From: Greg Kroah-Hartman Date: Fri, 24 Apr 2026 12:31:40 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=19ad7c86c8eea7f09ae5a8f3de1004a30cf87460;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-caiaq-take-a-reference-on-the-usb-device-in-create_card.patch alsa-usb-audio-apply-quirk-for-moondrop-ju-jiu.patch crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch f2fs-fix-use-after-free-of-sbi-in-f2fs_compress_write_end_io.patch fs-ntfs3-validate-rec-used-in-journal-replay-file-record-check.patch fuse-quiet-down-complaints-in-fuse_conn_limit_write.patch fuse-reject-oversized-dirents-in-page-cache.patch ksmbd-fix-out-of-bounds-write-in-smb2_get_ea-ea-alignment.patch ksmbd-use-check_add_overflow-to-prevent-u16-dacl-size-overflow.patch rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch smb-client-fix-oob-read-in-smb2_ioctl_query_info-query_info-path.patch smb-client-require-a-full-nfs-mode-sid-before-reading-mode-bits.patch smb-server-fix-active_num_conn-leak-on-transport-allocation-failure.patch smb-server-fix-max_connections-off-by-one-in-tcp-accept-path.patch --- diff --git a/queue-6.1/alsa-caiaq-take-a-reference-on-the-usb-device-in-create_card.patch b/queue-6.1/alsa-caiaq-take-a-reference-on-the-usb-device-in-create_card.patch new file mode 100644 index 0000000000..7c245509c6 --- /dev/null +++ b/queue-6.1/alsa-caiaq-take-a-reference-on-the-usb-device-in-create_card.patch @@ -0,0 +1,57 @@ +From 80bb50e2d459213cccff3111d5ef98ed4238c0d5 Mon Sep 17 00:00:00 2001 +From: Berk Cem Goksel +Date: Mon, 13 Apr 2026 06:49:41 +0300 +Subject: ALSA: caiaq: take a reference on the USB device in create_card() + +From: Berk Cem Goksel + +commit 80bb50e2d459213cccff3111d5ef98ed4238c0d5 upstream. + +The caiaq driver stores a pointer to the parent USB device in +cdev->chip.dev but never takes a reference on it. The card's +private_free callback, snd_usb_caiaq_card_free(), can run +asynchronously via snd_card_free_when_closed() after the USB +device has already been disconnected and freed, so any access to +cdev->chip.dev in that path dereferences a freed usb_device. + +On top of the refcounting issue, the current card_free implementation +calls usb_reset_device(cdev->chip.dev). A reset in a free callback +is inappropriate: the device is going away, the call takes the +device lock in a teardown context, and the reset races with the +disconnect path that the callback is already cleaning up after. + +Take a reference on the USB device in create_card() with +usb_get_dev(), drop it with usb_put_dev() in the free callback, +and remove the usb_reset_device() call. + +Fixes: b04dcbb7f7b1 ("ALSA: caiaq: Use snd_card_free_when_closed() at disconnection") +Cc: stable@vger.kernel.org +Cc: Andrey Konovalov +Signed-off-by: Berk Cem Goksel +Link: https://patch.msgid.link/20260413034941.1131465-3-berkcgoksel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/caiaq/device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/caiaq/device.c ++++ b/sound/usb/caiaq/device.c +@@ -384,7 +384,7 @@ static void card_free(struct snd_card *c + snd_usb_caiaq_input_free(cdev); + #endif + snd_usb_caiaq_audio_free(cdev); +- usb_reset_device(cdev->chip.dev); ++ usb_put_dev(cdev->chip.dev); + } + + static int create_card(struct usb_device *usb_dev, +@@ -410,7 +410,7 @@ static int create_card(struct usb_device + return err; + + cdev = caiaqdev(card); +- cdev->chip.dev = usb_dev; ++ cdev->chip.dev = usb_get_dev(usb_dev); + cdev->chip.card = card; + cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor), + le16_to_cpu(usb_dev->descriptor.idProduct)); diff --git a/queue-6.1/alsa-usb-audio-apply-quirk-for-moondrop-ju-jiu.patch b/queue-6.1/alsa-usb-audio-apply-quirk-for-moondrop-ju-jiu.patch new file mode 100644 index 0000000000..3d671b7ee4 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-apply-quirk-for-moondrop-ju-jiu.patch @@ -0,0 +1,40 @@ +From 4513d3e0bbc0585b86ccf2631902593ff97e88f5 Mon Sep 17 00:00:00 2001 +From: Cryolitia PukNgae +Date: Thu, 2 Apr 2026 13:36:57 +0800 +Subject: ALSA: usb-audio: apply quirk for MOONDROP JU Jiu + +From: Cryolitia PukNgae + +commit 4513d3e0bbc0585b86ccf2631902593ff97e88f5 upstream. + +It(ID 31b2:0111 JU Jiu) reports a MIN value -12800 for volume control, but +will mute when setting it less than -10880. + +Thanks to my girlfriend Kagura for reporting this issue. + +Cc: Kagura +Cc: stable@vger.kernel.org +Signed-off-by: Cryolitia PukNgae +Link: https://patch.msgid.link/20260402-syy-v1-1-068d3bc30ddc@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1198,6 +1198,13 @@ static void volume_control_quirks(struct + cval->min = -14208; /* Mute under it */ + } + break; ++ case USB_ID(0x31b2, 0x0111): /* MOONDROP JU Jiu */ ++ if (!strcmp(kctl->id.name, "PCM Playback Volume")) { ++ usb_audio_info(chip, ++ "set volume quirk for MOONDROP JU Jiu\n"); ++ cval->min = -10880; /* Mute under it */ ++ } ++ break; + } + } + diff --git a/queue-6.1/crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch b/queue-6.1/crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch new file mode 100644 index 0000000000..b29d99eefa --- /dev/null +++ b/queue-6.1/crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch @@ -0,0 +1,84 @@ +From abe4a6d6f606113251868c2c4a06ba904bb41eed Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 13 Mar 2026 10:43:16 -0700 +Subject: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed + +From: Sean Christopherson + +commit abe4a6d6f606113251868c2c4a06ba904bb41eed upstream. + +When retrieving the PEK CSR, don't attempt to copy the blob to userspace +if the firmware command failed. If the failure was due to an invalid +length, i.e. the userspace buffer+length was too small, copying the number +of bytes _firmware_ requires will overflow the kernel-allocated buffer and +leak data to userspace. + + BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] + BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] + BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 + Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405 + + CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY + Tainted: [U]=USER, [O]=OOT_MODULE + Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 + Call Trace: + + dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 + print_address_description ../mm/kasan/report.c:378 [inline] + print_report+0xbc/0x260 ../mm/kasan/report.c:482 + kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 + check_region_inline ../mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 + instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] + _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] + _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 + copy_to_user ../include/linux/uaccess.h:236 [inline] + sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872 + sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562 + vfs_ioctl ../fs/ioctl.c:51 [inline] + __do_sys_ioctl ../fs/ioctl.c:597 [inline] + __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 + do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + +WARN if the driver says the command succeeded, but the firmware error code +says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any +firwmware error. + +Reported-by: Alexander Potapenko +Reported-by: Sebastian Alba Vives +Fixes: e799035609e1 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -669,7 +669,10 @@ cmd: + + ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error); + +- /* If we query the CSR length, FW responded with expected data. */ ++ /* ++ * Firmware will returns the length of the CSR blob (either the minimum ++ * required length or the actual length written), return it to the user. ++ */ + input.length = data.len; + + if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) { +@@ -677,6 +680,9 @@ cmd: + goto e_free_blob; + } + ++ if (ret || WARN_ON_ONCE(argp->error)) ++ goto e_free_blob; ++ + if (blob) { + if (copy_to_user(input_address, blob, input.length)) + ret = -EFAULT; diff --git a/queue-6.1/crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch b/queue-6.1/crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch new file mode 100644 index 0000000000..72ee08a898 --- /dev/null +++ b/queue-6.1/crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch @@ -0,0 +1,72 @@ +From 4f685dbfa87c546e51d9dc6cab379d20f275e114 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 13 Mar 2026 10:57:31 -0700 +Subject: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed + +From: Sean Christopherson + +commit 4f685dbfa87c546e51d9dc6cab379d20f275e114 upstream. + +When retrieving the ID for the CPU, don't attempt to copy the ID blob to +userspace if the firmware command failed. If the failure was due to an +invalid length, i.e. the userspace buffer+length was too small, copying +the number of bytes _firmware_ requires will overflow the kernel-allocated +buffer and leak data to userspace. + + BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] + BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] + BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 + Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388 + + CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY + Tainted: [U]=USER, [O]=OOT_MODULE + Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025 + Call Trace: + + dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 + print_address_description ../mm/kasan/report.c:378 [inline] + print_report+0xbc/0x260 ../mm/kasan/report.c:482 + kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 + check_region_inline ../mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 + instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] + _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] + _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 + copy_to_user ../include/linux/uaccess.h:236 [inline] + sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222 + sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575 + vfs_ioctl ../fs/ioctl.c:51 [inline] + __do_sys_ioctl ../fs/ioctl.c:597 [inline] + __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 + do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + +WARN if the driver says the command succeeded, but the firmware error code +says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any +firwmware error. + +Reported-by: Alexander Potapenko +Reported-by: Sebastian Alba Vives +Fixes: d6112ea0cb34 ("crypto: ccp - introduce SEV_GET_ID2 command") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -927,6 +927,9 @@ static int sev_ioctl_do_get_id2(struct s + goto e_free; + } + ++ if (ret || WARN_ON_ONCE(argp->error)) ++ goto e_free; ++ + if (id_blob) { + if (copy_to_user(input_address, id_blob, data.len)) { + ret = -EFAULT; diff --git a/queue-6.1/crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch b/queue-6.1/crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch new file mode 100644 index 0000000000..1e63052aae --- /dev/null +++ b/queue-6.1/crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch @@ -0,0 +1,84 @@ +From e76239fed3cffd6d304d8ca3ce23984fd24f57d3 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 13 Mar 2026 10:48:53 -0700 +Subject: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed + +From: Sean Christopherson + +commit e76239fed3cffd6d304d8ca3ce23984fd24f57d3 upstream. + +When retrieving the PDH cert, don't attempt to copy the blobs to userspace +if the firmware command failed. If the failure was due to an invalid +length, i.e. the userspace buffer+length was too small, copying the number +of bytes _firmware_ requires will overflow the kernel-allocated buffer and +leak data to userspace. + + BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] + BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] + BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 + Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033 + + CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY + Tainted: [U]=USER, [O]=OOT_MODULE + Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025 + Call Trace: + + dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120 + print_address_description ../mm/kasan/report.c:378 [inline] + print_report+0xbc/0x260 ../mm/kasan/report.c:482 + kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595 + check_region_inline ../mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200 + instrument_copy_to_user ../include/linux/instrumented.h:129 [inline] + _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] + _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26 + copy_to_user ../include/linux/uaccess.h:236 [inline] + sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347 + sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568 + vfs_ioctl ../fs/ioctl.c:51 [inline] + __do_sys_ioctl ../fs/ioctl.c:597 [inline] + __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583 + do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + +WARN if the driver says the command succeeded, but the firmware error code +says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any +firwmware error. + +Reported-by: Alexander Potapenko +Reported-by: Sebastian Alba Vives +Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -1041,7 +1041,10 @@ static int sev_ioctl_do_pdh_export(struc + cmd: + ret = __sev_do_cmd_locked(SEV_CMD_PDH_CERT_EXPORT, &data, &argp->error); + +- /* If we query the length, FW responded with expected data. */ ++ /* ++ * Firmware will return the length of the blobs (either the minimum ++ * required length or the actual length written), return 'em to the user. ++ */ + input.cert_chain_len = data.cert_chain_len; + input.pdh_cert_len = data.pdh_cert_len; + +@@ -1050,6 +1053,9 @@ cmd: + goto e_free_cert; + } + ++ if (ret || WARN_ON_ONCE(argp->error)) ++ goto e_free_cert; ++ + if (pdh_blob) { + if (copy_to_user(input_pdh_cert_address, + pdh_blob, input.pdh_cert_len)) { diff --git a/queue-6.1/f2fs-fix-use-after-free-of-sbi-in-f2fs_compress_write_end_io.patch b/queue-6.1/f2fs-fix-use-after-free-of-sbi-in-f2fs_compress_write_end_io.patch new file mode 100644 index 0000000000..5db4cdb0de --- /dev/null +++ b/queue-6.1/f2fs-fix-use-after-free-of-sbi-in-f2fs_compress_write_end_io.patch @@ -0,0 +1,78 @@ +From 39d4ee19c1e7d753dd655aebee632271b171f43a Mon Sep 17 00:00:00 2001 +From: George Saad +Date: Mon, 23 Mar 2026 11:21:23 +0000 +Subject: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: George Saad + +commit 39d4ee19c1e7d753dd655aebee632271b171f43a upstream. + +In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring +the F2FS_WB_CP_DATA counter to zero, unblocking +f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount +CPU. The unmount path then proceeds to call +f2fs_destroy_page_array_cache(sbi), which destroys +sbi->page_array_slab via kmem_cache_destroy(), and eventually +kfree(sbi). Meanwhile, the bio completion callback is still executing: +when it reaches page_array_free(sbi, ...), it dereferences +sbi->page_array_slab — a destroyed slab cache — to call +kmem_cache_free(), causing a use-after-free. + +This is the same class of bug as CVE-2026-23234 (which fixed the +equivalent race in f2fs_write_end_io() in data.c), but in the +compressed writeback completion path that was not covered by that fix. + +Fix this by moving dec_page_count() to after page_array_free(), so +that all sbi accesses complete before the counter decrement that can +unblock unmount. For non-last folios (where atomic_dec_return on +cic->pending_pages is nonzero), dec_page_count is called immediately +before returning — page_array_free is not reached on this path, so +there is no post-decrement sbi access. For the last folio, +page_array_free runs while the F2FS_WB_CP_DATA counter is still +nonzero (this folio has not yet decremented it), keeping sbi alive, +and dec_page_count runs as the final operation. + +Fixes: 4c8ff7095bef ("f2fs: support data compression") +Cc: stable@vger.kernel.org +Signed-off-by: George Saad +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/compress.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -1444,10 +1444,10 @@ void f2fs_compress_write_end_io(struct b + + f2fs_compress_free_page(page); + +- dec_page_count(sbi, type); +- +- if (atomic_dec_return(&cic->pending_pages)) ++ if (atomic_dec_return(&cic->pending_pages)) { ++ dec_page_count(sbi, type); + return; ++ } + + for (i = 0; i < cic->nr_rpages; i++) { + WARN_ON(!cic->rpages[i]); +@@ -1457,6 +1457,14 @@ void f2fs_compress_write_end_io(struct b + + page_array_free(cic->inode, cic->rpages, cic->nr_rpages); + kmem_cache_free(cic_entry_slab, cic); ++ ++ /* ++ * Make sure dec_page_count() is the last access to sbi. ++ * Once it drops the F2FS_WB_CP_DATA counter to zero, the ++ * unmount thread can proceed to destroy sbi and ++ * sbi->page_array_slab. ++ */ ++ dec_page_count(sbi, type); + } + + static int f2fs_write_raw_pages(struct compress_ctx *cc, diff --git a/queue-6.1/fs-ntfs3-validate-rec-used-in-journal-replay-file-record-check.patch b/queue-6.1/fs-ntfs3-validate-rec-used-in-journal-replay-file-record-check.patch new file mode 100644 index 0000000000..527d395696 --- /dev/null +++ b/queue-6.1/fs-ntfs3-validate-rec-used-in-journal-replay-file-record-check.patch @@ -0,0 +1,78 @@ +From 0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 16:37:15 +0200 +Subject: fs/ntfs3: validate rec->used in journal-replay file record check + +From: Greg Kroah-Hartman + +commit 0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b upstream. + +check_file_record() validates rec->total against the record size but +never validates rec->used. The do_action() journal-replay handlers read +rec->used from disk and use it to compute memmove lengths: + + DeleteAttribute: memmove(attr, ..., used - asize - roff) + CreateAttribute: memmove(..., attr, used - roff) + change_attr_size: memmove(..., used - PtrOffset(rec, next)) + +When rec->used is smaller than the offset of a validated attribute, or +larger than the record size, these subtractions can underflow allowing +us to copy huge amounts of memory in to a 4kb buffer, generally +considered a bad idea overall. + +This requires a corrupted filesystem, which isn't a threat model the +kernel really needs to worry about, but checking for such an obvious +out-of-bounds value is good to keep things robust, especially on journal +replay + +Fix this up by bounding rec->used correctly. + +This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds +read in DeleteIndexEntryRoot") which checked different values in this +same switch statement. + +Cc: Konstantin Komarov +Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Konstantin Komarov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/fslog.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/ntfs3/fslog.c ++++ b/fs/ntfs3/fslog.c +@@ -2792,13 +2792,14 @@ static inline bool check_file_record(con + u16 fn = le16_to_cpu(rec->rhdr.fix_num); + u16 ao = le16_to_cpu(rec->attr_off); + u32 rs = sbi->record_size; ++ u32 used = le32_to_cpu(rec->used); + + /* Check the file record header for consistency. */ + if (rec->rhdr.sign != NTFS_FILE_SIGNATURE || + fo > (SECTOR_SIZE - ((rs >> SECTOR_SHIFT) + 1) * sizeof(short)) || + (fn - 1) * SECTOR_SIZE != rs || ao < MFTRECORD_FIXUP_OFFSET_1 || + ao > sbi->record_size - SIZEOF_RESIDENT || !is_rec_inuse(rec) || +- le32_to_cpu(rec->total) != rs) { ++ le32_to_cpu(rec->total) != rs || used > rs || used < ao) { + return false; + } + +@@ -2810,6 +2811,15 @@ static inline bool check_file_record(con + return false; + } + ++ /* ++ * The do_action() handlers compute memmove lengths as ++ * "rec->used - ", which underflows when ++ * rec->used is smaller than the attribute walk reached. At this ++ * point attr is the ATTR_END marker; rec->used must cover it. ++ */ ++ if (used < PtrOffset(rec, attr) + sizeof(attr->type)) ++ return false; ++ + return true; + } + diff --git a/queue-6.1/fuse-quiet-down-complaints-in-fuse_conn_limit_write.patch b/queue-6.1/fuse-quiet-down-complaints-in-fuse_conn_limit_write.patch new file mode 100644 index 0000000000..6faa4830fc --- /dev/null +++ b/queue-6.1/fuse-quiet-down-complaints-in-fuse_conn_limit_write.patch @@ -0,0 +1,67 @@ +From 129a45f9755a89f573c6a513a6b9e3d234ce89b0 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Mon, 23 Feb 2026 15:06:50 -0800 +Subject: fuse: quiet down complaints in fuse_conn_limit_write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Darrick J. Wong + +commit 129a45f9755a89f573c6a513a6b9e3d234ce89b0 upstream. + +gcc 15 complains about an uninitialized variable val that is passed by +reference into fuse_conn_limit_write: + + control.c: In function ‘fuse_conn_congestion_threshold_write’: + include/asm-generic/rwonce.h:55:37: warning: ‘val’ may be used uninitialized [-Wmaybe-uninitialized] + 55 | *(volatile typeof(x) *)&(x) = (val); \ + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ + include/asm-generic/rwonce.h:61:9: note: in expansion of macro ‘__WRITE_ONCE’ + 61 | __WRITE_ONCE(x, val); \ + | ^~~~~~~~~~~~ + control.c:178:9: note: in expansion of macro ‘WRITE_ONCE’ + 178 | WRITE_ONCE(fc->congestion_threshold, val); + | ^~~~~~~~~~ + control.c:166:18: note: ‘val’ was declared here + 166 | unsigned val; + | ^~~ + +Unfortunately there's enough macro spew involved in kstrtoul_from_user +that I think gcc gives up on its analysis and sprays the above warning. +AFAICT it's not actually a bug, but we could just zero-initialize the +variable to enable using -Wmaybe-uninitialized to find real problems. + +Previously we would use some weird uninitialized_var annotation to quiet +down the warnings, so clearly this code has been like this for quite +some time. + +Cc: stable@vger.kernel.org # v5.9 +Fixes: 3f649ab728cda8 ("treewide: Remove uninitialized_var() usage") +Signed-off-by: Darrick J. Wong +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/control.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/fuse/control.c ++++ b/fs/fuse/control.c +@@ -120,7 +120,7 @@ static ssize_t fuse_conn_max_background_ + const char __user *buf, + size_t count, loff_t *ppos) + { +- unsigned val; ++ unsigned int val = 0; + ssize_t ret; + + ret = fuse_conn_limit_write(file, buf, count, ppos, &val, +@@ -162,7 +162,7 @@ static ssize_t fuse_conn_congestion_thre + const char __user *buf, + size_t count, loff_t *ppos) + { +- unsigned val; ++ unsigned int val = 0; + struct fuse_conn *fc; + ssize_t ret; + diff --git a/queue-6.1/fuse-reject-oversized-dirents-in-page-cache.patch b/queue-6.1/fuse-reject-oversized-dirents-in-page-cache.patch new file mode 100644 index 0000000000..0999686ca0 --- /dev/null +++ b/queue-6.1/fuse-reject-oversized-dirents-in-page-cache.patch @@ -0,0 +1,50 @@ +From 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed Mon Sep 17 00:00:00 2001 +From: Samuel Page +Date: Mon, 20 Apr 2026 11:01:37 +0200 +Subject: fuse: reject oversized dirents in page cache + +From: Samuel Page + +commit 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed upstream. + +fuse_add_dirent_to_cache() computes a serialized dirent size from the +server-controlled namelen field and copies the dirent into a single +page-cache page. The existing logic only checks whether the dirent fits +in the remaining space of the current page and advances to a fresh page +if not. It never checks whether the dirent itself exceeds PAGE_SIZE. + +As a result, a malicious FUSE server can return a dirent with +namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB +page systems this causes memcpy() to overflow the cache page by 24 bytes +into the following kernel page. + +Reject dirents that cannot fit in a single page before copying them into +the readdir cache. + +Fixes: 69e34551152a ("fuse: allow caching readdir") +Cc: stable@vger.kernel.org # v6.16+ +Assisted-by: Bynario AI +Signed-off-by: Samuel Page +Reported-by: Qi Tang +Reported-by: Zijun Hu +Signed-off-by: Miklos Szeredi +Link: https://patch.msgid.link/20260420090139.662772-1-mszeredi@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/readdir.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/fuse/readdir.c ++++ b/fs/fuse/readdir.c +@@ -41,6 +41,10 @@ static void fuse_add_dirent_to_cache(str + unsigned int offset; + void *addr; + ++ /* Dirent doesn't fit in readdir cache page? Skip caching. */ ++ if (reclen > PAGE_SIZE) ++ return; ++ + spin_lock(&fi->rdc.lock); + /* + * Is cache already completed? Or this entry does not go at the end of diff --git a/queue-6.1/ksmbd-fix-out-of-bounds-write-in-smb2_get_ea-ea-alignment.patch b/queue-6.1/ksmbd-fix-out-of-bounds-write-in-smb2_get_ea-ea-alignment.patch new file mode 100644 index 0000000000..04cbe64795 --- /dev/null +++ b/queue-6.1/ksmbd-fix-out-of-bounds-write-in-smb2_get_ea-ea-alignment.patch @@ -0,0 +1,52 @@ +From 30010c952077a1c89ecdd71fc4d574c75a8f5617 Mon Sep 17 00:00:00 2001 +From: Tristan Madani +Date: Fri, 17 Apr 2026 19:33:17 +0000 +Subject: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment + +From: Tristan Madani + +commit 30010c952077a1c89ecdd71fc4d574c75a8f5617 upstream. + +smb2_get_ea() applies 4-byte alignment padding via memset() after +writing each EA entry. The bounds check on buf_free_len is performed +before the value memcpy, but the alignment memset fires unconditionally +afterward with no check on remaining space. + +When the EA value exactly fills the remaining buffer (buf_free_len == 0 +after value subtraction), the alignment memset writes 1-3 NUL bytes +past the buf_free_len boundary. In compound requests where the response +buffer is shared across commands, the first command (e.g., READ) can +consume most of the buffer, leaving a tight remainder for the QUERY_INFO +EA response. The alignment memset then overwrites past the physical +kvmalloc allocation into adjacent kernel heap memory. + +Add a bounds check before the alignment memset to ensure buf_free_len +can accommodate the padding bytes. + +This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix +potencial OOB in get_file_all_info() for compound requests") and +commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound +requests"), both of which added bounds checks before unconditional +writes in QUERY_INFO response handlers. + +Cc: stable@vger.kernel.org +Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") +Signed-off-by: Tristan Madani +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4495,6 +4495,8 @@ static int smb2_get_ea(struct ksmbd_work + /* align next xattr entry at 4 byte bundary */ + alignment_bytes = ((next_offset + 3) & ~3) - next_offset; + if (alignment_bytes) { ++ if (buf_free_len < alignment_bytes) ++ break; + memset(ptr, '\0', alignment_bytes); + ptr += alignment_bytes; + next_offset += alignment_bytes; diff --git a/queue-6.1/ksmbd-use-check_add_overflow-to-prevent-u16-dacl-size-overflow.patch b/queue-6.1/ksmbd-use-check_add_overflow-to-prevent-u16-dacl-size-overflow.patch new file mode 100644 index 0000000000..02c5415db9 --- /dev/null +++ b/queue-6.1/ksmbd-use-check_add_overflow-to-prevent-u16-dacl-size-overflow.patch @@ -0,0 +1,86 @@ +From 299f962c0b02d048fb45d248b4da493d03f3175d Mon Sep 17 00:00:00 2001 +From: Tristan Madani +Date: Fri, 17 Apr 2026 19:54:57 +0000 +Subject: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow + +From: Tristan Madani + +commit 299f962c0b02d048fb45d248b4da493d03f3175d upstream. + +set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes +in u16 variables. When a file has many POSIX ACL entries, the +accumulated size can wrap past 65535, causing the pointer arithmetic +(char *)pndace + *size to land within already-written ACEs. Subsequent +writes then overwrite earlier entries, and pndacl->size gets a +truncated value. + +Use check_add_overflow() at each accumulation point to detect the +wrap before it corrupts the buffer, consistent with existing +check_mul_overflow() usage elsewhere in smbacl.c. + +Cc: stable@vger.kernel.org +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Signed-off-by: Tristan Madani +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smbacl.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -596,6 +596,7 @@ static void set_posix_acl_entries_dacl(s + struct smb_sid *sid; + struct smb_ace *ntace; + int i, j; ++ u16 ace_sz; + + if (!fattr->cf_acls) + goto posix_default_acl; +@@ -640,8 +641,10 @@ static void set_posix_acl_entries_dacl(s + flags = 0x03; + + ntace = (struct smb_ace *)((char *)pndace + *size); +- *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags, ++ ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags, + pace->e_perm, 0777); ++ if (check_add_overflow(*size, ace_sz, size)) ++ break; + (*num_aces)++; + if (pace->e_tag == ACL_USER) + ntace->access_req |= +@@ -650,8 +653,10 @@ static void set_posix_acl_entries_dacl(s + if (S_ISDIR(fattr->cf_mode) && + (pace->e_tag == ACL_USER || pace->e_tag == ACL_GROUP)) { + ntace = (struct smb_ace *)((char *)pndace + *size); +- *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, ++ ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, + 0x03, pace->e_perm, 0777); ++ if (check_add_overflow(*size, ace_sz, size)) ++ break; + (*num_aces)++; + if (pace->e_tag == ACL_USER) + ntace->access_req |= +@@ -691,8 +696,10 @@ posix_default_acl: + } + + ntace = (struct smb_ace *)((char *)pndace + *size); +- *size += fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b, ++ ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b, + pace->e_perm, 0777); ++ if (check_add_overflow(*size, ace_sz, size)) ++ break; + (*num_aces)++; + if (pace->e_tag == ACL_USER) + ntace->access_req |= +@@ -728,7 +735,8 @@ static void set_ntacl_dacl(struct user_n + break; + + memcpy((char *)pndace + size, ntace, nt_ace_size); +- size += nt_ace_size; ++ if (check_add_overflow(size, nt_ace_size, &size)) ++ break; + aces_size -= nt_ace_size; + ntace = (struct smb_ace *)((char *)ntace + nt_ace_size); + num_aces++; diff --git a/queue-6.1/rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch b/queue-6.1/rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch new file mode 100644 index 0000000000..737f21869c --- /dev/null +++ b/queue-6.1/rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch @@ -0,0 +1,56 @@ +From ac33733b10b484d666f97688561670afd5861383 Mon Sep 17 00:00:00 2001 +From: Anderson Nascimento +Date: Wed, 22 Apr 2026 17:14:35 +0100 +Subject: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing + +From: Anderson Nascimento + +commit ac33733b10b484d666f97688561670afd5861383 upstream. + +In rxrpc_preparse(), there are two paths for parsing key payloads: the +XDR path (for large payloads) and the non-XDR path (for payloads <= 28 +bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly +validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR +path fails to do so. + +This allows an unprivileged user to provide a very large ticket length. +When this key is later read via rxrpc_read(), the total +token size (toksize) calculation results in a value that exceeds +AFSTOKEN_LENGTH_MAX, triggering a WARN_ON(). + +[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc] + +Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() +to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, +bringing it into parity with the XDR parsing logic. + +Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing") +Fixes: 84924aac08a4 ("rxrpc: Fix checker warning") +Reported-by: Anderson Nascimento +Signed-off-by: Anderson Nascimento +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260422161438.2593376-7-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -340,6 +340,10 @@ static int rxrpc_preparse(struct key_pre + if (v1->security_index != RXRPC_SECURITY_RXKAD) + goto error; + ++ ret = -EKEYREJECTED; ++ if (v1->ticket_length > AFSTOKEN_RK_TIX_MAX) ++ goto error; ++ + plen = sizeof(*token->kad) + v1->ticket_length; + prep->quotalen += plen + sizeof(*token); + diff --git a/queue-6.1/series b/queue-6.1/series index d9191ca717..665649afdb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -141,3 +141,19 @@ scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch arm64-mm-fix-va-range-sanity-check.patch rxrpc-fix-anonymous-key-handling.patch rxrpc-only-handle-response-during-service-challenge.patch +fs-ntfs3-validate-rec-used-in-journal-replay-file-record-check.patch +fuse-reject-oversized-dirents-in-page-cache.patch +fuse-quiet-down-complaints-in-fuse_conn_limit_write.patch +smb-server-fix-active_num_conn-leak-on-transport-allocation-failure.patch +smb-server-fix-max_connections-off-by-one-in-tcp-accept-path.patch +smb-client-require-a-full-nfs-mode-sid-before-reading-mode-bits.patch +smb-client-fix-oob-read-in-smb2_ioctl_query_info-query_info-path.patch +ksmbd-fix-out-of-bounds-write-in-smb2_get_ea-ea-alignment.patch +ksmbd-use-check_add_overflow-to-prevent-u16-dacl-size-overflow.patch +f2fs-fix-use-after-free-of-sbi-in-f2fs_compress_write_end_io.patch +alsa-usb-audio-apply-quirk-for-moondrop-ju-jiu.patch +alsa-caiaq-take-a-reference-on-the-usb-device-in-create_card.patch +crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch +crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch +crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch +rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch diff --git a/queue-6.1/smb-client-fix-oob-read-in-smb2_ioctl_query_info-query_info-path.patch b/queue-6.1/smb-client-fix-oob-read-in-smb2_ioctl_query_info-query_info-path.patch new file mode 100644 index 0000000000..ce934064a2 --- /dev/null +++ b/queue-6.1/smb-client-fix-oob-read-in-smb2_ioctl_query_info-query_info-path.patch @@ -0,0 +1,51 @@ +From a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Sun, 19 Apr 2026 19:35:19 -0400 +Subject: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path + +From: Michael Bommarito + +commit a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e upstream. + +smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL +and the default QUERY_INFO path. The QUERY_INFO branch clamps +qi.input_buffer_length to the server-reported OutputBufferLength and then +copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but +it never verifies that the flexible-array payload actually fits within +rsp_iov[1].iov_len. + +A malicious server can return OutputBufferLength larger than the actual +QUERY_INFO response, causing copy_to_user() to walk past the response +buffer and expose adjacent kernel heap to userspace. + +Guard the QUERY_INFO copy with a bounds check on the actual Buffer +payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) +rather than an open-coded addition so the guard cannot overflow on +32-bit builds. + +Fixes: f5778c398713 ("SMB3: Allow SMB3 FSCTL queries to be sent to server from tools") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Bommarito +Assisted-by: Claude:claude-opus-4-6 +Assisted-by: Codex:gpt-5-4 +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -1701,6 +1701,12 @@ smb2_ioctl_query_info(const unsigned int + qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base; + if (le32_to_cpu(qi_rsp->OutputBufferLength) < qi.input_buffer_length) + qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength); ++ if (qi.input_buffer_length > 0 && ++ struct_size(qi_rsp, Buffer, qi.input_buffer_length) > ++ rsp_iov[1].iov_len) { ++ rc = -EFAULT; ++ goto out; ++ } + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, + sizeof(qi.input_buffer_length))) { diff --git a/queue-6.1/smb-client-require-a-full-nfs-mode-sid-before-reading-mode-bits.patch b/queue-6.1/smb-client-require-a-full-nfs-mode-sid-before-reading-mode-bits.patch new file mode 100644 index 0000000000..e305c1c2ef --- /dev/null +++ b/queue-6.1/smb-client-require-a-full-nfs-mode-sid-before-reading-mode-bits.patch @@ -0,0 +1,42 @@ +From 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 20 Apr 2026 09:50:58 -0400 +Subject: smb: client: require a full NFS mode SID before reading mode bits + +From: Michael Bommarito + +commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 upstream. + +parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS +mode SID and reads sid.sub_auth[2] to recover the mode bits. + +That assumes the ACE carries three subauthorities, but compare_sids() +only compares min(a, b) subauthorities. A malicious server can return +an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still +matches sid_unix_NFS_mode and then drives the sub_auth[2] read four +bytes past the end of the ACE. + +Require num_subauth >= 3 before treating the ACE as an NFS mode SID. +This keeps the fix local to the special-SID mode path without changing +compare_sids() semantics for the rest of cifsacl. + +Fixes: e2f8fbfb8d09 ("cifs: get mode bits from special sid on stat") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-6 +Signed-off-by: Michael Bommarito +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsacl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/client/cifsacl.c ++++ b/fs/smb/client/cifsacl.c +@@ -807,6 +807,7 @@ static void parse_dacl(struct cifs_acl * + dump_ace(ppace[i], end_of_acl); + #endif + if (mode_from_special_sid && ++ ppace[i]->sid.num_subauth >= 3 && + (compare_sids(&(ppace[i]->sid), + &sid_unix_NFS_mode) == 0)) { + /* diff --git a/queue-6.1/smb-server-fix-active_num_conn-leak-on-transport-allocation-failure.patch b/queue-6.1/smb-server-fix-active_num_conn-leak-on-transport-allocation-failure.patch new file mode 100644 index 0000000000..b44787d7c2 --- /dev/null +++ b/queue-6.1/smb-server-fix-active_num_conn-leak-on-transport-allocation-failure.patch @@ -0,0 +1,68 @@ +From 6551300dc452ac16a855a83dbd1e74899542d3b3 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 14 Apr 2026 18:54:38 -0400 +Subject: smb: server: fix active_num_conn leak on transport allocation failure + +From: Michael Bommarito + +commit 6551300dc452ac16a855a83dbd1e74899542d3b3 upstream. + +Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in +ksmbd_tcp_new_connection()") addressed the kthread_run() failure +path. The earlier alloc_transport() == NULL path in the same +function has the same leak, is reachable pre-authentication via any +TCP connect to port 445, and was empirically reproduced on UML +(ARCH=um, v7.0-rc7): a small number of forced allocation failures +were sufficient to put ksmbd into a state where every subsequent +connection attempt was rejected for the remainder of the boot. + +ksmbd_kthread_fn() increments active_num_conn before calling +ksmbd_tcp_new_connection() and discards the return value, so when +alloc_transport() returns NULL the socket is released and -ENOMEM +returned without decrementing the counter. Each such failure +permanently consumes one slot from the max_connections pool; once +cumulative failures reach the cap, atomic_inc_return() hits the +threshold on every subsequent accept and every new connection is +rejected. The counter is only reset by module reload. + +An unauthenticated remote attacker can drive the server toward the +memory pressure that makes alloc_transport() fail by holding open +connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN +(0x00FFFFFF); natural transient allocation failures on a loaded +host produce the same drift more slowly. + +Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the +alloc_transport() failure path, decrement active_num_conn gated on +server_conf.max_connections. + +Repro details: with the patch reverted, forced alloc_transport() +NULL returns leaked counter slots and subsequent connection +attempts -- including legitimate connects issued after the +forced-fail window had closed -- were all rejected with "Limit the +maximum number of connections". With this patch applied, the same +connect sequence produces no rejections and the counter cycles +cleanly between zero and one on every accept. + +Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-6 +Assisted-by: Codex:gpt-5-4 +Signed-off-by: Michael Bommarito +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_tcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -199,6 +199,8 @@ static int ksmbd_tcp_new_connection(stru + t = alloc_transport(client_sk); + if (!t) { + sock_release(client_sk); ++ if (server_conf.max_connections) ++ atomic_dec(&active_num_conn); + return -ENOMEM; + } + diff --git a/queue-6.1/smb-server-fix-max_connections-off-by-one-in-tcp-accept-path.patch b/queue-6.1/smb-server-fix-max_connections-off-by-one-in-tcp-accept-path.patch new file mode 100644 index 0000000000..4d0506b215 --- /dev/null +++ b/queue-6.1/smb-server-fix-max_connections-off-by-one-in-tcp-accept-path.patch @@ -0,0 +1,52 @@ +From ce23158bfe584bd90d1918f279fdf9de57802012 Mon Sep 17 00:00:00 2001 +From: DaeMyung Kang +Date: Fri, 17 Apr 2026 06:17:35 +0900 +Subject: smb: server: fix max_connections off-by-one in tcp accept path + +From: DaeMyung Kang + +commit ce23158bfe584bd90d1918f279fdf9de57802012 upstream. + +The global max_connections check in ksmbd's TCP accept path counts +the newly accepted connection with atomic_inc_return(), but then +rejects the connection when the result is greater than or equal to +server_conf.max_connections. + +That makes the effective limit one smaller than configured. For +example: + +- max_connections=1 rejects the first connection +- max_connections=2 allows only one connection + +The per-IP limit in the same function uses <= correctly because it +counts only pre-existing connections. The global limit instead checks +the post-increment total, so it should reject only when that total +exceeds the configured maximum. + +Fix this by changing the comparison from >= to >, so exactly +max_connections simultaneous connections are allowed and the next one +is rejected. This matches the documented meaning of max_connections +in fs/smb/server/ksmbd_netlink.h as the "Number of maximum simultaneous +connections". + +Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter") +Cc: stable@vger.kernel.org +Signed-off-by: DaeMyung Kang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -293,7 +293,7 @@ static int ksmbd_kthread_fn(void *p) + + skip_max_ip_conns_limit: + if (server_conf.max_connections && +- atomic_inc_return(&active_num_conn) >= server_conf.max_connections) { ++ atomic_inc_return(&active_num_conn) > server_conf.max_connections) { + pr_info_ratelimited("Limit the maximum number of connections(%u)\n", + atomic_read(&active_num_conn)); + atomic_dec(&active_num_conn);