Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0.10 2026-04-27T13:30:16+00:00 2026-04-27T13:30:16+00:00 Namjae Jeon linkinjeon@kernel.org 2026-04-20T16:15:31+00:00 urn:sha1:c908c853f304a4969b5aa10eba0b50350cc65b80 [ Upstream commit 49110a8ce654bbe56bef7c5e44cce31f4b102b8a ] Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID. According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open. Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name. and catpure the owner information when a file handle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC). Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com> Reported-by: Navaneeth K <knavaneeth786@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-08-31T22:48:38+00:00 Philipp Kerling pkerling@casix.org 2025-08-20T14:24:13+00:00 urn:sha1:b5ee94ac651aa42612095c4a75ff7f5c47cd9315 If the client sends SMB2_CREATE_POSIX_CONTEXT to ksmbd, allow the filename to contain a colon (':'). This requires disabling the support for Alternate Data Streams (ADS), which are denoted by a colon-separated suffix to the filename on Windows. This should not be an issue, since this concept is not known to POSIX anyway and the client has to explicitly request a POSIX context to get this behavior. Link: https://lore.kernel.org/all/f9401718e2be2ab22058b45a6817db912784ef61.camel@rx2.rx-server.de/ Signed-off-by: Philipp Kerling <pkerling@casix.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2025-06-17T21:27:16+00:00 Namjae Jeon linkinjeon@kernel.org 2025-06-13T02:51:29+00:00 urn:sha1:4ea0bb8aaedfad8e695429cda6bd1c8b0dad0844 The bug only appears when: - windows 11 copies a file that has an alternate data stream - streams_xattr is enabled on the share configuration. Microsoft Edge adds a ZoneIdentifier data stream containing the URL for files it downloads. Another way to create a test file: - open cmd.exe - echo "hello from default data stream" > hello.txt - echo "hello again from ads" > hello.txt:ads.txt If you open the file using notepad, we'll see the first message. If you run "notepad hello.txt:ads.txt" in cmd.exe, we should see the second message. dir /s /r should least all streams for the file. The truncation happens because the windows 11 client sends a SetInfo/EndOfFile message on the ADS, but it is instead applied on the main file, because we don't check fp->stream. When receiving set/get info file for a stream file, Change to process requests using stream position and size. Truncate is unnecessary for stream files, so we skip set_file_allocation_info and set_end_of_file_info operations. Reported-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-09-21T03:16:11+00:00 Namjae Jeon linkinjeon@kernel.org 2024-09-19T00:22:57+00:00 urn:sha1:289ebd9afeb94862d96c89217068943f1937df5b smb2pdu.c: In function ‘smb2_open’: ./include/linux/minmax.h:20:28: warning: comparison of distinct pointer types lacks a cast 20 | (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) | ^~ ./include/linux/minmax.h:26:4: note: in expansion of macro ‘__typecheck’ 26 | (__typecheck(x, y) && __no_side_effects(x, y)) | ^~~~~~~~~~~ ./include/linux/minmax.h:36:24: note: in expansion of macro ‘__safe_cmp’ 36 | __builtin_choose_expr(__safe_cmp(x, y), \ | ^~~~~~~~~~ ./include/linux/minmax.h:45:19: note: in expansion of macro ‘__careful_cmp’ 45 | #define min(x, y) __careful_cmp(x, y, <) | ^~~~~~~~~~~~~ /home/linkinjeon/git/smbd_work/ksmbd/smb2pdu.c:3713:27: note: in expansion of macro ‘min’ 3713 | fp->durable_timeout = min(dh_info.timeout, Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-07-15T02:45:40+00:00 Namjae Jeon linkinjeon@kernel.org 2024-07-14T23:29:39+00:00 urn:sha1:d484d621d40f4a8b8959008802d79bef3609641b Launch ksmbd-durable-scavenger kernel thread to scan durable fps that have not been reclaimed by a client within the configured time. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-07-14T23:00:35+00:00 Namjae Jeon linkinjeon@kernel.org 2024-05-21T13:57:52+00:00 urn:sha1:520da3c488c5bb177871634e713eb8a106082e6b The expired durable opens should not be reclaimed by client. This patch add ->durable_scavenger_timeout to fp and check it in ksmbd_lookup_durable_fd(). Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-05-05T04:53:36+00:00 Namjae Jeon linkinjeon@kernel.org 2024-05-02T01:07:50+00:00 urn:sha1:d1c189c6cb8b0fb7b5ee549237d27889c40c2f8b lease break wait for lease break acknowledgment. rwsem is more suitable than unlock while traversing the list for parent lease break in ->m_op_list. Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-03-12T05:36:39+00:00 Namjae Jeon linkinjeon@kernel.org 2024-03-12T05:05:57+00:00 urn:sha1:c8efcc786146a951091588e5fa7e3c754850cb3c Durable file handles allow reopening a file preserved on a short network outage and transparent client reconnection within a timeout. i.e. Durable handles aren't necessarily cleaned up when the opening process terminates. This patch add support for durable handle version 1 and 2. To prove durable handles work on ksmbd, I have tested this patch with the following smbtorture tests: smb2.durable-open.open-oplock smb2.durable-open.open-lease smb2.durable-open.reopen1 smb2.durable-open.reopen1a smb2.durable-open.reopen1a-lease smb2.durable-open.reopen2 smb2.durable-open.reopen2a smb2.durable-open.reopen2-lease smb2.durable-open.reopen2-lease-v2 smb2.durable-open.reopen3 smb2.durable-open.reopen4 smb2.durable-open.delete_on_close2 smb2.durable-open.file-position smb2.durable-open.lease smb2.durable-open.alloc-size smb2.durable-open.read-only smb2.durable-v2-open.create-blob smb2.durable-v2-open.open-oplock smb2.durable-v2-open.open-lease smb2.durable-v2-open.reopen1 smb2.durable-v2-open.reopen1a smb2.durable-v2-open.reopen1a-lease smb2.durable-v2-open.reopen2 smb2.durable-v2-open.reopen2b Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2023-12-08T16:11:33+00:00 Namjae Jeon linkinjeon@kernel.org 2023-12-08T05:37:56+00:00 urn:sha1:c2a721eead71202a0d8ddd9b56ec8dce652c71d1 Don't immediately send directory lease break notification on smb2_write(). Instead, It postpones it until smb2_close(). Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2023-12-08T16:11:33+00:00 Namjae Jeon linkinjeon@kernel.org 2023-12-08T05:33:41+00:00 urn:sha1:d47d9886aeef79feba7adac701a510d65f3682b5 If client send different parent key, different client guid, or there is no parent lease key flags in create context v2 lease, ksmbd send lease break to client. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>