<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/fs/smb/client, branch v6.14</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>smb: client: don't retry IO on failed negprotos with soft mounts</title>
<updated>2025-03-17T22:33:13+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.com</email>
</author>
<published>2025-03-17T19:39:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7643dbd9db09fffebb4a62cd27599f17f4148b17'/>
<id>7643dbd9db09fffebb4a62cd27599f17f4148b17</id>
<content type='text'>
If @server-&gt;tcpStatus is set to CifsNeedReconnect after acquiring
@ses-&gt;session_mutex in smb2_reconnect() or cifs_reconnect_tcon(), it
means that a concurrent thread failed to negotiate, in which case the
server is no longer responding to any SMB requests, so there is no
point making the caller retry the IO by returning -EAGAIN.

Fix this by returning -EHOSTDOWN to the callers on soft mounts.

Cc: David Howells &lt;dhowells@redhat.com&gt;
Reported-by: Jay Shin &lt;jaeshin@redhat.com&gt;
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If @server-&gt;tcpStatus is set to CifsNeedReconnect after acquiring
@ses-&gt;session_mutex in smb2_reconnect() or cifs_reconnect_tcon(), it
means that a concurrent thread failed to negotiate, in which case the
server is no longer responding to any SMB requests, so there is no
point making the caller retry the IO by returning -EAGAIN.

Fix this by returning -EHOSTDOWN to the callers on soft mounts.

Cc: David Howells &lt;dhowells@redhat.com&gt;
Reported-by: Jay Shin &lt;jaeshin@redhat.com&gt;
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: Fix match_session bug preventing session reuse</title>
<updated>2025-03-13T13:41:28+00:00</updated>
<author>
<name>Henrique Carvalho</name>
<email>henrique.carvalho@suse.com</email>
</author>
<published>2025-03-11T18:23:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=605b249ea96770ac4fac4b8510a99e0f8442be5e'/>
<id>605b249ea96770ac4fac4b8510a99e0f8442be5e</id>
<content type='text'>
Fix a bug in match_session() that can causes the session to not be
reused in some cases.

Reproduction steps:

mount.cifs //server/share /mnt/a -o credentials=creds
mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
cat /proc/fs/cifs/DebugData | grep SessionId | wc -l

mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
mount.cifs //server/share /mnt/a -o credentials=creds
cat /proc/fs/cifs/DebugData | grep SessionId | wc -l

Cc: stable@vger.kernel.org
Reviewed-by: Enzo Matsumiya &lt;ematsumiya@suse.de&gt;
Signed-off-by: Henrique Carvalho &lt;henrique.carvalho@suse.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix a bug in match_session() that can causes the session to not be
reused in some cases.

Reproduction steps:

mount.cifs //server/share /mnt/a -o credentials=creds
mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
cat /proc/fs/cifs/DebugData | grep SessionId | wc -l

mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
mount.cifs //server/share /mnt/a -o credentials=creds
cat /proc/fs/cifs/DebugData | grep SessionId | wc -l

Cc: stable@vger.kernel.org
Reviewed-by: Enzo Matsumiya &lt;ematsumiya@suse.de&gt;
Signed-off-by: Henrique Carvalho &lt;henrique.carvalho@suse.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix integer overflow while processing closetimeo mount option</title>
<updated>2025-03-13T13:41:28+00:00</updated>
<author>
<name>Murad Masimov</name>
<email>m.masimov@mt-integration.ru</email>
</author>
<published>2025-03-11T14:22:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d5a30fddfe2f2e540f6c43b59cf701809995faef'/>
<id>d5a30fddfe2f2e540f6c43b59cf701809995faef</id>
<content type='text'>
User-provided mount parameter closetimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5efdd9122eff ("smb3: allow deferred close timeout to be configurable")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
User-provided mount parameter closetimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5efdd9122eff ("smb3: allow deferred close timeout to be configurable")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix integer overflow while processing actimeo mount option</title>
<updated>2025-03-13T13:41:28+00:00</updated>
<author>
<name>Murad Masimov</name>
<email>m.masimov@mt-integration.ru</email>
</author>
<published>2025-03-11T14:22:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=64f690ee22c99e16084e0e45181b2a1eed2fa149'/>
<id>64f690ee22c99e16084e0e45181b2a1eed2fa149</id>
<content type='text'>
User-provided mount parameter actimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 6d20e8406f09 ("cifs: add attribute cache timeout (actimeo) tunable")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
User-provided mount parameter actimeo of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 6d20e8406f09 ("cifs: add attribute cache timeout (actimeo) tunable")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix integer overflow while processing acdirmax mount option</title>
<updated>2025-03-13T13:41:27+00:00</updated>
<author>
<name>Murad Masimov</name>
<email>m.masimov@mt-integration.ru</email>
</author>
<published>2025-03-11T14:22:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5b29891f91dfb8758baf1e2217bef4b16b2b165b'/>
<id>5b29891f91dfb8758baf1e2217bef4b16b2b165b</id>
<content type='text'>
User-provided mount parameter acdirmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 4c9f948142a5 ("cifs: Add new mount parameter "acdirmax" to allow caching directory metadata")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
User-provided mount parameter acdirmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 4c9f948142a5 ("cifs: Add new mount parameter "acdirmax" to allow caching directory metadata")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix integer overflow while processing acregmax mount option</title>
<updated>2025-03-13T13:41:27+00:00</updated>
<author>
<name>Murad Masimov</name>
<email>m.masimov@mt-integration.ru</email>
</author>
<published>2025-03-11T14:22:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7489161b1852390b4413d57f2457cd40b34da6cc'/>
<id>7489161b1852390b4413d57f2457cd40b34da6cc</id>
<content type='text'>
User-provided mount parameter acregmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
User-provided mount parameter acregmax of type u32 is intended to have
an upper limit, but before it is validated, the value is converted from
seconds to jiffies which can lead to an integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout")
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: fix regression with guest option</title>
<updated>2025-03-13T13:40:24+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.com</email>
</author>
<published>2025-03-12T13:51:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fc99045effa81fdf509c2a97cbb7e6e8f2fd4443'/>
<id>fc99045effa81fdf509c2a97cbb7e6e8f2fd4443</id>
<content type='text'>
When mounting a CIFS share with 'guest' mount option, mount.cifs(8)
will set empty password= and password2= options.  Currently we only
handle empty strings from user= and password= options, so the mount
will fail with

	cifs: Bad value for 'password2'

Fix this by handling empty string from password2= option as well.

Link: https://bbs.archlinux.org/viewtopic.php?id=303927
Reported-by: Adam Williamson &lt;awilliam@redhat.com&gt;
Closes: https://lore.kernel.org/r/83c00b5fea81c07f6897a5dd3ef50fd3b290f56c.camel@redhat.com
Fixes: 35f834265e0d ("smb3: fix broken reconnect when password changing on the server by allowing password rotation")
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When mounting a CIFS share with 'guest' mount option, mount.cifs(8)
will set empty password= and password2= options.  Currently we only
handle empty strings from user= and password= options, so the mount
will fail with

	cifs: Bad value for 'password2'

Fix this by handling empty string from password2= option as well.

Link: https://bbs.archlinux.org/viewtopic.php?id=303927
Reported-by: Adam Williamson &lt;awilliam@redhat.com&gt;
Closes: https://lore.kernel.org/r/83c00b5fea81c07f6897a5dd3ef50fd3b290f56c.camel@redhat.com
Fixes: 35f834265e0d ("smb3: fix broken reconnect when password changing on the server by allowing password rotation")
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: fix incorrect validation for num_aces field of smb_acl</title>
<updated>2025-03-03T04:50:54+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2025-02-12T00:37:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=aa2a739a75ab6f24ef72fb3fdb9192c081eacf06'/>
<id>aa2a739a75ab6f24ef72fb3fdb9192c081eacf06</id>
<content type='text'>
parse_dcal() validate num_aces to allocate ace array.

f (num_aces &gt; ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has -&gt;size field to calculate actual number of aces in response buffer
size. Use this to check invalid num_aces.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
parse_dcal() validate num_aces to allocate ace array.

f (num_aces &gt; ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has -&gt;size field to calculate actual number of aces in response buffer
size. Use this to check invalid num_aces.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: common: change the data type of num_aces to le16</title>
<updated>2025-03-03T04:50:54+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2025-02-12T14:26:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d'/>
<id>62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d</id>
<content type='text'>
2.4.5 in [MS-DTYP].pdf describe the data type of num_aces as le16.

AceCount (2 bytes): An unsigned 16-bit integer that specifies the count
of the number of ACE records in the ACL.

Change it to le16 and add reserved field to smb_acl struct.

Reported-by: Igor Leite Ladessa &lt;igor-ladessa@hotmail.com&gt;
Tested-by: Igor Leite Ladessa &lt;igor-ladessa@hotmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
2.4.5 in [MS-DTYP].pdf describe the data type of num_aces as le16.

AceCount (2 bytes): An unsigned 16-bit integer that specifies the count
of the number of ACE records in the ACL.

Change it to le16 and add reserved field to smb_acl struct.

Reported-by: Igor Leite Ladessa &lt;igor-ladessa@hotmail.com&gt;
Tested-by: Igor Leite Ladessa &lt;igor-ladessa@hotmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix the smb1 readv callback to correctly call netfs</title>
<updated>2025-02-26T00:35:23+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2025-02-25T22:25:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=66cb85c441cd9c44b193ff75b4d0358fccdc6b9c'/>
<id>66cb85c441cd9c44b193ff75b4d0358fccdc6b9c</id>
<content type='text'>
Fix cifs_readv_callback() to call netfs_read_subreq_terminated() rather
than queuing the subrequest work item (which is unset).  Also call the
I/O progress tracepoint.

cc: Jeff Layton &lt;jlayton@kernel.org&gt;
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item")
Reported-by: Jean-Christophe Guillain &lt;jean-christophe@guillain.net&gt;
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219793
Tested-by: Jean-Christophe Guillain &lt;jean-christophe@guillain.net&gt;
Tested-by: Pali Rohár &lt;pali@kernel.org&gt;
Reviewed-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix cifs_readv_callback() to call netfs_read_subreq_terminated() rather
than queuing the subrequest work item (which is unset).  Also call the
I/O progress tracepoint.

cc: Jeff Layton &lt;jlayton@kernel.org&gt;
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item")
Reported-by: Jean-Christophe Guillain &lt;jean-christophe@guillain.net&gt;
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219793
Tested-by: Jean-Christophe Guillain &lt;jean-christophe@guillain.net&gt;
Tested-by: Pali Rohár &lt;pali@kernel.org&gt;
Reviewed-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
