GET /api/1.1/patches/2224697/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2224697,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2224697/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260417184557.1138554-1-michael.bommarito@gmail.com/",
    "project": {
        "id": 12,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api",
        "name": "Linux CIFS Client",
        "link_name": "linux-cifs-client",
        "list_id": "linux-cifs.vger.kernel.org",
        "list_email": "linux-cifs@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260417184557.1138554-1-michael.bommarito@gmail.com>",
    "date": "2026-04-17T18:45:57",
    "name": "[v2] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "e55b978473b36c3497f46148e87a82ea38b1bdb1",
    "submitter": {
        "id": 93078,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/93078/?format=api",
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260417184557.1138554-1-michael.bommarito@gmail.com/mbox/",
    "series": [
        {
            "id": 500389,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/500389/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500389",
            "date": "2026-04-17T18:45:57",
            "name": "[v2] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/500389/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2224697/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2224697/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <linux-cifs+bounces-10893-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-cifs@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=FSYI0g4n;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10893-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"FSYI0g4n\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.160.181",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"
        ],
        "Received": [
            "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fy3l06psVz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 04:46:52 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 8F4763019912\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 18:46:20 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id B4D8B32D0D4;\n\tFri, 17 Apr 2026 18:46:19 +0000 (UTC)",
            "from mail-qt1-f181.google.com (mail-qt1-f181.google.com\n [209.85.160.181])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4884130DED1\n\tfor <linux-cifs@vger.kernel.org>; Fri, 17 Apr 2026 18:46:18 +0000 (UTC)",
            "by mail-qt1-f181.google.com with SMTP id\n d75a77b69052e-506251815a3so8897091cf.0\n        for <linux-cifs@vger.kernel.org>;\n Fri, 17 Apr 2026 11:46:18 -0700 (PDT)",
            "from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net.\n [68.48.65.54])\n        by smtp.gmail.com with ESMTPSA id\n d75a77b69052e-50e39449e36sm22631771cf.21.2026.04.17.11.46.16\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Fri, 17 Apr 2026 11:46:16 -0700 (PDT)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776451579; cv=none;\n b=nvDTtO/X6YTA1Vdmx37Mbmjy+lKNoKZrZvmINm1JMbTPLz8fGVKBLuLEM4x3jpDy0xUrjdV3BppRLn/2w8HOA0TYhHY+/6MnhVPqnrBwc712J0SL6j42L4hDGLTnIvYqn+iYbCFAWrswnt/yzj/954DXei8ZQJvifXSsLEvxvbs=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776451579; c=relaxed/simple;\n\tbh=qPmRyp0y7PzlYMI7mL0qWLI7uB0ZnmAn0J9PDgiv6ro=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=ObTL1oqS2kZfYZC6lzxG/3mE95fW5oQL5X42vDoKwyoaHwpr1roDvNgFrZrvV2XorWcwCTbLPVej8VttFcGlGR/uWEgOC7iwH7nu8cxFRLypZtO71+PfGpUEH4iB1isv9tCeLhfiWhhMXmDZOD8rJD41o17nSGL/Sss5eerAGAw=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=FSYI0g4n; arc=none smtp.client-ip=209.85.160.181",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1776451577; x=1777056377;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:references:in-reply-to\n         :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=wnB324ImcM1acsbVZKl+4DrPTQ21/FeCKs/oLsdwvJ8=;\n        b=FSYI0g4nETrAvo1zQfhGxZ/e+vLE49iiY157/HXbniljyznYXELmem32kWx35zqhV4\n         q7dug+ELSu7DDqRhkouvQj1Mz6LqsTafgfr0UFpw0iEm43/ntfAaRPgTTtiPoypYzipk\n         +HJEaiZGHJH43vmkHbyvEiJ/k6XKRq3VfLl6ka1GfcUkRtPUgrSrG5AwiazeeHtVFdv4\n         8vPD+VkPq4knffgujr/9/utlFuy3K5CBXofhVTtcrJ9p3WY1fFgut8kSlEHxuBsnnLiw\n         m15sKuZ6OhIvOMknRFDB3sXaly1AbjpaJS+xk4phRQ1Ey8Vh8pxMv1EBcl+K1jJD9Hac\n         gDkg==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1776451577; x=1777056377;\n        h=content-transfer-encoding:mime-version:references:in-reply-to\n         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n         :to:cc:subject:date:message-id:reply-to;\n        bh=wnB324ImcM1acsbVZKl+4DrPTQ21/FeCKs/oLsdwvJ8=;\n        b=QiQghniwoTvXUtTRzLWf0Wl2G4SKfdsg7vZNaU9opW9BpyPtzh2f9fgZs7mtmQEnBq\n         gSQJRpH93eDLg/JC04H3i6Tuc3piafGDQb1gkYHYnt0K68D64unC5Rcb/donVC8EyAIC\n         4EpcR7SFbqVpScP6ePWpAwZvRcQpAZFRNArMDUKyhJMR7jJOBoWneu2nyhb+pWGLO2YV\n         +wOGH/9vVJMrKz9Tt5Po0DjnRSeCaiOqJ0Yttv2BDs7iNra7qFd3/Ow4rPnW6sjyUQrj\n         VDU+N2Lm5R2ADNMNuTInM59WJVnugEVkQ68t/s3noFvjqjH/37MfXwftKxVy6wh/7w9O\n         2uBQ==",
        "X-Forwarded-Encrypted": "i=1;\n AFNElJ/uX4CIXc2VqbQoqiT6H9+NqS3b1wLGQXrm2nJ1zYY3sA5hciSgiu1L1+VkWI5Sp+Qyy/JpTkR0Q2gE@vger.kernel.org",
        "X-Gm-Message-State": "AOJu0YwaP+7pM0dvAL8QJuQOSzN4QQUJOD4Ol/uf91ioLdta1oOeilc4\n\tTIb7l+OVxGB7HBNylfokuSF7ijjQ747NEJxXHt/Mw/z0O4l3FXlguKRDzfJVDoRb",
        "X-Gm-Gg": "AeBDieslhcdoI7ZLbJou3auV1guT4U6IeckyZZChPs7kgX+RcB33uChTCbDMvVEqbo0\n\tmYFNJe9t+Oz6nk6DUr+4c5r901WTLSWrJw0M8oURLf6/84t6nWQRqte9QtCzNw/zFXWLTdYv+vq\n\tjUiIS3ILvz8vwKkjON3+TuYRK8QSTbX2pfCwvZ5vYMj3A2mQrMwvknUgISW5SB5WmdzJr0a1K2+\n\tGvosZDkxTldQOX71WdxPk9uUwj5s05RLIuUg17aLafwPbliEBeNw/jo8XyGnjMuK+y0xSDFPKYW\n\tsyZyPF8BtKREB+v6FznJnxHiFMZPWyMzi7R2ohqZbNnoWAwklhLzbevrLs0Y4IjwePK3+vygKtU\n\tQDeSbP+uFNtI+xKEeTP4UxmjME8k/bglPZnbeOll32+QvtAV7pykYE/L0ZCC2engQQWtELp1zPw\n\tULhVsVPCSUv13ypFSkl3dJe/y0l2suKQRQtM83wYTkY701oC4wKkujtvz3YauWDOtR+o0xdES4c\n\tHuBXWYaXvpa/xy85xlMW9vkX1RnQ68I2BeyM6CVWvwUzV2iJI9pjA==",
        "X-Received": "by 2002:a05:622a:2615:b0:50d:8792:b6d1 with SMTP id\n d75a77b69052e-50e36c122efmr55258341cf.38.1776451577116;\n        Fri, 17 Apr 2026 11:46:17 -0700 (PDT)",
        "From": "Michael Bommarito <michael.bommarito@gmail.com>",
        "To": "Namjae Jeon <linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>,\n\tlinux-cifs@vger.kernel.org",
        "Cc": "Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>,\n\tHyunchul Lee <hyc.lee@gmail.com>,\n\tRonnie Sahlberg <lsahlber@redhat.com>,\n\tstable@vger.kernel.org",
        "Subject": "[PATCH v2] ksmbd: validate num_aces and harden ACE walk in\n smb_inherit_dacl()",
        "Date": "Fri, 17 Apr 2026 14:45:57 -0400",
        "Message-ID": "<20260417184557.1138554-1-michael.bommarito@gmail.com>",
        "X-Mailer": "git-send-email 2.53.0",
        "In-Reply-To": "<20260416200439.2987930-1-michael.bommarito@gmail.com>",
        "References": "<20260416200439.2987930-1-michael.bommarito@gmail.com>",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-cifs@vger.kernel.org",
        "List-Id": "<linux-cifs.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "smb_inherit_dacl() trusts the on-disk num_aces value from the parent\ndirectory's DACL xattr and uses it to size a heap allocation:\n\n  aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\n\nnum_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\nwithout checking that it is consistent with the declared pdacl_size.\nAn authenticated client whose parent directory's security.NTACL is\ntampered (e.g. via offline xattr corruption or a concurrent path that\nbypasses parse_dacl()) can present num_aces = 65535 with minimal\nactual ACE data.  This causes a ~8 MB allocation (not kzalloc, so\nuninitialized) that the subsequent loop only partially populates, and\nmay also overflow the three-way size_t multiply on 32-bit kernels.\n\nAdditionally, the ACE walk loop uses the weaker\noffsetof(struct smb_ace, access_req) minimum size check rather than\nthe minimum valid on-wire ACE size, and does not reject ACEs whose\ndeclared size is below the minimum.\n\nReproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.\nA legitimate mount.cifs client creates a parent directory over SMB\n(ksmbd writes a valid security.NTACL xattr), then the NTACL blob on\nthe backing filesystem is rewritten to set num_aces = 0xFFFF while\nkeeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s\nhash check still passes.  
A subsequent SMB2 CREATE of a child under\nthat parent drives smb2_open() into smb_inherit_dacl() (share has\n\"vfs objects = acl_xattr\" set), which fails the page allocator:\n\n  WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0\n  Workqueue: ksmbd-io handle_ksmbd_work\n   __alloc_frozen_pages_noprof+0x46c/0x9c0\n   ___kmalloc_large_node+0x68/0x130\n   __kmalloc_large_node_noprof+0x24/0x70\n   __kmalloc_noprof+0x4c9/0x690\n   smb_inherit_dacl+0x394/0x2430\n   smb2_open+0x595d/0xabe0\n   handle_ksmbd_work+0x3d3/0x1140\n\nWith the patch applied the added guard rejects the tampered value\nwith -EINVAL before any large allocation runs, smb2_open() falls back\nto smb2_create_sd_buffer(), and the child is created with a default\nSD.  No warning, no splat.\n\nFix by:\n\n  1. Validating num_aces against pdacl_size using the same formula\n     applied in parse_dacl().\n\n  2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\n     kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe\n     allocation.\n\n  3. Tightening the per-ACE loop guard to require the minimum valid\n     ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\n     rejecting under-sized ACEs, matching the hardening in\n     smb_check_perm_dacl() and parse_dacl().\n\nv1 -> v2:\n  - Replace the synthetic test-module splat in the changelog with a\n    real-path UML + KASAN reproduction driven through mount.cifs and\n    SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name\n    in v1 since it does not exist in ksmbd.\n  - Drop the commit-hash citation from the code comment per Namjae's\n    review; keep the parse_dacl() pointer.\n\nFixes: e2f34481b24d (\"cifsd: add server-side procedures for SMB3\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\n fs/smb/server/smbacl.c | 28 +++++++++++++++++++++++-----\n 1 file changed, 23 insertions(+), 5 deletions(-)",
    "diff": "diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c\nindex d5943256c071..4a341c1f6630 100644\n--- a/fs/smb/server/smbacl.c\n+++ b/fs/smb/server/smbacl.c\n@@ -1105,8 +1105,24 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n \t\tgoto free_parent_pntsd;\n \t}\n \n-\taces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2,\n-\t\t\t    KSMBD_DEFAULT_GFP);\n+\taces_size = pdacl_size - sizeof(struct smb_acl);\n+\n+\t/*\n+\t * Validate num_aces against the DACL payload before allocating.\n+\t * Each ACE must be at least as large as its fixed-size header\n+\t * (up to the SID base), so num_aces cannot exceed the payload\n+\t * divided by the minimum ACE size.  This mirrors the existing\n+\t * check in parse_dacl().\n+\t */\n+\tif (num_aces > aces_size / (offsetof(struct smb_ace, sid) +\n+\t\t\t\t    offsetof(struct smb_sid, sub_auth) +\n+\t\t\t\t    sizeof(__le16))) {\n+\t\trc = -EINVAL;\n+\t\tgoto free_parent_pntsd;\n+\t}\n+\n+\taces_base = kmalloc_array(num_aces * 2, sizeof(struct smb_ace),\n+\t\t\t\t  KSMBD_DEFAULT_GFP);\n \tif (!aces_base) {\n \t\trc = -ENOMEM;\n \t\tgoto free_parent_pntsd;\n@@ -1115,7 +1131,6 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n \taces = (struct smb_ace *)aces_base;\n \tparent_aces = (struct smb_ace *)((char *)parent_pdacl +\n \t\t\tsizeof(struct smb_acl));\n-\taces_size = acl_len - sizeof(struct smb_acl);\n \n \tif (pntsd_type & DACL_AUTO_INHERITED)\n \t\tinherited_flags = INHERITED_ACE;\n@@ -1123,11 +1138,14 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,\n \tfor (i = 0; i < num_aces; i++) {\n \t\tint pace_size;\n \n-\t\tif (offsetof(struct smb_ace, access_req) > aces_size)\n+\t\tif (aces_size < offsetof(struct smb_ace, sid) +\n+\t\t    CIFS_SID_BASE_SIZE)\n \t\t\tbreak;\n \n \t\tpace_size = le16_to_cpu(parent_aces->size);\n-\t\tif (pace_size > aces_size)\n+\t\tif (pace_size > aces_size ||\n+\t\t    pace_size < offsetof(struct smb_ace, sid) +\n+\t\t\t\tCIFS_SID_BASE_SIZE)\n \t\t\tbreak;\n \n \t\taces_size -= 
pace_size;\n",
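Review bot: The new bound in the first hunk, `aces_size = pdacl_size - sizeof(struct smb_acl);` followed by `if (num_aces > aces_size / (...))`, only rejects an oversized count if pdacl_size is already known to be at least sizeof(struct smb_acl); the start of smb_inherit_dacl() is outside the hunk, so whether that was checked earlier is not visible here, and if it was not, the subtraction wraps (or goes negative, depending on the declared type of aces_size, which is also not visible) and the division then admits any num_aces. Making the guard self-contained costs one extra condition, `if (pdacl_size < sizeof(struct smb_acl) || num_aces > aces_size / (offsetof(struct smb_ace, sid) + offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))`, with aces_size left unused when the first test fails. A second, style, point spans the first and third hunks: the minimum ACE size is spelled as `offsetof(struct smb_ace, sid) + offsetof(struct smb_sid, sub_auth) + sizeof(__le16)` for the allocation bound but as `offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE` in both loop guards; the description says the former mirrors parse_dacl(), so both may be intended, but giving each a named local (e.g. `min_ace_size`) with a one-line comment on why they differ would make the relationship reviewable. The ACE walk continues past `aces_size -= pace_size;` outside the hunk.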
    "prefixes": [
        "v2"
    ]
}