From: Shuhao Fu <sfual@cse.ust.hk> mainline inclusion from mainline-v6.18-rc2 commit c2b77f42205ef485a647f62082c442c1cd69d3fc category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/7767 CVE: CVE-2025-40103 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Fix three refcount inconsistency issues related to `cifs_sb_tlink`. Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks. Fixes: 8ceb98437946 ("CIFS: Move rename to ops struct") Fixes: 2f1afe25997f ("cifs: Use smb 2 - 3 and cifsacl mount options getacl functions") Fixes: 366ed846df60 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function") Cc: stable@vger.kernel.org Signed-off-by: Shuhao Fu <sfual@cse.ust.hk> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com> --- fs/smb/client/inode.c | 6 ++++-- fs/smb/client/smb2ops.c | 8 ++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c index 84d35a7c4e3b..108f5963e786 100644 --- a/fs/smb/client/inode.c +++ b/fs/smb/client/inode.c @@ -2305,12 +2305,14 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry, if (IS_ERR(tlink)) return PTR_ERR(tlink); tcon = tlink_tcon(tlink); server = tcon->ses->server; - if (!server->ops->rename) - return -ENOSYS; + if (!server->ops->rename) { + rc = -ENOSYS; + goto do_rename_exit; + } /* try path-based rename first */ rc = server->ops->rename(xid, tcon, from_dentry, from_path, to_path, cifs_sb); diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index c19643a37fa0..4950fa4550ae 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c 
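Review bot: The new early exit in cifs_do_rename depends on an invariant the code never states: once cifs_sb_tlink() has succeeded, every path has to leave through `do_rename_exit`. Nothing near the `if (!server->ops->rename)` check says so, and the direct `return -ENOSYS` being replaced is the kind of slip a short comment prevents. I would add `/* tlink reference held from here on: exit via do_rename_exit, never return directly */` right after the IS_ERR(tlink) check. The label lies outside the hunk, so the claim that it calls cifs_put_tlink() is inferred from the commit message rather than visible here.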
@@ -3064,12 +3064,11 @@ get_smb2_acl_by_path(struct cifs_sb_info *cifs_sb, xid = get_xid(); utf16_path = cifs_convert_path_to_utf16(path, cifs_sb); if (!utf16_path) { rc = -ENOMEM; - free_xid(xid); - return ERR_PTR(rc); + goto put_tlink; } oparms = (struct cifs_open_parms) { .tcon = tcon, .path = path, @@ -3097,10 +3096,11 @@ get_smb2_acl_by_path(struct cifs_sb_info *cifs_sb, fid.volatile_fid, (void **)&pntsd, pacllen, info); SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); } +put_tlink: cifs_put_tlink(tlink); free_xid(xid); cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen); if (rc) @@ -3137,12 +3137,11 @@ set_smb2_acl(struct smb_ntsd *pnntsd, __u32 acllen, access_flags |= WRITE_DAC; utf16_path = cifs_convert_path_to_utf16(path, cifs_sb); if (!utf16_path) { rc = -ENOMEM; - free_xid(xid); - return rc; + goto put_tlink; } oparms = (struct cifs_open_parms) { .tcon = tcon, .desired_access = access_flags, @@ -3159,10 +3158,11 @@ set_smb2_acl(struct smb_ntsd *pnntsd, __u32 acllen, rc = SMB2_set_acl(xid, tlink_tcon(tlink), fid.persistent_fid, fid.volatile_fid, pnntsd, acllen, aclflag); SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); } +put_tlink: cifs_put_tlink(tlink); free_xid(xid); return rc; } -- 2.34.3
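Review bot: In get_smb2_acl_by_path the new `put_tlink:` label sits above `cifs_dbg(FYI, "%s: rc = %d ACL len %d\n", __func__, rc, *pacllen);`, so the -ENOMEM path that used to return early now reads `*pacllen` before any visible code has written it. If a caller passes an uninitialised length, the debug line prints an indeterminate value; whether callers initialise it cannot be seen from this page. Printing the length only on success would avoid that, for example by passing `rc ? 0 : *pacllen` as the last argument. The function body starts and ends outside these hunks. The matching change in set_smb2_acl shows no such print after its label.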