Fixes for all trees

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch b/queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch
new file mode 100644 (file)
index 0000000..436056a
--- /dev/null
+++ b/queue-5.10/cifs-fix-connections-leak-when-tlink-setup-failed.patch
@@ -0,0 +1,82 @@
+From f6e63ba82cc6f23365a9b2cbe94df0ca46563d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2026 17:02:45 +0300
+Subject: cifs: Fix connections leak when tlink setup failed
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit 1dcdf5f5b2137185cbdd5385f29949ab3da4f00c upstream.
+
+If the tlink setup failed, lost to put the connections, then
+the module refcnt leak since the cifsd kthread not exit.
+
+Also leak the fscache info, and for next mount with fsc, it will
+print the follow errors:
+  CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)
+
+Let's check the result of tlink setup, and do some cleanup.
+
+Fixes: 56c762eb9bee ("cifs: Refactor out cifs_mount()")
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ kovalev: bp to fix CVE-2022-49822; adapted to use direct xid/ses/tcon
+  variables instead of mnt_ctx struct fields due to the older kernel not
+  having the corresponding cifs_mount() refactoring (see upstream commit
+  c88f7dcd6d64); additionally NULL out mntdata after dfs_cache_add_vol()
+  transfers its ownership to vol_list, otherwise the new error path from
+  mount_setup_tlink() failure would double-free it via kfree(mntdata) in
+  the error: label ]
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 769c7759601db..3ce86a88fad4a 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -4770,6 +4770,8 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
+       rc = dfs_cache_add_vol(mntdata, vol, cifs_sb->origin_fullpath);
+       if (rc)
+               goto error;
++      /* mntdata is now owned by vol_list */
++      mntdata = NULL;
+       /*
+        * After reconnecting to a different server, unique ids won't
+        * match anymore, so we disable serverino. This prevents
+@@ -4786,9 +4788,13 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
+       vol->prepath = NULL;
+ 
+ out:
+-      free_xid(xid);
+       cifs_try_adding_channels(ses);
+-      return mount_setup_tlink(cifs_sb, ses, tcon);
++      rc = mount_setup_tlink(cifs_sb, ses, tcon);
++      if (rc)
++              goto error;
++
++      free_xid(xid);
++      return rc;
+ 
+ error:
+       kfree(ref_path);
+@@ -4820,9 +4826,12 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
+                       goto error;
+       }
+ 
+-      free_xid(xid);
++      rc = mount_setup_tlink(cifs_sb, ses, tcon);
++      if (rc)
++              goto error;
+ 
+-      return mount_setup_tlink(cifs_sb, ses, tcon);
++      free_xid(xid);
++      return rc;
+ 
+ error:
+       mount_put_conns(cifs_sb, xid, server, ses, tcon);
+-- 
+2.53.0
+

diff --git a/queue-5.10/series b/queue-5.10/series
index 1ee941b4a70bb29189a0661eb2c9e4a686301541..83b6495652727635519639eb7e57361d1c23697f 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -125,3 +125,4 @@ scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch
 i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
 revert-scsi-ufs-core-improve-scsi-abort-handling.patch
 rxrpc-fix-recvmsg-unconditional-requeue.patch
+cifs-fix-connections-leak-when-tlink-setup-failed.patch