIFS_STD_OP);
+                         0);
        cifs_stats_inc(&tcon->num_acl_get);
        if (rc) {
                cFYI(1, "Send error in QuerySecDesc = %d", rc);
@@ -4869,7 +4911,6 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
                   __u16 fid, __u32 pid_of_opener, bool SetAllocation)
 {
        struct smb_com_transaction2_sfi_req *pSMB  = NULL;
-        char *data_offset;
        struct file_end_of_file_info *parm_data;
        int rc = 0;
        __u16 params, param_offset, offset, byte_count, count;
@@ -4893,8 +4934,6 @@ CIFSSMBSetFileSize(const int xid, struct cifsTconInfo *tcon, __u64 size,
        param_offset = offsetof(struct smb_com_transaction2_sfi_req, Fid) - 4;
        offset = param_offset + params;
-        data_offset = (char *) (&pSMB->hdr.Protocol) + offset;
        count = sizeof(struct file_end_of_file_info);
        pSMB->MaxParameterCount = cpu_to_le16(2);
        /* BB find exact max SMB PDU from sess structure BB */
@@ -5208,7 +5247,7 @@ cifs_fill_unix_set_info(FILE_UNIX_BASIC_INFO *data_offset,
         * Samba server ignores set of file size to zero due to bugs in some
         * older clients, but we should be precise - we use SetFileSize to
         * set file size and do not want to truncate file size to zero
-         * accidently as happened on one Samba server beta by putting
+         * accidentally as happened on one Samba server beta by putting
         * zero instead of -1 here
         */
        data_offset->EndOfFile = cpu_to_le64(NO_CHANGE_64);
@@ -5562,7 +5601,7 @@ QAllEAsRetry:
        }
        /* make sure list_len doesn't go past end of SMB */
-        end_of_smb = (char *)pByteArea(&pSMBr->hdr) + BCC(&pSMBr->hdr);
+        end_of_smb = (char *)pByteArea(&pSMBr->hdr) + get_bcc(&pSMBr->hdr);
        if ((char *)ea_response_data + list_len > end_of_smb) {
                cFYI(1, "EA list appears to go beyond SMB");
                rc = -EIO;
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index a65d311d163a..db9d55b507d0 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -52,8 +52,8 @@
 #define CIFS_PORT 445
 #define RFC1001_PORT 139
-extern void SMBNTencrypt(unsigned char *passwd, unsigned char *c8,
+/* SMB echo "timeout" -- FIXME: tunable? */
-                         unsigned char *p24);
+#define SMB_ECHO_INTERVAL (60 * HZ)
 extern mempool_t *cifs_req_poolp;
@@ -84,6 +84,7 @@ struct smb_vol {
        bool no_xattr:1;   /* set if xattr (EA) support should be disabled*/
        bool server_ino:1; /* use inode numbers from server ie UniqueId */
        bool direct_io:1;
+        bool strict_io:1; /* strict cache behavior */
        bool remap:1;      /* set to remap seven reserved chars in filenames */
        bool posix_paths:1; /* unset to not ask for posix pathnames. */
        bool no_linux_ext:1;
@@ -152,6 +153,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
        /* before reconnecting the tcp session, mark the smb session (uid)
                and the tid bad so they are not used until reconnected */
+        cFYI(1, "%s: marking sessions and tcons for reconnect", __func__);
        spin_lock(&cifs_tcp_ses_lock);
        list_for_each(tmp, &server->smb_ses_list) {
                ses = list_entry(tmp, struct cifsSesInfo, smb_ses_list);
@@ -163,7 +165,9 @@ cifs_reconnect(struct TCP_Server_Info *server)
                }
        }
        spin_unlock(&cifs_tcp_ses_lock);
        /* do not want to be sending data on a socket we are freeing */
+        cFYI(1, "%s: tearing down socket", __func__);
        mutex_lock(&server->srv_mutex);
        if (server->ssocket) {
                cFYI(1, "State: 0x%x Flags: 0x%lx", server->ssocket->state,
@@ -180,25 +184,22 @@ cifs_reconnect(struct TCP_Server_Info *server)
        kfree(server->session_key.response);
        server->session_key.response = NULL;
        server->session_key.len = 0;
+        server->lstrp = jiffies;
+        mutex_unlock(&server->srv_mutex);
+        /* mark submitted MIDs for retry and issue callback */
+        cFYI(1, "%s: issuing mid callbacks", __func__);
        spin_lock(&GlobalMid_Lock);
-        list_for_each(tmp, &server->pending_mid_q) {
+        list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
-                mid_entry = list_entry(tmp, struct
+                mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
-                                        mid_q_entry,
+                if (mid_entry->midState == MID_REQUEST_SUBMITTED)
-                                        qhead);
-                if (mid_entry->midState == MID_REQUEST_SUBMITTED) {
-                                /* Mark other intransit requests as needing
-                                   retry so we do not immediately mark the
-                                   session bad again (ie after we reconnect
-                                   below) as they timeout too */
                        mid_entry->midState = MID_RETRY_NEEDED;
-                }
+                list_del_init(&mid_entry->qhead);
+                mid_entry->callback(mid_entry);
        }
        spin_unlock(&GlobalMid_Lock);
-        mutex_unlock(&server->srv_mutex);
-        while ((server->tcpStatus != CifsExiting) &&
+        while (server->tcpStatus == CifsNeedReconnect) {
-               (server->tcpStatus != CifsGood)) {
                try_to_freeze();
                /* we should try only the port we connected to before */
@@ -210,12 +211,11 @@ cifs_reconnect(struct TCP_Server_Info *server)
                        atomic_inc(&tcpSesReconnectCount);
                        spin_lock(&GlobalMid_Lock);
                        if (server->tcpStatus != CifsExiting)
-                                server->tcpStatus = CifsGood;
+                                server->tcpStatus = CifsNeedNegotiate;
                        spin_unlock(&GlobalMid_Lock);
-        /*              atomic_set(&server->inFlight,0);*/
-                        wake_up(&server->response_q);
                }
        }
        return rc;
 }
@@ -229,9 +229,8 @@ cifs_reconnect(struct TCP_Server_Info *server)
 static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
 {
        struct smb_t2_rsp *pSMBt;
-        int total_data_size;
-        int data_in_this_rsp;
        int remaining;
+        __u16 total_data_size, data_in_this_rsp;
        if (pSMB->Command != SMB_COM_TRANSACTION2)
                return 0;
@@ -245,48 +244,45 @@ static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
        pSMBt = (struct smb_t2_rsp *)pSMB;
-        total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount);
+        total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
-        data_in_this_rsp = le16_to_cpu(pSMBt->t2_rsp.DataCount);
+        data_in_this_rsp = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
-        remaining = total_data_size - data_in_this_rsp;
+        if (total_data_size == data_in_this_rsp)
-        if (remaining == 0)
                return 0;
-        else if (remaining < 0) {
+        else if (total_data_size < data_in_this_rsp) {
                cFYI(1, "total data %d smaller than data in frame %d",
                        total_data_size, data_in_this_rsp);
                return -EINVAL;
-        } else {
-                cFYI(1, "missing %d bytes from transact2, check next response",
-                        remaining);
-                if (total_data_size > maxBufSize) {
-                        cERROR(1, "TotalDataSize %d is over maximum buffer %d",
-                                total_data_size, maxBufSize);
-                        return -EINVAL;
-                }
-                return remaining;
        }
+        remaining = total_data_size - data_in_this_rsp;
+        cFYI(1, "missing %d bytes from transact2, check next response",
+                remaining);
+        if (total_data_size > maxBufSize) {
+                cERROR(1, "TotalDataSize %d is over maximum buffer %d",
+                        total_data_size, maxBufSize);
+                return -EINVAL;
+        }
+        return remaining;
 }
 static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
 {
        struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond;
        struct smb_t2_rsp *pSMBt  = (struct smb_t2_rsp *)pTargetSMB;
-        int total_data_size;
-        int total_in_buf;
-        int remaining;
-        int total_in_buf2;
        char *data_area_of_target;
        char *data_area_of_buf2;
-        __u16 byte_count;
+        int remaining;
+        __u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
-        total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount);
+        total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
-        if (total_data_size != le16_to_cpu(pSMB2->t2_rsp.TotalDataCount)) {
+        if (total_data_size !=
+            get_unaligned_le16(&pSMB2->t2_rsp.TotalDataCount))
                cFYI(1, "total data size of primary and secondary t2 differ");
-        }
-        total_in_buf = le16_to_cpu(pSMBt->t2_rsp.DataCount);
+        total_in_buf = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
        remaining = total_data_size - total_in_buf;
@@ -296,28 +292,28 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        if (remaining == 0) /* nothing to do, ignore */
                return 0;
-        total_in_buf2 = le16_to_cpu(pSMB2->t2_rsp.DataCount);
+        total_in_buf2 = get_unaligned_le16(&pSMB2->t2_rsp.DataCount);
        if (remaining < total_in_buf2) {
                cFYI(1, "transact2 2nd response contains too much data");
        }
        /* find end of first SMB data area */
        data_area_of_target = (char *)&pSMBt->hdr.Protocol +
-                                le16_to_cpu(pSMBt->t2_rsp.DataOffset);
+                                get_unaligned_le16(&pSMBt->t2_rsp.DataOffset);
        /* validate target area */
-        data_area_of_buf2 = (char *) &pSMB2->hdr.Protocol +
+        data_area_of_buf2 = (char *)&pSMB2->hdr.Protocol +
-                                        le16_to_cpu(pSMB2->t2_rsp.DataOffset);
+                                get_unaligned_le16(&pSMB2->t2_rsp.DataOffset);
        data_area_of_target += total_in_buf;
        /* copy second buffer into end of first buffer */
        memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
        total_in_buf += total_in_buf2;
-        pSMBt->t2_rsp.DataCount = cpu_to_le16(total_in_buf);
+        put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
-        byte_count = le16_to_cpu(BCC_LE(pTargetSMB));
+        byte_count = get_bcc_le(pTargetSMB);
        byte_count += total_in_buf2;
-        BCC_LE(pTargetSMB) = cpu_to_le16(byte_count);
+        put_bcc_le(byte_count, pTargetSMB);
        byte_count = pTargetSMB->smb_buf_length;
        byte_count += total_in_buf2;
@@ -331,7 +327,31 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
                return 0; /* we are done */
        } else /* more responses to go */
                return 1;
+}
+static void
+cifs_echo_request(struct work_struct *work)
+{
+        int rc;
+        struct TCP_Server_Info *server = container_of(work,
+                                        struct TCP_Server_Info, echo.work);
+        /*
+         * We cannot send an echo until the NEGOTIATE_PROTOCOL request is
+         * done, which is indicated by maxBuf != 0. Also, no need to ping if
+         * we got a response recently
+         */
+        if (server->maxBuf == 0 ||
+            time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
+                goto requeue_echo;
+        rc = CIFSSMBEcho(server);
+        if (rc)
+                cFYI(1, "Unable to send echo request to server: %s",
+                        server->hostname);
+requeue_echo:
+        queue_delayed_work(system_nrt_wq, &server->echo, SMB_ECHO_INTERVAL);
 }
 static int
@@ -345,8 +365,7 @@ cifs_demultiplex_thread(struct TCP_Server_Info *server)
        struct msghdr smb_msg;
        struct kvec iov;
        struct socket *csocket = server->ssocket;
-        struct list_head *tmp;
+        struct list_head *tmp, *tmp2;
-        struct cifsSesInfo *ses;
        struct task_struct *task_to_wake = NULL;
        struct mid_q_entry *mid_entry;
        char temp;
@@ -399,7 +418,20 @@ cifs_demultiplex_thread(struct TCP_Server_Info *server)
                smb_msg.msg_control = NULL;
                smb_msg.msg_controllen = 0;
                pdu_length = 4; /* enough to get RFC1001 header */
 incomplete_rcv:
+                if (echo_retries > 0 && server->tcpStatus == CifsGood &&
+                    time_after(jiffies, server->lstrp +
+                                        (echo_retries * SMB_ECHO_INTERVAL))) {
+                        cERROR(1, "Server %s has not responded in %d seconds. "
+                                  "Reconnecting...", server->hostname,
+                                  (echo_retries * SMB_ECHO_INTERVAL / HZ));
+                        cifs_reconnect(server);
+                        csocket = server->ssocket;
+                        wake_up(&server->response_q);
+                        continue;
+                }
                length =
                    kernel_recvmsg(csocket, &smb_msg,
                                &iov, 1, pdu_length, 0 /* BB other flags? */);
@@ -550,25 +582,36 @@ incomplete_rcv:
                else if (reconnect == 1)
                        continue;
-                length += 4; /* account for rfc1002 hdr */
+                total_read += 4; /* account for rfc1002 hdr */
+                dump_smb(smb_buffer, total_read);
-                dump_smb(smb_buffer, length);
+                /*
-                if (checkSMB(smb_buffer, smb_buffer->Mid, total_read+4)) {
+                 * We know that we received enough to get to the MID as we
-                        cifs_dump_mem("Bad SMB: ", smb_buffer, 48);
+                 * checked the pdu_length earlier. Now check to see
-                        continue;
+                 * if the rest of the header is OK. We borrow the length
-                }
+                 * var for the rest of the loop to avoid a new stack var.
+                 *
+                 * 48 bytes is enough to display the header and a little bit
+                 * into the payload for debugging purposes.
+                 */
+                length = checkSMB(smb_buffer, smb_buffer->Mid, total_read);
+                if (length != 0)
+                        cifs_dump_mem("Bad SMB: ", smb_buffer,
+                                        min_t(unsigned int, total_read, 48));
+                mid_entry = NULL;
+                server->lstrp = jiffies;
-                task_to_wake = NULL;
                spin_lock(&GlobalMid_Lock);
-                list_for_each(tmp, &server->pending_mid_q) {
+                list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
                        mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
                        if ((mid_entry->mid == smb_buffer->Mid) &&
                            (mid_entry->midState == MID_REQUEST_SUBMITTED) &&
                            (mid_entry->command == smb_buffer->Command)) {
-                                if (check2ndT2(smb_buffer,server->maxBuf) > 0) {
+                                if (length == 0 &&
+                                   check2ndT2(smb_buffer, server->maxBuf) > 0) {
                                        /* We have a multipart transact2 resp */
                                        isMultiRsp = true;
                                        if (mid_entry->resp_buf) {
@@ -603,20 +646,24 @@ incomplete_rcv:
                                mid_entry->resp_buf = smb_buffer;
                                mid_entry->largeBuf = isLargeBuf;
 multi_t2_fnd:
-                                task_to_wake = mid_entry->tsk;
+                                if (length == 0)
-                                mid_entry->midState = MID_RESPONSE_RECEIVED;
+                                        mid_entry->midState =
+                                                        MID_RESPONSE_RECEIVED;
+                                else
+                                        mid_entry->midState =
+                                                        MID_RESPONSE_MALFORMED;
 #ifdef CONFIG_CIFS_STATS2
                                mid_entry->when_received = jiffies;
 #endif
-                                /* so we do not time out requests to  server
+                                list_del_init(&mid_entry->qhead);
-                                which is still responding (since server could
+                                mid_entry->callback(mid_entry);
-                                be busy but not dead) */
-                                server->lstrp = jiffies;
                                break;
                        }
+                        mid_entry = NULL;
                }
                spin_unlock(&GlobalMid_Lock);
-                if (task_to_wake) {
+                if (mid_entry != NULL) {
                        /* Was previous buf put in mpx struct for multi-rsp? */
                        if (!isMultiRsp) {
                                /* smb buffer will be freed by user thread */
@@ -625,11 +672,13 @@ multi_t2_fnd:
                                else
                                        smallbuf = NULL;
                        }
-                        wake_up_process(task_to_wake);
+                } else if (length != 0) {
+                        /* response sanity checks failed */
+                        continue;
                } else if (!is_valid_oplock_break(smb_buffer, server) &&
                           !isMultiRsp) {
                        cERROR(1, "No task to wake, unknown frame received! "
-                                   "NumMids %d", midCount.counter);
+                                   "NumMids %d", atomic_read(&midCount));
                        cifs_dump_mem("Received Data is: ", (char *)smb_buffer,
                                      sizeof(struct smb_hdr));
 #ifdef CONFIG_CIFS_DEBUG2
@@ -677,44 +726,16 @@ multi_t2_fnd:
        if (smallbuf) /* no sense logging a debug message if NULL */
                cifs_small_buf_release(smallbuf);
-        /*
+        if (!list_empty(&server->pending_mid_q)) {
-         * BB: we shouldn't have to do any of this. It shouldn't be
-         * possible to exit from the thread with active SMB sessions
-         */
-        spin_lock(&cifs_tcp_ses_lock);
-        if (list_empty(&server->pending_mid_q)) {
-                /* loop through server session structures attached to this and
-                    mark them dead */
-                list_for_each(tmp, &server->smb_ses_list) {
-                        ses = list_entry(tmp, struct cifsSesInfo,
-                                         smb_ses_list);
-                        ses->status = CifsExiting;
-                        ses->server = NULL;
-                }
-                spin_unlock(&cifs_tcp_ses_lock);
-        } else {
-                /* although we can not zero the server struct pointer yet,
-                since there are active requests which may depnd on them,
-                mark the corresponding SMB sessions as exiting too */
-                list_for_each(tmp, &server->smb_ses_list) {
-                        ses = list_entry(tmp, struct cifsSesInfo,
-                                         smb_ses_list);
-                        ses->status = CifsExiting;
-                }
                spin_lock(&GlobalMid_Lock);
-                list_for_each(tmp, &server->pending_mid_q) {
+                list_for_each_safe(tmp, tmp2, &server->pending_mid_q) {
-                mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+                        mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
-                        if (mid_entry->midState == MID_REQUEST_SUBMITTED) {
+                        cFYI(1, "Clearing Mid 0x%x - issuing callback",
-                                cFYI(1, "Clearing Mid 0x%x - waking up ",
                                         mid_entry->mid);
-                                task_to_wake = mid_entry->tsk;
+                        list_del_init(&mid_entry->qhead);
-                                if (task_to_wake)
+                        mid_entry->callback(mid_entry);
-                                        wake_up_process(task_to_wake);
-                        }
                }
                spin_unlock(&GlobalMid_Lock);
-                spin_unlock(&cifs_tcp_ses_lock);
                /* 1/8th of sec is more than enough time for them to exit */
                msleep(125);
        }
@@ -732,18 +753,6 @@ multi_t2_fnd:
                coming home not much else we can do but free the memory */
        }
-        /* last chance to mark ses pointers invalid
-        if there are any pointing to this (e.g
-        if a crazy root user tried to kill cifsd
-        kernel thread explicitly this might happen) */
-        /* BB: This shouldn't be necessary, see above */
-        spin_lock(&cifs_tcp_ses_lock);
-        list_for_each(tmp, &server->smb_ses_list) {
-                ses = list_entry(tmp, struct cifsSesInfo, smb_ses_list);
-                ses->server = NULL;
-        }
-        spin_unlock(&cifs_tcp_ses_lock);
        kfree(server->hostname);
        task_to_wake = xchg(&server->tsk, NULL);
        kfree(server);
@@ -871,7 +880,8 @@ cifs_parse_mount_options(char *options, const char *devname,
                                /* null user, ie anonymous, authentication */
                                vol->nullauth = 1;
                        }
-                        if (strnlen(value, 200) < 200) {
+                        if (strnlen(value, MAX_USERNAME_SIZE) <
+                                                MAX_USERNAME_SIZE) {
                                vol->username = value;
                        } else {
                                printk(KERN_WARNING "CIFS: username too long\n");
@@ -1113,6 +1123,8 @@ cifs_parse_mount_options(char *options, const char *devname,
                } else if (!strnicmp(data, "uid", 3) && value && *value) {
                        vol->linux_uid = simple_strtoul(value, &value, 0);
                        uid_specified = true;
+                } else if (!strnicmp(data, "cruid", 5) && value && *value) {
+                        vol->cred_uid = simple_strtoul(value, &value, 0);
                } else if (!strnicmp(data, "forceuid", 8)) {
                        override_uid = 1;
                } else if (!strnicmp(data, "noforceuid", 10)) {
@@ -1353,6 +1365,8 @@ cifs_parse_mount_options(char *options, const char *devname,
                        vol->direct_io = 1;
                } else if (strnicmp(data, "forcedirectio", 13) == 0) {
                        vol->direct_io = 1;
+                } else if (strnicmp(data, "strictcache", 11) == 0) {
+                        vol->strict_io = 1;
                } else if (strnicmp(data, "noac", 4) == 0) {
                        printk(KERN_WARNING "CIFS: Mount option noac not "
                                "supported. Instead set "
@@ -1458,7 +1472,7 @@ srcip_matches(struct sockaddr *srcaddr, struct sockaddr *rhs)
 static bool
 match_port(struct TCP_Server_Info *server, struct sockaddr *addr)
 {
-        unsigned short int port, *sport;
+        __be16 port, *sport;
        switch (addr->sa_family) {
        case AF_INET:
@@ -1558,7 +1572,7 @@ match_security(struct TCP_Server_Info *server, struct smb_vol *vol)
                return false;
        }
-        /* now check if signing mode is acceptible */
+        /* now check if signing mode is acceptable */
        if ((secFlags & CIFSSEC_MAY_SIGN) == 0 &&
            (server->secMode & SECMODE_SIGN_REQUIRED))
                        return false;
@@ -1577,6 +1591,9 @@ cifs_find_tcp_session(struct sockaddr *addr, struct smb_vol *vol)
        spin_lock(&cifs_tcp_ses_lock);
        list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
+                if (!net_eq(cifs_net_ns(server), current->nsproxy->net_ns))
+                        continue;
                if (!match_address(server, addr,
                                   (struct sockaddr *)&vol->srcaddr))
                        continue;
@@ -1607,9 +1624,13 @@ cifs_put_tcp_session(struct TCP_Server_Info *server)
                return;
        }
+        put_net(cifs_net_ns(server));
        list_del_init(&server->tcp_ses_list);
        spin_unlock(&cifs_tcp_ses_lock);
+        cancel_delayed_work_sync(&server->echo);
        spin_lock(&GlobalMid_Lock);
        server->tcpStatus = CifsExiting;
        spin_unlock(&GlobalMid_Lock);
@@ -1679,6 +1700,7 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
                goto out_err;
        }
+        cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
        tcp_ses->hostname = extract_hostname(volume_info->UNC);
        if (IS_ERR(tcp_ses->hostname)) {
                rc = PTR_ERR(tcp_ses->hostname);
@@ -1699,8 +1721,10 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
                volume_info->target_rfc1001_name, RFC1001_NAME_LEN_WITH_NULL);
        tcp_ses->session_estab = false;
        tcp_ses->sequence_number = 0;
+        tcp_ses->lstrp = jiffies;
        INIT_LIST_HEAD(&tcp_ses->tcp_ses_list);
        INIT_LIST_HEAD(&tcp_ses->smb_ses_list);
+        INIT_DELAYED_WORK(&tcp_ses->echo, cifs_echo_request);
        /*
         * at this point we are the only ones with the pointer
@@ -1741,6 +1765,7 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
                module_put(THIS_MODULE);
                goto out_err_crypto_release;
        }
+        tcp_ses->tcpStatus = CifsNeedNegotiate;
        /* thread spawned, put it on the list */
        spin_lock(&cifs_tcp_ses_lock);
@@ -1749,11 +1774,16 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
        cifs_fscache_get_client_cookie(tcp_ses);
+        /* queue echo request delayed work */
+        queue_delayed_work(system_nrt_wq, &tcp_ses->echo, SMB_ECHO_INTERVAL);
        return tcp_ses;
 out_err_crypto_release:
        cifs_crypto_shash_release(tcp_ses);
+        put_net(cifs_net_ns(tcp_ses));
 out_err:
        if (tcp_ses) {
                if (!IS_ERR(tcp_ses->hostname))
@@ -1779,7 +1809,9 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol)
                        break;
                default:
                        /* anything else takes username/password */
-                        if (strncmp(ses->userName, vol->username,
+                        if (ses->user_name == NULL)
+                                continue;
+                        if (strncmp(ses->user_name, vol->username,
                                    MAX_USERNAME_SIZE))
                                continue;
                        if (strlen(vol->username) != 0 &&
@@ -1822,6 +1854,8 @@ cifs_put_smb_ses(struct cifsSesInfo *ses)
        cifs_put_tcp_session(server);
 }
+static bool warned_on_ntlm;  /* globals init to false automatically */
 static struct cifsSesInfo *
 cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 {
@@ -1877,9 +1911,11 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
        else
                sprintf(ses->serverName, "%pI4", &addr->sin_addr);
-        if (volume_info->username)
+        if (volume_info->username) {
-                strncpy(ses->userName, volume_info->username,
+                ses->user_name = kstrdup(volume_info->username, GFP_KERNEL);
-                        MAX_USERNAME_SIZE);
+                if (!ses->user_name)
+                        goto get_ses_fail;
+        }
        /* volume_info->password freed at unmount */
        if (volume_info->password) {
@@ -1894,6 +1930,15 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
        }
        ses->cred_uid = volume_info->cred_uid;
        ses->linux_uid = volume_info->linux_uid;
+        /* ntlmv2 is much stronger than ntlm security, and has been broadly
+        supported for many years, time to update default security mechanism */
+        if ((volume_info->secFlg == 0) && warned_on_ntlm == false) {
+                warned_on_ntlm = true;
+                cERROR(1, "default security mechanism requested.  The default "
+                        "security mechanism will be upgraded from ntlm to "
+                        "ntlmv2 in kernel release 2.6.41");
+        }
        ses->overrideSecFlg = volume_info->secFlg;
        mutex_lock(&ses->session_mutex);
@@ -2247,7 +2292,7 @@ static int
 generic_ip_connect(struct TCP_Server_Info *server)
 {
        int rc = 0;
-        unsigned short int sport;
+        __be16 sport;
        int slen, sfamily;
        struct socket *socket = server->ssocket;
        struct sockaddr *saddr;
@@ -2265,8 +2310,8 @@ generic_ip_connect(struct TCP_Server_Info *server)
        }
        if (socket == NULL) {
-                rc = sock_create_kern(sfamily, SOCK_STREAM,
+                rc = __sock_create(cifs_net_ns(server), sfamily, SOCK_STREAM,
-                                      IPPROTO_TCP, &socket);
+                                   IPPROTO_TCP, &socket, 1);
                if (rc < 0) {
                        cERROR(1, "Error %d creating socket", rc);
                        server->ssocket = NULL;
@@ -2332,7 +2377,7 @@ generic_ip_connect(struct TCP_Server_Info *server)
 static int
 ip_connect(struct TCP_Server_Info *server)
 {
-        unsigned short int *sport;
+        __be16 *sport;
        struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)&server->dstaddr;
        struct sockaddr_in *addr = (struct sockaddr_in *)&server->dstaddr;
@@ -2578,6 +2623,8 @@ static void setup_cifs_sb(struct smb_vol *pvolume_info,
        if (pvolume_info->multiuser)
                cifs_sb->mnt_cifs_flags |= (CIFS_MOUNT_MULTIUSER |
                                            CIFS_MOUNT_NO_PERM);
+        if (pvolume_info->strict_io)
+                cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_STRICT_IO;
        if (pvolume_info->direct_io) {
                cFYI(1, "mounting share using direct i/o");
                cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_DIRECT_IO;
@@ -2795,7 +2842,7 @@ try_mount_again:
 remote_path_check:
        /* check if a whole path (including prepath) is not remote */
-        if (!rc && cifs_sb->prepathlen && tcon) {
+        if (!rc && tcon) {
                /* build_path_to_root works only when we have a valid tcon */
                full_path = cifs_build_path_to_root(cifs_sb, tcon);
                if (full_path == NULL) {
@@ -2902,7 +2949,7 @@ mount_fail_check:
                if (mount_data != mount_data_global)
                        kfree(mount_data);
                /* If find_unc succeeded then rc == 0 so we can not end */
-                /* up accidently freeing someone elses tcon struct */
+                /* up accidentally freeing someone elses tcon struct */
                if (tcon)
                        cifs_put_tcon(tcon);
                else if (pSesInfo)
@@ -2934,8 +2981,8 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
        TCONX_RSP *pSMBr;
        unsigned char *bcc_ptr;
        int rc = 0;
-        int length, bytes_left;
+        int length;
-        __u16 count;
+        __u16 bytes_left, count;
        if (ses == NULL)
                return -EIO;
@@ -2963,7 +3010,7 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
                bcc_ptr++;              /* skip password */
                /* already aligned so no need to do it below */
        } else {
-                pSMB->PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
+                pSMB->PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
                /* BB FIXME add code to fail this if NTLMv2 or Kerberos
                   specified as required (when that support is added to
                   the vfs in the future) as only NTLM or the much
@@ -2979,9 +3026,10 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
                                         bcc_ptr);
                else
 #endif /* CIFS_WEAK_PW_HASH */
-                SMBNTencrypt(tcon->password, ses->server->cryptkey, bcc_ptr);
+                rc = SMBNTencrypt(tcon->password, ses->server->cryptkey,
+                                        bcc_ptr);
-                bcc_ptr += CIFS_SESS_KEY_SIZE;
+                bcc_ptr += CIFS_AUTH_RESP_SIZE;
                if (ses->capabilities & CAP_UNICODE) {
                        /* must align unicode strings */
                        *bcc_ptr = 0; /* null byte password */
@@ -3019,7 +3067,7 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
        pSMB->ByteCount = cpu_to_le16(count);
        rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length,
-                         CIFS_STD_OP);
+                         0);
        /* above now done in SendReceive */
        if ((rc == 0) && (tcon != NULL)) {
@@ -3029,7 +3077,7 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
                tcon->need_reconnect = false;
                tcon->tid = smb_buffer_response->Tid;
                bcc_ptr = pByteArea(smb_buffer_response);
-                bytes_left = BCC(smb_buffer_response);
+                bytes_left = get_bcc(smb_buffer_response);
                length = strnlen(bcc_ptr, bytes_left - 2);
                if (smb_buffer->Flags2 & SMBFLG2_UNICODE)
                        is_unicode = true;
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index dd5f22918c33..9ea65cf36714 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -189,7 +189,7 @@ cifs_create(struct inode *inode, struct dentry *direntry, int mode,
                        inode->i_sb, mode, oflags, &oplock, &fileHandle, xid);
                /* EIO could indicate that (posix open) operation is not
                   supported, despite what server claimed in capability
-                   negotation.  EREMOTE indicates DFS junction, which is not
+                   negotiation.  EREMOTE indicates DFS junction, which is not
                   handled in posix open */
                if (rc == 0) {
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index d843631c028d..faf59529e847 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -287,6 +287,7 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
        struct inode *inode = cifs_file->dentry->d_inode;
        struct cifsTconInfo *tcon = tlink_tcon(cifs_file->tlink);
        struct cifsInodeInfo *cifsi = CIFS_I(inode);
+        struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
        struct cifsLockInfo *li, *tmp;
        spin_lock(&cifs_file_list_lock);
@@ -302,6 +303,13 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
        if (list_empty(&cifsi->openFileList)) {
                cFYI(1, "closing last open instance for inode %p",
                        cifs_file->dentry->d_inode);
+                /* in strict cache mode we need invalidate mapping on the last
+                   close  because it may cause a error when we open this file
+                   again and get at least level II oplock */
+                if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_STRICT_IO)
+                        CIFS_I(inode)->invalid_mapping = true;
                cifs_set_oplock_level(cifsi, 0);
        }
        spin_unlock(&cifs_file_list_lock);
@@ -338,7 +346,6 @@ int cifs_open(struct inode *inode, struct file *file)
        struct cifsTconInfo *tcon;
        struct tcon_link *tlink;
        struct cifsFileInfo *pCifsFile = NULL;
-        struct cifsInodeInfo *pCifsInode;
        char *full_path = NULL;
        bool posix_open_ok = false;
        __u16 netfid;
@@ -353,8 +360,6 @@ int cifs_open(struct inode *inode, struct file *file)
        }
        tcon = tlink_tcon(tlink);
-        pCifsInode = CIFS_I(file->f_path.dentry->d_inode);
        full_path = build_path_from_dentry(file->f_path.dentry);
        if (full_path == NULL) {
                rc = -ENOMEM;
@@ -570,8 +575,10 @@ reopen_error_exit:
 int cifs_close(struct inode *inode, struct file *file)
 {
-        cifsFileInfo_put(file->private_data);
+        if (file->private_data != NULL) {
-        file->private_data = NULL;
+                cifsFileInfo_put(file->private_data);
+                file->private_data = NULL;
+        }
        /* return code from the ->release op is always ignored */
        return 0;
@@ -726,12 +733,12 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
                /* BB we could chain these into one lock request BB */
                rc = CIFSSMBLock(xid, tcon, netfid, length, pfLock->fl_start,
-                                 0, 1, lockType, 0 /* wait flag */ );
+                                 0, 1, lockType, 0 /* wait flag */, 0);
                if (rc == 0) {
                        rc = CIFSSMBLock(xid, tcon, netfid, length,
                                         pfLock->fl_start, 1 /* numUnlock */ ,
                                         0 /* numLock */ , lockType,
-                                         0 /* wait flag */ );
+                                         0 /* wait flag */, 0);
                        pfLock->fl_type = F_UNLCK;
                        if (rc != 0)
                                cERROR(1, "Error unlocking previously locked "
@@ -748,13 +755,13 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
                                rc = CIFSSMBLock(xid, tcon, netfid, length,
                                        pfLock->fl_start, 0, 1,
                                        lockType | LOCKING_ANDX_SHARED_LOCK,
-                                        0 /* wait flag */);
+                                        0 /* wait flag */, 0);
                                if (rc == 0) {
                                        rc = CIFSSMBLock(xid, tcon, netfid,
                                                length, pfLock->fl_start, 1, 0,
                                                lockType |
                                                LOCKING_ANDX_SHARED_LOCK,
-                                                0 /* wait flag */);
+                                                0 /* wait flag */, 0);
                                        pfLock->fl_type = F_RDLCK;
                                        if (rc != 0)
                                                cERROR(1, "Error unlocking "
@@ -797,8 +804,8 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
                if (numLock) {
                        rc = CIFSSMBLock(xid, tcon, netfid, length,
-                                        pfLock->fl_start,
+                                         pfLock->fl_start, 0, numLock, lockType,
-                                        0, numLock, lockType, wait_flag);
+                                         wait_flag, 0);
                        if (rc == 0) {
                                /* For Windows locks we must store them. */
@@ -818,9 +825,9 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
                                                (pfLock->fl_start + length) >=
                                                (li->offset + li->length)) {
                                        stored_rc = CIFSSMBLock(xid, tcon,
-                                                        netfid,
+                                                        netfid, li->length,
-                                                        li->length, li->offset,
+                                                        li->offset, 1, 0,
-                                                        1, 0, li->type, false);
+                                                        li->type, false, 0);
                                        if (stored_rc)
                                                rc = stored_rc;
                                        else {
@@ -839,31 +846,8 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
        return rc;
 }
-/*
- * Set the timeout on write requests past EOF. For some servers (Windows)
- * these calls can be very long.
- *
- * If we're writing >10M past the EOF we give a 180s timeout. Anything less
- * than that gets a 45s timeout. Writes not past EOF get 15s timeouts.
- * The 10M cutoff is totally arbitrary. A better scheme for this would be
- * welcome if someone wants to suggest one.
- *
- * We may be able to do a better job with this if there were some way to
- * declare that a file should be sparse.
- */
-static int
-cifs_write_timeout(struct cifsInodeInfo *cifsi, loff_t offset)
-{
-        if (offset <= cifsi->server_eof)
-                return CIFS_STD_OP;
-        else if (offset > (cifsi->server_eof + (10 * 1024 * 1024)))
-                return CIFS_VLONG_OP;
-        else
-                return CIFS_LONG_OP;
-}
 /* update the file size (if needed) after a write */
-static void
+void
 cifs_update_eof(struct cifsInodeInfo *cifsi, loff_t offset,
                      unsigned int bytes_written)
 {
@@ -882,7 +866,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
        unsigned int total_written;
        struct cifs_sb_info *cifs_sb;
        struct cifsTconInfo *pTcon;
-        int xid, long_op;
+        int xid;
        struct cifsFileInfo *open_file;
        struct cifsInodeInfo *cifsi = CIFS_I(inode);
@@ -903,7 +887,6 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
        xid = GetXid();
-        long_op = cifs_write_timeout(cifsi, *poffset);
        for (total_written = 0; write_size > total_written;
             total_written += bytes_written) {
                rc = -EAGAIN;
@@ -931,7 +914,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
                                min_t(const int, cifs_sb->wsize,
                                      write_size - total_written),
                                *poffset, &bytes_written,
-                                NULL, write_data + total_written, long_op);
+                                NULL, write_data + total_written, 0);
                }
                if (rc || (bytes_written == 0)) {
                        if (total_written)
@@ -944,8 +927,6 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
                        cifs_update_eof(cifsi, *poffset, bytes_written);
                        *poffset += bytes_written;
                }
-                long_op = CIFS_STD_OP; /* subsequent writes fast -
-                                    15 seconds is plenty */
        }
        cifs_stats_bytes_written(pTcon, total_written);
@@ -974,7 +955,7 @@ static ssize_t cifs_write(struct cifsFileInfo *open_file,
        unsigned int total_written;
        struct cifs_sb_info *cifs_sb;
        struct cifsTconInfo *pTcon;
-        int xid, long_op;
+        int xid;
        struct dentry *dentry = open_file->dentry;
        struct cifsInodeInfo *cifsi = CIFS_I(dentry->d_inode);
@@ -987,11 +968,13 @@ static ssize_t cifs_write(struct cifsFileInfo *open_file,
        xid = GetXid();
-        long_op = cifs_write_timeout(cifsi, *poffset);
        for (total_written = 0; write_size > total_written;
             total_written += bytes_written) {
                rc = -EAGAIN;
                while (rc == -EAGAIN) {
+                        struct kvec iov[2];
+                        unsigned int len;
                        if (open_file->invalidHandle) {
                                /* we could deadlock if we called
                                   filemap_fdatawait from here so tell
@@ -1001,31 +984,14 @@ static ssize_t cifs_write(struct cifsFileInfo *open_file,
                                if (rc != 0)
                                        break;
                        }
-                        if (experimEnabled || (pTcon->ses->server &&
-                                ((pTcon->ses->server->secMode &
+                        len = min((size_t)cifs_sb->wsize,
-                                (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
+                                  write_size - total_written);
-                                == 0))) {
+                        /* iov[0] is reserved for smb header */
-                                struct kvec iov[2];
+                        iov[1].iov_base = (char *)write_data + total_written;
-                                unsigned int len;
+                        iov[1].iov_len = len;
+                        rc = CIFSSMBWrite2(xid, pTcon, open_file->netfid, len,
-                                len = min((size_t)cifs_sb->wsize,
+                                           *poffset, &bytes_written, iov, 1, 0);
-                                          write_size - total_written);
-                                /* iov[0] is reserved for smb header */
-                                iov[1].iov_base = (char *)write_data +
-                                                  total_written;
-                                iov[1].iov_len = len;
-                                rc = CIFSSMBWrite2(xid, pTcon,
-                                                open_file->netfid, len,
-                                                *poffset, &bytes_written,
-                                                iov, 1, long_op);
-                        } else
-                                rc = CIFSSMBWrite(xid, pTcon,
-                                         open_file->netfid,
-                                         min_t(const int, cifs_sb->wsize,
-                                               write_size - total_written),
-                                         *poffset, &bytes_written,
-                                         write_data + total_written,
-                                         NULL, long_op);
                }
                if (rc || (bytes_written == 0)) {
                        if (total_written)
@@ -1038,8 +1004,6 @@ static ssize_t cifs_write(struct cifsFileInfo *open_file,
                        cifs_update_eof(cifsi, *poffset, bytes_written);
                        *poffset += bytes_written;
                }
-                long_op = CIFS_STD_OP; /* subsequent writes fast -
-                                    15 seconds is plenty */
        }
        cifs_stats_bytes_written(pTcon, total_written);
@@ -1167,7 +1131,6 @@ static int cifs_partialpagewrite(struct page *page, unsigned from, unsigned to)
        char *write_data;
        int rc = -EFAULT;
        int bytes_written = 0;
-        struct cifs_sb_info *cifs_sb;
        struct inode *inode;
        struct cifsFileInfo *open_file;
@@ -1175,7 +1138,6 @@ static int cifs_partialpagewrite(struct page *page, unsigned from, unsigned to)
                return -EFAULT;
        inode = page->mapping->host;
-        cifs_sb = CIFS_SB(inode->i_sb);
        offset += (loff_t)from;
        write_data = kmap(page);
@@ -1239,7 +1201,7 @@ static int cifs_writepages(struct address_space *mapping,
        struct pagevec pvec;
        int rc = 0;
        int scanned = 0;
-        int xid, long_op;
+        int xid;
        cifs_sb = CIFS_SB(mapping->host->i_sb);
@@ -1266,12 +1228,6 @@ static int cifs_writepages(struct address_space *mapping,
        }
        tcon = tlink_tcon(open_file->tlink);
-        if (!experimEnabled && tcon->ses->server->secMode &
-                        (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
-                cifsFileInfo_put(open_file);
-                kfree(iov);
-                return generic_writepages(mapping, wbc);
-        }
        cifsFileInfo_put(open_file);
        xid = GetXid();
@@ -1377,43 +1333,67 @@ retry:
                                break;
                }
                if (n_iov) {
+retry_write:
                        open_file = find_writable_file(CIFS_I(mapping->host),
                                                        false);
                        if (!open_file) {
                                cERROR(1, "No writable handles for inode");
                                rc = -EBADF;
                        } else {
-                                long_op = cifs_write_timeout(cifsi, offset);
                                rc = CIFSSMBWrite2(xid, tcon, open_file->netfid,
                                                   bytes_to_write, offset,
                                                   &bytes_written, iov, n_iov,
-                                                   long_op);
+                                                   0);
                                cifsFileInfo_put(open_file);
-                                cifs_update_eof(cifsi, offset, bytes_written);
                        }
-                        if (rc || bytes_written < bytes_to_write) {
+                        cFYI(1, "Write2 rc=%d, wrote=%u", rc, bytes_written);
-                                cERROR(1, "Write2 ret %d, wrote %d",
-                                          rc, bytes_written);
+                        /*
-                                mapping_set_error(mapping, rc);
+                         * For now, treat a short write as if nothing got
-                        } else {
+                         * written. A zero length write however indicates
+                         * ENOSPC or EFBIG. We have no way to know which
+                         * though, so call it ENOSPC for now. EFBIG would
+                         * get translated to AS_EIO anyway.
+                         *
+                         * FIXME: make it take into account the data that did
+                         *        get written
+                         */
+                        if (rc == 0) {
+                                if (bytes_written == 0)
+                                        rc = -ENOSPC;
+                                else if (bytes_written < bytes_to_write)
+                                        rc = -EAGAIN;
+                        }
+                        /* retry on data-integrity flush */
+                        if (wbc->sync_mode == WB_SYNC_ALL && rc == -EAGAIN)
+                                goto retry_write;
+                        /* fix the stats and EOF */
+                        if (bytes_written > 0) {
                                cifs_stats_bytes_written(tcon, bytes_written);
+                                cifs_update_eof(cifsi, offset, bytes_written);
                        }
                        for (i = 0; i < n_iov; i++) {
                                page = pvec.pages[first + i];
-                                /* Should we also set page error on
+                                /* on retryable write error, redirty page */
-                                success rc but too little data written? */
+                                if (rc == -EAGAIN)
-                                /* BB investigate retry logic on temporary
+                                        redirty_page_for_writepage(wbc, page);
-                                server crash cases and how recovery works
+                                else if (rc != 0)
-                                when page marked as error */
-                                if (rc)
                                        SetPageError(page);
                                kunmap(page);
                                unlock_page(page);
                                end_page_writeback(page);
                                page_cache_release(page);
                        }
+                        if (rc != -EAGAIN)
+                                mapping_set_error(mapping, rc);
+                        else
+                                rc = 0;
                        if ((wbc->nr_to_write -= n_iov) <= 0)
                                done = 1;
                        index = next;
@@ -1525,59 +1505,51 @@ static int cifs_write_end(struct file *file, struct address_space *mapping,
        return rc;
 }
-int cifs_fsync(struct file *file, int datasync)
+int cifs_strict_fsync(struct file *file, int datasync)
 {
        int xid;
        int rc = 0;
        struct cifsTconInfo *tcon;
        struct cifsFileInfo *smbfile = file->private_data;
        struct inode *inode = file->f_path.dentry->d_inode;
+        struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
        xid = GetXid();
        cFYI(1, "Sync file - name: %s datasync: 0x%x",
                file->f_path.dentry->d_name.name, datasync);
-        rc = filemap_write_and_wait(inode->i_mapping);
+        if (!CIFS_I(inode)->clientCanCacheRead)
-        if (rc == 0) {
+                cifs_invalidate_mapping(inode);
-                struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
-                tcon = tlink_tcon(smbfile->tlink);
+        tcon = tlink_tcon(smbfile->tlink);
-                if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOSSYNC))
+        if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOSSYNC))
-                        rc = CIFSSMBFlush(xid, tcon, smbfile->netfid);
+                rc = CIFSSMBFlush(xid, tcon, smbfile->netfid);
-        }
        FreeXid(xid);
        return rc;
 }
-/* static void cifs_sync_page(struct page *page)
+int cifs_fsync(struct file *file, int datasync)
 {
-        struct address_space *mapping;
+        int xid;
-        struct inode *inode;
-        unsigned long index = page->index;
-        unsigned int rpages = 0;
        int rc = 0;
+        struct cifsTconInfo *tcon;
+        struct cifsFileInfo *smbfile = file->private_data;
+        struct cifs_sb_info *cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
-        cFYI(1, "sync page %p", page);
+        xid = GetXid();
-        mapping = page->mapping;
-        if (!mapping)
-                return 0;
-        inode = mapping->host;
-        if (!inode)
-                return; */
-/*      fill in rpages then
+        cFYI(1, "Sync file - name: %s datasync: 0x%x",
-        result = cifs_pagein_inode(inode, index, rpages); */ /* BB finish */
+                file->f_path.dentry->d_name.name, datasync);
-/*      cFYI(1, "rpages is %d for sync page of Index %ld", rpages, index);
+        tcon = tlink_tcon(smbfile->tlink);
+        if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOSSYNC))
+                rc = CIFSSMBFlush(xid, tcon, smbfile->netfid);
-#if 0
+        FreeXid(xid);
-        if (rc < 0)
+        return rc;
-                return rc;
+}
-        return 0;
-#endif
-} */
 /*
 * As file closes, flush all cached write data for this inode checking
@@ -1596,42 +1568,244 @@ int cifs_flush(struct file *file, fl_owner_t id)
        return rc;
 }
-ssize_t cifs_user_read(struct file *file, char __user *read_data,
+static int
-        size_t read_size, loff_t *poffset)
+cifs_write_allocate_pages(struct page **pages, unsigned long num_pages)
 {
-        int rc = -EACCES;
+        int rc = 0;
+        unsigned long i;
+        for (i = 0; i < num_pages; i++) {
+                pages[i] = alloc_page(__GFP_HIGHMEM);
+                if (!pages[i]) {
+                        /*
+                         * save number of pages we have already allocated and
+                         * return with ENOMEM error
+                         */
+                        num_pages = i;
+                        rc = -ENOMEM;
+                        goto error;
+                }
+        }
+        return rc;
+error:
+        for (i = 0; i < num_pages; i++)
+                put_page(pages[i]);
+        return rc;
+}
+static inline
+size_t get_numpages(const size_t wsize, const size_t len, size_t *cur_len)
+{
+        size_t num_pages;
+        size_t clen;
+        clen = min_t(const size_t, len, wsize);
+        num_pages = clen / PAGE_CACHE_SIZE;
+        if (clen % PAGE_CACHE_SIZE)
+                num_pages++;
+        if (cur_len)
+                *cur_len = clen;
+        return num_pages;
+}
+static ssize_t
+cifs_iovec_write(struct file *file, const struct iovec *iov,
+                 unsigned long nr_segs, loff_t *poffset)
+{
+        unsigned int written;
+        unsigned long num_pages, npages, i;
+        size_t copied, len, cur_len;
+        ssize_t total_written = 0;
+        struct kvec *to_send;
+        struct page **pages;
+        struct iov_iter it;
+        struct inode *inode;
+        struct cifsFileInfo *open_file;
+        struct cifsTconInfo *pTcon;
+        struct cifs_sb_info *cifs_sb;
+        int xid, rc;
+        len = iov_length(iov, nr_segs);
+        if (!len)
+                return 0;
+        rc = generic_write_checks(file, poffset, &len, 0);
+        if (rc)
+                return rc;
+        cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
+        num_pages = get_numpages(cifs_sb->wsize, len, &cur_len);
+        pages = kmalloc(sizeof(struct pages *)*num_pages, GFP_KERNEL);
+        if (!pages)
+                return -ENOMEM;
+        to_send = kmalloc(sizeof(struct kvec)*(num_pages + 1), GFP_KERNEL);
+        if (!to_send) {
+                kfree(pages);
+                return -ENOMEM;
+        }
+        rc = cifs_write_allocate_pages(pages, num_pages);
+        if (rc) {
+                kfree(pages);
+                kfree(to_send);
+                return rc;
+        }
+        xid = GetXid();
+        open_file = file->private_data;
+        pTcon = tlink_tcon(open_file->tlink);
+        inode = file->f_path.dentry->d_inode;
+        iov_iter_init(&it, iov, nr_segs, len, 0);
+        npages = num_pages;
+        do {
+                size_t save_len = cur_len;
+                for (i = 0; i < npages; i++) {
+                        copied = min_t(const size_t, cur_len, PAGE_CACHE_SIZE);
+                        copied = iov_iter_copy_from_user(pages[i], &it, 0,
+                                                         copied);
+                        cur_len -= copied;
+                        iov_iter_advance(&it, copied);
+                        to_send[i+1].iov_base = kmap(pages[i]);
+                        to_send[i+1].iov_len = copied;
+                }
+                cur_len = save_len - cur_len;
+                do {
+                        if (open_file->invalidHandle) {
+                                rc = cifs_reopen_file(open_file, false);
+                                if (rc != 0)
+                                        break;
+                        }
+                        rc = CIFSSMBWrite2(xid, pTcon, open_file->netfid,
+                                           cur_len, *poffset, &written,
+                                           to_send, npages, 0);
+                } while (rc == -EAGAIN);
+                for (i = 0; i < npages; i++)
+                        kunmap(pages[i]);
+                if (written) {
+                        len -= written;
+                        total_written += written;
+                        cifs_update_eof(CIFS_I(inode), *poffset, written);
+                        *poffset += written;
+                } else if (rc < 0) {
+                        if (!total_written)
+                                total_written = rc;
+                        break;
+                }
+                /* get length and number of kvecs of the next write */
+                npages = get_numpages(cifs_sb->wsize, len, &cur_len);
+        } while (len > 0);
+        if (total_written > 0) {
+                spin_lock(&inode->i_lock);
+                if (*poffset > inode->i_size)
+                        i_size_write(inode, *poffset);
+                spin_unlock(&inode->i_lock);
+        }
+        cifs_stats_bytes_written(pTcon, total_written);
+        mark_inode_dirty_sync(inode);
+        for (i = 0; i < num_pages; i++)
+                put_page(pages[i]);
+        kfree(to_send);
+        kfree(pages);
+        FreeXid(xid);
+        return total_written;
+}
+static ssize_t cifs_user_writev(struct kiocb *iocb, const struct iovec *iov,
+                                unsigned long nr_segs, loff_t pos)
+{
+        ssize_t written;
+        struct inode *inode;
+        inode = iocb->ki_filp->f_path.dentry->d_inode;
+        /*
+         * BB - optimize the way when signing is disabled. We can drop this
+         * extra memory-to-memory copying and use iovec buffers for constructing
+         * write request.
+         */
+        written = cifs_iovec_write(iocb->ki_filp, iov, nr_segs, &pos);
+        if (written > 0) {
+                CIFS_I(inode)->invalid_mapping = true;
+                iocb->ki_pos = pos;
+        }
+        return written;
+}
+ssize_t cifs_strict_writev(struct kiocb *iocb, const struct iovec *iov,
+                           unsigned long nr_segs, loff_t pos)
+{
+        struct inode *inode;
+        inode = iocb->ki_filp->f_path.dentry->d_inode;
+        if (CIFS_I(inode)->clientCanCacheAll)
+                return generic_file_aio_write(iocb, iov, nr_segs, pos);
+        /*
+         * In strict cache mode we need to write the data to the server exactly
+         * from the pos to pos+len-1 rather than flush all affected pages
+         * because it may cause a error with mandatory locks on these pages but
+         * not on the region from pos to ppos+len-1.
+         */
+        return cifs_user_writev(iocb, iov, nr_segs, pos);
+}
+static ssize_t
+cifs_iovec_read(struct file *file, const struct iovec *iov,
+                 unsigned long nr_segs, loff_t *poffset)
+{
+        int rc;
+        int xid;
+        ssize_t total_read;
        unsigned int bytes_read = 0;
-        unsigned int total_read = 0;
+        size_t len, cur_len;
-        unsigned int current_read_size;
+        int iov_offset = 0;
        struct cifs_sb_info *cifs_sb;
        struct cifsTconInfo *pTcon;
-        int xid;
        struct cifsFileInfo *open_file;
-        char *smb_read_data;
-        char __user *current_offset;
        struct smb_com_read_rsp *pSMBr;
+        char *read_data;
+        if (!nr_segs)
+                return 0;
+        len = iov_length(iov, nr_segs);
+        if (!len)
+                return 0;
        xid = GetXid();
        cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
-        if (file->private_data == NULL) {
-                rc = -EBADF;
-                FreeXid(xid);
-                return rc;
-        }
        open_file = file->private_data;
        pTcon = tlink_tcon(open_file->tlink);
        if ((file->f_flags & O_ACCMODE) == O_WRONLY)
                cFYI(1, "attempting read on write only file instance");
-        for (total_read = 0, current_offset = read_data;
+        for (total_read = 0; total_read < len; total_read += bytes_read) {
-             read_size > total_read;
+                cur_len = min_t(const size_t, len - total_read, cifs_sb->rsize);
-             total_read += bytes_read, current_offset += bytes_read) {
-                current_read_size = min_t(const int, read_size - total_read,
-                                          cifs_sb->rsize);
                rc = -EAGAIN;
-                smb_read_data = NULL;
+                read_data = NULL;
                while (rc == -EAGAIN) {
                        int buf_type = CIFS_NO_BUFFER;
                        if (open_file->invalidHandle) {
@@ -1639,27 +1813,25 @@ ssize_t cifs_user_read(struct file *file, char __user *read_data,
                                if (rc != 0)
                                        break;
                        }
-                        rc = CIFSSMBRead(xid, pTcon,
+                        rc = CIFSSMBRead(xid, pTcon, open_file->netfid,
-                                         open_file->netfid,
+                                         cur_len, *poffset, &bytes_read,
-                                         current_read_size, *poffset,
+                                         &read_data, &buf_type);
-                                         &bytes_read, &smb_read_data,
+                        pSMBr = (struct smb_com_read_rsp *)read_data;
-                                         &buf_type);
+                        if (read_data) {
-                        pSMBr = (struct smb_com_read_rsp *)smb_read_data;
+                                char *data_offset = read_data + 4 +
-                        if (smb_read_data) {
+                                                le16_to_cpu(pSMBr->DataOffset);
-                                if (copy_to_user(current_offset,
+                                if (memcpy_toiovecend(iov, data_offset,
-                                                smb_read_data +
+                                                      iov_offset, bytes_read))
-                                                4 /* RFC1001 length field */ +
-                                                le16_to_cpu(pSMBr->DataOffset),
-                                                bytes_read))
                                        rc = -EFAULT;
                                if (buf_type == CIFS_SMALL_BUFFER)
-                                        cifs_small_buf_release(smb_read_data);
+                                        cifs_small_buf_release(read_data);
                                else if (buf_type == CIFS_LARGE_BUFFER)
-                                        cifs_buf_release(smb_read_data);
+                                        cifs_buf_release(read_data);
-                                smb_read_data = NULL;
+                                read_data = NULL;
+                                iov_offset += bytes_read;
                        }
                }
                if (rc || (bytes_read == 0)) {
                        if (total_read) {
                                break;
@@ -1672,13 +1844,57 @@ ssize_t cifs_user_read(struct file *file, char __user *read_data,
                        *poffset += bytes_read;
                }
        }
        FreeXid(xid);
        return total_read;
 }
+ssize_t cifs_user_read(struct file *file, char __user *read_data,
+                       size_t read_size, loff_t *poffset)
+{
+        struct iovec iov;
+        iov.iov_base = read_data;
+        iov.iov_len = read_size;
+        return cifs_iovec_read(file, &iov, 1, poffset);
+}
+static ssize_t cifs_user_readv(struct kiocb *iocb, const struct iovec *iov,
+                               unsigned long nr_segs, loff_t pos)
+{
+        ssize_t read;
+        read = cifs_iovec_read(iocb->ki_filp, iov, nr_segs, &pos);
+        if (read > 0)
+                iocb->ki_pos = pos;
+        return read;
+}
+ssize_t cifs_strict_readv(struct kiocb *iocb, const struct iovec *iov,
+                          unsigned long nr_segs, loff_t pos)
+{
+        struct inode *inode;
+        inode = iocb->ki_filp->f_path.dentry->d_inode;
+        if (CIFS_I(inode)->clientCanCacheRead)
+                return generic_file_aio_read(iocb, iov, nr_segs, pos);
+        /*
+         * In strict cache mode we need to read from the server all the time
+         * if we don't have level II oplock because the server can delay mtime
+         * change - so we can't make a decision about inode invalidating.
+         * And we can also fail with pagereading if there are mandatory locks
+         * on pages affected by this read but not on the region from pos to
+         * pos+len-1.
+         */
+        return cifs_user_readv(iocb, iov, nr_segs, pos);
+}
 static ssize_t cifs_read(struct file *file, char *read_data, size_t read_size,
-        loff_t *poffset)
+                         loff_t *poffset)
 {
        int rc = -EACCES;
        unsigned int bytes_read = 0;
@@ -1746,6 +1962,41 @@ static ssize_t cifs_read(struct file *file, char *read_data, size_t read_size,
        return total_read;
 }
+/*
+ * If the page is mmap'ed into a process' page tables, then we need to make
+ * sure that it doesn't change while being written back.
+ */
+static int
+cifs_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
+{
+        struct page *page = vmf->page;
+        lock_page(page);
+        return VM_FAULT_LOCKED;
+}
+static struct vm_operations_struct cifs_file_vm_ops = {
+        .fault = filemap_fault,
+        .page_mkwrite = cifs_page_mkwrite,
+};
+int cifs_file_strict_mmap(struct file *file, struct vm_area_struct *vma)
+{
+        int rc, xid;
+        struct inode *inode = file->f_path.dentry->d_inode;
+        xid = GetXid();
+        if (!CIFS_I(inode)->clientCanCacheRead)
+                cifs_invalidate_mapping(inode);
+        rc = generic_file_mmap(file, vma);
+        if (rc == 0)
+                vma->vm_ops = &cifs_file_vm_ops;
+        FreeXid(xid);
+        return rc;
+}
 int cifs_file_mmap(struct file *file, struct vm_area_struct *vma)
 {
        int rc, xid;
@@ -1758,6 +2009,8 @@ int cifs_file_mmap(struct file *file, struct vm_area_struct *vma)
                return rc;
        }
        rc = generic_file_mmap(file, vma);
+        if (rc == 0)
+                vma->vm_ops = &cifs_file_vm_ops;
        FreeXid(xid);
        return rc;
 }
@@ -2192,7 +2445,8 @@ void cifs_oplock_break(struct work_struct *work)
         */
        if (!cfile->oplock_break_cancelled) {
                rc = CIFSSMBLock(0, tlink_tcon(cfile->tlink), cfile->netfid, 0,
-                                 0, 0, 0, LOCKING_ANDX_OPLOCK_RELEASE, false);
+                                 0, 0, 0, LOCKING_ANDX_OPLOCK_RELEASE, false,
+                                 cinode->clientCanCacheRead ? 1 : 0);
                cFYI(1, "Oplock release rc = %d", rc);
        }
@@ -2232,7 +2486,6 @@ const struct address_space_operations cifs_addr_ops = {
        .set_page_dirty = __set_page_dirty_nobuffers,
        .releasepage = cifs_release_page,
        .invalidatepage = cifs_invalidate_page,
-        /* .sync_page = cifs_sync_page, */
        /* .direct_IO = */
 };
@@ -2250,6 +2503,5 @@ const struct address_space_operations cifs_addr_ops_smallbuf = {
        .set_page_dirty = __set_page_dirty_nobuffers,
        .releasepage = cifs_release_page,
        .invalidatepage = cifs_invalidate_page,
-        /* .sync_page = cifs_sync_page, */
        /* .direct_IO = */
 };
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 6c9ee8014ff0..8852470b4fbb 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -44,13 +44,17 @@ static void cifs_set_ops(struct inode *inode)
                                inode->i_fop = &cifs_file_direct_nobrl_ops;
                        else
                                inode->i_fop = &cifs_file_direct_ops;
+                } else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_STRICT_IO) {
+                        if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_BRL)
+                                inode->i_fop = &cifs_file_strict_nobrl_ops;
+                        else
+                                inode->i_fop = &cifs_file_strict_ops;
                } else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_BRL)
                        inode->i_fop = &cifs_file_nobrl_ops;
                else { /* not direct, send byte range locks */
                        inode->i_fop = &cifs_file_ops;
                }
                /* check if server can support readpages */
                if (cifs_sb_master_tcon(cifs_sb)->ses->server->maxBuf <
                                PAGE_CACHE_SIZE + MAX_CIFS_HDR_SIZE)
@@ -1679,7 +1683,7 @@ cifs_inode_needs_reval(struct inode *inode)
 /*
 * Zap the cache. Called when invalid_mapping flag is set.
 */
-static void
+void
 cifs_invalidate_mapping(struct inode *inode)
 {
        int rc;
diff --git a/fs/cifs/link.c b/fs/cifs/link.c
index 306769de2fb5..ce417a9764a3 100644
--- a/fs/cifs/link.c
+++ b/fs/cifs/link.c
@@ -28,7 +28,6 @@
 #include "cifsproto.h"
 #include "cifs_debug.h"
 #include "cifs_fs_sb.h"
-#include "md5.h"
 #define CIFS_MF_SYMLINK_LEN_OFFSET (4+1)
 #define CIFS_MF_SYMLINK_MD5_OFFSET (CIFS_MF_SYMLINK_LEN_OFFSET+(4+1))
@@ -47,6 +46,45 @@
        md5_hash[12], md5_hash[13], md5_hash[14], md5_hash[15]
 static int
+symlink_hash(unsigned int link_len, const char *link_str, u8 *md5_hash)
+{
+        int rc;
+        unsigned int size;
+        struct crypto_shash *md5;
+        struct sdesc *sdescmd5;
+        md5 = crypto_alloc_shash("md5", 0, 0);
+        if (IS_ERR(md5)) {
+                rc = PTR_ERR(md5);
+                cERROR(1, "%s: Crypto md5 allocation error %d\n", __func__, rc);
+                return rc;
+        }
+        size = sizeof(struct shash_desc) + crypto_shash_descsize(md5);
+        sdescmd5 = kmalloc(size, GFP_KERNEL);
+        if (!sdescmd5) {
+                rc = -ENOMEM;
+                cERROR(1, "%s: Memory allocation failure\n", __func__);
+                goto symlink_hash_err;
+        }
+        sdescmd5->shash.tfm = md5;
+        sdescmd5->shash.flags = 0x0;
+        rc = crypto_shash_init(&sdescmd5->shash);
+        if (rc) {
+                cERROR(1, "%s: Could not init md5 shash\n", __func__);
+                goto symlink_hash_err;
+        }
+        crypto_shash_update(&sdescmd5->shash, link_str, link_len);
+        rc = crypto_shash_final(&sdescmd5->shash, md5_hash);
+symlink_hash_err:
+        crypto_free_shash(md5);
+        kfree(sdescmd5);
+        return rc;
+}
+static int
 CIFSParseMFSymlink(const u8 *buf,
                   unsigned int buf_len,
                   unsigned int *_link_len,
@@ -56,7 +94,6 @@ CIFSParseMFSymlink(const u8 *buf,
        unsigned int link_len;
        const char *md5_str1;
        const char *link_str;
-        struct MD5Context md5_ctx;
        u8 md5_hash[16];
        char md5_str2[34];
@@ -70,9 +107,11 @@ CIFSParseMFSymlink(const u8 *buf,
        if (rc != 1)
                return -EINVAL;
-        cifs_MD5_init(&md5_ctx);
+        rc = symlink_hash(link_len, link_str, md5_hash);
-        cifs_MD5_update(&md5_ctx, (const u8 *)link_str, link_len);
+        if (rc) {
-        cifs_MD5_final(md5_hash, &md5_ctx);
+                cFYI(1, "%s: MD5 hash failure: %d\n", __func__, rc);
+                return rc;
+        }
        snprintf(md5_str2, sizeof(md5_str2),
                 CIFS_MF_SYMLINK_MD5_FORMAT,
@@ -94,9 +133,9 @@ CIFSParseMFSymlink(const u8 *buf,
 static int
 CIFSFormatMFSymlink(u8 *buf, unsigned int buf_len, const char *link_str)
 {
+        int rc;
        unsigned int link_len;
        unsigned int ofs;
-        struct MD5Context md5_ctx;
        u8 md5_hash[16];
        if (buf_len != CIFS_MF_SYMLINK_FILE_SIZE)
@@ -107,9 +146,11 @@ CIFSFormatMFSymlink(u8 *buf, unsigned int buf_len, const char *link_str)
        if (link_len > CIFS_MF_SYMLINK_LINK_MAXLEN)
                return -ENAMETOOLONG;
-        cifs_MD5_init(&md5_ctx);
+        rc = symlink_hash(link_len, link_str, md5_hash);
-        cifs_MD5_update(&md5_ctx, (const u8 *)link_str, link_len);
+        if (rc) {
-        cifs_MD5_final(md5_hash, &md5_ctx);
+                cFYI(1, "%s: MD5 hash failure: %d\n", __func__, rc);
+                return rc;
+        }
        snprintf(buf, buf_len,
                 CIFS_MF_SYMLINK_LEN_FORMAT CIFS_MF_SYMLINK_MD5_FORMAT,
@@ -198,7 +239,7 @@ CIFSQueryMFSymLink(const int xid, struct cifsTconInfo *tcon,
        if (rc != 0)
                return rc;
-        if (file_info.EndOfFile != CIFS_MF_SYMLINK_FILE_SIZE) {
+        if (file_info.EndOfFile != cpu_to_le64(CIFS_MF_SYMLINK_FILE_SIZE)) {
                CIFSSMBClose(xid, tcon, netfid);
                /* it's not a symlink */
                return -EINVAL;
@@ -275,7 +316,7 @@ CIFSCheckMFSymlink(struct cifs_fattr *fattr,
        if (rc != 0)
                goto out;
-        if (file_info.EndOfFile != CIFS_MF_SYMLINK_FILE_SIZE) {
+        if (file_info.EndOfFile != cpu_to_le64(CIFS_MF_SYMLINK_FILE_SIZE)) {
                CIFSSMBClose(xid, pTcon, netfid);
                /* it's not a symlink */
                goto out;
diff --git a/fs/cifs/md4.c b/fs/cifs/md4.c
deleted file mode 100644
index a725c2609d67..000000000000
--- a/fs/cifs/md4.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
-   Unix SMB/Netbios implementation.
-   Version 1.9.
-   a implementation of MD4 designed for use in the SMB authentication protocol
-   Copyright (C) Andrew Tridgell 1997-1998.
-   Modified by Steve French (sfrench@us.ibm.com) 2002-2003
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-#include <linux/module.h>
-#include <linux/fs.h>
-#include "cifsencrypt.h"
-/* NOTE: This code makes no attempt to be fast! */
-static __u32
-F(__u32 X, __u32 Y, __u32 Z)
-{
-        return (X & Y) | ((~X) & Z);
-}
-static __u32
-G(__u32 X, __u32 Y, __u32 Z)
-{
-        return (X & Y) | (X & Z) | (Y & Z);
-}
-static __u32
-H(__u32 X, __u32 Y, __u32 Z)
-{
-        return X ^ Y ^ Z;
-}
-static __u32
-lshift(__u32 x, int s)
-{
-        x &= 0xFFFFFFFF;
-        return ((x << s) & 0xFFFFFFFF) | (x >> (32 - s));
-}
-#define ROUND1(a,b,c,d,k,s) (*a) = lshift((*a) + F(*b,*c,*d) + X[k], s)
-#define ROUND2(a,b,c,d,k,s) (*a) = lshift((*a) + G(*b,*c,*d) + X[k] + (__u32)0x5A827999,s)
-#define ROUND3(a,b,c,d,k,s) (*a) = lshift((*a) + H(*b,*c,*d) + X[k] + (__u32)0x6ED9EBA1,s)
-/* this applies md4 to 64 byte chunks */
-static void
-mdfour64(__u32 *M, __u32 *A, __u32 *B, __u32 *C, __u32 *D)
-{
-        int j;
-        __u32 AA, BB, CC, DD;
-        __u32 X[16];
-        for (j = 0; j < 16; j++)
-                X[j] = M[j];
-        AA = *A;
-        BB = *B;
-        CC = *C;
-        DD = *D;
-        ROUND1(A, B, C, D, 0, 3);
-        ROUND1(D, A, B, C, 1, 7);
-        ROUND1(C, D, A, B, 2, 11);
-        ROUND1(B, C, D, A, 3, 19);
-        ROUND1(A, B, C, D, 4, 3);
-        ROUND1(D, A, B, C, 5, 7);
-        ROUND1(C, D, A, B, 6, 11);
-        ROUND1(B, C, D, A, 7, 19);
-        ROUND1(A, B, C, D, 8, 3);
-        ROUND1(D, A, B, C, 9, 7);
-        ROUND1(C, D, A, B, 10, 11);
-        ROUND1(B, C, D, A, 11, 19);
-        ROUND1(A, B, C, D, 12, 3);
-        ROUND1(D, A, B, C, 13, 7);
-        ROUND1(C, D, A, B, 14, 11);
-        ROUND1(B, C, D, A, 15, 19);
-        ROUND2(A, B, C, D, 0, 3);
-        ROUND2(D, A, B, C, 4, 5);
-        ROUND2(C, D, A, B, 8, 9);
-        ROUND2(B, C, D, A, 12, 13);
-        ROUND2(A, B, C, D, 1, 3);
-        ROUND2(D, A, B, C, 5, 5);
-        ROUND2(C, D, A, B, 9, 9);
-        ROUND2(B, C, D, A, 13, 13);
-        ROUND2(A, B, C, D, 2, 3);
-        ROUND2(D, A, B, C, 6, 5);
-        ROUND2(C, D, A, B, 10, 9);
-        ROUND2(B, C, D, A, 14, 13);
-        ROUND2(A, B, C, D, 3, 3);
-        ROUND2(D, A, B, C, 7, 5);
-        ROUND2(C, D, A, B, 11, 9);
-        ROUND2(B, C, D, A, 15, 13);
-        ROUND3(A, B, C, D, 0, 3);
-        ROUND3(D, A, B, C, 8, 9);
-        ROUND3(C, D, A, B, 4, 11);
-        ROUND3(B, C, D, A, 12, 15);
-        ROUND3(A, B, C, D, 2, 3);
-        ROUND3(D, A, B, C, 10, 9);
-        ROUND3(C, D, A, B, 6, 11);
-        ROUND3(B, C, D, A, 14, 15);
-        ROUND3(A, B, C, D, 1, 3);
-        ROUND3(D, A, B, C, 9, 9);
-        ROUND3(C, D, A, B, 5, 11);
-        ROUND3(B, C, D, A, 13, 15);
-        ROUND3(A, B, C, D, 3, 3);
-        ROUND3(D, A, B, C, 11, 9);
-        ROUND3(C, D, A, B, 7, 11);
-        ROUND3(B, C, D, A, 15, 15);
-        *A += AA;
-        *B += BB;
-        *C += CC;
-        *D += DD;
-        *A &= 0xFFFFFFFF;
-        *B &= 0xFFFFFFFF;
-        *C &= 0xFFFFFFFF;
-        *D &= 0xFFFFFFFF;
-        for (j = 0; j < 16; j++)
-                X[j] = 0;
-}
-static void
-copy64(__u32 *M, unsigned char *in)
-{
-        int i;
-        for (i = 0; i < 16; i++)
-                M[i] = (in[i * 4 + 3] << 24) | (in[i * 4 + 2] << 16) |
-                    (in[i * 4 + 1] << 8) | (in[i * 4 + 0] << 0);
-}
-static void
-copy4(unsigned char *out, __u32 x)
-{
-        out[0] = x & 0xFF;
-        out[1] = (x >> 8) & 0xFF;
-        out[2] = (x >> 16) & 0xFF;
-        out[3] = (x >> 24) & 0xFF;
-}
-/* produce a md4 message digest from data of length n bytes */
-void
-mdfour(unsigned char *out, unsigned char *in, int n)
-{
-        unsigned char buf[128];
-        __u32 M[16];
-        __u32 b = n * 8;
-        int i;
-        __u32 A = 0x67452301;
-        __u32 B = 0xefcdab89;
-        __u32 C = 0x98badcfe;
-        __u32 D = 0x10325476;
-        while (n > 64) {
-                copy64(M, in);
-                mdfour64(M, &A, &B, &C, &D);
-                in += 64;
-                n -= 64;
-        }
-        for (i = 0; i < 128; i++)
-                buf[i] = 0;
-        memcpy(buf, in, n);
-        buf[n] = 0x80;
-        if (n <= 55) {
-                copy4(buf + 56, b);
-                copy64(M, buf);
-                mdfour64(M, &A, &B, &C, &D);
-        } else {
-                copy4(buf + 120, b);
-                copy64(M, buf);
-                mdfour64(M, &A, &B, &C, &D);
-                copy64(M, buf + 64);
-                mdfour64(M, &A, &B, &C, &D);
-        }
-        for (i = 0; i < 128; i++)
-                buf[i] = 0;
-        copy64(M, buf);
-        copy4(out, A);
-        copy4(out + 4, B);
-        copy4(out + 8, C);
-        copy4(out + 12, D);
-        A = B = C = D = 0;
-}
diff --git a/fs/cifs/md5.c b/fs/cifs/md5.c
deleted file mode 100644
index 98b66a54c319..000000000000
--- a/fs/cifs/md5.c
+++ /dev/null
@@ -1,366 +0,0 @@
-/*
- * This code implements the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest.  This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to cifs_MD5_init, call cifs_MD5_update as
- * needed on buffers full of bytes, and then call cifs_MD5_final, which
- * will fill a supplied 16-byte array with the digest.
- */
-/* This code slightly modified to fit into Samba by
-   abartlet@samba.org Jun 2001
-   and to fit the cifs vfs by
-   Steve French sfrench@us.ibm.com */
-#include <linux/string.h>
-#include "md5.h"
-static void MD5Transform(__u32 buf[4], __u32 const in[16]);
-/*
- * Note: this code is harmless on little-endian machines.
- */
-static void
-byteReverse(unsigned char *buf, unsigned longs)
-{
-        __u32 t;
-        do {
-                t = (__u32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
-                    ((unsigned) buf[1] << 8 | buf[0]);
-                *(__u32 *) buf = t;
-                buf += 4;
-        } while (--longs);
-}
-/*
- * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void
-cifs_MD5_init(struct MD5Context *ctx)
-{
-        ctx->buf[0] = 0x67452301;
-        ctx->buf[1] = 0xefcdab89;
-        ctx->buf[2] = 0x98badcfe;
-        ctx->buf[3] = 0x10325476;
-        ctx->bits[0] = 0;
-        ctx->bits[1] = 0;
-}
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-cifs_MD5_update(struct MD5Context *ctx, unsigned char const *buf, unsigned len)
-{
-        register __u32 t;
-        /* Update bitcount */
-        t = ctx->bits[0];
-        if ((ctx->bits[0] = t + ((__u32) len << 3)) < t)
-                ctx->bits[1]++; /* Carry from low to high */
-        ctx->bits[1] += len >> 29;
-        t = (t >> 3) & 0x3f;    /* Bytes already in shsInfo->data */
-        /* Handle any leading odd-sized chunks */
-        if (t) {
-                unsigned char *p = (unsigned char *) ctx->in + t;
-                t = 64 - t;
-                if (len < t) {
-                        memmove(p, buf, len);
-                        return;
-                }
-                memmove(p, buf, t);
-                byteReverse(ctx->in, 16);
-                MD5Transform(ctx->buf, (__u32 *) ctx->in);
-                buf += t;
-                len -= t;
-        }
-        /* Process data in 64-byte chunks */
-        while (len >= 64) {
-                memmove(ctx->in, buf, 64);
-                byteReverse(ctx->in, 16);
-                MD5Transform(ctx->buf, (__u32 *) ctx->in);
-                buf += 64;
-                len -= 64;
-        }
-        /* Handle any remaining bytes of data. */
-        memmove(ctx->in, buf, len);
-}
-/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void
-cifs_MD5_final(unsigned char digest[16], struct MD5Context *ctx)
-{
-        unsigned int count;
-        unsigned char *p;
-        /* Compute number of bytes mod 64 */
-        count = (ctx->bits[0] >> 3) & 0x3F;
-        /* Set the first char of padding to 0x80.  This is safe since there is
-           always at least one byte free */
-        p = ctx->in + count;
-        *p++ = 0x80;
-        /* Bytes of padding needed to make 64 bytes */
-        count = 64 - 1 - count;
-        /* Pad out to 56 mod 64 */
-        if (count < 8) {
-                /* Two lots of padding:  Pad the first block to 64 bytes */
-                memset(p, 0, count);
-                byteReverse(ctx->in, 16);
-                MD5Transform(ctx->buf, (__u32 *) ctx->in);
-                /* Now fill the next block with 56 bytes */
-                memset(ctx->in, 0, 56);
-        } else {
-                /* Pad block to 56 bytes */
-                memset(p, 0, count - 8);
-        }
-        byteReverse(ctx->in, 14);
-        /* Append length in bits and transform */
-        ((__u32 *) ctx->in)[14] = ctx->bits[0];
-        ((__u32 *) ctx->in)[15] = ctx->bits[1];
-        MD5Transform(ctx->buf, (__u32 *) ctx->in);
-        byteReverse((unsigned char *) ctx->buf, 4);
-        memmove(digest, ctx->buf, 16);
-        memset(ctx, 0, sizeof(*ctx));   /* In case it's sensitive */
-}
-/* The four core functions - F1 is optimized somewhat */
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-/* This is the central step in the MD5 algorithm. */
-#define MD5STEP(f, w, x, y, z, data, s) \
-        (w += f(x, y, z) + data,  w = w<<s | w>>(32-s),  w += x)
-/*
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data.  cifs_MD5_update blocks
- * the data and converts bytes into longwords for this routine.
- */
-static void
-MD5Transform(__u32 buf[4], __u32 const in[16])
-{
-        register __u32 a, b, c, d;
-        a = buf[0];
-        b = buf[1];
-        c = buf[2];
-        d = buf[3];
-        MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
-        MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
-        MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
-        MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
-        MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
-        MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
-        MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
-        MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
-        MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
-        MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
-        MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
-        MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
-        MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
-        MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
-        MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
-        MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
-        MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
-        MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
-        MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
-        MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
-        MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
-        MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
-        MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
-        MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
-        MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
-        MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
-        MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
-        MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
-        MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
-        MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
-        MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
-        MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
-        MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
-        MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
-        MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
-        MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
-        MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
-        MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
-        MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
-        MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
-        MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
-        MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
-        MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
-        MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
-        MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
-        MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
-        MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
-        MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
-        MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
-        MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
-        MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
-        MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
-        MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
-        MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
-        MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
-        MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
-        MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
-        MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
-        MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
-        MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
-        MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
-        MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
-        MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
-        MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
-        buf[0] += a;
-        buf[1] += b;
-        buf[2] += c;
-        buf[3] += d;
-}
-#if 0   /* currently unused */
-/***********************************************************************
- the rfc 2104 version of hmac_md5 initialisation.
-***********************************************************************/
-static void
-hmac_md5_init_rfc2104(unsigned char *key, int key_len,
-                      struct HMACMD5Context *ctx)
-{
-        int i;
-        /* if key is longer than 64 bytes reset it to key=MD5(key) */
-        if (key_len > 64) {
-                unsigned char tk[16];
-                struct MD5Context tctx;
-                cifs_MD5_init(&tctx);
-                cifs_MD5_update(&tctx, key, key_len);
-                cifs_MD5_final(tk, &tctx);
-                key = tk;
-                key_len = 16;
-        }
-        /* start out by storing key in pads */
-        memset(ctx->k_ipad, 0, sizeof(ctx->k_ipad));
-        memset(ctx->k_opad, 0, sizeof(ctx->k_opad));
-        memcpy(ctx->k_ipad, key, key_len);
-        memcpy(ctx->k_opad, key, key_len);
-        /* XOR key with ipad and opad values */
-        for (i = 0; i < 64; i++) {
-                ctx->k_ipad[i] ^= 0x36;
-                ctx->k_opad[i] ^= 0x5c;
-        }
-        cifs_MD5_init(&ctx->ctx);
-        cifs_MD5_update(&ctx->ctx, ctx->k_ipad, 64);
-}
-#endif
-/***********************************************************************
- the microsoft version of hmac_md5 initialisation.
-***********************************************************************/
-void
-hmac_md5_init_limK_to_64(const unsigned char *key, int key_len,
-                         struct HMACMD5Context *ctx)
-{
-        int i;
-        /* if key is longer than 64 bytes truncate it */
-        if (key_len > 64)
-                key_len = 64;
-        /* start out by storing key in pads */
-        memset(ctx->k_ipad, 0, sizeof(ctx->k_ipad));
-        memset(ctx->k_opad, 0, sizeof(ctx->k_opad));
-        memcpy(ctx->k_ipad, key, key_len);
-        memcpy(ctx->k_opad, key, key_len);
-        /* XOR key with ipad and opad values */
-        for (i = 0; i < 64; i++) {
-                ctx->k_ipad[i] ^= 0x36;
-                ctx->k_opad[i] ^= 0x5c;
-        }
-        cifs_MD5_init(&ctx->ctx);
-        cifs_MD5_update(&ctx->ctx, ctx->k_ipad, 64);
-}
-/***********************************************************************
- update hmac_md5 "inner" buffer
-***********************************************************************/
-void
-hmac_md5_update(const unsigned char *text, int text_len,
-                struct HMACMD5Context *ctx)
-{
-        cifs_MD5_update(&ctx->ctx, text, text_len);     /* then text of datagram */
-}
-/***********************************************************************
- finish off hmac_md5 "inner" buffer and generate outer one.
-***********************************************************************/
-void
-hmac_md5_final(unsigned char *digest, struct HMACMD5Context *ctx)
-{
-        struct MD5Context ctx_o;
-        cifs_MD5_final(digest, &ctx->ctx);
-        cifs_MD5_init(&ctx_o);
-        cifs_MD5_update(&ctx_o, ctx->k_opad, 64);
-        cifs_MD5_update(&ctx_o, digest, 16);
-        cifs_MD5_final(digest, &ctx_o);
-}
-/***********************************************************
- single function to calculate an HMAC MD5 digest from data.
- use the microsoft hmacmd5 init method because the key is 16 bytes.
-************************************************************/
-#if 0 /* currently unused */
-static void
-hmac_md5(unsigned char key[16], unsigned char *data, int data_len,
-         unsigned char *digest)
-{
-        struct HMACMD5Context ctx;
-        hmac_md5_init_limK_to_64(key, 16, &ctx);
-        if (data_len != 0)
-                hmac_md5_update(data, data_len, &ctx);
-        hmac_md5_final(digest, &ctx);
-}
-#endif
diff --git a/fs/cifs/md5.h b/fs/cifs/md5.h
deleted file mode 100644
index 6fba8cb402fd..000000000000
--- a/fs/cifs/md5.h
+++ /dev/null
@@ -1,38 +0,0 @@
-#ifndef MD5_H
-#define MD5_H
-#ifndef HEADER_MD5_H
-/* Try to avoid clashes with OpenSSL */
-#define HEADER_MD5_H
-#endif
-struct MD5Context {
-        __u32 buf[4];
-        __u32 bits[2];
-        unsigned char in[64];
-};
-#endif                          /* !MD5_H */
-#ifndef _HMAC_MD5_H
-struct HMACMD5Context {
-        struct MD5Context ctx;
-        unsigned char k_ipad[65];
-        unsigned char k_opad[65];
-};
-#endif                          /* _HMAC_MD5_H */
-void cifs_MD5_init(struct MD5Context *context);
-void cifs_MD5_update(struct MD5Context *context, unsigned char const *buf,
-                        unsigned len);
-void cifs_MD5_final(unsigned char digest[16], struct MD5Context *context);
-/* The following definitions come from lib/hmacmd5.c  */
-/* void hmac_md5_init_rfc2104(unsigned char *key, int key_len,
-                        struct HMACMD5Context *ctx);*/
-void hmac_md5_init_limK_to_64(const unsigned char *key, int key_len,
-                        struct HMACMD5Context *ctx);
-void hmac_md5_update(const unsigned char *text, int text_len,
-                        struct HMACMD5Context *ctx);
-void hmac_md5_final(unsigned char *digest, struct HMACMD5Context *ctx);
-/* void hmac_md5(unsigned char key[16], unsigned char *data, int data_len,
-                        unsigned char *digest);*/
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 43f10281bc19..0c684ae4c071 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -100,6 +100,7 @@ sesInfoFree(struct cifsSesInfo *buf_to_free)
                memset(buf_to_free->password, 0, strlen(buf_to_free->password));
                kfree(buf_to_free->password);
        }
+        kfree(buf_to_free->user_name);
        kfree(buf_to_free->domainName);
        kfree(buf_to_free);
 }
@@ -236,10 +237,7 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
 {
        __u16 mid = 0;
        __u16 last_mid;
-        int   collision;
+        bool collision;
-        if (server == NULL)
-                return mid;
        spin_lock(&GlobalMid_Lock);
        last_mid = server->CurrentMid; /* we do not want to loop forever */
@@ -252,24 +250,38 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
        (and it would also have to have been a request that
         did not time out) */
        while (server->CurrentMid != last_mid) {
-                struct list_head *tmp;
                struct mid_q_entry *mid_entry;
+                unsigned int num_mids;
-                collision = 0;
+                collision = false;
                if (server->CurrentMid == 0)
                        server->CurrentMid++;
-                list_for_each(tmp, &server->pending_mid_q) {
+                num_mids = 0;
-                        mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+                list_for_each_entry(mid_entry, &server->pending_mid_q, qhead) {
+                        ++num_mids;
-                        if ((mid_entry->mid == server->CurrentMid) &&
+                        if (mid_entry->mid == server->CurrentMid &&
-                            (mid_entry->midState == MID_REQUEST_SUBMITTED)) {
+                            mid_entry->midState == MID_REQUEST_SUBMITTED) {
                                /* This mid is in use, try a different one */
-                                collision = 1;
+                                collision = true;
                                break;
                        }
                }
-                if (collision == 0) {
+                /*
+                 * if we have more than 32k mids in the list, then something
+                 * is very wrong. Possibly a local user is trying to DoS the
+                 * box by issuing long-running calls and SIGKILL'ing them. If
+                 * we get to 2^16 mids then we're in big trouble as this
+                 * function could loop forever.
+                 *
+                 * Go ahead and assign out the mid in this situation, but force
+                 * an eventual reconnect to clean out the pending_mid_q.
+                 */
+                if (num_mids > 32768)
+                        server->tcpStatus = CifsNeedReconnect;
+                if (!collision) {
                        mid = server->CurrentMid;
                        break;
                }
@@ -381,29 +393,31 @@ header_assemble(struct smb_hdr *buffer, char smb_command /* command */ ,
 }
 static int
-checkSMBhdr(struct smb_hdr *smb, __u16 mid)
+check_smb_hdr(struct smb_hdr *smb, __u16 mid)
 {
-        /* Make sure that this really is an SMB, that it is a response,
+        /* does it have the right SMB "signature" ? */
-           and that the message ids match */
+        if (*(__le32 *) smb->Protocol != cpu_to_le32(0x424d53ff)) {
-        if ((*(__le32 *) smb->Protocol == cpu_to_le32(0x424d53ff)) &&
+                cERROR(1, "Bad protocol string signature header 0x%x",
-                (mid == smb->Mid)) {
+                        *(unsigned int *)smb->Protocol);
-                if (smb->Flags & SMBFLG_RESPONSE)
+                return 1;
-                        return 0;
-                else {
-                /* only one valid case where server sends us request */
-                        if (smb->Command == SMB_COM_LOCKING_ANDX)
-                                return 0;
-                        else
-                                cERROR(1, "Received Request not response");
-                }
-        } else { /* bad signature or mid */
-                if (*(__le32 *) smb->Protocol != cpu_to_le32(0x424d53ff))
-                        cERROR(1, "Bad protocol string signature header %x",
-                                *(unsigned int *) smb->Protocol);
-                if (mid != smb->Mid)
-                        cERROR(1, "Mids do not match");
        }
-        cERROR(1, "bad smb detected. The Mid=%d", smb->Mid);
+        /* Make sure that message ids match */
+        if (mid != smb->Mid) {
+                cERROR(1, "Mids do not match. received=%u expected=%u",
+                        smb->Mid, mid);
+                return 1;
+        }
+        /* if it's a response then accept */
+        if (smb->Flags & SMBFLG_RESPONSE)
+                return 0;
+        /* only one valid case where server sends us request */
+        if (smb->Command == SMB_COM_LOCKING_ANDX)
+                return 0;
+        cERROR(1, "Server sent request, not response. mid=%u", smb->Mid);
        return 1;
 }
@@ -448,7 +462,7 @@ checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length)
                return 1;
        }
-        if (checkSMBhdr(smb, mid))
+        if (check_smb_hdr(smb, mid))
                return 1;
        clc_len = smbCalcSize_LE(smb);
@@ -465,25 +479,26 @@ checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length)
                        if (((4 + len) & 0xFFFF) == (clc_len & 0xFFFF))
                                return 0; /* bcc wrapped */
                }
-                cFYI(1, "Calculated size %d vs length %d mismatch for mid %d",
+                cFYI(1, "Calculated size %u vs length %u mismatch for mid=%u",
                                clc_len, 4 + len, smb->Mid);
-                /* Windows XP can return a few bytes too much, presumably
-                an illegal pad, at the end of byte range lock responses
+                if (4 + len < clc_len) {
-                so we allow for that three byte pad, as long as actual
+                        cERROR(1, "RFC1001 size %u smaller than SMB for mid=%u",
-                received length is as long or longer than calculated length */
-                /* We have now had to extend this more, since there is a
-                case in which it needs to be bigger still to handle a
-                malformed response to transact2 findfirst from WinXP when
-                access denied is returned and thus bcc and wct are zero
-                but server says length is 0x21 bytes too long as if the server
-                forget to reset the smb rfc1001 length when it reset the
-                wct and bcc to minimum size and drop the t2 parms and data */
-                if ((4+len > clc_len) && (len <= clc_len + 512))
-                        return 0;
-                else {
-                        cERROR(1, "RFC1001 size %d bigger than SMB for Mid=%d",
                                        len, smb->Mid);
                        return 1;
+                } else if (len > clc_len + 512) {
+                        /*
+                         * Some servers (Windows XP in particular) send more
+                         * data than the lengths in the SMB packet would
+                         * indicate on certain calls (byte range locks and
+                         * trans2 find first calls in particular). While the
+                         * client can handle such a frame by ignoring the
+                         * trailing data, we choose limit the amount of extra
+                         * data to 512 bytes.
+                         */
+                        cERROR(1, "RFC1001 size %u more than 512 bytes larger "
+                                  "than SMB for mid=%u", len, smb->Mid);
+                        return 1;
                }
        }
        return 0;
@@ -506,7 +521,7 @@ is_valid_oplock_break(struct smb_hdr *buf, struct TCP_Server_Info *srv)
                        (struct smb_com_transaction_change_notify_rsp *)buf;
                struct file_notify_information *pnotify;
                __u32 data_offset = 0;
-                if (pSMBr->ByteCount > sizeof(struct file_notify_information)) {
+                if (get_bcc_le(buf) > sizeof(struct file_notify_information)) {
                        data_offset = le32_to_cpu(pSMBr->DataOffset);
                        pnotify = (struct file_notify_information *)
@@ -571,7 +586,7 @@ is_valid_oplock_break(struct smb_hdr *buf, struct TCP_Server_Info *srv)
                                pCifsInode = CIFS_I(netfile->dentry->d_inode);
                                cifs_set_oplock_level(pCifsInode,
-                                                      pSMB->OplockLevel);
+                                        pSMB->OplockLevel ? OPLOCK_READ : 0);
                                /*
                                 * cifs_oplock_break_put() can't be called
                                 * from here.  Get reference after queueing
@@ -637,77 +652,6 @@ dump_smb(struct smb_hdr *smb_buf, int smb_buf_length)
        return;
 }
-/* Convert 16 bit Unicode pathname to wire format from string in current code
-   page.  Conversion may involve remapping up the seven characters that are
-   only legal in POSIX-like OS (if they are present in the string). Path
-   names are little endian 16 bit Unicode on the wire */
-int
-cifsConvertToUCS(__le16 *target, const char *source, int maxlen,
-                 const struct nls_table *cp, int mapChars)
-{
-        int i, j, charlen;
-        int len_remaining = maxlen;
-        char src_char;
-        __u16 temp;
-        if (!mapChars)
-                return cifs_strtoUCS(target, source, PATH_MAX, cp);
-        for (i = 0, j = 0; i < maxlen; j++) {
-                src_char = source[i];
-                switch (src_char) {
-                        case 0:
-                                target[j] = 0;
-                                goto ctoUCS_out;
-                        case ':':
-                                target[j] = cpu_to_le16(UNI_COLON);
-                                break;
-                        case '*':
-                                target[j] = cpu_to_le16(UNI_ASTERIK);
-                                break;
-                        case '?':
-                                target[j] = cpu_to_le16(UNI_QUESTION);
-                                break;
-                        case '<':
-                                target[j] = cpu_to_le16(UNI_LESSTHAN);
-                                break;
-                        case '>':
-                                target[j] = cpu_to_le16(UNI_GRTRTHAN);
-                                break;
-                        case '|':
-                                target[j] = cpu_to_le16(UNI_PIPE);
-                                break;
-                        /* BB We can not handle remapping slash until
-                           all the calls to build_path_from_dentry
-                           are modified, as they use slash as separator BB */
-                        /* case '\\':
-                                target[j] = cpu_to_le16(UNI_SLASH);
-                                break;*/
-                        default:
-                                charlen = cp->char2uni(source+i,
-                                        len_remaining, &temp);
-                                /* if no match, use question mark, which
-                                at least in some cases servers as wild card */
-                                if (charlen < 1) {
-                                        target[j] = cpu_to_le16(0x003f);
-                                        charlen = 1;
-                                } else
-                                        target[j] = cpu_to_le16(temp);
-                                len_remaining -= charlen;
-                                /* character may take more than one byte in the
-                                   the source string, but will take exactly two
-                                   bytes in the target string */
-                                i += charlen;
-                                continue;
-                }
-                i++; /* move to next char in source string */
-                len_remaining--;
-        }
-ctoUCS_out:
-        return i;
-}
 void
 cifs_autodisable_serverino(struct cifs_sb_info *cifs_sb)
 {
diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
index 9aad47a2d62f..79f641eeda30 100644
--- a/fs/cifs/netmisc.c
+++ b/fs/cifs/netmisc.c
@@ -170,7 +170,7 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
 {
        int rc, alen, slen;
        const char *pct;
-        char *endp, scope_id[13];
+        char scope_id[13];
        struct sockaddr_in *s4 = (struct sockaddr_in *) dst;
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) dst;
@@ -197,9 +197,9 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
                memcpy(scope_id, pct + 1, slen);
                scope_id[slen] = '\0';
-                s6->sin6_scope_id = (u32) simple_strtoul(pct, &endp, 0);
+                rc = strict_strtoul(scope_id, 0,
-                if (endp != scope_id + slen)
+                                        (unsigned long *)&s6->sin6_scope_id);
-                        return 0;
+                rc = (rc == 0) ? 1 : 0;
        }
        return rc;
@@ -899,8 +899,8 @@ map_smb_to_linux_error(struct smb_hdr *smb, int logErr)
        }
        /* else ERRHRD class errors or junk  - return EIO */
-        cFYI(1, "Mapping smb error code %d to POSIX err %d",
+        cFYI(1, "Mapping smb error code 0x%x to POSIX err %d",
-                 smberrcode, rc);
+                 le32_to_cpu(smb->Status.CifsError), rc);
        /* generic corrective action e.g. reconnect SMB session on
         * ERRbaduid could be added */
@@ -916,14 +916,14 @@ unsigned int
 smbCalcSize(struct smb_hdr *ptr)
 {
        return (sizeof(struct smb_hdr) + (2 * ptr->WordCount) +
-                2 /* size of the bcc field */ + BCC(ptr));
+                2 /* size of the bcc field */ + get_bcc(ptr));
 }
 unsigned int
 smbCalcSize_LE(struct smb_hdr *ptr)
 {
        return (sizeof(struct smb_hdr) + (2 * ptr->WordCount) +
-                2 /* size of the bcc field */ + le16_to_cpu(BCC_LE(ptr)));
+                2 /* size of the bcc field */ + get_bcc_le(ptr));
 }
 /* The following are taken from fs/ntfs/util.c */
diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
index 7f25cc3d2256..f8e4cd2a7912 100644
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -764,7 +764,6 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
 {
        int rc = 0;
        int xid, i;
-        struct cifs_sb_info *cifs_sb;
        struct cifsTconInfo *pTcon;
        struct cifsFileInfo *cifsFile = NULL;
        char *current_entry;
@@ -775,8 +774,6 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
        xid = GetXid();
-        cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
        /*
         * Ensure FindFirst doesn't fail before doing filldir() for '.' and
         * '..'. Otherwise we won't be able to notify VFS in case of failure.
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index eb746486e49e..f6728eb6f4b9 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -219,12 +219,12 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
                bcc_ptr++;
        } */
        /* copy user */
-        if (ses->userName == NULL) {
+        if (ses->user_name == NULL) {
                /* null user mount */
                *bcc_ptr = 0;
                *(bcc_ptr+1) = 0;
        } else {
-                bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
+                bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->user_name,
                                          MAX_USERNAME_SIZE, nls_cp);
        }
        bcc_ptr += 2 * bytes_ret;
@@ -244,12 +244,11 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
        /* copy user */
        /* BB what about null user mounts - check that we do this BB */
        /* copy user */
-        if (ses->userName == NULL) {
+        if (ses->user_name != NULL)
-                /* BB what about null user mounts - check that we do this BB */
+                strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE);
-        } else {
+        /* else null user mount */
-                strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
-        }
+        bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
-        bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
        *bcc_ptr = 0;
        bcc_ptr++; /* account for null termination */
@@ -277,7 +276,7 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
 }
 static void
-decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
+decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
                      const struct nls_table *nls_cp)
 {
        int len;
@@ -323,7 +322,7 @@ decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
        return;
 }
-static int decode_ascii_ssetup(char **pbcc_area, int bleft,
+static int decode_ascii_ssetup(char **pbcc_area, __u16 bleft,
                               struct cifsSesInfo *ses,
                               const struct nls_table *nls_cp)
 {
@@ -405,8 +404,8 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
        /* BB spec says that if AvId field of MsvAvTimestamp is populated then
                we must set the MIC field of the AUTHENTICATE_MESSAGE */
        ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
-        tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
+        tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
-        tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
+        tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
        if (tilen) {
                ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
                if (!ses->auth_key.response) {
@@ -523,14 +522,14 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
                tmp += len;
        }
-        if (ses->userName == NULL) {
+        if (ses->user_name == NULL) {
                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
                sec_blob->UserName.Length = 0;
                sec_blob->UserName.MaximumLength = 0;
                tmp += 2;
        } else {
                int len;
-                len = cifs_strtoUCS((__le16 *)tmp, ses->userName,
+                len = cifs_strtoUCS((__le16 *)tmp, ses->user_name,
                                    MAX_USERNAME_SIZE, nls_cp);
                len *= 2; /* unicode is 2 bytes each */
                sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
@@ -575,12 +574,11 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
        char *str_area;
        SESSION_SETUP_ANDX *pSMB;
        __u32 capabilities;
-        int count;
+        __u16 count;
        int resp_buf_type;
        struct kvec iov[3];
        enum securityEnum type;
-        __u16 action;
+        __u16 action, bytes_remaining;
-        int bytes_remaining;
        struct key *spnego_key = NULL;
        __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
        u16 blob_len;
@@ -657,13 +655,13 @@ ssetup_ntlmssp_authenticate:
        if (type == LANMAN) {
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
-                char lnm_session_key[CIFS_SESS_KEY_SIZE];
+                char lnm_session_key[CIFS_AUTH_RESP_SIZE];
                pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
                /* no capabilities flags in old lanman negotiation */
-                pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
+                pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
                /* Calculate hash with password and copy into bcc_ptr.
                 * Encryption Key (stored as in cryptkey) gets used if the
@@ -676,8 +674,8 @@ ssetup_ntlmssp_authenticate:
                                        true : false, lnm_session_key);
                ses->flags |= CIFS_SES_LANMAN;
-                memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_SESS_KEY_SIZE);
+                memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
-                bcc_ptr += CIFS_SESS_KEY_SIZE;
+                bcc_ptr += CIFS_AUTH_RESP_SIZE;
                /* can not sign if LANMAN negotiated so no need
                to calculate signing key? but what if server
@@ -876,10 +874,10 @@ ssetup_ntlmssp_authenticate:
        count = iov[1].iov_len + iov[2].iov_len;
        smb_buf->smb_buf_length += count;
-        BCC_LE(smb_buf) = cpu_to_le16(count);
+        put_bcc_le(count, smb_buf);
        rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type,
-                          CIFS_STD_OP /* not long */ | CIFS_LOG_ERROR);
+                          CIFS_LOG_ERROR);
        /* SMB request buf freed in SendReceive2 */
        pSMB = (SESSION_SETUP_ANDX *)iov[0].iov_base;
@@ -910,7 +908,7 @@ ssetup_ntlmssp_authenticate:
        cFYI(1, "UID = %d ", ses->Suid);
        /* response can have either 3 or 4 word count - Samba sends 3 */
        /* and lanman response is 3 */
-        bytes_remaining = BCC(smb_buf);
+        bytes_remaining = get_bcc(smb_buf);
        bcc_ptr = pByteArea(smb_buf);
        if (smb_buf->WordCount == 4) {
diff --git a/fs/cifs/smbdes.c b/fs/cifs/smbdes.c
index b6b6dcb500bf..04721485925d 100644
--- a/fs/cifs/smbdes.c
+++ b/fs/cifs/smbdes.c
@@ -45,7 +45,6 @@
   up with a different answer to the one above)
 */
 #include <linux/slab.h>
-#include "cifsencrypt.h"
 #define uchar unsigned char
 static uchar perm1[56] = { 57, 49, 41, 33, 25, 17, 9,
diff --git a/fs/cifs/smbencrypt.c b/fs/cifs/smbencrypt.c
index 192ea51af20f..b5041c849981 100644
--- a/fs/cifs/smbencrypt.c
+++ b/fs/cifs/smbencrypt.c
@@ -32,9 +32,8 @@
 #include "cifs_unicode.h"
 #include "cifspdu.h"
 #include "cifsglob.h"
-#include "md5.h"
 #include "cifs_debug.h"
-#include "cifsencrypt.h"
+#include "cifsproto.h"
 #ifndef false
 #define false 0
@@ -48,14 +47,58 @@
 #define SSVALX(buf,pos,val) (CVAL(buf,pos)=(val)&0xFF,CVAL(buf,pos+1)=(val)>>8)
 #define SSVAL(buf,pos,val) SSVALX((buf),(pos),((__u16)(val)))
-/*The following definitions come from  libsmb/smbencrypt.c  */
+/* produce a md4 message digest from data of length n bytes */
+int
+mdfour(unsigned char *md4_hash, unsigned char *link_str, int link_len)
+{
+        int rc;
+        unsigned int size;
+        struct crypto_shash *md4;
+        struct sdesc *sdescmd4;
+        md4 = crypto_alloc_shash("md4", 0, 0);
+        if (IS_ERR(md4)) {
+                rc = PTR_ERR(md4);
+                cERROR(1, "%s: Crypto md4 allocation error %d\n", __func__, rc);
+                return rc;
+        }
+        size = sizeof(struct shash_desc) + crypto_shash_descsize(md4);
+        sdescmd4 = kmalloc(size, GFP_KERNEL);
+        if (!sdescmd4) {
+                rc = -ENOMEM;
+                cERROR(1, "%s: Memory allocation failure\n", __func__);
+                goto mdfour_err;
+        }
+        sdescmd4->shash.tfm = md4;
+        sdescmd4->shash.flags = 0x0;
+        rc = crypto_shash_init(&sdescmd4->shash);
+        if (rc) {
+                cERROR(1, "%s: Could not init md4 shash\n", __func__);
+                goto mdfour_err;
+        }
+        crypto_shash_update(&sdescmd4->shash, link_str, link_len);
+        rc = crypto_shash_final(&sdescmd4->shash, md4_hash);
-void SMBencrypt(unsigned char *passwd, const unsigned char *c8,
+mdfour_err:
-                unsigned char *p24);
+        crypto_free_shash(md4);
-void E_md4hash(const unsigned char *passwd, unsigned char *p16);
+        kfree(sdescmd4);
-static void SMBOWFencrypt(unsigned char passwd[16], const unsigned char *c8,
-                   unsigned char p24[24]);
+        return rc;
-void SMBNTencrypt(unsigned char *passwd, unsigned char *c8, unsigned char *p24);
+}
+/* Does the des encryption from the NT or LM MD4 hash. */
+static void
+SMBOWFencrypt(unsigned char passwd[16], const unsigned char *c8,
+              unsigned char p24[24])
+{
+        unsigned char p21[21];
+        memset(p21, '\0', 21);
+        memcpy(p21, passwd, 16);
+        E_P24(p21, c8, p24);
+}
 /*
   This implements the X/Open SMB password encryption
@@ -118,9 +161,10 @@ _my_mbstowcs(__u16 *dst, const unsigned char *src, int len)
 * Creates the MD4 Hash of the users password in NT UNICODE.
 */
-void
+int
 E_md4hash(const unsigned char *passwd, unsigned char *p16)
 {
+        int rc;
        int len;
        __u16 wpwd[129];
@@ -139,8 +183,10 @@ E_md4hash(const unsigned char *passwd, unsigned char *p16)
        /* Calculate length in bytes */
        len = _my_wcslen(wpwd) * sizeof(__u16);
-        mdfour(p16, (unsigned char *) wpwd, len);
+        rc = mdfour(p16, (unsigned char *) wpwd, len);
        memset(wpwd, 0, 129 * 2);
+        return rc;
 }
 #if 0 /* currently unused */
@@ -212,19 +258,6 @@ ntv2_owf_gen(const unsigned char owf[16], const char *user_n,
 }
 #endif
-/* Does the des encryption from the NT or LM MD4 hash. */
-static void
-SMBOWFencrypt(unsigned char passwd[16], const unsigned char *c8,
-              unsigned char p24[24])
-{
-        unsigned char p21[21];
-        memset(p21, '\0', 21);
-        memcpy(p21, passwd, 16);
-        E_P24(p21, c8, p24);
-}
 /* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */
 #if 0 /* currently unused */
 static void
@@ -242,16 +275,21 @@ NTLMSSPOWFencrypt(unsigned char passwd[8],
 #endif
 /* Does the NT MD4 hash then des encryption. */
+int
-void
 SMBNTencrypt(unsigned char *passwd, unsigned char *c8, unsigned char *p24)
 {
+        int rc;
        unsigned char p21[21];
        memset(p21, '\0', 21);
-        E_md4hash(passwd, p21);
+        rc = E_md4hash(passwd, p21);
+        if (rc) {
+                cFYI(1, "%s Can't generate NT hash, error: %d", __func__, rc);
+                return rc;
+        }
        SMBOWFencrypt(p21, c8, p24);
+        return rc;
 }
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index 59ca81b16919..46d8756f2b24 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -36,7 +36,13 @@
 extern mempool_t *cifs_mid_poolp;
-static struct mid_q_entry *
+static void
+wake_up_task(struct mid_q_entry *mid)
+{
+        wake_up_process(mid->callback_data);
+}
+struct mid_q_entry *
 AllocMidQEntry(const struct smb_hdr *smb_buffer, struct TCP_Server_Info *server)
 {
        struct mid_q_entry *temp;
@@ -58,28 +64,28 @@ AllocMidQEntry(const struct smb_hdr *smb_buffer, struct TCP_Server_Info *server)
        /*      do_gettimeofday(&temp->when_sent);*/ /* easier to use jiffies */
                /* when mid allocated can be before when sent */
                temp->when_alloc = jiffies;
-                temp->tsk = current;
+                /*
+                 * The default is for the mid to be synchronous, so the
+                 * default callback just wakes up the current task.
+                 */
+                temp->callback = wake_up_task;
+                temp->callback_data = current;
        }
-        spin_lock(&GlobalMid_Lock);
-        list_add_tail(&temp->qhead, &server->pending_mid_q);
        atomic_inc(&midCount);
        temp->midState = MID_REQUEST_ALLOCATED;
-        spin_unlock(&GlobalMid_Lock);
        return temp;
 }
-static void
+void
 DeleteMidQEntry(struct mid_q_entry *midEntry)
 {
 #ifdef CONFIG_CIFS_STATS2
        unsigned long now;
 #endif
-        spin_lock(&GlobalMid_Lock);
        midEntry->midState = MID_FREE;
-        list_del(&midEntry->qhead);
        atomic_dec(&midCount);
-        spin_unlock(&GlobalMid_Lock);
        if (midEntry->largeBuf)
                cifs_buf_release(midEntry->resp_buf);
        else
@@ -103,6 +109,16 @@ DeleteMidQEntry(struct mid_q_entry *midEntry)
        mempool_free(midEntry, cifs_mid_poolp);
 }
+static void
+delete_mid(struct mid_q_entry *mid)
+{
+        spin_lock(&GlobalMid_Lock);
+        list_del(&mid->qhead);
+        spin_unlock(&GlobalMid_Lock);
+        DeleteMidQEntry(mid);
+}
 static int
 smb_sendv(struct TCP_Server_Info *server, struct kvec *iov, int n_vec)
 {
@@ -220,9 +236,9 @@ smb_sendv(struct TCP_Server_Info *server, struct kvec *iov, int n_vec)
                server->tcpStatus = CifsNeedReconnect;
        }
-        if (rc < 0) {
+        if (rc < 0 && rc != -EINTR)
                cERROR(1, "Error %d sending data on socket to server", rc);
-        } else
+        else
                rc = 0;
        /* Don't want to modify the buffer as a
@@ -244,31 +260,31 @@ smb_send(struct TCP_Server_Info *server, struct smb_hdr *smb_buffer,
        return smb_sendv(server, &iov, 1);
 }
-static int wait_for_free_request(struct cifsSesInfo *ses, const int long_op)
+static int wait_for_free_request(struct TCP_Server_Info *server,
+                                 const int long_op)
 {
        if (long_op == CIFS_ASYNC_OP) {
                /* oplock breaks must not be held up */
-                atomic_inc(&ses->server->inFlight);
+                atomic_inc(&server->inFlight);
                return 0;
        }
        spin_lock(&GlobalMid_Lock);
        while (1) {
-                if (atomic_read(&ses->server->inFlight) >=
+                if (atomic_read(&server->inFlight) >= cifs_max_pending) {
-                                cifs_max_pending){
                        spin_unlock(&GlobalMid_Lock);
 #ifdef CONFIG_CIFS_STATS2
-                        atomic_inc(&ses->server->num_waiters);
+                        atomic_inc(&server->num_waiters);
 #endif
-                        wait_event(ses->server->request_q,
+                        wait_event(server->request_q,
-                                   atomic_read(&ses->server->inFlight)
+                                   atomic_read(&server->inFlight)
                                     < cifs_max_pending);
 #ifdef CONFIG_CIFS_STATS2
-                        atomic_dec(&ses->server->num_waiters);
+                        atomic_dec(&server->num_waiters);
 #endif
                        spin_lock(&GlobalMid_Lock);
                } else {
-                        if (ses->server->tcpStatus == CifsExiting) {
+                        if (server->tcpStatus == CifsExiting) {
                                spin_unlock(&GlobalMid_Lock);
                                return -ENOENT;
                        }
@@ -278,7 +294,7 @@ static int wait_for_free_request(struct cifsSesInfo *ses, const int long_op)
                        /* update # of requests on the wire to server */
                        if (long_op != CIFS_BLOCKING_OP)
-                                atomic_inc(&ses->server->inFlight);
+                                atomic_inc(&server->inFlight);
                        spin_unlock(&GlobalMid_Lock);
                        break;
                }
@@ -308,53 +324,85 @@ static int allocate_mid(struct cifsSesInfo *ses, struct smb_hdr *in_buf,
        *ppmidQ = AllocMidQEntry(in_buf, ses->server);
        if (*ppmidQ == NULL)
                return -ENOMEM;
+        spin_lock(&GlobalMid_Lock);
+        list_add_tail(&(*ppmidQ)->qhead, &ses->server->pending_mid_q);
+        spin_unlock(&GlobalMid_Lock);
        return 0;
 }
-static int wait_for_response(struct cifsSesInfo *ses,
+static int
-                        struct mid_q_entry *midQ,
+wait_for_response(struct TCP_Server_Info *server, struct mid_q_entry *midQ)
-                        unsigned long timeout,
-                        unsigned long time_to_wait)
 {
-        unsigned long curr_timeout;
+        int error;
-        for (;;) {
+        error = wait_event_killable(server->response_q,
-                curr_timeout = timeout + jiffies;
+                                    midQ->midState != MID_REQUEST_SUBMITTED);
-                wait_event_timeout(ses->server->response_q,
+        if (error < 0)
-                        midQ->midState != MID_REQUEST_SUBMITTED, timeout);
+                return -ERESTARTSYS;
-                if (time_after(jiffies, curr_timeout) &&
+        return 0;
-                        (midQ->midState == MID_REQUEST_SUBMITTED) &&
+}
-                        ((ses->server->tcpStatus == CifsGood) ||
-                         (ses->server->tcpStatus == CifsNew))) {
-                        unsigned long lrt;
-                        /* We timed out. Is the server still
+/*
-                           sending replies ? */
+ * Send a SMB request and set the callback function in the mid to handle
-                        spin_lock(&GlobalMid_Lock);
+ * the result. Caller is responsible for dealing with timeouts.
-                        lrt = ses->server->lstrp;
+ */
-                        spin_unlock(&GlobalMid_Lock);
+int
+cifs_call_async(struct TCP_Server_Info *server, struct smb_hdr *in_buf,
+                mid_callback_t *callback, void *cbdata)
+{
+        int rc;
+        struct mid_q_entry *mid;
-                        /* Calculate time_to_wait past last receive time.
+        rc = wait_for_free_request(server, CIFS_ASYNC_OP);
-                         Although we prefer not to time out if the
+        if (rc)
-                         server is still responding - we will time
+                return rc;
-                         out if the server takes more than 15 (or 45
-                         or 180) seconds to respond to this request
+        /* enable signing if server requires it */
-                         and has not responded to any request from
+        if (server->secMode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
-                         other threads on the client within 10 seconds */
+                in_buf->Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
-                        lrt += time_to_wait;
-                        if (time_after(jiffies, lrt)) {
+        mutex_lock(&server->srv_mutex);
-                                /* No replies for time_to_wait. */
+        mid = AllocMidQEntry(in_buf, server);
-                                cERROR(1, "server not responding");
+        if (mid == NULL) {
-                                return -1;
+                mutex_unlock(&server->srv_mutex);
-                        }
+                return -ENOMEM;
-                } else {
-                        return 0;
-                }
        }
-}
+        /* put it on the pending_mid_q */
+        spin_lock(&GlobalMid_Lock);
+        list_add_tail(&mid->qhead, &server->pending_mid_q);
+        spin_unlock(&GlobalMid_Lock);
+        rc = cifs_sign_smb(in_buf, server, &mid->sequence_number);
+        if (rc) {
+                mutex_unlock(&server->srv_mutex);
+                goto out_err;
+        }
+        mid->callback = callback;
+        mid->callback_data = cbdata;
+        mid->midState = MID_REQUEST_SUBMITTED;
+#ifdef CONFIG_CIFS_STATS2
+        atomic_inc(&server->inSend);
+#endif
+        rc = smb_send(server, in_buf, in_buf->smb_buf_length);
+#ifdef CONFIG_CIFS_STATS2
+        atomic_dec(&server->inSend);
+        mid->when_sent = jiffies;
+#endif
+        mutex_unlock(&server->srv_mutex);
+        if (rc)
+                goto out_err;
+        return rc;
+out_err:
+        delete_mid(mid);
+        atomic_dec(&server->inFlight);
+        wake_up(&server->request_q);
+        return rc;
+}
 /*
 *
@@ -382,6 +430,84 @@ SendReceiveNoRsp(const unsigned int xid, struct cifsSesInfo *ses,
        return rc;
 }
+static int
+sync_mid_result(struct mid_q_entry *mid, struct TCP_Server_Info *server)
+{
+        int rc = 0;
+        cFYI(1, "%s: cmd=%d mid=%d state=%d", __func__, mid->command,
+                mid->mid, mid->midState);
+        spin_lock(&GlobalMid_Lock);
+        /* ensure that it's no longer on the pending_mid_q */
+        list_del_init(&mid->qhead);
+        switch (mid->midState) {
+        case MID_RESPONSE_RECEIVED:
+                spin_unlock(&GlobalMid_Lock);
+                return rc;
+        case MID_REQUEST_SUBMITTED:
+                /* socket is going down, reject all calls */
+                if (server->tcpStatus == CifsExiting) {
+                        cERROR(1, "%s: canceling mid=%d cmd=0x%x state=%d",
+                               __func__, mid->mid, mid->command, mid->midState);
+                        rc = -EHOSTDOWN;
+                        break;
+                }
+        case MID_RETRY_NEEDED:
+                rc = -EAGAIN;
+                break;
+        case MID_RESPONSE_MALFORMED:
+                rc = -EIO;
+                break;
+        default:
+                cERROR(1, "%s: invalid mid state mid=%d state=%d", __func__,
+                        mid->mid, mid->midState);
+                rc = -EIO;
+        }
+        spin_unlock(&GlobalMid_Lock);
+        DeleteMidQEntry(mid);
+        return rc;
+}
+/*
+ * An NT cancel request header looks just like the original request except:
+ *
+ * The Command is SMB_COM_NT_CANCEL
+ * The WordCount is zeroed out
+ * The ByteCount is zeroed out
+ *
+ * This function mangles an existing request buffer into a
+ * SMB_COM_NT_CANCEL request and then sends it.
+ */
+static int
+send_nt_cancel(struct TCP_Server_Info *server, struct smb_hdr *in_buf,
+                struct mid_q_entry *mid)
+{
+        int rc = 0;
+        /* -4 for RFC1001 length and +2 for BCC field */
+        in_buf->smb_buf_length = sizeof(struct smb_hdr) - 4  + 2;
+        in_buf->Command = SMB_COM_NT_CANCEL;
+        in_buf->WordCount = 0;
+        put_bcc_le(0, in_buf);
+        mutex_lock(&server->srv_mutex);
+        rc = cifs_sign_smb(in_buf, server, &mid->sequence_number);
+        if (rc) {
+                mutex_unlock(&server->srv_mutex);
+                return rc;
+        }
+        rc = smb_send(server, in_buf, in_buf->smb_buf_length);
+        mutex_unlock(&server->srv_mutex);
+        cFYI(1, "issued NT_CANCEL for mid %u, rc = %d",
+                in_buf->Mid, rc);
+        return rc;
+}
 int
 SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
             struct kvec *iov, int n_vec, int *pRespBufType /* ret */,
@@ -390,7 +516,6 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
        int rc = 0;
        int long_op;
        unsigned int receive_len;
-        unsigned long timeout;
        struct mid_q_entry *midQ;
        struct smb_hdr *in_buf = iov[0].iov_base;
@@ -413,7 +538,7 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
           to the same server. We may make this configurable later or
           use ses->maxReq */
-        rc = wait_for_free_request(ses, long_op);
+        rc = wait_for_free_request(ses->server, long_op);
        if (rc) {
                cifs_small_buf_release(in_buf);
                return rc;
@@ -452,70 +577,41 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
 #endif
        mutex_unlock(&ses->server->srv_mutex);
-        cifs_small_buf_release(in_buf);
-        if (rc < 0)
+        if (rc < 0) {
-                goto out;
+                cifs_small_buf_release(in_buf);
-        if (long_op == CIFS_STD_OP)
-                timeout = 15 * HZ;
-        else if (long_op == CIFS_VLONG_OP) /* e.g. slow writes past EOF */
-                timeout = 180 * HZ;
-        else if (long_op == CIFS_LONG_OP)
-                timeout = 45 * HZ; /* should be greater than
-                        servers oplock break timeout (about 43 seconds) */
-        else if (long_op == CIFS_ASYNC_OP)
-                goto out;
-        else if (long_op == CIFS_BLOCKING_OP)
-                timeout = 0x7FFFFFFF; /*  large, but not so large as to wrap */
-        else {
-                cERROR(1, "unknown timeout flag %d", long_op);
-                rc = -EIO;
                goto out;
        }
-        /* wait for 15 seconds or until woken up due to response arriving or
+        if (long_op == CIFS_ASYNC_OP) {
-           due to last connection to this server being unmounted */
+                cifs_small_buf_release(in_buf);
-        if (signal_pending(current)) {
+                goto out;
-                /* if signal pending do not hold up user for full smb timeout
-                but we still give response a chance to complete */
-                timeout = 2 * HZ;
        }
-        /* No user interrupts in wait - wreaks havoc with performance */
+        rc = wait_for_response(ses->server, midQ);
-        wait_for_response(ses, midQ, timeout, 10 * HZ);
+        if (rc != 0) {
+                send_nt_cancel(ses->server, in_buf, midQ);
-        spin_lock(&GlobalMid_Lock);
+                spin_lock(&GlobalMid_Lock);
-        if (midQ->resp_buf == NULL) {
-                cERROR(1, "No response to cmd %d mid %d",
-                        midQ->command, midQ->mid);
                if (midQ->midState == MID_REQUEST_SUBMITTED) {
-                        if (ses->server->tcpStatus == CifsExiting)
+                        midQ->callback = DeleteMidQEntry;
-                                rc = -EHOSTDOWN;
+                        spin_unlock(&GlobalMid_Lock);
-                        else {
+                        cifs_small_buf_release(in_buf);
-                                ses->server->tcpStatus = CifsNeedReconnect;
+                        atomic_dec(&ses->server->inFlight);
-                                midQ->midState = MID_RETRY_NEEDED;
+                        wake_up(&ses->server->request_q);
-                        }
+                        return rc;
-                }
-                if (rc != -EHOSTDOWN) {
-                        if (midQ->midState == MID_RETRY_NEEDED) {
-                                rc = -EAGAIN;
-                                cFYI(1, "marking request for retry");
-                        } else {
-                                rc = -EIO;
-                        }
                }
                spin_unlock(&GlobalMid_Lock);
-                DeleteMidQEntry(midQ);
+        }
-                /* Update # of requests on wire to server */
+        cifs_small_buf_release(in_buf);
+        rc = sync_mid_result(midQ, ses->server);
+        if (rc != 0) {
                atomic_dec(&ses->server->inFlight);
                wake_up(&ses->server->request_q);
                return rc;
        }
-        spin_unlock(&GlobalMid_Lock);
        receive_len = midQ->resp_buf->smb_buf_length;
        if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
@@ -559,19 +655,18 @@ SendReceive2(const unsigned int xid, struct cifsSesInfo *ses,
                if (receive_len >= sizeof(struct smb_hdr) - 4
                    /* do not count RFC1001 header */  +
                    (2 * midQ->resp_buf->WordCount) + 2 /* bcc */ )
-                        BCC(midQ->resp_buf) =
+                        put_bcc(get_bcc_le(midQ->resp_buf), midQ->resp_buf);
-                                le16_to_cpu(BCC_LE(midQ->resp_buf));
                if ((flags & CIFS_NO_RESP) == 0)
                        midQ->resp_buf = NULL;  /* mark it so buf will
                                                   not be freed by
-                                                   DeleteMidQEntry */
+                                                   delete_mid */
        } else {
                rc = -EIO;
                cFYI(1, "Bad MID state?");
        }
 out:
-        DeleteMidQEntry(midQ);
+        delete_mid(midQ);
        atomic_dec(&ses->server->inFlight);
        wake_up(&ses->server->request_q);
@@ -585,7 +680,6 @@ SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
 {
        int rc = 0;
        unsigned int receive_len;
-        unsigned long timeout;
        struct mid_q_entry *midQ;
        if (ses == NULL) {
@@ -610,7 +704,7 @@ SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
                return -EIO;
        }
-        rc = wait_for_free_request(ses, long_op);
+        rc = wait_for_free_request(ses->server, long_op);
        if (rc)
                return rc;
@@ -649,64 +743,31 @@ SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
        if (rc < 0)
                goto out;
-        if (long_op == CIFS_STD_OP)
+        if (long_op == CIFS_ASYNC_OP)
-                timeout = 15 * HZ;
-        /* wait for 15 seconds or until woken up due to response arriving or
-           due to last connection to this server being unmounted */
-        else if (long_op == CIFS_ASYNC_OP)
-                goto out;
-        else if (long_op == CIFS_VLONG_OP) /* writes past EOF can be slow */
-                timeout = 180 * HZ;
-        else if (long_op == CIFS_LONG_OP)
-                timeout = 45 * HZ; /* should be greater than
-                        servers oplock break timeout (about 43 seconds) */
-        else if (long_op == CIFS_BLOCKING_OP)
-                timeout = 0x7FFFFFFF; /* large but no so large as to wrap */
-        else {
-                cERROR(1, "unknown timeout flag %d", long_op);
-                rc = -EIO;
                goto out;
-        }
-        if (signal_pending(current)) {
-                /* if signal pending do not hold up user for full smb timeout
-                but we still give response a chance to complete */
-                timeout = 2 * HZ;
-        }
-        /* No user interrupts in wait - wreaks havoc with performance */
-        wait_for_response(ses, midQ, timeout, 10 * HZ);
-        spin_lock(&GlobalMid_Lock);
+        rc = wait_for_response(ses->server, midQ);
-        if (midQ->resp_buf == NULL) {
+        if (rc != 0) {
-                cERROR(1, "No response for cmd %d mid %d",
+                send_nt_cancel(ses->server, in_buf, midQ);
-                          midQ->command, midQ->mid);
+                spin_lock(&GlobalMid_Lock);
                if (midQ->midState == MID_REQUEST_SUBMITTED) {
-                        if (ses->server->tcpStatus == CifsExiting)
+                        /* no longer considered to be "in-flight" */
-                                rc = -EHOSTDOWN;
+                        midQ->callback = DeleteMidQEntry;
-                        else {
+                        spin_unlock(&GlobalMid_Lock);
-                                ses->server->tcpStatus = CifsNeedReconnect;
+                        atomic_dec(&ses->server->inFlight);
-                                midQ->midState = MID_RETRY_NEEDED;
+                        wake_up(&ses->server->request_q);
-                        }
+                        return rc;
-                }
-                if (rc != -EHOSTDOWN) {
-                        if (midQ->midState == MID_RETRY_NEEDED) {
-                                rc = -EAGAIN;
-                                cFYI(1, "marking request for retry");
-                        } else {
-                                rc = -EIO;
-                        }
                }
                spin_unlock(&GlobalMid_Lock);
-                DeleteMidQEntry(midQ);
+        }
-                /* Update # of requests on wire to server */
+        rc = sync_mid_result(midQ, ses->server);
+        if (rc != 0) {
                atomic_dec(&ses->server->inFlight);
                wake_up(&ses->server->request_q);
                return rc;
        }
-        spin_unlock(&GlobalMid_Lock);
        receive_len = midQ->resp_buf->smb_buf_length;
        if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
@@ -748,43 +809,20 @@ SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
                if (receive_len >= sizeof(struct smb_hdr) - 4
                    /* do not count RFC1001 header */  +
                    (2 * out_buf->WordCount) + 2 /* bcc */ )
-                        BCC(out_buf) = le16_to_cpu(BCC_LE(out_buf));
+                        put_bcc(get_bcc_le(midQ->resp_buf), midQ->resp_buf);
        } else {
                rc = -EIO;
                cERROR(1, "Bad MID state?");
        }
 out:
-        DeleteMidQEntry(midQ);
+        delete_mid(midQ);
        atomic_dec(&ses->server->inFlight);
        wake_up(&ses->server->request_q);
        return rc;
 }
-/* Send an NT_CANCEL SMB to cause the POSIX blocking lock to return. */
-static int
-send_nt_cancel(struct cifsTconInfo *tcon, struct smb_hdr *in_buf,
-                struct mid_q_entry *midQ)
-{
-        int rc = 0;
-        struct cifsSesInfo *ses = tcon->ses;
-        __u16 mid = in_buf->Mid;
-        header_assemble(in_buf, SMB_COM_NT_CANCEL, tcon, 0);
-        in_buf->Mid = mid;
-        mutex_lock(&ses->server->srv_mutex);
-        rc = cifs_sign_smb(in_buf, ses->server, &midQ->sequence_number);
-        if (rc) {
-                mutex_unlock(&ses->server->srv_mutex);
-                return rc;
-        }
-        rc = smb_send(ses->server, in_buf, in_buf->smb_buf_length);
-        mutex_unlock(&ses->server->srv_mutex);
-        return rc;
-}
 /* We send a LOCKINGX_CANCEL_LOCK to cause the Windows
   blocking lock to return. */
@@ -807,7 +845,7 @@ send_lock_cancel(const unsigned int xid, struct cifsTconInfo *tcon,
        pSMB->hdr.Mid = GetNextMid(ses->server);
        return SendReceive(xid, ses, in_buf, out_buf,
-                        &bytes_returned, CIFS_STD_OP);
+                        &bytes_returned, 0);
 }
 int
@@ -845,7 +883,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
                return -EIO;
        }
-        rc = wait_for_free_request(ses, CIFS_BLOCKING_OP);
+        rc = wait_for_free_request(ses->server, CIFS_BLOCKING_OP);
        if (rc)
                return rc;
@@ -863,7 +901,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
        rc = cifs_sign_smb(in_buf, ses->server, &midQ->sequence_number);
        if (rc) {
-                DeleteMidQEntry(midQ);
+                delete_mid(midQ);
                mutex_unlock(&ses->server->srv_mutex);
                return rc;
        }
@@ -880,7 +918,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
        mutex_unlock(&ses->server->srv_mutex);
        if (rc < 0) {
-                DeleteMidQEntry(midQ);
+                delete_mid(midQ);
                return rc;
        }
@@ -899,10 +937,9 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
                if (in_buf->Command == SMB_COM_TRANSACTION2) {
                        /* POSIX lock. We send a NT_CANCEL SMB to cause the
                           blocking lock to return. */
+                        rc = send_nt_cancel(ses->server, in_buf, midQ);
-                        rc = send_nt_cancel(tcon, in_buf, midQ);
                        if (rc) {
-                                DeleteMidQEntry(midQ);
+                                delete_mid(midQ);
                                return rc;
                        }
                } else {
@@ -914,47 +951,33 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
                        /* If we get -ENOLCK back the lock may have
                           already been removed. Don't exit in this case. */
                        if (rc && rc != -ENOLCK) {
-                                DeleteMidQEntry(midQ);
+                                delete_mid(midQ);
                                return rc;
                        }
                }
-                /* Wait 5 seconds for the response. */
+                rc = wait_for_response(ses->server, midQ);
-                if (wait_for_response(ses, midQ, 5 * HZ, 5 * HZ) == 0) {
+                if (rc) {
-                        /* We got the response - restart system call. */
+                        send_nt_cancel(ses->server, in_buf, midQ);
-                        rstart = 1;
+                        spin_lock(&GlobalMid_Lock);
-                }
+                        if (midQ->midState == MID_REQUEST_SUBMITTED) {
-        }
+                                /* no longer considered to be "in-flight" */
+                                midQ->callback = DeleteMidQEntry;
-        spin_lock(&GlobalMid_Lock);
+                                spin_unlock(&GlobalMid_Lock);
-        if (midQ->resp_buf) {
+                                return rc;
-                spin_unlock(&GlobalMid_Lock);
-                receive_len = midQ->resp_buf->smb_buf_length;
-        } else {
-                cERROR(1, "No response for cmd %d mid %d",
-                          midQ->command, midQ->mid);
-                if (midQ->midState == MID_REQUEST_SUBMITTED) {
-                        if (ses->server->tcpStatus == CifsExiting)
-                                rc = -EHOSTDOWN;
-                        else {
-                                ses->server->tcpStatus = CifsNeedReconnect;
-                                midQ->midState = MID_RETRY_NEEDED;
                        }
+                        spin_unlock(&GlobalMid_Lock);
                }
-                if (rc != -EHOSTDOWN) {
+                /* We got the response - restart system call. */
-                        if (midQ->midState == MID_RETRY_NEEDED) {
+                rstart = 1;
-                                rc = -EAGAIN;
-                                cFYI(1, "marking request for retry");
-                        } else {
-                                rc = -EIO;
-                        }
-                }
-                spin_unlock(&GlobalMid_Lock);
-                DeleteMidQEntry(midQ);
-                return rc;
        }
+        rc = sync_mid_result(midQ, ses->server);
+        if (rc != 0)
+                return rc;
+        receive_len = midQ->resp_buf->smb_buf_length;
        if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
                cERROR(1, "Frame too large received.  Length: %d  Xid: %d",
                        receive_len, xid);
@@ -998,10 +1021,10 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
        if (receive_len >= sizeof(struct smb_hdr) - 4
            /* do not count RFC1001 header */  +
            (2 * out_buf->WordCount) + 2 /* bcc */ )
-                BCC(out_buf) = le16_to_cpu(BCC_LE(out_buf));
+                put_bcc(get_bcc_le(out_buf), out_buf);
 out:
-        DeleteMidQEntry(midQ);
+        delete_mid(midQ);
        if (rstart && rc == -EACCES)
                return -ERESTARTSYS;
        return rc;