From: Greg Kroah-Hartman
Date: Tue, 22 Apr 2025 09:59:53 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.135~52
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=18ac36509343063cdd36ba6bfb7268166209507c;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
smb-server-fix-potential-null-ptr-deref-of-lease_ctx_info-in-smb2_open.patch
---
diff --git a/queue-6.1/series b/queue-6.1/series
index 2fdcde6912..63cb054bd6 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -277,3 +277,4 @@ landlock-add-the-errata-interface.patch
 revert-loongarch-bpf-fix-off-by-one-error-in-build_prologue.patch
 nvmet-fc-remove-unused-functions.patch
 smb-client-fix-use-after-free-of-network-namespace.patch
+smb-server-fix-potential-null-ptr-deref-of-lease_ctx_info-in-smb2_open.patch
diff --git a/queue-6.1/smb-server-fix-potential-null-ptr-deref-of-lease_ctx_info-in-smb2_open.patch b/queue-6.1/smb-server-fix-potential-null-ptr-deref-of-lease_ctx_info-in-smb2_open.patch
new file mode 100644
index 0000000000..33ae210732
--- /dev/null
+++ b/queue-6.1/smb-server-fix-potential-null-ptr-deref-of-lease_ctx_info-in-smb2_open.patch
@@ -0,0 +1,52 @@
+From 4e8771a3666c8f216eefd6bd2fd50121c6c437db Mon Sep 17 00:00:00 2001
+From: ChenXiaoSong
+Date: Thu, 22 Aug 2024 08:20:51 +0000
+Subject: smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
+
+From: ChenXiaoSong
+
+commit 4e8771a3666c8f216eefd6bd2fd50121c6c437db upstream.
+
+null-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
+and parse_lease_state() return NULL.
+
+Fix this by check if 'lease_ctx_info' is NULL.
+
+Additionally, remove the redundant parentheses in
+parse_durable_handle_context().
+
+Signed-off-by: ChenXiaoSong
+Signed-off-by: Steve French
+[ Drop the parentheses clean-up since the parentheses was introduced by
+ c8efcc786146 ("ksmbd: add support for durable handles v1/v2") in v6.9
+ Minor context change fixed ]
+Signed-off-by: Jianqi Ren
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/oplock.c | 2 +-
+ fs/smb/server/smb2pdu.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1515,7 +1515,7 @@ void create_lease_buf(u8 *rbuf, struct l
+ * @open_req: buffer containing smb2 file open(create) request
+ * @is_dir: whether leasing file is directory
+ *
+- * Return: oplock state, -ENOENT if create lease context not found
++ * Return: allocated lease context object on success, otherwise NULL
+ */
+ struct lease_ctx_info *parse_lease_state(void *open_req, bool is_dir)
+ {
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3243,7 +3243,7 @@ int smb2_open(struct ksmbd_work *work)
+ goto err_out1;
+ }
+ } else {
+- if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {
++ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && lc) {
+ /*
+ * Compare parent lease using parent key. If there is no
+ * a lease that has same parent key, Send lease break
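Review bot: The new guard `if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && lc)` in the smb2pdu.c hunk stops the NULL dereference, but it does so by silently treating a client that requested a lease whose lease context came back NULL as if it had requested no lease at all, so the open proceeds on the non-lease path with no error reported to the client. Because the oplock.c hunk now documents NULL as parse_lease_state()'s only failure value, this call site cannot tell a missing or malformed create context from an allocation failure; a more explicit fix would reject the request where lc is assigned, e.g. `if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && !lc) { rc = -EINVAL; goto err_out1; }`, though that assignment is outside the hunk so I cannot confirm the exact spot, and as a stable backport it should only diverge from upstream if upstream does the same. If the fall-through is the intended behavior, a one-line comment on the new condition, `/* lc is NULL when the lease create context was absent or unparseable; treat as no lease */`, would make that choice visible to the next reader. smb2_open() starts and ends outside the hunk.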