Patch "smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file()" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 17 May 2024 15:14:51 -0400

This is a note to let you know that I've just added the patch titled

    smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     smb-client-fix-null-ptr-deref-in-cifs_mark_open_hand.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ffb331b662deb3cacd96d0bba349782cc40b3584
Author: Paulo Alcantara <pc@xxxxxxxxxxxxx>
Date:   Mon Apr 8 18:32:17 2024 -0300

    smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file()
    
    [ Upstream commit ec4535b2a1d709d3a1fbec26739c672f13c98a7b ]
    
    cifs_get_fattr() may be called with a NULL inode, so check for a
    non-NULL inode before calling
    cifs_mark_open_handles_for_deleted_file().
    
    This fixes the following oops:
    
      mount.cifs //srv/share /mnt -o ...,vers=3.1.1
      cd /mnt
      touch foo; tail -f foo &
      rm foo
      cat foo
    
      BUG: kernel NULL pointer dereference, address: 00000000000005c0
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 2 PID: 696 Comm: cat Not tainted 6.9.0-rc2 #1
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
      1.16.3-1.fc39 04/01/2014
      RIP: 0010:__lock_acquire+0x5d/0x1c70
      Code: 00 00 44 8b a4 24 a0 00 00 00 45 85 f6 0f 84 bb 06 00 00 8b 2d
      48 e2 95 01 45 89 c3 41 89 d2 45 89 c8 85 ed 0 0 <48> 81 3f 40 7a 76
      83 44 0f 44 d8 83 fe 01 0f 86 1b 03 00 00 31 d2
      RSP: 0018:ffffc90000b37490 EFLAGS: 00010002
      RAX: 0000000000000000 RBX: ffff888110021ec0 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000005c0
      RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000200
      FS: 00007f2a1fa08740(0000) GS:ffff888157a00000(0000)
      knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0:
      0000000080050033
      CR2: 00000000000005c0 CR3: 000000011ac7c000 CR4: 0000000000750ef0
      PKRU: 55555554
      Call Trace:
       <TASK>
       ? __die+0x23/0x70
       ? page_fault_oops+0x180/0x490
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? exc_page_fault+0x70/0x230
       ? asm_exc_page_fault+0x26/0x30
       ? __lock_acquire+0x5d/0x1c70
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? srso_alias_return_thunk+0x5/0xfbef5
       lock_acquire+0xc0/0x2d0
       ? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? kmem_cache_alloc+0x2d9/0x370
       _raw_spin_lock+0x34/0x80
       ? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
       cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
       cifs_get_fattr+0x24c/0x940 [cifs]
       ? srso_alias_return_thunk+0x5/0xfbef5
       cifs_get_inode_info+0x96/0x120 [cifs]
       cifs_lookup+0x16e/0x800 [cifs]
       cifs_atomic_open+0xc7/0x5d0 [cifs]
       ? lookup_open.isra.0+0x3ce/0x5f0
       ? __pfx_cifs_atomic_open+0x10/0x10 [cifs]
       lookup_open.isra.0+0x3ce/0x5f0
       path_openat+0x42b/0xc30
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? srso_alias_return_thunk+0x5/0xfbef5
       do_filp_open+0xc4/0x170
       do_sys_openat2+0xab/0xe0
       __x64_sys_openat+0x57/0xa0
       do_syscall_64+0xc1/0x1e0
       entry_SYSCALL_64_after_hwframe+0x72/0x7a
    
    Fixes: ffceb7640cbf ("smb: client: do not defer close open handles to deleted files")
    Reviewed-by: Meetakshi Setiya <msetiya@xxxxxxxxxxxxx>
    Reviewed-by: Bharath SM <bharathsm@xxxxxxxxxxxxx>
    Signed-off-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c
index b304215a4d668..9cdbc3ccc1d14 100644
--- a/fs/smb/client/inode.c
+++ b/fs/smb/client/inode.c
@@ -1105,7 +1105,8 @@ static int cifs_get_fattr(struct cifs_open_info_data *data,
 		} else {
 			cifs_open_info_to_fattr(fattr, data, sb);
 		}
-		if (!rc && fattr->cf_flags & CIFS_FATTR_DELETE_PENDING)
+		if (!rc && *inode &&
+		    (fattr->cf_flags & CIFS_FATTR_DELETE_PENDING))
 			cifs_mark_open_handles_for_deleted_file(*inode, full_path);
 		break;
 	case -EREMOTE:







