ksmbd: fix potential use-after-free in oplock/lease break ack (50f930db) · Commits · git / linux-net

fs/smb/server/smb2pdu.c

+9 −20

Original line number	Diff line number	Diff line
		@@ -8573,11 +8573,6 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
		goto err_out;
		}

		opinfo->op_state = OPLOCK_STATE_NONE;
		wake_up_interruptible_all(&opinfo->oplock_q);
		opinfo_put(opinfo);
		ksmbd_fd_put(work, fp);

		rsp->StructureSize = cpu_to_le16(24);
		rsp->OplockLevel = rsp_oplevel;
		rsp->Reserved = 0;
		@@ -8585,16 +8580,15 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
		rsp->VolatileFid = volatile_id;
		rsp->PersistentFid = persistent_id;
		ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_oplock_break));
		if (!ret)
		return;

		if (ret) {
		err_out:
		smb2_set_err_rsp(work);
		}

		opinfo->op_state = OPLOCK_STATE_NONE;
		wake_up_interruptible_all(&opinfo->oplock_q);

		opinfo_put(opinfo);
		ksmbd_fd_put(work, fp);
		smb2_set_err_rsp(work);
		}

		static int check_lease_state(struct lease *lease, __le32 req_state)
		@@ -8724,11 +8718,6 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
		}

		lease_state = lease->state;
		opinfo->op_state = OPLOCK_STATE_NONE;
		wake_up_interruptible_all(&opinfo->oplock_q);
		atomic_dec(&opinfo->breaking_cnt);
		wake_up_interruptible_all(&opinfo->oplock_brk);
		opinfo_put(opinfo);

		rsp->StructureSize = cpu_to_le16(36);
		rsp->Reserved = 0;
		@@ -8737,16 +8726,16 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
		rsp->LeaseState = lease_state;
		rsp->LeaseDuration = 0;
		ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_lease_ack));
		if (!ret)
		return;

		if (ret) {
		err_out:
		smb2_set_err_rsp(work);
		}

		opinfo->op_state = OPLOCK_STATE_NONE;
		wake_up_interruptible_all(&opinfo->oplock_q);
		atomic_dec(&opinfo->breaking_cnt);
		wake_up_interruptible_all(&opinfo->oplock_brk);

		opinfo_put(opinfo);
		smb2_set_err_rsp(work);
		}

		/**