<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/fs, branch master</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd</title>
<updated>2026-07-04T04:55:34+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-04T04:55:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1e9cdc2ea15adf4a821eefedabf6c0c8cf0b6a55'/>
<id>1e9cdc2ea15adf4a821eefedabf6c0c8cf0b6a55</id>
<content type='text'>
Pull smb server fixes from Steve French:

 - Fix several use-after-free races in durable handle reconnect,
   supersede, and oplock handling

 - Avoid holding the inode oplock lock while waiting for a lease break
   acknowledgement. This removes delays of up to 35 seconds when cifs.ko
   closes a deferred handle in response to a lease break

 - Fix malformed security descriptor handling, including an undersized
   DACL allocation issue and an out-of-bounds ACE SID read

 - Fix memory leaks in security descriptor and DOS attribute xattr
   encoding/decoding error paths

 - Fix outstanding SMB2 credit leaks on aborted requests and correct the
   QUERY_INFO credit charge calculation

 - Fix hard-link creation without replacement being incorrectly rejected
   when the handle lacks DELETE access

 - Avoid unnecessary zeroing of large SMB2 read buffers

 - Add an oplock list lockdep annotation and update the documented
   support status for durable handles and SMB3.1.1 compression

 - Durable handle fixes to address ownership and lifetime races during
   reconnect, session teardown, oplock handling, and superseding opens,
   preventing stale session and file references from being used by
   concurrent operations

* tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix app-instance durable supersede session UAF
  ksmbd: snapshot previous oplock state before durable checks
  ksmbd: close superseded durable handles through refcount handoff
  ksmbd: fix use-after-free of fp-&gt;owner.name in durable handle owner check
  smb/server: do not require delete access for non-replacing links
  ksmbd: don't hold ci-&gt;m_lock while waiting for a lease break ack
  ksmbd: doc: update feature support status for durable handles and compression
  ksmbd: annotate oplock list traversals under m_lock
  ksmbd: fix outstanding credit leak on abort and error paths
  ksmbd: fix credit charge calculation for SMB2 QUERY_INFO
  ksmbd: avoid zeroing the read buffer in smb2_read()
  ksmbd: validate num_subauth when copying ACE in set_ntacl_dacl
  ksmbd: reject undersized DACLs before parsing ACEs
  ksmbd: fix n.data memory leak in ksmbd_vfs_set_dos_attrib_xattr
  ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling
  ksmbd: fix sd_ndr.data memory leak in ksmbd_vfs_set_sd_xattr
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull smb server fixes from Steve French:

 - Fix several use-after-free races in durable handle reconnect,
   supersede, and oplock handling

 - Avoid holding the inode oplock lock while waiting for a lease break
   acknowledgement. This removes delays of up to 35 seconds when cifs.ko
   closes a deferred handle in response to a lease break

 - Fix malformed security descriptor handling, including an undersized
   DACL allocation issue and an out-of-bounds ACE SID read

 - Fix memory leaks in security descriptor and DOS attribute xattr
   encoding/decoding error paths

 - Fix outstanding SMB2 credit leaks on aborted requests and correct the
   QUERY_INFO credit charge calculation

 - Fix hard-link creation without replacement being incorrectly rejected
   when the handle lacks DELETE access

 - Avoid unnecessary zeroing of large SMB2 read buffers

 - Add an oplock list lockdep annotation and update the documented
   support status for durable handles and SMB3.1.1 compression

 - Durable handle fixes to address ownership and lifetime races during
   reconnect, session teardown, oplock handling, and superseding opens,
   preventing stale session and file references from being used by
   concurrent operations

* tag 'v7.2-rc1-smb3-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix app-instance durable supersede session UAF
  ksmbd: snapshot previous oplock state before durable checks
  ksmbd: close superseded durable handles through refcount handoff
  ksmbd: fix use-after-free of fp-&gt;owner.name in durable handle owner check
  smb/server: do not require delete access for non-replacing links
  ksmbd: don't hold ci-&gt;m_lock while waiting for a lease break ack
  ksmbd: doc: update feature support status for durable handles and compression
  ksmbd: annotate oplock list traversals under m_lock
  ksmbd: fix outstanding credit leak on abort and error paths
  ksmbd: fix credit charge calculation for SMB2 QUERY_INFO
  ksmbd: avoid zeroing the read buffer in smb2_read()
  ksmbd: validate num_subauth when copying ACE in set_ntacl_dacl
  ksmbd: reject undersized DACLs before parsing ACEs
  ksmbd: fix n.data memory leak in ksmbd_vfs_set_dos_attrib_xattr
  ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling
  ksmbd: fix sd_ndr.data memory leak in ksmbd_vfs_set_sd_xattr
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6</title>
<updated>2026-07-04T01:01:33+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-04T01:01:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6cf48bfec934834ade6e0f5745f9afdbddbe446d'/>
<id>6cf48bfec934834ade6e0f5745f9afdbddbe446d</id>
<content type='text'>
Pull smb client fixes from Steve French:

 - Credit fix

 - Fix alignment issue in parse_posix_ctxt

 - SID parsing fix

* tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix missing credit release on failure in cifs_issue_read()
  cifs: update internal module version number
  smb: client: use unaligned reads in parse_posix_ctxt()
  smb: client: harden POSIX SID length parsing
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull smb client fixes from Steve French:

 - Credit fix

 - Fix alignment issue in parse_posix_ctxt

 - SID parsing fix

* tag 'v7.2-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix missing credit release on failure in cifs_issue_read()
  cifs: update internal module version number
  smb: client: use unaligned reads in parse_posix_ctxt()
  smb: client: harden POSIX SID length parsing
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-07-03T15:48:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-03T15:48:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5'/>
<id>71dfdfb0209b43dfd6f494f84f5548e4cfd18cb5</id>
<content type='text'>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull vfs fixes from Christian Brauner:

 - netfs:

    - fix the decision when to disallow write-streaming with fscache in
      use, handling of asynchronous cache object creation, a double fput
      in cachefiles, clearing S_KERNEL_FILE without the inode lock held,
      page extraction bugs in the iov_iter helpers (a potential
      underflow, a missing allocation failure check, a memory leak, and
      a folio offset miscalculation), writeback error and ENOMEM
      handling, DIO write retry for filesystems without a
      -&gt;prepare_write() method, and the replacement of the wb_lock mutex
      with a bit lock plus writethrough collection offload so that
      multiple asynchronous writebacks don't interfere with each other.

    - Fix the barriering when walking the netfs subrequest list during
      retries as it was possible to see a subrequest that was just added
      by the application thread.

 - iomap:

    - Change iomap to submit read bios after each extent instead of
      building them up across extents. The old behavior was considered
      problematic for a while and now caused an actual erofs bug.

    - Guard the ioend io_size EOF trim in iomap against underflow when a
      concurrent truncate moves EOF below the start of the ioend,
      wrapping io_size to a huge value.

 - overlayfs

    - Fix a stale overlayfs comment about the locking order.

    - Store the linked-in upper dentry instead of the disconnected
      O_TMPFILE dentry during overlayfs tmpfile copy-up. With a FUSE or
      virtiofs upper layer -&gt;d_revalidate() would try to look up "/" in
      the workdir and fail, causing persistent ESTALE errors that broke
      dpkg and apt.

 - vfs-bpf:

   Have the bpf_real_data_inode() kfunc take a struct file instead of a
   dentry so it is usable from the bprm_check_security, mmap_file, and
   file_mprotect hooks, and rename it from bpf_real_inode() to make the
   data-inode semantics explicit. The kfunc landed this cycle so the
   change is safe.

 - afs:

   NULL pointer dereferences in the callback service and in
   afs_get_tree(), several memory and refcount leaks, missing locking
   around the dynamic root inode numbers and premature cell exposure
   through /afs, a netns destruction hang caused by a misplaced
   increment of net-&gt;cells_outstanding, a bulk lookup malfunction caused
   by the dir_emit() API change, inode (re)initialisation issues, and
   assorted smaller fixes to error codes, seqlock handling, and debug
   output.

 - vfs:

   Refuse O_TMPFILE creation with an unmapped fsuid or fsgid and add a
   selftest for it.

 - vboxsf:

   Add Jori Koolstra as vboxsf maintainer, taking over from Hans de
   Goede.

 - dio:

   Release the pages attached to a short atomic dio bio; the REQ_ATOMIC
   size check error path leaked them.

 - procfs:

   Only bump the parent directory link count when registering
   directories in procfs. Registering regular files inflated the count
   and leaked a link on every create and remove cycle.

 - minix:

   Avoid an unsigned overflow in the minix bitmap block count
   calculation that let crafted images with huge inode or zone counts
   pass superblock validation and crash the kernel during mount.

 - cachefiles:

   Fix a double unlock in the cachefiles nomem_d_alloc error path left
   over from the start_creating() conversion.

 - fat:

   Stop fat from reading directory entries past the 0x00
   end-of-directory marker. If the trailing on-disk slots aren't
   zero-filled the driver surfaced arbitrary garbage as directory
   entries.

 - freexvfs:

   Don't BUG() on unknown typed-extent types in freevxfs, reachable via
   ioctl(FIBMAP) on a crafted image; fail with an I/O error instead.

 - orangefs:

   Keep the readdir entry size 64-bit in orangefs fill_from_part().
   Truncating it to __u32 bypassed the bounds check and led to
   out-of-bounds reads triggerable by the userspace client.

 - xfs:

   Fix the error unwind in xfs_open_devices() which released the rt
   device file twice and left dangling buftarg pointers behind that were
   freed again when the failed mount was torn down.

 - exec:

   Fix an off-by-one in the comment documenting the maximum binfmt
   rewrite depth in exec_binprm(). The code allows five rewrites, not
   four; restricting the code would break userspace so the comment is
   fixed instead.

 - file handles:

   Reject detached mounts in capable_wrt_mount(). A detached mount can
   be dissolved concurrently, leaving a NULL mount namespace that
   open_by_handle_at() would dereference.

* tag 'vfs-7.2-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (57 commits)
  netfs: Fix barriering when walking subrequest list
  iomap: submit read bio after each extent
  fuse: call fuse_send_readpages explicitly from fuse_readahead
  iomap: consolidate bio submission
  fhandle: reject detached mounts in capable_wrt_mount()
  netfs: Fix DIO write retry for filesystems without a -&gt;prepare_write()
  netfs: Fix folio state after ENOMEM whilst under writeback iteration
  netfs: Fix writeback error handling
  netfs: Fix writethrough to use collection offload
  netfs: Replace wb_lock with a bit lock for asynchronicity
  netfs: Fix kdoc warning
  scatterlist: Fix offset in folio calc in extract_xarray_to_sg()
  iov_iter: Remove unused variable in kunit_iov_iter.c
  iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
  iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages()
  iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
  cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE
  cachefiles: Fix double fput
  netfs: Fix netfs_create_write_req() to handle async cache object creation
  netfs: Fix decision whether to disallow write-streaming due to fscache use
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>netfs: Fix barriering when walking subrequest list</title>
<updated>2026-07-03T09:52:41+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-07-02T08:23:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5c6ce05e406520290c1d89da97fb3cd70c09137d'/>
<id>5c6ce05e406520290c1d89da97fb3cd70c09137d</id>
<content type='text'>
Fix the barriering used when walking the subrequest list in retry as
there's a possibility of seeing a subreq that's just been added by the
application thread.

Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Fixes: 288ace2f57c9 ("netfs: New writeback implementation")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/138807.1782980582@warthog.procyon.org.uk
Reviewed-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the barriering used when walking the subrequest list in retry as
there's a possibility of seeing a subreq that's just been added by the
application thread.

Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Fixes: 288ace2f57c9 ("netfs: New writeback implementation")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Link: https://patch.msgid.link/138807.1782980582@warthog.procyon.org.uk
Reviewed-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
cc: Paulo Alcantara &lt;pc@manguebit.org&gt;
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix missing credit release on failure in cifs_issue_read()</title>
<updated>2026-07-02T14:16:03+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2026-07-02T08:25:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c16b8c4cfb4fe2244cc33e469a93c1ab8684146b'/>
<id>c16b8c4cfb4fe2244cc33e469a93c1ab8684146b</id>
<content type='text'>
Fix missing release of credits in the failure path in cifs_issue_read()
lest retrying the subreq just overwrites the credits value.

Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix missing release of credits in the failure path in cifs_issue_read()
lest retrying the subreq just overwrites the credits value.

Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Paulo Alcantara (Red Hat) &lt;pc@manguebit.org&gt;
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: update internal module version number</title>
<updated>2026-07-02T01:19:21+00:00</updated>
<author>
<name>Steve French</name>
<email>stfrench@microsoft.com</email>
</author>
<published>2026-06-19T02:23:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1b7a6da1d617876fbccd98da9bf1c2368e4f9424'/>
<id>1b7a6da1d617876fbccd98da9bf1c2368e4f9424</id>
<content type='text'>
   to 2.60

Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
   to 2.60

Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: use unaligned reads in parse_posix_ctxt()</title>
<updated>2026-07-02T01:19:18+00:00</updated>
<author>
<name>Zihan Xi</name>
<email>xizh2024@lzu.edu.cn</email>
</author>
<published>2026-07-01T10:23:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b86467cd2691192ad4809a5a6e922fc24b8e9839'/>
<id>b86467cd2691192ad4809a5a6e922fc24b8e9839</id>
<content type='text'>
The server controls create-context DataOffset, so the POSIX context data
pointer may be misaligned on strict-alignment architectures. Use
get_unaligned_le32() when reading nlink, reparse_tag, and mode.

Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data")
Cc: stable@vger.kernel.org
Signed-off-by: Zihan Xi &lt;xizh2024@lzu.edu.cn&gt;
Signed-off-by: Ren Wei &lt;n05ec@lzu.edu.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The server controls create-context DataOffset, so the POSIX context data
pointer may be misaligned on strict-alignment architectures. Use
get_unaligned_le32() when reading nlink, reparse_tag, and mode.

Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data")
Cc: stable@vger.kernel.org
Signed-off-by: Zihan Xi &lt;xizh2024@lzu.edu.cn&gt;
Signed-off-by: Ren Wei &lt;n05ec@lzu.edu.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb: client: harden POSIX SID length parsing</title>
<updated>2026-07-02T01:19:15+00:00</updated>
<author>
<name>Zihan Xi</name>
<email>xizh2024@lzu.edu.cn</email>
</author>
<published>2026-06-28T09:19:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7ad2bcf2441430bb2e918fb3ef9a90d775a6e422'/>
<id>7ad2bcf2441430bb2e918fb3ef9a90d775a6e422</id>
<content type='text'>
posix_info_sid_size() reads sid[1] to obtain the subauthority count,
but its existing boundary check still accepts buffers with only one
remaining byte. Require two bytes before reading sid[1] so all client
paths that reuse the helper reject truncated POSIX SIDs safely.

Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan &lt;yuantan098@gmail.com&gt;
Reported-by: Yifan Wu &lt;yifanwucs@gmail.com&gt;
Reported-by: Juefei Pu &lt;tomapufckgml@gmail.com&gt;
Reported-by: Xin Liu &lt;bird@lzu.edu.cn&gt;
Assisted-by: Codex:gpt-5.4
Signed-off-by: Zihan Xi &lt;xizh2024@lzu.edu.cn&gt;
Signed-off-by: Ren Wei &lt;n05ec@lzu.edu.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
posix_info_sid_size() reads sid[1] to obtain the subauthority count,
but its existing boundary check still accepts buffers with only one
remaining byte. Require two bytes before reading sid[1] so all client
paths that reuse the helper reject truncated POSIX SIDs safely.

Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan &lt;yuantan098@gmail.com&gt;
Reported-by: Yifan Wu &lt;yifanwucs@gmail.com&gt;
Reported-by: Juefei Pu &lt;tomapufckgml@gmail.com&gt;
Reported-by: Xin Liu &lt;bird@lzu.edu.cn&gt;
Assisted-by: Codex:gpt-5.4
Signed-off-by: Zihan Xi &lt;xizh2024@lzu.edu.cn&gt;
Signed-off-by: Ren Wei &lt;n05ec@lzu.edu.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iomap: submit read bio after each extent</title>
<updated>2026-07-01T13:26:47+00:00</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2026-06-29T12:17:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c1fb97d31782f5a8c66d127624626accbb0dd8bc'/>
<id>c1fb97d31782f5a8c66d127624626accbb0dd8bc</id>
<content type='text'>
Currently the iomap buffered read path tries to build up read context
(i.e. bios for the typical block based case) over multiple iomaps as
long as the sector matches.  This does not take into account files
that can map to multiple different devices.  While this could be fixed
by a bdev check in iomap_bio_read_folio_range, the building up of I/O
over iomaps actually was a problem for the not yet merged ext2 iomap
port, as that does want to send out I/O at the end of an indirect
block mapped range.

So instead of adding more checks move over to a model where a bio only
spans a single iomap.  Change -&gt;submit_read to be called after each
iteration so that the bio based users submit the bio after each iomap.
Fuse is unchanged because the previous commit stopped using -&gt;submit_read
for it.

Fixes: dfeab2e95a75 ("erofs: add multiple device support")
Reported-by: Kelu Ye &lt;yekelu1@huawei.com&gt;
Reported-by: Yifan Zhao &lt;zhaoyifan28@huawei.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Link: https://patch.msgid.link/20260629121750.3392300-4-hch@lst.de
Tested-by: Yifan Zhao &lt;zhaoyifan28@huawei.com&gt;
Reviewed-by: "Darrick J. Wong" &lt;djwong@kernel.org&gt;
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently the iomap buffered read path tries to build up read context
(i.e. bios for the typical block based case) over multiple iomaps as
long as the sector matches.  This does not take into account files
that can map to multiple different devices.  While this could be fixed
by a bdev check in iomap_bio_read_folio_range, the building up of I/O
over iomaps actually was a problem for the not yet merged ext2 iomap
port, as that does want to send out I/O at the end of an indirect
block mapped range.

So instead of adding more checks move over to a model where a bio only
spans a single iomap.  Change -&gt;submit_read to be called after each
iteration so that the bio based users submit the bio after each iomap.
Fuse is unchanged because the previous commit stopped using -&gt;submit_read
for it.

Fixes: dfeab2e95a75 ("erofs: add multiple device support")
Reported-by: Kelu Ye &lt;yekelu1@huawei.com&gt;
Reported-by: Yifan Zhao &lt;zhaoyifan28@huawei.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Link: https://patch.msgid.link/20260629121750.3392300-4-hch@lst.de
Tested-by: Yifan Zhao &lt;zhaoyifan28@huawei.com&gt;
Reviewed-by: "Darrick J. Wong" &lt;djwong@kernel.org&gt;
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: call fuse_send_readpages explicitly from fuse_readahead</title>
<updated>2026-07-01T13:26:47+00:00</updated>
<author>
<name>Joanne Koong</name>
<email>joannelkoong@gmail.com</email>
</author>
<published>2026-06-29T12:17:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3372eb0384b791faf133806da287819f5bfaad76'/>
<id>3372eb0384b791faf133806da287819f5bfaad76</id>
<content type='text'>
Move the call to fuse_send_readpages from the iomap -&gt;submit_read method
to the fuse readahead implementation.

fuse_read_folio() does not need to call fuse_send_readpages() because it
always does reads synchronously (the iomap-&gt;submit_read method for this
was a no-op since data-&gt;ia is always NULL for fuse_read_folio()).

This prepares for an iomap fix that will call -&gt;submit_read after each
iomap.

Signed-off-by: Joanne Koong &lt;joannelkoong@gmail.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Link: https://patch.msgid.link/20260629121750.3392300-3-hch@lst.de
Reviewed-by: "Darrick J. Wong" &lt;djwong@kernel.org&gt;
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move the call to fuse_send_readpages from the iomap -&gt;submit_read method
to the fuse readahead implementation.

fuse_read_folio() does not need to call fuse_send_readpages() because it
always does reads synchronously (the iomap-&gt;submit_read method for this
was a no-op since data-&gt;ia is always NULL for fuse_read_folio()).

This prepares for an iomap fix that will call -&gt;submit_read after each
iomap.

Signed-off-by: Joanne Koong &lt;joannelkoong@gmail.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Link: https://patch.msgid.link/20260629121750.3392300-3-hch@lst.de
Reviewed-by: "Darrick J. Wong" &lt;djwong@kernel.org&gt;
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
