From: Vasiliy Kovalev
Date: Thu, 23 Apr 2026 17:41:12 +0300
Subject: Re: [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
To: Sasha Levin, Greg Kroah-Hartman
Cc: stable@vger.kernel.org, lvc-project@linuxtesting.org
Message-ID: <83e432c2-8749-aca3-b5c8-ea89edc75ae9@basealt.ru>
In-Reply-To: <20260423140245.195039-1-kovalev@altlinux.org>
References: <20260423140245.195039-1-kovalev@altlinux.org>
X-Mailing-List: stable@vger.kernel.org

v1 of "cifs: Fix connections leak when tlink setup failed" (CVE-2022-49822)
is currently in queue-5.10:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/5.10&id=685f89e4d2b45768ca796eb22ec1a553fecbdf05

Please drop it and apply v2 instead.

v1 introduces a double-free for mntdata on the new goto error path from
mount_setup_tlink() failure: after a successful dfs_cache_add_vol() the
pointer is owned by vol_list (vi->mntdata), but the error: label still
calls kfree(mntdata). v2 NULLs out mntdata after the ownership transfer.

v1: https://lore.kernel.org/all/20260421132612.38517-1-kovalev@altlinux.org/
v2: https://lore.kernel.org/all/20260423140245.195039-1-kovalev@altlinux.org/

Sorry for the churn.

On 4/23/26 17:02, Vasiliy Kovalev wrote:
> ---
> v2: address mntdata double-free flagged by sashiko-bot review [1].
>   - NULL out mntdata after dfs_cache_add_vol() in the DFS branch of
>     cifs_mount(); otherwise the new goto error from mount_setup_tlink()
>     failure hits kfree(mntdata) in the error: label while the pointer
>     is already owned by vol_list (vi->mntdata set in dfs_cache_add_vol).
>
> The second concern raised by sashiko-bot (UAF on
> cifs_sb->origin_fullpath via cifs_kill_sb()) does not apply to 5.10.y:
> cifs_smb3_do_mount() handles cifs_mount() failure via the out_free
> label, which kfree()s cifs_sb directly without calling cifs_umount(),
> so the kfree(cifs_sb->origin_fullpath) in the error: label is the
> only release on this path and must stay.
>
> [1] https://sashiko.dev/#/patchset/20260421132612.38517-1-kovalev%40altlinux.org

-- 
Thanks,
Vasiliy
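The ownership hand-off described above, shown as an added C example that is neither the kernel's cifs code nor part of the patch author's mail. Everything here is a constructed stand-in: kmalloc_sim()/kfree_sim() are a fixed arena whose free routine counts a second release of the same block instead of corrupting a heap, dfs_cache_add_vol_sim() and dfs_cache_del_vol_sim() model the vol_list entry taking over and later releasing mntdata, cifs_mount_sim() has only the shape of the DFS branch of cifs_mount(), and the error codes are illustrative. The point it demonstrates is why clearing the local pointer after the hand-off (v2) removes the double free that the bare goto error path (v1) produces.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the mntdata ownership hand-off, not the kernel's cifs
 * code: a fixed arena whose free routine counts a repeated release of the
 * same block instead of corrupting a heap. */
#define MAX_BLOCKS 8

struct tracked_block { unsigned char storage[64]; bool in_use; };

static struct tracked_block blocks[MAX_BLOCKS];
static int next_block;     /* arena blocks are never reused */
static int double_frees;   /* kfree_sim() calls on an already-freed block */

static void *kmalloc_sim(void)
{
	if (next_block >= MAX_BLOCKS)
		return NULL;
	blocks[next_block].in_use = true;
	return blocks[next_block++].storage;
}

static void kfree_sim(void *p)
{
	for (int i = 0; p && i < MAX_BLOCKS; i++) {   /* NULL is a no-op, like kfree() */
		if (p == blocks[i].storage) {
			if (!blocks[i].in_use)
				double_frees++;           /* second free: counted, not performed */
			blocks[i].in_use = false;
			return;
		}
	}
}

/* Stand-in for the vol_list entry (vi->mntdata) that takes over the buffer. */
static struct { void *mntdata; } vol_list;

static int dfs_cache_add_vol_sim(void *mntdata)
{
	vol_list.mntdata = mntdata;   /* ownership now belongs to vol_list */
	return 0;                     /* the model never fails here */
}

/* The owner's teardown release; under v1 this is the second free. */
static void dfs_cache_del_vol_sim(void)
{
	kfree_sim(vol_list.mntdata);
	vol_list.mntdata = NULL;
}

/* Shape of the DFS branch of cifs_mount(): 'fixed' selects the v2 behaviour,
 * 'tlink_fails' forces the mount_setup_tlink() failure that reaches error:. */
static int cifs_mount_sim(bool fixed, bool tlink_fails)
{
	void *mntdata = kmalloc_sim();
	int rc = mntdata ? dfs_cache_add_vol_sim(mntdata) : -12; /* -ENOMEM */
	if (rc)
		return rc;
	if (fixed)
		mntdata = NULL; /* v2: the local no longer owns the block */
	if (tlink_fails) {
		rc = -5; /* -EIO, as if mount_setup_tlink() had failed */
		goto error;
	}
	return 0;

error:
	kfree_sim(mntdata);        /* v1: frees a block vol_list still owns */
	dfs_cache_del_vol_sim();
	return rc;
}

static int double_frees_on_error_path(bool fixed)
{
	memset(blocks, 0, sizeof(blocks));   /* clean arena for each scenario */
	next_block = 0;
	vol_list.mntdata = NULL;
	double_frees = 0;
	(void)cifs_mount_sim(fixed, true);   /* always take the failing-tlink path */
	return double_frees;
}

static int live_blocks(void)
{
	int n = 0;   /* blocks still held after the last run; nonzero means a leak */
	for (int i = 0; i < MAX_BLOCKS; i++)
		n += blocks[i].in_use ? 1 : 0;
	return n;
}

int main(void)
{
	printf("v1: %d double free(s)\n", double_frees_on_error_path(false));
	printf("v2: %d double free(s)\n", double_frees_on_error_path(true));
	printf("blocks still live after v2 error path: %d\n", live_blocks());
	return 0;
}
```

The model keeps the owner's release on the error path because that is what makes the v1 flow a double free: once dfs_cache_add_vol() has succeeded, the only release the mount routine may still perform itself is on a pointer it still owns, which after the v2 change is NULL. The same pattern applies to any goto-error cleanup that follows a transfer of ownership into a list or cache.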