This is a note to let you know that I've just added the patch titled
ksmbd: fix racy issue from session setup and logoff
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ksmbd-fix-racy-issue-from-session-setup-and-logoff.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From linkinjeon@xxxxxxxxx Mon Dec 18 16:40:04 2023
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Tue, 19 Dec 2023 00:33:48 +0900
Subject: ksmbd: fix racy issue from session setup and logoff
To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Cc: smfrench@xxxxxxxxx, Namjae Jeon <linkinjeon@xxxxxxxxxx>, zdi-disclosures@xxxxxxxxxxxxxx, Steve French <stfrench@xxxxxxxxxxxxx>
Message-ID: <20231218153454.8090-89-linkinjeon@xxxxxxxxxx>
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
[ Upstream commit f5c779b7ddbda30866cf2a27c63e34158f858c73 ]
This racy issue is triggered by sending concurrent session setup and
logoff requests. This patch does not set connection status as
KSMBD_SESS_GOOD if state is KSMBD_SESS_NEED_RECONNECT in session setup.
And relookup session to validate if session is deleted in logoff.
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: zdi-disclosures@xxxxxxxxxxxxxx # ZDI-CAN-20481, ZDI-CAN-20590, ZDI-CAN-20596
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ksmbd/connection.c | 14 ++++----
fs/ksmbd/connection.h | 39 ++++++++++++++-----------
fs/ksmbd/mgmt/user_session.c | 1
fs/ksmbd/server.c | 3 +
fs/ksmbd/smb2pdu.c | 67 +++++++++++++++++++++++++++----------------
fs/ksmbd/transport_tcp.c | 2 -
6 files changed, 77 insertions(+), 49 deletions(-)
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -56,7 +56,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void
return NULL;
conn->need_neg = true;
- conn->status = KSMBD_SESS_NEW;
+ ksmbd_conn_set_new(conn);
conn->local_nls = load_nls("utf8");
if (!conn->local_nls)
conn->local_nls = load_nls_default();
@@ -147,12 +147,12 @@ int ksmbd_conn_try_dequeue_request(struc
return ret;
}
-static void ksmbd_conn_lock(struct ksmbd_conn *conn)
+void ksmbd_conn_lock(struct ksmbd_conn *conn)
{
mutex_lock(&conn->srv_mutex);
}
-static void ksmbd_conn_unlock(struct ksmbd_conn *conn)
+void ksmbd_conn_unlock(struct ksmbd_conn *conn)
{
mutex_unlock(&conn->srv_mutex);
}
@@ -243,7 +243,7 @@ bool ksmbd_conn_alive(struct ksmbd_conn
if (!ksmbd_server_running())
return false;
- if (conn->status == KSMBD_SESS_EXITING)
+ if (ksmbd_conn_exiting(conn))
return false;
if (kthread_should_stop())
@@ -303,7 +303,7 @@ int ksmbd_conn_handler_loop(void *p)
pdu_size = get_rfc1002_len(hdr_buf);
ksmbd_debug(CONN, "RFC1002 header %u bytes\n", pdu_size);
- if (conn->status == KSMBD_SESS_GOOD)
+ if (ksmbd_conn_good(conn))
max_allowed_pdu_size =
SMB3_MAX_MSGSIZE + conn->vals->max_write_size;
else
@@ -312,7 +312,7 @@ int ksmbd_conn_handler_loop(void *p)
if (pdu_size > max_allowed_pdu_size) {
pr_err_ratelimited("PDU length(%u) exceeded maximum allowed pdu size(%u) on connection(%d)\n",
pdu_size, max_allowed_pdu_size,
- conn->status);
+ READ_ONCE(conn->status));
break;
}
@@ -417,7 +417,7 @@ again:
if (task)
ksmbd_debug(CONN, "Stop session handler %s/%d\n",
task->comm, task_pid_nr(task));
- conn->status = KSMBD_SESS_EXITING;
+ ksmbd_conn_set_exiting(conn);
if (t->ops->shutdown) {
read_unlock(&conn_list_lock);
t->ops->shutdown(t);
--- a/fs/ksmbd/connection.h
+++ b/fs/ksmbd/connection.h
@@ -162,6 +162,8 @@ void ksmbd_conn_init_server_callbacks(st
int ksmbd_conn_handler_loop(void *p);
int ksmbd_conn_transport_init(void);
void ksmbd_conn_transport_destroy(void);
+void ksmbd_conn_lock(struct ksmbd_conn *conn);
+void ksmbd_conn_unlock(struct ksmbd_conn *conn);
/*
* WARNING
@@ -169,43 +171,48 @@ void ksmbd_conn_transport_destroy(void);
* This is a hack. We will move status to a proper place once we land
* a multi-sessions support.
*/
-static inline bool ksmbd_conn_good(struct ksmbd_work *work)
+static inline bool ksmbd_conn_good(struct ksmbd_conn *conn)
{
- return work->conn->status == KSMBD_SESS_GOOD;
+ return READ_ONCE(conn->status) == KSMBD_SESS_GOOD;
}
-static inline bool ksmbd_conn_need_negotiate(struct ksmbd_work *work)
+static inline bool ksmbd_conn_need_negotiate(struct ksmbd_conn *conn)
{
- return work->conn->status == KSMBD_SESS_NEED_NEGOTIATE;
+ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE;
}
-static inline bool ksmbd_conn_need_reconnect(struct ksmbd_work *work)
+static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn)
{
- return work->conn->status == KSMBD_SESS_NEED_RECONNECT;
+ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT;
}
-static inline bool ksmbd_conn_exiting(struct ksmbd_work *work)
+static inline bool ksmbd_conn_exiting(struct ksmbd_conn *conn)
{
- return work->conn->status == KSMBD_SESS_EXITING;
+ return READ_ONCE(conn->status) == KSMBD_SESS_EXITING;
}
-static inline void ksmbd_conn_set_good(struct ksmbd_work *work)
+static inline void ksmbd_conn_set_new(struct ksmbd_conn *conn)
{
- work->conn->status = KSMBD_SESS_GOOD;
+ WRITE_ONCE(conn->status, KSMBD_SESS_NEW);
}
-static inline void ksmbd_conn_set_need_negotiate(struct ksmbd_work *work)
+static inline void ksmbd_conn_set_good(struct ksmbd_conn *conn)
{
- work->conn->status = KSMBD_SESS_NEED_NEGOTIATE;
+ WRITE_ONCE(conn->status, KSMBD_SESS_GOOD);
}
-static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_work *work)
+static inline void ksmbd_conn_set_need_negotiate(struct ksmbd_conn *conn)
{
- work->conn->status = KSMBD_SESS_NEED_RECONNECT;
+ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE);
}
-static inline void ksmbd_conn_set_exiting(struct ksmbd_work *work)
+static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn)
{
- work->conn->status = KSMBD_SESS_EXITING;
+ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT);
+}
+
+static inline void ksmbd_conn_set_exiting(struct ksmbd_conn *conn)
+{
+ WRITE_ONCE(conn->status, KSMBD_SESS_EXITING);
}
#endif /* __CONNECTION_H__ */
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -315,6 +315,7 @@ static struct ksmbd_session *__session_c
if (ksmbd_init_file_table(&sess->file_table))
goto error;
+ sess->state = SMB2_SESSION_IN_PROGRESS;
set_session_flag(sess, protocol);
xa_init(&sess->tree_conns);
xa_init(&sess->ksmbd_chann_list);
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -93,7 +93,8 @@ static inline int check_conn_state(struc
{
struct smb_hdr *rsp_hdr;
- if (ksmbd_conn_exiting(work) || ksmbd_conn_need_reconnect(work)) {
+ if (ksmbd_conn_exiting(work->conn) ||
+ ksmbd_conn_need_reconnect(work->conn)) {
rsp_hdr = work->response_buf;
rsp_hdr->Status.CifsError = STATUS_CONNECTION_DISCONNECTED;
return 1;
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -265,7 +265,7 @@ int init_smb2_neg_rsp(struct ksmbd_work
rsp = smb2_get_msg(work->response_buf);
- WARN_ON(ksmbd_conn_good(work));
+ WARN_ON(ksmbd_conn_good(conn));
rsp->StructureSize = cpu_to_le16(65);
ksmbd_debug(SMB, "conn->dialect 0x%x\n", conn->dialect);
@@ -295,7 +295,7 @@ int init_smb2_neg_rsp(struct ksmbd_work
rsp->SecurityMode |= SMB2_NEGOTIATE_SIGNING_REQUIRED_LE;
conn->use_spnego = true;
- ksmbd_conn_set_need_negotiate(work);
+ ksmbd_conn_set_need_negotiate(conn);
return 0;
}
@@ -574,7 +574,7 @@ int smb2_check_user_session(struct ksmbd
cmd == SMB2_SESSION_SETUP_HE)
return 0;
- if (!ksmbd_conn_good(work))
+ if (!ksmbd_conn_good(conn))
return -EIO;
sess_id = le64_to_cpu(req_hdr->SessionId);
@@ -625,7 +625,7 @@ static void destroy_previous_session(str
prev_sess->state = SMB2_SESSION_EXPIRED;
xa_for_each(&prev_sess->ksmbd_chann_list, index, chann)
- chann->conn->status = KSMBD_SESS_EXITING;
+ ksmbd_conn_set_exiting(chann->conn);
}
/**
@@ -1081,7 +1081,7 @@ int smb2_handle_negotiate(struct ksmbd_w
ksmbd_debug(SMB, "Received negotiate request\n");
conn->need_neg = false;
- if (ksmbd_conn_good(work)) {
+ if (ksmbd_conn_good(conn)) {
pr_err("conn->tcp_status is already in CifsGood State\n");
work->send_no_response = 1;
return rc;
@@ -1236,7 +1236,7 @@ int smb2_handle_negotiate(struct ksmbd_w
}
conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode);
- ksmbd_conn_set_need_negotiate(work);
+ ksmbd_conn_set_need_negotiate(conn);
err_out:
if (rc < 0)
@@ -1658,6 +1658,7 @@ int smb2_sess_setup(struct ksmbd_work *w
rsp->SecurityBufferLength = 0;
inc_rfc1001_len(work->response_buf, 9);
+ ksmbd_conn_lock(conn);
if (!req->hdr.SessionId) {
sess = ksmbd_smb2_session_create();
if (!sess) {
@@ -1705,6 +1706,12 @@ int smb2_sess_setup(struct ksmbd_work *w
goto out_err;
}
+ if (ksmbd_conn_need_reconnect(conn)) {
+ rc = -EFAULT;
+ sess = NULL;
+ goto out_err;
+ }
+
if (ksmbd_session_lookup(conn, sess_id)) {
rc = -EACCES;
goto out_err;
@@ -1729,12 +1736,20 @@ int smb2_sess_setup(struct ksmbd_work *w
rc = -ENOENT;
goto out_err;
}
+
+ if (sess->state == SMB2_SESSION_EXPIRED) {
+ rc = -EFAULT;
+ goto out_err;
+ }
+
+ if (ksmbd_conn_need_reconnect(conn)) {
+ rc = -EFAULT;
+ sess = NULL;
+ goto out_err;
+ }
}
work->sess = sess;
- if (sess->state == SMB2_SESSION_EXPIRED)
- sess->state = SMB2_SESSION_IN_PROGRESS;
-
negblob_off = le16_to_cpu(req->SecurityBufferOffset);
negblob_len = le16_to_cpu(req->SecurityBufferLength);
if (negblob_off < offsetof(struct smb2_sess_setup_req, Buffer) ||
@@ -1764,8 +1779,10 @@ int smb2_sess_setup(struct ksmbd_work *w
goto out_err;
}
- ksmbd_conn_set_good(work);
- sess->state = SMB2_SESSION_VALID;
+ if (!ksmbd_conn_need_reconnect(conn)) {
+ ksmbd_conn_set_good(conn);
+ sess->state = SMB2_SESSION_VALID;
+ }
kfree(sess->Preauth_HashValue);
sess->Preauth_HashValue = NULL;
} else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
@@ -1787,8 +1804,10 @@ int smb2_sess_setup(struct ksmbd_work *w
if (rc)
goto out_err;
- ksmbd_conn_set_good(work);
- sess->state = SMB2_SESSION_VALID;
+ if (!ksmbd_conn_need_reconnect(conn)) {
+ ksmbd_conn_set_good(conn);
+ sess->state = SMB2_SESSION_VALID;
+ }
if (conn->binding) {
struct preauth_session *preauth_sess;
@@ -1856,14 +1875,13 @@ out_err:
if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
try_delay = true;
- xa_erase(&conn->sessions, sess->id);
- ksmbd_session_destroy(sess);
- work->sess = NULL;
+ sess->state = SMB2_SESSION_EXPIRED;
if (try_delay)
ssleep(5);
}
}
+ ksmbd_conn_unlock(conn);
return rc;
}
@@ -2087,21 +2105,24 @@ int smb2_session_logoff(struct ksmbd_wor
{
struct ksmbd_conn *conn = work->conn;
struct smb2_logoff_rsp *rsp = smb2_get_msg(work->response_buf);
- struct ksmbd_session *sess = work->sess;
+ struct ksmbd_session *sess;
+ struct smb2_logoff_req *req = smb2_get_msg(work->request_buf);
rsp->StructureSize = cpu_to_le16(4);
inc_rfc1001_len(work->response_buf, 4);
ksmbd_debug(SMB, "request\n");
- /* setting CifsExiting here may race with start_tcp_sess */
- ksmbd_conn_set_need_reconnect(work);
+ ksmbd_conn_set_need_reconnect(conn);
ksmbd_close_session_fds(work);
ksmbd_conn_wait_idle(conn);
+ /*
+ * Re-lookup session to validate if session is deleted
+ * while waiting request complete
+ */
+ sess = ksmbd_session_lookup(conn, le64_to_cpu(req->hdr.SessionId));
if (ksmbd_tree_conn_session_logoff(sess)) {
- struct smb2_logoff_req *req = smb2_get_msg(work->request_buf);
-
ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
smb2_set_err_rsp(work);
@@ -2113,9 +2134,7 @@ int smb2_session_logoff(struct ksmbd_wor
ksmbd_free_user(sess->user);
sess->user = NULL;
-
- /* let start_tcp_sess free connection info now */
- ksmbd_conn_set_need_negotiate(work);
+ ksmbd_conn_set_need_negotiate(conn);
return 0;
}
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -333,7 +333,7 @@ static int ksmbd_tcp_readv(struct tcp_tr
if (length == -EINTR) {
total_read = -ESHUTDOWN;
break;
- } else if (conn->status == KSMBD_SESS_NEED_RECONNECT) {
+ } else if (ksmbd_conn_need_reconnect(conn)) {
total_read = -EAGAIN;
break;
} else if (length == -ERESTARTSYS || length == -EAGAIN) {
Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxx are
queue-5.15/ksmbd-fix-uaf-issue-from-opinfo-conn.patch
queue-5.15/ksmbd-fix-race-condition-from-parallel-smb2-lock-requests.patch
queue-5.15/ksmbd-validate-session-id-and-tree-id-in-compound-request.patch
queue-5.15/ksmbd-reorganize-ksmbd_iov_pin_rsp.patch
queue-5.15/ksmbd-convert-to-use-sysfs_emit-sysfs_emit_at-apis.patch
queue-5.15/ksmbd-validate-length-in-smb2_write.patch
queue-5.15/ksmbd-add-support-for-key-exchange.patch
queue-5.15/ksmbd-request-update-to-stale-share-config.patch
queue-5.15/ksmbd-remove-generic_fillattr-use-in-smb2_open.patch
queue-5.15/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
queue-5.15/ksmbd-set-smb2_session_flag_encrypt_data-when-enforcing-data-encryption-for-this-share.patch
queue-5.15/ksmbd-constify-struct-path.patch
queue-5.15/ksmbd-casefold-utf-8-share-names-and-fix-ascii-lowercase-conversion.patch
queue-5.15/ksmbd-validate-smb-request-protocol-id.patch
queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
queue-5.15/ksmbd-release-interim-response-after-sending-status-pending-response.patch
queue-5.15/ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch
queue-5.15/ksmbd-fix-out-of-bounds-read-in-smb2_sess_setup.patch
queue-5.15/ksmbd-decrease-the-number-of-smb3-smbdirect-server-sges.patch
queue-5.15/ksmbd-make-utf-8-file-name-comparison-work-in-__caseless_lookup.patch
queue-5.15/ksmbd-use-f_setlk-when-unlocking-a-file.patch
queue-5.15/fs-introduce-lock_rename_child-helper.patch
queue-5.15/ksmbd-use-kzalloc-instead-of-__gfp_zero.patch
queue-5.15/ksmbd-set-ntlmssp_negotiate_seal-flag-to-challenge-blob.patch
queue-5.15/ksmbd-call-ib_drain_qp-when-disconnected.patch
queue-5.15/ksmbd-fix-posix_acls-and-acls-dereferencing-possible-err_ptr.patch
queue-5.15/ksmbd-destroy-expired-sessions.patch
queue-5.15/ksmbd-fix-resource-leak-in-smb2_lock.patch
queue-5.15/ksmbd-check-iov-vector-index-in-ksmbd_conn_write.patch
queue-5.15/ksmbd-hide-socket-error-message-when-ipv6-config-is-disable.patch
queue-5.15/ksmbd-use-netif_is_bridge_port.patch
queue-5.15/ksmbd-smbd-simplify-tracking-pending-packets.patch
queue-5.15/ksmbd-implements-sess-rpc_handle_list-as-xarray.patch
queue-5.15/ksmbd-remove-duplicate-flag-set-in-smb2_write.patch
queue-5.15/ksmbd-separately-allocate-ci-per-dentry.patch
queue-5.15/ksmbd-fix-racy-issue-from-session-setup-and-logoff.patch
queue-5.15/ksmbd-fix-race-condition-between-session-lookup-and-expire.patch
queue-5.15/ksmbd-fix-wrong-smbd-max-read-write-size-check.patch
queue-5.15/ksmbd-replace-usage-of-found-with-dedicated-list-iterator-variable.patch
queue-5.15/ksmbd-add-support-for-surrogate-pair-conversion.patch
queue-5.15/ksmbd-reduce-server-smbdirect-max-send-receive-segment-sizes.patch
queue-5.15/ksmbd-fix-force-create-mode-and-force-directory-mode.patch
queue-5.15/ksmbd-remove-unneeded-mark_inode_dirty-in-set_info_sec.patch
queue-5.15/ksmbd-fix-potential-double-free-on-smb2_read_pipe-error-path.patch
queue-5.15/ksmbd-remove-unused-ksmbd_tree_conn_share-function.patch
queue-5.15/ksmbd-block-asynchronous-requests-when-making-a-delay-on-session-setup.patch
queue-5.15/ksmbd-call-putname-after-using-the-last-component.patch
queue-5.15/ksmbd-don-t-open-code-file_path.patch
queue-5.15/ksmbd-fix-passing-freed-memory-aux_payload_buf.patch
queue-5.15/ksmbd-fill-sids-in-smb_find_file_posix_info-response.patch
queue-5.15/ksmbd-don-t-open-code-pd.patch
queue-5.15/ksmbd-shorten-experimental-warning-on-loading-the-module.patch
queue-5.15/ksmbd-remove-filename-in-ksmbd_file.patch
queue-5.15/ksmbd-move-oplock-handling-after-unlock-parent-dir.patch
queue-5.15/ksmbd-fix-race-condition-between-tree-conn-lookup-and-disconnect.patch
queue-5.15/ksmbd-smbd-introduce-read-write-credits-for-rdma-read-write.patch
queue-5.15/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch
queue-5.15/ksmbd-fix-recursive-locking-in-vfs-helpers.patch
queue-5.15/ksmbd-fix-some-kernel-doc-comments.patch
queue-5.15/ksmbd-use-struct_size-helper-in-ksmbd_negotiate_smb_dialect.patch
queue-5.15/ksmbd-smbd-relax-the-count-of-sges-required.patch
queue-5.15/ksmbd-fix-wrong-error-response-status-by-using-set_smb2_rsp_status.patch
queue-5.15/ksmbd-fix-spelling-mistake-excceed-exceeded.patch
queue-5.15/ksmbd-fix-null-pointer-dereferences-in-ksmbd_update_fstate.patch
queue-5.15/ksmbd-fix-encryption-failure-issue-for-session-logoff-response.patch
queue-5.15/ksmbd-prevent-memory-leak-on-error-return.patch
queue-5.15/ksmbd-fix-racy-issue-from-using-d_parent-and-d_name.patch
queue-5.15/ksmbd-change-security-id-to-the-one-samba-used-for-posix-extension.patch
queue-5.15/ksmbd-handle-malformed-smb1-message.patch
queue-5.15/ksmbd-don-t-update-op_state-as-oplock_state_none-on-error.patch
queue-5.15/ksmbd-smbd-fix-connection-dropped-issue.patch
queue-5.15/ksmbd-fix-racy-issue-from-smb2-close-and-logoff-with-multichannel.patch
queue-5.15/ksmbd-change-the-return-value-of-ksmbd_vfs_query_maximal_access-to-void.patch
queue-5.15/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch
queue-5.15/ksmbd-replace-one-element-array-with-flexible-array-member.patch
queue-5.15/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
queue-5.15/ksmbd-replace-one-element-arrays-with-flexible-array-members.patch
queue-5.15/ksmbd-fix-unsigned-expression-compared-with-zero.patch
queue-5.15/ksmbd-implements-sess-ksmbd_chann_list-as-xarray.patch
queue-5.15/ksmbd-set-file-permission-mode-to-match-samba-server-posix-extension-behavior.patch
queue-5.15/ksmbd-fix-wrong-interim-response-on-compound.patch
queue-5.15/ksmbd-return-invalid-parameter-error-response-if-smb2-request-is-invalid.patch
queue-5.15/ksmbd-smbd-validate-buffer-descriptor-structures.patch
queue-5.15/ksmbd-fix-missing-rdma-capable-flag-for-ipoib-device-in-ksmbd_rdma_capable_netdev.patch
queue-5.15/ksmbd-send-proper-error-response-in-smb2_tree_connect.patch
queue-5.15/ksmbd-set-negotiatecontextcount-once-instead-of-every-inc.patch
queue-5.15/ksmbd-fix-typo-syncronous-synchronous.patch
queue-5.15/ksmbd-validate-share-name-from-share-config-response.patch
queue-5.15/ksmbd-fix-possible-deadlock-in-smb2_open.patch
queue-5.15/ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch
queue-5.15/ksmbd-add-missing-calling-smb2_set_err_rsp-on-error.patch
queue-5.15/ksmbd-remove-unused-ksmbd_share_configs_cleanup-function.patch
queue-5.15/ksmbd-fix-out-of-bound-read-in-parse_lease_state.patch
queue-5.15/ksmbd-remove-duplicated-codes.patch
queue-5.15/ksmbd-remove-a-redundant-zeroing-of-memory.patch
queue-5.15/ksmbd-change-leasekey-data-type-to-u8-array.patch
queue-5.15/ksmbd-add-support-for-read-compound.patch
queue-5.15/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_setxattr.patch
queue-5.15/ksmbd-remove-unused-compression-negotiate-ctx-packing.patch
queue-5.15/ksmbd-switch-to-use-kmemdup_nul-helper.patch
queue-5.15/ksmbd-fix-race-condition-from-parallel-smb2-logoff-requests.patch
queue-5.15/ksmbd-fix-out-of-bound-read-in-deassemble_neg_contexts.patch
queue-5.15/ksmbd-remove-unnecessary-generic_fillattr-in-smb2_open.patch
queue-5.15/ksmbd-avoid-duplicate-negotiate-ctx-offset-increments.patch
queue-5.15/ksmbd-remove-experimental-warning.patch
queue-5.15/ksmbd-return-a-literal-instead-of-err-in-ksmbd_vfs_kern_path_locked.patch
queue-5.15/ksmbd-smbd-change-prototypes-of-rdma-read-write-related-functions.patch
queue-5.15/ksmbd-fix-out-of-bounds-in-init_smb2_rsp_hdr.patch
queue-5.15/ksmbd-fix-possible-memory-leak-in-smb2_lock.patch
queue-5.15/ksmbd-remove-unused-field-in-ksmbd_user-struct.patch
queue-5.15/ksmbd-fix-one-kernel-doc-comment.patch
queue-5.15/ksmbd-no-need-to-wait-for-binded-connection-termination-at-logoff.patch
queue-5.15/ksmbd-fix-race-condition-with-fp.patch
queue-5.15/ksmbd-fix-wrong-signingkey-creation-when-encryption-is-aes256.patch
queue-5.15/ksmbd-update-kconfig-to-note-kerberos-support-and-fix-indentation.patch
queue-5.15/ksmbd-move-setting-smb2_flags_async_command-and-asyncid.patch
queue-5.15/smb3-fix-ksmbd-bigendian-bug-in-oplock-break-and-move-its-struct-to-smbfs_common.patch
queue-5.15/ksmbd-store-fids-as-opaque-u64-integers.patch
queue-5.15/ksmbd-delete-asynchronous-work-from-list.patch
queue-5.15/ksmbd-use-kvzalloc-instead-of-kvmalloc.patch
queue-5.15/ksmbd-smbd-change-the-return-value-of-get_sg_list.patch
queue-5.15/ksmbd-add-missing-compound-request-handing-in-some-commands.patch
queue-5.15/ksmbd-remove-unused-is_char_allowed-function.patch
queue-5.15/ksmbd-use-oid-registry-functions-to-decode-oids.patch
queue-5.15/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_kern_path_locked.patch
queue-5.15/ksmbd-use-wait_event-instead-of-schedule_timeout.patch
queue-5.15/ksmbd-check-if-a-mount-point-is-crossed-during-path-lookup.patch
queue-5.15/ksmbd-replace-the-ternary-conditional-operator-with-min.patch
