kernel/fs/smb/server/smb2pdu.c, branch linux-rolling-stable Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-rolling-stable 2026-03-19T15:15:22Z smb: server: fix use-after-free in smb2_open() 2026-03-19T15:15:22Z Marios Makassikis mmakassikis@freebox.fr 2026-03-03T10:14:32Z urn:sha1:190e5f808e8058640b408ccfed25440b441a718a commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream. The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window. Cc: stable@vger.kernel.org Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> smb/server: Fix another refcount leak in smb2_open() 2026-03-19T15:14:45Z Guenter Roeck linux@roeck-us.net 2026-02-27T05:54:21Z urn:sha1:571eb3e421a2ff207708e16eac6d9b52b1b0ebd3 [ Upstream commit c15e7c62feb3751cbdd458555819df1d70374890 ] If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work, fp) will not be called. However, dh_info.fp was already inserted into the session file table by ksmbd_reopen_durable_fd(), so it will leak in the session file table until the session is closed. Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the problem. Found by an experimental AI code review agent at Google. Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2") Signed-off-by: Guenter Roeck <linux@roeck-us.net> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org> ksmbd: Compare MACs in constant time 2026-03-12T11:09:35Z Eric Biggers ebiggers@kernel.org 2026-02-18T04:28:29Z urn:sha1:f4588b85efd6007d46b80aa1b9fb746628ffb3dc commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream. To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq(). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths 2026-02-26T23:01:38Z Fedor Pchelkin pchelkin@ispras.ru 2026-02-14T15:45:14Z urn:sha1:4c38600feb81c670edb82e49d201d3d2d00cd4c3 commit a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8 upstream. There are two places where ksmbd_vfs_kern_path_end_removing() needs to be called in order to balance what the corresponding successful call to ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and put the taken references. Otherwise there might be potential deadlocks and unbalanced locks which are caught like: BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596 last function: handle_ksmbd_work 2 locks held by kworker/5:21/7596: #0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660 #1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660 CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 Workqueue: ksmbd-io handle_ksmbd_work Call Trace: <TASK> dump_stack_lvl+0x44/0x5b process_one_work.cold+0x57/0x5c worker_thread+0x82/0x600 kthread+0x153/0x190 ret_from_fork+0x22/0x30 </TASK> Found by Linux Verification Center (linuxtesting.org). Fixes: d5fc1400a34b ("smb/server: avoid deadlock when linking with ReplaceIfExists") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ksmbd: add chann_lock to protect ksmbd_chann_list xarray 2026-02-16T09:13:29Z Namjae Jeon linkinjeon@kernel.org 2026-02-09T01:43:19Z urn:sha1:36ef605c0395b94b826a8c8d6f2697071173de6e commit 4f3a06cc57976cafa8c6f716646be6c79a99e485 upstream. ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses. Cc: stable@vger.kernel.org Reported-by: Igor Stepansky <igor.stepansky@orca.security> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> smb/server: fix refcount leak in smb2_open() 2025-12-29T23:39:58Z ZhangGuoDong zhangguodong@kylinos.cn 2025-12-29T03:15:18Z urn:sha1:f416c556997aa56ec4384c6b6efd6a0e6ac70aa7 When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file must be released. Suggested-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn> Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> smb/server: fix refcount leak in parse_durable_handle_context() 2025-12-29T23:39:58Z ZhangGuoDong zhangguodong@kylinos.cn 2025-12-29T02:13:29Z urn:sha1:3296c3012a9d9a27e81e34910384e55a6ff3cff0 When the command is a replay operation and -ENOEXEC is returned, the refcount of ksmbd_file must be released. Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn> Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() 2025-12-29T23:39:57Z ZhangGuoDong zhangguodong@kylinos.cn 2025-12-28T14:51:01Z urn:sha1:7c28f8eef5ac5312794d8a52918076dcd787e53b When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn> Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> ksmbd: Fix memory leak in get_file_all_info() 2025-12-29T23:39:57Z Zilin Guan zilin@seu.edu.cn 2025-12-24T14:20:16Z urn:sha1:0c56693b06a68476ba113db6347e7897475f9e4c In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case. Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> ksmbd: rename smb2_get_msg to smb_get_msg 2025-12-22T01:20:46Z Namjae Jeon linkinjeon@kernel.org 2025-12-19T01:04:25Z urn:sha1:0b444cfd8b74ebce421ccd96eac9c495e536c92e With the removal of the RFC1002 length field from the SMB header, smb2_get_msg is now used to get the smb1 request from the request buffer. Since this function is no longer exclusive to smb2 and now supports smb1 as well, This patch rename it to smb_get_msg to better reflect its usage. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>