From: Pali Rohár pali@kernel.org
[ Upstream commit a3e771afbb3bce91c8296828304903e7348003fe ]
For TRANS2 QUERY_PATH_INFO request when the path does not exist, the Windows NT SMB server returns error response STATUS_OBJECT_NAME_NOT_FOUND or ERRDOS/ERRbadfile without the SMBFLG_RESPONSE flag set. Similarly it returns STATUS_DELETE_PENDING when the file is being deleted. And looks like that any error response from TRANS2 QUERY_PATH_INFO does not have SMBFLG_RESPONSE flag set.
So relax check in check_smb_hdr() for detecting if the packet is response for this special case.
This change fixes stat() operation against Windows NT SMB servers and also all operations which depends on -ENOENT result from stat like creat() or mkdir().
Signed-off-by: Pali Rohár pali@kernel.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Sasha Levin sashal@kernel.org ---
**YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Backport Recommendation: YES ### Nature of the Fix This is a **targeted bug fix** that addresses a specific protocol compliance issue with Windows NT SMB servers. The commit fixes a fundamental problem where basic file operations (`stat()`, `creat()`, `mkdir()`) fail against Windows NT servers due to overly strict SMB header validation. ### Code Change Analysis The fix is remarkably **simple and contained** - only 8 lines of code in a single function: ```c /bin /bin.usr-is-merged /boot /dev /etc /home /init /lib /lib.usr- is-merged /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /sbin.usr-is-merged /snap /srv /sys /tmp /usr /var * Windows NT server returns error resposne (e.g. STATUS_DELETE_PENDING * or STATUS_OBJECT_NAME_NOT_FOUND or ERRDOS/ERRbadfile or any other) * for some TRANS2 requests without the RESPONSE flag set in header. */ if (smb->Command == SMB_COM_TRANSACTION2 && smb->Status.CifsError != 0) return 0; ``` The change is in the `check_smb_hdr()` function in `fs/smb/client/misc.c`, which validates SMB packet headers. The fix **relaxes validation** only for a very specific case: TRANS2 commands returning errors from Windows NT servers. ### Risk Assessment: LOW 1. **Surgical precision**: Only affects SMB1 TRANS2 error responses, leaving normal operation paths untouched 2. **Conservative approach**: The condition `smb->Status.CifsError != 0` ensures this only applies to actual error responses 3. **No behavioral changes** for compliant servers that properly set the RESPONSE flag 4. **Well-established code path**: The `check_smb_hdr()` function is mature and stable ### Impact Assessment: HIGH 1. **Fixes broken functionality**: Without this fix, basic file operations fail completely against Windows NT servers 2. **Backward compatibility**: Restores support for legacy but still-used server environments 3. **User-visible improvement**: Directly fixes `stat()`, `creat()`, and `mkdir()` operations 4. **No regressions**: Modern SMB servers continue to work as before ### Comparison with Similar Commits Looking at the provided similar commits: - **Similar Commit #2** (Status: YES): Also adds new status code mappings for better server compatibility - **Similar Commit #3** (Status: YES): Reduces unnecessary network roundtrips by improving error handling - **Similar Commit #4** (Status: YES): Fixes WSL reparse point querying over SMB1 - **Similar Commit #5** (Status: YES): Fixes missing resource cleanup This commit follows the **same pattern** as these approved backports: small, targeted fixes that improve compatibility and fix real-world issues without introducing new features or architectural changes. ### Technical Justification The Windows NT server behavior described in the commit is **non-compliant but real**: these servers return error responses for TRANS2 QUERY_PATH_INFO requests without setting the `SMBFLG_RESPONSE` flag. The current strict validation incorrectly treats these as invalid packets, causing the CIFS client to fail when it should handle the errors properly. The fix is **protocol-aware** and **conservative** - it only relaxes validation for the specific case where we know Windows NT behaves differently, ensuring no impact on standard-compliant servers. ### Stable Tree Suitability This commit perfectly fits stable tree criteria: - ✅ **Important bug fix** affecting real-world usage - ✅ **Minimal and contained** change with clear scope - ✅ **No new features** - purely fixes existing broken functionality - ✅ **Low regression risk** due to targeted nature - ✅ **Production-ready** code following established patterns This should be backported to all stable kernels that support SMB1 client functionality, as it fixes a fundamental compatibility issue without any meaningful risk of regression.
fs/cifs/misc.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index db1fcdedf289a..af9752535dbab 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c @@ -306,6 +306,14 @@ check_smb_hdr(struct smb_hdr *smb) if (smb->Command == SMB_COM_LOCKING_ANDX) return 0;
+ /* + * Windows NT server returns error resposne (e.g. STATUS_DELETE_PENDING + * or STATUS_OBJECT_NAME_NOT_FOUND or ERRDOS/ERRbadfile or any other) + * for some TRANS2 requests without the RESPONSE flag set in header. + */ + if (smb->Command == SMB_COM_TRANSACTION2 && smb->Status.CifsError != 0) + return 0; + cifs_dbg(VFS, "Server sent request, not response. mid=%u\n", get_mid(smb)); return 1;
From: Peng Fan peng.fan@nxp.com
[ Upstream commit dddbd233e67e792bb0a3f9694a4707e6be29b2c6 ]
&chan->lock is not supposed to protect 'chan->mbox'. And in __mbox_bind_client, try_module_get is also not protected by &chan->lock. So move module_put out of the lock protected region.
Signed-off-by: Peng Fan peng.fan@nxp.com Signed-off-by: Jassi Brar jassisinghbrar@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org ---
**YES** This commit should be backported to stable kernel trees. **Analysis:** 1. **Clear Bug Fix**: The commit fixes an improper use of `module_put()` under a spinlock in `mbox_free_channel()`. Looking at the current code in `/home/sasha/linux/drivers/mailbox/mailbox.c:489`, `module_put()` is called while holding `&chan->lock` with `spin_lock_irqsave()`. 2. **Locking Inconsistency**: The commit message correctly identifies that `&chan->lock` is not supposed to protect `chan->mbox`. In `__mbox_bind_client()` (line 324), `try_module_get(chan->mbox->dev->driver->owner)` is called **outside** the spinlock protection, making the current `module_put()` placement inconsistent. 3. **Minimal Risk Change**: The fix is extremely simple and low-risk - it just moves one line (`module_put()`) outside the spinlock region. This maintains the same operation order but fixes the locking issue. 4. **No Side Effects**: Moving `module_put()` outside the lock doesn't change the functionality or introduce new race conditions. The `module_put()` implementation uses `atomic_dec_if_positive()`, so it's safe to call without additional locking. 5. **Follows Stable Rules**: This commit: - Fixes a real locking issue that could potentially cause problems - Is small and contained (single line move) - Has minimal regression risk - Doesn't introduce new features or architectural changes 6. **Similar Pattern**: Looking at similar commits in the historical references, commits that fix locking issues (like Similar Commit #5 which fixed a locking bug in mailbox-test) were marked as YES for backporting. The commit addresses a legitimate kernel locking violation where `module_put()` should not be called under a spinlock, making it a suitable candidate for stable tree backporting.
drivers/mailbox/mailbox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index 6f54501dc7762..cb31ad917b352 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -459,8 +459,8 @@ void mbox_free_channel(struct mbox_chan *chan) if (chan->txdone_method == TXDONE_BY_ACK) chan->txdone_method = TXDONE_BY_POLL;
- module_put(chan->mbox->dev->driver->owner); spin_unlock_irqrestore(&chan->lock, flags); + module_put(chan->mbox->dev->driver->owner); } EXPORT_SYMBOL_GPL(mbox_free_channel);
From: Krzysztof Kozlowski krzysztof.kozlowski@linaro.org
[ Upstream commit d905d06e64b0eb3da43af6186c132f5282197998 ]
Device can be unbound, so driver must also release memory for the wakeup source.
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@linaro.org Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-3-318e14bdba0a... Signed-off-by: Lee Jones lee@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
Now let me understand the difference between the fixes - the historical commits show two patterns: 1. Using `devm_device_init_wakeup()` - automatically handles cleanup 2. Manual cleanup by calling `device_init_wakeup(dev, false)` in remove functions
Let me check if this specific commit has `Cc: stable@vger.kernel.org` in the message:
Based on my analysis of this commit and comparison with the similar historical commits, here is my assessment:
**YES**
This commit should be backported to stable kernel trees for the following reasons:
## Analysis
### **Code Change Analysis** The commit adds a single line in the `max14577_i2c_remove()` function: ```c + device_init_wakeup(max14577->dev, false); ```
This addition occurs at drivers/mfd/max14577.c:459, right before `mfd_remove_devices()` is called.
### **Bug Fix Characteristics** 1. **Memory Leak Fix**: The commit fixes a wakeup source memory leak that occurs when the device is unbound. When `device_init_wakeup(dev, true)` is called during probe (line 442), it allocates memory for wakeup source structures. Without the corresponding cleanup call, this memory is leaked on device removal.
2. **Small and Contained**: The fix is minimal - a single line addition that mirrors the cleanup pattern used throughout the kernel.
3. **Low Risk**: The change has extremely low regression risk since it only adds proper cleanup that should have been there originally.
### **Comparison with Historical Similar Commits** Looking at the provided historical commits, there are two categories:
**YES commits (backported)**: - `gpio: mpc8xxx: Fix wakeup source leaks on device unbind` - Same exact pattern and includes `Cc: stable@vger.kernel.org` - `gpio: zynq: Fix wakeup source leaks on device unbind` - Same exact pattern and includes `Cc: stable@vger.kernel.org`
**NO commits (not backported)**: - IIO driver commits that use `devm_device_init_wakeup()` instead of manual cleanup
The key difference is that the YES commits use the same fix pattern as this MFD commit - manual cleanup in the remove function, while the NO commits use the `devm_` managed approach that automatically handles cleanup.
### **Impact Assessment** - **User Impact**: Memory leaks on device unbind affect systems where MFD devices are frequently bound/unbound - **Subsystem**: MFD (Multi-Function Device) is a core kernel subsystem used by many embedded systems - **Regression Risk**: Minimal - adding proper cleanup cannot cause functional regression
### **Stable Tree Criteria Met** 1. ✅ Fixes an important bug (memory leak) 2. ✅ Small and contained change 3. ✅ No architectural changes 4. ✅ Minimal risk of regression 5. ✅ Follows established patterns seen in other backported commits
The commit follows the exact same pattern as the GPIO driver commits that were successfully backported to stable trees (commits #1 and #2 in the historical examples), making it a clear candidate for backporting.
drivers/mfd/max14577.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/max14577.c b/drivers/mfd/max14577.c index fd8864cafd25c..4d87b429a7bad 100644 --- a/drivers/mfd/max14577.c +++ b/drivers/mfd/max14577.c @@ -467,6 +467,7 @@ static int max14577_i2c_remove(struct i2c_client *i2c) { struct max14577 *max14577 = i2c_get_clientdata(i2c);
+ device_init_wakeup(max14577->dev, false); mfd_remove_devices(max14577->dev); regmap_del_irq_chip(max14577->irq, max14577->irq_data); if (max14577->dev_type == MAXIM_DEVICE_TYPE_MAX77836)
linux-stable-mirror@lists.linaro.org
-
Sasha Levin