kernel/fs/smb/server/auth.c, branch linux-6.18.y

ksmbd: Compare MACs in constant time

2026-03-19T15:08:50Z

commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream. To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq(). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman

smb: Use arc4 library instead of duplicate arc4 code

2025-09-30T02:21:23Z

fs/smb/common/cifs_arc4.c has an implementation of ARC4, but a copy of this same code is also present in lib/crypto/arc4.c to serve the other users of this legacy algorithm in the kernel. Remove the duplicate implementation in fs/smb/, which seems to have been added because of a misunderstanding, and just use the lib/crypto/ one. Signed-off-by: Eric Biggers Reviewed-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French

ksmbd: use SHA-256 library API instead of crypto_shash API

2025-05-26T03:54:50Z

ksmbd_gen_sd_hash() does not support any other algorithm, so the crypto_shash abstraction provides no value. Just use the SHA-256 library API instead, which is much simpler and easier to use. Signed-off-by: Eric Biggers Acked-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: fix use-after-free in kerberos authentication

2025-04-25T23:22:01Z

Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan Acked-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: fix session use-after-free in multichannel connection

2025-04-01T05:04:21Z

There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. Cc: stable@vger.kernel.org Reported-by: Sean Heelan Signed-off-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: use aead_request_free to match aead_request_alloc

2025-03-28T00:12:00Z

Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Miaoqian Lin Acked-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: fix racy issue from session lookup and expire

2024-12-10T23:48:06Z

Increment the session reference count within the lock for lookup to avoid racy issue with session expire. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25737 Signed-off-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: use __GFP_RETRY_MAYFAIL

2024-11-26T00:58:02Z

Prefer to report ENOMEM rather than incur the oom for allocations in ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations just too easily. __GFP_RETRY_MAYFAIL will keep retrying the allocation until there is no more progress and fail the allocation instead go OOM and let the caller to deal with it. Signed-off-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: add support for supplementary groups

2024-10-11T16:02:14Z

Even though system user has a supplementary group, It gets NT_STATUS_ACCESS_DENIED when attempting to create file or directory. This patch add KSMBD_EVENT_LOGIN_REQUEST_EXT/RESPONSE_EXT netlink events to get supplementary groups list. The new netlink event doesn't break backward compatibility when using old ksmbd-tools. Co-developed-by: Atte Heikkilä Signed-off-by: Atte Heikkilä Signed-off-by: Namjae Jeon Signed-off-by: Steve French

ksmbd: auth: fix most kernel-doc warnings

2024-01-09T18:52:33Z

Fix 12 of 17 kernel-doc warnings in auth.c: auth.c:221: warning: Function parameter or member 'conn' not described in 'ksmbd_auth_ntlmv2' auth.c:221: warning: Function parameter or member 'cryptkey' not described in 'ksmbd_auth_ntlmv2' auth.c:305: warning: Function parameter or member 'blob_len' not described in 'ksmbd_decode_ntlmssp_auth_blob' auth.c:305: warning: Function parameter or member 'conn' not described in 'ksmbd_decode_ntlmssp_auth_blob' auth.c:305: warning: Excess function parameter 'usr' description in 'ksmbd_decode_ntlmssp_auth_blob' auth.c:385: warning: Function parameter or member 'blob_len' not described in 'ksmbd_decode_ntlmssp_neg_blob' auth.c:385: warning: Function parameter or member 'conn' not described in 'ksmbd_decode_ntlmssp_neg_blob' auth.c:385: warning: Excess function parameter 'rsp' description in 'ksmbd_decode_ntlmssp_neg_blob' auth.c:385: warning: Excess function parameter 'sess' description in 'ksmbd_decode_ntlmssp_neg_blob' auth.c:413: warning: Function parameter or member 'conn' not described in 'ksmbd_build_ntlmssp_challenge_blob' auth.c:413: warning: Excess function parameter 'rsp' description in 'ksmbd_build_ntlmssp_challenge_blob' auth.c:413: warning: Excess function parameter 'sess' description in 'ksmbd_build_ntlmssp_challenge_blob' The other 5 are only present when a W=1 kernel build is done or when scripts/kernel-doc is run with -Wall. They are: auth.c:81: warning: No description found for return value of 'ksmbd_gen_sess_key' auth.c:385: warning: No description found for return value of 'ksmbd_decode_ntlmssp_neg_blob' auth.c:413: warning: No description found for return value of 'ksmbd_build_ntlmssp_challenge_blob' auth.c:577: warning: No description found for return value of 'ksmbd_sign_smb2_pdu' auth.c:628: warning: No description found for return value of 'ksmbd_sign_smb3_pdu' Signed-off-by: Randy Dunlap Cc: Namjae Jeon Cc: Steve French Cc: Sergey Senozhatsky Cc: Tom Talpey Cc: linux-cifs@vger.kernel.org Acked-by: Namjae Jeon Signed-off-by: Steve French