--- /dev/null
+From stable+bounces-253796-greg=kroah.com@vger.kernel.org Fri May 22 19:25:23 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2026 09:30:46 -0400
+Subject: cgroup/cpuset: Reset DL migration state on can_attach() failure
+To: stable@vger.kernel.org
+Cc: Guopeng Zhang <zhangguopeng@kylinos.cn>, Tejun Heo <tj@kernel.org>, Chen Ridong <chenridong@huaweicloud.com>, Waiman Long <longman@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260522133046.3882842-1-sashal@kernel.org>
+
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+
+[ Upstream commit 4a39eda5fdd867fc39f3c039714dd432cee00268 ]
+
+cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
+state in the destination cpuset while walking the taskset.
+
+If a later task_can_attach() or security_task_setscheduler() check
+fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
+and does not call cpuset_cancel_attach() for it. The partially
+accumulated state is then left behind and can be consumed by a later
+attach, corrupting cpuset DL task accounting and pending DL bandwidth
+accounting.
+
+Reset the pending DL migration state from the common error exit when
+ret is non-zero. Successful can_attach() keeps the state for
+cpuset_attach() or cpuset_cancel_attach().
+
+Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+[ omitted upstream context line `cs->dl_bw_cpu = cpu;` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2609,16 +2609,13 @@ static int cpuset_can_attach(struct cgro
+ int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
+
+ if (unlikely(cpu >= nr_cpu_ids)) {
+- reset_migrate_dl_data(cs);
+ ret = -EINVAL;
+ goto out_unlock;
+ }
+
+ ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
+- if (ret) {
+- reset_migrate_dl_data(cs);
++ if (ret)
+ goto out_unlock;
+- }
+ }
+
+ out_success:
+@@ -3458,7 +3455,10 @@ static int cpuset_can_fork(struct task_s
+ * changes which zero cpus/mems_allowed.
+ */
+ cs->attach_in_progress++;
++
+ out_unlock:
++ if (ret)
++ reset_migrate_dl_data(cs);
+ mutex_unlock(&cpuset_mutex);
+ return ret;
+ }
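Review bot: The `if (ret) reset_migrate_dl_data(cs);` added under `out_unlock:` sits in a hunk whose header names cpuset_can_fork() at line 3455, while the two `goto out_unlock` paths that lost their resets in the previous hunk are in cpuset_can_attach() near line 2609. The context shown here (`cs->attach_in_progress++;`, `out_unlock:`, `mutex_unlock(&cpuset_mutex);`) is generic enough to match more than one function exit. If this hunk applies to cpuset_can_fork(), cpuset_can_attach() no longer resets the pending DL migration state on any failure path, which is the opposite of what the commit message describes. Please confirm against the target tree that the reset lands under cpuset_can_attach()'s `out_unlock:` and regenerate the backport with more context lines if it does not.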
--- /dev/null
+From 63a11adaceb8b77d70bcce0890197fa9462ce160 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Mon, 27 Nov 2023 14:15:51 +0100
+Subject: fbdev/vt8500lcdfb: Initialize fb_ops with fbdev macros
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 63a11adaceb8b77d70bcce0890197fa9462ce160 upstream.
+
+Initialize the instance of struct fb_ops with fbdev initializer
+macros for framebuffers in DMA-able virtual address space. Set the
+read/write, draw and mmap callbacks to the correct implementation
+and avoid implicit defaults. Also select the necessary helpers in
+Kconfig.
+
+Fbdev drivers sometimes rely on the callbacks being NULL for a
+default I/O-memory-based implementation to be invoked; hence
+requiring the I/O helpers to be built in any case. Setting all
+callbacks in all drivers explicitly will allow to make the I/O
+helpers optional. This benefits systems that do not use these
+functions.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231127131655.4020-23-tzimmermann@suse.de
+Cc: Ben Hutchings <benh@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/Kconfig | 1 +
+ drivers/video/fbdev/vt8500lcdfb.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -1464,6 +1464,7 @@ config FB_VT8500
+ select FB_SYS_FILLRECT if (!FB_WMT_GE_ROPS)
+ select FB_SYS_COPYAREA if (!FB_WMT_GE_ROPS)
+ select FB_SYS_IMAGEBLIT
++ select FB_SYS_FOPS
+ select FB_MODE_HELPERS
+ select VIDEOMODE_HELPERS
+ help
+--- a/drivers/video/fbdev/vt8500lcdfb.c
++++ b/drivers/video/fbdev/vt8500lcdfb.c
+@@ -241,6 +241,7 @@ static int vt8500lcd_blank(int blank, st
+
+ static const struct fb_ops vt8500lcd_ops = {
+ .owner = THIS_MODULE,
++ __FB_DEFAULT_DMAMEM_OPS_RDWR,
+ .fb_set_par = vt8500lcd_set_par,
+ .fb_setcolreg = vt8500lcd_setcolreg,
+ .fb_fillrect = wmt_ge_fillrect,
+@@ -250,6 +251,7 @@ static const struct fb_ops vt8500lcd_ops
+ .fb_ioctl = vt8500lcd_ioctl,
+ .fb_pan_display = vt8500lcd_pan_display,
+ .fb_blank = vt8500lcd_blank,
++ // .fb_mmap needs DMA mmap
+ };
+
+ static irqreturn_t vt8500lcd_handle_irq(int irq, void *dev_id)
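Review bot: `.fb_mmap` is still left unset at the end of vt8500lcd_ops, with only the `// .fb_mmap needs DMA mmap` marker, although the commit message says the mmap callback is set to the correct implementation and implicit defaults are avoided. Either wire up a DMA-aware mmap handler in this patch or state in the commit message that mmap still relies on the NULL default for this driver. A `/* TODO: ... */` comment in kernel style would also make the remaining gap easier to grep for than the C++-style comment.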
+@@ -357,7 +359,7 @@ static int vt8500lcd_probe(struct platfo
+
+ fbi->fb.fix.smem_start = fb_mem_phys;
+ fbi->fb.fix.smem_len = fb_mem_len;
+- fbi->fb.screen_base = fb_mem_virt;
++ fbi->fb.screen_buffer = fb_mem_virt;
+
+ fbi->palette_size = PAGE_ALIGN(512);
+ fbi->palette_cpu = dma_alloc_coherent(&pdev->dev,
--- /dev/null
+From stable+bounces-256658-greg=kroah.com@vger.kernel.org Fri May 29 23:16:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2026 12:51:26 -0400
+Subject: genetlink: Use internal flags for multicast groups
+To: stable@vger.kernel.org
+Cc: Ido Schimmel <idosch@nvidia.com>, Mat Martineau <martineau@kernel.org>, Andy Shevchenko <andriy.shevchenko@linux.intel.com>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260529165127.1228435-1-sashal@kernel.org>
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit cd4d7263d58ab98fd4dee876776e4da6c328faa3 ]
+
+As explained in commit e03781879a0d ("drop_monitor: Require
+'CAP_SYS_ADMIN' when joining "events" group"), the "flags" field in the
+multicast group structure reuses uAPI flags despite the field not being
+exposed to user space. This makes it impossible to extend its use
+without adding new uAPI flags, which is inappropriate for internal
+kernel checks.
+
+Solve this by adding internal flags (i.e., "GENL_MCAST_*") and convert
+the existing users to use them instead of the uAPI flags.
+
+Tested using the reproducers in commit 44ec98ea5ea9 ("psample: Require
+'CAP_NET_ADMIN' when joining "packets" group") and commit e03781879a0d
+("drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group").
+
+No functional changes intended.
+
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: d1ebfce2c1d1 ("smb: client: require net admin for CIFS SWN netlink")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/genetlink.h | 9 ++++++---
+ net/core/drop_monitor.c | 2 +-
+ net/mptcp/pm_netlink.c | 2 +-
+ net/netlink/genetlink.c | 4 ++--
+ net/psample/psample.c | 2 +-
+ 5 files changed, 11 insertions(+), 8 deletions(-)
+
+--- a/include/net/genetlink.h
++++ b/include/net/genetlink.h
+@@ -8,16 +8,19 @@
+
+ #define GENLMSG_DEFAULT_SIZE (NLMSG_DEFAULT_SIZE - GENL_HDRLEN)
+
++/* Binding to multicast group requires %CAP_NET_ADMIN */
++#define GENL_MCAST_CAP_NET_ADMIN BIT(0)
++/* Binding to multicast group requires %CAP_SYS_ADMIN */
++#define GENL_MCAST_CAP_SYS_ADMIN BIT(1)
++
+ /**
+ * struct genl_multicast_group - generic netlink multicast group
+ * @name: name of the multicast group, names are per-family
+- * @flags: GENL_* flags (%GENL_ADMIN_PERM or %GENL_UNS_ADMIN_PERM)
+- * @cap_sys_admin: whether %CAP_SYS_ADMIN is required for binding
++ * @flags: GENL_MCAST_* flags
+ */
+ struct genl_multicast_group {
+ char name[GENL_NAMSIZ];
+ u8 flags;
+- u8 cap_sys_admin:1;
+ };
+
+ struct genl_split_ops;
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -183,7 +183,7 @@ out:
+ }
+
+ static const struct genl_multicast_group dropmon_mcgrps[] = {
+- { .name = "events", .cap_sys_admin = 1 },
++ { .name = "events", .flags = GENL_MCAST_CAP_SYS_ADMIN, },
+ };
+
+ static void send_dm_alert(struct work_struct *work)
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1328,7 +1328,7 @@ bool mptcp_pm_nl_is_backup(struct mptcp_
+ static const struct genl_multicast_group mptcp_pm_mcgrps[] = {
+ [MPTCP_PM_CMD_GRP_OFFSET] = { .name = MPTCP_PM_CMD_GRP_NAME, },
+ [MPTCP_PM_EV_GRP_OFFSET] = { .name = MPTCP_PM_EV_GRP_NAME,
+- .flags = GENL_UNS_ADMIN_PERM,
++ .flags = GENL_MCAST_CAP_NET_ADMIN,
+ },
+ };
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1683,10 +1683,10 @@ static int genl_bind(struct net *net, in
+ continue;
+
+ grp = &family->mcgrps[i];
+- if ((grp->flags & GENL_UNS_ADMIN_PERM) &&
++ if ((grp->flags & GENL_MCAST_CAP_NET_ADMIN) &&
+ !ns_capable(net->user_ns, CAP_NET_ADMIN))
+ ret = -EPERM;
+- if (grp->cap_sys_admin &&
++ if ((grp->flags & GENL_MCAST_CAP_SYS_ADMIN) &&
+ !ns_capable(net->user_ns, CAP_SYS_ADMIN))
+ ret = -EPERM;
+
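Review bot: After this hunk genl_bind() tests only the `GENL_MCAST_*` bits, so a `genl_multicast_group` initializer in the target branch that still sets `.flags = GENL_UNS_ADMIN_PERM` will compile cleanly into the `u8 flags` field and stop being checked for CAP_NET_ADMIN unless the two values happen to coincide. A leftover `.cap_sys_admin = 1` fails to build, which is the safe outcome, but the `.flags` case is silent. The patch converts drop_monitor, mptcp and psample; please grep this stable branch for any other multicast group using the uAPI flag before queuing, since the set of users here may differ from upstream.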
+--- a/net/psample/psample.c
++++ b/net/psample/psample.c
+@@ -32,7 +32,7 @@ enum psample_nl_multicast_groups {
+ static const struct genl_multicast_group psample_nl_mcgrps[] = {
+ [PSAMPLE_NL_MCGRP_CONFIG] = { .name = PSAMPLE_NL_MCGRP_CONFIG_NAME },
+ [PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME,
+- .flags = GENL_UNS_ADMIN_PERM },
++ .flags = GENL_MCAST_CAP_NET_ADMIN, },
+ };
+
+ static struct genl_family psample_nl_family __ro_after_init;
--- /dev/null
+From a8aebe93a4938c0ca1941eeaae821738f869be3d Mon Sep 17 00:00:00 2001
+From: Corey Minyard <corey@minyard.net>
+Date: Tue, 21 Apr 2026 06:50:22 -0500
+Subject: ipmi:ssif: NULL thread on error
+
+From: Corey Minyard <corey@minyard.net>
+
+commit a8aebe93a4938c0ca1941eeaae821738f869be3d upstream.
+
+Cleanup code was checking the thread for NULL, but it was possibly
+a PTR_ERR() in one spot.
+
+Spotted with static analysis.
+
+Link: https://sourceforge.net/p/openipmi/mailman/message/59324676/
+Fixes: 75c486cb1bca ("ipmi:ssif: Clean up kthread on errors")
+Cc: <stable@vger.kernel.org> # 91eb7ec72612: ipmi:ssif: Remove unnecessary indention
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1883,6 +1883,7 @@ static int ssif_probe(struct i2c_client
+ "kssif%4.4x", thread_num);
+ if (IS_ERR(ssif_info->thread)) {
+ rv = PTR_ERR(ssif_info->thread);
++ ssif_info->thread = NULL;
+ dev_notice(&ssif_info->client->dev,
+ "Could not start kernel thread: error %d\n",
+ rv);
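Review bot: Style point on the `IS_ERR(ssif_info->thread)` branch: the fix depends on `rv = PTR_ERR(ssif_info->thread);` running before `ssif_info->thread = NULL;`, and the structure field briefly holds an error pointer. Assigning the kthread_run() result to a local `struct task_struct *` and storing it in `ssif_info->thread` only on success would remove the ordering dependency and keep the field either NULL or valid for the cleanup code the commit message refers to.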
--- /dev/null
+From 91eb7ec7261254b6875909df767185838598e21e Mon Sep 17 00:00:00 2001
+From: Corey Minyard <corey@minyard.net>
+Date: Mon, 13 Apr 2026 07:09:15 -0500
+Subject: ipmi:ssif: Remove unnecessary indention
+
+From: Corey Minyard <corey@minyard.net>
+
+commit 91eb7ec7261254b6875909df767185838598e21e upstream.
+
+A section was in {} that didn't need to be, move the variable
+definition to the top and set th eindentino properly.
+
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1667,6 +1667,7 @@ static int ssif_probe(struct i2c_client
+ int len = 0;
+ int i;
+ u8 slave_addr = 0;
++ unsigned int thread_num;
+ struct ssif_addr_info *addr_info = NULL;
+
+ mutex_lock(&ssif_infos_mutex);
+@@ -1875,22 +1876,17 @@ static int ssif_probe(struct i2c_client
+ ssif_info->handlers.request_events = request_events;
+ ssif_info->handlers.set_need_watch = ssif_set_need_watch;
+
+- {
+- unsigned int thread_num;
+-
+- thread_num = ((i2c_adapter_id(ssif_info->client->adapter)
+- << 8) |
+- ssif_info->client->addr);
+- init_completion(&ssif_info->wake_thread);
+- ssif_info->thread = kthread_run(ipmi_ssif_thread, ssif_info,
+- "kssif%4.4x", thread_num);
+- if (IS_ERR(ssif_info->thread)) {
+- rv = PTR_ERR(ssif_info->thread);
+- dev_notice(&ssif_info->client->dev,
+- "Could not start kernel thread: error %d\n",
+- rv);
+- goto out;
+- }
++ thread_num = ((i2c_adapter_id(ssif_info->client->adapter) << 8) |
++ ssif_info->client->addr);
++ init_completion(&ssif_info->wake_thread);
++ ssif_info->thread = kthread_run(ipmi_ssif_thread, ssif_info,
++ "kssif%4.4x", thread_num);
++ if (IS_ERR(ssif_info->thread)) {
++ rv = PTR_ERR(ssif_info->thread);
++ dev_notice(&ssif_info->client->dev,
++ "Could not start kernel thread: error %d\n",
++ rv);
++ goto out;
+ }
+
+ dev_set_drvdata(&ssif_info->client->dev, ssif_info);
--- /dev/null
+From fda9522ed6afaec45cabc198d8492270c394c7bc Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+Date: Wed, 25 Mar 2026 09:14:22 +0900
+Subject: ksmbd: fix OOB write in QUERY_INFO for compound requests
+
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+
+commit fda9522ed6afaec45cabc198d8492270c394c7bc upstream.
+
+When a compound request such as READ + QUERY_INFO(Security) is received,
+and the first command (READ) consumes most of the response buffer,
+ksmbd could write beyond the allocated buffer while building a security
+descriptor.
+
+The root cause was that smb2_get_info_sec() checked buffer space using
+ppntsd_size from xattr, while build_sec_desc() often synthesized a
+significantly larger descriptor from POSIX ACLs.
+
+This patch introduces smb_acl_sec_desc_scratch_len() to accurately
+compute the final descriptor size beforehand, performs proper buffer
+checking with smb2_calc_max_out_buf_len(), and uses exact-sized
+allocation + iov pinning.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ In v6.6, replace KSMBD_DEFAULT_GFP with GFP_KERNEL per
+commit 0066f623bce8 ("ksmbd: use __GFP_RETRY_MAYFAIL"). ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 121 +++++++++++++++++++++++++++++++++++-------------
+ fs/smb/server/smbacl.c | 43 +++++++++++++++++
+ fs/smb/server/smbacl.h | 2
+ 3 files changed, 134 insertions(+), 32 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3385,20 +3385,24 @@ int smb2_open(struct ksmbd_work *work)
+ KSMBD_SHARE_FLAG_ACL_XATTR)) {
+ struct smb_fattr fattr;
+ struct smb_ntsd *pntsd;
+- int pntsd_size, ace_num = 0;
++ int pntsd_size;
++ size_t scratch_len;
+
+ ksmbd_acls_fattr(&fattr, idmap, inode);
+- if (fattr.cf_acls)
+- ace_num = fattr.cf_acls->a_count;
+- if (fattr.cf_dacls)
+- ace_num += fattr.cf_dacls->a_count;
+-
+- pntsd = kmalloc(sizeof(struct smb_ntsd) +
+- sizeof(struct smb_sid) * 3 +
+- sizeof(struct smb_acl) +
+- sizeof(struct smb_ace) * ace_num * 2,
+- GFP_KERNEL);
++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr,
++ NULL, 0,
++ OWNER_SECINFO | GROUP_SECINFO |
++ DACL_SECINFO);
++ if (!scratch_len || scratch_len == SIZE_MAX) {
++ rc = -EFBIG;
++ posix_acl_release(fattr.cf_acls);
++ posix_acl_release(fattr.cf_dacls);
++ goto err_out;
++ }
++
++ pntsd = kvzalloc(scratch_len, GFP_KERNEL);
+ if (!pntsd) {
++ rc = -ENOMEM;
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ goto err_out;
+@@ -3413,7 +3417,7 @@ int smb2_open(struct ksmbd_work *work)
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ if (rc) {
+- kfree(pntsd);
++ kvfree(pntsd);
+ goto err_out;
+ }
+
+@@ -3423,7 +3427,7 @@ int smb2_open(struct ksmbd_work *work)
+ pntsd,
+ pntsd_size,
+ false);
+- kfree(pntsd);
++ kvfree(pntsd);
+ if (rc)
+ pr_err("failed to store ntacl in xattr : %d\n",
+ rc);
+@@ -5345,8 +5349,9 @@ static int smb2_get_info_file(struct ksm
+ if (test_share_config_flag(work->tcon->share_conf,
+ KSMBD_SHARE_FLAG_PIPE)) {
+ /* smb2 info file called for pipe */
+- return smb2_get_info_file_pipe(work->sess, req, rsp,
++ rc = smb2_get_info_file_pipe(work->sess, req, rsp,
+ work->response_buf);
++ goto iov_pin_out;
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+@@ -5446,6 +5451,12 @@ static int smb2_get_info_file(struct ksm
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, work->response_buf);
+ ksmbd_fd_put(work, fp);
++
++iov_pin_out:
++ if (!rc)
++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ le32_to_cpu(rsp->OutputBufferLength));
+ return rc;
+ }
+
+@@ -5665,6 +5676,11 @@ static int smb2_get_info_filesystem(stru
+ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
+ rsp, work->response_buf);
+ path_put(&path);
++
++ if (!rc)
++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ le32_to_cpu(rsp->OutputBufferLength));
+ return rc;
+ }
+
+@@ -5674,13 +5690,14 @@ static int smb2_get_info_sec(struct ksmb
+ {
+ struct ksmbd_file *fp;
+ struct mnt_idmap *idmap;
+- struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
++ struct smb_ntsd *pntsd = NULL, *ppntsd = NULL;
+ struct smb_fattr fattr = {{0}};
+ struct inode *inode;
+ __u32 secdesclen = 0;
+ unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
+ int addition_info = le32_to_cpu(req->AdditionalInformation);
+- int rc = 0, ppntsd_size = 0;
++ int rc = 0, ppntsd_size = 0, max_len;
++ size_t scratch_len = 0;
+
+ if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
+ PROTECTED_DACL_SECINFO |
+@@ -5688,6 +5705,11 @@ static int smb2_get_info_sec(struct ksmb
+ ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
+ addition_info);
+
++ pntsd = kzalloc(ALIGN(sizeof(struct smb_ntsd), 8),
++ GFP_KERNEL);
++ if (!pntsd)
++ return -ENOMEM;
++
+ pntsd->revision = cpu_to_le16(1);
+ pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
+ pntsd->osidoffset = 0;
+@@ -5696,9 +5718,7 @@ static int smb2_get_info_sec(struct ksmb
+ pntsd->dacloffset = 0;
+
+ secdesclen = sizeof(struct smb_ntsd);
+- rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+-
+- return 0;
++ goto iov_pin;
+ }
+
+ if (work->next_smb2_rcv_hdr_off) {
+@@ -5730,18 +5750,58 @@ static int smb2_get_info_sec(struct ksmb
+ &ppntsd);
+
+ /* Check if sd buffer size exceeds response buffer size */
+- if (smb2_resp_buf_len(work, 8) > ppntsd_size)
+- rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
+- addition_info, &secdesclen, &fattr);
++ max_len = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
++ if (max_len < 0) {
++ rc = -EINVAL;
++ goto release_acl;
++ }
++
++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr, ppntsd,
++ ppntsd_size, addition_info);
++ if (!scratch_len || scratch_len == SIZE_MAX) {
++ rc = -EFBIG;
++ goto release_acl;
++ }
++
++ pntsd = kvzalloc(scratch_len, GFP_KERNEL);
++ if (!pntsd) {
++ rc = -ENOMEM;
++ goto release_acl;
++ }
++
++ rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
++ addition_info, &secdesclen, &fattr);
++
++release_acl:
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
+ kfree(ppntsd);
+ ksmbd_fd_put(work, fp);
++
++ if (!rc && ALIGN(secdesclen, 8) > scratch_len)
++ rc = -EFBIG;
+ if (rc)
+- return rc;
++ goto err_out;
+
++iov_pin:
+ rsp->OutputBufferLength = cpu_to_le32(secdesclen);
+- return 0;
++ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
++ rsp, work->response_buf);
++ if (rc)
++ goto err_out;
++
++ rc = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ pntsd, secdesclen);
++err_out:
++ if (rc) {
++ rsp->OutputBufferLength = 0;
++ kvfree(pntsd);
++ }
++
++ return rc;
+ }
+
+ /**
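Review bot: `max_len` from smb2_calc_max_out_buf_len() is only tested for `< 0` in this hunk; neither `scratch_len` nor `secdesclen` is compared against it before ksmbd_iov_pin_rsp_read(). The only size check visible after build_sec_desc() is buffer_check_err() against req->OutputBufferLength. Because the descriptor is now built in its own kvzalloc() buffer this no longer writes past the response buffer, but an explicit `if (secdesclen > max_len)` rejection before the pin would make the compound-response bound from the commit message visible in the code. Note also that `ALIGN(secdesclen, 8) > scratch_len` runs after build_sec_desc() has already written into pntsd, so it detects an undersized estimate rather than preventing the write; passing `scratch_len` into build_sec_desc() as a hard limit would close that.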
+@@ -5765,6 +5825,9 @@ int smb2_query_info(struct ksmbd_work *w
+ goto err_out;
+ }
+
++ rsp->StructureSize = cpu_to_le16(9);
++ rsp->OutputBufferOffset = cpu_to_le16(72);
++
+ switch (req->InfoType) {
+ case SMB2_O_INFO_FILE:
+ ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n");
+@@ -5785,14 +5848,6 @@ int smb2_query_info(struct ksmbd_work *w
+ }
+ ksmbd_revert_fsids(work);
+
+- if (!rc) {
+- rsp->StructureSize = cpu_to_le16(9);
+- rsp->OutputBufferOffset = cpu_to_le16(72);
+- rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
+- offsetof(struct smb2_query_info_rsp, Buffer) +
+- le32_to_cpu(rsp->OutputBufferLength));
+- }
+-
+ err_out:
+ if (rc < 0) {
+ if (rc == -EACCES)
+@@ -5803,6 +5858,8 @@ err_out:
+ rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
+ else if (rc == -ENOMEM)
+ rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
++ else if (rc == -EINVAL && rsp->hdr.Status == 0)
++ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ else if (rc == -EOPNOTSUPP || rsp->hdr.Status == 0)
+ rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ smb2_set_err_rsp(work);
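Review bot: The new `-EFBIG` returns introduced by the scratch_len checks have no branch of their own in this status chain. Unless a branch outside this hunk handles it, `-EFBIG` with `rsp->hdr.Status == 0` falls through to `rc == -EOPNOTSUPP || rsp->hdr.Status == 0` and is reported as STATUS_INVALID_INFO_CLASS, which misdescribes a size failure to the client. Consider adding an explicit `else if (rc == -EFBIG)` mapping next to the new `-EINVAL` one.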
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -930,6 +930,49 @@ int parse_sec_desc(struct mnt_idmap *idm
+ return 0;
+ }
+
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info)
++{
++ size_t len = sizeof(struct smb_ntsd);
++ size_t tmp;
++
++ if (addition_info & OWNER_SECINFO)
++ len += sizeof(struct smb_sid);
++ if (addition_info & GROUP_SECINFO)
++ len += sizeof(struct smb_sid);
++ if (!(addition_info & DACL_SECINFO))
++ return len;
++
++ len += sizeof(struct smb_acl);
++ if (ppntsd && ppntsd_size > 0) {
++ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset);
++
++ if (dacl_offset < ppntsd_size &&
++ check_add_overflow(len, ppntsd_size - dacl_offset, &len))
++ return 0;
++ }
++
++ if (fattr->cf_acls) {
++ if (check_mul_overflow((size_t)fattr->cf_acls->a_count,
++ 2 * sizeof(struct smb_ace), &tmp) ||
++ check_add_overflow(len, tmp, &len))
++ return 0;
++ } else {
++ /* default/minimum DACL */
++ if (check_add_overflow(len, 5 * sizeof(struct smb_ace), &len))
++ return 0;
++ }
++
++ if (fattr->cf_dacls) {
++ if (check_mul_overflow((size_t)fattr->cf_dacls->a_count,
++ sizeof(struct smb_ace), &tmp) ||
++ check_add_overflow(len, tmp, &len))
++ return 0;
++ }
++
++ return len;
++}
++
+ /* Convert permission bits from mode to equivalent CIFS ACL */
+ int build_sec_desc(struct mnt_idmap *idmap,
+ struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
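Review bot: smb_acl_sec_desc_scratch_len() has no comment describing its return contract, and the callers in smb2pdu.c test `!scratch_len || scratch_len == SIZE_MAX` although every overflow path here does `return 0;` and nothing returns SIZE_MAX. Please add a short kernel-doc block stating that 0 means overflow and drop the SIZE_MAX comparison in the callers, or return SIZE_MAX consistently. Also, when `dacl_offset >= ppntsd_size` the stored DACL contributes nothing to `len` and no error is raised; a comment saying this is intentional (and that build_sec_desc() skips the stored DACL in the same case) would help the next reader confirm the estimate is an upper bound.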
+--- a/fs/smb/server/smbacl.h
++++ b/fs/smb/server/smbacl.h
+@@ -101,6 +101,8 @@ int set_info_sec(struct ksmbd_conn *conn
+ bool type_check, bool get_write);
+ void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
+ void ksmbd_init_domain(u32 *sub_auth);
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info);
+
+ static inline uid_t posix_acl_uid_translate(struct mnt_idmap *idmap,
+ struct posix_acl_entry *pace)
mm-hugetlb-avoid-false-positive-lockdep-assertion.patch
soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_.patch
mm-huge_memory-update-file-pmd-counter-before-folio_.patch
+ipmi-ssif-remove-unnecessary-indention.patch
+ipmi-ssif-null-thread-on-error.patch
+fbdev-vt8500lcdfb-initialize-fb_ops-with-fbdev-macros.patch
+ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch
+cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
+genetlink-use-internal-flags-for-multicast-groups.patch
+smb-client-require-net-admin-for-cifs-swn-netlink.patch
--- /dev/null
+From stable+bounces-256659-greg=kroah.com@vger.kernel.org Fri May 29 22:44:26 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 May 2026 12:51:27 -0400
+Subject: smb: client: require net admin for CIFS SWN netlink
+To: stable@vger.kernel.org
+Cc: Michael Bommarito <michael.bommarito@gmail.com>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260529165127.1228435-2-sashal@kernel.org>
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+[ Upstream commit d1ebfce2c1d161186a82e77590bf7da2ea1bce91 ]
+
+CIFS_GENL_CMD_SWN_NOTIFY is the userspace witness-notify command. The
+intended sender is the cifs.witness helper, but the generic-netlink
+operation currently has no capability flag, so any local process can send
+RESOURCE_CHANGE or CLIENT_MOVE notifications to the in-kernel witness
+handler.
+
+The same family exposes CIFS_GENL_MCGRP_SWN without multicast-group
+capability flags. Register messages sent to that group include the witness
+registration id and, for NTLM-authenticated mounts, the username, domain,
+and password attributes copied from the CIFS session. An unprivileged
+local process should not be able to join that group and receive those
+messages.
+
+Require CAP_NET_ADMIN for incoming SWN_NOTIFY commands with
+GENL_ADMIN_PERM, and require CAP_NET_ADMIN over the network namespace for
+joining the SWN multicast group with GENL_MCAST_CAP_NET_ADMIN. The
+cifs.witness service runs with the privileges needed for both operations.
+
+Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/netlink.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/netlink.c
++++ b/fs/smb/client/netlink.c
+@@ -33,13 +33,17 @@ static const struct nla_policy cifs_genl
+ static const struct genl_ops cifs_genl_ops[] = {
+ {
+ .cmd = CIFS_GENL_CMD_SWN_NOTIFY,
++ .flags = GENL_ADMIN_PERM,
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = cifs_swn_notify,
+ },
+ };
+
+ static const struct genl_multicast_group cifs_genl_mcgrps[] = {
+- [CIFS_GENL_MCGRP_SWN] = { .name = CIFS_GENL_MCGRP_SWN_NAME },
++ [CIFS_GENL_MCGRP_SWN] = {
++ .name = CIFS_GENL_MCGRP_SWN_NAME,
++ .flags = GENL_MCAST_CAP_NET_ADMIN,
++ },
+ };
+
+ struct genl_family cifs_genl_family = {
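Review bot: The two new `.flags` lines gate on different scopes and the code does not say why. `GENL_MCAST_CAP_NET_ADMIN` on CIFS_GENL_MCGRP_SWN is evaluated in genl_bind() as `ns_capable(net->user_ns, CAP_NET_ADMIN)`, that is, relative to the owner of the socket's network namespace, while the op uses `GENL_ADMIN_PERM` rather than the namespace-relative variant. Since the commit message says register messages on this group carry the username, domain and password attributes, please confirm (the family definition is cut off after `struct genl_family cifs_genl_family = {`) that the family is reachable only from the initial network namespace, or document in a comment next to `cifs_genl_mcgrps` why a namespace-scoped check is sufficient for the group.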