Re: [PATCH] ksmbd: fail share config requests when path allocation fails

[Shuhao Fu <sfual@cse.ust.hk>]

Hi,

I did a live repro on a current mainline tree to confirm that the
published NULL share path is not just an internal invariant break and can
fault a normal ksmbd request path.

The reproducer forced only the share path duplication failure that
produces the published NULL path state. No consumer-side ksmbd path was
modified.

Repro setup:

1. Start from mainline with CONFIG_SMB_SERVER=y and CONFIG_CIFS=y.
2. Add a narrow temporary trigger in share_config_request() so that only
   one test share forces the path duplication step to fail, leaving
   share->path as NULL while still allowing the share to be published.
   No consumer-side ksmbd path was modified.
3. Boot that kernel under QEMU/KVM with a custom initramfs.
4. In the guest, run a tiny userspace generic-netlink responder that:
   - sends KSMBD_EVENT_STARTING_UP
   - answers login requests as guest
   - answers share config requests for the test share with a valid
     export path
   - answers tree connect requests as writable guest
5. From the same guest, mount that test share over loopback with:

   mount -t cifs //<guest-ip>/<test-share> /mnt/cifs \
     -o guest,vers=3.1.1,port=445,uid=0,gid=0

That mount attempt hit the expected fault path. The clean serial log
showed:

  [   21.045838] CIFS: Attempting to mount //<guest-ip>/<test-share>
  [   21.052302] BUG: kernel NULL pointer dereference, address: 0000000000000000
  [   21.062798] RIP: 0010:strlen+0xb/0x20
  [   21.077290]  do_getname_kernel+0x12/0xf0
  [   21.077707]  __ksmbd_vfs_kern_path+0x89/0x390
  [   21.078648]  smb2_open+0xa03/0x20b0

This matches the expected downstream flow:

- tree connect stores the published share in tree_conn->share_conf
- a share-root SMB2 create builds an empty pathname in smb2_open()
- ksmbd_vfs_path_lookup() interprets that as "use the share root" and
  substitutes tree_conn->share_conf->path
- the broken published share has tree_conn->share_conf->path == NULL
- that NULL pathname reaches do_getname_kernel()/strlen()

I also did a second run with the guest netlink responder logging directly
to the serial console. That log was noisy because the userspace prints
interleaved with the kernel Oops, but it still showed the login request
and the tree connect for the test share immediately around the crash.

I can provide more detail, including the temporary repro pieces and the
serial logs, if useful.

Thanks,
Shuhao

On Wed, Apr 29, 2026 at 05:00:13PM +0800, Shuhao Fu wrote:
> Non-pipe shares must have a duplicated backing path before they can be
> published. share_config_request() currently calls kstrndup() for that
> path, but if the allocation fails it leaves ret unchanged. If veto list
> parsing succeeds and share->name exists, the partially built share is
> still inserted into the global share table with share->path left NULL.
> 
> A later share-root SMB2 create uses tree_conn->share_conf->path as the
> lookup root. If the share was published with path == NULL, that request
> passes a NULL pathname into do_getname_kernel()/strlen() and can crash
> the ksmbd worker.
> 
> Set ret = -ENOMEM when path duplication fails so the incomplete share is
> destroyed before publication.
> 
> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")