Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

- Fix for possible double free in RPC read

- Add additional check to clarify smb2_open path and quiet Coverity

- Fix incorrect error rsp in a compounding path

- Fix to properly fail open of file with pending delete on close

* tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: fix potential double free on smb2_read_pipe() error path
ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
ksmbd: fix wrong error response status by using set_smb2_rsp_status()
ksmbd: not allow to open file if delelete on close bit is set

+11 -7
+6 -5
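--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -231,11 +231,12 @@
 {
 struct smb2_hdr *rsp_hdr;
 
-if (work->next_smb2_rcv_hdr_off)
-rsp_hdr = ksmbd_resp_buf_next(work);
-else
-rsp_hdr = smb2_get_msg(work->response_buf);
+rsp_hdr = smb2_get_msg(work->response_buf);
 rsp_hdr->Status = err;
+
+work->iov_idx = 0;
+work->iov_cnt = 0;
+work->next_smb2_rcv_hdr_off = 0;
 smb2_set_err_rsp(work);
 }
 
@@ -6152,12 +6151,12 @@
 memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz);
 
 nbytes = rpc_resp->payload_sz;
-kvfree(rpc_resp);
 err = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
 offsetof(struct smb2_read_rsp, Buffer),
 aux_payload_buf, nbytes);
 if (err)
 goto out;
+kvfree(rpc_resp);
 } else {
 err = ksmbd_iov_pin_rsp(work, (void *)rsp,
 offsetof(struct smb2_read_rsp, Buffer));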
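Review bot: In the second hunk (per the shortlog, the smb2_read_pipe() error path) the release of `rpc_resp` is now split between this branch on success and the `out:` label on failure, and only the first is visible here, so the ownership rule that prevents the double free is implicit. A short comment above the moved call, such as `/* on failure rpc_resp is released at out: */`, would keep a later edit from re-adding a free before the `goto out`. It is also not visible in this hunk whether `aux_payload_buf` is released when `ksmbd_iov_pin_rsp_read()` fails; if `out:` does not free it, that error path leaks the copy of the RPC payload. The enclosing function starts and ends outside the hunk.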
+5 -2
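--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -106,7 +106,7 @@
 ci = __ksmbd_inode_lookup(inode);
 if (ci) {
 ret = KSMBD_INODE_STATUS_OK;
-if (ci->m_flags & S_DEL_PENDING)
+if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
 ret = KSMBD_INODE_STATUS_PENDING_DELETE;
 atomic_dec(&ci->m_count);
 }
@@ -116,7 +116,7 @@
 
 bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
 {
-return (fp->f_ci->m_flags & S_DEL_PENDING);
+return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
 }
 
 void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
@@ -603,6 +603,9 @@
 void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
 unsigned int state)
 {
+if (!fp)
+return;
+
 write_lock(&ft->lock);
 fp->f_state = state;
 write_unlock(&ft->lock);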
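Review bot: The mask `(S_DEL_PENDING | S_DEL_ON_CLS)` is now written out twice, in the lookup hunk at line 109 and in `ksmbd_inode_pending_delete()`, and the two tests have to stay identical for an open to be refused consistently once delete-on-close is set. Defining it once and using it in both places, for example `#define KSMBD_DEL_FLAGS (S_DEL_PENDING | S_DEL_ON_CLS)` (the name is only a suggestion), removes the chance of one check drifting from the other. The function containing the first hunk starts outside it. In `ksmbd_update_fstate()` the new `if (!fp) return;` would also benefit from a one-line comment saying which callers may pass a NULL `fp`, because the silent return otherwise hides a failed lookup from the caller.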