kernel/fs/smb/client/fs_context.c, branch linux-rolling-lts

cifs: make default value of retrans as zero

2026-03-19T15:08:42Z

commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream. When retrans mount option was introduced, the default value was set as 1. However, in the light of some bugs that this has exposed recently we should change it to 0 and retain the old behaviour before this option was introduced. Cc: Reviewed-by: Bharath SM Signed-off-by: Shyam Prasad N Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman

cifs: Fix memory and information leak in smb3_reconfigure()

2026-01-02T11:57:04Z

[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ] In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. Fixes: 0f0e357902957 ("cifs: during remount, make sure passwords are in sync") Signed-off-by: Zilin Guan Reviewed-by: ChenXiaoSong Signed-off-by: Steve French Signed-off-by: Sasha Levin

cifs: fix memory leak in smb3_fs_context_parse_param error path

2025-11-20T09:06:25Z

Add proper cleanup of ctx->source and fc->source to the cifs_parse_mount_err error handler. This ensures that memory allocated for the source strings is correctly freed on all error paths, matching the cleanup already performed in the success path by smb3_cleanup_fs_context_contents(). Pointers are also set to NULL after freeing to prevent potential double-free issues. This change fixes a memory leak originally detected by syzbot. The leak occurred when processing Opt_source mount options if an error happened after ctx->source and fc->source were successfully allocated but before the function completed. The specific leak sequence was: 1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory 2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory 3. A subsequent error jumps to cifs_parse_mount_err 4. The old error handler freed passwords but not the source strings, causing the memory to leak. This issue was not addressed by commit e8c73eb7db0a ("cifs: client: fix memory leak in smb3_fs_context_parse_param"), which only fixed leaks from repeated fsconfig() calls but not this error path. Patch updated with minor change suggested by kernel test robot Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3 Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") Reviewed-by: David Howells Signed-off-by: Shaurya Rane Signed-off-by: Steve French

smb: fix invalid username check in smb3_fs_context_parse_param()

2025-11-11T16:01:47Z

Since the maximum return value of strnlen(..., CIFS_MAX_USERNAME_LEN) is CIFS_MAX_USERNAME_LEN, length check in smb3_fs_context_parse_param() is always FALSE and invalid. Fix the comparison in if statement. Signed-off-by: Yiqi Sun Signed-off-by: Steve French

cifs: client: fix memory leak in smb3_fs_context_parse_param

2025-11-09T23:30:17Z

The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438 Reported-by: syzbot+72afd4c236e6bc3f4bac@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac Cc: stable@vger.kernel.org Reviewed-by: Paulo Alcantara (Red Hat) Signed-off-by: Edward Adam Davis Signed-off-by: Steve French

Merge tag '6.18-rc-part1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

2025-10-03T21:13:23Z

Pull smb client updates from Steve French: - Fix oops in crypt message - Remove duplicate arc4 code - Fix potential io_uring reconnect - Two important directory leases fixes and three perf improvements - Three minor cleanups - Four debug improvements (e.g. for showing more information on leases, and one for adding more helpful information on reconnect) * tag '6.18-rc-part1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: client: force multichannel=off when max_channels=1 smb client: fix bug with newly created file in cached dir smb: client: short-circuit negative lookups when parent dir is fully cached smb: client: short-circuit in open_cached_dir_by_dentry() if !dentry smb: client: remove pointless cfid->has_lease check smb: client: transport: minor indentation style fix smb: client: transport: avoid reconnects triggered by pending task work smb: client: remove unused fid_lock smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() smb: client: ensure open_cached_dir_by_dentry() only returns valid cfid smb: client: account smb directory cache usage and per-tcon totals smb: client: add drop_dir_cache module parameter to invalidate cached dirents smb: client: show lease state as R/H/W (or NONE) in open_files smb: client: fix crypto buffers in non-linear memory smb: Use arc4 library instead of duplicate arc4 code smb: client: add tcon information to smb2_reconnect() debug messages

cifs: client: force multichannel=off when max_channels=1

2025-10-02T03:42:15Z

Previously, specifying both multichannel and max_channels=1 as mount options would leave multichannel enabled, even though it is not meaningful when only one channel is allowed. This led to confusion and inconsistent behavior, as the client would advertise multichannel capability but never establish secondary channels. Fix this by forcing multichannel to false whenever max_channels=1, ensuring the mount configuration is consistent and matches user intent. This prevents the client from advertising or attempting multichannel support when it is not possible. Signed-off-by: Rajasi Mandal Signed-off-by: Steve French

change the calling conventions for vfs_parse_fs_string()

2025-09-04T19:20:51Z

Absolute majority of callers are passing the 4th argument equal to strlen() of the 3rd one. Drop the v_size argument, add vfs_parse_fs_qstr() for the cases that want independent length. Reviewed-by: Christian Brauner Signed-off-by: Al Viro

smb: client: default to nonativesocket under POSIX mounts

2025-08-05T00:29:10Z

SMB3.1.1 POSIX mounts require sockets to be created with NFS reparse points. Cc: linux-cifs@vger.kernel.org Cc: Ralph Boehme Cc: David Howells Cc: Reported-by: Matthew Richardson Closes: https://marc.info/?i=1124e7cd-6a46-40a6-9f44-b7664a66654b@ed.ac.uk Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French

smb: client: set symlink type as native for POSIX mounts

2025-08-01T05:16:19Z

SMB3.1.1 POSIX mounts require symlinks to be created natively with IO_REPARSE_TAG_SYMLINK reparse point. Cc: linux-cifs@vger.kernel.org Cc: Ralph Boehme Cc: David Howells Cc: Reported-by: Matthew Richardson Closes: https://marc.info/?i=1124e7cd-6a46-40a6-9f44-b7664a66654b@ed.ac.uk Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: Steve French