From: Sasha Levin Date: Thu, 23 Apr 2026 18:59:15 +0000 (-0400) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3d2bddf63e917f38f09360a047318314cc85ef94;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch b/queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch new file mode 100644 index 0000000000..436056a382 --- /dev/null +++ b/queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch 
@@ -0,0 +1,82 @@ +From f6e63ba82cc6f23365a9b2cbe94df0ca46563d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2026 17:02:45 +0300 +Subject: cifs: Fix connections leak when tlink setup failed + +From: Zhang Xiaoxu + +commit 1dcdf5f5b2137185cbdd5385f29949ab3da4f00c upstream. + +If the tlink setup failed, lost to put the connections, then +the module refcnt leak since the cifsd kthread not exit. + +Also leak the fscache info, and for next mount with fsc, it will +print the follow errors: + CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST) + +Let's check the result of tlink setup, and do some cleanup. + +Fixes: 56c762eb9bee ("cifs: Refactor out cifs_mount()") +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +[ kovalev: bp to fix CVE-2022-49822; adapted to use direct xid/ses/tcon + variables instead of mnt_ctx struct fields due to the older kernel not + having the corresponding cifs_mount() refactoring (see upstream commit + c88f7dcd6d64); additionally NULL out mntdata after dfs_cache_add_vol() + transfers its ownership to vol_list, otherwise the new error path from + mount_setup_tlink() failure would double-free it via kfree(mntdata) in + the error: label ] +Signed-off-by: Vasiliy Kovalev +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 769c7759601db..3ce86a88fad4a 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -4770,6 +4770,8 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol) + rc = dfs_cache_add_vol(mntdata, vol, cifs_sb->origin_fullpath); + if (rc) + goto error; ++ /* mntdata is now owned by vol_list */ ++ mntdata = NULL; + /* + * After reconnecting to a different server, unique ids won't + * match anymore, so we disable serverino. 
This prevents +@@ -4786,9 +4788,13 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol) + vol->prepath = NULL; + + out: +- free_xid(xid); + cifs_try_adding_channels(ses); +- return mount_setup_tlink(cifs_sb, ses, tcon); ++ rc = mount_setup_tlink(cifs_sb, ses, tcon); ++ if (rc) ++ goto error; ++ ++ free_xid(xid); ++ return rc; + + error: + kfree(ref_path); +@@ -4820,9 +4826,12 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol) + goto error; + } + +- free_xid(xid); ++ rc = mount_setup_tlink(cifs_sb, ses, tcon); ++ if (rc) ++ goto error; + +- return mount_setup_tlink(cifs_sb, ses, tcon); ++ free_xid(xid); ++ return rc; + + error: + mount_put_conns(cifs_sb, xid, server, ses, tcon); +-- +2.53.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 1ee941b4a7..83b6495652 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -125,3 +125,4 @@ scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch i3c-fix-uninitialized-variable-use-in-i2c-setup.patch revert-scsi-ufs-core-improve-scsi-abort-handling.patch rxrpc-fix-recvmsg-unconditional-requeue.patch +cifs-fix-connections-leak-when-tlink-setup-failed.patch
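Review bot: in the `@@ -4770,6 +4770,8` hunk of fs/cifs/connect.c, `mntdata = NULL;` is placed after the `if (rc) goto error;` check, so a failing dfs_cache_add_vol() still reaches kfree(mntdata) at the error: label. That is only safe if dfs_cache_add_vol() never retains the pointer when it returns non-zero. Because this assignment is a backport-only addition (see the `[ kovalev: ... ]` note) and has no upstream counterpart to compare against, please confirm that behaviour in the 5.10 tree. Consider extending the comment to say that clearing the pointer prevents a double free at error:, since "now owned by vol_list" alone does not explain why the assignment matters.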
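Review bot: in the `@@ -4786,9 +4788,13` hunk, the new `goto error;` below `out:` jumps back into a label whose first statement is `kfree(ref_path);`, so every pointer released at error: has to be either still live or NULL when control arrives from out:. The first hunk takes care of mntdata, but the visible context does not show the state of ref_path at that point. Please confirm it is NULL or not yet freed when out: is reached, otherwise this path has the same double-free shape that the mntdata change was added to avoid. A one-line note in the backport comment listing which pointers were audited would make that verifiable from the changelog.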
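Review bot: in the `@@ -4820,9 +4826,12` hunk, `return rc;` directly after `if (rc) goto error;` can only ever return 0, so `return 0;` would make the success path explicit. The same applies to the identical tail in the `@@ -4786,9 +4788,13` hunk. Moving `free_xid(xid);` below the mount_setup_tlink() call is required here because error: passes xid to `mount_put_conns(cifs_sb, xid, server, ses, tcon);`. A short comment to that effect above free_xid() would stop a later cleanup from hoisting it back above the call.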