Commit 84d2d164 authored Feb 26, 2025 by Namjae Jeon Committed by Steve French Mar 02, 2025

ksmbd: fix use-after-free in smb2_lock



If smb_lock->zero_len has value, ->llist of smb_lock is not delete and
flock is old one. It will cause use-after-free on error handling
routine.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent e2ff19f0

fs/smb/server/smb2pdu.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -7458,13 +7458,13 @@ int smb2_lock(struct ksmbd_work *work)
		}

		no_check_cl:
		flock = smb_lock->fl;
		list_del(&smb_lock->llist);

		if (smb_lock->zero_len) {
		err = 0;
		goto skip;
		}

		flock = smb_lock->fl;
		list_del(&smb_lock->llist);
		retry:
		rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
		skip: