Merge tag 'v6.15rc-part2-ksmbd-server-fixes' of git://git.samba.org/ksmbd

	ses_enc_key = enc ? sess->smb3encryptionkey :

		sess->smb3decryptionkey;

	if (enc)

		ksmbd_user_session_get(sess);

	memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE);

	if (!enc)

		ksmbd_user_session_put(sess);

	return 0;

}

	KSMBD_SESS_EXITING,

	KSMBD_SESS_NEED_RECONNECT,

	KSMBD_SESS_NEED_NEGOTIATE,

	KSMBD_SESS_NEED_SETUP,

	KSMBD_SESS_RELEASING

};

	return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE;

}

static inline bool ksmbd_conn_need_setup(struct ksmbd_conn *conn)

{

	return READ_ONCE(conn->status) == KSMBD_SESS_NEED_SETUP;

}

static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn)

{

	return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT;

	WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE);

}

static inline void ksmbd_conn_set_need_setup(struct ksmbd_conn *conn)

{

	WRITE_ONCE(conn->status, KSMBD_SESS_NEED_SETUP);

}

static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn)

{

	WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT);

	down_write(&sessions_table_lock);

	down_write(&conn->session_lock);

	xa_for_each(&conn->sessions, id, sess) {

		if (atomic_read(&sess->refcnt) == 0 &&

		if (atomic_read(&sess->refcnt) <= 1 &&

		    (sess->state != SMB2_SESSION_VALID ||

		     time_after(jiffies,

			       sess->last_active + SMB2_SESSION_TIMEOUT))) {

				down_write(&conn->session_lock);

				xa_erase(&conn->sessions, sess->id);

				up_write(&conn->session_lock);

				if (atomic_dec_and_test(&sess->refcnt))

					ksmbd_session_destroy(sess);

			}

		}

		if (xa_empty(&sess->ksmbd_chann_list)) {

			xa_erase(&conn->sessions, sess->id);

			hash_del(&sess->hlist);

			if (atomic_dec_and_test(&sess->refcnt))

				ksmbd_session_destroy(sess);

		}

	}

	if (atomic_read(&sess->refcnt) <= 0)

		WARN_ON(1);

	else

		atomic_dec(&sess->refcnt);

	else if (atomic_dec_and_test(&sess->refcnt))

		ksmbd_session_destroy(sess);

}

struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,

	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT);

	err = ksmbd_conn_wait_idle_sess_id(conn, id);

	if (err) {

		ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);

		ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);

		goto out;

	}

	ksmbd_destroy_file_table(&prev_sess->file_table);

	prev_sess->state = SMB2_SESSION_EXPIRED;

	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);

	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);

	ksmbd_launch_ksmbd_durable_scavenger();

out:

	up_write(&conn->session_lock);

	xa_init(&sess->rpc_handle_list);

	sess->sequence_number = 1;

	rwlock_init(&sess->tree_conns_lock);

	atomic_set(&sess->refcnt, 1);

	atomic_set(&sess->refcnt, 2);

	ret = __init_smb2_session(sess);

	if (ret)

	}

	conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode);

	ksmbd_conn_set_need_negotiate(conn);

	ksmbd_conn_set_need_setup(conn);

err_out:

	ksmbd_conn_unlock(conn);

	if (sess->Preauth_HashValue)

		return 0;

	if (!conn->preauth_info)

		return -ENOMEM;

	sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue,

					  PREAUTH_HASHVALUE_SIZE, KSMBD_DEFAULT_GFP);

	if (!sess->Preauth_HashValue)

	ksmbd_debug(SMB, "Received smb2 session setup request\n");

	if (!ksmbd_conn_need_setup(conn) && !ksmbd_conn_good(conn)) {

		work->send_no_response = 1;

		return rc;

	}

	WORK_BUFFERS(work, req, rsp);

	rsp->StructureSize = cpu_to_le16(9);

			if (try_delay) {

				ksmbd_conn_set_need_reconnect(conn);

				ssleep(5);

				ksmbd_conn_set_need_negotiate(conn);

				ksmbd_conn_set_need_setup(conn);

			}

		}

		smb2_set_err_rsp(work);

		return -ENOENT;

	}

	ksmbd_destroy_file_table(&sess->file_table);

	down_write(&conn->session_lock);

	sess->state = SMB2_SESSION_EXPIRED;

	up_write(&conn->session_lock);

	if (sess->user) {

		ksmbd_free_user(sess->user);

		sess->user = NULL;

	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);

	}

	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);

	rsp->StructureSize = cpu_to_le16(4);

	err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_logoff_rsp));

		return -EIO;

	}

	if (psid->num_subauth == 0) {

		pr_err("%s: zero subauthorities!\n", __func__);

		return -EIO;

	}

	if (sidtype == SIDOWNER) {

		kuid_t uid;

		uid_t id;

	struct dentry *parent = path->dentry->d_parent;

	struct mnt_idmap *idmap = mnt_idmap(path->mnt);

	int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size;

	int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;

	int rc = 0, pntsd_type, pntsd_size, acl_len, aces_size;

	unsigned int dacloffset;

	size_t dacl_struct_end;

	u16 num_aces, ace_cnt = 0;

	char *aces_base;

	bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);

					    parent, &parent_pntsd);

	if (pntsd_size <= 0)

		return -ENOENT;

	dacloffset = le32_to_cpu(parent_pntsd->dacloffset);

	if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) {

	if (!dacloffset ||

	    check_add_overflow(dacloffset, sizeof(struct smb_acl), &dacl_struct_end) ||

	    dacl_struct_end > (size_t)pntsd_size) {

		rc = -EINVAL;

		goto free_parent_pntsd;

	}

	struct smb_ntsd *pntsd = NULL;

	struct smb_acl *pdacl;

	struct posix_acl *posix_acls;

	int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset;

	int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size;

	unsigned int dacl_offset;

	size_t dacl_struct_end;

	struct smb_sid sid;

	int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE);

	struct smb_ace *ace;

	dacl_offset = le32_to_cpu(pntsd->dacloffset);

	if (!dacl_offset ||

	    (dacl_offset + sizeof(struct smb_acl) > pntsd_size))

	    check_add_overflow(dacl_offset, sizeof(struct smb_acl), &dacl_struct_end) ||

	    dacl_struct_end > (size_t)pntsd_size)

		goto err_out;

	pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));