Commit a74668eb authored Apr 29, 2026 by Shuhao Fu Committed by Steve French May 01, 2026

ksmbd: fail share config requests when path allocation fails



Non-pipe shares must have a duplicated backing path before they can be
published. share_config_request() currently calls kstrndup() for that
path, but if the allocation fails it leaves ret unchanged. If veto list
parsing succeeds and share->name exists, the partially built share is
still inserted into the global share table with share->path left NULL.

A later share-root SMB2 create uses tree_conn->share_conf->path as the
lookup root. If the share was published with path == NULL, that request
passes a NULL pathname into do_getname_kernel()/strlen() and can crash
the ksmbd worker.

Set ret = -ENOMEM when path duplication fails so the incomplete share is
destroyed before publication.

Fixes: e2f34481 ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent bf736184

fs/smb/server/mgmt/share_config.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -167,7 +167,10 @@ static struct ksmbd_share_config share_config_request(struct ksmbd_work work,

		share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
		KSMBD_DEFAULT_GFP);
		if (share->path) {
		if (!share->path) {
		ret = -ENOMEM;
		} else {
		ret = 0;
		share->path_sz = strlen(share->path);
		while (share->path_sz > 1 &&
		share->path[share->path_sz - 1] == '/')
		@@ -179,6 +182,7 @@ static struct ksmbd_share_config share_config_request(struct ksmbd_work work,
		share->force_directory_mode = resp->force_directory_mode;
		share->force_uid = resp->force_uid;
		share->force_gid = resp->force_gid;
		if (!ret)
		ret = parse_veto_list(share,
		KSMBD_SHARE_CONFIG_VETO_LIST(resp),
		resp->veto_list_sz);