From: Greg Kroah-Hartman Date: Tue, 14 Jul 2026 14:45:19 +0000 (+0200) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d337fc7c43867e5a2215bfde33ae45230715042;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch ksmbd-add-per-handle-permission-check-to-file_link_information.patch ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch ksmbd-enforce-file_read_attributes-on-smb_find_file_posix_information.patch ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch ksmbd-require-source-read-access-for-duplicate-extents.patch ksmbd-run-set-info-with-opener-credentials.patch ksmbd-serialize-query_directory-requests-per-file.patch ksmbd-use-opener-credentials-for-delete-on-close.patch smb-client-fix-change-notify-replay-double-free.patch smb-client-fix-double-free-in-smb2_close-replay.patch smb-client-fix-double-free-in-smb2_flush-replay.patch smb-client-fix-double-free-in-smb2_ioctl-replay.patch smb-client-fix-double-free-in-smb2_open-replay.patch smb-client-fix-error-code-in-smb2_aead_req_alloc.patch smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch smb-client-fix-query-directory-replay-double-free.patch smb-client-fix-query_info-replay-double-free.patch smb-client-harden-posix-sid-length-parsing.patch smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch --- diff --git a/queue-6.6/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch b/queue-6.6/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch new file mode 100644 index 0000000000..66f5a0ea89 --- /dev/null +++ b/queue-6.6/ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch @@ -0,0 +1,50 @@ +From 3320ba068198adc144c89d6661b805acce01735b Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Wed, 10 Jun 2026 20:07:04 +0900 +Subject: ksmbd: add a permission check for FSCTL_SET_ZERO_DATA + +From: Gil Portnoy + +commit 3320ba068198adc144c89d6661b805acce01735b upstream. + +FSCTL_SET_ZERO_DATA in smb2_ioctl() destroys file data via +ksmbd_vfs_zero_data() -> vfs_fallocate(PUNCH_HOLE/ZERO_RANGE) after +checking only the share-level KSMBD_TREE_CONN_FLAG_WRITABLE, with no +per-handle access check. A handle opened with only FILE_WRITE_ATTRIBUTES +still yields an FMODE_WRITE filp (FILE_WRITE_ATTRIBUTES is part of +FILE_WRITE_DESIRE_ACCESS_LE, so smb2_create_open_flags() opens it +O_WRONLY), so the vfs_fallocate FMODE_WRITE check does not stop it; only +the missing fp->daccess gate would. Reproduced on mainline 7.1-rc7 with +KASAN by an authenticated SMB client: a FILE_WRITE_ATTRIBUTES-only handle +zeroed 4096 bytes of file data it had no FILE_WRITE_DATA right to +(6/6; a FILE_READ_DATA-only handle was correctly denied). + +This is the unfixed sibling of commit cc57232cae23 ("ksmbd: fix FSCTL +permission bypass by adding a permission check for FSCTL_SET_SPARSE"). +Because SET_ZERO_DATA writes data (not an attribute), require +FILE_WRITE_DATA. + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -8407,6 +8407,12 @@ int smb2_ioctl(struct ksmbd_work *work) + goto out; + } + ++ if (!(fp->daccess & FILE_WRITE_DATA_LE)) { ++ ksmbd_fd_put(work, fp); ++ ret = -EACCES; ++ goto out; ++ } ++ + ret = ksmbd_vfs_zero_data(work, fp, off, len); + ksmbd_fd_put(work, fp); + if (ret < 0) diff --git a/queue-6.6/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch b/queue-6.6/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch new file mode 100644 index 0000000000..06876e1d11 --- /dev/null +++ b/queue-6.6/ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch @@ -0,0 +1,60 @@ +From 44df157a1183a7f746caa970c169255da5ac61f8 Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Tue, 9 Jun 2026 00:00:00 +0000 +Subject: ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gil Portnoy + +commit 44df157a1183a7f746caa970c169255da5ac61f8 upstream. + +commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a +permission check for FSCTL_SET_SPARSE") added a fp->daccess gate to +fsctl_set_sparse and noted that "similar handle-level checks exist in other +functions but are missing here." The SMB2 SET_INFO SECURITY arm is one of +the missing ones, and the most security-relevant: smb2_set_info_sec() calls +set_info_sec() with no per-handle access check. + +set_info_sec() (fs/smb/server/smbacl.c) re-permissions the file: it +rewrites owner/group/mode via notify_change(), rewrites the POSIX ACL via +set_posix_acl(), and on KSMBD_SHARE_FLAG_ACL_XATTR shares removes and +rewrites the Windows security descriptor via ksmbd_vfs_set_sd_xattr(). +Every other persistent-mutation arm of the sibling handler +smb2_set_info_file() checks fp->daccess first (FILE_WRITE_DATA / +FILE_DELETE / FILE_WRITE_EA / FILE_WRITE_ATTRIBUTES); the SECURITY arm — +which mutates the access control itself — is the only one with no gate. + +A client can therefore open a handle with FILE_WRITE_ATTRIBUTES only (no +FILE_WRITE_DAC / FILE_WRITE_OWNER) and use SMB2_SET_INFO with InfoType +SMB2_O_INFO_SECURITY to rewrite the file's DACL and owner, granting itself +access the handle's daccess never carried. Unlike the FSCTL data arms this +is a metadata/xattr operation, so there is no FMODE_WRITE VFS backstop — +the missing fp->daccess check is the entire gate. + +Setting a security descriptor is the WRITE_DAC / WRITE_OWNER operation, so +require at least one of those on the handle before re-permissioning the +file. -EACCES is mapped to STATUS_ACCESS_DENIED by smb2_set_info(). + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6555,6 +6555,9 @@ static int smb2_set_info_sec(struct ksmb + + fp->saccess |= FILE_SHARE_DELETE_LE; + ++ if (!(fp->daccess & (FILE_WRITE_DAC_LE | FILE_WRITE_OWNER_LE))) ++ return -EACCES; ++ + return set_info_sec(fp->conn, fp->tcon, &fp->filp->f_path, pntsd, + buf_len, false, true); + } diff --git a/queue-6.6/ksmbd-add-per-handle-permission-check-to-file_link_information.patch b/queue-6.6/ksmbd-add-per-handle-permission-check-to-file_link_information.patch new file mode 100644 index 0000000000..2a46fcba55 --- /dev/null +++ b/queue-6.6/ksmbd-add-per-handle-permission-check-to-file_link_information.patch @@ -0,0 +1,49 @@ +From 13f3942f2bf45856bb751faed2f0c4618f41ca20 Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Wed, 10 Jun 2026 20:13:51 +0900 +Subject: ksmbd: add per-handle permission check to FILE_LINK_INFORMATION + +From: Gil Portnoy + +commit 13f3942f2bf45856bb751faed2f0c4618f41ca20 upstream. + +The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls +smb2_create_link() with no per-handle fp->daccess check. On the +ReplaceIfExists path smb2_create_link() unlinks an existing file at the +target name (ksmbd_vfs_remove_file) and creates a hardlink +(ksmbd_vfs_link); neither helper checks daccess. A handle opened with +FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore +delete an arbitrary file in the share and plant a hardlink over its name. + +The sibling delete/move arms in the same switch already gate: +FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require +FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE. Gate +the link arm the same way as its closest analogue (rename), since it +mutates the namespace and, on replace, deletes an existing entry. + +This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission +bypass by adding a permission check for FSCTL_SET_SPARSE"). + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6504,6 +6504,11 @@ static int smb2_set_info_file(struct ksm + } + case FILE_LINK_INFORMATION: + { ++ if (!(fp->daccess & FILE_DELETE_LE)) { ++ pr_err("no right to delete : 0x%x\n", fp->daccess); ++ return -EACCES; ++ } ++ + if (buf_len < sizeof(struct smb2_file_link_info)) + return -EINVAL; + diff --git a/queue-6.6/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch b/queue-6.6/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch new file mode 100644 index 0000000000..8c85028c33 --- /dev/null +++ b/queue-6.6/ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch @@ -0,0 +1,48 @@ +From 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Fri, 12 Jun 2026 07:15:38 +0900 +Subject: ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE + +From: Gil Portnoy + +commit 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 upstream. + +The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() overwrites the +destination file's data via vfs_clone_file_range() with neither the +share-level KSMBD_TREE_CONN_FLAG_WRITABLE check nor a per-handle +fp->daccess check that the other write-bearing arms carry. A client can +overwrite destination data on a read-only share, or from a handle opened +with only FILE_WRITE_ATTRIBUTES (which still yields an FMODE_WRITE filp). +FILE_WRITE_ATTRIBUTES-only destination handle overwrote the file's data via +the clone. Add both checks, matching the FSCTL_SET_SPARSE permission fix; +require FILE_WRITE_DATA since this writes data. + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -8482,6 +8482,17 @@ int smb2_ioctl(struct ksmbd_work *work) + goto dup_ext_out; + } + ++ if (!test_tree_conn_flag(work->tcon, ++ KSMBD_TREE_CONN_FLAG_WRITABLE)) { ++ ret = -EACCES; ++ goto dup_ext_out; ++ } ++ ++ if (!(fp_out->daccess & FILE_WRITE_DATA_LE)) { ++ ret = -EACCES; ++ goto dup_ext_out; ++ } ++ + src_off = le64_to_cpu(dup_ext->SourceFileOffset); + dst_off = le64_to_cpu(dup_ext->TargetFileOffset); + length = le64_to_cpu(dup_ext->ByteCount); diff --git a/queue-6.6/ksmbd-enforce-file_read_attributes-on-smb_find_file_posix_information.patch b/queue-6.6/ksmbd-enforce-file_read_attributes-on-smb_find_file_posix_information.patch new file mode 100644 index 0000000000..56db26ea7d --- /dev/null +++ b/queue-6.6/ksmbd-enforce-file_read_attributes-on-smb_find_file_posix_information.patch @@ -0,0 +1,47 @@ +From 20c8442dc1003f9f7bb522d3dcd81d09ea59a79e Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Thu, 11 Jun 2026 22:59:51 +0900 +Subject: ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION + +From: Gil Portnoy + +commit 20c8442dc1003f9f7bb522d3dcd81d09ea59a79e upstream. + +find_file_posix_info() in smb2_query_info() returns file metadata (owner +uid, group gid, mode, inode, size, allocation size, hard-link count and all +four timestamps) but performs no per-handle access check. Every sibling +query handler gates on the handle's granted access first -- +get_file_basic_info(), get_file_all_info(), get_file_network_open_info() +and get_file_attribute_tag_info() all reject a handle lacking +FILE_READ_ATTRIBUTES_LE with -EACCES. The POSIX handler is gated only by +the connection-scoped tcon->posix_extensions flag, which is not a +per-handle authorization, so a handle opened with only FILE_WRITE_DATA is +correctly denied FileBasicInformation yet is allowed the strict-superset +POSIX info. Mirror the FILE_READ_ATTRIBUTES_LE gate the sibling info +handlers already use. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -5290,6 +5290,12 @@ static int find_file_posix_info(struct s + int out_buf_len = sizeof(struct smb311_posix_qinfo) + 32; + int ret; + ++ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) { ++ pr_err("no right to read the attributes : 0x%x\n", ++ fp->daccess); ++ return -EACCES; ++ } ++ + ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS, + AT_STATX_SYNC_AS_STAT); + if (ret) diff --git a/queue-6.6/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch b/queue-6.6/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch new file mode 100644 index 0000000000..3aba89c3cc --- /dev/null +++ b/queue-6.6/ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch @@ -0,0 +1,86 @@ +From d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e Mon Sep 17 00:00:00 2001 +From: Davide Ornaghi +Date: Sat, 6 Jun 2026 16:11:04 +0900 +Subject: ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation + +From: Davide Ornaghi + +commit d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e upstream. + +When a blocking byte-range lock request is deferred in the +FILE_LOCK_DEFERRED path, ksmbd registers the asynchronous work into +the connection's async_requests list via setup_async_work(). The cancel +callback smb2_remove_blocked_lock() holds a reference to the flock. + +If the lock waiter is subsequently woken up but the work state is no +longer KSMBD_WORK_ACTIVE (e.g., due to a concurrent cancellation), the +cleanup path calls locks_free_lock(flock) without dequeuing the work from +the async_requests list. Concurrently, smb2_cancel() walks the list +under conn->request_lock and invokes the cancel callback, which then +dereferences the already freed 'flock'. This leads to a slab-use-after-free +inside __wake_up_common. + +Fix this by restructuring the cleanup logic after the worker returns +from ksmbd_vfs_posix_lock_wait(). Move list_del(&smb_lock->llist) and +release_async_work(work) to the top of the cleanup block. This guarantees +that the async work is completely dequeued and serialized under +conn->request_lock before locks_free_lock(flock) is called, rendering +the flock unreachable for any concurrent smb2_cancel(). + +Cc: stable@vger.kernel.org +Signed-off-by: Davide Ornaghi +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7667,29 +7667,27 @@ skip: + list_del(&work->fp_entry); + spin_unlock(&fp->f_lock); + +- if (work->state != KSMBD_WORK_ACTIVE) { +- list_del(&smb_lock->llist); +- locks_free_lock(flock); ++ list_del(&smb_lock->llist); ++ release_async_work(work); ++ ++ if (work->state == KSMBD_WORK_ACTIVE) ++ goto retry; + +- if (work->state == KSMBD_WORK_CANCELLED) { +- rsp->hdr.Status = +- STATUS_CANCELLED; +- kfree(smb_lock); +- smb2_send_interim_resp(work, +- STATUS_CANCELLED); +- work->send_no_response = 1; +- goto out; +- } ++ locks_free_lock(flock); + +- rsp->hdr.Status = +- STATUS_RANGE_NOT_LOCKED; ++ if (work->state == KSMBD_WORK_CANCELLED) { ++ rsp->hdr.Status = STATUS_CANCELLED; + kfree(smb_lock); +- goto out2; ++ smb2_send_interim_resp(work, ++ STATUS_CANCELLED); ++ work->send_no_response = 1; ++ goto out; + } + +- list_del(&smb_lock->llist); +- release_async_work(work); +- goto retry; ++ rsp->hdr.Status = ++ STATUS_RANGE_NOT_LOCKED; ++ kfree(smb_lock); ++ goto out2; + } else if (!rc) { + list_add(&smb_lock->llist, &rollback_list); + spin_lock(&work->conn->llist_lock); diff --git a/queue-6.6/ksmbd-require-source-read-access-for-duplicate-extents.patch b/queue-6.6/ksmbd-require-source-read-access-for-duplicate-extents.patch new file mode 100644 index 0000000000..7c1b67b953 --- /dev/null +++ b/queue-6.6/ksmbd-require-source-read-access-for-duplicate-extents.patch @@ -0,0 +1,40 @@ +From cedff600f1642aa982178503552f0d007bc829c8 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 13 Jun 2026 22:00:02 +0900 +Subject: ksmbd: require source read access for duplicate extents + +From: Namjae Jeon + +commit cedff600f1642aa982178503552f0d007bc829c8 upstream. + +FSCTL_DUPLICATE_EXTENTS_TO_FILE passes the source file directly to +vfs_clone_file_range() or vfs_copy_file_range() without checking the SMB +access mask granted to the source handle. A handle opened with attribute +access can consequently be used to copy file contents into an +attacker-readable destination. + +Require FILE_READ_DATA on the source handle before either VFS operation, +matching other ksmbd data-copy paths. + +Cc: stable@vger.kernel.org +Reported-by: Musaab Khan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -8500,6 +8500,10 @@ int smb2_ioctl(struct ksmbd_work *work) + ret = -EACCES; + goto dup_ext_out; + } ++ if (!(fp_in->daccess & FILE_READ_DATA_LE)) { ++ ret = -EACCES; ++ goto dup_ext_out; ++ } + + src_off = le64_to_cpu(dup_ext->SourceFileOffset); + dst_off = le64_to_cpu(dup_ext->TargetFileOffset); diff --git a/queue-6.6/ksmbd-run-set-info-with-opener-credentials.patch b/queue-6.6/ksmbd-run-set-info-with-opener-credentials.patch new file mode 100644 index 0000000000..709f578adf --- /dev/null +++ b/queue-6.6/ksmbd-run-set-info-with-opener-credentials.patch @@ -0,0 +1,68 @@ +From b383bcad3d2fe634b26efbce53e22bbb5753a520 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 13 Jun 2026 22:00:01 +0900 +Subject: ksmbd: run set info with opener credentials + +From: Namjae Jeon + +commit b383bcad3d2fe634b26efbce53e22bbb5753a520 upstream. + +SMB2 SET_INFO handlers call path-based VFS helpers after checking the +access mask granted to the SMB handle. Those helpers perform their owner, +inode permission and LSM checks using the current ksmbd worker credentials. + +Run the complete SET_INFO dispatch with the credentials captured when the +handle was opened. This also removes the separate security information +credential setup and keeps all SET_INFO classes under one credential scope. + +Direct override_creds() is used because it can nest with the request +credential overrides already used by rename and link helpers. + +Cc: stable@vger.kernel.org +Reported-by: Musaab Khan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6570,6 +6570,7 @@ static int smb2_set_info_sec(struct ksmb + */ + int smb2_set_info(struct ksmbd_work *work) + { ++ const struct cred *saved_cred; + struct smb2_set_info_req *req; + struct smb2_set_info_rsp *rsp; + struct ksmbd_file *fp = NULL; +@@ -6611,6 +6612,7 @@ int smb2_set_info(struct ksmbd_work *wor + goto err_out; + } + ++ saved_cred = override_creds(fp->filp->f_cred); + switch (req->InfoType) { + case SMB2_O_INFO_FILE: + ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n"); +@@ -6618,19 +6620,15 @@ int smb2_set_info(struct ksmbd_work *wor + break; + case SMB2_O_INFO_SECURITY: + ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n"); +- if (ksmbd_override_fsids(work)) { +- rc = -ENOMEM; +- goto err_out; +- } + rc = smb2_set_info_sec(fp, + le32_to_cpu(req->AdditionalInformation), + (char *)req + le16_to_cpu(req->BufferOffset), + le32_to_cpu(req->BufferLength)); +- ksmbd_revert_fsids(work); + break; + default: + rc = -EOPNOTSUPP; + } ++ revert_creds(saved_cred); + + if (rc < 0) + goto err_out; diff --git a/queue-6.6/ksmbd-serialize-query_directory-requests-per-file.patch b/queue-6.6/ksmbd-serialize-query_directory-requests-per-file.patch new file mode 100644 index 0000000000..fccb4fad66 --- /dev/null +++ b/queue-6.6/ksmbd-serialize-query_directory-requests-per-file.patch @@ -0,0 +1,86 @@ +From be6d26bf27499977c746abc163659915082348d8 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 12 Jun 2026 08:00:00 +0900 +Subject: ksmbd: serialize QUERY_DIRECTORY requests per file + +From: Namjae Jeon + +commit be6d26bf27499977c746abc163659915082348d8 upstream. + +smb2_query_dir() stores a pointer to its stack-allocated private data in +the ksmbd_file readdir_data. Concurrent QUERY_DIRECTORY requests using the +same file handle can overwrite this pointer while an iterate_dir() callback +is still using it, resulting in a stack use-after-free. + +Add a per-file mutex and hold it while accessing the shared directory +enumeration state. The lock covers scan restart, dot entry state, +readdir_data setup and iteration, and response construction. This prevents +another request from replacing readdir_data.private before the current +request has finished using it and also serializes the shared file position. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-30527 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ++++ + fs/smb/server/vfs_cache.c | 1 + + fs/smb/server/vfs_cache.h | 2 ++ + 3 files changed, 7 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4445,6 +4445,8 @@ int smb2_query_dir(struct ksmbd_work *wo + ksmbd_debug(SMB, "Search pattern is %s\n", srch_ptr); + } + ++ mutex_lock(&dir_fp->readdir_lock); ++ + if (srch_flag & SMB2_REOPEN || srch_flag & SMB2_RESTART_SCANS) { + ksmbd_debug(SMB, "Restart directory scan\n"); + generic_file_llseek(dir_fp->filp, 0, SEEK_SET); +@@ -4549,6 +4551,7 @@ no_buf_len: + goto err_out; + } + ++ mutex_unlock(&dir_fp->readdir_lock); + kfree(srch_ptr); + ksmbd_fd_put(work, dir_fp); + ksmbd_revert_fsids(work); +@@ -4556,6 +4559,7 @@ no_buf_len: + + err_out: + pr_err("error while processing smb2 query dir rc = %d\n", rc); ++ mutex_unlock(&dir_fp->readdir_lock); + kfree(srch_ptr); + + err_out2: +--- a/fs/smb/server/vfs_cache.c ++++ b/fs/smb/server/vfs_cache.c +@@ -686,6 +686,7 @@ struct ksmbd_file *ksmbd_open_fd(struct + INIT_LIST_HEAD(&fp->node); + INIT_LIST_HEAD(&fp->lock_list); + spin_lock_init(&fp->f_lock); ++ mutex_init(&fp->readdir_lock); + atomic_set(&fp->refcount, 1); + + fp->filp = filp; +--- a/fs/smb/server/vfs_cache.h ++++ b/fs/smb/server/vfs_cache.h +@@ -8,6 +8,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -112,6 +113,7 @@ struct ksmbd_file { + + /* if ls is happening on directory, below is valid*/ + struct ksmbd_readdir_data readdir_data; ++ struct mutex readdir_lock; + int dot_dotdot[2]; + unsigned int f_state; + bool reserve_lease_break; diff --git a/queue-6.6/ksmbd-use-opener-credentials-for-delete-on-close.patch b/queue-6.6/ksmbd-use-opener-credentials-for-delete-on-close.patch new file mode 100644 index 0000000000..104b5767fe --- /dev/null +++ b/queue-6.6/ksmbd-use-opener-credentials-for-delete-on-close.patch @@ -0,0 +1,74 @@ +From 52e2f21911158ec961cd5aae19c56460db382af0 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 13 Jun 2026 22:00:00 +0900 +Subject: ksmbd: use opener credentials for delete-on-close + +From: Namjae Jeon + +commit 52e2f21911158ec961cd5aae19c56460db382af0 upstream. + +Delete-on-close can be completed by deferred or durable handle teardown, +where no request work is available. Both the base-file unlink and the ADS +xattr removal consequently run with the ksmbd worker credentials and can +bypass filesystem permission checks. + +Run both operations with the credentials captured in struct file when the +handle was opened. This preserves the authenticated user's fsuid, fsgid, +supplementary groups and capability restrictions at final close. + +Cc: stable@vger.kernel.org +Reported-by: Musaab Khan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 7 +++++-- + fs/smb/server/vfs_cache.c | 4 ++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -1084,13 +1084,15 @@ int ksmbd_vfs_remove_xattr(struct mnt_id + + int ksmbd_vfs_unlink(struct file *filp) + { ++ const struct cred *saved_cred; + int err = 0; + struct dentry *dir, *dentry = filp->f_path.dentry; + struct mnt_idmap *idmap = file_mnt_idmap(filp); + ++ saved_cred = override_creds(filp->f_cred); + err = mnt_want_write(filp->f_path.mnt); + if (err) +- return err; ++ goto out_revert; + + dir = dget_parent(dentry); + err = ksmbd_vfs_lock_parent(dir, dentry); +@@ -1110,7 +1112,8 @@ int ksmbd_vfs_unlink(struct file *filp) + out: + dput(dir); + mnt_drop_write(filp->f_path.mnt); +- ++out_revert: ++ revert_creds(saved_cred); + return err; + } + +--- a/fs/smb/server/vfs_cache.c ++++ b/fs/smb/server/vfs_cache.c +@@ -292,10 +292,14 @@ static void __ksmbd_inode_close(struct k + up_write(&ci->m_lock); + + if (remove_stream_xattr) { ++ const struct cred *saved_cred; ++ ++ saved_cred = override_creds(filp->f_cred); + err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp), + &filp->f_path, + fp->stream.name, + true); ++ revert_creds(saved_cred); + if (err) + pr_err("remove xattr failed : %s\n", + fp->stream.name); diff --git a/queue-6.6/series b/queue-6.6/series index c47741cab9..8c77f5ed18 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -179,3 +179,25 @@ fs-ntfs3-handle-attr_set_size-errors-when-truncating.patch fs-ntfs3-zero-fill-folios-beyond-i_valid-in-ntfs_rea.patch fs-ntfs3-fix-missing-run-load-for-vcn0-in-attr_data_.patch coresight-ultrasoc-smb-fix-oob-write-in-smb_sync_perf_buffer.patch +smb-client-fix-error-code-in-smb2_aead_req_alloc.patch +ksmbd-add-permission-checks-for-fsctl_duplicate_extents_to_file.patch +ksmbd-add-a-permission-check-for-fsctl_set_zero_data.patch +ksmbd-serialize-query_directory-requests-per-file.patch +ksmbd-fix-uaf-of-struct-file_lock-in-smb2_lock-deferred-lock-cancellation.patch +ksmbd-require-source-read-access-for-duplicate-extents.patch +ksmbd-add-a-write_dac-write_owner-check-to-smb2-set_info-security.patch +ksmbd-run-set-info-with-opener-credentials.patch +ksmbd-enforce-file_read_attributes-on-smb_find_file_posix_information.patch +ksmbd-add-per-handle-permission-check-to-file_link_information.patch +ksmbd-use-opener-credentials-for-delete-on-close.patch +smb-client-fix-query-directory-replay-double-free.patch +smb-client-fix-query_info-replay-double-free.patch +smb-client-fix-double-free-in-smb2_ioctl-replay.patch +smb-client-fix-change-notify-replay-double-free.patch +smb-client-fix-double-free-in-smb2_flush-replay.patch +smb-client-fix-double-free-in-smb2_open-replay.patch +smb-client-fix-double-free-in-smb2_close-replay.patch +smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch +smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch +smb-client-harden-posix-sid-length-parsing.patch +smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch diff --git a/queue-6.6/smb-client-fix-change-notify-replay-double-free.patch b/queue-6.6/smb-client-fix-change-notify-replay-double-free.patch new file mode 100644 index 0000000000..e67561e587 --- /dev/null +++ b/queue-6.6/smb-client-fix-change-notify-replay-double-free.patch @@ -0,0 +1,35 @@ +From 145f820dcbb2cced374f2532f8a61a44dce4a615 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 18 Jun 2026 17:34:37 -0300 +Subject: smb: client: fix change notify replay double-free + +From: Henrique Carvalho + +commit 145f820dcbb2cced374f2532f8a61a44dce4a615 upstream. + +A response-bearing attempt can return a replayable error and free its +response buffer. If SMB2_notify_init() fails before the next send, cleanup +retains the previous buffer type and frees that response again. + +Reset response bookkeeping before each attempt to prevent the stale free. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4024,6 +4024,8 @@ SMB2_change_notify(const unsigned int xi + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + server = cifs_pick_channel(ses); + diff --git a/queue-6.6/smb-client-fix-double-free-in-smb2_close-replay.patch b/queue-6.6/smb-client-fix-double-free-in-smb2_close-replay.patch new file mode 100644 index 0000000000..5009a8d124 --- /dev/null +++ b/queue-6.6/smb-client-fix-double-free-in-smb2_close-replay.patch @@ -0,0 +1,35 @@ +From f96e1cdcb63ed3321142ff2fcdf784e32cda8fee Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 18 Jun 2026 17:34:35 -0300 +Subject: smb: client: fix double-free in SMB2_close() replay + +From: Henrique Carvalho + +commit f96e1cdcb63ed3321142ff2fcdf784e32cda8fee upstream. + +A response-bearing attempt can return a replayable error and free its +response buffer. If SMB2_close_init() fails before the next send, cleanup +retains the previous buffer type and frees that response again. + +Reset response bookkeeping before each attempt to prevent the stale free. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -3629,6 +3629,8 @@ __SMB2_close(const unsigned int xid, str + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + query_attrs = false; + server = cifs_pick_channel(ses); diff --git a/queue-6.6/smb-client-fix-double-free-in-smb2_flush-replay.patch b/queue-6.6/smb-client-fix-double-free-in-smb2_flush-replay.patch new file mode 100644 index 0000000000..89c8b8865e --- /dev/null +++ b/queue-6.6/smb-client-fix-double-free-in-smb2_flush-replay.patch @@ -0,0 +1,45 @@ +From 4be31c943a3a27a5a0251dbb8f5cb89059ec3d5a Mon Sep 17 00:00:00 2001 +From: Zhao Zhang +Date: Thu, 18 Jun 2026 23:28:05 +0800 +Subject: smb: client: fix double-free in SMB2_flush() replay + +From: Zhao Zhang + +commit 4be31c943a3a27a5a0251dbb8f5cb89059ec3d5a upstream. + +SMB2_flush() keeps its response buffer bookkeeping across replay +attempts. If a replayable flush response is received and the retry then +fails before cifs_send_recv() stores a replacement response, flush_exit +will free the stale response pointer a second time. + +Reinitialize resp_buftype and rsp_iov at the top of the replay loop so +cleanup only acts on response state produced by the current attempt. +This fixes a double-free without changing replay handling for successful +requests. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Reported-by: Yuan Tan +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Assisted-by: Codex:GPT-5.4 +Acked-by: Henrique Carvalho +Signed-off-by: Zhao Zhang +Signed-off-by: Ren Wei +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4350,6 +4350,8 @@ SMB2_flush(const unsigned int xid, struc + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + server = cifs_pick_channel(ses); + diff --git a/queue-6.6/smb-client-fix-double-free-in-smb2_ioctl-replay.patch b/queue-6.6/smb-client-fix-double-free-in-smb2_ioctl-replay.patch new file mode 100644 index 0000000000..ab0946e0d8 --- /dev/null +++ b/queue-6.6/smb-client-fix-double-free-in-smb2_ioctl-replay.patch @@ -0,0 +1,35 @@ +From f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 18 Jun 2026 17:34:34 -0300 +Subject: smb: client: fix double-free in SMB2_ioctl() replay + +From: Henrique Carvalho + +commit f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9 upstream. + +A response-bearing attempt can return a replayable error and free its +response buffer. If SMB2_ioctl_init() fails before the next send, cleanup +retains the previous buffer type and frees that response again. + +Reset response bookkeeping before each attempt to prevent the stale free. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -3437,6 +3437,8 @@ SMB2_ioctl(const unsigned int xid, struc + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + server = cifs_pick_channel(ses); + diff --git a/queue-6.6/smb-client-fix-double-free-in-smb2_open-replay.patch b/queue-6.6/smb-client-fix-double-free-in-smb2_open-replay.patch new file mode 100644 index 0000000000..466755c766 --- /dev/null +++ b/queue-6.6/smb-client-fix-double-free-in-smb2_open-replay.patch @@ -0,0 +1,35 @@ +From b55e182f2324bc6a604c21a47aa6c448f719a532 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 18 Jun 2026 17:34:33 -0300 +Subject: smb: client: fix double-free in SMB2_open() replay + +From: Henrique Carvalho + +commit b55e182f2324bc6a604c21a47aa6c448f719a532 upstream. + +A response-bearing attempt can return a replayable error and free its +response buffer. If SMB2_open_init() fails before the next send, cleanup +retains the previous buffer type and frees that response again. + +Reset response bookkeeping before each attempt to prevent the stale free. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -3208,6 +3208,8 @@ SMB2_open(const unsigned int xid, struct + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + server = cifs_pick_channel(ses); + oparms->replay = !!(retries); diff --git a/queue-6.6/smb-client-fix-error-code-in-smb2_aead_req_alloc.patch b/queue-6.6/smb-client-fix-error-code-in-smb2_aead_req_alloc.patch new file mode 100644 index 0000000000..94ec1bb0bb --- /dev/null +++ b/queue-6.6/smb-client-fix-error-code-in-smb2_aead_req_alloc.patch @@ -0,0 +1,45 @@ +From 61f28012e5650c619223decdb7970e0d3162e949 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 11 Jun 2026 10:35:28 +0300 +Subject: smb/client: Fix error code in smb2_aead_req_alloc() + +From: Dan Carpenter + +commit 61f28012e5650c619223decdb7970e0d3162e949 upstream. + +The "*num_sgs" variable is a u32 so "ERR_PTR(*num_sgs)" doesn't work. +We would have to do something similar to the previous line where it's +cast to int and then long. However, it's simpler to store the return in +an int ret variable. + +This bug would eventually result in a crash when dereference the invalid +error pointer. + +Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") +Cc: stable@kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -4182,11 +4182,13 @@ static void *smb2_aead_req_alloc(struct + unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm); + unsigned int iv_size = crypto_aead_ivsize(tfm); + unsigned int len; ++ int ret; + u8 *p; + +- *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig); +- if (IS_ERR_VALUE((long)(int)*num_sgs)) +- return ERR_PTR(*num_sgs); ++ ret = cifs_get_num_sgs(rqst, num_rqst, sig); ++ if (ret < 0) ++ return ERR_PTR(ret); ++ *num_sgs = ret; + + len = iv_size; + len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1); diff --git a/queue-6.6/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch b/queue-6.6/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch new file mode 100644 index 0000000000..4e6d73bb44 --- /dev/null +++ b/queue-6.6/smb-client-fix-next-buffer-leak-in-receive_encrypted_standard.patch @@ -0,0 +1,52 @@ +From 1c6267a1d5cf4c73b656f8181b310cbbb3e4767b Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Tue, 23 Jun 2026 09:45:38 +0800 +Subject: smb: client: Fix next buffer leak in receive_encrypted_standard() + +From: Haoxiang Li + +commit 1c6267a1d5cf4c73b656f8181b310cbbb3e4767b upstream. + +receive_encrypted_standard() allocates next_buffer before checking +whether the number of compound PDUs already reached MAX_COMPOUND. If +the limit check fails, the function returns immediately and the newly +allocated next_buffer is not assigned to server->smallbuf/server->bigbuf, +making it leaked. + +Move the MAX_COMPOUND check before allocating next_buffer. + +Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -4942,6 +4942,12 @@ receive_encrypted_standard(struct TCP_Se + one_more: + shdr = (struct smb2_hdr *)buf; + next_cmd = le32_to_cpu(shdr->NextCommand); ++ ++ if (*num_mids >= MAX_COMPOUND) { ++ cifs_server_dbg(VFS, "too many PDUs in compound\n"); ++ return -1; ++ } ++ + if (next_cmd) { + if (WARN_ON_ONCE(next_cmd > pdu_length)) + return -1; +@@ -4965,10 +4971,6 @@ one_more: + mid_entry->resp_buf_size = server->pdu_size; + } + +- if (*num_mids >= MAX_COMPOUND) { +- cifs_server_dbg(VFS, "too many PDUs in compound\n"); +- return -1; +- } + bufs[*num_mids] = buf; + mids[(*num_mids)++] = mid_entry; + diff --git a/queue-6.6/smb-client-fix-query-directory-replay-double-free.patch b/queue-6.6/smb-client-fix-query-directory-replay-double-free.patch new file mode 100644 index 0000000000..828470181a --- /dev/null +++ b/queue-6.6/smb-client-fix-query-directory-replay-double-free.patch @@ -0,0 +1,35 @@ +From 9647492b5e41954be59d5157eddbcd4cdc1656f7 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 18 Jun 2026 17:34:38 -0300 +Subject: smb: client: fix query directory replay double-free + +From: Henrique Carvalho + +commit 9647492b5e41954be59d5157eddbcd4cdc1656f7 upstream. + +A response-bearing attempt can return a replayable error and free its +response buffer. If SMB2_query_directory_init() fails before the next send, +cleanup retains the previous buffer type and frees that response again. + +Reset response bookkeeping before each attempt to prevent the stale free. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -5814,6 +5814,8 @@ SMB311_posix_qfs_info(const unsigned int + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + server = cifs_pick_channel(ses); + diff --git a/queue-6.6/smb-client-fix-query_info-replay-double-free.patch b/queue-6.6/smb-client-fix-query_info-replay-double-free.patch new file mode 100644 index 0000000000..753cc35d4c --- /dev/null +++ b/queue-6.6/smb-client-fix-query_info-replay-double-free.patch @@ -0,0 +1,35 @@ +From 2a88561d66eb855813cf004a0abe648bbb17de5e Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 18 Jun 2026 17:34:36 -0300 +Subject: smb: client: fix query_info() replay double-free + +From: Henrique Carvalho + +commit 2a88561d66eb855813cf004a0abe648bbb17de5e upstream. + +A response-bearing attempt can return a replayable error and free its +response buffer. If SMB2_query_info_init() fails before the next send, +cleanup retains the previous buffer type and frees that response again. + +Reset response bookkeeping before each attempt to prevent the stale free. + +Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") +Cc: stable@vger.kernel.org +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -3833,6 +3833,8 @@ query_info(const unsigned int xid, struc + + replay_again: + /* reinitialize for possible replay */ ++ resp_buftype = CIFS_NO_BUFFER; ++ memset(&rsp_iov, 0, sizeof(rsp_iov)); + flags = 0; + allocated = false; + server = cifs_pick_channel(ses); diff --git a/queue-6.6/smb-client-harden-posix-sid-length-parsing.patch b/queue-6.6/smb-client-harden-posix-sid-length-parsing.patch new file mode 100644 index 0000000000..8fadc59a00 --- /dev/null +++ b/queue-6.6/smb-client-harden-posix-sid-length-parsing.patch @@ -0,0 +1,40 @@ +From 7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 Mon Sep 17 00:00:00 2001 +From: Zihan Xi +Date: Sun, 28 Jun 2026 17:19:24 +0800 +Subject: smb: client: harden POSIX SID length parsing + +From: Zihan Xi + +commit 7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 upstream. + +posix_info_sid_size() reads sid[1] to obtain the subauthority count, +but its existing boundary check still accepts buffers with only one +remaining byte. Require two bytes before reading sid[1] so all client +paths that reuse the helper reject truncated POSIX SIDs safely. + +Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level") +Cc: stable@vger.kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Assisted-by: Codex:gpt-5.4 +Signed-off-by: Zihan Xi +Signed-off-by: Ren Wei +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -5130,7 +5130,7 @@ int posix_info_sid_size(const void *beg, + size_t subauth; + int total; + +- if (beg + 1 > end) ++ if (beg + 2 > end) + return -1; + + subauth = *(u8 *)(beg+1); diff --git a/queue-6.6/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch b/queue-6.6/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch new file mode 100644 index 0000000000..2fdad8677f --- /dev/null +++ b/queue-6.6/smb-client-mask-server-provided-mode-to-07777-in-modefromsid.patch @@ -0,0 +1,34 @@ +From e3d9c7160d483fc8f9e225aafad8ecbbc43f3151 Mon Sep 17 00:00:00 2001 +From: Norbert Manthey +Date: Thu, 9 Jul 2026 15:54:39 +0000 +Subject: smb: client: mask server-provided mode to 07777 in modefromsid + +From: Norbert Manthey + +commit e3d9c7160d483fc8f9e225aafad8ecbbc43f3151 upstream. + +When modefromsid is active, parse_dacl() applies the server-provided +sub_auth[2] value from the NFS mode SID to cf_mode without masking to +07777. Apply the correct masking, same as in the read path. + +Fixes: e2f8fbfb8d09c ("cifs: get mode bits from special sid on stat") +Signed-off-by: Norbert Manthey +Assisted-by: Kiro:claude-opus-4.6 +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsacl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/cifsacl.c ++++ b/fs/smb/client/cifsacl.c +@@ -890,7 +890,7 @@ static void parse_dacl(struct smb_acl *p + */ + fattr->cf_mode &= ~07777; + fattr->cf_mode |= +- le32_to_cpu(ppace[i]->sid.sub_auth[2]); ++ le32_to_cpu(ppace[i]->sid.sub_auth[2]) & 07777; + break; + } else { + if (compare_sids(&(ppace[i]->sid), pownersid) == 0) { diff --git a/queue-6.6/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch b/queue-6.6/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch new file mode 100644 index 0000000000..6f63f08646 --- /dev/null +++ b/queue-6.6/smb-client-use-unaligned-reads-in-parse_posix_ctxt.patch @@ -0,0 +1,38 @@ +From b86467cd2691192ad4809a5a6e922fc24b8e9839 Mon Sep 17 00:00:00 2001 +From: Zihan Xi +Date: Wed, 1 Jul 2026 18:23:21 +0800 +Subject: smb: client: use unaligned reads in parse_posix_ctxt() + +From: Zihan Xi + +commit b86467cd2691192ad4809a5a6e922fc24b8e9839 upstream. + +The server controls create-context DataOffset, so the POSIX context data +pointer may be misaligned on strict-alignment architectures. Use +get_unaligned_le32() when reading nlink, reparse_tag, and mode. + +Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data") +Cc: stable@vger.kernel.org +Signed-off-by: Zihan Xi +Signed-off-by: Ren Wei +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -2307,9 +2307,9 @@ parse_posix_ctxt(struct create_context * + + memset(posix, 0, sizeof(*posix)); + +- posix->nlink = le32_to_cpu(*(__le32 *)(beg + 0)); +- posix->reparse_tag = le32_to_cpu(*(__le32 *)(beg + 4)); +- posix->mode = le32_to_cpu(*(__le32 *)(beg + 8)); ++ posix->nlink = get_unaligned_le32(beg); ++ posix->reparse_tag = get_unaligned_le32(beg + 4); ++ posix->mode = get_unaligned_le32(beg + 8); + + sid = beg + 12; + sid_len = posix_info_sid_size(sid, end);