[PATCH 6.6.y v2 0/3] ksmbd: validate owner of durable handle on reconnect

[Alva Lan]

v1-v2: add two prerequisite commits

This series backports three upstream commits to the 6.6.y stable branch
to address CVE-2026-31717.

The vulnerability allows any authenticated user to hijack an orphaned
durable file handle by predicting or brute-forcing the persistent ID.

Patch 1 and 2 are prerequisites that add proper durable handle lifecycle
management (scavenger timer and expiration handling). Patch 3 is the
actual security fix that adds owner identity (UID, GID, account name)
tracking to durable handles and validates it during SMB2_CREATE (DHnC)
reconnect, per the MS-SMB2 specification.

Upstream commits:
- 098c0ac3808c ("ksmbd: avoid reclaiming expired durable opens by the client")
- 894947e0736d ("ksmbd: add durable scavenger timer")
- 49110a8ce654 ("ksmbd: validate owner of durable handle on reconnect")

Testing:
- Build tested: all modified files compile cleanly on x86_64 with
  CONFIG_SMB_SERVER=y
- Boot tested: kernel boots and ksmbd serves shares normally
- Functional test (Python SMB2 client with DHnC create contexts):
  1. Legitimate owner (user_a) can reconnect to own durable handle (PASS)
  2. Different user (user_b) is rejected when attempting DHnC reconnect
     with user_a's persistent file ID (PASS - STATUS_OBJECT_NAME_NOT_FOUND)
- Regression test (smbclient): basic file operations, concurrent sessions,
  sequential cross-user access, and authentication all work correctly
  (11/11 PASS)

Thanks,

Namjae Jeon (3):
  ksmbd: avoid reclaiming expired durable opens by the client
  ksmbd: add durable scavenger timer
  ksmbd: validate owner of durable handle on reconnect

 fs/smb/server/mgmt/user_session.c |  10 +-
 fs/smb/server/oplock.c            |   7 +
 fs/smb/server/oplock.h            |   1 +
 fs/smb/server/server.c            |   1 +
 fs/smb/server/server.h            |   1 +
 fs/smb/server/smb2pdu.c           |   5 +-
 fs/smb/server/smb2pdu.h           |   2 +
 fs/smb/server/vfs_cache.c         | 259 ++++++++++++++++++++++++++++--
 fs/smb/server/vfs_cache.h         |  15 +-
 9 files changed, 279 insertions(+), 22 deletions(-)

-- 
2.43.0