public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
@ 2026-04-23 14:02 Vasiliy Kovalev
  2026-04-23 14:41 ` Vasiliy Kovalev
  0 siblings, 1 reply; 3+ messages in thread
From: Vasiliy Kovalev @ 2026-04-23 14:02 UTC (permalink / raw)
  To: stable; +Cc: Steve French, linux-cifs, samba-technical, lvc-project, kovalev

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit 1dcdf5f5b2137185cbdd5385f29949ab3da4f00c upstream.

If the tlink setup failed, lost to put the connections, then
the module refcnt leak since the cifsd kthread not exit.

Also leak the fscache info, and for next mount with fsc, it will
print the follow errors:
  CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)

Let's check the result of tlink setup, and do some cleanup.

Fixes: 56c762eb9bee ("cifs: Refactor out cifs_mount()")
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ kovalev: bp to fix CVE-2022-49822; adapted to use direct xid/ses/tcon
  variables instead of mnt_ctx struct fields due to the older kernel not
  having the corresponding cifs_mount() refactoring (see upstream commit
  c88f7dcd6d64); additionally NULL out mntdata after dfs_cache_add_vol()
  transfers its ownership to vol_list, otherwise the new error path from
  mount_setup_tlink() failure would double-free it via kfree(mntdata) in
  the error: label ]
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
v2: address mntdata double-free flagged by sashiko-bot review [1].
  - NULL out mntdata after dfs_cache_add_vol() in the DFS branch of
    cifs_mount(); otherwise the new goto error from mount_setup_tlink()
    failure hits kfree(mntdata) in the error: label while the pointer
    is already owned by vol_list (vi->mntdata set in dfs_cache_add_vol).

  The second concern raised by sashiko-bot (UAF on
  cifs_sb->origin_fullpath via cifs_kill_sb()) does not apply to 5.10.y:
  cifs_smb3_do_mount() handles cifs_mount() failure via the out_free
  label, which kfree()s cifs_sb directly without calling cifs_umount(),
  so the kfree(cifs_sb->origin_fullpath) in the error: label is the
  only release on this path and must stay.

  [1] https://sashiko.dev/#/patchset/20260421132612.38517-1-kovalev%40altlinux.org

v1: https://lore.kernel.org/all/20260421132612.38517-1-kovalev@altlinux.org/

 fs/cifs/connect.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 769c7759601d..3ce86a88fad4 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -4770,6 +4770,8 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
 	rc = dfs_cache_add_vol(mntdata, vol, cifs_sb->origin_fullpath);
 	if (rc)
 		goto error;
+	/* mntdata is now owned by vol_list */
+	mntdata = NULL;
 	/*
 	 * After reconnecting to a different server, unique ids won't
 	 * match anymore, so we disable serverino. This prevents
@@ -4786,9 +4788,13 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
 	vol->prepath = NULL;
 
 out:
-	free_xid(xid);
 	cifs_try_adding_channels(ses);
-	return mount_setup_tlink(cifs_sb, ses, tcon);
+	rc = mount_setup_tlink(cifs_sb, ses, tcon);
+	if (rc)
+		goto error;
+
+	free_xid(xid);
+	return rc;
 
 error:
 	kfree(ref_path);
@@ -4820,9 +4826,12 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
 			goto error;
 	}
 
-	free_xid(xid);
+	rc = mount_setup_tlink(cifs_sb, ses, tcon);
+	if (rc)
+		goto error;
 
-	return mount_setup_tlink(cifs_sb, ses, tcon);
+	free_xid(xid);
+	return rc;
 
 error:
 	mount_put_conns(cifs_sb, xid, server, ses, tcon);
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-23 18:59 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-23 14:02 [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed Vasiliy Kovalev
2026-04-23 14:41 ` Vasiliy Kovalev
2026-04-23 18:59   ` Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox