<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/smb/client, branch v7.0-rc7</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-03-31T23:21:14+00:00</updated>
<entry>
<title>fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath</title>
<updated>2026-03-31T23:21:14+00:00</updated>
<author>
<name>Fredric Cover</name>
<email>FredTheDude@proton.me</email>
</author>
<published>2026-03-30T20:11:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=78ec5bf2f589ec7fd8f169394bfeca541b077317'/>
<id>urn:sha1:78ec5bf2f589ec7fd8f169394bfeca541b077317</id>
<content type='text'>
When cifs_sanitize_prepath is called with an empty string or a string
containing only delimiters (e.g., "/"), the current logic attempts to
check *(cursor2 - 1) before cursor2 has advanced. This results in an
out-of-bounds read.

This patch adds an early exit check after stripping prepended
delimiters. If no path content remains, the function returns NULL.

The bug was identified via manual audit and verified using a
standalone test case compiled with AddressSanitizer, which
triggered a SEGV on affected inputs.

Signed-off-by: Fredric Cover &lt;FredTheDude@proton.me&gt;
Reviewed-by: Henrique Carvalho &lt;henrique.carvalho@suse.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb/client: ensure smb2_mapping_table rebuild on cmd changes</title>
<updated>2026-03-23T13:17:26+00:00</updated>
<author>
<name>Huiwen He</name>
<email>hehuiwen@kylinos.cn</email>
</author>
<published>2026-03-23T09:08:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=34420cb92dbb9e37ff6c6603f4f5e1807db3f1de'/>
<id>urn:sha1:34420cb92dbb9e37ff6c6603f4f5e1807db3f1de</id>
<content type='text'>
The current rule for smb2_mapping_table.c uses `$(call cmd,...)`, which
fails to track command line modifications in the Makefile (e.g., modifying
the command to `perl -d` or `perl -w` for debug will not trigger a rebuild)
and does not generate the required .cmd file for Kbuild.

Fix this by transitioning to the standard `$(call if_changed,...)` macro.
This includes adding the `FORCE` prerequisite and appending the output
file to the `targets` variable so Kbuild can track it properly.

As a result, Kbuild now automatically handles the cleaning of the
generated file, allowing us to safely drop the redundant `clean-files`
assignment.

Fixes: c527e13a7a66 ("cifs: Autogenerate SMB2 error mapping table")
Signed-off-by: Huiwen He &lt;hehuiwen@kylinos.cn&gt;
Reviewed-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb: client: fix generic/694 due to wrong -&gt;i_blocks</title>
<updated>2026-03-19T18:56:25+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2026-03-19T00:43:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=23b5df09c27aec13962b30d32a4167ebdd043f8e'/>
<id>urn:sha1:23b5df09c27aec13962b30d32a4167ebdd043f8e</id>
<content type='text'>
When updating -&gt;i_size, make sure to always update -&gt;i_blocks as well
until we query new allocation size from the server.

generic/694 was failing because smb3_simple_falloc() was missing the
update of -&gt;i_blocks after calling cifs_setsize().  So, fix this by
updating -&gt;i_blocks directly in cifs_setsize(), so all places that
call it don't need to worry about updating -&gt;i_blocks later.

Reported-by: Shyam Prasad N &lt;sprasad@microsoft.com&gt;
Closes: https://lore.kernel.org/r/CANT5p=rqgRwaADB=b_PhJkqXjtfq3SFv41SSTXSVEHnuh871pA@mail.gmail.com
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>cifs: smb1: fix comment typo</title>
<updated>2026-03-17T02:12:40+00:00</updated>
<author>
<name>Joseph Salisbury</name>
<email>joseph.salisbury@oracle.com</email>
</author>
<published>2026-03-17T01:13:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=50bfd2a22b75a904d5900d64530ae1b69a69907c'/>
<id>urn:sha1:50bfd2a22b75a904d5900d64530ae1b69a69907c</id>
<content type='text'>
The file contains a spelling error in a source comment (resposne).

Typos in comments reduce readability and make text searches less reliable
for developers and maintainers.

Replace 'resposne' with 'response' in the affected comment. This is a
comment-only cleanup and does not change behavior.

[v2: Removed Fixes: and Cc: to stable tags.]

Signed-off-by: Joseph Salisbury &lt;joseph.salisbury@oracle.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb: client: fix krb5 mount with username option</title>
<updated>2026-03-16T01:53:09+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2026-03-13T03:03:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=12b4c5d98cd7ca46d5035a57bcd995df614c14e1'/>
<id>urn:sha1:12b4c5d98cd7ca46d5035a57bcd995df614c14e1</id>
<content type='text'>
Customer reported that some of their krb5 mounts were failing against
a single server as the client was trying to mount the shares with
wrong credentials.  It turned out the client was reusing SMB session
from first mount to try mounting the other shares, even though a
different username= option had been specified to the other mounts.

Using the username mount option along with sec=krb5 to search for
principals from keytab is supported by cifs.upcall(8) since
cifs-utils-4.8.  So fix this by matching username mount option in
match_session() even with Kerberos.

For example, the second mount below should fail with -ENOKEY as there
is no 'foobar' principal in keytab (/etc/krb5.keytab).  The client
ends up reusing SMB session from first mount to perform the second
one, which is wrong.

```
$ ktutil
ktutil:  add_entry -password -p testuser -k 1 -e aes256-cts
Password for testuser@ZELDA.TEST:
ktutil:  write_kt /etc/krb5.keytab
ktutil:  quit
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 ---- ----------------------------------------------------------------
   1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
$ mount -t cifs | grep -Po 'username=\K\w+'
testuser
testuser
```

Reported-by: Oscar Santos &lt;ossantos@redhat.com&gt;
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>cifs: make default value of retrans as zero</title>
<updated>2026-03-11T23:46:42+00:00</updated>
<author>
<name>Shyam Prasad N</name>
<email>sprasad@microsoft.com</email>
</author>
<published>2026-03-11T05:18:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e3beefd3af09f8e460ddaf39063d3d7664d7ab59'/>
<id>urn:sha1:e3beefd3af09f8e460ddaf39063d3d7664d7ab59</id>
<content type='text'>
When retrans mount option was introduced, the default value was set
as 1. However, in the light of some bugs that this has exposed recently
we should change it to 0 and retain the old behaviour before this option
was introduced.

Cc: &lt;stable@vger.kernel.org&gt;
Reviewed-by: Bharath SM &lt;bharathsm@microsoft.com&gt;
Signed-off-by: Shyam Prasad N &lt;sprasad@microsoft.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb: client: fix open handle lookup in cifs_open()</title>
<updated>2026-03-11T23:46:40+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2026-03-11T18:00:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=40e75e42f49ca54b4ff41f3edb94f5ef0299140c'/>
<id>urn:sha1:40e75e42f49ca54b4ff41f3edb94f5ef0299140c</id>
<content type='text'>
When looking up open handles to be re-used in cifs_open(), calling
cifs_get_{writable,readable}_path() is wrong as it will look up for
the first matching open handle, and if @file-&gt;f_flags doesn't match,
it will ignore the remaining open handles in
cifsInodeInfo::openFileList that might potentially match
@file-&gt;f_flags.

For writable and readable handles, fix this by calling
__cifs_get_writable_file() and __find_readable_file(), respectively,
with FIND_OPEN_FLAGS set.

With the patch, the following program ends up with two opens instead
of three sent over the wire.

```
  #define _GNU_SOURCE
  #include &lt;unistd.h&gt;
  #include &lt;string.h&gt;
  #include &lt;fcntl.h&gt;

  int main(int argc, char *argv[])
  {
          int fd;

          fd = open("/mnt/1/foo", O_CREAT | O_WRONLY | O_TRUNC, 0664);
          close(fd);
          fd = open("/mnt/1/foo", O_DIRECT | O_WRONLY);
          close(fd);
          fd = open("/mnt/1/foo", O_WRONLY);
          close(fd);
          fd = open("/mnt/1/foo", O_DIRECT | O_WRONLY);
          close(fd);
          return 0;
  }
```

```
$ mount.cifs //srv/share /mnt/1 -o ...
$ gcc test.c &amp;&amp; ./a.out
```

Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb: client: fix iface port assignment in parse_server_interfaces</title>
<updated>2026-03-11T23:46:28+00:00</updated>
<author>
<name>Henrique Carvalho</name>
<email>henrique.carvalho@suse.com</email>
</author>
<published>2026-03-11T23:17:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d4c7210d2f3ea481a6481f03040a64d9077a6172'/>
<id>urn:sha1:d4c7210d2f3ea481a6481f03040a64d9077a6172</id>
<content type='text'>
parse_server_interfaces() initializes interface socket addresses with
CIFS_PORT. When the mount uses a non-default port this overwrites the
configured destination port.

Later, cifs_chan_update_iface() copies this sockaddr into server-&gt;dstaddr,
causing reconnect attempts to use the wrong port after server interface
updates.

Use the existing port from server-&gt;dstaddr instead.

Cc: stable@vger.kernel.org
Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
Tested-by: Dr. Thomas Orgis &lt;thomas.orgis@uni-hamburg.de&gt;
Reviewed-by: Enzo Matsumiya &lt;ematsumiya@suse.de&gt;
Signed-off-by: Henrique Carvalho &lt;henrique.carvalho@suse.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb/client: only export symbol for 'smb2maperror-test' module</title>
<updated>2026-03-10T22:22:04+00:00</updated>
<author>
<name>Ye Bin</name>
<email>yebin10@huawei.com</email>
</author>
<published>2026-03-10T13:08:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=88d37abb366be95d772ceb4c7f26772e78447252'/>
<id>urn:sha1:88d37abb366be95d772ceb4c7f26772e78447252</id>
<content type='text'>
Only export the smb2_get_err_map_test, smb2_error_map_table_test and
smb2_error_map_num symbols for the 'smb2maperror-test' module.

Fixes: 7d0bf050a587 ("smb/client: make SMB2 maperror KUnit tests a separate module")
Signed-off-by: Ye Bin &lt;yebin10@huawei.com&gt;
Reviewed-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
<entry>
<title>smb: client: fix in-place encryption corruption in SMB2_write()</title>
<updated>2026-03-10T22:22:03+00:00</updated>
<author>
<name>Bharath SM</name>
<email>bharathsm@microsoft.com</email>
</author>
<published>2026-03-09T10:30:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d78840a6a38d312dc1a51a65317bb67e46f0b929'/>
<id>urn:sha1:d78840a6a38d312dc1a51a65317bb67e46f0b929</id>
<content type='text'>
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.

The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.

This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.

Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.

Cc: stable@vger.kernel.org #6.3+
Acked-by: Henrique Carvalho &lt;henrique.carvalho@suse.com&gt;
Acked-by: Shyam Prasad N &lt;sprasad@microsoft.com&gt;
Acked-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Signed-off-by: Bharath SM &lt;bharathsm@microsoft.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
</entry>
</feed>
