Merge tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd

torvalds · torvalds · commit 9a3dad63edbe · 2023-10-14T19:50:39.000-07:00
Pull smb server fixes from Steve French:

 - Fix for possible double free in RPC read

 - Add additional check to clarify smb2_open path and quiet Coverity

 - Fix incorrect error rsp in a compounding path

 - Fix to properly fail open of file with pending delete on close

* tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix potential double free on smb2_read_pipe() error path
  ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
  ksmbd: fix wrong error response status by using set_smb2_rsp_status()
  ksmbd: not allow to open file if delelete on close bit is set
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
@@ -231,11 +231,12 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
 {
 	struct smb2_hdr *rsp_hdr;
 
-	if (work->next_smb2_rcv_hdr_off)
-		rsp_hdr = ksmbd_resp_buf_next(work);
-	else
-		rsp_hdr = smb2_get_msg(work->response_buf);
+	rsp_hdr = smb2_get_msg(work->response_buf);
 	rsp_hdr->Status = err;
+
+	work->iov_idx = 0;
+	work->iov_cnt = 0;
+	work->next_smb2_rcv_hdr_off = 0;
 	smb2_set_err_rsp(work);
 }
 
@@ -6151,12 +6152,12 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
 		memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz);
 
 		nbytes = rpc_resp->payload_sz;
-		kvfree(rpc_resp);
 		err = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
 					     offsetof(struct smb2_read_rsp, Buffer),
 					     aux_payload_buf, nbytes);
 		if (err)
 			goto out;
+		kvfree(rpc_resp);
 	} else {
 		err = ksmbd_iov_pin_rsp(work, (void *)rsp,
 					offsetof(struct smb2_read_rsp, Buffer));
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
@@ -106,7 +106,7 @@ int ksmbd_query_inode_status(struct inode *inode)
 	ci = __ksmbd_inode_lookup(inode);
 	if (ci) {
 		ret = KSMBD_INODE_STATUS_OK;
-		if (ci->m_flags & S_DEL_PENDING)
+		if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
 			ret = KSMBD_INODE_STATUS_PENDING_DELETE;
 		atomic_dec(&ci->m_count);
 	}
@@ -116,7 +116,7 @@ int ksmbd_query_inode_status(struct inode *inode)
 
 bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
 {
-	return (fp->f_ci->m_flags & S_DEL_PENDING);
+	return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
 }
 
 void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
@@ -603,6 +603,9 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
 void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
 			 unsigned int state)
 {
+	if (!fp)
+		return;
+
 	write_lock(&ft->lock);
 	fp->f_state = state;
 	write_unlock(&ft->lock);

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ int ksmbd_query_inode_status(struct inode *inode)`
`106`	`106`	`ci = __ksmbd_inode_lookup(inode);`
`107`	`107`	`if (ci) {`
`108`	`108`	`ret = KSMBD_INODE_STATUS_OK;`
`109`		`- if (ci->m_flags & S_DEL_PENDING)`
	`109`	`+ if (ci->m_flags & (S_DEL_PENDING \| S_DEL_ON_CLS))`
`110`	`110`	`ret = KSMBD_INODE_STATUS_PENDING_DELETE;`
`111`	`111`	`atomic_dec(&ci->m_count);`
`112`	`112`	`}`
`@@ -116,7 +116,7 @@ int ksmbd_query_inode_status(struct inode *inode)`
`116`	`116`
`117`	`117`	`bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)`
`118`	`118`	`{`
`119`		`- return (fp->f_ci->m_flags & S_DEL_PENDING);`
	`119`	`+ return (fp->f_ci->m_flags & (S_DEL_PENDING \| S_DEL_ON_CLS));`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)`
`@@ -603,6 +603,9 @@ struct ksmbd_file ksmbd_open_fd(struct ksmbd_work work, struct file *filp)`
`603`	`603`	`void ksmbd_update_fstate(struct ksmbd_file_table ft, struct ksmbd_file fp,`
`604`	`604`	`unsigned int state)`
`605`	`605`	`{`
	`606`	`+ if (!fp)`
	`607`	`+ return;`
	`608`	`+`
`606`	`609`	`write_lock(&ft->lock);`
`607`	`610`	`fp->f_state = state;`
`608`	`611`	`write_unlock(&ft->lock);`