- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] ubi: Fix possible null-ptr-deref in ubi_free_volume()
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from stable-v4.19.276 commit 45b2c5ca4d2edae70f19fdb086bd927840c4c309 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12950 CVE: CVE-2023-54087 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c15859bfd326c10230f09cb48a17f8a35f190342 ] It willl cause null-ptr-deref in the following case: uif_init() ubi_add_volume() cdev_add() -> if it fails, call kill_volumes() device_register() kill_volumes() -> if ubi_add_volume() fails call this function ubi_free_volume() cdev_del() device_unregister() -> trying to delete a not added device, it causes null-ptr-deref So in ubi_free_volume(), it delete devices whether they are added or not, it will causes null-ptr-deref. Handle the error case whlie calling ubi_add_volume() to fix this problem. If add volume fails, set the corresponding vol to null, so it can not be accessed in kill_volumes() and release the resource in ubi_add_volume() error path. Fixes: 801c135ce73d ("UBI: Unsorted Block Images") Suggested-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Reviewed-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Richard Weinberger <richard(a)nod.at> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- drivers/mtd/ubi/build.c | 1 + drivers/mtd/ubi/vmt.c | 12 ++++++------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index df888c34499e..3e7e5b51eafd 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -478,10 +478,11 @@ static int uif_init(struct ubi_device *ubi) for (i = 0; i < ubi->vtbl_slots; i++) if (ubi->volumes[i]) { err = ubi_add_volume(ubi, ubi->volumes[i]); if (err) { ubi_err(ubi, "cannot add volume %d", i); + ubi->volumes[i] = NULL; goto out_volumes; } } return 0; diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c index 405cc5289d89..c5dec58846ce 100644 --- a/drivers/mtd/ubi/vmt.c +++ b/drivers/mtd/ubi/vmt.c @@ -593,29 +593,29 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol) dev = MKDEV(MAJOR(ubi->cdev.dev), vol->vol_id + 1); err = cdev_add(&vol->cdev, dev, 1); if (err) { ubi_err(ubi, "cannot add character device for volume %d, error %d", vol_id, err); + vol_release(&vol->dev); return err; } vol->dev.release = vol_release; vol->dev.parent = &ubi->dev; vol->dev.devt = dev; vol->dev.class = &ubi_class; vol->dev.groups = volume_dev_groups; dev_set_name(&vol->dev, "%s_%d", ubi->ubi_name, vol->vol_id); err = device_register(&vol->dev); - if (err) - goto out_cdev; + if (err) { + cdev_del(&vol->cdev); + put_device(&vol->dev); + return err; + } self_check_volumes(ubi); return err; - -out_cdev: - cdev_del(&vol->cdev); - return err; } /** * ubi_free_volume - free volume. * @ubi: UBI device description object -- 2.34.3

2 1

[PATCH OLK-6.6] cifs: Fix establishing NetBIOS session for SMB2+ connection
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Pali Rohár <pali(a)kernel.org> stable inclusion from stable-v6.6.93 commit ee68e068cf92f8192ef61557789a6bb7f4b49ce0 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8333 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 781802aa5a5950f99899f13ff9d760f5db81d36d ] Function ip_rfc1001_connect() which establish NetBIOS session for SMB connections, currently uses smb_send() function for sending NetBIOS Session Request packet. This function expects that the passed buffer is SMB packet and for SMB2+ connections it mangles packet header, which breaks prepared NetBIOS Session Request packet. Result is that this function send garbage packet for SMB2+ connection, which SMB2+ server cannot parse. That function is not mangling packets for SMB1 connections, so it somehow works for SMB1. Fix this problem and instead of smb_send(), use smb_send_kvec() function which does not mangle prepared packet, this function send them as is. Just API of this function takes struct msghdr (kvec) instead of packet buffer. [MS-SMB2] specification allows SMB2 protocol to use NetBIOS as a transport protocol. NetBIOS can be used over TCP via port 139. So this is a valid configuration, just not so common. And even recent Windows versions (e.g. Windows Server 2022) still supports this configuration: SMB over TCP port 139, including for modern SMB2 and SMB3 dialects. This change fixes SMB2 and SMB3 connections over TCP port 139 which requires establishing of NetBIOS session. Tested that this change fixes establishing of SMB2 and SMB3 connections with Windows Server 2022. Signed-off-by: Pali Rohár <pali(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- fs/smb/client/cifsproto.h | 3 +++ fs/smb/client/connect.c | 20 +++++++++++++++----- fs/smb/client/transport.c | 2 +- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/fs/smb/client/cifsproto.h b/fs/smb/client/cifsproto.h index 7f97e5468652..858492220437 100644 --- a/fs/smb/client/cifsproto.h +++ b/fs/smb/client/cifsproto.h @@ -29,10 +29,13 @@ extern void cifs_buf_release(void *); extern struct smb_hdr *cifs_small_buf_get(void); extern void cifs_small_buf_release(void *); extern void free_rsp_buf(int, void *); extern int smb_send(struct TCP_Server_Info *, struct smb_hdr *, unsigned int /* length */); +extern int smb_send_kvec(struct TCP_Server_Info *server, + struct msghdr *msg, + size_t *sent); extern unsigned int _get_xid(void); extern void _free_xid(unsigned int); #define get_xid() \ ({ \ unsigned int __xid = _get_xid(); \ diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 23e0b902239a..3eae50bfdb6b 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -3049,12 +3049,14 @@ ip_rfc1001_connect(struct TCP_Server_Info *server) * some servers require RFC1001 sessinit before sending * negprot - BB check reconnection in case where second * sessinit is sent but no second negprot */ struct rfc1002_session_packet req = {}; - struct smb_hdr *smb_buf = (struct smb_hdr *)&req; + struct msghdr msg = {}; + struct kvec iov = {}; unsigned int len; + size_t sent; req.trailer.session_req.called_len = sizeof(req.trailer.session_req.called_name); if (server->server_RFC1001_name[0] != 0) rfc1002mangle(req.trailer.session_req.called_name, @@ -3079,23 +3081,31 @@ ip_rfc1001_connect(struct TCP_Server_Info *server) /* * As per rfc1002, @len must be the number of bytes that follows the * length field of a rfc1002 session request payload. */ - len = sizeof(req) - offsetof(struct rfc1002_session_packet, trailer.session_req); + len = sizeof(req.trailer.session_req); + req.type = RFC1002_SESSION_REQUEST; + req.flags = 0; + req.length = cpu_to_be16(len); + len += offsetof(typeof(req), trailer.session_req); + iov.iov_base = &req; + iov.iov_len = len; + iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, &iov, 1, len); + rc = smb_send_kvec(server, &msg, &sent); + if (rc < 0 || len != sent) + return (rc == -EINTR || rc == -EAGAIN) ? rc : -ECONNABORTED; - smb_buf->smb_buf_length = cpu_to_be32((RFC1002_SESSION_REQUEST << 24) | len); - rc = smb_send(server, smb_buf, len); /* * RFC1001 layer in at least one server requires very short break before * negprot presumably because not expecting negprot to follow so fast. * This is a simple solution that works without complicating the code * and causes no significant slowing down on mount for everyone else */ usleep_range(1000, 2000); - return rc; + return 0; } static int generic_ip_connect(struct TCP_Server_Info *server) { diff --git a/fs/smb/client/transport.c b/fs/smb/client/transport.c index 8f045db44319..1d796400680c 100644 --- a/fs/smb/client/transport.c +++ b/fs/smb/client/transport.c @@ -177,11 +177,11 @@ delete_mid(struct mid_q_entry *mid) * @sent: amount of data sent on socket is stored here * * Our basic "send data to server" function. Should be called with srv_mutex * held. The caller is responsible for handling the results. */ -static int +int smb_send_kvec(struct TCP_Server_Info *server, struct msghdr *smb_msg, size_t *sent) { int rc = 0; int retries = 0; -- 2.34.3

2 1

[PATCH v2 openEuler-1.0-LTS 0/4] add mcs support for migrate pages
by Wupeng Ma 07 Jan '26

07 Jan '26

Backport the following patches for OLK-5.10: - e14f9d96acb7 mm/memory-failure: support disabling soft offline for HugeTLB pages - 2f0c01a690d1 mm/memory-failure: userspace controls soft-offlining pages - 9bb3fd60f91e arm64: mm: Add copy mc support for all migrate_page - 45dbef4c04f6 mm: page_eject: Add mc support during offline page - b7f5b9ef641a mm: Update PF_COREDUMP_MCS to PF_MCS - 17d08829674a mm/hwpoison: add migrate_page_mc_extra() - c10a520c4102 mm/hwpoison: introduce copy_mc_highpages - d689cd1c1479 mm/hwpoison: arm64: introduce copy_mc_highpage Add mcs support for migrate page & support disabling soft offline for HugeTLB pages. Since UCE kernel recovery is needed by this. This should be enable with the following step: - echo 1 > /proc/sys/kernel/uce_kernel_recovery Disable soft offline support for hugetlb with the following step: - echo 3 > /proc/sys/vm/enable_soft_offline Since ARCH_ENABLE_HUGEPAGE_MIGRATION is not enabled in openeuler_defconfig in arm64. There is no need to merge soft-offining related patches. Jiaqi Yan (1): mm/memory-failure: userspace controls soft-offlining pages Kyle Meyer (1): mm/memory-failure: support disabling soft offline for HugeTLB pages Wupeng Ma (2): uce: add copy_mc_highpage{s} arm64: mm: Add copy mc support for migrate_page .../ABI/testing/sysfs-memory-page-offline | 3 + include/linux/highmem.h | 55 +++++++++++++ include/linux/mm.h | 1 + kernel/sysctl.c | 9 +++ mm/memory-failure.c | 25 +++++- mm/migrate.c | 79 ++++++++++++++++--- 6 files changed, 162 insertions(+), 10 deletions(-) -- 2.43.0

2 5

[PATCH OLK-5.10] smb: client: fix memory leak in cifs_construct_tcon()
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Paulo Alcantara <pc(a)manguebit.org> mainline inclusion from mainline-v6.18 commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11577 CVE: CVE-2025-68295 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak: mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... su - testuser cifscreds add -d ZELDA -u testuser ... ls /mnt/1 ... umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak unreferenced object 0xffff8881203c3f08 (size 8): comm "ls", pid 5060, jiffies 4307222943 hex dump (first 8 bytes): 5a 45 4c 44 41 00 cc cc ZELDA... backtrace (crc d109a8cf): __kmalloc_node_track_caller_noprof+0x572/0x710 kstrdup+0x3a/0x70 cifs_sb_tlink+0x1209/0x1770 [cifs] cifs_get_fattr+0xe1/0xf50 [cifs] cifs_get_inode_info+0xb5/0x240 [cifs] cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] cifs_getattr+0x28e/0x450 [cifs] vfs_getattr_nosec+0x126/0x180 vfs_statx+0xf6/0x220 do_statx+0xab/0x110 __x64_sys_statx+0xd5/0x130 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser") Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Reviewed-by: David Howells <dhowells(a)redhat.com> Cc: Jay Shin <jaeshin(a)redhat.com> Cc: stable(a)vger.kernel.org Cc: linux-cifs(a)vger.kernel.org Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/client/connect.c fs/cifs/connect.c [The code has been refactored multiple times.] Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- fs/cifs/connect.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 287230b70e51..f779f1f4593d 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -5219,10 +5219,11 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid) if (cap_unix(ses)) reset_cifs_unix_caps(0, tcon, NULL, vol_info); out: kfree(vol_info->username); + kfree(vol_info->domainname); kfree_sensitive(vol_info->password); kfree(vol_info); return tcon; } -- 2.34.3

2 1

[PATCH OLK-6.6 0/2] CVE-2025-40328
by Wang Zhaolong 07 Jan '26

07 Jan '26

CVE-2025-40328 fixes Henrique Carvalho (2): smb: client: fix potential UAF in smb2_close_cached_fid() smb: client: fix incomplete backport in cfids_invalidation_worker() fs/smb/client/cached_dir.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) -- 2.34.3

2 3

[PATCH OLK-6.6] smb: client: fix memory leak in cifs_construct_tcon()
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Paulo Alcantara <pc(a)manguebit.org> stable inclusion from stable-v6.6.119 commit f62ffdfb431bdfa4b6d24233b7fd830eca0b801e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11577 CVE: CVE-2025-68295 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 upstream. When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak: mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... su - testuser cifscreds add -d ZELDA -u testuser ... ls /mnt/1 ... umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak unreferenced object 0xffff8881203c3f08 (size 8): comm "ls", pid 5060, jiffies 4307222943 hex dump (first 8 bytes): 5a 45 4c 44 41 00 cc cc ZELDA... backtrace (crc d109a8cf): __kmalloc_node_track_caller_noprof+0x572/0x710 kstrdup+0x3a/0x70 cifs_sb_tlink+0x1209/0x1770 [cifs] cifs_get_fattr+0xe1/0xf50 [cifs] cifs_get_inode_info+0xb5/0x240 [cifs] cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] cifs_getattr+0x28e/0x450 [cifs] vfs_getattr_nosec+0x126/0x180 vfs_statx+0xf6/0x220 do_statx+0xab/0x110 __x64_sys_statx+0xd5/0x130 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser") Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Reviewed-by: David Howells <dhowells(a)redhat.com> Cc: Jay Shin <jaeshin(a)redhat.com> Cc: stable(a)vger.kernel.org Cc: linux-cifs(a)vger.kernel.org Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- fs/smb/client/connect.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 23e0b902239a..c3acd5a66035 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -4196,10 +4196,11 @@ __cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid) reset_cifs_unix_caps(0, tcon, NULL, ctx); #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */ out: kfree(ctx->username); + kfree(ctx->domainname); kfree_sensitive(ctx->password); kfree(origin_fullpath); kfree(ctx); return tcon; -- 2.34.3

2 1

[PATCH OLK-6.6] cifs: fix memory leak in smb3_fs_context_parse_param error path
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> stable inclusion from stable-v6.6.118 commit 7627864dc3121f39e220f5253a227edf472de59e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11561 CVE: CVE-2025-68219 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ] Add proper cleanup of ctx->source and fc->source to the cifs_parse_mount_err error handler. This ensures that memory allocated for the source strings is correctly freed on all error paths, matching the cleanup already performed in the success path by smb3_cleanup_fs_context_contents(). Pointers are also set to NULL after freeing to prevent potential double-free issues. This change fixes a memory leak originally detected by syzbot. The leak occurred when processing Opt_source mount options if an error happened after ctx->source and fc->source were successfully allocated but before the function completed. The specific leak sequence was: 1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory 2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory 3. A subsequent error jumps to cifs_parse_mount_err 4. The old error handler freed passwords but not the source strings, causing the memory to leak. This issue was not addressed by commit e8c73eb7db0a ("cifs: client: fix memory leak in smb3_fs_context_parse_param"), which only fixed leaks from repeated fsconfig() calls but not this error path. Patch updated with minor change suggested by kernel test robot Reported-by: syzbot+87be6809ed9bf6d718e3(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3 Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") Reviewed-by: David Howells <dhowells(a)redhat.com> Signed-off-by: Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- fs/smb/client/fs_context.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index 137d03781d52..dcb619b64235 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -1722,10 +1722,14 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_parse_mount_err: kfree_sensitive(ctx->password); ctx->password = NULL; kfree_sensitive(ctx->password2); ctx->password2 = NULL; + kfree(ctx->source); + ctx->source = NULL; + kfree(fc->source); + fc->source = NULL; return -EINVAL; } int smb3_init_fs_context(struct fs_context *fc) { -- 2.34.3

2 1

[PATCH OLK-6.6] smb: client: fix potential cfid UAF in smb2_query_info_compound
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Henrique Carvalho <henrique.carvalho(a)suse.com> stable inclusion from stable-v6.6.117 commit 939c4e33005e2a56ea8fcedddf0da92df864bd3b category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11308 CVE: CVE-2025-40320 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 5c76f9961c170552c1d07c830b5e145475151600 upstream. When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitialize cfid to NULL under the replay label. Example trace (trimmed): refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace: <TASK> smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? step_into+0x10d/0x690 ? __legitimize_path+0x28/0x60 smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? kmem_cache_alloc+0x18a/0x340 ? getname_flags+0x46/0x1e0 cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] statfs_by_dentry+0x67/0x90 vfs_statfs+0x16/0xd0 user_statfs+0x54/0xa0 __do_sys_statfs+0x20/0x50 do_syscall_64+0x58/0x80 Cc: stable(a)kernel.org Fixes: 4f1fffa237692 ("cifs: commands that are retried should have replay flag set") Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Acked-by: Shyam Prasad N <sprasad(a)microsoft.com> Reviewed-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Henrique Carvalho <henrique.carvalho(a)suse.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- fs/smb/client/smb2ops.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index c19643a37fa0..43c6d2f861f4 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -2655,15 +2655,16 @@ smb2_query_info_compound(const unsigned int xid, struct cifs_tcon *tcon, u8 oplock = SMB2_OPLOCK_LEVEL_NONE; struct cifs_open_parms oparms; struct cifs_fid fid; int rc; __le16 *utf16_path; - struct cached_fid *cfid = NULL; + struct cached_fid *cfid; int retries = 0, cur_sleep = 1; replay_again: /* reinitialize for possible replay */ + cfid = NULL; flags = CIFS_CP_CREATE_CLOSE_OP; oplock = SMB2_OPLOCK_LEVEL_NONE; server = cifs_pick_channel(ses); if (!path) -- 2.34.3

2 1

[PATCH OLK-6.6] cifs: client: fix memory leak in smb3_fs_context_parse_param
by Wang Zhaolong 07 Jan '26

07 Jan '26

From: Edward Adam Davis <eadavis(a)qq.com> stable inclusion from stable-v6.6.117 commit 868fc62811d3fabcf5685e14f36377a855d5412d category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12582 CVE: CVE-2025-40268 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 upstream. The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438 Reported-by: syzbot+72afd4c236e6bc3f4bac(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac Cc: stable(a)vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- fs/smb/client/fs_context.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index 137d03781d52..cf233cb9c194 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -1359,16 +1359,18 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, goto cifs_parse_mount_err; default: cifs_errorf(fc, "Unknown error parsing devname\n"); goto cifs_parse_mount_err; } + kfree(ctx->source); ctx->source = smb3_fs_context_fullpath(ctx, '/'); if (IS_ERR(ctx->source)) { ctx->source = NULL; cifs_errorf(fc, "OOM when copying UNC string\n"); goto cifs_parse_mount_err; } + kfree(fc->source); fc->source = kstrdup(ctx->source, GFP_KERNEL); if (fc->source == NULL) { cifs_errorf(fc, "OOM when copying UNC string\n"); goto cifs_parse_mount_err; } -- 2.34.3

2 1

[PATCH OLK-6.6 0/1] mfs: remove FAROUND event for mfsd demo
by Hongbo Li 07 Jan '26

07 Jan '26

Remove FAROUND event for mfsd demo. Hongbo Li (1): mfs: remove FAROUND event for mfsd demo tools/mfs/mfsd.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -- 2.34.1

2 2