Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 05A1EC05027 for ; Mon, 6 Feb 2023 23:45:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230134AbjBFXpD (ORCPT ); Mon, 6 Feb 2023 18:45:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40362 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229936AbjBFXpB (ORCPT ); Mon, 6 Feb 2023 18:45:01 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 291D1303E5; Mon, 6 Feb 2023 15:44:36 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B4A7EB8167D; Mon, 6 Feb 2023 23:44:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5E32AC433A0; Mon, 6 Feb 2023 23:44:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675727073; bh=+VS0T7saKGxXpafCOxelveBrW5g7V/bi82d9i0jTJOw=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=Mefy5tCBU30U2vgPjHQ7NT0ziRYCnzZIx9vft/xTFg2vhJlUt6LHSYKLSoGkXCWYd R08UlnTuVBLXJgpsldZISrLKoWp1+BTS7RzEahS7i0yztNYFj1N9c+xeioDxRrQJp7 u2fxlEXTGZfG0qx88czFSgAoPEEEW7vv10J/K0etpfvWOzMvpURkF17K3wvEKfW6EN Nb+iqGn6Tp1etLPp/X3m9/1KiOQc4CxSau7PA7n90aLIzATln0Bqv9o31ZvaqkagUo gYO0sQrVuSzk30yAmsgZBhxyU5XNY3gx83c9e5XVE+k/7Kb9st3MrC/HmSCTshFEqO C49rnhzyT028A== Received: by mail-oi1-f173.google.com with SMTP id 20so10436454oix.5; Mon, 06 Feb 2023 15:44:33 -0800 (PST) X-Gm-Message-State: AO0yUKUe1Qpn1DkPv+VbgK0Qbj4RG09MXHQlgiQZU8aT0ExjSSOknS0N 1a1/cgS6VhMNOgLQRmI/j3bSxHnD3QWS4W5Eip0= X-Google-Smtp-Source: AK7set+239NZEdy9JC4+houRK9nVQSewhMxnSxX0ik41Ipo6URjzwhlruxeiBMQvMt0MG9ioy/nceY43s38Zk6g68O0= X-Received: by 2002:a05:6808:10:b0:378:57fb:de1f with SMTP id u16-20020a056808001000b0037857fbde1fmr1019860oic.215.1675727072447; Mon, 06 Feb 2023 15:44:32 -0800 (PST) MIME-Version: 1.0 Received: by 2002:a8a:355:0:b0:4a5:1048:434b with HTTP; Mon, 6 Feb 2023 15:44:31 -0800 (PST) In-Reply-To: <20230206023630.9457-1-hbh25y@gmail.com> References: <20230206023630.9457-1-hbh25y@gmail.com> From: Namjae Jeon Date: Tue, 7 Feb 2023 08:44:31 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2] ksmbd: fix possible memory leak in smb2_lock() To: Hangyu Hua Cc: sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, lsahlber@redhat.com, hyc.lee@gmail.com, linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2023-02-06 11:36 GMT+09:00, Hangyu Hua : > argv needs to be free when setup_async_work fails or when the current > process is woken up. > > Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") > Signed-off-by: Hangyu Hua > --- > > v2: avoid NULL pointer dereference in set_close_state_blocked_works() > > fs/ksmbd/smb2pdu.c | 5 +++++ > fs/ksmbd/vfs_cache.c | 2 ++ > 2 files changed, 7 insertions(+) > > diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c > index d681f91947d9..177a24704021 100644 > --- a/fs/ksmbd/smb2pdu.c > +++ b/fs/ksmbd/smb2pdu.c > @@ -7050,6 +7050,7 @@ int smb2_lock(struct ksmbd_work *work) > smb2_remove_blocked_lock, > argv); > if (rc) { > + kfree(argv); > err = -ENOMEM; > goto out; > } > @@ -7072,6 +7073,8 @@ int smb2_lock(struct ksmbd_work *work) > spin_lock(&fp->f_lock); > list_del(&work->fp_entry); > spin_unlock(&fp->f_lock); > + kfree(argv); > + work->cancel_fn = NULL; > rsp->hdr.Status = > STATUS_CANCELLED; > kfree(smb_lock); > @@ -7096,6 +7099,8 @@ int smb2_lock(struct ksmbd_work *work) > spin_lock(&fp->f_lock); > list_del(&work->fp_entry); > spin_unlock(&fp->f_lock); > + kfree(argv); > + work->cancel_fn = NULL; This doesn't seem so simple... You have to consider the racy issue between this change and smb2_cancel(). Also, how are you testing this patch? > goto retry; > } else if (!rc) { > spin_lock(&work->conn->llist_lock); > diff --git a/fs/ksmbd/vfs_cache.c b/fs/ksmbd/vfs_cache.c > index da9163b00350..eb95c16393b7 100644 > --- a/fs/ksmbd/vfs_cache.c > +++ b/fs/ksmbd/vfs_cache.c > @@ -372,6 +372,8 @@ static void set_close_state_blocked_works(struct > ksmbd_file *fp) > list_del(&cancel_work->fp_entry); > cancel_work->state = KSMBD_WORK_CLOSED; > cancel_work->cancel_fn(cancel_work->cancel_argv); > + kfree(cancel_work->cancel_argv); > + cancel_work->cancel_fn = NULL; > } > spin_unlock(&fp->f_lock); > } > -- > 2.34.1 > >