| Message ID | 20230622181604.4788-2-sprasad@microsoft.com |
|---|---|
| State | New |
| Headers | show |
| Series | [1/3] cifs: log session id when a matching ses is not found | expand |
Shyam Prasad N <nspmangalore@gmail.com> writes: > In smb2_compound_op we have a possible use-after-free > which can cause hard to debug problems later on. > > This was revealed during stress testing with KASAN enabled > kernel. Fixing it by moving the cfile free call to > a few lines below, after the usage. > > Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") > CC: Paulo Alcantara (SUSE) <pc@cjr.nz> > Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> > --- > fs/smb/client/smb2inode.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
merged into cifs-2.6.git for-next On Thu, Jun 22, 2023 at 1:46 PM Paulo Alcantara <pc@manguebit.com> wrote: > > Shyam Prasad N <nspmangalore@gmail.com> writes: > > > In smb2_compound_op we have a possible use-after-free > > which can cause hard to debug problems later on. > > > > This was revealed during stress testing with KASAN enabled > > kernel. Fixing it by moving the cfile free call to > > a few lines below, after the usage. > > > > Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") > > CC: Paulo Alcantara (SUSE) <pc@cjr.nz> > > Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> > > --- > > fs/smb/client/smb2inode.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c index 163a03298430..7e3ac4cb4efa 100644 --- a/fs/smb/client/smb2inode.c +++ b/fs/smb/client/smb2inode.c @@ -398,9 +398,6 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon, rsp_iov); finished: - if (cfile) - cifsFileInfo_put(cfile); - SMB2_open_free(&rqst[0]); if (rc == -EREMCHG) { pr_warn_once("server share %s deleted\n", tcon->tree_name); @@ -529,6 +526,9 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon, break; } + if (cfile) + cifsFileInfo_put(cfile); + if (rc && err_iov && err_buftype) { memcpy(err_iov, rsp_iov, 3 * sizeof(*err_iov)); memcpy(err_buftype, resp_buftype, 3 * sizeof(*err_buftype));
In smb2_compound_op we have a possible use-after-free which can cause hard to debug problems later on. This was revealed during stress testing with KASAN enabled kernel. Fixing it by moving the cfile free call to a few lines below, after the usage. Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") CC: Paulo Alcantara (SUSE) <pc@cjr.nz> Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> --- fs/smb/client/smb2inode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)