
From: Makar Semyonov <m.semenov@tssltd.ru> mainline inclusion from mainline-v6.17-rc4 commit 70bccd9855dae56942f2b18a08ba137bb54093a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXW3 CVE: CVE-2025-39838 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash. This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and returns NULL early to prevent dereferencing NULL pointer. Found by Linux Verification Center (linuxtesting.org) with SVACE Signed-off-by: Makar Semyonov <m.semenov@tssltd.ru> Cc: stable@vger.kernel.org Signed-off-by: Steve French <stfrench@microsoft.com> Conflicts: fs/cifs/cifs_unicode.c fs/smb/client/cifs_unicode.c [Code move to fs/smb dirctory in mainline] Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/cifs/cifs_unicode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c index 7932e20555d2..47e38cf7ef89 100644 --- a/fs/cifs/cifs_unicode.c +++ b/fs/cifs/cifs_unicode.c @@ -633,6 +633,9 @@ cifs_strndup_to_utf16(const char *src, const int maxlen, int *utf16_len, int len; __le16 *dst; + if (!src) + return NULL; + len = cifs_local_to_utf16_bytes(src, maxlen, cp); len += 2; /* NULL */ dst = kmalloc(len, GFP_KERNEL); -- 2.39.2
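Review bot: the early `return NULL;` added before `len = cifs_local_to_utf16_bytes(src, maxlen, cp);` only removes the crash if every caller of cifs_strndup_to_utf16 treats a NULL return as a failure; the description says __cifs_sfu_make_node passes NULL through unchecked, so please confirm that path (and the other callers) checks the result rather than handing a NULL buffer on, since NULL is also what the `dst = kmalloc(len, GFP_KERNEL);` failure path yields. A one-line comment above the new check, for example `/* src may be NULL; callers must handle a NULL return */`, would document why a conversion helper silently accepts a NULL input instead of treating it as a caller bug.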