* [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure [not found] <2025110432-maimed-polio-c7b4@gregkh> @ 2025-11-04 10:03 ` Qianchang Zhao 2025-11-04 11:51 ` Namjae Jeon 2025-11-04 14:12 ` Qianchang Zhao 1 sibling, 1 reply; 6+ messages in thread From: Qianchang Zhao @ 2025-11-04 10:03 UTC (permalink / raw) To: Namjae Jeon, Steve French Cc: Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh, Qianchang Zhao, Zhitong Liu, stable When encrypt_resp() fails at the send path, we only set STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf in this tree). Repeating this path leaks kernel memory and can lead to OOM (DoS) when encryption is required. Reproduced on: Linux v6.18-rc2 (self-built test kernel) Fix by freeing the transform buffer and forcing plaintext error reply. Reported-by: Qianchang Zhao <pioooooooooip@gmail.com> Reported-by: Zhitong Liu <liuzhitong1993@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com> --- fs/smb/server/server.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 7b01c7589..15dd13e76 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -246,11 +246,11 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, rc = conn->ops->encrypt_resp(work); if (rc < 0) { conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); - work->encrypted = false; - if (work->tr_buf) { - kvfree(work->tr_buf); - work->tr_buf = NULL; - } + work->encrypted = false; + if (work->tr_buf) { + kvfree(work->tr_buf); + work->tr_buf = NULL; + } } } if (work->sess) -- 2.34.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure 2025-11-04 10:03 ` [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure Qianchang Zhao @ 2025-11-04 11:51 ` Namjae Jeon 0 siblings, 0 replies; 6+ messages in thread From: Namjae Jeon @ 2025-11-04 11:51 UTC (permalink / raw) To: Qianchang Zhao Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh, Zhitong Liu, stable On Tue, Nov 4, 2025 at 7:03 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote: > > When encrypt_resp() fails at the send path, we only set > STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf > in this tree). Repeating this path leaks kernel memory and can lead to > OOM (DoS) when encryption is required. > > Reproduced on: Linux v6.18-rc2 (self-built test kernel) > > Fix by freeing the transform buffer and forcing plaintext error reply. > > Reported-by: Qianchang Zhao <pioooooooooip@gmail.com> > Reported-by: Zhitong Liu <liuzhitong1993@gmail.com> > Cc: stable@vger.kernel.org > Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com> > --- > fs/smb/server/server.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c > index 7b01c7589..15dd13e76 100644 > --- a/fs/smb/server/server.c > +++ b/fs/smb/server/server.c > @@ -246,11 +246,11 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, > rc = conn->ops->encrypt_resp(work); > if (rc < 0) { > conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); > - work->encrypted = false; > - if (work->tr_buf) { > - kvfree(work->tr_buf); > - work->tr_buf = NULL; > - } > + work->encrypted = false; > + if (work->tr_buf) { > + kvfree(work->tr_buf); > + work->tr_buf = NULL; > + } This patch seems to be broken or wrong. Please check the patch again. Thanks! > } > } > if (work->sess) > -- > 2.34.1 > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure [not found] <2025110432-maimed-polio-c7b4@gregkh> 2025-11-04 10:03 ` [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure Qianchang Zhao @ 2025-11-04 14:12 ` Qianchang Zhao 2025-11-05 5:14 ` Namjae Jeon 2025-11-06 6:58 ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao 1 sibling, 2 replies; 6+ messages in thread From: Qianchang Zhao @ 2025-11-04 14:12 UTC (permalink / raw) To: Namjae Jeon, Steve French Cc: Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh, Qianchang Zhao, Zhitong Liu, stable When encrypt_resp() fails at the send path, we only set STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf in this tree). Repeating this path leaks kernel memory and can lead to OOM (DoS) when encryption is required. Reproduced on: Linux v6.18-rc2 (self-built test kernel) Fix by freeing the transform buffer and forcing plaintext error reply. Reported-by: Qianchang Zhao <pioooooooooip@gmail.com> Reported-by: Zhitong Liu <liuzhitong1993@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com> --- fs/smb/server/server.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 40420544c..15dd13e76 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -244,8 +244,14 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, if (work->sess && work->sess->enc && work->encrypted && conn->ops->encrypt_resp) { rc = conn->ops->encrypt_resp(work); - if (rc < 0) + if (rc < 0) { conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); + work->encrypted = false; + if (work->tr_buf) { + kvfree(work->tr_buf); + work->tr_buf = NULL; + } + } } if (work->sess) ksmbd_user_session_put(work->sess); -- 2.34.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure 2025-11-04 14:12 ` Qianchang Zhao @ 2025-11-05 5:14 ` Namjae Jeon 2025-11-06 6:58 ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao 1 sibling, 0 replies; 6+ messages in thread From: Namjae Jeon @ 2025-11-05 5:14 UTC (permalink / raw) To: Qianchang Zhao Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-cifs, linux-kernel, gregkh, Zhitong Liu, stable On Tue, Nov 4, 2025 at 11:12 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote: > > When encrypt_resp() fails at the send path, we only set > STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf > in this tree). Repeating this path leaks kernel memory and can lead to > OOM (DoS) when encryption is required. > > Reproduced on: Linux v6.18-rc2 (self-built test kernel) > > Fix by freeing the transform buffer and forcing plaintext error reply. > > Reported-by: Qianchang Zhao <pioooooooooip@gmail.com> > Reported-by: Zhitong Liu <liuzhitong1993@gmail.com> > Cc: stable@vger.kernel.org > Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com> > --- > fs/smb/server/server.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c > index 40420544c..15dd13e76 100644 > --- a/fs/smb/server/server.c > +++ b/fs/smb/server/server.c > @@ -244,8 +244,14 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, > if (work->sess && work->sess->enc && work->encrypted && > conn->ops->encrypt_resp) { > rc = conn->ops->encrypt_resp(work); > - if (rc < 0) > + if (rc < 0) { > conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); > + work->encrypted = false; > + if (work->tr_buf) { > + kvfree(work->tr_buf); ->tr_buf is freed in ksmbd_free_work_struct(). How can tr_buf not be freed? Thanks. > + work->tr_buf = NULL; > + } > + } > } > if (work->sess) > ksmbd_user_session_put(work->sess); > -- > 2.34.1 > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error 2025-11-04 14:12 ` Qianchang Zhao 2025-11-05 5:14 ` Namjae Jeon @ 2025-11-06 6:58 ` Qianchang Zhao 2025-11-08 14:27 ` Namjae Jeon 1 sibling, 1 reply; 6+ messages in thread From: Qianchang Zhao @ 2025-11-06 6:58 UTC (permalink / raw) To: Namjae Jeon, linux-cifs Cc: Steve French, Sergey Senozhatsky, Tom Talpey, linux-kernel, stable, gregkh, Qianchang Zhao, Zhitong Liu When encrypt_resp() fails in the send path, we set STATUS_DATA_ERROR but leave work->encrypted true. The send path then still assumes a valid transform buffer and tries to build/send an encrypted reply. Clear work->encrypted on failure to force a plaintext error reply. The transform buffer (if allocated) is released by ksmbd_free_work_struct(), so no explicit kvfree(tr_buf) is needed. Reported-by: Qianchang Zhao <pioooooooooip@gmail.com> Reported-by: Zhitong Liu <liuzhitong1993@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com> --- v2: - Drop explicit kvfree(tr_buf); it is freed in ksmbd_free_work_struct(). - Keep only 'work->encrypted = false' and update the commit message. fs/smb/server/server.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 40420544c..a7444a78f 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -244,8 +244,10 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, if (work->sess && work->sess->enc && work->encrypted && conn->ops->encrypt_resp) { rc = conn->ops->encrypt_resp(work); - if (rc < 0) + if (rc < 0) { conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); + work->encrypted = false; + } } if (work->sess) ksmbd_user_session_put(work->sess); -- 2.34.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error 2025-11-06 6:58 ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao @ 2025-11-08 14:27 ` Namjae Jeon 0 siblings, 0 replies; 6+ messages in thread From: Namjae Jeon @ 2025-11-08 14:27 UTC (permalink / raw) To: Qianchang Zhao Cc: linux-cifs, Steve French, Sergey Senozhatsky, Tom Talpey, linux-kernel, stable, gregkh, Zhitong Liu On Thu, Nov 6, 2025 at 3:58 PM Qianchang Zhao <pioooooooooip@gmail.com> wrote: > > When encrypt_resp() fails in the send path, we set STATUS_DATA_ERROR but > leave work->encrypted true. The send path then still assumes a valid > transform buffer and tries to build/send an encrypted reply. > > Clear work->encrypted on failure to force a plaintext error reply. ksmbd will send a plain text error reply regardless of the work->encrypted value. It doesn't seem to make any sense to set this to false. Thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-11-08 14:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <2025110432-maimed-polio-c7b4@gregkh>
2025-11-04 10:03 ` [PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure Qianchang Zhao
2025-11-04 11:51 ` Namjae Jeon
2025-11-04 14:12 ` Qianchang Zhao
2025-11-05 5:14 ` Namjae Jeon
2025-11-06 6:58 ` [PATCH v2] ksmbd: clear 'encrypted' on encrypt_resp() failure to send plaintext error Qianchang Zhao
2025-11-08 14:27 ` Namjae Jeon
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).