From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: fs/smb/server/smb2pdu.c:6131 smb2_read_pipe() error: double free of 'rpc_resp'
Date: Wed, 11 Oct 2023 12:56:39 +0800 [thread overview]
Message-ID: <202310111236.IXH2OKfq-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Namjae Jeon <linkinjeon@kernel.org>
CC: Steve French <stfrench@microsoft.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 1c8b86a3799f7e5be903c3f49fcdaee29fd385b5
commit: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d ksmbd: add support for read compound
date: 6 weeks ago
:::::: branch date: 10 hours ago
:::::: commit date: 6 weeks ago
config: i386-randconfig-141-20231010 (https://download.01.org/0day-ci/archive/20231011/202310111236.IXH2OKfq-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce: (https://download.01.org/0day-ci/archive/20231011/202310111236.IXH2OKfq-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202310111236.IXH2OKfq-lkp@intel.com/
New smatch warnings:
fs/smb/server/smb2pdu.c:6131 smb2_read_pipe() error: double free of 'rpc_resp'
Old smatch warnings:
fs/smb/server/smb2pdu.c:3389 smb2_open() warn: Function too hairy. No more merges.
fs/smb/server/smb2pdu.c:6318 smb2_read() warn: passing freed memory 'aux_payload_buf'
vim +/rpc_resp +6131 fs/smb/server/smb2pdu.c
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6069
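/**
 * smb2_read_pipe() - handler for smb2 read from IPC pipe
 * @work: smb work containing read IPC pipe command buffer
 *
 * Fetches the RPC response for the pipe identified by the request's
 * VolatileFileId, copies its payload into a freshly allocated auxiliary
 * buffer and pins that buffer as the data part of the read response.
 * When no RPC response is available an empty read response is pinned.
 *
 * The RPC response buffer is owned by this function and is released
 * exactly once on every path: on success after the payload has been
 * pinned, on failure at the out: label.
 *
 * Return: 0 on success, otherwise a negative error; on error the
 *         response header status has already been set on @work.
 */
static noinline int smb2_read_pipe(struct ksmbd_work *work)
{
	int nbytes = 0, err;
	u64 id;
	struct ksmbd_rpc_command *rpc_resp;
	struct smb2_read_req *req;
	struct smb2_read_rsp *rsp;

	WORK_BUFFERS(work, req, rsp);

	id = req->VolatileFileId;

	rpc_resp = ksmbd_rpc_read(work->sess, id);
	if (rpc_resp) {
		void *aux_payload_buf;

		if (rpc_resp->flags != KSMBD_RPC_OK) {
			err = -EINVAL;
			goto out;
		}

		aux_payload_buf =
			kvmalloc(rpc_resp->payload_sz, GFP_KERNEL);
		if (!aux_payload_buf) {
			err = -ENOMEM;
			goto out;
		}

		memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz);

		nbytes = rpc_resp->payload_sz;
		err = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
					     offsetof(struct smb2_read_rsp, Buffer),
					     aux_payload_buf, nbytes);
		if (err) {
			/*
			 * NOTE(review): assumes ksmbd_iov_pin_rsp_read() does
			 * not take ownership of aux_payload_buf when it fails;
			 * confirm against its implementation before relying on
			 * this free. rpc_resp itself is freed at out:.
			 */
			kvfree(aux_payload_buf);
			goto out;
		}

		/*
		 * Release the RPC response only once pinning has succeeded.
		 * Freeing it before the error check above would leave the
		 * goto out path freeing it a second time (double free).
		 */
		kvfree(rpc_resp);
	} else {
		err = ksmbd_iov_pin_rsp(work, (void *)rsp,
					offsetof(struct smb2_read_rsp, Buffer));
		if (err)
			goto out;
	}

	rsp->StructureSize = cpu_to_le16(17);
	rsp->DataOffset = 80;
	rsp->Reserved = 0;
	rsp->DataLength = cpu_to_le32(nbytes);
	rsp->DataRemaining = 0;
	rsp->Flags = 0;
	return 0;

out:
	rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
	smb2_set_err_rsp(work);
	/* Sole owner of rpc_resp on the error paths; kvfree(NULL) is a no-op. */
	kvfree(rpc_resp);
	return err;
}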
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6134
:::::: The code at line 6131 was first introduced by commit
:::::: 79f6b11a104f3a32f4f4a6f7808a02c301c19710 cifsd: remove wrappers of kvmalloc/kvfree
:::::: TO: Namjae Jeon <namjae.jeon@samsung.com>
:::::: CC: Steve French <stfrench@microsoft.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki