This is a note to let you know that I've just added the patch titled cifs: fix leak in cifs_smb3_do_mount() ctx to the 5.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch and it can be found in the queue-5.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 315db9a05b7a56810728589baa930864107e4634 Mon Sep 17 00:00:00 2001 From: David Disseldorp <ddiss@xxxxxxx> Date: Fri, 23 Apr 2021 00:14:03 +0200 Subject: cifs: fix leak in cifs_smb3_do_mount() ctx From: David Disseldorp <ddiss@xxxxxxx> commit 315db9a05b7a56810728589baa930864107e4634 upstream. cifs_smb3_do_mount() calls smb3_fs_context_dup() and then cifs_setup_volume_info(). The latter's subsequent smb3_parse_devname() call overwrites the cifs_sb->ctx->UNC string already dup'ed by smb3_fs_context_dup(), resulting in a leak. E.g. unreferenced object 0xffff888002980420 (size 32): comm "mount", pid 160, jiffies 4294892541 (age 30.416s) hex dump (first 32 bytes): 5c 5c 31 39 32 2e 31 36 38 2e 31 37 34 2e 31 30 \\192.168.174.10 34 5c 72 61 70 69 64 6f 2d 73 68 61 72 65 00 00 4\rapido-share.. backtrace: [<00000000069e12f6>] kstrdup+0x28/0x50 [<00000000b61f4032>] smb3_fs_context_dup+0x127/0x1d0 [cifs] [<00000000c6e3e3bf>] cifs_smb3_do_mount+0x77/0x660 [cifs] [<0000000063467a6b>] smb3_get_tree+0xdf/0x220 [cifs] [<00000000716f731e>] vfs_get_tree+0x1b/0x90 [<00000000491d3892>] path_mount+0x62a/0x910 [<0000000046b2e774>] do_mount+0x50/0x70 [<00000000ca7b64dd>] __x64_sys_mount+0x81/0xd0 [<00000000b5122496>] do_syscall_64+0x33/0x40 [<000000002dd397af>] entry_SYSCALL_64_after_hwframe+0x44/0xae This change is a bandaid until the cifs_setup_volume_info() TODO and error handling issues are resolved. Signed-off-by: David Disseldorp <ddiss@xxxxxxx> Acked-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> Reviewed-by: Paulo Alcantara (SUSE) <pc@xxxxxx> CC: <stable@xxxxxxxxxxxxxxx> # v5.11+ Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/cifs/cifsfs.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -823,6 +823,12 @@ cifs_smb3_do_mount(struct file_system_ty goto out; } + /* cifs_setup_volume_info->smb3_parse_devname() redups UNC & prepath */ + kfree(cifs_sb->ctx->UNC); + cifs_sb->ctx->UNC = NULL; + kfree(cifs_sb->ctx->prepath); + cifs_sb->ctx->prepath = NULL; + rc = cifs_setup_volume_info(cifs_sb->ctx, NULL, old_ctx->UNC); if (rc) { root = ERR_PTR(rc); Patches currently in stable-queue which might be from ddiss@xxxxxxx are queue-5.11/cifs-fix-regression-when-mounting-shares-with-prefix-paths.patch queue-5.11/cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch