From: Greg Kroah-Hartman Date: Tue, 12 Aug 2025 11:12:02 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v6.1.148~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6553c33695aa4d48d6e484521ddf0a4d53baf4d1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch ksmbd-fix-preauh_hashvalue-race-condition.patch ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch smb-client-default-to-nonativesocket-under-posix-mounts.patch smb-client-fix-netns-refcount-leak-after-net_passive-changes.patch smb-client-set-symlink-type-as-native-for-posix-mounts.patch smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch usb-serial-option-add-foxconn-t99w709.patch --- diff --git a/queue-6.15/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch b/queue-6.15/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch new file mode 100644 index 0000000000..1bbf365a02 --- /dev/null +++ b/queue-6.15/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch @@ -0,0 +1,44 @@ +From 4f8ff9486fd94b9d6a4932f2aefb9f2fc3bd0cf6 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Jul 2025 10:33:28 +0900 +Subject: ksmbd: fix corrupted mtime and ctime in smb2_open + +From: Namjae Jeon + +commit 4f8ff9486fd94b9d6a4932f2aefb9f2fc3bd0cf6 upstream. + +If STATX_BASIC_STATS flags are not given as an argument to vfs_getattr, +It can not get ctime and mtime in kstat. + +This causes a problem showing mtime and ctime outdated from cifs.ko. +File: /xfstest.test/foo +Size: 4096 Blocks: 8 IO Block: 1048576 regular file +Device: 0,65 Inode: 2033391 Links: 1 +Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) +Context: system_u:object_r:cifs_t:s0 +Access: 2025-07-23 22:15:30.136051900 +0100 +Modify: 1970-01-01 01:00:00.000000000 +0100 +Change: 1970-01-01 01:00:00.000000000 +0100 +Birth: 2025-07-23 22:15:30.136051900 +0100 + +Cc: stable@vger.kernel.org +Reported-by: David Howells +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -546,7 +546,8 @@ int ksmbd_vfs_getattr(const struct path + { + int err; + +- err = vfs_getattr(path, stat, STATX_BTIME, AT_STATX_SYNC_AS_STAT); ++ err = vfs_getattr(path, stat, STATX_BASIC_STATS | STATX_BTIME, ++ AT_STATX_SYNC_AS_STAT); + if (err) + pr_err("getattr failed, err %d\n", err); + return err; diff --git a/queue-6.15/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch b/queue-6.15/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch new file mode 100644 index 0000000000..7b68d14963 --- /dev/null +++ b/queue-6.15/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch @@ -0,0 +1,60 @@ +From 9b493ab6f35178afd8d619800df9071992f715de Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 21 Jul 2025 14:28:55 +0900 +Subject: ksmbd: fix null pointer dereference error in generate_encryptionkey + +From: Namjae Jeon + +commit 9b493ab6f35178afd8d619800df9071992f715de upstream. + +If client send two session setups with krb5 authenticate to ksmbd, +null pointer dereference error in generate_encryptionkey could happen. +sess->Preauth_HashValue is set to NULL if session is valid. +So this patch skip generate encryption key if session is valid. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27654 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1621,11 +1621,24 @@ static int krb5_authenticate(struct ksmb + + rsp->SecurityBufferLength = cpu_to_le16(out_len); + +- if ((conn->sign || server_conf.enforced_signing) || ++ /* ++ * If session state is SMB2_SESSION_VALID, We can assume ++ * that it is reauthentication. And the user/password ++ * has been verified, so return it here. ++ */ ++ if (sess->state == SMB2_SESSION_VALID) { ++ if (conn->binding) ++ goto binding_session; ++ return 0; ++ } ++ ++ if ((rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE && ++ (conn->sign || server_conf.enforced_signing)) || + (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) + sess->sign = true; + +- if (smb3_encryption_negotiated(conn)) { ++ if (smb3_encryption_negotiated(conn) && ++ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { + retval = conn->ops->generate_encryptionkey(conn, sess); + if (retval) { + ksmbd_debug(SMB, +@@ -1638,6 +1651,7 @@ static int krb5_authenticate(struct ksmb + sess->sign = false; + } + ++binding_session: + if (conn->dialect >= SMB30_PROT_ID) { + chann = lookup_chann_list(sess, conn); + if (!chann) { diff --git a/queue-6.15/ksmbd-fix-preauh_hashvalue-race-condition.patch b/queue-6.15/ksmbd-fix-preauh_hashvalue-race-condition.patch new file mode 100644 index 0000000000..91c958c171 --- /dev/null +++ b/queue-6.15/ksmbd-fix-preauh_hashvalue-race-condition.patch @@ -0,0 +1,43 @@ +From 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Jul 2025 08:13:31 +0900 +Subject: ksmbd: fix Preauh_HashValue race condition + +From: Namjae Jeon + +commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 upstream. + +If client send multiple session setup requests to ksmbd, +Preauh_HashValue race condition could happen. +There is no need to free sess->Preauh_HashValue at session setup phase. +It can be freed together with session at connection termination phase. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27661 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1847,8 +1847,6 @@ int smb2_sess_setup(struct ksmbd_work *w + ksmbd_conn_set_good(conn); + sess->state = SMB2_SESSION_VALID; + } +- kfree(sess->Preauth_HashValue); +- sess->Preauth_HashValue = NULL; + } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) { + if (negblob->MessageType == NtLmNegotiate) { + rc = ntlm_negotiate(work, negblob, negblob_len, rsp); +@@ -1875,8 +1873,6 @@ int smb2_sess_setup(struct ksmbd_work *w + kfree(preauth_sess); + } + } +- kfree(sess->Preauth_HashValue); +- sess->Preauth_HashValue = NULL; + } else { + pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n", + le32_to_cpu(negblob->MessageType)); diff --git a/queue-6.15/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch b/queue-6.15/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch new file mode 100644 index 0000000000..ee61f80f8e --- /dev/null +++ b/queue-6.15/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch @@ -0,0 +1,73 @@ +From e6bb9193974059ddbb0ce7763fa3882bd60d4dc3 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 5 Aug 2025 18:13:13 +0900 +Subject: ksmbd: limit repeated connections from clients with the same IP + +From: Namjae Jeon + +commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3 upstream. + +Repeated connections from clients with the same IP address may exhaust +the max connections and prevent other normal client connections. +This patch limit repeated connections from clients with the same IP. + +Reported-by: tianshuo han +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.h | 1 + + fs/smb/server/transport_tcp.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+) + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -46,6 +46,7 @@ struct ksmbd_conn { + struct mutex srv_mutex; + int status; + unsigned int cli_cap; ++ __be32 inet_addr; + char *request_buf; + struct ksmbd_transport *transport; + struct nls_table *local_nls; +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -87,6 +87,7 @@ static struct tcp_transport *alloc_trans + return NULL; + } + ++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr; + conn->transport = KSMBD_TRANS(t); + KSMBD_TRANS(t)->conn = conn; + KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops; +@@ -230,6 +231,8 @@ static int ksmbd_kthread_fn(void *p) + { + struct socket *client_sk = NULL; + struct interface *iface = (struct interface *)p; ++ struct inet_sock *csk_inet; ++ struct ksmbd_conn *conn; + int ret; + + while (!kthread_should_stop()) { +@@ -248,6 +251,20 @@ static int ksmbd_kthread_fn(void *p) + continue; + } + ++ /* ++ * Limits repeated connections from clients with the same IP. ++ */ ++ csk_inet = inet_sk(client_sk->sk); ++ down_read(&conn_list_lock); ++ list_for_each_entry(conn, &conn_list, conns_list) ++ if (csk_inet->inet_daddr == conn->inet_addr) { ++ ret = -EAGAIN; ++ break; ++ } ++ up_read(&conn_list_lock); ++ if (ret == -EAGAIN) ++ continue; ++ + if (server_conf.max_connections && + atomic_inc_return(&active_num_conn) >= server_conf.max_connections) { + pr_info_ratelimited("Limit the maximum number of connections(%u)\n", diff --git a/queue-6.15/series b/queue-6.15/series index 950ffff3b7..fbb7488562 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -441,3 +441,12 @@ perf-core-prevent-vma-split-of-buffer-mappings.patch selftests-perf_events-add-a-mmap-correctness-test.patch net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch vsock-do-not-allow-binding-to-vmaddr_port_any.patch +ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch +ksmbd-fix-preauh_hashvalue-race-condition.patch +ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch +smb-client-fix-netns-refcount-leak-after-net_passive-changes.patch +smb-client-set-symlink-type-as-native-for-posix-mounts.patch +smb-client-default-to-nonativesocket-under-posix-mounts.patch +ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch +smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch +usb-serial-option-add-foxconn-t99w709.patch diff --git a/queue-6.15/smb-client-default-to-nonativesocket-under-posix-mounts.patch b/queue-6.15/smb-client-default-to-nonativesocket-under-posix-mounts.patch new file mode 100644 index 0000000000..0cc952820a --- /dev/null +++ b/queue-6.15/smb-client-default-to-nonativesocket-under-posix-mounts.patch @@ -0,0 +1,35 @@ +From 6b445309eec2bc0594f3e24c7777aeef891d386e Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 31 Jul 2025 20:46:42 -0300 +Subject: smb: client: default to nonativesocket under POSIX mounts + +From: Paulo Alcantara + +commit 6b445309eec2bc0594f3e24c7777aeef891d386e upstream. + +SMB3.1.1 POSIX mounts require sockets to be created with NFS reparse +points. + +Cc: linux-cifs@vger.kernel.org +Cc: Ralph Boehme +Cc: David Howells +Cc: +Reported-by: Matthew Richardson +Closes: https://marc.info/?i=1124e7cd-6a46-40a6-9f44-b7664a66654b@ed.ac.uk +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/fs_context.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1674,6 +1674,7 @@ static int smb3_fs_context_parse_param(s + pr_warn_once("conflicting posix mount options specified\n"); + ctx->linux_ext = 1; + ctx->no_linux_ext = 0; ++ ctx->nonativesocket = 1; /* POSIX mounts use NFS style reparse points */ + } + break; + case Opt_nocase: diff --git a/queue-6.15/smb-client-fix-netns-refcount-leak-after-net_passive-changes.patch b/queue-6.15/smb-client-fix-netns-refcount-leak-after-net_passive-changes.patch new file mode 100644 index 0000000000..d894c243ab --- /dev/null +++ b/queue-6.15/smb-client-fix-netns-refcount-leak-after-net_passive-changes.patch @@ -0,0 +1,124 @@ +From 59b33fab4ca4d7dacc03367082777627e05d0323 Mon Sep 17 00:00:00 2001 +From: Wang Zhaolong +Date: Thu, 17 Jul 2025 21:29:26 +0800 +Subject: smb: client: fix netns refcount leak after net_passive changes + +From: Wang Zhaolong + +commit 59b33fab4ca4d7dacc03367082777627e05d0323 upstream. + +After commit 5c70eb5c593d ("net: better track kernel sockets lifetime"), +kernel sockets now use net_passive reference counting. However, commit +95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") +restored the manual socket refcount manipulation without adapting to this +new mechanism, causing a memory leak. + +The issue can be reproduced by[1]: +1. Creating a network namespace +2. Mounting and Unmounting CIFS within the namespace +3. Deleting the namespace + +Some memory leaks may appear after a period of time following step 3. + +unreferenced object 0xffff9951419f6b00 (size 256): + comm "ip", pid 447, jiffies 4294692389 (age 14.730s) + hex dump (first 32 bytes): + 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 80 77 c2 44 51 99 ff ff .........w.DQ... + backtrace: + __kmem_cache_alloc_node+0x30e/0x3d0 + __kmalloc+0x52/0x120 + net_alloc_generic+0x1d/0x30 + copy_net_ns+0x86/0x200 + create_new_namespaces+0x117/0x300 + unshare_nsproxy_namespaces+0x60/0xa0 + ksys_unshare+0x148/0x360 + __x64_sys_unshare+0x12/0x20 + do_syscall_64+0x59/0x110 + entry_SYSCALL_64_after_hwframe+0x78/0xe2 +... +unreferenced object 0xffff9951442e7500 (size 32): + comm "mount.cifs", pid 475, jiffies 4294693782 (age 13.343s) + hex dump (first 32 bytes): + 40 c5 38 46 51 99 ff ff 18 01 96 42 51 99 ff ff @.8FQ......BQ... + 01 00 00 00 6f 00 c5 07 6f 00 d8 07 00 00 00 00 ....o...o....... + backtrace: + __kmem_cache_alloc_node+0x30e/0x3d0 + kmalloc_trace+0x2a/0x90 + ref_tracker_alloc+0x8e/0x1d0 + sk_alloc+0x18c/0x1c0 + inet_create+0xf1/0x370 + __sock_create+0xd7/0x1e0 + generic_ip_connect+0x1d4/0x5a0 [cifs] + cifs_get_tcp_session+0x5d0/0x8a0 [cifs] + cifs_mount_get_session+0x47/0x1b0 [cifs] + dfs_mount_share+0xfa/0xa10 [cifs] + cifs_mount+0x68/0x2b0 [cifs] + cifs_smb3_do_mount+0x10b/0x760 [cifs] + smb3_get_tree+0x112/0x2e0 [cifs] + vfs_get_tree+0x29/0xf0 + path_mount+0x2d4/0xa00 + __se_sys_mount+0x165/0x1d0 + +Root cause: +When creating kernel sockets, sk_alloc() calls net_passive_inc() for +sockets with sk_net_refcnt=0. The CIFS code manually converts kernel +sockets to user sockets by setting sk_net_refcnt=1, but doesn't call +the corresponding net_passive_dec(). This creates an imbalance in the +net_passive counter, which prevents the network namespace from being +destroyed when its last user reference is dropped. As a result, the +entire namespace and all its associated resources remain allocated. + +Timeline of patches leading to this issue: +- commit ef7134c7fc48 ("smb: client: Fix use-after-free of network + namespace.") in v6.12 fixed the original netns UAF by manually + managing socket refcounts +- commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after + rmmod") in v6.13 attempted to use kernel sockets but introduced + TCP timer issues +- commit 5c70eb5c593d ("net: better track kernel sockets lifetime") + in v6.14-rc5 introduced the net_passive mechanism with + sk_net_refcnt_upgrade() for proper socket conversion +- commit 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock + after rmmod"") in v6.15-rc3 reverted to manual refcount management + without adapting to the new net_passive changes + +Fix this by using sk_net_refcnt_upgrade() which properly handles the +net_passive counter when converting kernel sockets to user sockets. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220343 [1] +Fixes: 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") +Cc: stable@vger.kernel.org +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Enzo Matsumiya +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -3362,18 +3362,15 @@ generic_ip_connect(struct TCP_Server_Inf + struct net *net = cifs_net_ns(server); + struct sock *sk; + +- rc = __sock_create(net, sfamily, SOCK_STREAM, +- IPPROTO_TCP, &server->ssocket, 1); ++ rc = sock_create_kern(net, sfamily, SOCK_STREAM, ++ IPPROTO_TCP, &server->ssocket); + if (rc < 0) { + cifs_server_dbg(VFS, "Error %d creating socket\n", rc); + return rc; + } + + sk = server->ssocket->sk; +- __netns_tracker_free(net, &sk->ns_tracker, false); +- sk->sk_net_refcnt = 1; +- get_net_track(net, &sk->ns_tracker, GFP_KERNEL); +- sock_inuse_add(net, 1); ++ sk_net_refcnt_upgrade(sk); + + /* BB other socket options to set KEEPALIVE, NODELAY? */ + cifs_dbg(FYI, "Socket created\n"); diff --git a/queue-6.15/smb-client-set-symlink-type-as-native-for-posix-mounts.patch b/queue-6.15/smb-client-set-symlink-type-as-native-for-posix-mounts.patch new file mode 100644 index 0000000000..1edab4f8d9 --- /dev/null +++ b/queue-6.15/smb-client-set-symlink-type-as-native-for-posix-mounts.patch @@ -0,0 +1,132 @@ +From a967e758f8e9d8ce5ef096743393df5e6e51644b Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 31 Jul 2025 20:46:41 -0300 +Subject: smb: client: set symlink type as native for POSIX mounts + +From: Paulo Alcantara + +commit a967e758f8e9d8ce5ef096743393df5e6e51644b upstream. + +SMB3.1.1 POSIX mounts require symlinks to be created natively with +IO_REPARSE_TAG_SYMLINK reparse point. + +Cc: linux-cifs@vger.kernel.org +Cc: Ralph Boehme +Cc: David Howells +Cc: +Reported-by: Matthew Richardson +Closes: https://marc.info/?i=1124e7cd-6a46-40a6-9f44-b7664a66654b@ed.ac.uk +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsfs.c | 2 +- + fs/smb/client/fs_context.c | 18 ------------------ + fs/smb/client/fs_context.h | 18 +++++++++++++++++- + fs/smb/client/link.c | 11 +++-------- + fs/smb/client/reparse.c | 2 +- + 5 files changed, 22 insertions(+), 29 deletions(-) + +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -724,7 +724,7 @@ cifs_show_options(struct seq_file *s, st + else + seq_puts(s, ",nativesocket"); + seq_show_option(s, "symlink", +- cifs_symlink_type_str(get_cifs_symlink_type(cifs_sb))); ++ cifs_symlink_type_str(cifs_symlink_type(cifs_sb))); + + seq_printf(s, ",rsize=%u", cifs_sb->ctx->rsize); + seq_printf(s, ",wsize=%u", cifs_sb->ctx->wsize); +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1851,24 +1851,6 @@ static int smb3_fs_context_parse_param(s + return -EINVAL; + } + +-enum cifs_symlink_type get_cifs_symlink_type(struct cifs_sb_info *cifs_sb) +-{ +- if (cifs_sb->ctx->symlink_type == CIFS_SYMLINK_TYPE_DEFAULT) { +- if (cifs_sb->ctx->mfsymlinks) +- return CIFS_SYMLINK_TYPE_MFSYMLINKS; +- else if (cifs_sb->ctx->sfu_emul) +- return CIFS_SYMLINK_TYPE_SFU; +- else if (cifs_sb->ctx->linux_ext && !cifs_sb->ctx->no_linux_ext) +- return CIFS_SYMLINK_TYPE_UNIX; +- else if (cifs_sb->ctx->reparse_type != CIFS_REPARSE_TYPE_NONE) +- return CIFS_SYMLINK_TYPE_NATIVE; +- else +- return CIFS_SYMLINK_TYPE_NONE; +- } else { +- return cifs_sb->ctx->symlink_type; +- } +-} +- + int smb3_init_fs_context(struct fs_context *fc) + { + struct smb3_fs_context *ctx; +--- a/fs/smb/client/fs_context.h ++++ b/fs/smb/client/fs_context.h +@@ -341,7 +341,23 @@ struct smb3_fs_context { + + extern const struct fs_parameter_spec smb3_fs_parameters[]; + +-extern enum cifs_symlink_type get_cifs_symlink_type(struct cifs_sb_info *cifs_sb); ++static inline enum cifs_symlink_type cifs_symlink_type(struct cifs_sb_info *cifs_sb) ++{ ++ bool posix = cifs_sb_master_tcon(cifs_sb)->posix_extensions; ++ ++ if (cifs_sb->ctx->symlink_type != CIFS_SYMLINK_TYPE_DEFAULT) ++ return cifs_sb->ctx->symlink_type; ++ ++ if (cifs_sb->ctx->mfsymlinks) ++ return CIFS_SYMLINK_TYPE_MFSYMLINKS; ++ else if (cifs_sb->ctx->sfu_emul) ++ return CIFS_SYMLINK_TYPE_SFU; ++ else if (cifs_sb->ctx->linux_ext && !cifs_sb->ctx->no_linux_ext) ++ return posix ? CIFS_SYMLINK_TYPE_NATIVE : CIFS_SYMLINK_TYPE_UNIX; ++ else if (cifs_sb->ctx->reparse_type != CIFS_REPARSE_TYPE_NONE) ++ return CIFS_SYMLINK_TYPE_NATIVE; ++ return CIFS_SYMLINK_TYPE_NONE; ++} + + extern int smb3_init_fs_context(struct fs_context *fc); + extern void smb3_cleanup_fs_context_contents(struct smb3_fs_context *ctx); +--- a/fs/smb/client/link.c ++++ b/fs/smb/client/link.c +@@ -606,14 +606,7 @@ cifs_symlink(struct mnt_idmap *idmap, st + + /* BB what if DFS and this volume is on different share? BB */ + rc = -EOPNOTSUPP; +- switch (get_cifs_symlink_type(cifs_sb)) { +- case CIFS_SYMLINK_TYPE_DEFAULT: +- /* should not happen, get_cifs_symlink_type() resolves the default */ +- break; +- +- case CIFS_SYMLINK_TYPE_NONE: +- break; +- ++ switch (cifs_symlink_type(cifs_sb)) { + case CIFS_SYMLINK_TYPE_UNIX: + #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY + if (pTcon->unix_ext) { +@@ -653,6 +646,8 @@ cifs_symlink(struct mnt_idmap *idmap, st + goto symlink_exit; + } + break; ++ default: ++ break; + } + + if (rc == 0) { +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -38,7 +38,7 @@ int smb2_create_reparse_symlink(const un + struct dentry *dentry, struct cifs_tcon *tcon, + const char *full_path, const char *symname) + { +- switch (get_cifs_symlink_type(CIFS_SB(inode->i_sb))) { ++ switch (cifs_symlink_type(CIFS_SB(inode->i_sb))) { + case CIFS_SYMLINK_TYPE_NATIVE: + return create_native_symlink(xid, inode, dentry, tcon, full_path, symname); + case CIFS_SYMLINK_TYPE_NFS: diff --git a/queue-6.15/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch b/queue-6.15/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch new file mode 100644 index 0000000000..43cfacfa51 --- /dev/null +++ b/queue-6.15/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch @@ -0,0 +1,38 @@ +From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 6 Aug 2025 03:03:49 +0200 +Subject: smb: server: Fix extension string in ksmbd_extract_shortname() + +From: Thorsten Blum + +commit 8e7d178d06e8937454b6d2f2811fa6a15656a214 upstream. + +In ksmbd_extract_shortname(), strscpy() is incorrectly called with the +length of the source string (excluding the NUL terminator) rather than +the size of the destination buffer. This results in "__" being copied +to 'extension' rather than "___" (two underscores instead of three). + +Use the destination buffer size instead to ensure that the string "___" +(three underscores) is copied correctly. + +Cc: stable@vger.kernel.org +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Signed-off-by: Thorsten Blum +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/server/smb_common.c ++++ b/fs/smb/server/smb_common.c +@@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd + + p = strrchr(longname, '.'); + if (p == longname) { /*name starts with a dot*/ +- strscpy(extension, "___", strlen("___")); ++ strscpy(extension, "___", sizeof(extension)); + } else { + if (p) { + p++; diff --git a/queue-6.15/usb-serial-option-add-foxconn-t99w709.patch b/queue-6.15/usb-serial-option-add-foxconn-t99w709.patch new file mode 100644 index 0000000000..ed23c273d3 --- /dev/null +++ b/queue-6.15/usb-serial-option-add-foxconn-t99w709.patch @@ -0,0 +1,51 @@ +From ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Mon, 21 Jul 2025 19:39:19 +0800 +Subject: USB: serial: option: add Foxconn T99W709 + +From: Slark Xiao + +commit ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 upstream. + +T99W709 is designed based on MTK T300(5G redcap) chip. There are +7 serial ports to be enumerated: AP_LOG, GNSS, AP_META, AT, +MD_META, NPT, DBG. RSVD(5) for ADB port. + +test evidence as below: +T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e15f Rev=00.01 +S: Manufacturer=MediaTek Inc. +S: Product=USB DATA CARD +S: SerialNumber=355511220000399 +C: #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option + +Signed-off-by: Slark Xiao +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2346,6 +2346,8 @@ static const struct usb_device_id option + .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */ + .driver_info = RSVD(5) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */ ++ .driver_info = RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe167, 0xff), /* Foxconn T99W640 MBIM */ + .driver_info = RSVD(3) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */