{"id":2230954,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2230954/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260430085731.1226229-1-doebel@amazon.de/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/1.1/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260430085731.1226229-1-doebel@amazon.de>","date":"2026-04-30T08:57:17","name":"smb: client: use kzalloc to zero-initialize security descriptor buffer","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"da474842574b8ef72281f8f8e70d6d98195cb966","submitter":{"id":93287,"url":"http://patchwork.ozlabs.org/api/1.1/people/93287/?format=json","name":"Bjoern Doebel","email":"doebel@amazon.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260430085731.1226229-1-doebel@amazon.de/mbox/","series":[{"id":502241,"url":"http://patchwork.ozlabs.org/api/1.1/series/502241/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=502241","date":"2026-04-30T08:57:17","name":"smb: client: use kzalloc to zero-initialize security descriptor buffer","version":1,"mbox":"http://patchwork.ozlabs.org/series/502241/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230954/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230954/checks/","tags":{},"headers":{"Return-Path":"\n <linux-cifs+bounces-11309-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=amazon.de header.i=@amazon.de header.a=rsa-sha256\n header.s=amazoncorp2 header.b=TWGwei1/;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11309-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=amazon.de header.i=@amazon.de\n header.b=\"TWGwei1/\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=50.112.246.219","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=amazon.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=amazon.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5p3Y6ks3z1xqf\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 18:58:01 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 9B5E7301048F\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 08:57:58 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 5867A3FBEA4;\n\tThu, 30 Apr 2026 08:57:56 +0000 (UTC)","from pdx-out-015.esa.us-west-2.outbound.mail-perimeter.amazon.com\n (pdx-out-015.esa.us-west-2.outbound.mail-perimeter.amazon.com\n [50.112.246.219])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 23FB23FE362;\n\tThu, 30 Apr 2026 08:57:54 +0000 (UTC)","from ip-10-5-12-219.us-west-2.compute.internal (HELO\n smtpout.naws.us-west-2.prod.farcaster.email.amazon.dev) ([10.5.12.219])\n  by internal-pdx-out-015.esa.us-west-2.outbound.mail-perimeter.amazon.com\n with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Apr 2026 08:57:52 +0000","from EX19MTAUWA002.ant.amazon.com [205.251.233.234:6652]\n by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.37.224:2525]\n with esmtp (Farcaster)\n id 58b8f1a8-5a6f-4e28-ae21-c24da03d262c;\n Thu, 30 Apr 2026 08:57:52 +0000 (UTC)","from EX19D001UWA001.ant.amazon.com (10.13.138.214) by\n EX19MTAUWA002.ant.amazon.com (10.250.64.202) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.37;\n Thu, 30 Apr 2026 08:57:52 +0000","from dev-dsk-doebel-1a-7b355d76.us-east-1.amazon.com (10.169.119.5)\n by EX19D001UWA001.ant.amazon.com (10.13.138.214) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.37;\n Thu, 30 Apr 2026 08:57:50 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777539476; cv=none;\n b=QH2NL8Dw+O7PIHRtTZXd08dO6788f9NeJRadLpA8X443Po/hU1Wg7ruaRsJS7WMLf2OaIehyxk77xbFmeTa1MhqVgyEJWAUC1Iro5T242nQK0enaXob2o2FJw5NsOKnHF0LKzNnwCl/fMRDDxDQ0yuLFrdLfiC4+tT4t+ocNgSc=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777539476; c=relaxed/simple;\n\tbh=OCHv4sNKD6FdjVg4X1i6KrqsmWVR5hjxcSUYjRoG4pA=;\n\th=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type;\n b=sZD87U2Y0LXNAXo1qbBWmlO7GuhtuAm30KlieIx9iUEpIaziPu5MXW2HwzuLmplNQB3gg0cb89mjRwMh4itWwElqaNlEsKptgUGwQAprDlO9EoUS0esHk8DwOx1Wy+f3VWW2nh3MBu/z2sdJY4w5Ii5erfOZcfluIAa2BHVclcA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=amazon.de;\n spf=pass smtp.mailfrom=amazon.de;\n dkim=pass (2048-bit key) header.d=amazon.de header.i=@amazon.de\n header.b=TWGwei1/; arc=none smtp.client-ip=50.112.246.219","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n  d=amazon.de; i=@amazon.de; q=dns/txt; s=amazoncorp2;\n  t=1777539475; x=1809075475;\n  h=from:to:cc:subject:date:message-id:mime-version:\n   content-transfer-encoding;\n  bh=Hn9udz7Pvym1RgV7NCPW6AXSi4+7PUHyGB012LjVUYA=;\n  b=TWGwei1/45oNJHrp3lvy+VAFOpMQSmwoZ2rqO3axJk5lxim/L5tTH9kA\n   RVU9XrtHU/onaX7aUIt8gohoXh1NK5PiSa0uOAyloAIoKD/UKsYBVWo6B\n   I9X6jFwyNUrlx7G7Bu/zM+oOhe8v7CFBoYdqK7wrbeCQN9ojwX1kdQ5O/\n   ozzXjcVjklNx3rm69cG1OSCAelSDFcOGEZQrtycWzEY/leEao0GDBOliM\n   d53b/SNQkFfFL4Jx/CjjDyaVBjNpWq/n1NjT7exa1pZC1xNz4TsMNmp6B\n   AboyvwJ4G8Z8xVItKti07uOJpW9z5SpVfIm3Tf7vvcS/QGJGIZ161fyOP\n   A==;","X-CSE-ConnectionGUID":"UCavD6MDRRiX+ID+sjkW/w==","X-CSE-MsgGUID":"SjeS+foHSViH+O/9vNPIFg==","X-IronPort-AV":"E=Sophos;i=\"6.23,207,1770595200\";\n   d=\"scan'208\";a=\"18367693\"","X-Farcaster-Flow-ID":"58b8f1a8-5a6f-4e28-ae21-c24da03d262c","From":"Bjoern Doebel <doebel@amazon.de>","To":"<sfrench@samba.org>","CC":"Bjoern Doebel <doebel@amazon.de>, <stable@vger.kernel.org>, \"Paulo\n Alcantara\" <pc@manguebit.org>, Ronnie Sahlberg <ronniesahlberg@gmail.com>,\n\tShyam Prasad N <sprasad@microsoft.com>, Tom Talpey <tom@talpey.com>, \"Bharath\n SM\" <bharathsm@microsoft.com>, Namjae Jeon <linkinjeon@kernel.org>, \"open\n list:COMMON INTERNET FILE SYSTEM CLIENT (CIFS and SMB3)\"\n\t<linux-cifs@vger.kernel.org>, \"moderated list:COMMON INTERNET FILE SYSTEM\n CLIENT (CIFS and SMB3)\" <samba-technical@lists.samba.org>, open list\n\t<linux-kernel@vger.kernel.org>","Subject":"[PATCH] smb: client: use kzalloc to zero-initialize security\n descriptor buffer","Date":"Thu, 30 Apr 2026 08:57:17 +0000","Message-ID":"<20260430085731.1226229-1-doebel@amazon.de>","X-Mailer":"git-send-email 2.50.1","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","X-ClientProxiedBy":"EX19D041UWA004.ant.amazon.com (10.13.139.9) To\n EX19D001UWA001.ant.amazon.com (10.13.138.214)","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit"},"content":"Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces\nto le16\") split struct smb_acl's __le32 num_aces field into __le16\nnum_aces and __le16 reserved. The reserved field corresponds to Sbz2\nin the MS-DTYP ACL wire format, which must be zero [1].\n\nWhen building an ACL descriptor in build_sec_desc(), we are using a\nkmalloc()'ed descriptor buffer and writing the fields explicitly using\nle16() writes now. This never writes to the 2 byte reserved field,\nleaving it as uninitialized heap data.\n\nWhen the reserved field happens to contain non-zero slab garbage,\nSamba rejects the security descriptor with \"ndr_pull_security_descriptor\nfailed: Range Error\", causing chmod to fail with EINVAL.\n\nChange kmalloc() to kzalloc() to ensure the entire buffer is\nzero-initialized.\n\nFixes: 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\")\nCc: stable@vger.kernel.org\n\nSigned-off-by: Bjoern Doebel <doebel@amazon.de>\nAssisted-by: Kiro:claude-opus-4.6\n[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428\n---\nTested using xfstests' generic/680 test on CIFS (Samba server\non localhost) with AL2023 ARM64 kernel 6.18.22 and 7.1.0-rc1.\nWithout the fix, the test fails after 10-40 iterations. With\nthe fix, we successfully completed 1,000 iterations.\n---\n fs/smb/client/cifsacl.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c\nindex ec5d477793040..a2750f1e3d90b 100644\n--- a/fs/smb/client/cifsacl.c\n+++ b/fs/smb/client/cifsacl.c\n@@ -1732,7 +1732,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,\n \t * descriptor parameters, and security descriptor itself\n \t */\n \tnsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);\n-\tpnntsd = kmalloc(nsecdesclen, GFP_KERNEL);\n+\tpnntsd = kzalloc(nsecdesclen, GFP_KERNEL);\n \tif (!pnntsd) {\n \t\tkfree(pntsd);\n \t\tcifs_put_tlink(tlink);\n","prefixes":[]}