<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/fs/smb/client, branch v6.17</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>smb: client: fix wrong index reference in smb2_compound_op()</title>
<updated>2025-09-26T14:45:16+00:00</updated>
<author>
<name>Sang-Heon Jeon</name>
<email>ekffu200098@gmail.com</email>
</author>
<published>2025-09-23T08:16:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fbe2dc6a9c7318f7263f5e4d50f6272b931c5756'/>
<id>fbe2dc6a9c7318f7263f5e4d50f6272b931c5756</id>
<content type='text'>
In smb2_compound_op(), the loop that processes each command's response
uses wrong indices when accessing response bufferes.

This incorrect indexing leads to improper handling of command results.
Also, if incorrectly computed index is greather than or equal to
MAX_COMPOUND, it can cause out-of-bounds accesses.

Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
Reviewed-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Signed-off-by: Sang-Heon Jeon &lt;ekffu200098@gmail.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In smb2_compound_op(), the loop that processes each command's response
uses wrong indices when accessing response bufferes.

This incorrect indexing leads to improper handling of command results.
Also, if incorrectly computed index is greather than or equal to
MAX_COMPOUND, it can cause out-of-bounds accesses.

Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
Reviewed-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Signed-off-by: Sang-Heon Jeon &lt;ekffu200098@gmail.com&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: handle unlink(2) of files open by different clients</title>
<updated>2025-09-22T00:36:27+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2025-09-19T17:13:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1cf9f2a6a544288516a7b9e883a48eba6246bcf2'/>
<id>1cf9f2a6a544288516a7b9e883a48eba6246bcf2</id>
<content type='text'>
In order to identify whether a certain file is open by a different
client, start the unlink process by sending a compound request of
CREATE(DELETE_ON_CLOSE) + CLOSE with only FILE_SHARE_DELETE bit set in
smb2_create_req::ShareAccess.  If the file is currently open, then the
server will fail the request with STATUS_SHARING_VIOLATION, in which
case we'll map it to -EBUSY, so __cifs_unlink() will fall back to
silly-rename the file.

This fixes the following case where open(O_CREAT) fails with
-ENOENT (STATUS_DELETE_PENDING) due to file still open by a different
client.

* Before patch

$ mount.cifs //srv/share /mnt/1 -o ...,nosharesock
$ mount.cifs //srv/share /mnt/2 -o ...,nosharesock
$ cd /mnt/1
$ touch foo
$ exec 3&lt;&gt;foo
$ cd /mnt/2
$ rm foo
$ touch foo
touch: cannot touch 'foo': No such file or directory
$ exec 3&gt;&amp;-

* After patch

$ mount.cifs //srv/share /mnt/1 -o ...,nosharesock
$ mount.cifs //srv/share /mnt/2 -o ...,nosharesock
$ cd /mnt/1
$ touch foo
$ exec 3&lt;&gt;foo
$ cd /mnt/2
$ rm foo
$ touch foo
$ exec 3&gt;&amp;-

Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In order to identify whether a certain file is open by a different
client, start the unlink process by sending a compound request of
CREATE(DELETE_ON_CLOSE) + CLOSE with only FILE_SHARE_DELETE bit set in
smb2_create_req::ShareAccess.  If the file is currently open, then the
server will fail the request with STATUS_SHARING_VIOLATION, in which
case we'll map it to -EBUSY, so __cifs_unlink() will fall back to
silly-rename the file.

This fixes the following case where open(O_CREAT) fails with
-ENOENT (STATUS_DELETE_PENDING) due to file still open by a different
client.

* Before patch

$ mount.cifs //srv/share /mnt/1 -o ...,nosharesock
$ mount.cifs //srv/share /mnt/2 -o ...,nosharesock
$ cd /mnt/1
$ touch foo
$ exec 3&lt;&gt;foo
$ cd /mnt/2
$ rm foo
$ touch foo
touch: cannot touch 'foo': No such file or directory
$ exec 3&gt;&amp;-

* After patch

$ mount.cifs //srv/share /mnt/1 -o ...,nosharesock
$ mount.cifs //srv/share /mnt/2 -o ...,nosharesock
$ cd /mnt/1
$ touch foo
$ exec 3&lt;&gt;foo
$ cd /mnt/2
$ rm foo
$ touch foo
$ exec 3&gt;&amp;-

Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path</title>
<updated>2025-09-18T21:46:04+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2025-09-18T01:06:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=daac51c7032036a0ca5f1aa419ad1b0471d1c6e0'/>
<id>daac51c7032036a0ca5f1aa419ad1b0471d1c6e0</id>
<content type='text'>
During tests of another unrelated patch I was able to trigger this
error: Objects remaining on __kmem_cache_shutdown()

Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
During tests of another unrelated patch I was able to trigger this
error: Objects remaining on __kmem_cache_shutdown()

Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: fix file open check in __cifs_unlink()</title>
<updated>2025-09-18T21:37:59+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2025-09-18T15:30:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=251090e2c2c1be60607d1c521af2c993f04d4f61'/>
<id>251090e2c2c1be60607d1c521af2c993f04d4f61</id>
<content type='text'>
Fix the file open check to decide whether or not silly-rename the file
in SMB2+.

Fixes: c5ea3065586d ("smb: client: fix data loss due to broken rename(2)")
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the file open check to decide whether or not silly-rename the file
in SMB2+.

Fixes: c5ea3065586d ("smb: client: fix data loss due to broken rename(2)")
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: let smbd_destroy() call disable_work_sync(&amp;info-&gt;post_send_credits_work)</title>
<updated>2025-09-18T01:33:44+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2025-08-12T11:03:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d9dcbbcf9145b68aa85c40947311a6907277e097'/>
<id>d9dcbbcf9145b68aa85c40947311a6907277e097</id>
<content type='text'>
In smbd_destroy() we may destroy the memory so we better
wait until post_send_credits_work is no longer pending
and will never be started again.

I actually just hit the case using rxe:

WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]
...
[ 5305.686979] [    T138]  smbd_post_recv+0x445/0xc10 [cifs]
[ 5305.687135] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687149] [    T138]  ? __kasan_check_write+0x14/0x30
[ 5305.687185] [    T138]  ? __pfx_smbd_post_recv+0x10/0x10 [cifs]
[ 5305.687329] [    T138]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 5305.687356] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687368] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687378] [    T138]  ? _raw_spin_unlock_irqrestore+0x11/0x60
[ 5305.687389] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687399] [    T138]  ? get_receive_buffer+0x168/0x210 [cifs]
[ 5305.687555] [    T138]  smbd_post_send_credits+0x382/0x4b0 [cifs]
[ 5305.687701] [    T138]  ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]
[ 5305.687855] [    T138]  ? __pfx___schedule+0x10/0x10
[ 5305.687865] [    T138]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 5305.687875] [    T138]  ? queue_delayed_work_on+0x8e/0xa0
[ 5305.687889] [    T138]  process_one_work+0x629/0xf80
[ 5305.687908] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687917] [    T138]  ? __kasan_check_write+0x14/0x30
[ 5305.687933] [    T138]  worker_thread+0x87f/0x1570
...

It means rxe_post_recv was called after rdma_destroy_qp().
This happened because put_receive_buffer() was triggered
by ib_drain_qp() and called:
queue_work(info-&gt;workqueue, &amp;info-&gt;post_send_credits_work);

Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In smbd_destroy() we may destroy the memory so we better
wait until post_send_credits_work is no longer pending
and will never be started again.

I actually just hit the case using rxe:

WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]
...
[ 5305.686979] [    T138]  smbd_post_recv+0x445/0xc10 [cifs]
[ 5305.687135] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687149] [    T138]  ? __kasan_check_write+0x14/0x30
[ 5305.687185] [    T138]  ? __pfx_smbd_post_recv+0x10/0x10 [cifs]
[ 5305.687329] [    T138]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 5305.687356] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687368] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687378] [    T138]  ? _raw_spin_unlock_irqrestore+0x11/0x60
[ 5305.687389] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687399] [    T138]  ? get_receive_buffer+0x168/0x210 [cifs]
[ 5305.687555] [    T138]  smbd_post_send_credits+0x382/0x4b0 [cifs]
[ 5305.687701] [    T138]  ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]
[ 5305.687855] [    T138]  ? __pfx___schedule+0x10/0x10
[ 5305.687865] [    T138]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 5305.687875] [    T138]  ? queue_delayed_work_on+0x8e/0xa0
[ 5305.687889] [    T138]  process_one_work+0x629/0xf80
[ 5305.687908] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687917] [    T138]  ? __kasan_check_write+0x14/0x30
[ 5305.687933] [    T138]  worker_thread+0x87f/0x1570
...

It means rxe_post_recv was called after rdma_destroy_qp().
This happened because put_receive_buffer() was triggered
by ib_drain_qp() and called:
queue_work(info-&gt;workqueue, &amp;info-&gt;post_send_credits_work);

Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: use disable[_delayed]_work_sync in smbdirect.c</title>
<updated>2025-09-18T01:33:44+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2025-08-12T10:58:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bac28f604c7699727b2fecf14c3a54668bbe458e'/>
<id>bac28f604c7699727b2fecf14c3a54668bbe458e</id>
<content type='text'>
This makes it safer during the disconnect and avoids
requeueing.

It's ok to call disable[delayed_]work[_sync]() more than once.

Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 050b8c374019 ("smbd: Make upper layer decide when to destroy the transport")
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This makes it safer during the disconnect and avoids
requeueing.

It's ok to call disable[delayed_]work[_sync]() more than once.

Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 050b8c374019 ("smbd: Make upper layer decide when to destroy the transport")
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: fix filename matching of deferred files</title>
<updated>2025-09-18T01:33:44+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2025-09-17T19:03:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=93ed9a2951308db374cba4562533dde97bac70d3'/>
<id>93ed9a2951308db374cba4562533dde97bac70d3</id>
<content type='text'>
Fix the following case where the client would end up closing both
deferred files (foo.tmp &amp; foo) after unlink(foo) due to strstr() call
in cifs_close_deferred_file_under_dentry():

  fd1 = openat(AT_FDCWD, "foo", O_WRONLY|O_CREAT|O_TRUNC, 0666);
  fd2 = openat(AT_FDCWD, "foo.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666);
  close(fd1);
  close(fd2);
  unlink("foo");

Fixes: e3fc065682eb ("cifs: Deferred close performance improvements")
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: Enzo Matsumiya &lt;ematsumiya@suse.de&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the following case where the client would end up closing both
deferred files (foo.tmp &amp; foo) after unlink(foo) due to strstr() call
in cifs_close_deferred_file_under_dentry():

  fd1 = openat(AT_FDCWD, "foo", O_WRONLY|O_CREAT|O_TRUNC, 0666);
  fd2 = openat(AT_FDCWD, "foo.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666);
  close(fd1);
  close(fd2);
  unlink("foo");

Fixes: e3fc065682eb ("cifs: Deferred close performance improvements")
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: Enzo Matsumiya &lt;ematsumiya@suse.de&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: let recv_done verify data_offset, data_length and remaining_data_length</title>
<updated>2025-09-18T01:33:44+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2025-09-10T09:49:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f57e53ea252363234f86674db475839e5b87102e'/>
<id>f57e53ea252363234f86674db475839e5b87102e</id>
<content type='text'>
This is inspired by the related server fixes.

Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Reviewed-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is inspired by the related server fixes.

Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: Long Li &lt;longli@microsoft.com&gt;
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Reviewed-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: fix data loss due to broken rename(2)</title>
<updated>2025-09-09T23:39:58+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2025-09-08T00:24:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c5ea3065586d790ea5193a679b85585173d59866'/>
<id>c5ea3065586d790ea5193a679b85585173d59866</id>
<content type='text'>
Rename of open files in SMB2+ has been broken for a very long time,
resulting in data loss as the CIFS client would fail the rename(2)
call with -ENOENT and then removing the target file.

Fix this by implementing -&gt;rename_pending_delete() for SMB2+, which
will rename busy files to random filenames (e.g. silly rename) during
unlink(2) or rename(2), and then marking them to delete-on-close.

Besides, introduce a FIND_WR_NO_PENDING_DELETE flag to prevent open(2)
from reusing open handles that had been marked as delete pending.
Handle it in cifs_get_readable_path() as well.

Reported-by: Jean-Baptiste Denis &lt;jbdenis@pasteur.fr&gt;
Closes: https://marc.info/?i=16aeb380-30d4-4551-9134-4e7d1dc833c0@pasteur.fr
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Cc: Olga Kornievskaia &lt;okorniev@redhat.com&gt;
Cc: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Cc: Scott Mayhew &lt;smayhew@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Rename of open files in SMB2+ has been broken for a very long time,
resulting in data loss as the CIFS client would fail the rename(2)
call with -ENOENT and then removing the target file.

Fix this by implementing -&gt;rename_pending_delete() for SMB2+, which
will rename busy files to random filenames (e.g. silly rename) during
unlink(2) or rename(2), and then marking them to delete-on-close.

Besides, introduce a FIND_WR_NO_PENDING_DELETE flag to prevent open(2)
from reusing open handles that had been marked as delete pending.
Handle it in cifs_get_readable_path() as well.

Reported-by: Jean-Baptiste Denis &lt;jbdenis@pasteur.fr&gt;
Closes: https://marc.info/?i=16aeb380-30d4-4551-9134-4e7d1dc833c0@pasteur.fr
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Cc: Frank Sorenson &lt;sorenson@redhat.com&gt;
Cc: Olga Kornievskaia &lt;okorniev@redhat.com&gt;
Cc: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Cc: Scott Mayhew &lt;smayhew@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: fix compound alignment with encryption</title>
<updated>2025-09-09T22:30:11+00:00</updated>
<author>
<name>Paulo Alcantara</name>
<email>pc@manguebit.org</email>
</author>
<published>2025-09-07T00:19:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=90f7c100d2dd99d5cd5be950d553edd2647e6cc8'/>
<id>90f7c100d2dd99d5cd5be950d553edd2647e6cc8</id>
<content type='text'>
The encryption layer can't handle the padding iovs, so flatten the
compound request into a single buffer with required padding to prevent
the server from dropping the connection when finding unaligned
compound requests.

Fixes: bc925c1216f0 ("smb: client: improve compound padding in encryption")
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The encryption layer can't handle the padding iovs, so flatten the
compound request into a single buffer with required padding to prevent
the server from dropping the connection when finding unaligned
compound requests.

Fixes: bc925c1216f0 ("smb: client: improve compound padding in encryption")
Signed-off-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
Reviewed-by: David Howells &lt;dhowells@redhat.com&gt;
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
