From 68892610f0c1313df2e9f209ea3c1426b868583d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 29 Oct 2025 11:37:38 +0100
Subject: [PATCH] 6.1-stable patches
added patches:
ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
---
 ...e-payload-size-before-reading-handle.patch | 47 +++++++++++++++++++
 queue-6.1/series | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
diff --git a/queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch b/queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
new file mode 100644
index 0000000000..68b2daa8fd
--- /dev/null
+++ b/queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
@@ -0,0 +1,47 @@
+From 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao
+Date: Wed, 22 Oct 2025 15:27:47 +0900
+Subject: ksmbd: transport_ipc: validate payload size before reading handle
+
+From: Qianchang Zhao
+
+commit 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 upstream.
+
+handle_response() dereferences the payload as a 4-byte handle without
+verifying that the declared payload size is at least 4 bytes. A malformed
+or truncated message from ksmbd.mountd can lead to a 4-byte read past the
+declared payload size. Validate the size before dereferencing.
+
+This is a minimal fix to guard the initial handle read.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao
+Signed-off-by: Qianchang Zhao
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/transport_ipc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -249,10 +249,16 @@ static void ipc_msg_handle_free(int hand
+ 
+ static int handle_response(int type, void *payload, size_t sz)
+ {
+- unsigned int handle = *(unsigned int *)payload;
++ unsigned int handle;
+ struct ipc_msg_table_entry *entry;
+ int ret = 0;
+ 
++ /* Prevent 4-byte read beyond declared payload size */
++ if (sz < sizeof(unsigned int))
++ return -EINVAL;
++
++ handle = *(unsigned int *)payload;
++
+ ipc_update_last_active();
+ down_read(&ipc_msg_table_lock);
+ hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {
diff --git a/queue-6.1/series b/queue-6.1/series
index 021a218cde..52898d7397 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
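Review bot: The new size guard in handle_response() rejects an undersized payload with a bare `return -EINVAL;`, so a truncated or malformed reply from ksmbd.mountd leaves no trace for the operator unless the caller reports the error, and that caller is outside this hunk. I would log before returning, using whatever logging helper and pr_fmt convention transport_ipc.c already uses, e.g. `pr_err("ipc response payload too short: %zu bytes\n", sz);` immediately above `return -EINVAL;`, or at least extend the comment to say the caller is expected to report the failure. The check covers only the initial 4-byte handle, as the commit message itself states; whether the per-type response payload the function processes later is bounded against sz is not visible here and is worth confirming in the 6.1 tree, since handle_response() continues past the end of the hunk.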
@@ -155,3 +155,4 @@ mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
 revert-selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch
 arm64-cputype-add-neoverse-v3ae-definitions.patch
 arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
+ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
-- 
2.47.3