Memory safety (use-after-free, double-free)
Description
The commit bundles fixes for memory-safety vulnerabilities in the ksmbd SMB server (smbdirect path and related code). The primary issues addressed are memory-corruption risks such as use-after-free and double-free in the SMB Direct path (e.g., handling and ownership of request objects in smbdirect_send paths, and the flow where a request is moved to a batch and should not be freed), as well as a use-after-free in the close path for durable/async operations. Additional changes address a potential crypto-message use-after-free, a memory leak in session setup, validation improvements (EA name length), and safer handling of related FSCC structures to reduce the risk of out-of-bounds or invalid memory access. Overall, these changes are aimed at mitigating memory-safety defects that could lead to crashes or code execution, rather than pure functionality changes.
Commit Details
Author: Linus Torvalds
Date: 2026-04-16 02:14 UTC
Message:
Merge tag 'v7.1-rc-part1-ksmbd-srv-fixes' of git://git.samba.org/ksmbd
Pull smb server updates from Steve French:
- smbdirect double free fixes
- Add some smbdirect logging
- Minor cleanup in crypto, and smbdirect and in IPC handling
- Minor cleanup to move header info to common FSCC code
- Fix crypt message use after free
- Fix memory leak in session setup
- Fix for DACL parsing
- Fix EA name length validation
- Reconnect fix
- Fix use after free in close
* tag 'v7.1-rc-part1-ksmbd-srv-fixes' of git://git.samba.org/ksmbd:
smb: smbdirect: add some logging to SMBDIRECT_CHECK_STATUS_{WARN,DISCONNECT}()
smb: smbdirect: introduce smbdirect_socket.logging infrastructure
smb: smbdirect: let smbdirect.h include #include <linux/types.h>
smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()
ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
ksmbd: require 3 sub-authorities before reading sub_auth[2]
ksmbd: validate EaNameLength in smb2_get_ea()
ksmbd: Remove unnecessary selection of CRYPTO_ECB
ksmbd: validate owner of durable handle on reconnect
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
ksmbd: ipc: use kzalloc_flex and __counted_by
smb: move filesystem_vol_info into common/fscc.h
smb: move file_basic_info into common/fscc.h
smb: move some definitions from common/smb2pdu.h into common/fscc.h
Triage Assessment
Vulnerability Type: Memory safety (use-after-free, double-free)
Confidence: HIGH
Reasoning:
Commit message and code changes indicate fixes for memory safety issues (double free and use-after-free) in smbdirect and related crypto handling, along with related validation fixes (EA name length, reconnect owner). These are classic memory corruption/security fixes (RCE via use-after-free/double-free, information disclosure via leaks mitigated).
Verification Assessment
Vulnerability Type: Memory safety (use-after-free, double-free)
Confidence: HIGH
Affected Versions: v7.0-rc6 and earlier (baseline for this patch, before this v7.1-rc-part1 ksmbd-srv-fixes merge)
Code Diff
diff --git a/fs/smb/client/smb1pdu.h b/fs/smb/client/smb1pdu.h
index 97f7e1244a8b3b..7584e94d9b2bfa 100644
--- a/fs/smb/client/smb1pdu.h
+++ b/fs/smb/client/smb1pdu.h
@@ -2061,15 +2061,6 @@ typedef struct {
__le32 EASize;
} __packed FILE_INFO_STANDARD; /* level 1 SetPath/FileInfo */
-typedef struct {
- __le64 CreationTime;
- __le64 LastAccessTime;
- __le64 LastWriteTime;
- __le64 ChangeTime;
- __le32 Attributes;
- __u32 Pad;
-} __packed FILE_BASIC_INFO; /* size info, level 0x101 */
-
struct file_allocation_info {
__le64 AllocationSize; /* Note old Samba srvr rounds this up too much */
} __packed; /* size used on disk, for level 0x103 for set, 0x105 for query */
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 5188218c25be42..59d7418cc48063 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -6147,8 +6147,8 @@ SMB2_QFS_attr(const unsigned int xid, struct cifs_tcon *tcon,
max_len = sizeof(struct smb3_fs_ss_info);
min_len = sizeof(struct smb3_fs_ss_info);
} else if (level == FS_VOLUME_INFORMATION) {
- max_len = sizeof(struct smb3_fs_vol_info) + MAX_VOL_LABEL_LEN;
- min_len = sizeof(struct smb3_fs_vol_info);
+ max_len = sizeof(struct filesystem_vol_info) + MAX_VOL_LABEL_LEN;
+ min_len = sizeof(struct filesystem_vol_info);
} else {
cifs_dbg(FYI, "Invalid qfsinfo level %d\n", level);
return -EINVAL;
@@ -6203,9 +6203,9 @@ SMB2_QFS_attr(const unsigned int xid, struct cifs_tcon *tcon,
tcon->perf_sector_size =
le32_to_cpu(ss_info->PhysicalBytesPerSectorForPerf);
} else if (level == FS_VOLUME_INFORMATION) {
- struct smb3_fs_vol_info *vol_info = (struct smb3_fs_vol_info *)
+ struct filesystem_vol_info *vol_info = (struct filesystem_vol_info *)
(offset + (char *)rsp);
- tcon->vol_serial_number = vol_info->VolumeSerialNumber;
+ tcon->vol_serial_number = le32_to_cpu(vol_info->VolumeSerialNumber);
tcon->vol_create_time = vol_info->VolumeCreationTime;
}
diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
index c79304012b08c3..46165810501331 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -1551,17 +1551,25 @@ static int smbd_post_send_iter(struct smbdirect_socket *sc,
rc = smbd_post_send(sc, batch, request);
if (!rc) {
+ /*
+ * From here request is moved to batch
+ * and we should not free it explicitly.
+ */
+
if (batch != &_batch)
return 0;
rc = smbd_send_batch_flush(sc, batch, true);
if (!rc)
return 0;
+
+ goto err_flush;
}
err_dma:
smbd_free_send_io(request);
+err_flush:
err_alloc:
atomic_inc(&sc->send_io.credits.count);
wake_up(&sc->send_io.credits.wait_queue);
diff --git a/fs/smb/common/fscc.h b/fs/smb/common/fscc.h
index 0123f34db1e891..b4ccddca925656 100644
--- a/fs/smb/common/fscc.h
+++ b/fs/smb/common/fscc.h
@@ -12,6 +12,220 @@
#ifndef _COMMON_SMB_FSCC_H
#define _COMMON_SMB_FSCC_H
+/* Reparse structures - see MS-FSCC 2.1.2 */
+
+/* struct fsctl_reparse_info_req is empty, only response structs (see below) */
+struct reparse_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __u8 DataBuffer[]; /* Variable Length */
+} __packed;
+
+struct reparse_guid_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __u8 ReparseGuid[16];
+ __u8 DataBuffer[]; /* Variable Length */
+} __packed;
+
+struct reparse_mount_point_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __u8 PathBuffer[]; /* Variable Length */
+} __packed;
+
+#define SYMLINK_FLAG_RELATIVE 0x00000001
+
+struct reparse_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le16 SubstituteNameOffset;
+ __le16 SubstituteNameLength;
+ __le16 PrintNameOffset;
+ __le16 PrintNameLength;
+ __le32 Flags;
+ __u8 PathBuffer[]; /* Variable Length */
+} __packed;
+
+/* For IO_REPARSE_TAG_NFS - see MS-FSCC 2.1.2.6 */
+#define NFS_SPECFILE_LNK 0x00000000014B4E4C
+#define NFS_SPECFILE_CHR 0x0000000000524843
+#define NFS_SPECFILE_BLK 0x00000000004B4C42
+#define NFS_SPECFILE_FIFO 0x000000004F464946
+#define NFS_SPECFILE_SOCK 0x000000004B434F53
+struct reparse_nfs_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le64 InodeType; /* NFS_SPECFILE_* */
+ __u8 DataBuffer[];
+} __packed;
+
+/* For IO_REPARSE_TAG_LX_SYMLINK - see MS-FSCC 2.1.2.7 */
+struct reparse_wsl_symlink_data_buffer {
+ __le32 ReparseTag;
+ __le16 ReparseDataLength;
+ __u16 Reserved;
+ __le32 Version; /* Always 2 */
+ __u8 Target[]; /* Variable Length UTF-8 string without nul-term */
+} __packed;
+
+/* See MS-FSCC 2.3.7 */
+struct duplicate_extents_to_file {
+ __u64 PersistentFileHandle; /* source file handle, opaque endianness */
+ __u64 VolatileFileHandle;
+ __le64 SourceFileOffset;
+ __le64 TargetFileOffset;
+ __le64 ByteCount; /* Bytes to be copied */
+} __packed;
+
+/* See MS-FSCC 2.3.9 */
+#define DUPLICATE_EXTENTS_DATA_EX_SOURCE_ATOMIC 0x00000001
+struct duplicate_extents_to_file_ex {
+ __le64 StructureSize; /* MUST be set to 0x30 */
+ __u64 PersistentFileHandle; /* source file handle, opaque endianness */
+ __u64 VolatileFileHandle;
+ __le64 SourceFileOffset;
+ __le64 TargetFileOffset;
+ __le64 ByteCount; /* Bytes to be copied */
+ __le32 Flags;
+ __le32 Reserved;
+} __packed;
+
+/* See MS-FSCC 2.3.20 */
+struct fsctl_get_integrity_information_rsp {
+ __le16 ChecksumAlgorithm;
+ __le16 Reserved;
+ __le32 Flags;
+ __le32 ChecksumChunkSizeInBytes;
+ __le32 ClusterSizeInBytes;
+} __packed;
+
+/* See MS-FSCC 2.3.52 */
+struct file_allocated_range_buffer {
+ __le64 file_offset;
+ __le64 length;
+} __packed;
+
+/* See MS-FSCC 2.3.55 */
+struct fsctl_query_file_regions_req {
+ __le64 FileOffset;
+ __le64 Length;
+ __le32 DesiredUsage;
+ __le32 Reserved;
+} __packed;
+
+/* DesiredUsage flags see MS-FSCC 2.3.56.1 */
+#define FILE_USAGE_INVALID_RANGE 0x00000000
+#define FILE_USAGE_VALID_CACHED_DATA 0x00000001
+#define FILE_USAGE_NONCACHED_DATA 0x00000002
+struct file_region_info {
+ __le64 FileOffset;
+ __le64 Length;
+ __le32 DesiredUsage;
+ __le32 Reserved;
+} __packed;
+
+/* See MS-FSCC 2.3.56 */
+struct fsctl_query_file_region_rsp {
+ __le32 Flags;
+ __le32 TotalRegionEntryCount;
+ __le32 RegionEntryCount;
+ __u32 Reserved;
+ struct file_region_info Regions[];
+} __packed;
+
+/* See MS-FSCC 2.3.58 */
+struct fsctl_query_on_disk_vol_info_rsp {
+ __le64 DirectoryCount;
+ __le64 FileCount;
+ __le16 FsFormatMajVersion;
+ __le16 FsFormatMinVersion;
+ __u8 FsFormatName[24];
+ __le64 FormatTime;
+ __le64 LastUpdateTime;
+ __u8 CopyrightInfo[68];
+ __u8 AbstractInfo[68];
+ __u8 FormatImplInfo[68];
+ __u8 LastModifyImplInfo[68];
+} __packed;
+
+/* See MS-FSCC 2.3.73 */
+struct fsctl_set_integrity_information_req {
+ __le16 ChecksumAlgorithm;
+ __le16 Reserved;
+ __le32 Flags;
+} __packed;
+
+/* See MS-FSCC 2.3.75 */
+struct fsctl_set_integrity_info_ex_req {
+ __u8 EnableIntegrity;
+ __u8 KeepState;
+ __u16 Reserved;
+ __le32 Flags;
+ __u8 Version;
+ __u8 Reserved2[7];
+} __packed;
+
+/*
+ * this goes in the ioctl buffer when doing FSCTL_SET_ZERO_DATA
+ * See MS-FSCC 2.3.85
+ */
+struct file_zero_data_information {
+ __le64 FileOffset;
+ __le64 BeyondFinalZero;
+} __packed;
+
+/*
+ * This level 18, although with struct with same name is different from cifs
+ * level 0x107. Level 0x107 has an extra u64 between AccessFlags and
+ * CurrentByteOffset.
+ * See MS-FSCC 2.4.2
+ */
+struct smb2_file_all_info { /* data block encoding of response to level 18 */
+ __le64 CreationTime; /* Beginning of FILE_BASIC_INFO equivalent */
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le32 Attributes;
+ __u32 Pad1; /* End of FILE_BASIC_INFO_INFO equivalent */
+ __le64 AllocationSize; /* Beginning of FILE_STANDARD_INFO equivalent */
+ __le64 EndOfFile; /* size ie offset to first free byte in file */
+ __le32 NumberOfLinks; /* hard links */
+ __u8 DeletePending;
+ __u8 Directory;
+ __u16 Pad2; /* End of FILE_STANDARD_INFO equivalent */
+ __le64 IndexNumber;
+ __le32 EASize;
+ __le32 AccessFlags;
+ __le64 CurrentByteOffset;
+ __le32 Mode;
+ __le32 AlignmentRequirement;
+ __le32 FileNameLength;
+ union {
+ char __pad; /* Legacy structure padding */
+ DECLARE_FLEX_ARRAY(char, FileName);
+ };
+} __packed; /* level 18 Query */
+
+/* See MS-FSCC 2.4.7 */
+typedef struct file_basic_info { /* data block encoding of response to level 18 */
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+ __le64 ChangeTime;
+ __le32 Attributes;
+ __u32 Pad;
+} __packed FILE_BASIC_INFO; /* size info, level 0x101 */
+
/* See MS-FSCC 2.4.8 */
typedef struct {
__le32 NextEntryOffset;
@@ -46,6 +260,11 @@ typedef struct {
char FileName[];
} __packed FILE_DIRECTORY_INFO; /* level 0x101 FF resp data */
+/* See MS-FSCC 2.4.13 */
+struct smb2_file_eof_info { /* encoding of request for level 10 */
+ __le64 EndOfFile; /* new end of file value */
+} __packed; /* level 20 Set */
+
/* See MS-FSCC 2.4.14 */
typedef struct {
__le32 NextEntryOffset;
@@ -80,6 +299,26 @@ typedef struct {
char FileName[];
} __packed FILE_ID_FULL_DIR_INFO; /* level 0x105 FF rsp data */
+/* See MS-FSCC 2.4.27 */
+struct smb2_file_internal_info {
+ __le64 IndexNumber;
+} __packed; /* level 6 Query */
+
+/* See MS-FSCC 2.4.28.2 */
+struct smb2_file_link_info { /* encoding of request for level 11 */
+ /* New members MUST be added within the struct_group() macro below. */
+ __struct_group(smb2_file_link_info_hdr, __hdr, __packed,
+ __u8 ReplaceIfExists; /* 1 = replace existing link with new */
+ /* 0 = fail if link already exists */
+ __u8 Reserved[7];
+ __u64 RootDirectory; /* MBZ for network operations (why says spec?) */
+ __le32 FileNameLength;
+ );
+ char FileName[]; /* Name to be assigned to new link */
+} __packed; /* level 11 Set */
+static_assert(offsetof(struct smb2_file_link_info, FileName) == sizeof(struct smb2_file_link_info_hdr),
+ "struct member likely outside of __struct_group()");
+
/* See MS-FSCC 2.4.34 */
struct smb2_file_network_open_info {
struct_group_attr(network_open_info, __packed,
@@ -94,6 +333,37 @@ struct smb2_file_network_open_info {
__le32 Reserved;
} __packed; /* level 34 Query also similar returned in close rsp and open rsp */
+/* See MS-FSCC 2.4.42.2 */
+struct smb2_file_rename_info { /* encoding of request for level 10 */
+ /* New members MUST be added within the struct_group() macro below. */
+ __struct_group(smb2_file_rename_info_hdr, __hdr, __packed,
+ __u8 ReplaceIfExists; /* 1 = replace existing target with new */
+ /* 0 = fail if target already exists */
+ __u8 Reserved[7];
+ __u64 RootDirectory; /* MBZ for network operations (why says spec?) */
+ __le32 FileNameLength;
+ );
+ char FileName[]; /* New name to be assigned */
+ /* padding - overall struct size must be >= 24 so filename + pad >= 6 */
+} __packed; /* level 10 Set */
+static_assert(offsetof(struct smb2_file_rename_info, FileName) == sizeof(struct smb2_file_rename_info_hdr),
+ "struct member likely outside of __struct_group()");
+
+/* File System Information Classes */
+/* See MS-FSCC 2.5 */
+#define FS_VOLUME_INFORMATION 1 /* Query */
+#define FS_LABEL_INFORMATION 2 /* Set */
+#define FS_SIZE_INFORMATION 3 /* Query */
+#define FS_DEVICE_INFORMATION 4 /* Query */
+#define FS_ATTRIBUTE_INFORMATION 5 /* Query */
+#define FS_CONTROL_INFORMATION 6 /* Query, Set */
+#define FS_FULL_SIZE_INFORMATION 7 /* Query */
+#define FS_OBJECT_ID_INFORMATION 8 /* Query, Set */
+#define FS_DRIVER_PATH_INFORMATION 9 /* Query */
+#define FS_SECTOR_SIZE_INFORMATION 11 /* SMB3 or later. Query */
+/* See POSIX Extensions to MS-FSCC 2.3.1.1 */
+#define FS_POSIX_INFORMATION 100 /* SMB3.1.1 POSIX. Query */
+
/* See MS-FSCC 2.5.1 */
#define MAX_FS_NAME_LEN 52
typedef struct {
@@ -130,6 +400,45 @@ typedef struct {
#define FILE_CASE_PRESERVED_NAMES 0x00000002
#define FILE_CASE_SENSITIVE_SEARCH 0x00000001
+/*
+ * File System Control Information
+ * See MS-FSCC 2.5.2
+ */
+struct smb2_fs_control_info {
+ __le64 FreeSpaceStartFiltering;
+ __le64 FreeSpaceThreshold;
+ __le64 FreeSpaceStopFiltering;
+ __le64 DefaultQuotaThreshold;
+ __le64 DefaultQuotaLimit;
+ __le32 FileSystemControlFlags;
+ __le32 Padding;
+} __packed;
+
+/* See MS-FSCC 2.5.4 */
+struct smb2_fs_full_size_info {
+ __le64 TotalAllocationUnits;
+ __le64 CallerAvailableAllocationUnits;
+ __le64 ActualAvailableAllocationUnits;
+ __le32 SectorsPerAllocationUnit;
+ __le32 BytesPerSector;
+} __packed;
+
+/* See MS-FSCC 2.5.7 */
+#define SSINFO_FLAGS_ALIGNED_DEVICE 0x00000001
+#define SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE 0x00000002
+#define SSINFO_FLAGS_NO_SEEK_PENALTY 0x00000004
+#define SSINFO_FLAGS_TRIM_ENABLED 0x00000008
+/* sector size info struct */
+struct smb3_fs_ss_info {
+ __le32 LogicalBytesPerSector;
+ __le32 PhysicalBytesPerSectorForAtomicity;
+ __le32 PhysicalBytesPerSectorForPerf;
+ __le32 FSEffPhysicalBytesPerSectorForAtomicity;
+ __le32 Flags;
+ __le32 ByteOffsetForSectorAlignment;
+ __le32 ByteOffsetForPartitionAlignment;
+} __packed;
+
/* See MS-FSCC 2.5.8 */
typedef struct {
__le64 TotalAllocationUnits;
@@ -138,6 +447,17 @@ typedef struct {
__le32 BytesPerSector;
} __packed FILE_SYSTEM_SIZE_INFO; /* size info, level 0x103 */
+/* volume info struct - see MS-FSCC 2.5.9 */
+#define MAX_VOL_LABEL_LEN 32
+struct filesystem_vol_info {
+ __le64 VolumeCreationTime;
+ __le32 VolumeSerialNumber;
+ __le32 VolumeLabelLength; /* includes trailing null */
+ __u8 SupportsObjects; /* True if eg like NTFS, supports objects */
+ __u8 Reserved;
+ __u8 VolumeLabel[]; /* variable len */
+} __packed;
+
/* See MS-FSCC 2.5.10 */
typedef struct {
__le32 DeviceType;
@@ -189,6 +509,22 @@ typedef struct {
#define FILE_ATTRIBUTE_NO_SCRUB_DATA_LE cpu_to_le32(FILE_ATTRIBUTE_NO_SCRUB_DATA)
#define FILE_ATTRIBUTE_MASK_LE cpu_to_le32(FILE_ATTRIBUTE_MASK)
+/*
+ * SMB2 Notify Action Flags
+ * See MS-FSCC 2.7.1
+ */
+#define FILE_ACTION_ADDED 0x00000001
+#define FILE_ACTION_REMOVED 0x00000002
+#define FILE_ACTION_MODIFIED 0x00000003
+#define FILE_ACTION_RENAMED_OLD_NAME 0x00000004
+#define FILE_ACTION_RENAMED_NEW_NAME 0x00000005
+#define FILE_ACTION_ADDED_STREAM 0x00000006
+#define FILE_ACTION_REMOVED_STREAM 0x00000007
+#define FILE_ACTION_MODIFIED_STREAM 0x00000008
+#define FILE_ACTION_REMOVED_BY_DELETE 0x00000009
+#define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A
+#define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B
+
/*
* Response contains array of the following structures
* See MS-FSCC 2.7.1
diff --git a/fs/smb/common/smb2pdu.h b/fs/smb/common/smb2pdu.h
index e482c86ceb00d2..85a4248d4f29d9 100644
--- a/fs/smb/co
... [truncated]