smb: server: fix use-after-free in smb2_open()
authorMarios Makassikis <mmakassikis@freebox.fr>
Tue, 3 Mar 2026 10:14:32 +0000 (11:14 +0100)
committerSteve French <stfrench@microsoft.com>
Mon, 9 Mar 2026 02:28:39 +0000 (21:28 -0500)
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window.

Cc: stable@vger.kernel.org
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index 48836b97951bcf553e1d3ec25f57d8981787c2c8..9f7ff7491e9a8828ef4c846f0f0995b51fc44084 100644 (file)
@@ -3617,10 +3617,8 @@ int smb2_open(struct ksmbd_work *work)
 
 reconnected_fp:
        rsp->StructureSize = cpu_to_le16(89);
-       rcu_read_lock();
-       opinfo = rcu_dereference(fp->f_opinfo);
+       opinfo = opinfo_get(fp);
        rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
-       rcu_read_unlock();
        rsp->Flags = 0;
        rsp->CreateAction = cpu_to_le32(file_info);
        rsp->CreationTime = cpu_to_le64(fp->create_time);
@@ -3661,6 +3659,7 @@ reconnected_fp:
                next_ptr = &lease_ccontext->Next;
                next_off = conn->vals->create_lease_size;
        }
+       opinfo_put(opinfo);
 
        if (maximal_access_ctxt) {
                struct create_context *mxac_ccontext;