summaryrefslogtreecommitdiff
path: root/fs
AgeCommit message (Collapse)Author
2026-06-27Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linuxLinus Torvalds
Pull fscrypt fixes from Eric Biggers: - Fix a bug where in a specific edge case, file contents en/decryption could be done with the wrong data unit size - Fix the data structure used for keeping track of users that have added an fscrypt key to be a simple list instead of a 'struct key' keyring This fixes issues such as a lockdep report found by syzbot and possible unintended interactions with the keyctl() system calls * tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux: fscrypt: Replace mk_users keyring with simple list fscrypt: Fix key setup in edge case with multiple data unit sizes
2026-06-26Merge tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-clientLinus Torvalds
Pull ceph updates from Ilya Dryomov: "This adds support for manual client session reset in CephFS, allowing operators to get out of tricky livelock situations involving caps and file locks without evicting the problematic client instance on the MDS side or rebooting the client node both of which can be disruptive" * tag 'ceph-for-7.2-rc1' of https://github.com/ceph/ceph-client: ceph: add manual reset debugfs control and tracepoints ceph: add client reset state machine and session teardown ceph: add diagnostic timeout loop to wait_caps_flush() ceph: harden send_mds_reconnect and handle active-MDS peer reset ceph: use proper endian conversion for flock_len in reconnect ceph: convert inode flags to named bit positions and atomic bitops rbd: switch to dynamic root device
2026-06-26Merge tag 'gfs2-for-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 updates from Andreas Gruenbacher: - fix page poisoning not handled correctly when growing files - quota initialization / destruction fixes: sleeping under a bitlock in PREEMPT_RT, broken quota_init error recovery, missing RCU synchronization * tag 'gfs2-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: page poisoning fix gfs2: Remove unused fallocate_chunk argument gfs2: fix use-after-free in gfs2_qd_dealloc gfs2: move quota_init qc iterator increment gfs2: fix quota init duplicate scan
2026-06-26Merge tag 'ecryptfs-7.2-rc1-updates' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull ecryptfs updates from Tyler Hicks: "No functional changes, just code cleanups: - replace kmalloc()/snprintf() with kasprintf() - simplify code flow by removing an unnecessary variable" * tag 'ecryptfs-7.2-rc1-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: ecryptfs: use kasprintf in ecryptfs_crypto_api_algify_cipher_name ecryptfs: remove redundant variable found_auth_tok
2026-06-26Merge tag 'v7.2-rc-part2-smb3-server-fixes' of git://git.samba.org/ksmbdLinus Torvalds
Pull smb server updates from Steve French: "This is mostly a correctness and compatibility update for ksmbd's SMB2/3 lease, oplock, durable handle, compound request, CREATE, rename, stream and share-mode handling. A large part of the series fixes cases found by smbtorture where ksmbd diverged from the SMB2/3 protocol requirements. The main changes are: - Rework SMB2 lease state handling so lease state is shared per ClientGuid/LeaseKey across opens, with better validation of lease create contexts, ACK handling, epochs, break-in-progress reporting, v2 lease notification routing, and chained lease breaks - Fix several oplock break corner cases, including ACK validation, timeout downgrade behavior, level-II break handling on unlink, share-conflict lease breaks, and read-control/stat-open behavior - Fix durable handle behavior around delete-on-close, stale reconnects, reconnect context parsing, oplock/lease break invalidation, and durable v2 AppInstanceId replacement - Fix compound request handling so related commands propagate failed statuses correctly, preserve response framing across chained errors, keep compound FIDs across READ/WRITE/FLUSH, and send interim STATUS_PENDING where clients expect cancellable compound I/O - Tighten CREATE and stream semantics, including create attribute validation, allocation size reporting, explicit create security descriptors, unnamed DATA stream handling, stream directory validation, and stream delete sharing against the base file - Fix rename and metadata behavior, including parent directory sharing checks, denying directory rename with open children, and preserving SMB ChangeTime across rename for open handles - Fix two important safety issues: a multichannel byte-range lock list owner race that could lead to use-after-free, and an NTLMv2 session key update before authentication proof validation - Fix a concurrent SMB2 NEGOTIATE preauth use-after-free, a UBSAN warning in compression capability parsing, a false hung-task warning in the durable handle scavenger, endian debug logging, Smatch indentation warnings, and kernel-doc warnings - Increase the default SMB3 transaction size from 1MB to 4MB to better match modern read/write negotiation and improve sequential I/O behavior" * tag 'v7.2-rc-part2-smb3-server-fixes' of git://git.samba.org/ksmbd: (50 commits) ksmbd: fix kernel-doc warnings in smb2_lease_break_noti() ksmbd: fix inconsistent indenting warnings ksmbd: validate NTLMv2 response before updating session key ksmbd: increase SMB3_DEFAULT_TRANS_SIZE from 1MB to 4MB ksmbd: fix UBSAN array-index-out-of-bounds in decode_compress_ctxt() ksmbd: sleep interruptibly in the durable handle scavenger ksmbd: start file id allocation at 1 ksmbd: treat read-control opens as stat opens only for leases ksmbd: validate :: stream type against directory create ksmbd: break conflicting-open leases only as far as needed ksmbd: break handle caching for share conflicts ksmbd: normalize ungrantable lease states ksmbd: return oplock protocol error for level II ack ksmbd: avoid level II oplock break notification on unlink ksmbd: downgrade oplock after break timeout ksmbd: apply create security descriptor first ksmbd: return requested create allocation size ksmbd: tighten create file attribute validation ksmbd: reject empty-attribute synchronize-only create ksmbd: honor stream delete sharing for base file ...
2026-06-25Merge tag 'v7.2-rc-part2-smb3-client-fixes' of ↵Linus Torvalds
git://git.samba.org/sfrench/cifs-2.6 Pull smb client fixes from Steve French: - fix potential double frees - fix potential memory leak in receiving compound response - querydir improvement - fix chown with smb311 posix extensions - ACL setting fixes - minor debug improvement and cleanup - add some missing protocol defines - sparse file fixes * tag 'v7.2-rc-part2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: define variable sized buffer for querydir responses smb/client: do not account EOF extension as allocation smb/client: preserve errors from smb2_set_sparse() smb: client: Fix next buffer leak in receive_encrypted_standard() smb/client: use %pe to print error pointer smb/client: name the default fallocate mode smb common: add missing AAPL defines smb/client: fix chown/chgrp with SMB3 POSIX Extensions smb/client: fix security flag calculation when setting security descriptors smb: client: refactor ACL setting control flow in id_mode_to_cifs_acl() smb: client: fix query directory replay double-free smb: client: fix change notify replay double-free smb: client: fix query_info() replay double-free smb: client: fix double-free in SMB2_close() replay smb: client: fix double-free in SMB2_ioctl() replay smb: client: fix double-free in SMB2_open() replay smb: client: fix double-free in SMB2_flush() replay
2026-06-25Merge tag 'net-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter and IPsec. Current release - regressions: - do not acquire dev->tx_global_lock in netdev_watchdog_up() - ethtool: keep rtnl_lock for ops using ethtool_op_get_link() - fix deadlock in nested UP notifier events Current release - new code bugs: - eth: - cn20k: fix subbank free list indexing for search order - airoha: fix BQL underflow in shared QDMA TX ring Previous releases - regressions: - netfilter: - flowtable: fix offloaded ct timeout never being extended - nf_conncount: prevent connlimit drops for early confirmed ct Previous releases - always broken: - require CAP_NET_ADMIN in the originating netns when modifying cross-netns devices - report NAPI thread PID in the caller's pid namespace - mac802154: fix dirty frag in in-place crypto for IOT radios - sctp: hold socket lock when dumping endpoints in sctp_diag, avoid an overflow - eth: gve: fix header buffer corruption with header-split and HW-GRO - af_key: initialize alg_key_len for IPComp states, prevent OOB read" * tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits) selftests: bonding: add a test for VLAN propagation over a bonded real device vlan: defer real device state propagation to netdev_work net: add the driver-facing netdev_work scheduling API net: turn the rx_mode work into a generic netdev_work facility net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link() rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) rxrpc: Fix socket notification race rxrpc: Fix potential infinite loop in rxrpc_recvmsg() rxrpc: Fix oob challenge leak in cleanup after notification failure rxrpc: Fix the reception of a reply packet before data transmission afs: Fix uncancelled rxrpc OOB message handler afs: Fix further netns teardown to cancel the preallocation charger rxrpc: Fix double unlock in rxrpc_recvmsg() rxrpc: Fix leak of connection from OOB challenge rxrpc: Fix ACKALL packet handling net: hns3: differentiate autoneg default values between copper and fiber net: hns3: fix permanent link down deadlock after reset net: hns3: refactor MAC autoneg and speed configuration net: hns3: unify copper port ksettings configuration path ...
2026-06-25afs: Fix uncancelled rxrpc OOB message handlerDavid Howells
Fix AFS to cancel its OOB message processing (typically to respond to security challenges). Also move OOB message processing to afs_wq so that it's also waited for and make the OOB handler just return if the net namespace is no longer live. Fixes: 5800b1cf3fd8 ("rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE") Link: https://sashiko.dev/#/patchset/20260609140911.838677-1-dhowells%40redhat.com Signed-off-by: David Howells <dhowells@redhat.com> cc: Li Daming <d4n.for.sec@gmail.com> cc: Ren Wei <n05ec@lzu.edu.cn> cc: Marc Dionne <marc.dionne@auristor.com> cc: Jeffrey Altman <jaltman@auristor.com> cc: Simon Horman <horms@kernel.org> cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260624163819.3017002-6-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-25afs: Fix further netns teardown to cancel the preallocation chargerDavid Howells
When an afs network namespace is torn down, it cancels and waits for the work item that keeps the preallocated rxrpc call/conn/peer queue charged before disabling incoming (i.e. listen 0), but there's a small window in which it can be requeued by an incoming call wending through the I/O thread. Fix this by cancelling the charger work item again after reducing the listen backlog to zero. Fixes: 47694fbc9d24 ("afs: Fix netns teardown to cancel the preallocation charger") Reported-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David Howells <dhowells@redhat.com> Link: https://sashiko.dev/#/patchset/20260609140911.838677-1-dhowells%40redhat.com cc: Li Daming <d4n.for.sec@gmail.com> cc: Ren Wei <n05ec@lzu.edu.cn> cc: Marc Dionne <marc.dionne@auristor.com> cc: Jeffrey Altman <jaltman@auristor.com> cc: Simon Horman <horms@kernel.org> cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260624163819.3017002-5-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-24cifs: define variable sized buffer for querydir responsesShyam Prasad N
QueryDirectory responses today are stored in one of two fixed sized buffers: smallbuf (448 bytes) or bigbuf (16KB). These are borrowed from server struct and are not sufficient for large-sized query dir operations. With this change we will now define a new buffer type specifically for cifs_search_info to hold variable sized responses. These will be allocated by kmalloc and freed by kfree. Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb/client: do not account EOF extension as allocationHuiwen He
cifs_setsize() updates the local inode size after SetEOF succeeds. It also used the new EOF as a local i_blocks estimate, but extending EOF does not prove that the intervening range was allocated. For example, after writing 1 MiB and then extending EOF to 10 MiB, the client can report the file as fully allocated even though the server still reports a much smaller AllocationSize: $ dd if=/dev/zero of=test bs=1M count=1 $ truncate -s 10M test && stat -c 'size=%s blocks=%b' test $ stat --cached=never -c 'size=%s blocks=%b' test client stat: size=10485760 blocks=20480 server stat: size=10485760 blocks=2056 client stat after revalidation: size=10485760 blocks=2056 A later attribute revalidation may correct i_blocks, but callers such as xfstests generic/495 invoke swapon immediately after truncate. The swapfile hole check can therefore observe the inflated local i_blocks value and accept a sparse file. Do not grow i_blocks from cifs_setsize() on EOF extension. Only clamp it on shrink; allocation growth must come from write completion or from server-reported AllocationSize. With this change, EOF extension no longer makes a sparse file appear fully allocated before the next attribute revalidation, and xfstests generic/495 no longer accepts it through the inflated local i_blocks value. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24Merge tag 'ntfs3_for_7.2' of ↵Linus Torvalds
https://github.com/Paragon-Software-Group/linux-ntfs3 Pull ntfs3 updates from Konstantin Komarov: "Added: - depth limit to indx_find_buffer() to prevent stack overflow - validate split-point offset in indx_insert_into_buffer() - bounds check to run_get_highest_vcn() - fileattr_get() and fileattr_set() support - zero stale pagecache beyond valid data length - handle delayed allocation overlap in run lookup - validate lcns_follow in log_replay() conversion - cap RESTART_TABLE free-chain walker at rt->used - resize log->one_page_buf when adopting on-disk page size - reject direct userspace writes to reserved $LX* xattrs Fixed: - out-of-bounds read in decompress_lznt() - avoid -Wmaybe-uninitialized warnings - hold ni_lock across readdir metadata walk - preserve non-DOS attribute bits in system.dos_attrib - validate index entry key bounds - syncing wrong inode on DIRSYNC cross-directory rename - validate Dirty Page Table capacity in log_replay() copy_lcns - wrong LCN in run_remove_range() when splitting a run - allocate iomap inline_data using alloc_page - mount failure on 64K page-size kernels - out-of-bounds read in ntfs_dir_emit() and hdr_find_e() - bound attr_off in UpdateResidentValue against data_off - bound DeleteIndexEntryAllocation memmove length - bound copy_lcns dp->page_lcns[] index in analysis pass - bound NTFS_DE view.data_off in UpdateRecordData{Root,Allocation} - prevent potential lcn remains uninitialized Changed: - bound to_move in indx_insert_into_root() before hdr_insert_head() - call _ntfs_bad_inode() when failing to rename - fold resident writeback into writepages loop - force waiting for direct I/O completion - fold file size handling into ntfs_set_size() - reject SEEK_DATA and SEEK_HOLE past EOF early - format code, add descriptive comments and remove non-useful" * tag 'ntfs3_for_7.2' of https://github.com/Paragon-Software-Group/linux-ntfs3: (34 commits) ntfs3: reject direct userspace writes to reserved $LX* xattrs fs/ntfs3: resize log->one_page_buf when adopting on-disk page size fs/ntfs3: prevent potential lcn remains uninitialized ntfs3: cap RESTART_TABLE free-chain walker at rt->used fs/ntfs3: bound NTFS_DE view.data_off in UpdateRecordData{Root,Allocation} fs/ntfs3: validate lcns_follow in log_replay conversion fs/ntfs3: bound copy_lcns dp->page_lcns[] index in analysis pass fs/ntfs3: bound DeleteIndexEntryAllocation memmove length fs/ntfs3: bound attr_off in UpdateResidentValue against data_off ntfs3: fix out-of-bounds read in ntfs_dir_emit() and hdr_find_e() fs/ntfs3: fix mount failure on 64K page-size kernels ntfs3: avoid another -Wmaybe-uninitialized warning ntfs3: Allocate iomap inline_data using alloc_page fs/ntfs3: format code, deal with comments fs/ntfs3: reject SEEK_DATA and SEEK_HOLE past EOF early fs/ntfs3: fold file size handling into ntfs_set_size() fs/ntfs3: force waiting for direct I/O completion fs/ntfs3: fold resident writeback into writepages loop fs/ntfs3: handle delayed allocation overlap in run lookup fs/ntfs3: zero stale pagecache beyond valid data length ...
2026-06-24smb/client: preserve errors from smb2_set_sparse()Huiwen He
smb2_set_sparse() converts every FSCTL_SET_SPARSE failure to false and marks sparse support as broken for the share. Callers therefore report EOPNOTSUPP even for errors such as ENOSPC or EACCES, and later sparse operations remain disabled until the share is unmounted. Return the SMB2 ioctl error directly. Set broken_sparse_sup only for EOPNOTSUPP, which indicates that the server does not support the request. Update smb3_punch_hole() to propagate the error returned by smb2_set_sparse(). Fixes: 3d1a3745d8ca ("Add sparse file support to SMB2/SMB3 mounts") Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb: client: Fix next buffer leak in receive_encrypted_standard()Haoxiang Li
receive_encrypted_standard() allocates next_buffer before checking whether the number of compound PDUs already reached MAX_COMPOUND. If the limit check fails, the function returns immediately and the newly allocated next_buffer is not assigned to server->smallbuf/server->bigbuf, making it leaked. Move the MAX_COMPOUND check before allocating next_buffer. Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb/client: use %pe to print error pointerFredric Cover
Currently, __reconnect_target_locked() prints the error pointer 'hostname' using PTR_ERR() and %ld, printing only the error code. Fix this by using by using %pe to print the error symbolic code instead, and remove PTR_ERR(). Signed-off-by: Fredric Cover <fredric.cover.lkernel@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb/client: name the default fallocate modeHuiwen He
FALLOC_FL_ALLOCATE_RANGE identifies the default fallocate allocation mode and is defined as zero. Use the symbolic name instead of a literal zero in smb3_fallocate() to make the mode dispatch clearer. This does not change behavior. Signed-off-by: Huiwen He <hehuiwen@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb common: add missing AAPL definesSteve French
Add various defines for AAPL open context, e.g. for queries of server capabilities. Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb/client: fix chown/chgrp with SMB3 POSIX ExtensionsRalph Boehme
Ownership (chown) and group (chgrp) modifications were being ignored when mounting with SMB3 POSIX Extensions unless CIFS_MOUNT_CIFS_ACL or CIFS_MOUNT_MODE_FROM_SID were also explicitly set. Fix this by checking for posix_extensions in cifs_setattr_nounix() when updating UID and GID, ensuring that id_mode_to_cifs_acl() is called to map and set the ownership/group information on the server. Cc: stable@vger.kernel.org Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-24smb/client: fix security flag calculation when setting security descriptorsRalph Boehme
In id_mode_to_cifs_acl(), aclflag was initialized to CIFS_ACL_DACL by default. This forced the client to request setting the DACL even when only an ownership (chown) or group (chgrp) change was being performed. Let build_sec_desc() do the proper flag calculation by initializing aclflag to 0. build_sec_desc() sets the appropriate bits (CIFS_ACL_OWNER, CIFS_ACL_GROUP, or CIFS_ACL_DACL) depending on what actually changed. During ownership transfer, CIFS_ACL_DACL is only set if replace_sids_and_copy_aces() actually replaces the SIDs inside any of the DACL's ACEs. If build_sec_desc() results in aclflag being 0 (meaning no changes were mapped), exit early to avoid sending an empty security descriptor update to the server. Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-23Merge tag 'nfs-for-7.2-1' of git://git.linux-nfs.org/projects/anna/linux-nfsLinus Torvalds
Pull NFS client updates from Anna Schumaker: "New features: - XPRTRDMA: Decouple req recycling from RPC completion - NFS: Expose FMODE_NOWAIT for read-only files Bugfixes: - SUNRPC: - Fix sunrpc sysfs error handling - Fix uninitialized xprt_create_args structure - XPRTRDMA: - Harden connect and reply handling - NFS: - Fix EOF updates after fallocate/zero-range - Keep PG_UPTODATE clear after read errors in page groups - Use nfsi->rwsem to protect traversal of the file lock list - Prevent resource leak in nfs_alloc_server() - NFSv4: - Clear exception state on successful mkdir retry - Don't skip revalidate when holding a dir delegation and attrs are stale - pNFS: - Fix use-after-free in pnfs_update_layout() - Defer return_range callbacks until after inode unlock - Fix LAYOUTCOMMIT retry loop on OLD_STATEID - Reject zero-length r_addr in nfs4_decode_mp_ds_addr - NFS/flexfiles: - Reject zero-length filehandle version arrays - Fix checking if a layout is striped - Fixes for honoring FF_FLAGS_NO_IO_THRU_MDS Other cleanups and improvements: - Remove the fileid field from struct nfs_inode - Move long-delayed xprtrdma work onto the system_dfl_long_wq - Convert xprtrdma send buffer free list to an llist - Show "<redacted>" for cert_serial and privkey_serial mount options" * tag 'nfs-for-7.2-1' of git://git.linux-nfs.org/projects/anna/linux-nfs: (42 commits) NFS: Use common error handling code in nfs_alloc_server() NFS: Prevent resource leak in nfs_alloc_server() NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr nfs: don't skip revalidate on directory delegation when attrs flagged stale xprtrdma: Return sendctx slot after Send preparation failure xprtrdma: Repost Receive buffers for malformed replies xprtrdma: Sanitize the reply credit grant after parsing xprtrdma: Fix bcall rep leak and unbounded peek xprtrdma: Resize reply buffers before reposting receives xprtrdma: Check frwr_wp_create() during connect xprtrdma: Initialize re_id before removal registration xprtrdma: Fix ep kref imbalance on ADDR_CHANGE xprtrdma: Convert send buffer free list to llist NFS: correct CONFIG_NFS_V4 macro name in #endif comment nfs: use nfsi->rwsem to protect traversal of the file lock list NFSv4.1/pNFS: fix LAYOUTCOMMIT retry loop on OLD_STATEID nfs: expose FMODE_NOWAIT for read-only files nfs: add nowait version of nfs_start_io_direct NFSv4/flexfiles: honor FF_FLAGS_NO_IO_THRU_MDS in pg_get_mirror_count_write NFSv4/flexfiles: honor FF_FLAGS_NO_IO_THRU_MDS on fatal DS connect errors ...
2026-06-23Merge tag 'f2fs-for-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs Pull f2fs updates from Jaegeuk Kim: "The changes primarily focus on filesystem error reporting, reducing memory footprint by reverting in-memory data structures used for runtime validation, honoring FDP hints, and adding trace and debug logs. In addition, there are critical bug fixes resolving out-of-bounds read vulnerabilities in inline directory and ACL handling, potential deadlocks in balance_fs, use-after-free issues in atomic writes, and false data/node type assignments in large sections. Enhancements: - Revert in-memory sit version and block bitmaps - support to report fserror - add trace_f2fs_fault_report - add iostat latency tracking for direct IO - add logs in f2fs_disable_checkpoint() - honor per-I/O write streams for direct writes - map data writes to FDP streams - skip inode folio lookup for cached overwrite - skip direct I/O iostat context when disabled - revert "check in-memory block bitmap" - revert "check in-memory sit version bitmap" Fixes: - optimize representative type determination in GC - fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() - fix potential deadlock in f2fs_balance_fs() - fix potential deadlock in gc_merge path of f2fs_balance_fs() - atomic: fix UAF issue on f2fs_inode_info.atomic_inode - fix missing read bio submission on large folio error - pass correct iostat type for single node writes - fix to do sanity check on f2fs_get_node_folio_ra() - validate orphan inode entry count - keep atomic write retry from zeroing original data - read COW data with the original inode during atomic write - validate inline dentry name lengths before conversion - validate dentry name length before lookup compares it - reject setattr size changes on large folio files - revert "remove non-uptodate folio from the page cache in move_data_block" - validate ACL entry sizes in f2fs_acl_from_disk() - bound i_inline_xattr_size for non-inline-xattr inodes - fix listxattr handling of corrupted xattr entries - fix to round down start offset of fallocate for pin file" * tag 'f2fs-for-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs: (42 commits) f2fs: fix to round down start offset of fallocate for pin file f2fs: fix listxattr handling of corrupted xattr entries f2fs: skip direct I/O iostat context when disabled f2fs: remove unneeded f2fs_is_compressed_page() f2fs: avoid unnecessary fscrypt_finalize_bounce_page() f2fs: avoid unnecessary sanity check on ckpt_valid_blocks f2fs: misc cleanup in f2fs_record_stop_reason() f2fs: fix wrong description in printed log f2fs: bound i_inline_xattr_size for non-inline-xattr inodes f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block" f2fs: Split f2fs_write_end_io() f2fs: Rename f2fs_post_read_wq into f2fs_wq f2fs: Prepare for supporting delayed bio completion f2fs: reject setattr size changes on large folio files f2fs: validate dentry name length before lookup compares it f2fs: validate inline dentry name lengths before conversion f2fs: read COW data with the original inode during atomic write f2fs: skip inode folio lookup for cached overwrite f2fs: keep atomic write retry from zeroing original data ...
2026-06-23ksmbd: fix kernel-doc warnings in smb2_lease_break_noti()Namjae Jeon
kernel test robot report missing kernel-doc descriptions for the 'wait_ack' and 'inc_epoch' parameters of smb2_lease_break_noti(): Warning: fs/smb/server/oplock.c:937 function parameter 'wait_ack' not described in 'smb2_lease_break_noti' Warning: fs/smb/server/oplock.c:937 function parameter 'inc_epoch' not described in 'smb2_lease_break_noti' Document both parameters to silence the warnings. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-23ksmbd: fix inconsistent indenting warningsNamjae Jeon
Detected by Smatch. fs/smb/server/oplock.c:1446 smb_grant_oplock() warn: inconsistent indenting Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-23ksmbd: validate NTLMv2 response before updating session keyHaofeng Li
ksmbd_auth_ntlmv2() derives the NTLMv2 session key into sess->sess_key before it verifies the NTLMv2 response. ksmbd_decode_ntlmssp_auth_blob() then continues into KEY_XCH even when ksmbd_auth_ntlmv2() failed. With SMB3 multichannel binding, the failed authentication operates on an existing session and the session setup error path does not expire binding sessions. A client can send a binding session setup with a bad NT proof and KEY_XCH and still modify sess->sess_key before STATUS_LOGON_FAILURE is returned. Relevant path: smb2_sess_setup() -> conn->binding = true -> ntlm_authenticate() -> session_user() -> ksmbd_decode_ntlmssp_auth_blob() -> ksmbd_auth_ntlmv2() -> calc_ntlmv2_hash() -> hmac_md5_usingrawkey(..., sess->sess_key) -> crypto_memneq() returns mismatch -> KEY_XCH arc4_crypt(..., sess->sess_key, ...) -> out_err without expiring the binding session Derive the base session key into a local buffer and copy it to sess->sess_key only after the proof matches. Return immediately on authentication failure so KEY_XCH is only processed after successful authentication. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Fixes: f9929ef6a2a5 ("ksmbd: add support for key exchange") Cc: stable@vger.kernel.org Signed-off-by: Haofeng Li <lihaofeng@kylinos.cn> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-23Merge tag 'mm-stable-2026-06-23-08-55' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull more MM updates from Andrew Morton: - "khugepaged: add mTHP collapse support" (Nico Pache) Provide khugepaged with the capability to collapse anonymous memory regions to mTHPs - "Remove CONFIG_READ_ONLY_THP_FOR_FS and enable file THP for writable files" (Zi Yan) Remove the READ_ONLY_THP_FOR_FS check in file_thp_enabled(), so that khugepaged and MADV_COLLAPSE can run on filesystems with PMD THP pagecache support even without READ_ONLY_THP_FOR_FS enabled - "make MM selftests more CI friendly" (Mike Rapoport) General fixes and cleanups to the MM selftests. Also move more MM selftests under the kselftest framework, making them more amenable to ongoing CI testing - "selftests/mm: fix failures and robustness improvements" and "selftests/mm: assorted fixes for hmm-tests" (Sayali Patil) Fix several issues in MM selftests which were revealed by powerpc 64k pagesize * tag 'mm-stable-2026-06-23-08-55' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (118 commits) Revert "mm: limit filemap_fault readahead to VMA boundaries" mm/vmscan: pass NULL to trace vmscan node reclaim mm: use mapping_mapped to simplify the code selftests/mm: fix exclusive_cow test fork() handling selftests/mm: remove hardcoded THP sizing assumptions in hmm tests selftests/mm: allow PUD-level entries in compound testcase of hmm tests mm/gup_test: reject wrapped user ranges mm/page_frag: reject invalid CPUs in page_frag_test mm/damon/core: always put unsuccessfully committed target pids mm: page_isolation: avoid unsafe folio reads while scanning compound pages mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show() selftests: mm: fix and speedup "droppable" test mm: merge writeout into pageout MAINTAINERS: add Hao Ge as reviewer for codetag and alloc_tag selftests/mm: clarify alternate unmapping in compaction_test selftests/mm: move hwpoison setup into run_test() and silence modprobe output for memory-failure category selftests/mm: skip uffd-stress test when nr_pages_per_cpu is zero selftests/mm: skip uffd-wp-mremap if UFFD write-protect is unsupported selftests/mm: ensure destination is hugetlb-backed in hugetlb-mremap selftest/mm: register existing mapping with userfaultfd in hugetlb-mremap ...
2026-06-22Merge tag 'erofs-for-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs Pull erofs updates from Gao Xiang: "The most notable change is the removal of the fscache backend: it has been deprecated for almost two years, mainly because EROFS file-backed mounts and fanotify pre-content hooks (together with erofs-utils) now provide better functionality and simpler codebase. In addition, fscache has depended on netfslib for years, which is undesirable for EROFS since it is a local filesystem. More details in [1]. In addition, sparse support has been added to the pcluster layout, which is helpful for large sparse AI datasets, and map requests for chunk-based inodes have been optimized to be more efficient as well. There are also the usual fixes and cleanups. Summary: - Report more consecutive chunks of the same type for each iomap request - Add sparse support for the pcluster layout - Update the EROFS documentation overview - Remove the deprecated fscache backend - Various fixes and cleanups" Link: https://lore.kernel.org/r/20260622013622.934174-1-hsiangkao@linux.alibaba.com [1] * tag 'erofs-for-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs: erofs: handle 48-bit blocks_hi for compressed inodes erofs: remove fscache backend entirely erofs: simplify RCU read critical sections erofs: add sparse support to pcluster layout erofs: add folio order to trace_erofs_read_folio erofs: introduce erofs_map_chunks() erofs: call erofs_exit_ishare() before rcu_barrier() erofs: update the overview of the documentation erofs: clean up erofs_ishare_fill_inode()
2026-06-22ksmbd: increase SMB3_DEFAULT_TRANS_SIZE from 1MB to 4MBNamjae Jeon
This patch raises `SMB3_DEFAULT_TRANS_SIZE` to 4MB to align it with `smb2 max read/write`. This allows better I/O negotiation with modern clients and improves sequential read/write performance on high-speed networks. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: fix UBSAN array-index-out-of-bounds in decode_compress_ctxt()Namjae Jeon
decode_compress_ctxt() walks CompressionAlgorithms[] using the client supplied CompressionAlgorithmCount. That field is declared in struct smb2_compression_capabilities_context as a fixed 4-element array, but the number of algorithms is actually variable and clients such as Windows advertise more than four (e.g. LZ77, LZ77+Huffman, LZNT1, Pattern_V1 and LZ4). The on-wire context length is already validated, so the access is within the received buffer, but indexing the statically sized [4] array makes UBSAN report an out-of-bounds access: UBSAN: array-index-out-of-bounds in smb2pdu.c:1122:48 index 4 is out of range for type '__le16 [4]' Call Trace: smb2_handle_negotiate+0xda7/0xde0 [ksmbd] ksmbd_smb_negotiate_common+0x27b/0x3e0 [ksmbd] smb2_negotiate_request+0x14/0x20 [ksmbd] handle_ksmbd_work+0x181/0x500 [ksmbd] Walk the algorithms through a pointer so the fixed-array bounds check is not applied, while keeping the existing length validation that bounds the loop to the data actually received. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: sleep interruptibly in the durable handle scavengerNamjae Jeon
The durable handle scavenger kthread waits up to DURABLE_HANDLE_MAX_TIMEOUT (300 seconds) between scans using wait_event_timeout(), which sleeps in TASK_UNINTERRUPTIBLE. When there are no durable handles pending expiry the task stays in D state far longer than 120 seconds, so the hung task detector prints a bogus "task ksmbd-durable-s blocked for more than 120 seconds" warning with a backtrace, even though the thread is only idle. Use wait_event_interruptible_timeout() so the thread sleeps in TASK_INTERRUPTIBLE, which the hung task detector ignores. This also suits the already-freezable kthread. Treat a negative return (e.g. -ERESTARTSYS) like a timeout when recomputing the next wake interval. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: start file id allocation at 1Namjae Jeon
ksmbd allocates both the volatile id (per-session file table) and the persistent id (global file table) with idr_alloc_cyclic() starting at 0. The first open after the module loads therefore gets volatile id 0 and persistent id 0, and ksmbd returns an SMB2 FileId of {0, 0} in the create response. Clients treat an all-zero FileId as a null handle. smbtorture's smb2_util_handle_empty() considers {0, 0} empty, so tests that guard the close with it (e.g. smb2.oplock.statopen1, smb2.lease.statopen*) never close that first handle. The leaked open keeps the inode's oplock count non-zero, so a later batch oplock request on the same file is downgraded to level II and the test fails. Start the id allocation at 1 (KSMBD_START_FID) so no handle is ever assigned a {0, 0} FileId, matching the behaviour of other SMB servers. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: treat read-control opens as stat opens only for leasesNamjae Jeon
A second open that requests only metadata-level access must not break the existing caching state. ksmbd already skips the break for such opens via fp->attrib_only (FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES and FILE_SYNCHRONIZE). An open requesting only READ_CONTROL (reading the security descriptor) must be treated differently depending on the existing caching state. smbtorture smb2.lease.statopen4 expects a read-control open NOT to break a caching lease, while smb2.oplock.statopen1 expects the same open to break a batch oplock. So READ_CONTROL is a stat open for leases but not for oplocks. Extend the stat-open break-skip in smb_grant_oplock() to also cover a read-control-only open, but only when the existing holder is a lease. The global fp->attrib_only flag (used for share-mode, rename and truncate decisions) is left unchanged so oplock behaviour is preserved. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: validate :: stream type against directory createNamjae Jeon
smb2.streams.dir opens <dir>::$DATA with FILE_DIRECTORY_FILE and expects STATUS_NOT_A_DIRECTORY, then opens <dir>::$DATA without it and expects STATUS_FILE_IS_A_DIRECTORY. Commit "treat unnamed DATA stream as base file" canonicalizes the ::$DATA suffix to a NULL stream name so the open continues through the base-file path. That skipped the stream/directory type validation, which was guarded by "if (stream_name)", so opening a directory's ::$DATA stream with FILE_DIRECTORY_FILE incorrectly returned STATUS_OK and a plain open of it no longer reported STATUS_FILE_IS_A_DIRECTORY. parse_stream_name() still records the explicit $DATA type in s_type even when it clears stream_name. Run the data-stream vs directory validation whenever s_type is DATA_STREAM, not only when stream_name is set, so the canonicalized ::$DATA open is rejected with the correct status. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: break conflicting-open leases only as far as neededNamjae Jeon
smb2.lease.oplock and smb2.lease.breaking1 hold a lease and then issue a single conflicting open on the same file. The held lease must break one step to drop write caching (RWH->RH, RW->R) and then stop, so lease_break_info.count is 1 and the lease keeps its read/handle caching. ksmbd instead cascaded the break all the way down to none (e.g. RWH->RH->R->none), so the break count was 2 or 3 and the reported lease state ended at 0. Commit "chain pending lease breaks before waking waiters" forces break_level to SMB2_OPLOCK_LEVEL_NONE for any non-lease open against a handle-caching lease, which drives oplock_break()'s retry loop down to none even when only one open is contending. Drop that break_level override so a conflicting open breaks a lease only to its own compatible level (level II, i.e. RH/R). A deeper break is still required when a truncating open is also waiting behind the same lease break. smb2.lease.breaking3 keeps a normal open pending through RWH->RH and an overwrite open pending behind it, and expects the lease to continue RH->R->none before either open completes. The overwrite waiter sets open_trunc on the lease while it blocks on the pending break, so extend the retry loop to chain another break while that truncating waiter still needs the lease at none. The per-break open_trunc snapshot stays cleared, so the cascade steps down (RH->R->none) instead of collapsing straight to none, and the normal open stays pending until the lease is fully broken. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: break handle caching for share conflictsNamjae Jeon
smb2.lease.break_twice first opens a file with an RHW lease and then tries a second open with restrictive sharing. That open must fail with a sharing violation, but the existing lease should be broken from RHW to RW because only handle caching conflicts with the requested sharing. ksmbd used the normal write-cache break calculation for this path, so RHW was broken to RH. The following successful open then did not generate the expected second break from RW to R. Pass share-conflict context into the lease break helper and, for lease breaks caused by sharing, drop only SMB2_LEASE_HANDLE_CACHING from the current lease state. Other break paths keep the existing write/truncate break behavior. A share-conflict break must also remain a single break. The triggering open fails with a sharing violation and is never granted, so there is no target oplock level to converge on. The lease break retry loop, however, keeps breaking while the lease level is still above req_op_level, which broke RHW all the way down to R in one open (lease_break_info.count became 2 instead of 1). Skip the again loop for share-conflict breaks so the sharing open produces exactly one RHW->RW break and the later successful open produces the separate RW->R break the test expects. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: normalize ungrantable lease statesNamjae Jeon
smb2.lease.request verifies which SMB2 lease state combinations are granted by the server. Requests for H-only, W-only, and HW leases are valid lease state bitmasks, but they are not grantable combinations and should be returned as lease state none. ksmbd only checked that the requested bits were inside the SMB2 lease state mask. As a result it could grant H-only, W-only, or HW requests and return non-zero lease states where the client expects no lease. Keep the bitmask validation, but normalize ungrantable combinations to zero before allocating or looking up the lease. The grantable combinations remain unchanged: R, RH, RW, and RHW. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: return oplock protocol error for level II ackNamjae Jeon
SMB2 level II to none oplock breaks do not require an acknowledgment from the client. smb2.oplock.levelii500 intentionally acknowledges such a break and expects the server to reject it with STATUS_INVALID_OPLOCK_PROTOCOL. ksmbd drops the local level II oplock to none immediately after sending the break notification because it does not wait for an ACK. When the client then sends the invalid ACK, smb20_oplock_break_ack() sees that the oplock is not in OPLOCK_ACK_WAIT state and returns STATUS_INVALID_DEVICE_STATE before checking the current oplock level. If the oplock is already none when an unexpected SMB2 oplock break ACK arrives, report STATUS_INVALID_OPLOCK_PROTOCOL. Keep the existing STATUS_INVALID_DEVICE_STATE response for other unexpected non-wait states. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: avoid level II oplock break notification on unlinkNamjae Jeon
smb2_util_unlink() opens the target with FILE_DELETE_ON_CLOSE and then closes that handle. Other clients can also mark a file for delete with SMB2 SET_INFO FileDispositionInformation. When these unlink paths break existing SMB2 level II oplocks, ksmbd sends an unsolicited SMB2_OPLOCK_BREAK notification to none. This races with the synchronous CREATE or SET_INFO response expected by the client, and smbtorture reports NT_STATUS_INVALID_NETWORK_RESPONSE while running smb2.oplock.exclusive2. SMB2 level II oplock breaks do not require an acknowledgment in the delete path. Keep lease handling unchanged, but drop plain SMB2 level II oplocks locally for unlink requests without sending a break notification. Normal write/truncate paths still send the level II to none notification, preserving the behavior covered by smb2.oplock.levelII500. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: downgrade oplock after break timeoutNamjae Jeon
smb2.oplock.batch22a opens a file with a batch oplock and then issues a second open that waits for the oplock break timeout. After the timeout the second open should succeed, but the granted oplock level must be level II. When the break times out, oplock_break() returns -ENOENT after invalidating the previous opener. smb_grant_oplock() went straight to set_lev with the original requested oplock level, so the second open could be granted a new batch oplock. Downgrade the requested oplock to level II on the -ENOENT break-timeout path before granting the oplock to the new open. A break that completes because the previous owner closed its handle from the oplock break handler must be distinguished from a real timeout. smb2.oplock.batch7 closes the first handle during the break wait, and the second open is then expected to be granted the originally requested batch oplock. Return -EAGAIN from the non-lease break path when the previous opener closed during the break wait, recheck sharing in smb_grant_oplock(), and grant the requested oplock if the close removed the conflict. Real break timeouts still return -ENOENT and keep the downgrade to level II. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: apply create security descriptor firstNamjae Jeon
smb2.create.aclfile creates files with an SMB2_CREATE_SD_BUFFER create context and expects the resulting security descriptor to match the descriptor supplied by the client. ksmbd currently tries to inherit the parent DACL first and only parses the SMB2_CREATE_SD_BUFFER context when DACL inheritance fails. If inheritance succeeds, the explicit security descriptor supplied on create is ignored. This breaks create requests that include owner/group information in the security descriptor. Apply the create security descriptor first when the context is present. Fall back to the existing inherited/default ACL path only when no create security descriptor was supplied. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: return requested create allocation sizeNamjae Jeon
smb2.create.blob sends an SMB2_CREATE_ALLOCATION_SIZE create context with a 1MiB allocation size and expects the create response AllocationSize field to match the requested size. smb2.create.open additionally compares the AllocationSize returned in the CREATE response with the AllocationSize returned by FILE_ALL_INFORMATION on the same handle. ksmbd applies the allocation with fallocate(), but then fills both the create response and handle-based information from stat.blocks << 9. On filesystems such as ext4 this can include filesystem allocation rounding and metadata effects, causing a response larger than the SMB2 allocation size context and a disagreement between the two queries. Remember the requested allocation size while processing the create context, store the reported allocation size in struct ksmbd_file, and use it for both the create response and handle-based allocation size responses. Update the stored value when FILE_ALLOCATION_INFORMATION changes it, and fall back to stat.blocks << 9 when no allocation size context was provided. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: tighten create file attribute validationNamjae Jeon
smb2.create.gentest checks each create FileAttributes bit independently and expects FILE_ATTRIBUTE_INTEGRITY_STREAM and FILE_ATTRIBUTE_NO_SCRUB_DATA to be rejected with STATUS_INVALID_PARAMETER. ksmbd validates create FileAttributes against FILE_ATTRIBUTE_MASK, which includes those bits. It also rejects only requests that have no known attribute bit at all, so a request containing both known and unknown bits can pass validation. Use a create-specific attribute mask that excludes INTEGRITY_STREAM and NO_SCRUB_DATA, and reject any bit outside that mask. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: reject empty-attribute synchronize-only createNamjae Jeon
smb2.create.gentest checks each desired access bit independently and expects an open that requests only SYNCHRONIZE with CreateDisposition OPEN_IF and FileAttributes 0 to fail with STATUS_ACCESS_DENIED. Rejecting all SYNCHRONIZE-only opens is too broad: SYNCHRONIZE does not imply read, write, or delete data access, and smb2.sharemode.sharemode-access expects a SYNCHRONIZE-only open to succeed when it does not conflict with the existing share mode. Limit the rejection to the gentest create shape: SYNCHRONIZE-only access, OPEN_IF disposition, and no file attributes. Other synchronize-only opens are handled by the normal permission and share-mode checks. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: honor stream delete sharing for base fileNamjae Jeon
smb2.streams.delete opens an alternate data stream without FILE_SHARE_DELETE and then tries to delete the base file. Windows rejects the base-file delete with STATUS_SHARING_VIOLATION while the stream handle is open. ksmbd tracks stream opens on the same ksmbd_inode as the base file, but the delete-on-close path only checked delete access on the base handle before marking the inode delete-pending. As a result, deleting the base file succeeded even though an open stream handle denied delete sharing. Add a helper to detect open stream handles on the same inode that do not allow FILE_SHARE_DELETE, and reject base-file delete pending and DELETE opens with a sharing violation in that case. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: send pending interim for last compound I/ONamjae Jeon
smb2.compound_async.write_write and smb2.compound_async.read_read expect the last I/O request in a compound request to become cancellable before its final response is received. smb clients mark a request cancellable after receiving an interim STATUS_PENDING response. ksmbd handled the last READ/WRITE synchronously and returned the final response directly, so the client never observed STATUS_PENDING and req->cancel.can_cancel remained false. For the last READ or WRITE in a compound request, register the work briefly as async and send a STATUS_PENDING interim response before continuing with the normal synchronous completion. The final READ/WRITE response remains unchanged. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: return success for deferred final closeNamjae Jeon
ksmbd_close_fd() marks an open file as FP_CLOSED and drops the file table reference. If another in-flight request still holds a reference, the final close is deferred until that request drops its reference. The function currently returns -EINVAL in that deferred-final-close case because fp is cleared when the reference count does not reach zero. That turns a valid close into STATUS_FILE_CLOSED. smb2.compound_find.compound_find_close sends QUERY_DIRECTORY and then closes the same directory handle before receiving the find response. The query holds a reference while it builds the response, so close must mark the handle closed and return success even though final teardown is delayed. Track whether the handle was successfully transitioned to FP_CLOSED and return success when only the final close is deferred. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: preserve compound responses for chained errorsNamjae Jeon
set_smb2_rsp_status() resets the response iov and compound offsets before building an error response. That is fine for a single request, but it corrupts a compound response when an error is detected after an earlier compound element has already been completed. smb2.compound.invalid4 sends a READ as the first compound element and a bogus command as the second one. The READ response must remain in the compound response with STATUS_END_OF_FILE, followed by the bogus command response with STATUS_INVALID_PARAMETER. Resetting the response state for the second command breaks the compound framing and the client reports NT_STATUS_INVALID_NETWORK_RESPONSE. When setting an error for a chained command, update and pin only the current compound response slot instead of resetting the whole response. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: validate handle for create or get object idNamjae Jeon
FSCTL_CREATE_OR_GET_OBJECT_ID returned a dummy successful response without checking whether the request handle was valid. That let an invalid related compound handle succeed in smb2.compound.related5, although the client expected STATUS_FILE_CLOSED. Look up the file handle before building the object id response and fail with STATUS_FILE_CLOSED when the handle is invalid or already closed. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: propagate failed command status in related compoundsNamjae Jeon
In a related compound request, later commands can refer to the file handle from an earlier command using the related FID value. If the earlier command fails without producing a valid compound FID, the later related commands must fail with the same status instead of operating on an invalid or stale handle. smb2.compound.related4 sends CREATE followed by IOCTL, CLOSE and SET_INFO. The CREATE is expected to fail with STATUS_ACCESS_DENIED, and the remaining related commands are expected to return STATUS_ACCESS_DENIED as well. ksmbd only stored the compound FID on successful CREATE and did not remember failed compound statuses. Store the failed status in the work item and make related handle-based requests fail immediately with that status only when the compound FID is invalid. Also preserve and consume the related FID across successful FLUSH, READ and WRITE requests whose responses do not carry a file id. Keep a valid compound FID across non-close failures so later related commands can continue to use the handle. When extracting the FID from a successful READ, WRITE or FLUSH request, use the request structure matching the SMB2 command: READ and WRITE place PersistentFileId and VolatileFileId at a different offset than FLUSH, so a single smb2_flush_req cast can save the wrong value as compound_fid and make the following related request fail with STATUS_FILE_CLOSED (smb2.compound_async.write_write after smb2.compound_async.flush_flush). Only update the saved compound FID when the request carries a valid volatile FID. otherwise an all-ones related FID would overwrite the CREATE FID and break smb2.compound.related6. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: deny renaming directory with open childrenNamjae Jeon
Windows denies renaming a directory while a file below that directory is still open. smb2.rename.rename_dir_openfile checks this by keeping a file handle open under the directory and then attempting to rename the directory handle. ksmbd did not check open children before calling vfs_rename(), so the rename incorrectly succeeded. For non-POSIX clients, scan the global open file table for active handles whose dentries are below the directory being renamed. If any child is open, fail the rename with -EACCES so the client receives STATUS_ACCESS_DENIED. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-22ksmbd: check parent directory sharing conflicts on renameNamjae Jeon
When renaming a file, some existing opens on the parent directory must block the rename with STATUS_SHARING_VIOLATION. This includes parent directory handles opened with DELETE access and handles opened without FILE_SHARE_DELETE. ksmbd checked only the parent's desired access for FILE_DELETE. That handled smb2.rename.share_delete_and_delete_access, but missed the case where the parent directory was opened without delete access and without delete sharing, so smb2.rename.no_share_delete_no_delete_access incorrectly succeeded. Attribute-only parent opens, however, must not block the rename. smb2.rename.msword opens the parent directory with only SYNCHRONIZE and FILE_READ_ATTRIBUTES, no share access, and then renames an already-open child file. Windows allows this pattern. Reject parent directory handles that request DELETE access, and reject non-attribute-only parent opens that deny FILE_SHARE_DELETE, while allowing attribute-only parent opens to coexist with child rename. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>