Patch "smb/client: avoid possible NULL dereference in cifs_free_subrequest()" has been added to the 6.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 22 Aug 2024 20:13:22 -0400

This is a note to let you know that I've just added the patch titled

    smb/client: avoid possible NULL dereference in cifs_free_subrequest()

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     smb-client-avoid-possible-null-dereference-in-cifs_f.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 91ee85fb8eaf49b895086f7bb4ce80df52e5911d
Author: Su Hui <suhui@xxxxxxxxxxxx>
Date:   Thu Aug 8 20:23:32 2024 +0800

    smb/client: avoid possible NULL dereference in cifs_free_subrequest()
    
    [ Upstream commit 74c2ab6d653b4c2354df65a7f7f2df1925a40a51 ]
    
    Clang static checker (scan-build) warning:
            cifsglob.h:line 890, column 3
            Access to field 'ops' results in a dereference of a null pointer.
    
    Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in
    R/W requests") adds a check for 'rdata->server', and let clang throw this
    warning about NULL dereference.
    
    When 'rdata->credits.value != 0 && rdata->server == NULL' happens,
    add_credits_and_wake_if() will call rdata->server->ops->add_credits().
    This will cause NULL dereference problem. Add a check for 'rdata->server'
    to avoid NULL dereference.
    
    Cc: stable@xxxxxxxxxxxxxxx
    Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks")
    Reviewed-by: David Howells <dhowells@xxxxxxxxxx>
    Signed-off-by: Su Hui <suhui@xxxxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index b413cfef05422..1fc66bcf49eb4 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -316,7 +316,7 @@ static void cifs_free_subrequest(struct netfs_io_subrequest *subreq)
 #endif
 	}
 
-	if (rdata->credits.value != 0)
+	if (rdata->credits.value != 0) {
 		trace_smb3_rw_credits(rdata->rreq->debug_id,
 				      rdata->subreq.debug_index,
 				      rdata->credits.value,
@@ -324,8 +324,12 @@ static void cifs_free_subrequest(struct netfs_io_subrequest *subreq)
 				      rdata->server ? rdata->server->in_flight : 0,
 				      -rdata->credits.value,
 				      cifs_trace_rw_credits_free_subreq);
+		if (rdata->server)
+			add_credits_and_wake_if(rdata->server, &rdata->credits, 0);
+		else
+			rdata->credits.value = 0;
+	}
 
-	add_credits_and_wake_if(rdata->server, &rdata->credits, 0);
 	if (rdata->have_xid)
 		free_xid(rdata->xid);
 }







