From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Fedor Pchelkin <pchelkin@ispras.ru>,
	Namjae Jeon <linkinjeon@kernel.org>,
	Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.7 14/28] ksmbd: free ppace array on error in parse_dacl
Date: Thu, 18 Jan 2024 11:49:04 +0100
Message-ID: <20240118104301.724392561@linuxfoundation.org>
In-Reply-To: <20240118104301.249503558@linuxfoundation.org>

6.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fedor Pchelkin <pchelkin@ispras.ru>

commit 8cf9bedfc3c47d24bb0de386f808f925dc52863e upstream.

The ppace array is not freed if one of the init_acl_state() calls inside
parse_dacl() fails. At the moment the function may fail only due to the
memory allocation errors so it's highly unlikely in this case but
nevertheless a fix is needed.

Move ppace allocation after the init_acl_state() calls with proper error
handling.

Found by Linux Verification Center (linuxtesting.org).

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smbacl.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -401,10 +401,6 @@ static void parse_dacl(struct mnt_idmap
 	if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
 		return;
 
-	ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
-	if (!ppace)
-		return;
-
 	ret = init_acl_state(&acl_state, num_aces);
 	if (ret)
 		return;
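
Review bot: the `num_aces > ULONG_MAX / sizeof(struct smb_ace *)` guard kept as context at the top of this hunk is now separated from the kmalloc_array() call it is sized for, and the first thing that follows it is init_acl_state(&acl_state, num_aces). kmalloc_array() already fails on a multiplication overflow by itself, so consider moving the guard down next to the relocated allocation, or adding a one-line comment saying what it still bounds at this position, so a later cleanup does not drop it or read it as a limit on init_acl_state().
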
@@ -413,6 +409,13 @@ static void parse_dacl(struct mnt_idmap
 		free_acl_state(&acl_state);
 		return;
 	}
+
+	ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
+	if (!ppace) {
+		free_acl_state(&default_acl_state);
+		free_acl_state(&acl_state);
+		return;
+	}
 
 	/*
 	 * reset rwx permissions for user/group/other.
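
Review bot: the new `if (!ppace)` branch repeats free_acl_state(&acl_state) from the failure branch just above it and adds free_acl_state(&default_acl_state) by hand, so each further allocation added to parse_dacl() has to remember the full cleanup list, which is the same class of mistake as the leak being fixed. A single unwind path with goto labels that frees default_acl_state and then acl_state would keep the release order in one place. Because parse_dacl() returns void, this failure is also invisible to the caller; a short comment or log line on the allocation-failure path would document that the function returns without processing the ACEs.
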


