1. Patchew
  2. linux
  3. View series

[PATCH 6.12.y 0/1] ksmbd: validate owner of durable handle on reconnect

Alva Lan posted 1 patch 2 days, 11 hours ago
There is a newer version of this series
fs/smb/server/mgmt/user_session.c |  7 ++-
fs/smb/server/oplock.c            |  7 +++
fs/smb/server/oplock.h            |  1 +
fs/smb/server/smb2pdu.c           |  3 +-
fs/smb/server/vfs_cache.c         | 87 +++++++++++++++++++++++++++----
fs/smb/server/vfs_cache.h         | 12 ++++-
6 files changed, 102 insertions(+), 15 deletions(-)
[PATCH 6.12.y 0/1] ksmbd: validate owner of durable handle on reconnect
Posted by Alva Lan 2 days, 11 hours ago 
This patch backports upstream commit 49110a8ce654 ("ksmbd: validate owner
of durable handle on reconnect") to the 6.12.y stable branch to address
CVE-2026-31717.

The vulnerability allows any authenticated user to hijack an orphaned
durable file handle by predicting or brute-forcing the persistent ID.

The fix adds owner identity (UID, GID, account name) tracking to durable
handles and validates it during SMB2_CREATE (DHnC) reconnect, per the
MS-SMB2 specification.

Testing:
- Build tested: compiled cleanly on x86_64 with CONFIG_SMB_SERVER=y
- Boot tested: kernel boots and ksmbd serves shares normally
- Functional test: verified using a Python SMB2 test client that:
  1. Legitimate owner (user_a) can reconnect to own durable handle (PASS)
  2. Different user (user_b) is rejected when attempting DHnC reconnect
     with user_a's persistent file ID (PASS - STATUS_OBJECT_NAME_NOT_FOUND)

Thanks,


Namjae Jeon (1):
  ksmbd: validate owner of durable handle on reconnect

 fs/smb/server/mgmt/user_session.c |  7 ++-
 fs/smb/server/oplock.c            |  7 +++
 fs/smb/server/oplock.h            |  1 +
 fs/smb/server/smb2pdu.c           |  3 +-
 fs/smb/server/vfs_cache.c         | 87 +++++++++++++++++++++++++++----
 fs/smb/server/vfs_cache.h         | 12 ++++-
 6 files changed, 102 insertions(+), 15 deletions(-)

-- 
2.43.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.