Commit 9a3dad63 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

 - Fix for possible double free in RPC read

 - Add additional check to clarify smb2_open path and quiet Coverity

 - Fix incorrect error rsp in a compounding path

 - Fix to properly fail open of file with pending delete on close

* tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix potential double free on smb2_read_pipe() error path
  ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
  ksmbd: fix wrong error response status by using set_smb2_rsp_status()
  ksmbd: not allow to open file if delelete on close bit is set
parents bf2069d1 1903e6d0
+6 −5
@@ -231,11 +231,12 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
{
	struct smb2_hdr *rsp_hdr;

	if (work->next_smb2_rcv_hdr_off)
		rsp_hdr = ksmbd_resp_buf_next(work);
	else
	rsp_hdr = smb2_get_msg(work->response_buf);
	rsp_hdr->Status = err;

	work->iov_idx = 0;
	work->iov_cnt = 0;
	work->next_smb2_rcv_hdr_off = 0;
	smb2_set_err_rsp(work);
}

@@ -6151,12 +6152,12 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
		memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz);

		nbytes = rpc_resp->payload_sz;
		kvfree(rpc_resp);
		err = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
					     offsetof(struct smb2_read_rsp, Buffer),
					     aux_payload_buf, nbytes);
		if (err)
			goto out;
		kvfree(rpc_resp);
	} else {
		err = ksmbd_iov_pin_rsp(work, (void *)rsp,
					offsetof(struct smb2_read_rsp, Buffer));
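Review bot: In smb2_read_pipe(), the `if (err) goto out;` branch after ksmbd_iov_pin_rsp_read() exits with aux_payload_buf still allocated, and nothing visible in this hunk releases it. Unless the pin helper keeps ownership of the buffer when it fails, or the `out:` label frees it (both are outside the hunk, so this needs confirming), that is a kernel memory leak on a request-handling path; `if (err) { kvfree(aux_payload_buf); goto out; }` would close it. The page has lost its +/- markers, but the placement of kvfree(rpc_resp) after the check only works if `out:` frees rpc_resp, so a comment such as `/* on failure rpc_resp is released at out: */` would make the single-free rule explicit. The function body starts and ends outside the hunk.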
+5 −2
@@ -106,7 +106,7 @@ int ksmbd_query_inode_status(struct inode *inode)
	ci = __ksmbd_inode_lookup(inode);
	if (ci) {
		ret = KSMBD_INODE_STATUS_OK;
		if (ci->m_flags & S_DEL_PENDING)
		if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
			ret = KSMBD_INODE_STATUS_PENDING_DELETE;
		atomic_dec(&ci->m_count);
	}
@@ -116,7 +116,7 @@ int ksmbd_query_inode_status(struct inode *inode)

bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
{
	return (fp->f_ci->m_flags & S_DEL_PENDING);
	return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
}

void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
@@ -603,6 +603,9 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
			 unsigned int state)
{
	if (!fp)
		return;

	write_lock(&ft->lock);
	fp->f_state = state;
	write_unlock(&ft->lock);
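Review bot: The mask `(S_DEL_PENDING | S_DEL_ON_CLS)` is now written out twice, once in ksmbd_query_inode_status() and once in ksmbd_inode_pending_delete(), and the two tests must stay identical for every open path to reject a delete-on-close file the same way. A single named mask shared by both, for example `#define S_DEL_BLOCKS_OPEN (S_DEL_PENDING | S_DEL_ON_CLS)` (the name is only a suggestion), would keep them from drifting apart. Both functions and KSMBD_INODE_STATUS_PENDING_DELETE still say "pending delete" although they appear to cover delete-on-close as well, so a one-line comment such as `/* a delete-on-close handle also blocks new opens */` above each check would help the next reader. ksmbd_query_inode_status() starts and ends outside its hunk.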