* [PATCH 5.15.y] smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
@ 2025-04-16 1:08 jianqi.ren.cn
From: jianqi.ren.cn @ 2025-04-16 1:08 UTC (permalink / raw)
To: stable
Cc: patches, gregkh, linux-kernel, jianqi.ren.cn, chenxiaosong,
stfrench, linkinjeon, sfrench, senozhatsky, tom, linux-cifs
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
[ Upstream commit 4e8771a3666c8f216eefd6bd2fd50121c6c437db ]
A null-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
and parse_lease_state() returns NULL.
Fix this by checking whether 'lease_ctx_info' is NULL.
Additionally, remove the redundant parentheses in
parse_durable_handle_context().
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
[Drop the parentheses clean-up since the parentheses were introduced by
c8efcc786146 ("ksmbd: add support for durable handles v1/v2") in v6.9.
Minor context change fixed]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
---
Verified the build test
---
fs/ksmbd/oplock.c | 2 +-
fs/ksmbd/smb2pdu.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
index 4e444d01a3c3..9fcdcea0e6bd 100644
--- a/fs/ksmbd/oplock.c
+++ b/fs/ksmbd/oplock.c
@@ -1498,7 +1498,7 @@ void create_lease_buf(u8 *rbuf, struct lease *lease)
* @open_req: buffer containing smb2 file open(create) request
* @is_dir: whether leasing file is directory
*
- * Return: oplock state, -ENOENT if create lease context not found
+ * Return: allocated lease context object on success, otherwise NULL
*/
struct lease_ctx_info *parse_lease_state(void *open_req, bool is_dir)
{
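Review bot: The kernel-doc fix is worth keeping in the backport even though it is comment-only: parse_lease_state() returns a `struct lease_ctx_info *`, so the old "-ENOENT if create lease context not found" line described a return value this function cannot produce and hid the fact that callers must handle NULL, which is exactly the case the smb2pdu.c hunk guards.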
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 3dfe0acf21a5..5cd0aa217f67 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3230,7 +3230,7 @@ int smb2_open(struct ksmbd_work *work)
goto err_out1;
}
} else {
- if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) {
+ if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE && lc) {
/*
* Compare parent lease using parent key. If there is no
* a lease that has same parent key, Send lease break
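Review bot: The added `&& lc` guard stops the lease-compare block from dereferencing a NULL lease context, but it does so by silently treating a request with `req_op_level == SMB2_OPLOCK_LEVEL_LEASE` and an unparseable lease context as if no lease had been requested; the commit message should state that falling through to the non-lease path is the intended behaviour rather than failing the create. Also confirm in the 5.15 tree that no later dereference of `lc` follows in this `else` branch, since only this condition is guarded and the backport note mentions a context change against upstream.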
--
2.34.1
* Re: [PATCH 5.15.y] smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
From: Sasha Levin @ 2025-04-16 14:28 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 4e8771a3666c8f216eefd6bd2fd50121c6c437db
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: ChenXiaoSong<chenxiaosong@kylinos.cn>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 07f384c5be1f)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 4e8771a3666c8 < -: ------------- smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
-: ------------- > 1: 1039ccd22f9f2 smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |