From: Henrique Carvalho <henrique.carvalho@suse.com> stable inclusion from stable-v6.6.118 commit 64332afa9f769135972021b8f2b06b089f024068 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12599 CVE: CVE-2025-40328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in smb2_close_cached_fid()") was an incomplete backport and missed one kref_put() call in cfids_invalidation_worker() that should have been converted to close_cached_dir(). Fixes: cb52d9c86d70 ("smb: client: fix potential UAF in smb2_close_cached_fid()")" Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com> --- fs/smb/client/cached_dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/smb/client/cached_dir.c b/fs/smb/client/cached_dir.c index 6b42d7c2ef4a..44bc04c939f7 100644 --- a/fs/smb/client/cached_dir.c +++ b/fs/smb/client/cached_dir.c @@ -686,11 +686,11 @@ static void cfids_invalidation_worker(struct work_struct *work) spin_unlock(&cfids->cfid_list_lock); list_for_each_entry_safe(cfid, q, &entry, entry) { list_del(&cfid->entry); /* Drop the ref-count acquired in invalidate_all_cached_dirs */ - kref_put(&cfid->refcount, smb2_close_cached_fid); + close_cached_dir(cfid); } } static void cfids_laundromat_worker(struct work_struct *work) { -- 2.34.3