1. Patchew
  2. linux
  3. View series

[PATCH] ksmbd: fix possible memory leak in smb2_lock()

Hangyu Hua posted 1 patch 2 years, 7 months ago
There is a newer version of this series
fs/ksmbd/smb2pdu.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] ksmbd: fix possible memory leak in smb2_lock()
Posted by Hangyu Hua 2 years, 7 months ago 
argv needs to be free when setup_async_work fails or when the current
process is woken up.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 fs/ksmbd/smb2pdu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index d681f91947d9..5b7668c04f76 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7050,6 +7050,7 @@ int smb2_lock(struct ksmbd_work *work)
 						      smb2_remove_blocked_lock,
 						      argv);
 				if (rc) {
+					kfree(argv);
 					err = -ENOMEM;
 					goto out;
 				}
@@ -7061,6 +7062,8 @@ int smb2_lock(struct ksmbd_work *work)
 
 				ksmbd_vfs_posix_lock_wait(flock);
 
+				work->cancel_fn = NULL;
+				kfree(argv);
 				if (work->state != KSMBD_WORK_ACTIVE) {
 					list_del(&smb_lock->llist);
 					spin_lock(&work->conn->llist_lock);
-- 
2.34.1
Re: [PATCH] ksmbd: fix possible memory leak in smb2_lock()
Posted by Namjae Jeon 2 years, 7 months ago 
2023-02-01 17:10 GMT+09:00, Hangyu Hua <hbh25y@gmail.com>:
> argv needs to be free when setup_async_work fails or when the current
> process is woken up.
>
> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> ---
>  fs/ksmbd/smb2pdu.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
> index d681f91947d9..5b7668c04f76 100644
> --- a/fs/ksmbd/smb2pdu.c
> +++ b/fs/ksmbd/smb2pdu.c
> @@ -7050,6 +7050,7 @@ int smb2_lock(struct ksmbd_work *work)
>  						      smb2_remove_blocked_lock,
>  						      argv);
>  				if (rc) {
> +					kfree(argv);
>  					err = -ENOMEM;
>  					goto out;
>  				}
> @@ -7061,6 +7062,8 @@ int smb2_lock(struct ksmbd_work *work)
>
>  				ksmbd_vfs_posix_lock_wait(flock);
>
> +				work->cancel_fn = NULL;
> +				kfree(argv);
This change seems to causes a NULL pointer dereference issue in
set_close_state_blocked_works(). It is right to free it and set NULL
after removing entry from list.
>  				if (work->state != KSMBD_WORK_ACTIVE) {
>  					list_del(&smb_lock->llist);
>  					spin_lock(&work->conn->llist_lock);
> --
> 2.34.1
>
>
Re: [PATCH] ksmbd: fix possible memory leak in smb2_lock()
Posted by Hangyu Hua 2 years, 7 months ago 
On 4/2/2023 18:10, Namjae Jeon wrote:
> 2023-02-01 17:10 GMT+09:00, Hangyu Hua <hbh25y@gmail.com>:
>> argv needs to be free when setup_async_work fails or when the current
>> process is woken up.
>>
>> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
>> ---
>>   fs/ksmbd/smb2pdu.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
>> index d681f91947d9..5b7668c04f76 100644
>> --- a/fs/ksmbd/smb2pdu.c
>> +++ b/fs/ksmbd/smb2pdu.c
>> @@ -7050,6 +7050,7 @@ int smb2_lock(struct ksmbd_work *work)
>>   						      smb2_remove_blocked_lock,
>>   						      argv);
>>   				if (rc) {
>> +					kfree(argv);
>>   					err = -ENOMEM;
>>   					goto out;
>>   				}
>> @@ -7061,6 +7062,8 @@ int smb2_lock(struct ksmbd_work *work)
>>
>>   				ksmbd_vfs_posix_lock_wait(flock);
>>
>> +				work->cancel_fn = NULL;
>> +				kfree(argv);
> This change seems to causes a NULL pointer dereference issue in
> set_close_state_blocked_works(). It is right to free it and set NULL
> after removing entry from list.

I get it. I will send a v2.

Thanks,
Hangyu
>>   				if (work->state != KSMBD_WORK_ACTIVE) {
>>   					list_del(&smb_lock->llist);
>>   					spin_lock(&work->conn->llist_lock);
>> --
>> 2.34.1
>>
>>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.