[GIT PULL] ksmbd server fixes
From: Steve French
Date: Fri Jun 26 2026 - 10:18:36 EST
Please pull the following changes since commit dac3b26eae7bee261fa05f20c3fcc24988a7c233:

  Merge tag 'v7.2-rc-part1-ksmbd-fixes' of git://git.samba.org/ksmbd (2026-06-18 09:21:50 -0700)

are available in the Git repository at:

  git://git.samba.org/ksmbd.git tags/v7.2-rc-part2-smb3-server-fixes

for you to fetch changes up to da793cf6d60233f47ea5e7e9e39425d71dfcdb79:

  ksmbd: fix kernel-doc warnings in smb2_lease_break_noti() (2026-06-23 17:52:42 -0500)
----------------------------------------------------------------
50 ksmbd server fixes
This is mostly a correctness and compatibility update for ksmbd's SMB2/3
lease, oplock, durable handle, compound request, CREATE, rename, stream and
share-mode handling. A large part of the series fixes cases found by
smbtorture where ksmbd diverged from the SMB2/3 protocol requirements.
The main changes are:
- Rework SMB2 lease state handling so lease state is shared per
ClientGuid/LeaseKey across opens, with better validation of lease create
contexts, ACK handling, epochs, break-in-progress reporting, v2 lease
notification routing, and chained lease breaks.
- Fix several oplock break corner cases, including ACK validation, timeout
downgrade behavior, level-II break handling on unlink, share-conflict
lease breaks, and read-control/stat-open behavior.
- Fix durable handle behavior around delete-on-close, stale reconnects,
reconnect context parsing, oplock/lease break invalidation, and durable
v2 AppInstanceId replacement.
- Fix compound request handling so related commands propagate failed
statuses correctly, preserve response framing across chained errors, keep
compound FIDs across READ/WRITE/FLUSH, and send interim STATUS_PENDING
where clients expect cancellable compound I/O.
- Tighten CREATE and stream semantics, including create attribute
validation, allocation size reporting, explicit create security
descriptors, unnamed DATA stream handling, stream directory validation,
and stream delete sharing against the base file.
- Fix rename and metadata behavior, including parent directory sharing
checks, denying directory rename with open children, and preserving SMB
ChangeTime across rename for open handles.
- Fix two important safety issues: a multichannel byte-range lock list
owner race that could lead to use-after-free, and an NTLMv2 session key
update before authentication proof validation.
- Fix a concurrent SMB2 NEGOTIATE preauth use-after-free, a UBSAN warning
in compression capability parsing, a false hung-task warning in the
durable handle scavenger, endian debug logging, Smatch indentation
warnings, and kernel-doc warnings.
- Increase the default SMB3 transaction size from 1MB to 4MB to better
match modern read/write negotiation and improve sequential I/O behavior.
----------------------------------------------------------------
ChenXiaoSong (1):
smb/server: fix debug log endianness in smb2_cancel()
Gil Portnoy (1):
ksmbd: fix use-after-free of conn->preauth_info in concurrent SMB2 NEGOTIATE
Haofeng Li (1):
ksmbd: validate NTLMv2 response before updating session key
Namjae Jeon (47):
ksmbd: track the connection owning a byte-range lock
ksmbd: validate SMB2 lease create contexts
ksmbd: use connection ClientGUID for lease lookup
ksmbd: fix lease break and ack state handling
ksmbd: clean up lease response flags and directory leases
ksmbd: share SMB2 lease state across opens
ksmbd: align SMB2 oplock break ack handling
ksmbd: treat unnamed DATA stream as base file
ksmbd: compute lease break-in-progress flag on response
ksmbd: chain pending lease breaks before waking waiters
ksmbd: do not wait for RH lease break ack on overwrite
ksmbd: honor SMB2 v2 lease epochs
ksmbd: break RH leases before delete-on-close
ksmbd: route v2 lease breaks on the client lease channel
ksmbd: keep common response iovecs in the work item
ksmbd: handle missing create contexts for lease opens
ksmbd: supersede disconnected delete-on-close durable handle
ksmbd: invalidate durable handles on oplock break
ksmbd: fix durable reconnect context parsing
ksmbd: handle durable v2 app instance id
ksmbd: preserve open change time across rename
ksmbd: check parent directory sharing conflicts on rename
ksmbd: deny renaming directory with open children
ksmbd: propagate failed command status in related compounds
ksmbd: validate handle for create or get object id
ksmbd: preserve compound responses for chained errors
ksmbd: return success for deferred final close
ksmbd: send pending interim for last compound I/O
ksmbd: honor stream delete sharing for base file
ksmbd: reject empty-attribute synchronize-only create
ksmbd: tighten create file attribute validation
ksmbd: return requested create allocation size
ksmbd: apply create security descriptor first
ksmbd: downgrade oplock after break timeout
ksmbd: avoid level II oplock break notification on unlink
ksmbd: return oplock protocol error for level II ack
ksmbd: normalize ungrantable lease states
ksmbd: break handle caching for share conflicts
ksmbd: break conflicting-open leases only as far as needed
ksmbd: validate :: stream type against directory create
ksmbd: treat read-control opens as stat opens only for leases
ksmbd: start file id allocation at 1
ksmbd: sleep interruptibly in the durable handle scavenger
ksmbd: fix UBSAN array-index-out-of-bounds in decode_compress_ctxt()
ksmbd: increase SMB3_DEFAULT_TRANS_SIZE from 1MB to 4MB
ksmbd: fix inconsistent indenting warnings
ksmbd: fix kernel-doc warnings in smb2_lease_break_noti()
 fs/smb/server/auth.c       |  20 +-
 fs/smb/server/ksmbd_work.c |  58 ++--
 fs/smb/server/ksmbd_work.h |   4 +
 fs/smb/server/misc.c       |  14 +-
 fs/smb/server/oplock.c     | 679 +++++++++++++++++++++++++++++++--------------
 fs/smb/server/oplock.h     |  14 +-
 fs/smb/server/smb2pdu.c    | 676 +++++++++++++++++++++++++++++++-------------
 fs/smb/server/smb2pdu.h    |   2 +-
 fs/smb/server/vfs.c        |  12 +-
 fs/smb/server/vfs_cache.c  | 265 +++++++++++++++++-
 fs/smb/server/vfs_cache.h  |  18 +-
 11 files changed, 1317 insertions(+), 445 deletions(-)
--
Thanks,
Steve