Patch "cifs: Fix cached_fid refcnt leak in open_shroot" has been added to the 5.7-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 28 Jun 2020 17:58:06 +0200

This is a note to let you know that I've just added the patch titled

    cifs: Fix cached_fid refcnt leak in open_shroot

to the 5.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-fix-cached_fid-refcnt-leak-in-open_shroot.patch
and it can be found in the queue-5.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 77577de64167aa0643d47ffbaacf3642632b321b Mon Sep 17 00:00:00 2001
From: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Date: Sat, 13 Jun 2020 20:27:09 +0800
Subject: cifs: Fix cached_fid refcnt leak in open_shroot

From: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>

commit 77577de64167aa0643d47ffbaacf3642632b321b upstream.

open_shroot() invokes kref_get(), which increases the refcount of the
"tcon->crfid" object. When open_shroot() returns not zero, it means the
open operation failed and close_shroot() will not be called to decrement
the refcount of the "tcon->crfid".

The reference counting issue happens in one normal path of
open_shroot(). When the cached root have been opened successfully in a
concurrent process, the function increases the refcount and jump to
"oshr_free" to return. However the current return value "rc" may not
equal to 0, thus the increased refcount will not be balanced outside the
function, causing a refcnt leak.

Fix this issue by setting the value of "rc" to 0 before jumping to
"oshr_free" label.

Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
CC: Stable <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/cifs/smb2ops.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -759,6 +759,7 @@ int open_shroot(unsigned int xid, struct
 			/* close extra handle outside of crit sec */
 			SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
 		}
+		rc = 0;
 		goto oshr_free;
 	}
 


Patches currently in stable-queue which might be from xiyuyang19@xxxxxxxxxxxx are

queue-5.7/cifs-fix-cached_fid-refcnt-leak-in-open_shroot.patch






