From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri, 24 Apr 2026 00:04:18 +0000 (-0700)
Subject: Merge tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bd1886d6e4ca6b84041d17ba6e11d0f85f7ee1a4;p=thirdparty%2Fkernel%2Fstable.git

Merge tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd

Pull more smb server updates from Steve French:

 - move fs/smb/common/smbdirect to fs/smb/smbdirect

 - change signature calc to use AES-CMAC library, simpler and faster

 - invalid signature fix

 - multichannel fix

 - open create options fix

 - fix durable handle leak

 - cap maximum lock count to avoid potential denial of service

 - four connection fixes: connection free and session destroy IDA fixes,
   refcount fix, connection leak fix, max_connections off by one fix

 - IPC validation fix

 - fix out of bounds write in getting xattrs

 - fix use after free in durable handle reconnect

 - three ACL fixes: fix potential ACL overflow, harden num_aces check,
   and fix minimum ACE size check

* tag 'v7.1-rc-part2-ksmbd-fixes' of git://git.samba.org/ksmbd:
  smb: smbdirect: move fs/smb/common/smbdirect/ to fs/smb/smbdirect/
  smb: server: stop sending fake security descriptors
  ksmbd: scope conn->binding slowpath to bound sessions only
  ksmbd: fix CreateOptions sanitization clobbering the whole field
  ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
  ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount
  ksmbd: destroy async_ida in ksmbd_conn_free()
  ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
  ksmbd: Use AES-CMAC library for SMB3 signature calculation
  ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
  ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
  ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
  ksmbd: fix use-after-free in smb2_open during durable reconnect
  ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
  smb: server: fix max_connections off-by-one in tcp accept path
  ksmbd: require minimum ACE size in smb_check_perm_dacl()
  ksmbd: validate response sizes in ipc_validate_msg()
  smb: server: fix active_num_conn leak on transport allocation failure
---

bd1886d6e4ca6b84041d17ba6e11d0f85f7ee1a4