From: Michael Bommarito <michael.bommarito@gmail.com>

mainline inclusion
from mainline-v7.1-rc1
commit a55a60886e612bedb0e9a402ba0dca544c4c6a51
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14459
CVE: CVE-2026-31709

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

After validate_dacl() was factored out in commit 149822e5541c, the local
end_of_dacl in parse_dacl() is only read by the dump_ace() call under
#ifdef CONFIG_CIFS_DEBUG2. With CIFS_DEBUG2 off the variable is assigned
but never used, which gcc -W=1 flags as -Wunused-but-set-variable.

Remove the local and compute the end-of-dacl pointer inline at the
single call site inside the existing CIFS_DEBUG2 guard.

No functional change: when CIFS_DEBUG2 is enabled the argument value is
identical to what the removed local carried; when CIFS_DEBUG2 is
disabled the code was already dead.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604220046.tGkRxVtS-lkp@intel.com/
Fixes: 149822e5541c ("smb: client: validate the whole DACL before rewriting it in cifsacl")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Steve French <stfrench@microsoft.com>

Conflicts:
	fs/smb/client/cifsacl.c
[Commit 62e7dd0a39c2 ("smb: common: change the data type of num_aces to
le16") changes the data type of num_aces to le16; commit 2757ad3e4b6f
("smb: client: require a full NFS mode SID before reading mode bits")
adds a check of num_subauth.]
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
--- fs/smb/client/cifsacl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c index d53923fe33a5..03e447214eb9 100644 --- a/fs/smb/client/cifsacl.c +++ b/fs/smb/client/cifsacl.c 
@@ -836,7 +836,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, int i; int num_aces = 0; int acl_size; - char *acl_base, *end_of_dacl; + char *acl_base; struct smb_ace **ppace; /* BB need to add parm so we can store the SID BB */ @@ -860,7 +860,6 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, user/group/other have no permissions */ fattr->cf_mode &= ~(0777); - end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size); acl_base = (char *)pdacl; acl_size = sizeof(struct smb_acl); @@ -877,7 +876,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, ppace[i] = (struct smb_ace *) (acl_base + acl_size); #ifdef CONFIG_CIFS_DEBUG2 - dump_ace(ppace[i], end_of_dacl); + dump_ace(ppace[i], + (char *)pdacl + le16_to_cpu(pdacl->size)); #endif if (mode_from_special_sid && (compare_sids(&(ppace[i]->sid), -- 2.52.0
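
Review bot: In the hunk at @@ -860,7 +860,6, removing `end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);` leaves no non-debug reference to the DACL's own size in the visible lines of parse_dacl(), so the ACE walk that starts from `acl_base` and `acl_size` right below it reads as unbounded to anyone who does not know the history. If parse_dacl() relies on validate_dacl() for that bound, as the commit message implies, a one-line comment at this spot stating that precondition would document why no local end pointer is needed.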
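
Review bot: In the hunk at @@ -877,7 +876,8, the dump_ace() argument open-codes `(char *)pdacl + le16_to_cpu(pdacl->size)` inside the per-ACE loop, so under CONFIG_CIFS_DEBUG2 the end-of-DACL pointer is re-derived on every iteration and the bound no longer has a name. Keeping the original local and marking it `__maybe_unused` would silence -Wunused-but-set-variable just as well, keep the call on one line, and leave a single named place where the bound is computed.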