From 287eea093c51080871923a028b512cfb657cc30f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 29 Oct 2025 11:38:35 +0100
Subject: [PATCH] 6.12-stable patches

added patches:
	ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
---
 ...e-payload-size-before-reading-handle.patch | 47 +++++++++++++++++++
 queue-6.12/series                             |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 queue-6.12/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch

diff --git a/queue-6.12/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch b/queue-6.12/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
new file mode 100644
index 0000000000..d716bd3245
--- /dev/null
+++ b/queue-6.12/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
@@ -0,0 +1,47 @@
+From 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+Date: Wed, 22 Oct 2025 15:27:47 +0900
+Subject: ksmbd: transport_ipc: validate payload size before reading handle
+
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+
+commit 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 upstream.
+
+handle_response() dereferences the payload as a 4-byte handle without
+verifying that the declared payload size is at least 4 bytes. A malformed
+or truncated message from ksmbd.mountd can lead to a 4-byte read past the
+declared payload size. Validate the size before dereferencing.
+
+This is a minimal fix to guard the initial handle read.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_ipc.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -263,10 +263,16 @@ static void ipc_msg_handle_free(int hand
+ 
+ static int handle_response(int type, void *payload, size_t sz)
+ {
+-	unsigned int handle = *(unsigned int *)payload;
++	unsigned int handle;
+ 	struct ipc_msg_table_entry *entry;
+ 	int ret = 0;
+ 
++	/* Prevent 4-byte read beyond declared payload size */
++	if (sz < sizeof(unsigned int))
++		return -EINVAL;
++
++	handle = *(unsigned int *)payload;
++
+ 	ipc_update_last_active();
+ 	down_read(&ipc_msg_table_lock);
+ 	hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {
diff --git a/queue-6.12/series b/queue-6.12/series
index 02dd764a6c..fe7afaa42a 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -115,3 +115,4 @@ serial-sc16is7xx-remove-useless-enable-of-enhanced-features.patch
 devcoredump-fix-circular-locking-dependency-with-devcd-mutex.patch
 arm64-mte-do-not-warn-if-the-page-is-already-tagged-in-copy_highpage.patch
 xfs-always-warn-about-deprecated-mount-options.patch
+ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
-- 
2.47.3