Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.22 2026-03-25T10:10:33+00:00 2026-03-25T10:10:33+00:00 Thorsten Blum thorsten.blum@linux.dev 2026-03-18T13:14:44+00:00 urn:sha1:407cc37c21d51f9b9d4d20204b04890880cfa6ae [ Upstream commit 441336115df26b966575de56daf7107ed474faed ] When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() log the session, signing, encryption, and decryption key bytes. Remove the logs to avoid exposing credentials. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> [ Context ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-03-19T15:08:50+00:00 Eric Biggers ebiggers@kernel.org 2026-03-10T19:52:14+00:00 urn:sha1:93c0a22fec914ec4b697e464895a0f594e29fb28 commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream. To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq(). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-09-30T02:21:23+00:00 Eric Biggers ebiggers@kernel.org 2025-09-07T03:20:03+00:00 urn:sha1:8e979aab34d766986f6d14f50cebf5f5dd87ab8e fs/smb/common/cifs_arc4.c has an implementation of ARC4, but a copy of this same code is also present in lib/crypto/arc4.c to serve the other users of this legacy algorithm in the kernel. Remove the duplicate implementation in fs/smb/, which seems to have been added because of a misunderstanding, and just use the lib/crypto/ one. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2025-05-26T03:54:50+00:00 Eric Biggers ebiggers@google.com 2025-05-14T04:50:34+00:00 urn:sha1:eb21736021865112f8e1bec20fe55f995bc4e771 ksmbd_gen_sd_hash() does not support any other algorithm, so the crypto_shash abstraction provides no value. Just use the SHA-256 library API instead, which is much simpler and easier to use. Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2025-04-25T23:22:01+00:00 Sean Heelan seanheelan@gmail.com 2025-04-19T18:59:28+00:00 urn:sha1:e86e9134e1d1c90a960dd57f59ce574d27b9a124 Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan <seanheelan@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2025-04-01T05:04:21+00:00 Namjae Jeon linkinjeon@kernel.org 2025-03-27T12:22:51+00:00 urn:sha1:fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. Cc: stable@vger.kernel.org Reported-by: Sean Heelan <seanheelan@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2025-03-28T00:12:00+00:00 Miaoqian Lin linmq006@gmail.com 2025-03-18T12:12:34+00:00 urn:sha1:6171063e9d046ffa46f51579b2ca4a43caef581a Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Miaoqian Lin <linmq006@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-12-10T23:48:06+00:00 Namjae Jeon linkinjeon@kernel.org 2024-12-05T12:38:47+00:00 urn:sha1:b95629435b84b9ecc0c765995204a4d8a913ed52 Increment the session reference count within the lock for lookup to avoid racy issue with session expire. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25737 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-11-26T00:58:02+00:00 Namjae Jeon linkinjeon@kernel.org 2024-11-22T07:33:25+00:00 urn:sha1:0066f623bce8f98b69b752ee03d46a5047c281b8 Prefer to report ENOMEM rather than incur the oom for allocations in ksmbd. __GFP_NORETRY could not achieve that, It would fail the allocations just too easily. __GFP_RETRY_MAYFAIL will keep retrying the allocation until there is no more progress and fail the allocation instead go OOM and let the caller to deal with it. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> 2024-10-11T16:02:14+00:00 Namjae Jeon linkinjeon@kernel.org 2024-10-09T01:39:16+00:00 urn:sha1:a77e0e02af1c2db5fc040511aa78a58a52e116ab Even though system user has a supplementary group, It gets NT_STATUS_ACCESS_DENIED when attempting to create file or directory. This patch add KSMBD_EVENT_LOGIN_REQUEST_EXT/RESPONSE_EXT netlink events to get supplementary groups list. The new netlink event doesn't break backward compatibility when using old ksmbd-tools. Co-developed-by: Atte Heikkilä <atteh.mailbox@gmail.com> Signed-off-by: Atte Heikkilä <atteh.mailbox@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>