Commit 9a3dad63 authored by Linus Torvalds

Merge tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

 - Fix for possible double free in RPC read

 - Add additional check to clarify smb2_open path and quiet Coverity

 - Fix incorrect error rsp in a compounding path

 - Fix to properly fail open of file with pending delete on close

* tag '6.6-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix potential double free on smb2_read_pipe() error path
  ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
  ksmbd: fix wrong error response status by using set_smb2_rsp_status()
  ksmbd: not allow to open file if delelete on close bit is set
parents bf2069d1 1903e6d0
...@@ -231,11 +231,12 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err) ...@@ -231,11 +231,12 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
{ {
struct smb2_hdr *rsp_hdr; struct smb2_hdr *rsp_hdr;
if (work->next_smb2_rcv_hdr_off)
rsp_hdr = ksmbd_resp_buf_next(work);
else
rsp_hdr = smb2_get_msg(work->response_buf); rsp_hdr = smb2_get_msg(work->response_buf);
rsp_hdr->Status = err; rsp_hdr->Status = err;
work->iov_idx = 0;
work->iov_cnt = 0;
work->next_smb2_rcv_hdr_off = 0;
smb2_set_err_rsp(work); smb2_set_err_rsp(work);
} }
...@@ -6151,12 +6152,12 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work) ...@@ -6151,12 +6152,12 @@ static noinline int smb2_read_pipe(struct ksmbd_work *work)
memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz); memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz);
nbytes = rpc_resp->payload_sz; nbytes = rpc_resp->payload_sz;
kvfree(rpc_resp);
err = ksmbd_iov_pin_rsp_read(work, (void *)rsp, err = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
offsetof(struct smb2_read_rsp, Buffer), offsetof(struct smb2_read_rsp, Buffer),
aux_payload_buf, nbytes); aux_payload_buf, nbytes);
if (err) if (err)
goto out; goto out;
kvfree(rpc_resp);
} else { } else {
err = ksmbd_iov_pin_rsp(work, (void *)rsp, err = ksmbd_iov_pin_rsp(work, (void *)rsp,
offsetof(struct smb2_read_rsp, Buffer)); offsetof(struct smb2_read_rsp, Buffer));
......
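Review bot: In smb2_read_pipe(), the `if (err) goto out;` branch taken when `ksmbd_iov_pin_rsp_read()` fails shows no release of `aux_payload_buf`, so the copy of the RPC payload may leak on that path. The allocation of `aux_payload_buf` and the `out` label are both outside the hunk, so this needs checking against the rest of the function. If `out` frees only `rpc_resp`, the branch should become `if (err) { kvfree(aux_payload_buf); goto out; }`, using whichever free matches the buffer's allocation. Placing `kvfree(rpc_resp)` after the error check deals with the double free named in the commit title, but it does not cover this second buffer.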
...@@ -106,7 +106,7 @@ int ksmbd_query_inode_status(struct inode *inode) ...@@ -106,7 +106,7 @@ int ksmbd_query_inode_status(struct inode *inode)
ci = __ksmbd_inode_lookup(inode); ci = __ksmbd_inode_lookup(inode);
if (ci) { if (ci) {
ret = KSMBD_INODE_STATUS_OK; ret = KSMBD_INODE_STATUS_OK;
if (ci->m_flags & S_DEL_PENDING) if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
ret = KSMBD_INODE_STATUS_PENDING_DELETE; ret = KSMBD_INODE_STATUS_PENDING_DELETE;
atomic_dec(&ci->m_count); atomic_dec(&ci->m_count);
} }
...@@ -116,7 +116,7 @@ int ksmbd_query_inode_status(struct inode *inode) ...@@ -116,7 +116,7 @@ int ksmbd_query_inode_status(struct inode *inode)
bool ksmbd_inode_pending_delete(struct ksmbd_file *fp) bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
{ {
return (fp->f_ci->m_flags & S_DEL_PENDING); return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
} }
void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp) void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
...@@ -603,6 +603,9 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp) ...@@ -603,6 +603,9 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp, void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
unsigned int state) unsigned int state)
{ {
if (!fp)
return;
write_lock(&ft->lock); write_lock(&ft->lock);
fp->f_state = state; fp->f_state = state;
write_unlock(&ft->lock); write_unlock(&ft->lock);
......
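Review bot: The mask `(S_DEL_PENDING | S_DEL_ON_CLS)` is now open-coded in both ksmbd_query_inode_status() and ksmbd_inode_pending_delete(), and neither the helper name nor `KSMBD_INODE_STATUS_PENDING_DELETE` says that a delete-on-close inode is reported as pending delete too. Defining the mask once and testing it in both places would keep the two checks from drifting apart, since they decide whether an open is refused. A comment at the test would record the intent given in the commit title, for example `/* delete-on-close is treated like pending delete: new opens must fail */`. ksmbd_query_inode_status() starts and ends outside its hunk, so whether `m_flags` is read under a lock there cannot be judged from these lines.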