authorNamjae Jeon <linkinjeon@kernel.org>2025-02-26 15:44:02 +0900
committerSteve French <stfrench@microsoft.com>2025-03-02 22:50:53 -0600
commit84d2d1641b71dec326e8736a749b7ee76a9599fc (patch)
tree7444a92048a0a5b6e4ebc3195db3ecc4b99326d5 /fs/smb
parente2ff19f0b7a30e03516e6eb73b948e27a55bc9d2 (diff)
ksmbd: fix use-after-free in smb2_lock
If smb_lock->zero_len is set, smb_lock's ->llist is not deleted and flock is the old one. This causes a use-after-free in the error handling routine. Cc: stable@vger.kernel.org Reported-by: Norbert Szetei <norbert@doyensec.com> Tested-by: Norbert Szetei <norbert@doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/smb')
-rw-r--r--fs/smb/server/smb2pdu.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index f1efcd027475..35bed8fc1b97 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7458,13 +7458,13 @@ out_check_cl:
}
no_check_cl:
+ flock = smb_lock->fl;
+ list_del(&smb_lock->llist);
+
if (smb_lock->zero_len) {
err = 0;
goto skip;
}
-
- flock = smb_lock->fl;
- list_del(&smb_lock->llist);
retry:
rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
skip: