[PATCH 6.6.y v3 0/4] ksmbd: validate owner of durable handle on reconnect
Posted by Alva Lan 1 week, 6 days ago
v1->v2: add two prerequisite commits
v2->v3: add bf736184d063 ("ksmbd: close durable scavenger races against m_fp_list lookups")

This series backports four upstream commits to the 6.6.y stable branch.

The patches fix:

  - Patches 1 and 2 are prerequisites that add proper durable handle lifecycle
    management (scavenger timer and expiration handling).
  - Patch 3 fixes a missing validation that allowed any authenticated user to
    hijack orphaned durable handles by predicting or brute-forcing the persistent
    ID.
  - Patch 4 fixes race conditions in the durable scavenger thread that could
    lead to list corruption (fp->node reuse) and use-after-free when concurrent
    m_fp_list walkers interact with handle expiration.

Patches:
  [1/4] ksmbd: avoid reclaiming expired durable opens by the client
  [2/4] ksmbd: add durable scavenger timer
  [3/4] ksmbd: validate owner of durable handle on reconnect
  [4/4] ksmbd: close durable scavenger races against m_fp_list lookups

Testing performed:
  - Boot: x86_64 target
  - Functional regression (all pass):
      * mkdir / rmdir (single, nested, recursive)
      * read / write (small files, 1MB, 10MB)
      * append, rename (file + directory), delete
      * chmod, stat, directory listing
      * concurrent I/O (5 parallel writers)
      * multi-user access (cross-user read/write)
  - CVE-specific tests (all pass):
      * Race 1: fp->node list-head reuse — no CONFIG_DEBUG_LIST reports
      * Race 2: UAF via refcount race — no KASAN reports under concurrent
        rename + scavenger expiry
      * persistent_id recycling — new handles remain valid after old ones
        expire
      * open_files_count — no underflow when detached fp closed by
        unrelated connection
      * Owner validation — same user reconnects successfully; different
        user cannot hijack durable handle via DHnC
  - Server stability: ksmbd remains healthy after all stress tests,
    dmesg clean (no list corruption, KASAN, UAF, ODEBUG, or WARNING)

DaeMyung Kang (1):
  ksmbd: close durable scavenger races against m_fp_list lookups

Namjae Jeon (3):
  ksmbd: avoid reclaiming expired durable opens by the client
  ksmbd: add durable scavenger timer
  ksmbd: validate owner of durable handle on reconnect

 fs/smb/server/mgmt/user_session.c |  10 +-
 fs/smb/server/oplock.c            |   7 +
 fs/smb/server/oplock.h            |   1 +
 fs/smb/server/server.c            |   1 +
 fs/smb/server/server.h            |   1 +
 fs/smb/server/smb2pdu.c           |   5 +-
 fs/smb/server/smb2pdu.h           |   2 +
 fs/smb/server/vfs_cache.c         | 309 ++++++++++++++++++++++++++++--
 fs/smb/server/vfs_cache.h         |  15 +-
 9 files changed, 329 insertions(+), 22 deletions(-)

-- 
2.43.0
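
As an added illustration of the check this series is about (example code, not ksmbd's and not the submitter's), here is a self-contained C model of a durable handle table. A reconnect (SMB2 DHnC) looks the orphaned handle up by the client-supplied persistent id; with check_owner=false the model accepts any authenticated session, which is the missing validation patch 3 closes, and with check_owner=true the reconnecting session's user must match the owner recorded at open. A timed-out orphan is refused either way, which is the patch 1 behaviour. The hijack_scan sweep shows why sequential persistent ids made the unchecked path cheap to abuse. All names (durable_fp, durable_reconnect, hijack_scan), the uids and the 60 s timeout are assumptions of this example.

```c
/* Toy model of SMB2 durable handle reconnect (DHnC) with owner validation.
 * Added example, not ksmbd code; names, uids and the timeout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DURABLE 16
#define DURABLE_TIMEOUT_MS 60000ULL	/* assumed scavenger timeout */

enum reconnect_status { RECONNECT_OK, RECONNECT_NOT_FOUND,
			RECONNECT_EXPIRED, RECONNECT_WRONG_OWNER };

struct durable_fp {
	bool in_use;
	uint64_t persistent_id;   /* echoed by the client in the DHnC blob */
	uint32_t owner_uid;       /* session user that opened the file */
	bool attached;            /* still bound to a live connection */
	uint64_t disconnected_at; /* ms timestamp of the disconnect */
};

static struct durable_fp table[MAX_DURABLE];
static uint64_t next_persistent_id = 1;

/* Open with a durable request; returns the persistent id (0 when full). */
uint64_t durable_open(uint32_t uid)
{
	for (int i = 0; i < MAX_DURABLE; i++) {
		if (table[i].in_use)
			continue;
		table[i] = (struct durable_fp){ .in_use = true, .owner_uid = uid,
			.persistent_id = next_persistent_id++, .attached = true };
		return table[i].persistent_id;	/* sequential, hence guessable */
	}
	return 0;
}

static struct durable_fp *lookup(uint64_t pid)
{
	for (int i = 0; i < MAX_DURABLE; i++)
		if (table[i].in_use && table[i].persistent_id == pid)
			return &table[i];
	return NULL;
}

/* Owning connection dropped: the handle is now an orphan awaiting DHnC. */
void durable_disconnect(uint64_t pid, uint64_t now_ms)
{
	struct durable_fp *fp = lookup(pid);
	if (fp && fp->attached) {
		fp->attached = false;
		fp->disconnected_at = now_ms;
	}
}

static bool expired(const struct durable_fp *fp, uint64_t now_ms)
{
	return !fp->attached && now_ms - fp->disconnected_at >= DURABLE_TIMEOUT_MS;
}

/* Reconnect path; check_owner=false models the lookup before patch 3. */
enum reconnect_status durable_reconnect(uint64_t pid, uint32_t uid, uint64_t now_ms,
					bool check_owner, struct durable_fp **out)
{
	struct durable_fp *fp = lookup(pid);

	*out = NULL;
	if (!fp || fp->attached)
		return RECONNECT_NOT_FOUND;
	if (expired(fp, now_ms))	/* a timed-out orphan must not be reclaimed */
		return RECONNECT_EXPIRED;
	if (check_owner && fp->owner_uid != uid)
		return RECONNECT_WRONG_OWNER;
	fp->attached = true;		/* rebind to the reconnecting session */
	*out = fp;
	return RECONNECT_OK;
}

/* Attacker sweep of the id space; returns how many orphans it claimed. */
int hijack_scan(uint32_t attacker_uid, uint64_t now_ms, bool check_owner)
{
	int stolen = 0;
	struct durable_fp *fp;
	for (uint64_t pid = 1; pid < next_persistent_id; pid++)
		if (durable_reconnect(pid, attacker_uid, now_ms, check_owner, &fp) == RECONNECT_OK)
			stolen++;
	return stolen;
}

int main(void)
{
	for (int fixed = 0; fixed < 2; fixed++) {
		durable_disconnect(durable_open(1000), 1000);	/* fresh orphan of uid 1000 */
		printf("%s: uid 1001 hijacks %d orphan(s)\n",
		       fixed ? "fixed  " : "pre-fix", hijack_scan(1001, 2000, fixed));
	}
	return 0;
}
```

Build with `cc -o dhnc dhnc.c && ./dhnc`: the pre-fix pass claims the other user's orphan, the fixed pass claims none. The model is single-threaded on purpose; in the real server the check and the rebind have to happen under whatever lock protects the handle list, because, as the cover letter's description of patch 4 notes, a scavenger expiring the same fp while a lookup walks m_fp_list is exactly the use-after-free the follow-up closes.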


Re: [PATCH 6.6.y v3 0/4] ksmbd: validate owner of durable handle on reconnect
Posted by Sasha Levin 1 week, 6 days ago
On Tue, May 26, 2026 at 03:57:01PM +0800, Alva Lan wrote:
> This series backports the fix for CVE-2026-31717 along with the two
> prerequisite commits and the follow-up that closes the scavenger
> races (KASAN-validated).

Queued the full v3 series (all four patches) for 6.6, thanks.

-- 
Thanks,
Sasha