
Merge tag 'v6.16-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

- fix use after free in lease break

- small fix for freeing rdma transport (fixes missing logging of
cm_qp_destroy)

- fix write count leak

* tag 'v6.16-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: fix potential use-after-free in oplock/lease break ack
ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()
smb: server: make use of rdma_destroy_qp()

+13 -22
+9 -20
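--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8573,11 +8573,6 @@
 		goto err_out;
 	}
 
-	opinfo->op_state = OPLOCK_STATE_NONE;
-	wake_up_interruptible_all(&opinfo->oplock_q);
-	opinfo_put(opinfo);
-	ksmbd_fd_put(work, fp);
-
 	rsp->StructureSize = cpu_to_le16(24);
 	rsp->OplockLevel = rsp_oplevel;
 	rsp->Reserved = 0;
@@ -8585,16 +8580,15 @@
 	rsp->VolatileFid = volatile_id;
 	rsp->PersistentFid = persistent_id;
 	ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_oplock_break));
-	if (!ret)
-		return;
-
+	if (ret) {
 err_out:
+		smb2_set_err_rsp(work);
+	}
+
 	opinfo->op_state = OPLOCK_STATE_NONE;
 	wake_up_interruptible_all(&opinfo->oplock_q);
-
 	opinfo_put(opinfo);
 	ksmbd_fd_put(work, fp);
-	smb2_set_err_rsp(work);
 }
 
 static int check_lease_state(struct lease *lease, __le32 req_state)
@@ -8724,11 +8718,6 @@
 	}
 
 	lease_state = lease->state;
-	opinfo->op_state = OPLOCK_STATE_NONE;
-	wake_up_interruptible_all(&opinfo->oplock_q);
-	atomic_dec(&opinfo->breaking_cnt);
-	wake_up_interruptible_all(&opinfo->oplock_brk);
-	opinfo_put(opinfo);
 
 	rsp->StructureSize = cpu_to_le16(36);
 	rsp->Reserved = 0;
@@ -8737,16 +8726,16 @@
 	rsp->LeaseState = lease_state;
 	rsp->LeaseDuration = 0;
 	ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_lease_ack));
-	if (!ret)
-		return;
-
+	if (ret) {
 err_out:
+		smb2_set_err_rsp(work);
+	}
+
+	opinfo->op_state = OPLOCK_STATE_NONE;
 	wake_up_interruptible_all(&opinfo->oplock_q);
 	atomic_dec(&opinfo->breaking_cnt);
 	wake_up_interruptible_all(&opinfo->oplock_brk);
-
 	opinfo_put(opinfo);
-	smb2_set_err_rsp(work);
 }
 
 /**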
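Review bot: The `err_out:` label now sits inside the `if (ret) {` body in both the oplock-ack hunk and the lease-ack hunk, so the earlier `goto err_out` (both function heads are outside this section) enters the block without testing `ret`; that is legal C but reads as if `smb2_set_err_rsp()` were reachable only on a pin failure. A one-line comment at each label, `/* also entered via goto from the checks above; the release below runs exactly once on every path */`, would make the control flow explicit. The removed lines show the old pin-failure path running `opinfo_put()`/`ksmbd_fd_put()` a second time after the success-path cleanup, which is the double release the single tail now avoids; since that tail is unconditional, it is worth confirming that every `goto err_out` above the hunk is only taken once `opinfo` (and `fp` in the oplock case) is actually held.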
+3 -2
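--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -433,7 +433,8 @@
 	if (t->qp) {
 		ib_drain_qp(t->qp);
 		ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs);
-		ib_destroy_qp(t->qp);
+		t->qp = NULL;
+		rdma_destroy_qp(t->cm_id);
 	}
 
 	ksmbd_debug(RDMA, "drain the reassembly queue\n");
@@ -1940,8 +1941,8 @@
 	return 0;
 err:
 	if (t->qp) {
-		ib_destroy_qp(t->qp);
 		t->qp = NULL;
+		rdma_destroy_qp(t->cm_id);
 	}
 	if (t->recv_cq) {
 		ib_destroy_cq(t->recv_cq);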
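Review bot: `t->qp` is cleared before `rdma_destroy_qp(t->cm_id)` in both hunks, so while the destroy runs the QP is reachable only through the cm_id and any code that tests `t->qp` for liveness sees NULL although the object still exists; that is presumably intended but nothing says so. A comment on the first hunk, `/* the QP belongs to the cm_id; drop our reference before tearing it down */`, would document the ordering and why the explicit ib_destroy_qp() was replaced. The error path in the second hunk assumes `t->cm_id` is valid whenever `t->qp` is non-NULL; the enclosing function starts outside this section, so that invariant cannot be verified here.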
+1
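--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1282,6 +1282,7 @@
 
 	err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
 	if (err) {
+		mnt_drop_write(parent_path->mnt);
 		path_put(path);
 		path_put(parent_path);
 	}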
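Review bot: The added `mnt_drop_write(parent_path->mnt)` balances a `mnt_want_write()` that must be taken above this hunk, but the matching call is not visible in the section, so the release reads as unrelated to the lock failure it sits in. A short comment, `/* undo the mnt_want_write() taken before the lookup */`, would tie the two together for the next reader. The enclosing function starts and ends outside the hunk, so whether the success path still hands the write count to the caller, and whether any other error exit between the two calls also drops it, cannot be confirmed from here.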