Re: [PATCH 6.6.y v2 0/3] ksmbd: validate owner of durable handle on reconnect
From: Sasha Levin
Date: Mon May 25 2026 - 11:37:27 EST
On Mon, May 25, 2026 at 06:38:58PM +0800, Alva Lan wrote:
> This series backports three upstream commits to the 6.6.y stable branch
> to address CVE-2026-31717.
>
> Upstream commits:
> - 098c0ac3808c ("ksmbd: avoid reclaiming expired durable opens by the client")
> - 894947e0736d ("ksmbd: add durable scavenger timer")
> - 49110a8ce654 ("ksmbd: validate owner of durable handle on reconnect")
Two notes before this can be queued:
1. The short SHAs in the cover letter for patches 1 and 2 do not resolve
in mainline. The correct upstream SHAs are 520da3c488c5 ("ksmbd:
avoid reclaiming expired durable opens by the client") and
d484d621d40f ("ksmbd: add durable scavenger timer"). Please fix the
cover letter on the next spin.
2. More importantly, this series adds the durable scavenger
(d484d621d40f) without its critical follow-up bf736184d063d ("ksmbd:
close durable scavenger races against m_fp_list lookups", Fixes:
d484d621d40f). That follow-up closes two KASAN-validated bugs in
the scavenger code: an fp->node list-head reuse that corrupts
f_ci->m_fp_list via list_add(&fp->node, &scavenger_list), and a
refcount race between scavenger qualification under global_ft.lock
and m_fp_list walkers that races to a UAF. Please include
bf736184d063d in the next revision so we are not knowingly queuing
the scavenger with these races still open.
Also, given the patches are authored by Namjae, an Acked-by from him
on the 6.6.y adaptation would be helpful before I pick this up.
--
Thanks,
Sasha