--- /dev/null
+From 4f8ff9486fd94b9d6a4932f2aefb9f2fc3bd0cf6 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 25 Jul 2025 10:33:28 +0900
+Subject: ksmbd: fix corrupted mtime and ctime in smb2_open
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 4f8ff9486fd94b9d6a4932f2aefb9f2fc3bd0cf6 upstream.
+
+If STATX_BASIC_STATS flags are not given as an argument to vfs_getattr,
+It can not get ctime and mtime in kstat.
+
+This causes a problem showing mtime and ctime outdated from cifs.ko.
+File: /xfstest.test/foo
+Size: 4096 Blocks: 8 IO Block: 1048576 regular file
+Device: 0,65 Inode: 2033391 Links: 1
+Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
+Context: system_u:object_r:cifs_t:s0
+Access: 2025-07-23 22:15:30.136051900 +0100
+Modify: 1970-01-01 01:00:00.000000000 +0100
+Change: 1970-01-01 01:00:00.000000000 +0100
+Birth: 2025-07-23 22:15:30.136051900 +0100
+
+Cc: stable@vger.kernel.org
+Reported-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -563,7 +563,8 @@ int ksmbd_vfs_getattr(const struct path
+ {
+ int err;
+
+- err = vfs_getattr(path, stat, STATX_BTIME, AT_STATX_SYNC_AS_STAT);
++ err = vfs_getattr(path, stat, STATX_BASIC_STATS | STATX_BTIME,
++ AT_STATX_SYNC_AS_STAT);
+ if (err)
+ pr_err("getattr failed, err %d\n", err);
+ return err;
--- /dev/null
+From 9b493ab6f35178afd8d619800df9071992f715de Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Mon, 21 Jul 2025 14:28:55 +0900
+Subject: ksmbd: fix null pointer dereference error in generate_encryptionkey
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 9b493ab6f35178afd8d619800df9071992f715de upstream.
+
+If client send two session setups with krb5 authenticate to ksmbd,
+null pointer dereference error in generate_encryptionkey could happen.
+sess->Preauth_HashValue is set to NULL if session is valid.
+So this patch skip generate encryption key if session is valid.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27654
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1610,11 +1610,24 @@ static int krb5_authenticate(struct ksmb
+
+ rsp->SecurityBufferLength = cpu_to_le16(out_len);
+
+- if ((conn->sign || server_conf.enforced_signing) ||
++ /*
++ * If session state is SMB2_SESSION_VALID, We can assume
++ * that it is reauthentication. And the user/password
++ * has been verified, so return it here.
++ */
++ if (sess->state == SMB2_SESSION_VALID) {
++ if (conn->binding)
++ goto binding_session;
++ return 0;
++ }
++
++ if ((rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE &&
++ (conn->sign || server_conf.enforced_signing)) ||
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ sess->sign = true;
+
+- if (smb3_encryption_negotiated(conn)) {
++ if (smb3_encryption_negotiated(conn) &&
++ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+ retval = conn->ops->generate_encryptionkey(conn, sess);
+ if (retval) {
+ ksmbd_debug(SMB,
+@@ -1627,6 +1640,7 @@ static int krb5_authenticate(struct ksmb
+ sess->sign = false;
+ }
+
++binding_session:
+ if (conn->dialect >= SMB30_PROT_ID) {
+ chann = lookup_chann_list(sess, conn);
+ if (!chann) {
--- /dev/null
+From 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 25 Jul 2025 08:13:31 +0900
+Subject: ksmbd: fix Preauh_HashValue race condition
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 upstream.
+
+If client send multiple session setup requests to ksmbd,
+Preauh_HashValue race condition could happen.
+There is no need to free sess->Preauh_HashValue at session setup phase.
+It can be freed together with session at connection termination phase.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27661
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1831,8 +1831,6 @@ int smb2_sess_setup(struct ksmbd_work *w
+ ksmbd_conn_set_good(conn);
+ sess->state = SMB2_SESSION_VALID;
+ }
+- kfree(sess->Preauth_HashValue);
+- sess->Preauth_HashValue = NULL;
+ } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
+ if (negblob->MessageType == NtLmNegotiate) {
+ rc = ntlm_negotiate(work, negblob, negblob_len, rsp);
+@@ -1859,8 +1857,6 @@ int smb2_sess_setup(struct ksmbd_work *w
+ kfree(preauth_sess);
+ }
+ }
+- kfree(sess->Preauth_HashValue);
+- sess->Preauth_HashValue = NULL;
+ } else {
+ pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n",
+ le32_to_cpu(negblob->MessageType));
--- /dev/null
+From e6bb9193974059ddbb0ce7763fa3882bd60d4dc3 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 5 Aug 2025 18:13:13 +0900
+Subject: ksmbd: limit repeated connections from clients with the same IP
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3 upstream.
+
+Repeated connections from clients with the same IP address may exhaust
+the max connections and prevent other normal client connections.
+This patch limit repeated connections from clients with the same IP.
+
+Reported-by: tianshuo han <hantianshuo233@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.h | 1 +
+ fs/smb/server/transport_tcp.c | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+)
+
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -45,6 +45,7 @@ struct ksmbd_conn {
+ struct mutex srv_mutex;
+ int status;
+ unsigned int cli_cap;
++ __be32 inet_addr;
+ char *request_buf;
+ struct ksmbd_transport *transport;
+ struct nls_table *local_nls;
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -87,6 +87,7 @@ static struct tcp_transport *alloc_trans
+ return NULL;
+ }
+
++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
+ conn->transport = KSMBD_TRANS(t);
+ KSMBD_TRANS(t)->conn = conn;
+ KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops;
+@@ -230,6 +231,8 @@ static int ksmbd_kthread_fn(void *p)
+ {
+ struct socket *client_sk = NULL;
+ struct interface *iface = (struct interface *)p;
++ struct inet_sock *csk_inet;
++ struct ksmbd_conn *conn;
+ int ret;
+
+ while (!kthread_should_stop()) {
+@@ -248,6 +251,20 @@ static int ksmbd_kthread_fn(void *p)
+ continue;
+ }
+
++ /*
++ * Limits repeated connections from clients with the same IP.
++ */
++ csk_inet = inet_sk(client_sk->sk);
++ down_read(&conn_list_lock);
++ list_for_each_entry(conn, &conn_list, conns_list)
++ if (csk_inet->inet_daddr == conn->inet_addr) {
++ ret = -EAGAIN;
++ break;
++ }
++ up_read(&conn_list_lock);
++ if (ret == -EAGAIN)
++ continue;
++
+ if (server_conf.max_connections &&
+ atomic_inc_return(&active_num_conn) >= server_conf.max_connections) {
+ pr_info_ratelimited("Limit the maximum number of connections(%u)\n",
selftests-perf_events-add-a-mmap-correctness-test.patch
net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch
vsock-do-not-allow-binding-to-vmaddr_port_any.patch
+ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch
+ksmbd-fix-preauh_hashvalue-race-condition.patch
+ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch
+ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch
+smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch
+usb-serial-option-add-foxconn-t99w709.patch
--- /dev/null
+From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 6 Aug 2025 03:03:49 +0200
+Subject: smb: server: Fix extension string in ksmbd_extract_shortname()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 8e7d178d06e8937454b6d2f2811fa6a15656a214 upstream.
+
+In ksmbd_extract_shortname(), strscpy() is incorrectly called with the
+length of the source string (excluding the NUL terminator) rather than
+the size of the destination buffer. This results in "__" being copied
+to 'extension' rather than "___" (two underscores instead of three).
+
+Use the destination buffer size instead to ensure that the string "___"
+(three underscores) is copied correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb_common.c
++++ b/fs/smb/server/smb_common.c
+@@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd
+
+ p = strrchr(longname, '.');
+ if (p == longname) { /*name starts with a dot*/
+- strscpy(extension, "___", strlen("___"));
++ strscpy(extension, "___", sizeof(extension));
+ } else {
+ if (p) {
+ p++;
--- /dev/null
+From ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 Mon Sep 17 00:00:00 2001
+From: Slark Xiao <slark_xiao@163.com>
+Date: Mon, 21 Jul 2025 19:39:19 +0800
+Subject: USB: serial: option: add Foxconn T99W709
+
+From: Slark Xiao <slark_xiao@163.com>
+
+commit ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 upstream.
+
+T99W709 is designed based on MTK T300(5G redcap) chip. There are
+7 serial ports to be enumerated: AP_LOG, GNSS, AP_META, AT,
+MD_META, NPT, DBG. RSVD(5) for ADB port.
+
+test evidence as below:
+T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0489 ProdID=e15f Rev=00.01
+S: Manufacturer=MediaTek Inc.
+S: Product=USB DATA CARD
+S: SerialNumber=355511220000399
+C: #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2346,6 +2346,8 @@ static const struct usb_device_id option
+ .driver_info = RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */
+ .driver_info = RSVD(5) | RSVD(6) },
++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */
++ .driver_info = RSVD(5) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe167, 0xff), /* Foxconn T99W640 MBIM */
+ .driver_info = RSVD(3) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */
projects / thirdparty / kernel / stable-queue.git / commitdiff
