ksmbd: fix potential use-after-free in oplock/lease break ack
commit 50f930db22365738d9387c974416f38a06e8057e upstream. If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd_fd_put could called twice. Reported-by: Ziyan Xu <research@securitygossip.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 97c355989928a5f60b228ef5266c1be67a46cdf9)
This commit is contained in:
Namjae Jeon
Wentao Guan
parent
03844d95c0
commit
33cc1bbd9c
|
|
@ -8503,11 +8503,6 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
|
|||
goto err_out;
|
||||
}
|
||||
|
||||
opinfo->op_state = OPLOCK_STATE_NONE;
|
||||
wake_up_interruptible_all(&opinfo->oplock_q);
|
||||
opinfo_put(opinfo);
|
||||
ksmbd_fd_put(work, fp);
|
||||
|
||||
rsp->StructureSize = cpu_to_le16(24);
|
||||
rsp->OplockLevel = rsp_oplevel;
|
||||
rsp->Reserved = 0;
|
||||
|
|
@ -8515,16 +8510,15 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
|
|||
rsp->VolatileFid = volatile_id;
|
||||
rsp->PersistentFid = persistent_id;
|
||||
ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_oplock_break));
|
||||
if (!ret)
|
||||
return;
|
||||
|
||||
if (ret) {
|
||||
err_out:
|
||||
smb2_set_err_rsp(work);
|
||||
}
|
||||
|
||||
opinfo->op_state = OPLOCK_STATE_NONE;
|
||||
wake_up_interruptible_all(&opinfo->oplock_q);
|
||||
|
||||
opinfo_put(opinfo);
|
||||
ksmbd_fd_put(work, fp);
|
||||
smb2_set_err_rsp(work);
|
||||
}
|
||||
|
||||
static int check_lease_state(struct lease *lease, __le32 req_state)
|
||||
|
|
@ -8654,11 +8648,6 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
|
|||
}
|
||||
|
||||
lease_state = lease->state;
|
||||
opinfo->op_state = OPLOCK_STATE_NONE;
|
||||
wake_up_interruptible_all(&opinfo->oplock_q);
|
||||
atomic_dec(&opinfo->breaking_cnt);
|
||||
wake_up_interruptible_all(&opinfo->oplock_brk);
|
||||
opinfo_put(opinfo);
|
||||
|
||||
rsp->StructureSize = cpu_to_le16(36);
|
||||
rsp->Reserved = 0;
|
||||
|
|
@ -8667,16 +8656,16 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
|
|||
rsp->LeaseState = lease_state;
|
||||
rsp->LeaseDuration = 0;
|
||||
ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_lease_ack));
|
||||
if (!ret)
|
||||
return;
|
||||
|
||||
if (ret) {
|
||||
err_out:
|
||||
smb2_set_err_rsp(work);
|
||||
}
|
||||
|
||||
opinfo->op_state = OPLOCK_STATE_NONE;
|
||||
wake_up_interruptible_all(&opinfo->oplock_q);
|
||||
atomic_dec(&opinfo->breaking_cnt);
|
||||
wake_up_interruptible_all(&opinfo->oplock_brk);
|
||||
|
||||
opinfo_put(opinfo);
|
||||
smb2_set_err_rsp(work);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in New Issue