<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/smb/server, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-23T22:52:42+00:00</updated>
<entry>
<title>ksmbd: fix kernel-doc warnings in smb2_lease_break_noti()</title>
<updated>2026-06-23T22:52:42+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-23T20:59:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=da793cf6d60233f47ea5e7e9e39425d71dfcdb79'/>
<id>urn:sha1:da793cf6d60233f47ea5e7e9e39425d71dfcdb79</id>
<content type='text'>
kernel test robot reports missing kernel-doc descriptions for the 'wait_ack'
and 'inc_epoch' parameters of smb2_lease_break_noti():

  Warning: fs/smb/server/oplock.c:937 function parameter 'wait_ack' not
   described in 'smb2_lease_break_noti'
  Warning: fs/smb/server/oplock.c:937 function parameter 'inc_epoch' not
   described in 'smb2_lease_break_noti'

Document both parameters to silence the warnings.

Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: fix inconsistent indenting warnings</title>
<updated>2026-06-23T22:52:42+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-23T08:21:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f455ea21f23e2a82e4adf00d8ee65c268ad82036'/>
<id>urn:sha1:f455ea21f23e2a82e4adf00d8ee65c268ad82036</id>
<content type='text'>
Detected by Smatch.

   fs/smb/server/oplock.c:1446 smb_grant_oplock()
   warn: inconsistent indenting

Reported-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: validate NTLMv2 response before updating session key</title>
<updated>2026-06-23T22:52:42+00:00</updated>
<author>
<name>Haofeng Li</name>
<email>lihaofeng@kylinos.cn</email>
</author>
<published>2026-06-23T01:30:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=954d196bebb2b50151cb96454c72dc113b2af1ac'/>
<id>urn:sha1:954d196bebb2b50151cb96454c72dc113b2af1ac</id>
<content type='text'>
ksmbd_auth_ntlmv2() derives the NTLMv2 session key into
sess-&gt;sess_key before it verifies the NTLMv2 response.
ksmbd_decode_ntlmssp_auth_blob() then continues into KEY_XCH even
when ksmbd_auth_ntlmv2() failed.

With SMB3 multichannel binding, the failed authentication operates on
an existing session and the session setup error path does not expire
binding sessions. A client can send a binding session setup with a
bad NT proof and KEY_XCH and still modify sess-&gt;sess_key before
STATUS_LOGON_FAILURE is returned.

Relevant path:

  smb2_sess_setup()
    -&gt; conn-&gt;binding = true
    -&gt; ntlm_authenticate()
       -&gt; session_user()
       -&gt; ksmbd_decode_ntlmssp_auth_blob()
          -&gt; ksmbd_auth_ntlmv2()
             -&gt; calc_ntlmv2_hash()
             -&gt; hmac_md5_usingrawkey(..., sess-&gt;sess_key)
             -&gt; crypto_memneq() returns mismatch
          -&gt; KEY_XCH arc4_crypt(..., sess-&gt;sess_key, ...)
    -&gt; out_err without expiring the binding session

Derive the base session key into a local buffer and copy it to
sess-&gt;sess_key only after the proof matches. Return immediately on
authentication failure so KEY_XCH is only processed after successful
authentication.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Fixes: f9929ef6a2a5 ("ksmbd: add support for key exchange")
Cc: stable@vger.kernel.org
Signed-off-by: Haofeng Li &lt;lihaofeng@kylinos.cn&gt;
Reviewed-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: increase SMB3_DEFAULT_TRANS_SIZE from 1MB to 4MB</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-22T01:16:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4429b56506f45891d445f4dc4c8a22b3ec9b12de'/>
<id>urn:sha1:4429b56506f45891d445f4dc4c8a22b3ec9b12de</id>
<content type='text'>
This patch raises `SMB3_DEFAULT_TRANS_SIZE` to 4MB to align it with
`smb2 max read/write`. This allows better I/O negotiation with modern
clients and improves sequential read/write performance on high-speed
networks.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: fix UBSAN array-index-out-of-bounds in decode_compress_ctxt()</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-21T12:21:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=474fd91f3828a89dd7dc0a862f77f14e9f9240ff'/>
<id>urn:sha1:474fd91f3828a89dd7dc0a862f77f14e9f9240ff</id>
<content type='text'>
decode_compress_ctxt() walks CompressionAlgorithms[] using the
client-supplied CompressionAlgorithmCount. That field is declared in
struct smb2_compression_capabilities_context as a fixed 4-element array,
but the number of algorithms is actually variable and clients such as
Windows advertise more than four (e.g. LZ77, LZ77+Huffman, LZNT1,
Pattern_V1 and LZ4).

The on-wire context length is already validated, so the access is within
the received buffer, but indexing the statically sized [4] array makes
UBSAN report an out-of-bounds access:

  UBSAN: array-index-out-of-bounds in smb2pdu.c:1122:48
  index 4 is out of range for type '__le16 [4]'
  Call Trace:
   smb2_handle_negotiate+0xda7/0xde0 [ksmbd]
   ksmbd_smb_negotiate_common+0x27b/0x3e0 [ksmbd]
   smb2_negotiate_request+0x14/0x20 [ksmbd]
   handle_ksmbd_work+0x181/0x500 [ksmbd]

Walk the algorithms through a pointer so the fixed-array bounds check is
not applied, while keeping the existing length validation that bounds the
loop to the data actually received.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: sleep interruptibly in the durable handle scavenger</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-21T10:59:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5a7f4d6d8e7fc9c3b67412f1b8e5b56c9aec21af'/>
<id>urn:sha1:5a7f4d6d8e7fc9c3b67412f1b8e5b56c9aec21af</id>
<content type='text'>
The durable handle scavenger kthread waits up to DURABLE_HANDLE_MAX_TIMEOUT
(300 seconds) between scans using wait_event_timeout(), which sleeps in
TASK_UNINTERRUPTIBLE. When there are no durable handles pending expiry the
task stays in D state far longer than 120 seconds, so the hung task
detector prints a bogus "task ksmbd-durable-s blocked for more than 120
seconds" warning with a backtrace, even though the thread is only idle.

Use wait_event_interruptible_timeout() so the thread sleeps in
TASK_INTERRUPTIBLE, which the hung task detector ignores. This also suits
the already-freezable kthread. Treat a negative return (e.g. -ERESTARTSYS)
like a timeout when recomputing the next wake interval.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: start file id allocation at 1</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-21T10:59:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6b375be0b4e1be89e9a817880515311503a19114'/>
<id>urn:sha1:6b375be0b4e1be89e9a817880515311503a19114</id>
<content type='text'>
ksmbd allocates both the volatile id (per-session file table) and the
persistent id (global file table) with idr_alloc_cyclic() starting at 0.
The first open after the module loads therefore gets volatile id 0 and
persistent id 0, and ksmbd returns an SMB2 FileId of {0, 0} in the create
response.

Clients treat an all-zero FileId as a null handle. smbtorture's
smb2_util_handle_empty() considers {0, 0} empty, so tests that guard the
close with it (e.g. smb2.oplock.statopen1, smb2.lease.statopen*) never
close that first handle. The leaked open keeps the inode's oplock count
non-zero, so a later batch oplock request on the same file is downgraded
to level II and the test fails.

Start the id allocation at 1 (KSMBD_START_FID) so no handle is ever
assigned a {0, 0} FileId, matching the behaviour of other SMB servers.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: treat read-control opens as stat opens only for leases</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-21T10:57:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=be939e11c4724d1de3650e8bafd4c3583d9684b2'/>
<id>urn:sha1:be939e11c4724d1de3650e8bafd4c3583d9684b2</id>
<content type='text'>
A second open that requests only metadata-level access must not break
the existing caching state. ksmbd already skips the break for such opens
via fp-&gt;attrib_only (FILE_READ_ATTRIBUTES,
FILE_WRITE_ATTRIBUTES and FILE_SYNCHRONIZE).

An open requesting only READ_CONTROL (reading the security descriptor)
must be treated differently depending on the existing caching state.
smbtorture smb2.lease.statopen4 expects a read-control open NOT to break
a caching lease, while smb2.oplock.statopen1 expects the same open to
break a batch oplock. So READ_CONTROL is a stat open for leases but not
for oplocks.

Extend the stat-open break-skip in smb_grant_oplock() to also cover a
read-control-only open, but only when the existing holder is a lease.
The global fp-&gt;attrib_only flag (used for share-mode, rename and truncate
decisions) is left unchanged so oplock behaviour is preserved.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: validate :: stream type against directory create</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-21T10:52:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=256257279c187386ceb18540a1f8e19252fd01f6'/>
<id>urn:sha1:256257279c187386ceb18540a1f8e19252fd01f6</id>
<content type='text'>
smb2.streams.dir opens &lt;dir&gt;::$DATA with FILE_DIRECTORY_FILE and expects
STATUS_NOT_A_DIRECTORY, then opens &lt;dir&gt;::$DATA without it and expects
STATUS_FILE_IS_A_DIRECTORY.

Commit "treat unnamed DATA stream as base file" canonicalizes the ::$DATA
suffix to a NULL stream name so the open continues through the base-file
path. That skipped the stream/directory type validation, which was
guarded by "if (stream_name)", so opening a directory's ::$DATA stream
with FILE_DIRECTORY_FILE incorrectly returned STATUS_OK and a plain open
of it no longer reported STATUS_FILE_IS_A_DIRECTORY.

parse_stream_name() still records the explicit $DATA type in s_type even
when it clears stream_name.  Run the data-stream vs directory validation
whenever s_type is DATA_STREAM, not only when stream_name is set, so the
canonicalized ::$DATA open is rejected with the correct status.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>ksmbd: break conflicting-open leases only as far as needed</title>
<updated>2026-06-23T01:15:06+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-06-21T10:51:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=889d2e38943ad9ab253dfd7520e6d92867825e7d'/>
<id>urn:sha1:889d2e38943ad9ab253dfd7520e6d92867825e7d</id>
<content type='text'>
smb2.lease.oplock and smb2.lease.breaking1 hold a lease and then issue a
single conflicting open on the same file.  The held lease must break one
step to drop write caching (RWH-&gt;RH, RW-&gt;R) and then stop, so
lease_break_info.count is 1 and the lease keeps its read/handle caching.

ksmbd instead cascaded the break all the way down to none
(e.g. RWH-&gt;RH-&gt;R-&gt;none), so the break count was 2 or 3 and the reported
lease state ended at 0.  Commit "chain pending lease breaks before waking
waiters" forces break_level to SMB2_OPLOCK_LEVEL_NONE for any non-lease
open against a handle-caching lease, which drives oplock_break()'s retry
loop down to none even when only one open is contending.

Drop that break_level override so a conflicting open breaks a lease only
to its own compatible level (level II, i.e. RH/R).

A deeper break is still required when a truncating open is also waiting
behind the same lease break.  smb2.lease.breaking3 keeps a normal open
pending through RWH-&gt;RH and an overwrite open pending behind it, and
expects the lease to continue RH-&gt;R-&gt;none before either open completes.
The overwrite waiter sets open_trunc on the lease while it blocks on the
pending break, so extend the retry loop to chain another break while that
truncating waiter still needs the lease at none.  The per-break open_trunc
snapshot stays cleared, so the cascade steps down (RH-&gt;R-&gt;none) instead of
collapsing straight to none, and the normal open stays pending until the
lease is fully broken.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
</feed>
