git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Davide Ornaghi <d.ornaghi97@gmail.com>
	Mon, 15 Jun 2026 11:35:01 +0000 (20:35 +0900)
committer	Steve French <stfrench@microsoft.com>
	Tue, 16 Jun 2026 23:57:22 +0000 (18:57 -0500)
commit	1c8951963d8ed357f70f59e0ad4ddce2199d2016
tree	11edc9a38fa015988e11416c27bee2db00edef37	tree \| snapshot
parent	c6394bcaf254c5baf9aff43376020be5db6d3316	commit \| diff

ksmbd: fix path resolution in ksmbd_vfs_kern_path_create

The SMB2 open lookup is rooted at the share with LOOKUP_BENEATH, but the
create/mkdir/hardlink sink is not: ksmbd_vfs_kern_path_create() builds an
absolute path with convert_to_unix_name() and resolves it from AT_FDCWD
via start_creating_path(), so a ".." component is walked from the real
filesystem root and escapes the export.

An authenticated client races a missing path component so the rooted open
lookup returns -ENOENT (taking the create branch) while the same component
is present (a directory) when the create walk runs; the create then
resolves ".." out of the share.

Root the create walk at the share like the lookup and rename paths already
are: resolve the parent with vfs_path_parent_lookup(..., LOOKUP_BENEATH,
&share_conf->vfs_path) and create the final component with
start_creating_noperm(). convert_to_unix_name() then has no callers and is
removed.

Fixes: 265fd1991c1d ("ksmbd: use LOOKUP_BENEATH to prevent the out of share access")
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

fs/smb/server/misc.c		diff \| blob \| blame \| history
fs/smb/server/misc.h		diff \| blob \| blame \| history
fs/smb/server/vfs.c		diff \| blob \| blame \| history