smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()

ChenXiaoSong · Steve French · commit 4e8771a3666c · 2024-08-22T09:52:00.000-05:00
null-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
and parse_lease_state() return NULL.

Fix this by check if 'lease_ctx_info' is NULL.

Additionally, remove the redundant parentheses in
parse_durable_handle_context().

Signed-off-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
@@ -1510,7 +1510,7 @@ void create_lease_buf(u8 *rbuf, struct lease *lease)
  * parse_lease_state() - parse lease context containted in file open request
  * @open_req:	buffer containing smb2 file open(create) request
  *
- * Return:  oplock state, -ENOENT if create lease context not found
+ * Return: allocated lease context object on success, otherwise NULL
  */
 struct lease_ctx_info *parse_lease_state(void *open_req)
 {
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
@@ -2770,8 +2770,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
 				}
 			}
 
-			if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
-			     req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {
+			if ((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
+			    req_op_level == SMB2_OPLOCK_LEVEL_BATCH) {
 				dh_info->CreateGuid =
 					durable_v2_blob->CreateGuid;
 				dh_info->persistent =
@@ -2791,8 +2791,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
 				goto out;
 			}
 
-			if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
-			     req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {
+			if ((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
+			    req_op_level == SMB2_OPLOCK_LEVEL_BATCH) {
 				ksmbd_debug(SMB, "Request for durable open\n");
 				dh_info->type = dh_idx;
 			}
@@ -3414,7 +3414,7 @@ int smb2_open(struct ksmbd_work *work)
 			goto err_out1;
 		}
 	} else {
-		if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && lc) {
 			if (S_ISDIR(file_inode(filp)->i_mode)) {
 				lc->req_state &= ~SMB2_LEASE_WRITE_CACHING_LE;
 				lc->is_dir = true;

Original file line number	Diff line number	Diff line change
`@@ -1510,7 +1510,7 @@ void create_lease_buf(u8 rbuf, struct lease lease)`
`1510`	`1510`	`* parse_lease_state() - parse lease context containted in file open request`
`1511`	`1511`	`* @open_req: buffer containing smb2 file open(create) request`
`1512`	`1512`	`*`
`1513`		`- * Return: oplock state, -ENOENT if create lease context not found`
	`1513`	`+ * Return: allocated lease context object on success, otherwise NULL`
`1514`	`1514`	`*/`
`1515`	`1515`	`struct lease_ctx_info parse_lease_state(void open_req)`
`1516`	`1516`	`{`
Original file line number	Diff line number	Diff line change
`@@ -2770,8 +2770,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,`
`2770`	`2770`	`}`
`2771`	`2771`	`}`
`2772`	`2772`
`2773`		`- if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) \|\|`
`2774`		`- req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {`
	`2773`	`+ if ((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) \|\|`
	`2774`	`+ req_op_level == SMB2_OPLOCK_LEVEL_BATCH) {`
`2775`	`2775`	`dh_info->CreateGuid =`
`2776`	`2776`	`durable_v2_blob->CreateGuid;`
`2777`	`2777`	`dh_info->persistent =`
`@@ -2791,8 +2791,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,`
`2791`	`2791`	`goto out;`
`2792`	`2792`	`}`
`2793`	`2793`
`2794`		`- if (((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) \|\|`
`2795`		`- req_op_level == SMB2_OPLOCK_LEVEL_BATCH)) {`
	`2794`	`+ if ((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) \|\|`
	`2795`	`+ req_op_level == SMB2_OPLOCK_LEVEL_BATCH) {`
`2796`	`2796`	`ksmbd_debug(SMB, "Request for durable open\n");`
`2797`	`2797`	`dh_info->type = dh_idx;`
`2798`	`2798`	`}`
`@@ -3414,7 +3414,7 @@ int smb2_open(struct ksmbd_work *work)`
`3414`	`3414`	`goto err_out1;`
`3415`	`3415`	`}`
`3416`	`3416`	`} else {`
`3417`		`- if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {`
	`3417`	`+ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && lc) {`
`3418`	`3418`	`if (S_ISDIR(file_inode(filp)->i_mode)) {`
`3419`	`3419`	`lc->req_state &= ~SMB2_LEASE_WRITE_CACHING_LE;`
`3420`	`3420`	`lc->is_dir = true;`