[lvc-project] [PATCH v2 5.10.y] cifs: Fix connections leak when tlink setup failed
Vasiliy Kovalev
kovalev at altlinux.org
Thu Apr 23 17:41:12 MSK 2026
v1 of "cifs: Fix connections leak when tlink setup failed"
(CVE-2022-49822) is currently in queue-5.10:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/5.10&id=685f89e4d2b45768ca796eb22ec1a553fecbdf05
Please drop it and apply v2 instead. v1 introduces a double-free for
mntdata on the new goto error path from mount_setup_tlink() failure:
after a successful dfs_cache_add_vol() the pointer is owned by vol_list
(vi->mntdata), but the error: label still calls kfree(mntdata). v2 NULLs
out mntdata after the ownership transfer.
v1: https://lore.kernel.org/all/20260421132612.38517-1-kovalev@altlinux.org/
v2: https://lore.kernel.org/all/20260423140245.195039-1-kovalev@altlinux.org/
Sorry for the churn.
On 4/23/26 17:02, Vasiliy Kovalev wrote:
> ---
> v2: address mntdata double-free flagged by sashiko-bot review [1].
> - NULL out mntdata after dfs_cache_add_vol() in the DFS branch of
> cifs_mount(); otherwise the new goto error from mount_setup_tlink()
> failure hits kfree(mntdata) in the error: label while the pointer
> is already owned by vol_list (vi->mntdata set in dfs_cache_add_vol).
>
> The second concern raised by sashiko-bot (UAF on
> cifs_sb->origin_fullpath via cifs_kill_sb()) does not apply to 5.10.y:
> cifs_smb3_do_mount() handles cifs_mount() failure via the out_free
> label, which kfree()s cifs_sb directly without calling cifs_umount(),
> so the kfree(cifs_sb->origin_fullpath) in the error: label is the
> only release on this path and must stay.
>
> [1] https://sashiko.dev/#/patchset/20260421132612.38517-1-kovalev%40altlinux.org
--
Thanks,
Vasiliy
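The ownership hand-off described in the message above (the cache entry takes mntdata, the error: label still frees it) is the general "free after ownership transfer" double-free pattern. The following is an added illustration written for this page, not code from the kernel or from the patch: it models dfs_cache_add_vol(), the DFS branch of cifs_mount() and the later vol_list teardown with stand-in functions (all names prefixed fake_ or tracked_ are constructed), and uses an instrumented free that counts releases per pointer instead of performing them, so the v1 behaviour is observed as a count of 2 rather than executed as undefined behaviour. The same driver runs with and without the v2 fix of NULLing the pointer after the transfer.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the vol_list entry that dfs_cache_add_vol()
 * fills in; only the field the discussion cares about is modelled. */
struct vol_info {
	char *mntdata;
};

/* Instrumented allocator: frees are counted per pointer instead of being
 * performed, so a double free shows up as a count of 2. The memory is
 * really released only by track_reset(). */
#define MAX_TRACK 8
static void *tracked[MAX_TRACK];
static int free_count[MAX_TRACK];
static int ntracked;

static void track_reset(void)
{
	for (int i = 0; i < ntracked; i++)
		free(tracked[i]);
	memset(free_count, 0, sizeof(free_count));
	ntracked = 0;
}

static char *tracked_strdup(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = (ntracked < MAX_TRACK) ? malloc(len) : NULL;
	if (!p)
		return NULL;
	memcpy(p, s, len);
	free_count[ntracked] = 0;
	tracked[ntracked++] = p;
	return p;
}

/* Stand-in for kfree(): kfree(NULL) is a no-op, which is exactly the
 * property the v2 fix relies on. */
static void tracked_free(void *p)
{
	for (int i = 0; p && i < ntracked; i++)
		if (tracked[i] == p)
			free_count[i]++;
}

static int frees_of(const void *p)
{
	for (int i = 0; i < ntracked; i++)
		if (tracked[i] == p)
			return free_count[i];
	return -1;
}

/* Stand-in for dfs_cache_add_vol(): on success the cache entry owns
 * mntdata (vi->mntdata), so the caller must not free it afterwards. */
static int fake_dfs_cache_add_vol(struct vol_info *vi, char *mntdata)
{
	vi->mntdata = mntdata;
	return 0;
}

/* Stand-in for the DFS branch of cifs_mount(). tlink_fails models
 * mount_setup_tlink() failing after the cache already owns mntdata;
 * null_after_transfer selects v1 (false) or v2 (true) behaviour. */
static int fake_cifs_mount(struct vol_info *vi, bool tlink_fails,
			   bool null_after_transfer)
{
	int rc;
	/* constructed mount option string standing in for the real mntdata */
	char *mntdata = tracked_strdup("vers=3.0,sec=ntlmssp");
	if (!mntdata)
		return -ENOMEM;

	rc = fake_dfs_cache_add_vol(vi, mntdata);
	if (rc)
		goto error;
	if (null_after_transfer)
		mntdata = NULL;	/* v2: ownership has moved to vol_list */

	if (tlink_fails) {
		rc = -EIO;	/* the new goto error on tlink setup failure */
		goto error;
	}
	return 0;

error:
	tracked_free(mntdata);	/* the error: label's kfree(mntdata) */
	return rc;
}

/* Stand-in for the vol_list entry being torn down later on. */
static void fake_vol_info_release(struct vol_info *vi)
{
	tracked_free(vi->mntdata);
	vi->mntdata = NULL;
}

/* Runs the tlink-failure path and reports how many times the option
 * buffer was freed in total: 2 reproduces the v1 double free, 1 is right. */
int frees_on_tlink_failure(bool null_after_transfer)
{
	struct vol_info vi = { 0 };
	track_reset();
	fake_cifs_mount(&vi, true, null_after_transfer);
	void *buf = tracked[0];
	fake_vol_info_release(&vi);
	int n = frees_of(buf);
	track_reset();
	return n;
}

int main(void)
{
	printf("v1 frees: %d\n", frees_on_tlink_failure(false)); /* 2 */
	printf("v2 frees: %d\n", frees_on_tlink_failure(true));  /* 1 */
	return 0;
}
```

The point the model makes visible is that the fix is not in the error: label but at the transfer: once a callee has stored the pointer in a longer-lived structure, the local variable must stop naming it, and kfree(NULL) being a no-op lets the shared error path stay unchanged for the branches that never reached the transfer.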