From: Greg Kroah-Hartman
Date: Mon, 26 Jun 2023 14:35:13 +0000 (+0200)
Subject: 6.3-stable patches
X-Git-Tag: v4.14.320~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eee4ae24ca9d19df5a7ee4fa9c4ad660f4f78138;p=thirdparty%2Fkernel%2Fstable-queue.git

6.3-stable patches

added patches:
ksmbd-call-putname-after-using-the-last-component.patch
ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
---

diff --git a/queue-6.3/ksmbd-call-putname-after-using-the-last-component.patch b/queue-6.3/ksmbd-call-putname-after-using-the-last-component.patch
new file mode 100644
index 00000000000..a082070aca6
--- /dev/null
+++ b/queue-6.3/ksmbd-call-putname-after-using-the-last-component.patch
@@ -0,0 +1,57 @@
+From 6fe55c2799bc29624770c26f98ba7b06214f43e0 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Thu, 25 May 2023 00:13:38 +0900
+Subject: ksmbd: call putname after using the last component
+
+From: Namjae Jeon
+
+commit 6fe55c2799bc29624770c26f98ba7b06214f43e0 upstream.
+
+last component point filename struct. Currently putname is called after
+vfs_path_parent_lookup(). And then last component is used for
+lookup_one_qstr_excl(). name in last component is freed by previous
+calling putname(). And It cause file lookup failure when testing
+generic/464 test of xfstest.
+
+Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/vfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -86,12 +86,14 @@ static int ksmbd_vfs_path_lookup_locked(
+ err = vfs_path_parent_lookup(filename, flags,
+ &parent_path, &last, &type,
+ root_share_path);
+- putname(filename);
+- if (err)
++ if (err) {
++ putname(filename);
+ return err;
++ }
+ 
+ if (unlikely(type != LAST_NORM)) {
+ path_put(&parent_path);
++ putname(filename);
+ return -ENOENT;
+ }
+ 
+@@ -108,12 +110,14 @@ static int ksmbd_vfs_path_lookup_locked(
+ path->dentry = d;
+ path->mnt = share_conf->vfs_path.mnt;
+ path_put(&parent_path);
++ putname(filename);
+ 
+ return 0;
+ 
+ err_out:
+ inode_unlock(parent_path.dentry->d_inode);
+ path_put(&parent_path);
++ putname(filename);
+ return -ENOENT;
+ }
+ 
diff --git a/queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch b/queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
new file mode 100644
index 00000000000..69371aba789
--- /dev/null
+++ b/queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
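Review bot: The new side of the vfs.c hunks releases `filename` separately on four exit paths (the `err` path, the `type != LAST_NORM` path, the success path and `err_out:`), and nothing in the code says why the release has to come that late; the lifetime rule that the original bug violated — `last` borrows the name storage owned by `filename` — is still invisible at each call site. I would add a comment right after the `vfs_path_parent_lookup()` call, `/* last.name points into filename's buffer: filename must outlive every use of last below */`, so the next edit that moves a `putname()` has the constraint in front of it. A single cleanup label for the paths that have not yet taken `inode_lock()` would also keep the four calls from drifting apart again, but that is a judgement call. `ksmbd_vfs_path_lookup_locked()` starts before the first inner hunk, and the lines between the two inner hunks, where `last` is consumed, are outside this view.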
@@ -0,0 +1,32 @@
+From 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Fri, 12 May 2023 17:05:41 +0900
+Subject: ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename()
+
+From: Namjae Jeon
+
+commit 48b47f0caaa8a9f05ed803cb4f335fa3a7bfc622 upstream.
+
+Uninitialized rd.delegated_inode can be used in vfs_rename().
+Fix this by setting rd.delegated_inode to NULL to avoid the uninitialized
+read.
+
+Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
+Reported-by: Coverity Scan
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/vfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -769,6 +769,7 @@ retry:
+ rd.new_dir = new_path.dentry->d_inode,
+ rd.new_dentry = new_dentry,
+ rd.flags = flags,
++ rd.delegated_inode = NULL,
+ err = vfs_rename(&rd);
+ if (err)
+ ksmbd_debug(VFS, "vfs_rename failed err %d\n", err);
diff --git a/queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch b/queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
new file mode 100644
index 00000000000..bea17ad31e1
--- /dev/null
+++ b/queue-6.3/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
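Review bot: The added `rd.delegated_inode = NULL,` plugs one member, but the surrounding lines show `rd` being filled field by field through a comma-operator chain that ends in `err = vfs_rename(&rd);`, which is exactly how a member gets missed; any field added to `struct renamedata` later will start out as stack garbage again. If `rd` is declared earlier in `ksmbd_vfs_rename()` (outside this hunk), zeroing it once at the declaration, `struct renamedata rd = {};` or `memset(&rd, 0, sizeof(rd));`, closes the whole class rather than the one instance Coverity reported, and the per-field assignments can stay as they are. I would also turn the commas into semicolons so each assignment is a statement on its own; the chain reads as an accident rather than intent.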
@@ -0,0 +1,44 @@
+From df14afeed2e6c1bbadef7d2f9c46887bbd6d8d94 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Sun, 14 May 2023 10:02:27 +0900
+Subject: ksmbd: fix uninitialized pointer read in smb2_create_link()
+
+From: Namjae Jeon
+
+commit df14afeed2e6c1bbadef7d2f9c46887bbd6d8d94 upstream.
+
+There is a case that file_present is true and path is uninitialized.
+This patch change file_present is set to false by default and set to
+true when patch is initialized.
+
+Fixes: 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
+Reported-by: Coverity Scan
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/smb2pdu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -5560,7 +5560,7 @@ static int smb2_create_link(struct ksmbd
+ {
+ char *link_name = NULL, *target_name = NULL, *pathname = NULL;
+ struct path path;
+- bool file_present = true;
++ bool file_present = false;
+ int rc;
+ 
+ if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
+@@ -5593,8 +5593,8 @@ static int smb2_create_link(struct ksmbd
+ if (rc) {
+ if (rc != -ENOENT)
+ goto out;
+- file_present = false;
+- }
++ } else
++ file_present = true;
+ 
+ if (file_info->ReplaceIfExists) {
+ if (file_present) {
diff --git a/queue-6.3/series b/queue-6.3/series
index 53268810352..64788092a18 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -194,3 +194,6 @@ x86-apic-fix-kernel-panic-when-booting-with-intremap.patch
 i2c-imx-lpi2c-fix-type-char-overflow-issue-when-calc.patch
 netfilter-nf_tables-drop-module-reference-after-updating-chain.patch
 kvm-arm64-restore-gicv2-on-gicv3-functionality.patch
+ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
+ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
+ksmbd-call-putname-after-using-the-last-component.patch
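Review bot: The new `} else` at the second smb2pdu.c hunk leaves the else branch unbraced while the `if (rc) {` branch it pairs with is braced; kernel coding style asks for braces on both branches whenever one of them needs them, so this should read `} else {` / `file_present = true;` / `}`. Defaulting `file_present` to false in the first hunk is the right direction, since the only path that sets it true is now the one where the lookup succeeded and `path` is known to be filled in; a one-line comment on the declaration, `/* true only once path has been looked up successfully */`, would tie the flag to the `struct path path;` it guards. The lookup that assigns `rc` sits between the two inner hunks and `smb2_create_link()` continues past the second, so the remaining users of `path` and `file_present` are outside this view.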