From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 04:51:51 +0000 (+0530) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9f742cd7666dbc0eaf1ce53a2d96bb38c35110ad;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch fbdev-vt8500lcdfb-initialize-fb_ops-with-fbdev-macros.patch genetlink-use-internal-flags-for-multicast-groups.patch ipmi-ssif-null-thread-on-error.patch ipmi-ssif-remove-unnecessary-indention.patch ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch smb-client-require-net-admin-for-cifs-swn-netlink.patch
---
diff --git a/queue-6.6/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch b/queue-6.6/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
new file mode 100644
index 0000000000..7be4d02c2e
--- /dev/null
+++ b/queue-6.6/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
@@ -0,0 +1,70 @@
+From stable+bounces-253796-greg=kroah.com@vger.kernel.org Fri May 22 19:25:23 2026
+From: Sasha Levin
+Date: Fri, 22 May 2026 09:30:46 -0400
+Subject: cgroup/cpuset: Reset DL migration state on can_attach() failure
+To: stable@vger.kernel.org
+Cc: Guopeng Zhang , Tejun Heo , Chen Ridong , Waiman Long , Sasha Levin
+Message-ID: <20260522133046.3882842-1-sashal@kernel.org>
+
+From: Guopeng Zhang
+
+[ Upstream commit 4a39eda5fdd867fc39f3c039714dd432cee00268 ]
+
+cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
+state in the destination cpuset while walking the taskset.
+
+If a later task_can_attach() or security_task_setscheduler() check
+fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
+and does not call cpuset_cancel_attach() for it. The partially
+accumulated state is then left behind and can be consumed by a later
+attach, corrupting cpuset DL task accounting and pending DL bandwidth
+accounting.
+
+Reset the pending DL migration state from the common error exit when
+ret is non-zero. Successful can_attach() keeps the state for
+cpuset_attach() or cpuset_cancel_attach().
+
+Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Guopeng Zhang
+Signed-off-by: Tejun Heo
+Reviewed-by: Chen Ridong
+Reviewed-by: Waiman Long
+[ omitted upstream context line `cs->dl_bw_cpu = cpu;` ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cpuset.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2609,16 +2609,13 @@ static int cpuset_can_attach(struct cgro
+ int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
+
+ if (unlikely(cpu >= nr_cpu_ids)) {
+- reset_migrate_dl_data(cs);
+ ret = -EINVAL;
+ goto out_unlock;
+ }
+
+ ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
+- if (ret) {
+- reset_migrate_dl_data(cs);
++ if (ret)
+ goto out_unlock;
+- }
+ }
+
+ out_success:
+@@ -3458,7 +3455,10 @@ static int cpuset_can_fork(struct task_s
+ * changes which zero cpus/mems_allowed.
+ */
+ cs->attach_in_progress++;
++
+ out_unlock:
++ if (ret)
++ reset_migrate_dl_data(cs);
+ mutex_unlock(&cpuset_mutex);
+ return ret;
+ }
diff --git a/queue-6.6/fbdev-vt8500lcdfb-initialize-fb_ops-with-fbdev-macros.patch b/queue-6.6/fbdev-vt8500lcdfb-initialize-fb_ops-with-fbdev-macros.patch
new file mode 100644
index 0000000000..2f8544aea9
--- /dev/null
+++ b/queue-6.6/fbdev-vt8500lcdfb-initialize-fb_ops-with-fbdev-macros.patch
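Review bot: The fix now relies on every failure exit of cpuset_can_attach() storing a non-zero `ret` before it jumps to `out_unlock`; a path that arrives there with `ret == 0` would skip reset_migrate_dl_data() and keep the partially accumulated DL migration state, which is precisely the leak the patch is closing. Only two such exits are visible in the hunk (the `-EINVAL` for an empty active-CPU set and the dl_bw_alloc() failure); the function's other early returns, and its start, lie outside the hunk and should be checked for the same property. A one-line comment at the label would make that contract explicit for future edits: `/* every failure path must have set ret, or pending DL state leaks into the next attach */`. The second hunk header names cpuset_can_fork only through git's context heuristic; the label and the reset belong to cpuset_can_attach().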
@@ -0,0 +1,69 @@
+From 63a11adaceb8b77d70bcce0890197fa9462ce160 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann
+Date: Mon, 27 Nov 2023 14:15:51 +0100
+Subject: fbdev/vt8500lcdfb: Initialize fb_ops with fbdev macros
+
+From: Thomas Zimmermann
+
+commit 63a11adaceb8b77d70bcce0890197fa9462ce160 upstream.
+
+Initialize the instance of struct fb_ops with fbdev initializer
+macros for framebuffers in DMA-able virtual address space. Set the
+read/write, draw and mmap callbacks to the correct implementation
+and avoid implicit defaults. Also select the necessary helpers in
+Kconfig.
+
+Fbdev drivers sometimes rely on the callbacks being NULL for a
+default I/O-memory-based implementation to be invoked; hence
+requiring the I/O helpers to be built in any case. Setting all
+callbacks in all drivers explicitly will allow to make the I/O
+helpers optional. This benefits systems that do not use these
+functions.
+
+Signed-off-by: Thomas Zimmermann
+Reviewed-by: Javier Martinez Canillas
+Link: https://patchwork.freedesktop.org/patch/msgid/20231127131655.4020-23-tzimmermann@suse.de
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/Kconfig | 1 +
+ drivers/video/fbdev/vt8500lcdfb.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -1464,6 +1464,7 @@ config FB_VT8500
+ select FB_SYS_FILLRECT if (!FB_WMT_GE_ROPS)
+ select FB_SYS_COPYAREA if (!FB_WMT_GE_ROPS)
+ select FB_SYS_IMAGEBLIT
++ select FB_SYS_FOPS
+ select FB_MODE_HELPERS
+ select VIDEOMODE_HELPERS
+ help
+--- a/drivers/video/fbdev/vt8500lcdfb.c
++++ b/drivers/video/fbdev/vt8500lcdfb.c
+@@ -241,6 +241,7 @@ static int vt8500lcd_blank(int blank, st
+
+ static const struct fb_ops vt8500lcd_ops = {
+ .owner = THIS_MODULE,
++ __FB_DEFAULT_DMAMEM_OPS_RDWR,
+ .fb_set_par = vt8500lcd_set_par,
+ .fb_setcolreg = vt8500lcd_setcolreg,
+ .fb_fillrect = wmt_ge_fillrect,
+@@ -250,6 +251,7 @@ static const struct fb_ops
vt8500lcd_ops
+ .fb_ioctl = vt8500lcd_ioctl,
+ .fb_pan_display = vt8500lcd_pan_display,
+ .fb_blank = vt8500lcd_blank,
++ // .fb_mmap needs DMA mmap
+ };
+
+ static irqreturn_t vt8500lcd_handle_irq(int irq, void *dev_id)
+@@ -357,7 +359,7 @@ static int vt8500lcd_probe(struct platfo
+
+ fbi->fb.fix.smem_start = fb_mem_phys;
+ fbi->fb.fix.smem_len = fb_mem_len;
+- fbi->fb.screen_base = fb_mem_virt;
++ fbi->fb.screen_buffer = fb_mem_virt;
+
+ fbi->palette_size = PAGE_ALIGN(512);
+ fbi->palette_cpu = dma_alloc_coherent(&pdev->dev,
diff --git a/queue-6.6/genetlink-use-internal-flags-for-multicast-groups.patch b/queue-6.6/genetlink-use-internal-flags-for-multicast-groups.patch
new file mode 100644
index 0000000000..601ecdf452
--- /dev/null
+++ b/queue-6.6/genetlink-use-internal-flags-for-multicast-groups.patch
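Review bot: Nothing in the message states what this repairs for 6.6: it reads as one patch of an upstream fb_ops clean-up series (the Link is patch 23 of that series) and carries no Fixes: tag, so the stable justification, presumably a broken or build-failing read/write path once `screen_base` became `screen_buffer`, should be spelled out in the backport note. On the code itself, `.fb_mmap` is deliberately left unset with the C99 remark `// .fb_mmap needs DMA mmap`, so mmap still goes through the NULL-callback default that the message itself describes as I/O-memory based; whether that is correct for what the `__FB_DEFAULT_DMAMEM_OPS_RDWR` macro implies is DMA memory is not visible here and deserves a kernel-style comment rather than a bare `//`, e.g. `/* .fb_mmap intentionally unset: fbdev core default applies; a DMA-aware mmap is still TODO */`. The vt8500lcd_probe() body continues outside the hunk.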
@@ -0,0 +1,116 @@
+From stable+bounces-256658-greg=kroah.com@vger.kernel.org Fri May 29 23:16:28 2026
+From: Sasha Levin
+Date: Fri, 29 May 2026 12:51:26 -0400
+Subject: genetlink: Use internal flags for multicast groups
+To: stable@vger.kernel.org
+Cc: Ido Schimmel , Mat Martineau , Andy Shevchenko , "David S. Miller" , Sasha Levin
+Message-ID: <20260529165127.1228435-1-sashal@kernel.org>
+
+From: Ido Schimmel
+
+[ Upstream commit cd4d7263d58ab98fd4dee876776e4da6c328faa3 ]
+
+As explained in commit e03781879a0d ("drop_monitor: Require
+'CAP_SYS_ADMIN' when joining "events" group"), the "flags" field in the
+multicast group structure reuses uAPI flags despite the field not being
+exposed to user space. This makes it impossible to extend its use
+without adding new uAPI flags, which is inappropriate for internal
+kernel checks.
+
+Solve this by adding internal flags (i.e., "GENL_MCAST_*") and convert
+the existing users to use them instead of the uAPI flags.
+
+Tested using the reproducers in commit 44ec98ea5ea9 ("psample: Require
+'CAP_NET_ADMIN' when joining "packets" group") and commit e03781879a0d
+("drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group").
+
+No functional changes intended.
+
+Signed-off-by: Ido Schimmel
+Reviewed-by: Mat Martineau
+Reviewed-by: Andy Shevchenko
+Signed-off-by: David S.
Miller
+Stable-dep-of: d1ebfce2c1d1 ("smb: client: require net admin for CIFS SWN netlink")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/genetlink.h | 9 ++++++---
+ net/core/drop_monitor.c | 2 +-
+ net/mptcp/pm_netlink.c | 2 +-
+ net/netlink/genetlink.c | 4 ++--
+ net/psample/psample.c | 2 +-
+ 5 files changed, 11 insertions(+), 8 deletions(-)
+
+--- a/include/net/genetlink.h
++++ b/include/net/genetlink.h
+@@ -8,16 +8,19 @@
+
+ #define GENLMSG_DEFAULT_SIZE (NLMSG_DEFAULT_SIZE - GENL_HDRLEN)
+
++/* Binding to multicast group requires %CAP_NET_ADMIN */
++#define GENL_MCAST_CAP_NET_ADMIN BIT(0)
++/* Binding to multicast group requires %CAP_SYS_ADMIN */
++#define GENL_MCAST_CAP_SYS_ADMIN BIT(1)
++
+ /**
+ * struct genl_multicast_group - generic netlink multicast group
+ * @name: name of the multicast group, names are per-family
+- * @flags: GENL_* flags (%GENL_ADMIN_PERM or %GENL_UNS_ADMIN_PERM)
+- * @cap_sys_admin: whether %CAP_SYS_ADMIN is required for binding
++ * @flags: GENL_MCAST_* flags
+ */
+ struct genl_multicast_group {
+ char name[GENL_NAMSIZ];
+ u8 flags;
+- u8 cap_sys_admin:1;
+ };
+
+ struct genl_split_ops;
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -183,7 +183,7 @@ out:
+ }
+
+ static const struct genl_multicast_group dropmon_mcgrps[] = {
+- { .name = "events", .cap_sys_admin = 1 },
++ { .name = "events", .flags = GENL_MCAST_CAP_SYS_ADMIN, },
+ };
+
+ static void send_dm_alert(struct work_struct *work)
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1328,7 +1328,7 @@ bool mptcp_pm_nl_is_backup(struct mptcp_
+ static const struct genl_multicast_group mptcp_pm_mcgrps[] = {
+ [MPTCP_PM_CMD_GRP_OFFSET] = { .name = MPTCP_PM_CMD_GRP_NAME, },
+ [MPTCP_PM_EV_GRP_OFFSET] = { .name = MPTCP_PM_EV_GRP_NAME,
+- .flags = GENL_UNS_ADMIN_PERM,
++ .flags = GENL_MCAST_CAP_NET_ADMIN,
+ },
+ };
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1683,10 +1683,10 @@ static int
genl_bind(struct net *net, in
+ continue;
+
+ grp = &family->mcgrps[i];
+- if ((grp->flags & GENL_UNS_ADMIN_PERM) &&
++ if ((grp->flags & GENL_MCAST_CAP_NET_ADMIN) &&
+ !ns_capable(net->user_ns, CAP_NET_ADMIN))
+ ret = -EPERM;
+- if (grp->cap_sys_admin &&
++ if ((grp->flags & GENL_MCAST_CAP_SYS_ADMIN) &&
+ !ns_capable(net->user_ns, CAP_SYS_ADMIN))
+ ret = -EPERM;
+
+--- a/net/psample/psample.c
++++ b/net/psample/psample.c
+@@ -32,7 +32,7 @@ enum psample_nl_multicast_groups {
+ static const struct genl_multicast_group psample_nl_mcgrps[] = {
+ [PSAMPLE_NL_MCGRP_CONFIG] = { .name = PSAMPLE_NL_MCGRP_CONFIG_NAME },
+ [PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME,
+- .flags = GENL_UNS_ADMIN_PERM },
++ .flags = GENL_MCAST_CAP_NET_ADMIN, },
+ };
+
+ static struct genl_family psample_nl_family __ro_after_init;
diff --git a/queue-6.6/ipmi-ssif-null-thread-on-error.patch b/queue-6.6/ipmi-ssif-null-thread-on-error.patch
new file mode 100644
index 0000000000..21b083c5da
--- /dev/null
+++ b/queue-6.6/ipmi-ssif-null-thread-on-error.patch
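Review bot: Re-keying the genl_bind() checks to GENL_MCAST_CAP_NET_ADMIN / GENL_MCAST_CAP_SYS_ADMIN silently disables the restriction for any 6.6 multicast group still written in the old encoding: `.cap_sys_admin = 1` now fails to build, which is safe, but `.flags = GENL_UNS_ADMIN_PERM` still compiles and, if I have the uAPI values right (GENL_UNS_ADMIN_PERM is 0x10, not BIT(0) or BIT(1)), no longer requires CAP_NET_ADMIN to join. The backport converts drop_monitor, mptcp and psample; before queuing it is worth grepping the 6.6 tree, including other queued backports, for `genl_multicast_group` initialisers that assign a `GENL_*_PERM` value to `.flags`, since such a user would lose its check with no build error. A short comment on the new defines would also help, e.g. `/* internal bits; never pass the uAPI GENL_*_PERM values here, genl_bind() ignores them */`. The genl_bind() loop begins outside the hunk.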
@@ -0,0 +1,34 @@
+From a8aebe93a4938c0ca1941eeaae821738f869be3d Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Tue, 21 Apr 2026 06:50:22 -0500
+Subject: ipmi:ssif: NULL thread on error
+
+From: Corey Minyard
+
+commit a8aebe93a4938c0ca1941eeaae821738f869be3d upstream.
+
+Cleanup code was checking the thread for NULL, but it was possibly
+a PTR_ERR() in one spot.
+
+Spotted with static analysis.
+
+Link: https://sourceforge.net/p/openipmi/mailman/message/59324676/
+Fixes: 75c486cb1bca ("ipmi:ssif: Clean up kthread on errors")
+Cc: # 91eb7ec72612: ipmi:ssif: Remove unnecessary indention
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/ipmi/ipmi_ssif.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1883,6 +1883,7 @@ static int ssif_probe(struct i2c_client
+ "kssif%4.4x", thread_num);
+ if (IS_ERR(ssif_info->thread)) {
+ rv = PTR_ERR(ssif_info->thread);
++ ssif_info->thread = NULL;
+ dev_notice(&ssif_info->client->dev,
+ "Could not start kernel thread: error %d\n",
+ rv);
diff --git a/queue-6.6/ipmi-ssif-remove-unnecessary-indention.patch b/queue-6.6/ipmi-ssif-remove-unnecessary-indention.patch
new file mode 100644
index 0000000000..8b9201f66b
--- /dev/null
+++ b/queue-6.6/ipmi-ssif-remove-unnecessary-indention.patch
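Review bot: The new `ssif_info->thread = NULL;` is only correct because the cleanup reached by `goto out` tests the pointer against NULL rather than with IS_ERR(), which the message states but the code at the assignment does not; a comment on the line would keep a later refactor from storing the PTR_ERR value again, e.g. `/* the out: cleanup checks thread for NULL, not IS_ERR() */`. The `Cc: # 91eb7ec72612` line records that this hunk only applies on top of the indentation clean-up queued just before it, so the two must stay in that order in the series. ssif_probe() begins and ends outside the hunk.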
@@ -0,0 +1,62 @@
+From 91eb7ec7261254b6875909df767185838598e21e Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Mon, 13 Apr 2026 07:09:15 -0500
+Subject: ipmi:ssif: Remove unnecessary indention
+
+From: Corey Minyard
+
+commit 91eb7ec7261254b6875909df767185838598e21e upstream.
+
+A section was in {} that didn't need to be, move the variable
+definition to the top and set th eindentino properly.
+
+Signed-off-by: Corey Minyard
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/ipmi/ipmi_ssif.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1667,6 +1667,7 @@ static int ssif_probe(struct i2c_client
+ int len = 0;
+ int i;
+ u8 slave_addr = 0;
++ unsigned int thread_num;
+ struct ssif_addr_info *addr_info = NULL;
+
+ mutex_lock(&ssif_infos_mutex);
+@@ -1875,22 +1876,17 @@ static int ssif_probe(struct i2c_client
+ ssif_info->handlers.request_events = request_events;
+ ssif_info->handlers.set_need_watch = ssif_set_need_watch;
+
+- {
+- unsigned int thread_num;
+-
+- thread_num = ((i2c_adapter_id(ssif_info->client->adapter)
+- << 8) |
+- ssif_info->client->addr);
+- init_completion(&ssif_info->wake_thread);
+- ssif_info->thread = kthread_run(ipmi_ssif_thread, ssif_info,
+- "kssif%4.4x", thread_num);
+- if (IS_ERR(ssif_info->thread)) {
+- rv = PTR_ERR(ssif_info->thread);
+- dev_notice(&ssif_info->client->dev,
+- "Could not start kernel thread: error %d\n",
+- rv);
+- goto out;
+- }
++ thread_num = ((i2c_adapter_id(ssif_info->client->adapter) << 8) |
++ ssif_info->client->addr);
++ init_completion(&ssif_info->wake_thread);
++ ssif_info->thread = kthread_run(ipmi_ssif_thread, ssif_info,
++ "kssif%4.4x", thread_num);
++ if (IS_ERR(ssif_info->thread)) {
++ rv = PTR_ERR(ssif_info->thread);
++ dev_notice(&ssif_info->client->dev,
++ "Could not start kernel thread: error %d\n",
++ rv);
++ goto out;
+ }
+
+ dev_set_drvdata(&ssif_info->client->dev,
ssif_info);
diff --git a/queue-6.6/ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch b/queue-6.6/ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch
new file mode 100644
index 0000000000..ac005ead84
--- /dev/null
+++ b/queue-6.6/ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch
@@ -0,0 +1,331 @@ +From fda9522ed6afaec45cabc198d8492270c394c7bc Mon Sep 17 00:00:00 2001 +From: Asim Viladi Oglu Manizada +Date: Wed, 25 Mar 2026 09:14:22 +0900 +Subject: ksmbd: fix OOB write in QUERY_INFO for compound requests + +From: Asim Viladi Oglu Manizada + +commit fda9522ed6afaec45cabc198d8492270c394c7bc upstream. + +When a compound request such as READ + QUERY_INFO(Security) is received, +and the first command (READ) consumes most of the response buffer, +ksmbd could write beyond the allocated buffer while building a security +descriptor. + +The root cause was that smb2_get_info_sec() checked buffer space using +ppntsd_size from xattr, while build_sec_desc() often synthesized a +significantly larger descriptor from POSIX ACLs. + +This patch introduces smb_acl_sec_desc_scratch_len() to accurately +compute the final descriptor size beforehand, performs proper buffer +checking with smb2_calc_max_out_buf_len(), and uses exact-sized +allocation + iov pinning. + +Cc: stable@vger.kernel.org +Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") +Signed-off-by: Asim Viladi Oglu Manizada +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +[ In v6.6, replace KSMBD_DEFAULT_GFP with GFP_KERNEL per +commit 0066f623bce8 ("ksmbd: use __GFP_RETRY_MAYFAIL"). 
] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 121 +++++++++++++++++++++++++++++++++++------------- + fs/smb/server/smbacl.c | 43 +++++++++++++++++ + fs/smb/server/smbacl.h | 2 + 3 files changed, 134 insertions(+), 32 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3385,20 +3385,24 @@ int smb2_open(struct ksmbd_work *work) + KSMBD_SHARE_FLAG_ACL_XATTR)) { + struct smb_fattr fattr; + struct smb_ntsd *pntsd; +- int pntsd_size, ace_num = 0; ++ int pntsd_size; ++ size_t scratch_len; + + ksmbd_acls_fattr(&fattr, idmap, inode); +- if (fattr.cf_acls) +- ace_num = fattr.cf_acls->a_count; +- if (fattr.cf_dacls) +- ace_num += fattr.cf_dacls->a_count; +- +- pntsd = kmalloc(sizeof(struct smb_ntsd) + +- sizeof(struct smb_sid) * 3 + +- sizeof(struct smb_acl) + +- sizeof(struct smb_ace) * ace_num * 2, +- GFP_KERNEL); ++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr, ++ NULL, 0, ++ OWNER_SECINFO | GROUP_SECINFO | ++ DACL_SECINFO); ++ if (!scratch_len || scratch_len == SIZE_MAX) { ++ rc = -EFBIG; ++ posix_acl_release(fattr.cf_acls); ++ posix_acl_release(fattr.cf_dacls); ++ goto err_out; ++ } ++ ++ pntsd = kvzalloc(scratch_len, GFP_KERNEL); + if (!pntsd) { ++ rc = -ENOMEM; + posix_acl_release(fattr.cf_acls); + posix_acl_release(fattr.cf_dacls); + goto err_out; +@@ -3413,7 +3417,7 @@ int smb2_open(struct ksmbd_work *work) + posix_acl_release(fattr.cf_acls); + posix_acl_release(fattr.cf_dacls); + if (rc) { +- kfree(pntsd); ++ kvfree(pntsd); + goto err_out; + } + +@@ -3423,7 +3427,7 @@ int smb2_open(struct ksmbd_work *work) + pntsd, + pntsd_size, + false); +- kfree(pntsd); ++ kvfree(pntsd); + if (rc) + pr_err("failed to store ntacl in xattr : %d\n", + rc); +@@ -5345,8 +5349,9 @@ static int smb2_get_info_file(struct ksm + if (test_share_config_flag(work->tcon->share_conf, + KSMBD_SHARE_FLAG_PIPE)) { + /* smb2 info file called for pipe */ +- return smb2_get_info_file_pipe(work->sess, req, rsp, ++ rc = 
smb2_get_info_file_pipe(work->sess, req, rsp, + work->response_buf); ++ goto iov_pin_out; + } + + if (work->next_smb2_rcv_hdr_off) { +@@ -5446,6 +5451,12 @@ static int smb2_get_info_file(struct ksm + rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength), + rsp, work->response_buf); + ksmbd_fd_put(work, fp); ++ ++iov_pin_out: ++ if (!rc) ++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp, ++ offsetof(struct smb2_query_info_rsp, Buffer) + ++ le32_to_cpu(rsp->OutputBufferLength)); + return rc; + } + +@@ -5665,6 +5676,11 @@ static int smb2_get_info_filesystem(stru + rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength), + rsp, work->response_buf); + path_put(&path); ++ ++ if (!rc) ++ rc = ksmbd_iov_pin_rsp(work, (void *)rsp, ++ offsetof(struct smb2_query_info_rsp, Buffer) + ++ le32_to_cpu(rsp->OutputBufferLength)); + return rc; + } + +@@ -5674,13 +5690,14 @@ static int smb2_get_info_sec(struct ksmb + { + struct ksmbd_file *fp; + struct mnt_idmap *idmap; +- struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL; ++ struct smb_ntsd *pntsd = NULL, *ppntsd = NULL; + struct smb_fattr fattr = {{0}}; + struct inode *inode; + __u32 secdesclen = 0; + unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID; + int addition_info = le32_to_cpu(req->AdditionalInformation); +- int rc = 0, ppntsd_size = 0; ++ int rc = 0, ppntsd_size = 0, max_len; ++ size_t scratch_len = 0; + + if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO | + PROTECTED_DACL_SECINFO | +@@ -5688,6 +5705,11 @@ static int smb2_get_info_sec(struct ksmb + ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n", + addition_info); + ++ pntsd = kzalloc(ALIGN(sizeof(struct smb_ntsd), 8), ++ GFP_KERNEL); ++ if (!pntsd) ++ return -ENOMEM; ++ + pntsd->revision = cpu_to_le16(1); + pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED); + pntsd->osidoffset = 0; +@@ -5696,9 +5718,7 @@ static int smb2_get_info_sec(struct ksmb + pntsd->dacloffset = 0; + + secdesclen = sizeof(struct smb_ntsd); +- 
rsp->OutputBufferLength = cpu_to_le32(secdesclen); +- +- return 0; ++ goto iov_pin; + } + + if (work->next_smb2_rcv_hdr_off) { +@@ -5730,18 +5750,58 @@ static int smb2_get_info_sec(struct ksmb + &ppntsd); + + /* Check if sd buffer size exceeds response buffer size */ +- if (smb2_resp_buf_len(work, 8) > ppntsd_size) +- rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size, +- addition_info, &secdesclen, &fattr); ++ max_len = smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); ++ if (max_len < 0) { ++ rc = -EINVAL; ++ goto release_acl; ++ } ++ ++ scratch_len = smb_acl_sec_desc_scratch_len(&fattr, ppntsd, ++ ppntsd_size, addition_info); ++ if (!scratch_len || scratch_len == SIZE_MAX) { ++ rc = -EFBIG; ++ goto release_acl; ++ } ++ ++ pntsd = kvzalloc(scratch_len, GFP_KERNEL); ++ if (!pntsd) { ++ rc = -ENOMEM; ++ goto release_acl; ++ } ++ ++ rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size, ++ addition_info, &secdesclen, &fattr); ++ ++release_acl: + posix_acl_release(fattr.cf_acls); + posix_acl_release(fattr.cf_dacls); + kfree(ppntsd); + ksmbd_fd_put(work, fp); ++ ++ if (!rc && ALIGN(secdesclen, 8) > scratch_len) ++ rc = -EFBIG; + if (rc) +- return rc; ++ goto err_out; + ++iov_pin: + rsp->OutputBufferLength = cpu_to_le32(secdesclen); +- return 0; ++ rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength), ++ rsp, work->response_buf); ++ if (rc) ++ goto err_out; ++ ++ rc = ksmbd_iov_pin_rsp_read(work, (void *)rsp, ++ offsetof(struct smb2_query_info_rsp, Buffer), ++ pntsd, secdesclen); ++err_out: ++ if (rc) { ++ rsp->OutputBufferLength = 0; ++ kvfree(pntsd); ++ } ++ ++ return rc; + } + + /** +@@ -5765,6 +5825,9 @@ int smb2_query_info(struct ksmbd_work *w + goto err_out; + } + ++ rsp->StructureSize = cpu_to_le16(9); ++ rsp->OutputBufferOffset = cpu_to_le16(72); ++ + switch (req->InfoType) { + case SMB2_O_INFO_FILE: + ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n"); +@@ -5785,14 +5848,6 @@ int 
smb2_query_info(struct ksmbd_work *w + } + ksmbd_revert_fsids(work); + +- if (!rc) { +- rsp->StructureSize = cpu_to_le16(9); +- rsp->OutputBufferOffset = cpu_to_le16(72); +- rc = ksmbd_iov_pin_rsp(work, (void *)rsp, +- offsetof(struct smb2_query_info_rsp, Buffer) + +- le32_to_cpu(rsp->OutputBufferLength)); +- } +- + err_out: + if (rc < 0) { + if (rc == -EACCES) +@@ -5803,6 +5858,8 @@ err_out: + rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR; + else if (rc == -ENOMEM) + rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES; ++ else if (rc == -EINVAL && rsp->hdr.Status == 0) ++ rsp->hdr.Status = STATUS_INVALID_PARAMETER; + else if (rc == -EOPNOTSUPP || rsp->hdr.Status == 0) + rsp->hdr.Status = STATUS_INVALID_INFO_CLASS; + smb2_set_err_rsp(work); +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -930,6 +930,49 @@ int parse_sec_desc(struct mnt_idmap *idm + return 0; + } + ++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr, ++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info) ++{ ++ size_t len = sizeof(struct smb_ntsd); ++ size_t tmp; ++ ++ if (addition_info & OWNER_SECINFO) ++ len += sizeof(struct smb_sid); ++ if (addition_info & GROUP_SECINFO) ++ len += sizeof(struct smb_sid); ++ if (!(addition_info & DACL_SECINFO)) ++ return len; ++ ++ len += sizeof(struct smb_acl); ++ if (ppntsd && ppntsd_size > 0) { ++ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset); ++ ++ if (dacl_offset < ppntsd_size && ++ check_add_overflow(len, ppntsd_size - dacl_offset, &len)) ++ return 0; ++ } ++ ++ if (fattr->cf_acls) { ++ if (check_mul_overflow((size_t)fattr->cf_acls->a_count, ++ 2 * sizeof(struct smb_ace), &tmp) || ++ check_add_overflow(len, tmp, &len)) ++ return 0; ++ } else { ++ /* default/minimum DACL */ ++ if (check_add_overflow(len, 5 * sizeof(struct smb_ace), &len)) ++ return 0; ++ } ++ ++ if (fattr->cf_dacls) { ++ if (check_mul_overflow((size_t)fattr->cf_dacls->a_count, ++ sizeof(struct smb_ace), &tmp) || ++ check_add_overflow(len, tmp, &len)) 
++ return 0;
++ }
++
++ return len;
++}
++
+ /* Convert permission bits from mode to equivalent CIFS ACL */
+ int build_sec_desc(struct mnt_idmap *idmap,
+ struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
+--- a/fs/smb/server/smbacl.h
++++ b/fs/smb/server/smbacl.h
+@@ -101,6 +101,8 @@ int set_info_sec(struct ksmbd_conn *conn
+ bool type_check, bool get_write);
+ void id_to_sid(unsigned int cid, uint sidtype, struct smb_sid *ssid);
+ void ksmbd_init_domain(u32 *sub_auth);
++size_t smb_acl_sec_desc_scratch_len(struct smb_fattr *fattr,
++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info);
+
+ static inline uid_t posix_acl_uid_translate(struct mnt_idmap *idmap,
+ struct posix_acl_entry *pace)
diff --git a/queue-6.6/series b/queue-6.6/series
index c1f13dd174..25537c35c1 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -370,3 +370,10 @@ driver-core-reject-devices-with-unregistered-buses.patch
 mm-hugetlb-avoid-false-positive-lockdep-assertion.patch
 soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_.patch
 mm-huge_memory-update-file-pmd-counter-before-folio_.patch
+ipmi-ssif-remove-unnecessary-indention.patch
+ipmi-ssif-null-thread-on-error.patch
+fbdev-vt8500lcdfb-initialize-fb_ops-with-fbdev-macros.patch
+ksmbd-fix-oob-write-in-query_info-for-compound-requests.patch
+cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
+genetlink-use-internal-flags-for-multicast-groups.patch
+smb-client-require-net-admin-for-cifs-swn-netlink.patch
diff --git a/queue-6.6/smb-client-require-net-admin-for-cifs-swn-netlink.patch b/queue-6.6/smb-client-require-net-admin-for-cifs-swn-netlink.patch
new file mode 100644
index 0000000000..3e2b20e669
--- /dev/null
+++ b/queue-6.6/smb-client-require-net-admin-for-cifs-swn-netlink.patch
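Review bot: The guard `if (!rc && ALIGN(secdesclen, 8) > scratch_len) rc = -EFBIG;` in smb2_get_info_sec() runs after build_sec_desc() has already written into `pntsd`, so it can only report an overrun, not prevent one; the real protection is that smb_acl_sec_desc_scratch_len() must over-estimate everything build_sec_desc() emits, and the terms it sums (`2 * sizeof(struct smb_ace)` per cf_acls entry, a `5 * sizeof(struct smb_ace)` minimum, one ACE per cf_dacls entry, the xattr DACL tail from `dacloffset`) are not tied to the builder anywhere in the patch, and build_sec_desc() itself is outside the hunk. A comment above each term naming the build_sec_desc() path it covers would make that invariant reviewable, e.g. `/* must stay >= the ACE count build_sec_desc() emits for this input; it writes before the size is re-checked */`. Separately, the early exit for unsupported AdditionalInformation allocates with `kzalloc()` while the main path uses `kvzalloc()`, yet both hand the buffer to ksmbd_iov_pin_rsp_read() and the error path frees with `kvfree()`; using `kvzalloc(ALIGN(sizeof(struct smb_ntsd), 8), GFP_KERNEL)` there too keeps one allocator for one ownership sink, assuming the iov release path also uses kvfree(). The middle of smb2_get_info_sec() lies between the hunks.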
@@ -0,0 +1,62 @@
+From stable+bounces-256659-greg=kroah.com@vger.kernel.org Fri May 29 22:44:26 2026
+From: Sasha Levin
+Date: Fri, 29 May 2026 12:51:27 -0400
+Subject: smb: client: require net admin for CIFS SWN netlink
+To: stable@vger.kernel.org
+Cc: Michael Bommarito , Steve French , Sasha Levin
+Message-ID: <20260529165127.1228435-2-sashal@kernel.org>
+
+From: Michael Bommarito
+
+[ Upstream commit d1ebfce2c1d161186a82e77590bf7da2ea1bce91 ]
+
+CIFS_GENL_CMD_SWN_NOTIFY is the userspace witness-notify command. The
+intended sender is the cifs.witness helper, but the generic-netlink
+operation currently has no capability flag, so any local process can send
+RESOURCE_CHANGE or CLIENT_MOVE notifications to the in-kernel witness
+handler.
+
+The same family exposes CIFS_GENL_MCGRP_SWN without multicast-group
+capability flags. Register messages sent to that group include the witness
+registration id and, for NTLM-authenticated mounts, the username, domain,
+and password attributes copied from the CIFS session. An unprivileged
+local process should not be able to join that group and receive those
+messages.
+
+Require CAP_NET_ADMIN for incoming SWN_NOTIFY commands with
+GENL_ADMIN_PERM, and require CAP_NET_ADMIN over the network namespace for
+joining the SWN multicast group with GENL_MCAST_CAP_NET_ADMIN. The
+cifs.witness service runs with the privileges needed for both operations.
+
+Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Bommarito
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/netlink.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/netlink.c
++++ b/fs/smb/client/netlink.c
+@@ -33,13 +33,17 @@ static const struct nla_policy cifs_genl
+ static const struct genl_ops cifs_genl_ops[] = {
+ {
+ .cmd = CIFS_GENL_CMD_SWN_NOTIFY,
++ .flags = GENL_ADMIN_PERM,
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = cifs_swn_notify,
+ },
+ };
+
+ static const struct genl_multicast_group cifs_genl_mcgrps[] = {
+- [CIFS_GENL_MCGRP_SWN] = { .name = CIFS_GENL_MCGRP_SWN_NAME },
++ [CIFS_GENL_MCGRP_SWN] = {
++ .name = CIFS_GENL_MCGRP_SWN_NAME,
++ .flags = GENL_MCAST_CAP_NET_ADMIN,
++ },
+ };
+
+ struct genl_family cifs_genl_family = {
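Review bot: The two new checks are not symmetric, and the message says as much: `GENL_ADMIN_PERM` on the doit requires CAP_NET_ADMIN in the initial user namespace (if I recall the genl op check correctly, via netlink_capable()), whereas the multicast flag is checked with ns_capable() against the socket's network namespace, as the genetlink backport queued alongside this one shows. A cifs.witness instance holding CAP_NET_ADMIN only inside a user/net namespace could therefore join the group but be refused on SWN_NOTIFY; if the daemon is expected to run in the init namespace that is acceptable, otherwise `.flags = GENL_UNS_ADMIN_PERM,` would be the namespace-aware choice. Either way a comment on the op stating which namespace the check is made against would help, e.g. `/* sender must hold CAP_NET_ADMIN in init_user_ns (cifs.witness) */`. The `cifs_genl_family` definition continues outside the hunk.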