From: Vasiliy Kovalev <kovalev@altlinux.org>
To: Sasha Levin <sashal@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
Date: Thu, 23 Apr 2026 17:41:12 +0300
Message-ID: <83e432c2-8749-aca3-b5c8-ea89edc75ae9@basealt.ru>
In-Reply-To: <20260423140245.195039-1-kovalev@altlinux.org>

v1 of "cifs: Fix connections leak when tlink setup failed"
(CVE-2022-49822) is currently in queue-5.10:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/5.10&id=685f89e4d2b45768ca796eb22ec1a553fecbdf05

Please drop it and apply v2 instead. v1 introduces a double-free for
mntdata on the new goto error path from mount_setup_tlink() failure:
after a successful dfs_cache_add_vol() the pointer is owned by vol_list
(vi->mntdata), but the error: label still calls kfree(mntdata). v2 NULLs
out mntdata after the ownership transfer.

v1: https://lore.kernel.org/all/20260421132612.38517-1-kovalev@altlinux.org/
v2: https://lore.kernel.org/all/20260423140245.195039-1-kovalev@altlinux.org/

Sorry for the churn.

On 4/23/26 17:02, Vasiliy Kovalev wrote:
> ---
> v2: address mntdata double-free flagged by sashiko-bot review [1].
> - NULL out mntdata after dfs_cache_add_vol() in the DFS branch of
> cifs_mount(); otherwise the new goto error from mount_setup_tlink()
> failure hits kfree(mntdata) in the error: label while the pointer
> is already owned by vol_list (vi->mntdata set in dfs_cache_add_vol).
>
> The second concern raised by sashiko-bot (UAF on
> cifs_sb->origin_fullpath via cifs_kill_sb()) does not apply to 5.10.y:
> cifs_smb3_do_mount() handles cifs_mount() failure via the out_free
> label, which kfree()s cifs_sb directly without calling cifs_umount(),
> so the kfree(cifs_sb->origin_fullpath) in the error: label is the
> only release on this path and must stay.
>
> [1] https://sashiko.dev/#/patchset/20260421132612.38517-1-kovalev%40altlinux.org
--
Thanks,
Vasiliy
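
The ownership problem described in the message above, as an added user-space model (not code from the patch, the kernel, or the author): it counts how often mntdata is released on the mount_setup_tlink() failure path with and without NULLing the local pointer after the transfer. The `model_*` names are hypothetical, and the model assumes the vol_list owner frees vi->mntdata when its entry is torn down.

```c
/* Constructed user-space model of the mntdata ownership bug; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
struct vol_info { char *mntdata; };  /* models the vol_list entry (vi->mntdata) */
static int releases;                 /* times the buffer was handed to kfree() */

/* Stand-in for kfree(): counts releases instead of freeing; NULL is a no-op. */
static void model_kfree(void *p)
{
    if (p) releases++;
}

/* Models dfs_cache_add_vol(): on success the list entry owns mntdata. */
static int model_add_vol(struct vol_info *vi, char *mntdata)
{
    vi->mntdata = mntdata;
    return 0;
}

/* Models the DFS branch of cifs_mount(). Returns how many times mntdata
 * was released once the (assumed) vol_list teardown has also run. */
static int model_mount(int null_after_transfer, int tlink_fails)
{
    struct vol_info vi = { NULL };
    char *mntdata = malloc(16), *real = mntdata;
    int rc;
    releases = 0;
    rc = model_add_vol(&vi, mntdata);
    if (rc)
        goto error;
    if (null_after_transfer)
        mntdata = NULL;              /* v2: local no longer owns the buffer */
    rc = tlink_fails ? -1 : 0;       /* models mount_setup_tlink() failing */
    if (rc)
        goto error;
    goto teardown;
error:
    model_kfree(mntdata);            /* what the error: label does */
teardown:
    model_kfree(vi.mntdata);         /* assumed: owner frees vi->mntdata later */
    free(real);                      /* the one real release in this model */
    return releases;
}

int main(void)
{
    printf("v1: %d releases, v2: %d releases\n", model_mount(0, 1), model_mount(1, 1));
    return 0;
}
```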