[{"id":3683933,"web_url":"http://patchwork.ozlabs.org/comment/3683933/","msgid":"<20260429090346.GA3329611@chcpu16>","list_archive_url":null,"date":"2026-04-29T09:03:46","subject":"Re: [PATCH] ksmbd: fail share config requests when path allocation\n fails","submitter":{"id":91564,"url":"http://patchwork.ozlabs.org/api/people/91564/","name":"Shuhao Fu","email":"sfual@cse.ust.hk"},"content":"Hi,\n\nI did a live repro on a current mainline tree to confirm that the\npublished NULL share path is not just an internal invariant break and can\nfault a normal ksmbd request path.\n\nThe reproducer forced only the share path duplication failure that\nproduces the published NULL path state. No consumer-side ksmbd path was\nmodified.\n\nRepro setup:\n\n1. Start from mainline with CONFIG_SMB_SERVER=y and CONFIG_CIFS=y.\n2. Add a narrow temporary trigger in share_config_request() so that only\n   one test share forces the path duplication step to fail, leaving\n   share->path as NULL while still allowing the share to be published.\n   No consumer-side ksmbd path was modified.\n3. Boot that kernel under QEMU/KVM with a custom initramfs.\n4. In the guest, run a tiny userspace generic-netlink responder that:\n   - sends KSMBD_EVENT_STARTING_UP\n   - answers login requests as guest\n   - answers share config requests for the test share with a valid\n     export path\n   - answers tree connect requests as writable guest\n5. From the same guest, mount that test share over loopback with:\n\n   mount -t cifs //<guest-ip>/<test-share> /mnt/cifs \\\n     -o guest,vers=3.1.1,port=445,uid=0,gid=0\n\nThat mount attempt hit the expected fault path. 
The clean serial log\nshowed:\n\n  [   21.045838] CIFS: Attempting to mount //<guest-ip>/<test-share>\n  [   21.052302] BUG: kernel NULL pointer dereference, address: 0000000000000000\n  [   21.062798] RIP: 0010:strlen+0xb/0x20\n  [   21.077290]  do_getname_kernel+0x12/0xf0\n  [   21.077707]  __ksmbd_vfs_kern_path+0x89/0x390\n  [   21.078648]  smb2_open+0xa03/0x20b0\n\nThis matches the expected downstream flow:\n\n- tree connect stores the published share in tree_conn->share_conf\n- a share-root SMB2 create builds an empty pathname in smb2_open()\n- ksmbd_vfs_path_lookup() interprets that as \"use the share root\" and\n  substitutes tree_conn->share_conf->path\n- the broken published share has tree_conn->share_conf->path == NULL\n- that NULL pathname reaches do_getname_kernel()/strlen()\n\nI also did a second run with the guest netlink responder logging directly\nto the serial console. That log was noisy because the userspace prints\ninterleaved with the kernel Oops, but it still showed the login request\nand the tree connect for the test share immediately around the crash.\n\nI can provide more detail, including the temporary repro pieces and the\nserial logs, if useful.\n\nThanks,\nShuhao\n\nOn Wed, Apr 29, 2026 at 05:00:13PM +0800, Shuhao Fu wrote:\n> Non-pipe shares must have a duplicated backing path before they can be\n> published. share_config_request() currently calls kstrndup() for that\n> path, but if the allocation fails it leaves ret unchanged. If veto list\n> parsing succeeds and share->name exists, the partially built share is\n> still inserted into the global share table with share->path left NULL.\n> \n> A later share-root SMB2 create uses tree_conn->share_conf->path as the\n> lookup root. 
If the share was published with path == NULL, that request\n> passes a NULL pathname into do_getname_kernel()/strlen() and can crash\n> the ksmbd worker.\n> \n> Set ret = -ENOMEM when path duplication fails so the incomplete share is\n> destroyed before publication.\n> \n> Fixes: e2f34481b24d (\"cifsd: add server-side procedures for SMB3\")","headers":{"Date":"Wed, 29 Apr 2026 17:03:46 +0800","From":"Shuhao Fu <sfual@cse.ust.hk>","To":"Namjae Jeon <linkinjeon@kernel.org>, Steve French <smfrench@gmail.com>,\n        linux-cifs@vger.kernel.org","Cc":"Sergey Senozhatsky <senozhatsky@chromium.org>,\n Tom Talpey <tom@talpey.com>,\n        linux-kernel@vger.kernel.org","Subject":"Re: [PATCH] ksmbd: fail share config requests when path allocation\n fails","Message-ID":"<20260429090346.GA3329611@chcpu16>","References":"<20260429085956.GA3326432@chcpu16>","In-Reply-To":"<20260429085956.GA3326432@chcpu16>","List-Id":"<linux-cifs.vger.kernel.org>"}},{"id":3684060,"web_url":"http://patchwork.ozlabs.org/comment/3684060/","msgid":"<CAKYAXd9yNbrDYe9sovtQtAvEm3Jq+BkKwxP9gXmd6qWK0UXs3Q@mail.gmail.com>","list_archive_url":null,"date":"2026-04-29T13:43:06","subject":"Re: [PATCH] ksmbd: fail share config requests when path allocation\n fails","submitter":{"id":79386,"url":"http://patchwork.ozlabs.org/api/people/79386/","name":"Namjae Jeon","email":"linkinjeon@kernel.org"},"content":"On Wed, Apr 29, 2026 at 6:00 PM Shuhao Fu <sfual@cse.ust.hk> wrote:\n>\n> Non-pipe shares must have a duplicated backing path before they can be\n> published. share_config_request() currently calls kstrndup() for that\n> path, but if the allocation fails it leaves ret unchanged. If veto list\n> parsing succeeds and share->name exists, the partially built share is\n> still inserted into the global share table with share->path left NULL.\n>\n> A later share-root SMB2 create uses tree_conn->share_conf->path as the\n> lookup root. 
If the share was published with path == NULL, that request\n> passes a NULL pathname into do_getname_kernel()/strlen() and can crash\n> the ksmbd worker.\n>\n> Set ret = -ENOMEM when path duplication fails so the incomplete share is\n> destroyed before publication.\n>\n> Fixes: e2f34481b24d (\"cifsd: add server-side procedures for SMB3\")\n> Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>\nApplied it to #ksmbd-for-next-next.\nThanks!","headers":{"From":"Namjae Jeon <linkinjeon@kernel.org>","Date":"Wed, 29 Apr 2026 22:43:06 +0900","To":"Shuhao Fu <sfual@cse.ust.hk>","Cc":"Steve French <smfrench@gmail.com>, linux-cifs@vger.kernel.org,\n\tSergey Senozhatsky <senozhatsky@chromium.org>, Tom Talpey <tom@talpey.com>,\n linux-kernel@vger.kernel.org","Subject":"Re: [PATCH] ksmbd: fail share config requests when path allocation\n fails","Message-ID":"\n <CAKYAXd9yNbrDYe9sovtQtAvEm3Jq+BkKwxP9gXmd6qWK0UXs3Q@mail.gmail.com>","References":"<20260429085956.GA3326432@chcpu16>","In-Reply-To":"<20260429085956.GA3326432@chcpu16>","List-Id":"<linux-cifs.vger.kernel.org>"}}]