fs/smb/server/mgmt/user_session.c | 10 +- fs/smb/server/oplock.c | 7 + fs/smb/server/oplock.h | 1 + fs/smb/server/server.c | 1 + fs/smb/server/server.h | 1 + fs/smb/server/smb2pdu.c | 5 +- fs/smb/server/smb2pdu.h | 2 + fs/smb/server/vfs_cache.c | 259 ++++++++++++++++++++++++++++-- fs/smb/server/vfs_cache.h | 15 +- 9 files changed, 279 insertions(+), 22 deletions(-)
v1-v2: add two prerequisite commits
This series backports three upstream commits to the 6.6.y stable branch
to address CVE-2026-31717.
The vulnerability allows any authenticated user to hijack an orphaned
durable file handle by predicting or brute-forcing the persistent ID.
Patch 1 and 2 are prerequisites that add proper durable handle lifecycle
management (scavenger timer and expiration handling). Patch 3 is the
actual security fix that adds owner identity (UID, GID, account name)
tracking to durable handles and validates it during SMB2_CREATE (DHnC)
reconnect, per the MS-SMB2 specification.
Upstream commits:
- 098c0ac3808c ("ksmbd: avoid reclaiming expired durable opens by the client")
- 894947e0736d ("ksmbd: add durable scavenger timer")
- 49110a8ce654 ("ksmbd: validate owner of durable handle on reconnect")
Testing:
- Build tested: all modified files compile cleanly on x86_64 with
CONFIG_SMB_SERVER=y
- Boot tested: kernel boots and ksmbd serves shares normally
- Functional test (Python SMB2 client with DHnC create contexts):
1. Legitimate owner (user_a) can reconnect to own durable handle (PASS)
2. Different user (user_b) is rejected when attempting DHnC reconnect
with user_a's persistent file ID (PASS - STATUS_OBJECT_NAME_NOT_FOUND)
- Regression test (smbclient): basic file operations, concurrent sessions,
sequential cross-user access, and authentication all work correctly
(11/11 PASS)
Thanks,
Namjae Jeon (3):
ksmbd: avoid reclaiming expired durable opens by the client
ksmbd: add durable scavenger timer
ksmbd: validate owner of durable handle on reconnect
fs/smb/server/mgmt/user_session.c | 10 +-
fs/smb/server/oplock.c | 7 +
fs/smb/server/oplock.h | 1 +
fs/smb/server/server.c | 1 +
fs/smb/server/server.h | 1 +
fs/smb/server/smb2pdu.c | 5 +-
fs/smb/server/smb2pdu.h | 2 +
fs/smb/server/vfs_cache.c | 259 ++++++++++++++++++++++++++++--
fs/smb/server/vfs_cache.h | 15 +-
9 files changed, 279 insertions(+), 22 deletions(-)
--
2.43.0
On Mon, May 25, 2026 at 06:38:58PM +0800, Alva Lan wrote:
> This series backports three upstream commits to the 6.6.y stable branch
> to address CVE-2026-31717.
>
> Upstream commits:
> - 098c0ac3808c ("ksmbd: avoid reclaiming expired durable opens by the client")
> - 894947e0736d ("ksmbd: add durable scavenger timer")
> - 49110a8ce654 ("ksmbd: validate owner of durable handle on reconnect")
Two notes before this can be queued:
1. The short SHAs in the cover letter for patches 1 and 2 do not resolve
in mainline. The correct upstream SHAs are 520da3c488c5 ("ksmbd:
avoid reclaiming expired durable opens by the client") and
d484d621d40f ("ksmbd: add durable scavenger timer"). Please fix the
cover letter on the next spin.
2. More importantly, this series adds the durable scavenger
(d484d621d40f) without its critical follow-up bf736184d063d ("ksmbd:
close durable scavenger races against m_fp_list lookups", Fixes:
d484d621d40f). That follow-up closes two KASAN-validated bugs in
the scavenger code: an fp->node list-head reuse that corrupts
f_ci->m_fp_list via list_add(&fp->node, &scavenger_list), and a
refcount race between scavenger qualification under global_ft.lock
and m_fp_list walkers that races to a UAF. Please include
bf736184d063d in the next revision so we are not knowingly queuing
the scavenger with these races still open.
Also, given the patches are authored by Namjae, an Acked-by from him
on the 6.6.y adaptation would be helpful before I pick this up.
--
Thanks,
Sasha
On 5/25/2026 11:33 PM, Sasha Levin wrote:
> On Mon, May 25, 2026 at 06:38:58PM +0800, Alva Lan wrote:
>> This series backports three upstream commits to the 6.6.y stable branch
>> to address CVE-2026-31717.
>>
>> Upstream commits:
>> - 098c0ac3808c ("ksmbd: avoid reclaiming expired durable opens by the client")
>> - 894947e0736d ("ksmbd: add durable scavenger timer")
>> - 49110a8ce654 ("ksmbd: validate owner of durable handle on reconnect")
> Two notes before this can be queued:
>
> 1. The short SHAs in the cover letter for patches 1 and 2 do not resolve
> in mainline. The correct upstream SHAs are 520da3c488c5 ("ksmbd:
> avoid reclaiming expired durable opens by the client") and
> d484d621d40f ("ksmbd: add durable scavenger timer"). Please fix the
> cover letter on the next spin.
>
> 2. More importantly, this series adds the durable scavenger
> (d484d621d40f) without its critical follow-up bf736184d063d ("ksmbd:
> close durable scavenger races against m_fp_list lookups", Fixes:
> d484d621d40f). That follow-up closes two KASAN-validated bugs in
> the scavenger code: an fp->node list-head reuse that corrupts
> f_ci->m_fp_list via list_add(&fp->node, &scavenger_list), and a
> refcount race between scavenger qualification under global_ft.lock
> and m_fp_list walkers that races to a UAF. Please include
> bf736184d063d in the next revision so we are not knowingly queuing
> the scavenger with these races still open.
>
> Also, given the patches are authored by Namjae, an Acked-by from him
> on the 6.6.y adaptation would be helpful before I pick this up.
Thanks for your review. I will add bf736184d063 ("ksmbd: close durable
scavenger races against m_fp_list lookups")
in my v3 backport.
--
Alva Lan
© 2016 - 2026 Red Hat, Inc.