* [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
@ 2026-04-23 14:02 Vasiliy Kovalev
From: Vasiliy Kovalev @ 2026-04-23 14:02 UTC (permalink / raw)
To: stable; +Cc: Steve French, linux-cifs, samba-technical, lvc-project, kovalev
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit 1dcdf5f5b2137185cbdd5385f29949ab3da4f00c upstream.

If the tlink setup failed, we forgot to put the connections, so
the module refcnt leaks since the cifsd kthread does not exit.

It also leaks the fscache info, and for the next mount with fsc, it will
print the following error:

CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)

Let's check the result of tlink setup and do some cleanup.

Fixes: 56c762eb9bee ("cifs: Refactor out cifs_mount()")
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ kovalev: bp to fix CVE-2022-49822; adapted to use direct xid/ses/tcon
variables instead of mnt_ctx struct fields due to the older kernel not
having the corresponding cifs_mount() refactoring (see upstream commit
c88f7dcd6d64); additionally NULL out mntdata after dfs_cache_add_vol()
transfers its ownership to vol_list, otherwise the new error path from
mount_setup_tlink() failure would double-free it via kfree(mntdata) in
the error: label ]
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
v2: address mntdata double-free flagged by sashiko-bot review [1].
- NULL out mntdata after dfs_cache_add_vol() in the DFS branch of
cifs_mount(); otherwise the new goto error from mount_setup_tlink()
failure hits kfree(mntdata) in the error: label while the pointer
is already owned by vol_list (vi->mntdata set in dfs_cache_add_vol).

The second concern raised by sashiko-bot (UAF on
cifs_sb->origin_fullpath via cifs_kill_sb()) does not apply to 5.10.y:
cifs_smb3_do_mount() handles cifs_mount() failure via the out_free
label, which kfree()s cifs_sb directly without calling cifs_umount(),
so the kfree(cifs_sb->origin_fullpath) in the error: label is the
only release on this path and must stay.

[1] https://sashiko.dev/#/patchset/20260421132612.38517-1-kovalev%40altlinux.org
v1: https://lore.kernel.org/all/20260421132612.38517-1-kovalev@altlinux.org/

fs/cifs/connect.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 769c7759601d..3ce86a88fad4 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -4770,6 +4770,8 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
rc = dfs_cache_add_vol(mntdata, vol, cifs_sb->origin_fullpath);
if (rc)
goto error;
+ /* mntdata is now owned by vol_list */
+ mntdata = NULL;
/*
* After reconnecting to a different server, unique ids won't
* match anymore, so we disable serverino. This prevents
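Review bot: the `mntdata = NULL;` placed directly after the successful dfs_cache_add_vol() is the right way to keep the shared error: label from freeing a pointer that vol_list now owns, but it only holds if nothing between this point and the out: label still reads mntdata; please confirm that no later statement in the 5.10.y cifs_mount() body dereferences it, since such a use would now be a NULL dereference instead of the double free v1 had. Naming the new owner in the comment, as the changelog does, would also help the next backporter, e.g. `/* mntdata is now owned by vol_list (vi->mntdata) */`.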
@@ -4786,9 +4788,13 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
vol->prepath = NULL;
out:
- free_xid(xid);
cifs_try_adding_channels(ses);
- return mount_setup_tlink(cifs_sb, ses, tcon);
+ rc = mount_setup_tlink(cifs_sb, ses, tcon);
+ if (rc)
+ goto error;
+
+ free_xid(xid);
+ return rc;
error:
kfree(ref_path);
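Review bot: with the new `goto error` after mount_setup_tlink(), the error: label now runs on a path that previously only returned, so every kfree() in that label (kfree(ref_path) is visible here, and the changelog names kfree(mntdata) and kfree(cifs_sb->origin_fullpath)) must be safe against a pointer that was already freed or handed off earlier in the DFS code; the first hunk handles mntdata, so please double-check that ref_path and full_path are NULL, not merely freed, on every path that reaches out:. Moving free_xid(xid) below the tlink setup is required for the same reason, since mount_put_conns() in the label consumes xid (see the next hunk). Minor: `return rc;` after `if (rc) goto error;` is always `return 0;`, and writing it that way makes the success path explicit.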
@@ -4820,9 +4826,12 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *vol)
goto error;
}
- free_xid(xid);
+ rc = mount_setup_tlink(cifs_sb, ses, tcon);
+ if (rc)
+ goto error;
- return mount_setup_tlink(cifs_sb, ses, tcon);
+ free_xid(xid);
+ return rc;
error:
mount_put_conns(cifs_sb, xid, server, ses, tcon);
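Review bot: this non-DFS variant mirrors the previous hunk and is correct as far as xid goes, because mount_put_conns() in the error: label takes xid, so free_xid() has to stay after the new `goto error`. Two small points: `return rc;` here is always `return 0;` and could be spelled that way in both copies, and a one-line comment at the `goto error` saying that this is the path that releases server/ses/tcon when tlink setup fails (the module reference held by the cifsd thread that the commit message describes) would make the two near-identical hunks easier to tell apart in future backports.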
--
2.50.1
* Re: [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
From: Vasiliy Kovalev @ 2026-04-23 14:41 UTC (permalink / raw)
To: Sasha Levin, Greg Kroah-Hartman; +Cc: stable, lvc-project
v1 of "cifs: Fix connections leak when tlink setup failed"
(CVE-2022-49822) is currently in queue-5.10:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/5.10&id=685f89e4d2b45768ca796eb22ec1a553fecbdf05

Please drop it and apply v2 instead. v1 introduces a double-free for
mntdata on the new goto error path from mount_setup_tlink() failure:
after a successful dfs_cache_add_vol() the pointer is owned by vol_list
(vi->mntdata), but the error: label still calls kfree(mntdata). v2 NULLs
out mntdata after the ownership transfer.

v1: https://lore.kernel.org/all/20260421132612.38517-1-kovalev@altlinux.org/
v2: https://lore.kernel.org/all/20260423140245.195039-1-kovalev@altlinux.org/

Sorry for the churn.

On 4/23/26 17:02, Vasiliy Kovalev wrote:
> ---
> v2: address mntdata double-free flagged by sashiko-bot review [1].
> - NULL out mntdata after dfs_cache_add_vol() in the DFS branch of
> cifs_mount(); otherwise the new goto error from mount_setup_tlink()
> failure hits kfree(mntdata) in the error: label while the pointer
> is already owned by vol_list (vi->mntdata set in dfs_cache_add_vol).
>
> The second concern raised by sashiko-bot (UAF on
> cifs_sb->origin_fullpath via cifs_kill_sb()) does not apply to 5.10.y:
> cifs_smb3_do_mount() handles cifs_mount() failure via the out_free
> label, which kfree()s cifs_sb directly without calling cifs_umount(),
> so the kfree(cifs_sb->origin_fullpath) in the error: label is the
> only release on this path and must stay.
>
> [1] https://sashiko.dev/#/patchset/20260421132612.38517-1-kovalev%40altlinux.org
--
Thanks,
Vasiliy
* Re: [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
From: Sasha Levin @ 2026-04-23 18:59 UTC (permalink / raw)
To: Vasiliy Kovalev
Cc: Sasha Levin, Greg Kroah-Hartman, stable, Steve French, linux-cifs,
samba-technical, lvc-project
On Thu, Apr 23, 2026 at 05:41:12PM +0300, Vasiliy Kovalev wrote:
> v1 of "cifs: Fix connections leak when tlink setup failed"
> (CVE-2022-49822) is currently in queue-5.10:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/5.10&id=685f89e4d2b45768ca796eb22ec1a553fecbdf05
>
> Please drop it and apply v2 instead. v1 introduces a double-free for
> mntdata on the new goto error path from mount_setup_tlink() failure:
> after a successful dfs_cache_add_vol() the pointer is owned by vol_list
> (vi->mntdata), but the error: label still calls kfree(mntdata). v2 NULLs
> out mntdata after the ownership transfer.
I've dropped v1 from pending-5.10 and queued v2 in its place.
--
Thanks,
Sasha