From cdbf592ea7194acc990a106553e62eb83c337e2c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 Aug 2025 13:55:47 +0200 Subject: [PATCH] 6.6-stable patches added patches: ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch ksmbd-fix-preauh_hashvalue-race-condition.patch ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch usb-serial-option-add-foxconn-t99w709.patch --- ...rrupted-mtime-and-ctime-in-smb2_open.patch | 44 +++++++++++ ...ence-error-in-generate_encryptionkey.patch | 60 +++++++++++++++ ...-fix-preauh_hashvalue-race-condition.patch | 43 +++++++++++ ...ctions-from-clients-with-the-same-ip.patch | 73 +++++++++++++++++++ queue-6.6/series | 6 ++ ...on-string-in-ksmbd_extract_shortname.patch | 38 ++++++++++ ...sb-serial-option-add-foxconn-t99w709.patch | 51 +++++++++++++ 7 files changed, 315 insertions(+) create mode 100644 queue-6.6/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch create mode 100644 queue-6.6/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch create mode 100644 queue-6.6/ksmbd-fix-preauh_hashvalue-race-condition.patch create mode 100644 queue-6.6/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch create mode 100644 queue-6.6/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch create mode 100644 queue-6.6/usb-serial-option-add-foxconn-t99w709.patch diff --git a/queue-6.6/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch b/queue-6.6/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch new file mode 100644 index 0000000000..7e9e44e506 --- /dev/null +++ b/queue-6.6/ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch @@ -0,0 +1,44 @@ +From 4f8ff9486fd94b9d6a4932f2aefb9f2fc3bd0cf6 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Jul 2025 10:33:28 +0900 +Subject: ksmbd: fix corrupted mtime and ctime in smb2_open + +From: Namjae Jeon + +commit 4f8ff9486fd94b9d6a4932f2aefb9f2fc3bd0cf6 upstream. + +If STATX_BASIC_STATS flags are not given as an argument to vfs_getattr, +It can not get ctime and mtime in kstat. + +This causes a problem showing mtime and ctime outdated from cifs.ko. +File: /xfstest.test/foo +Size: 4096 Blocks: 8 IO Block: 1048576 regular file +Device: 0,65 Inode: 2033391 Links: 1 +Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) +Context: system_u:object_r:cifs_t:s0 +Access: 2025-07-23 22:15:30.136051900 +0100 +Modify: 1970-01-01 01:00:00.000000000 +0100 +Change: 1970-01-01 01:00:00.000000000 +0100 +Birth: 2025-07-23 22:15:30.136051900 +0100 + +Cc: stable@vger.kernel.org +Reported-by: David Howells +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -563,7 +563,8 @@ int ksmbd_vfs_getattr(const struct path + { + int err; + +- err = vfs_getattr(path, stat, STATX_BTIME, AT_STATX_SYNC_AS_STAT); ++ err = vfs_getattr(path, stat, STATX_BASIC_STATS | STATX_BTIME, ++ AT_STATX_SYNC_AS_STAT); + if (err) + pr_err("getattr failed, err %d\n", err); + return err; diff --git a/queue-6.6/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch b/queue-6.6/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch new file mode 100644 index 0000000000..1edfdff3dd --- /dev/null +++ b/queue-6.6/ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch @@ -0,0 +1,60 @@ +From 9b493ab6f35178afd8d619800df9071992f715de Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 21 Jul 2025 14:28:55 +0900 +Subject: ksmbd: fix null pointer dereference error in generate_encryptionkey + +From: Namjae Jeon + +commit 9b493ab6f35178afd8d619800df9071992f715de upstream. + +If client send two session setups with krb5 authenticate to ksmbd, +null pointer dereference error in generate_encryptionkey could happen. +sess->Preauth_HashValue is set to NULL if session is valid. +So this patch skip generate encryption key if session is valid. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27654 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1610,11 +1610,24 @@ static int krb5_authenticate(struct ksmb + + rsp->SecurityBufferLength = cpu_to_le16(out_len); + +- if ((conn->sign || server_conf.enforced_signing) || ++ /* ++ * If session state is SMB2_SESSION_VALID, We can assume ++ * that it is reauthentication. And the user/password ++ * has been verified, so return it here. ++ */ ++ if (sess->state == SMB2_SESSION_VALID) { ++ if (conn->binding) ++ goto binding_session; ++ return 0; ++ } ++ ++ if ((rsp->SessionFlags != SMB2_SESSION_FLAG_IS_GUEST_LE && ++ (conn->sign || server_conf.enforced_signing)) || + (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) + sess->sign = true; + +- if (smb3_encryption_negotiated(conn)) { ++ if (smb3_encryption_negotiated(conn) && ++ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { + retval = conn->ops->generate_encryptionkey(conn, sess); + if (retval) { + ksmbd_debug(SMB, +@@ -1627,6 +1640,7 @@ static int krb5_authenticate(struct ksmb + sess->sign = false; + } + ++binding_session: + if (conn->dialect >= SMB30_PROT_ID) { + chann = lookup_chann_list(sess, conn); + if (!chann) { diff --git a/queue-6.6/ksmbd-fix-preauh_hashvalue-race-condition.patch b/queue-6.6/ksmbd-fix-preauh_hashvalue-race-condition.patch new file mode 100644 index 0000000000..0aa269ec45 --- /dev/null +++ b/queue-6.6/ksmbd-fix-preauh_hashvalue-race-condition.patch @@ -0,0 +1,43 @@ +From 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Jul 2025 08:13:31 +0900 +Subject: ksmbd: fix Preauh_HashValue race condition + +From: Namjae Jeon + +commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 upstream. + +If client send multiple session setup requests to ksmbd, +Preauh_HashValue race condition could happen. +There is no need to free sess->Preauh_HashValue at session setup phase. +It can be freed together with session at connection termination phase. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27661 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1831,8 +1831,6 @@ int smb2_sess_setup(struct ksmbd_work *w + ksmbd_conn_set_good(conn); + sess->state = SMB2_SESSION_VALID; + } +- kfree(sess->Preauth_HashValue); +- sess->Preauth_HashValue = NULL; + } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) { + if (negblob->MessageType == NtLmNegotiate) { + rc = ntlm_negotiate(work, negblob, negblob_len, rsp); +@@ -1859,8 +1857,6 @@ int smb2_sess_setup(struct ksmbd_work *w + kfree(preauth_sess); + } + } +- kfree(sess->Preauth_HashValue); +- sess->Preauth_HashValue = NULL; + } else { + pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n", + le32_to_cpu(negblob->MessageType)); diff --git a/queue-6.6/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch b/queue-6.6/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch new file mode 100644 index 0000000000..a43d2ca34e --- /dev/null +++ b/queue-6.6/ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch @@ -0,0 +1,73 @@ +From e6bb9193974059ddbb0ce7763fa3882bd60d4dc3 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 5 Aug 2025 18:13:13 +0900 +Subject: ksmbd: limit repeated connections from clients with the same IP + +From: Namjae Jeon + +commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3 upstream. + +Repeated connections from clients with the same IP address may exhaust +the max connections and prevent other normal client connections. +This patch limit repeated connections from clients with the same IP. + +Reported-by: tianshuo han +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.h | 1 + + fs/smb/server/transport_tcp.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+) + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -45,6 +45,7 @@ struct ksmbd_conn { + struct mutex srv_mutex; + int status; + unsigned int cli_cap; ++ __be32 inet_addr; + char *request_buf; + struct ksmbd_transport *transport; + struct nls_table *local_nls; +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -87,6 +87,7 @@ static struct tcp_transport *alloc_trans + return NULL; + } + ++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr; + conn->transport = KSMBD_TRANS(t); + KSMBD_TRANS(t)->conn = conn; + KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops; +@@ -230,6 +231,8 @@ static int ksmbd_kthread_fn(void *p) + { + struct socket *client_sk = NULL; + struct interface *iface = (struct interface *)p; ++ struct inet_sock *csk_inet; ++ struct ksmbd_conn *conn; + int ret; + + while (!kthread_should_stop()) { +@@ -248,6 +251,20 @@ static int ksmbd_kthread_fn(void *p) + continue; + } + ++ /* ++ * Limits repeated connections from clients with the same IP. ++ */ ++ csk_inet = inet_sk(client_sk->sk); ++ down_read(&conn_list_lock); ++ list_for_each_entry(conn, &conn_list, conns_list) ++ if (csk_inet->inet_daddr == conn->inet_addr) { ++ ret = -EAGAIN; ++ break; ++ } ++ up_read(&conn_list_lock); ++ if (ret == -EAGAIN) ++ continue; ++ + if (server_conf.max_connections && + atomic_inc_return(&active_num_conn) >= server_conf.max_connections) { + pr_info_ratelimited("Limit the maximum number of connections(%u)\n", diff --git a/queue-6.6/series b/queue-6.6/series index a60ed43e2b..b8dd6e54bb 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -234,3 +234,9 @@ perf-core-prevent-vma-split-of-buffer-mappings.patch selftests-perf_events-add-a-mmap-correctness-test.patch net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch vsock-do-not-allow-binding-to-vmaddr_port_any.patch +ksmbd-fix-null-pointer-dereference-error-in-generate_encryptionkey.patch +ksmbd-fix-preauh_hashvalue-race-condition.patch +ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch +ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch +smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch +usb-serial-option-add-foxconn-t99w709.patch diff --git a/queue-6.6/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch b/queue-6.6/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch new file mode 100644 index 0000000000..43cfacfa51 --- /dev/null +++ b/queue-6.6/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch @@ -0,0 +1,38 @@ +From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 6 Aug 2025 03:03:49 +0200 +Subject: smb: server: Fix extension string in ksmbd_extract_shortname() + +From: Thorsten Blum + +commit 8e7d178d06e8937454b6d2f2811fa6a15656a214 upstream. + +In ksmbd_extract_shortname(), strscpy() is incorrectly called with the +length of the source string (excluding the NUL terminator) rather than +the size of the destination buffer. This results in "__" being copied +to 'extension' rather than "___" (two underscores instead of three). + +Use the destination buffer size instead to ensure that the string "___" +(three underscores) is copied correctly. + +Cc: stable@vger.kernel.org +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Signed-off-by: Thorsten Blum +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/server/smb_common.c ++++ b/fs/smb/server/smb_common.c +@@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd + + p = strrchr(longname, '.'); + if (p == longname) { /*name starts with a dot*/ +- strscpy(extension, "___", strlen("___")); ++ strscpy(extension, "___", sizeof(extension)); + } else { + if (p) { + p++; diff --git a/queue-6.6/usb-serial-option-add-foxconn-t99w709.patch b/queue-6.6/usb-serial-option-add-foxconn-t99w709.patch new file mode 100644 index 0000000000..ed23c273d3 --- /dev/null +++ b/queue-6.6/usb-serial-option-add-foxconn-t99w709.patch @@ -0,0 +1,51 @@ +From ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Mon, 21 Jul 2025 19:39:19 +0800 +Subject: USB: serial: option: add Foxconn T99W709 + +From: Slark Xiao + +commit ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 upstream. + +T99W709 is designed based on MTK T300(5G redcap) chip. There are +7 serial ports to be enumerated: AP_LOG, GNSS, AP_META, AT, +MD_META, NPT, DBG. RSVD(5) for ADB port. + +test evidence as below: +T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e15f Rev=00.01 +S: Manufacturer=MediaTek Inc. +S: Product=USB DATA CARD +S: SerialNumber=355511220000399 +C: #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option + +Signed-off-by: Slark Xiao +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2346,6 +2346,8 @@ static const struct usb_device_id option + .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */ + .driver_info = RSVD(5) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */ ++ .driver_info = RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe167, 0xff), /* Foxconn T99W640 MBIM */ + .driver_info = RSVD(3) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */ -- 2.47.3