--- /dev/null
+From 6fe55c2799bc29624770c26f98ba7b06214f43e0 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 25 May 2023 00:13:38 +0900
+Subject: ksmbd: call putname after using the last component
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 6fe55c2799bc29624770c26f98ba7b06214f43e0 upstream.
+
+The last component points into the filename struct. Currently putname() is
+called right after vfs_path_parent_lookup(), and the last component is then
+used by lookup_one_qstr_excl(). The name in the last component has already
+been freed by that earlier putname() call, which causes a file lookup
+failure when running the generic/464 test of xfstests.
+
+Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/vfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -86,12 +86,14 @@ static int ksmbd_vfs_path_lookup_locked(
+ err = vfs_path_parent_lookup(filename, flags,
+ &parent_path, &last, &type,
+ root_share_path);
+- putname(filename);
+- if (err)
++ if (err) {
++ putname(filename);
+ return err;
++ }
+
+ if (unlikely(type != LAST_NORM)) {
+ path_put(&parent_path);
++ putname(filename);
+ return -ENOENT;
+ }
+
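Review bot: Nothing in the new code says why `putname(filename)` must now wait, and the release is repeated on four exit paths (the two in this hunk, plus the success return and `err_out:` in the next hunk). Per the commit message, `last` still refers to the name held by `filename`, so the old ordering was a read of freed memory and not only a failed lookup. A comment after the `vfs_path_parent_lookup()` call, such as `/* last.name points into filename: no putname() until the lookup on &last is done */`, would keep a later cleanup from moving the call back. The function starts above this hunk and the code between the two hunks is not shown, so confirm that no other return sits between the parent lookup and `err_out:` without a matching `putname()`.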
+@@ -108,12 +110,14 @@ static int ksmbd_vfs_path_lookup_locked(
+ path->dentry = d;
+ path->mnt = share_conf->vfs_path.mnt;
+ path_put(&parent_path);
++ putname(filename);
+
+ return 0;
+
+ err_out:
+ inode_unlock(parent_path.dentry->d_inode);
+ path_put(&parent_path);
++ putname(filename);
+ return -ENOENT;
+ }
+
--- /dev/null
+From 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 12 May 2023 17:05:41 +0900
+Subject: ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 upstream.
+
+Uninitialized rd.delegated_inode can be used in vfs_rename().
+Fix this by setting rd.delegated_inode to NULL to avoid the uninitialized
+read.
+
+Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
+Reported-by: Coverity Scan <scan-admin@coverity.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/vfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -769,6 +769,7 @@ retry:
+ rd.new_dir = new_path.dentry->d_inode,
+ rd.new_dentry = new_dentry,
+ rd.flags = flags,
++ rd.delegated_inode = NULL,
+ err = vfs_rename(&rd);
+ if (err)
+ ksmbd_debug(VFS, "vfs_rename failed err %d\n", err);
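Review bot: The added `rd.delegated_inode = NULL,` fixes one member but keeps the pattern that produced the bug: `rd` is filled in member by member, so any field not listed here, or added to the struct later, reaches `vfs_rename()` as leftover stack contents. Zero-initialising at the declaration, e.g. `struct renamedata rd = {};`, would close the whole class; the declaration is above this hunk, so that is where the change would go. The assignments also end in commas, which chains them into a single comma expression together with `err = vfs_rename(&rd);`. It compiles as intended, but semicolons would state what is meant.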
--- /dev/null
+From df14afeed2e6c1bbadef7d2f9c46887bbd6d8d94 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 14 May 2023 10:02:27 +0900
+Subject: ksmbd: fix uninitialized pointer read in smb2_create_link()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit df14afeed2e6c1bbadef7d2f9c46887bbd6d8d94 upstream.
+
+There is a case where file_present is true and path is uninitialized.
+This patch changes file_present to be false by default and sets it to
+true only when path is initialized.
+
+Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
+Reported-by: Coverity Scan <scan-admin@coverity.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -5560,7 +5560,7 @@ static int smb2_create_link(struct ksmbd
+ {
+ char *link_name = NULL, *target_name = NULL, *pathname = NULL;
+ struct path path;
+- bool file_present = true;
++ bool file_present = false;
+ int rc;
+
+ if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
+@@ -5593,8 +5593,8 @@ static int smb2_create_link(struct ksmbd
+ if (rc) {
+ if (rc != -ENOENT)
+ goto out;
+- file_present = false;
+- }
++ } else
++ file_present = true;
+
+ if (file_info->ReplaceIfExists) {
+ if (file_present) {
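Review bot: The new `} else` arm is unbraced while the `if (rc)` arm is braced; kernel coding style asks for braces on both arms when either needs them. This assignment is the line that marks `path` as valid, so it should be hard to misread: `} else {` / `file_present = true;` / `}`. `struct path path;` is still declared without an initializer in the first hunk, so the safety of every later use rests on `file_present`. A comment at the declaration, such as `/* path is valid only while file_present is true */`, would record that invariant. The lookup that sets `rc` and the later uses of `path` are outside the visible hunks.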
i2c-imx-lpi2c-fix-type-char-overflow-issue-when-calc.patch
netfilter-nf_tables-drop-module-reference-after-updating-chain.patch
kvm-arm64-restore-gicv2-on-gicv3-functionality.patch
+ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
+ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
+ksmbd-call-putname-after-using-the-last-component.patch