ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without
SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the
handle for later reconnection. However, it did not clean up the byte-range
locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls
__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

    spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the
original connection object had already been freed by
ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were
left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of
smb_lock->clist across three paths:
 - Safely skip clist deletion when list is empty and fp->conn is NULL.
 - Remove the lock from the old connection's lock_list in
   session_fd_check()
 - Re-add the lock to the new connection's lock_list in
   ksmbd_reopen_durable_fd().

Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Co-developed-by: munan Huang <munanevil@gmail.com>
Signed-off-by: munan Huang <munanevil@gmail.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index 168f2dd7e200b7ee9c19513e1845a11c9b644857..87f63525062b1163ab887dc9e442159ff6c0b9da 100644 (file)
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -463,9 +463,11 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
         * there are not accesses to fp->lock_list.
         */
        list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
-               spin_lock(&fp->conn->llist_lock);
-               list_del(&smb_lock->clist);
-               spin_unlock(&fp->conn->llist_lock);
+               if (!list_empty(&smb_lock->clist) && fp->conn) {
+                       spin_lock(&fp->conn->llist_lock);
+                       list_del(&smb_lock->clist);
+                       spin_unlock(&fp->conn->llist_lock);
+               }
 
                list_del(&smb_lock->flist);
                locks_free_lock(smb_lock->fl);
@@ -995,6 +997,7 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
        struct ksmbd_inode *ci;
        struct oplock_info *op;
        struct ksmbd_conn *conn;
+       struct ksmbd_lock *smb_lock, *tmp_lock;
 
        if (!is_reconnectable(fp))
                return false;
@@ -1011,6 +1014,12 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
        }
        up_write(&ci->m_lock);
 
+       list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
+               spin_lock(&fp->conn->llist_lock);
+               list_del_init(&smb_lock->clist);
+               spin_unlock(&fp->conn->llist_lock);
+       }
+
        fp->conn = NULL;
        fp->tcon = NULL;
        fp->volatile_id = KSMBD_NO_FID;
@@ -1090,6 +1099,9 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
 {
        struct ksmbd_inode *ci;
        struct oplock_info *op;
+       struct ksmbd_conn *conn = work->conn;
+       struct ksmbd_lock *smb_lock;
+       unsigned int old_f_state;
 
        if (!fp->is_durable || fp->conn || fp->tcon) {
                pr_err("Invalid durable fd [%p:%p]\n", fp->conn, fp->tcon);
@@ -1101,9 +1113,23 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
                return -EBADF;
        }
 
-       fp->conn = work->conn;
+       old_f_state = fp->f_state;
+       fp->f_state = FP_NEW;
+       __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
+       if (!has_file_id(fp->volatile_id)) {
+               fp->f_state = old_f_state;
+               return -EBADF;
+       }
+
+       fp->conn = conn;
        fp->tcon = work->tcon;
 
+       list_for_each_entry(smb_lock, &fp->lock_list, flist) {
+               spin_lock(&conn->llist_lock);
+               list_add_tail(&smb_lock->clist, &conn->lock_list);
+               spin_unlock(&conn->llist_lock);
+       }
+
        ci = fp->f_ci;
        down_write(&ci->m_lock);
        list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) {
@@ -1114,13 +1140,6 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
        }
        up_write(&ci->m_lock);
 
-       fp->f_state = FP_NEW;
-       __open_id(&work->sess->file_table, fp, OPEN_ID_TYPE_VOLATILE_ID);
-       if (!has_file_id(fp->volatile_id)) {
-               fp->conn = NULL;
-               fp->tcon = NULL;
-               return -EBADF;
-       }
        return 0;
 }