From: Greg Kroah-Hartman
Date: Fri, 20 Mar 2026 17:25:31 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.167~86
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=776dac2bbd74b82e3326328ac3cc86a54c06e464;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
ksmbd-unset-conn-binding-on-failed-binding-request.patch
smb-client-fix-krb5-mount-with-username-option.patch
---
diff --git a/queue-6.1/ksmbd-unset-conn-binding-on-failed-binding-request.patch b/queue-6.1/ksmbd-unset-conn-binding-on-failed-binding-request.patch
new file mode 100644
index 0000000000..eefc6fcae6
--- /dev/null
+++ b/queue-6.1/ksmbd-unset-conn-binding-on-failed-binding-request.patch
@@ -0,0 +1,35 @@
+From 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Fri, 13 Mar 2026 10:00:58 +0900
+Subject: ksmbd: unset conn->binding on failed binding request
+
+From: Namjae Jeon
+
+commit 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 upstream.
+
+When a multichannel SMB2_SESSION_SETUP request with
+SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
+but never clears it on the error path. This leaves the connection in
+a binding state where all subsequent ksmbd_session_lookup_all() calls
+fall back to the global sessions table. This fix it by clearing
+conn->binding = false in the error path.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1936,6 +1936,7 @@ out_err:
+ }
+ }
+ smb2_set_err_rsp(work);
++ conn->binding = false;
+ } else {
+ unsigned int iov_len;
+
diff --git a/queue-6.1/series b/queue-6.1/series
index b5a4a0c358..6547ead4f2 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
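Review bot: The added `conn->binding = false;` in the `out_err` branch carries no comment, so the reason for the reset lives only in the commit message. I would add above it `/* a failed bind must not leave conn->binding set, or later ksmbd_session_lookup_all() calls fall back to the global sessions table */`. The reset sits after `smb2_set_err_rsp(work)` in the error branch only; the function starts and ends outside the hunk, so whether any other exit can leave the flag set after a rejected bind cannot be checked from here and is worth confirming against the 6.1 tree.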
@@ -286,3 +286,5 @@ nfc-nxp-nci-allow-gpios-to-sleep.patch
 net-macb-fix-use-after-free-access-to-ptp-clock.patch
 bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch
 bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch
+smb-client-fix-krb5-mount-with-username-option.patch
+ksmbd-unset-conn-binding-on-failed-binding-request.patch
diff --git a/queue-6.1/smb-client-fix-krb5-mount-with-username-option.patch b/queue-6.1/smb-client-fix-krb5-mount-with-username-option.patch
new file mode 100644
index 0000000000..c53665701e
--- /dev/null
+++ b/queue-6.1/smb-client-fix-krb5-mount-with-username-option.patch
@@ -0,0 +1,67 @@
+From 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Fri, 13 Mar 2026 00:03:38 -0300
+Subject: smb: client: fix krb5 mount with username option
+
+From: Paulo Alcantara
+
+commit 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 upstream.
+
+Customer reported that some of their krb5 mounts were failing against
+a single server as the client was trying to mount the shares with
+wrong credentials. It turned out the client was reusing SMB session
+from first mount to try mounting the other shares, even though a
+different username= option had been specified to the other mounts.
+
+By using username mount option along with sec=krb5 to search for
+principals from keytab is supported by cifs.upcall(8) since
+cifs-utils-4.8. So fix this by matching username mount option in
+match_session() even with Kerberos.
+
+For example, the second mount below should fail with -ENOKEY as there
+is no 'foobar' principal in keytab (/etc/krb5.keytab). The client
+ends up reusing SMB session from first mount to perform the second
+one, which is wrong.
+
+```
+$ ktutil
+ktutil: add_entry -password -p testuser -k 1 -e aes256-cts
+Password for testuser@ZELDA.TEST:
+ktutil: write_kt /etc/krb5.keytab
+ktutil: quit
+$ klist -ke
+Keytab name: FILE:/etc/krb5.keytab
+KVNO Principal
+ ---- ----------------------------------------------------------------
+ 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
+$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
+$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
+$ mount -t cifs | grep -Po 'username=\K\w+'
+testuser
+testuser
+```
+
+Reported-by: Oscar Santos
+Signed-off-by: Paulo Alcantara (Red Hat)
+Cc: David Howells
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/connect.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -1909,6 +1909,10 @@ static int match_session(struct cifs_ses
+ case Kerberos:
+ if (!uid_eq(ctx->cred_uid, ses->cred_uid))
+ return 0;
++ if (strncmp(ses->user_name ?: "",
++ ctx->username ?: "",
++ CIFS_MAX_USERNAME_LEN))
++ return 0;
+ break;
+ case NTLMv2:
+ case RawNTLMSSP:
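Review bot: The new `strncmp()` in the `Kerberos` case of `match_session()` maps a missing name to `""` on both sides, so a mount without `username=` still shares a session with any other same-`cred_uid` mount that also gave none; that is probably intended, but nothing in the code says so. I would add above the comparison `/* username= selects the keytab principal; never share a krb5 session across different usernames (NULL compares as "") */`. The comparison is bounded by `CIFS_MAX_USERNAME_LEN`, so names that differ only past that length would still match; this is presumably unreachable if option parsing enforces the same limit, which lies outside this hunk. `match_session()` starts before and continues after the hunk.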