fs/smb/server/smb2pdu.c:6131 smb2_read_pipe() error: double free of 'rpc_resp'
From: Dan Carpenter
Date: Wed Oct 11 2023 - 03:15:47 EST
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 1c8b86a3799f7e5be903c3f49fcdaee29fd385b5
commit: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d ksmbd: add support for read compound
config: i386-randconfig-141-20231010 (https://download.01.org/0day-ci/archive/20231011/202310111236.IXH2OKfq-lkp@xxxxxxxxx/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce: (https://download.01.org/0day-ci/archive/20231011/202310111236.IXH2OKfq-lkp@xxxxxxxxx/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202310111236.IXH2OKfq-lkp@xxxxxxxxx/
New smatch warnings:
fs/smb/server/smb2pdu.c:6131 smb2_read_pipe() error: double free of 'rpc_resp'
vim +/rpc_resp +6131 fs/smb/server/smb2pdu.c
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6076 static noinline int smb2_read_pipe(struct ksmbd_work *work)
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6077 {
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6078 int nbytes = 0, err;
64b39f4a2fd293cf fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-30 6079 u64 id;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6080 struct ksmbd_rpc_command *rpc_resp;
7b7d709ef7cf2853 fs/smb/server/smb2pdu.c Namjae Jeon 2023-06-24 6081 struct smb2_read_req *req;
7b7d709ef7cf2853 fs/smb/server/smb2pdu.c Namjae Jeon 2023-06-24 6082 struct smb2_read_rsp *rsp;
7b7d709ef7cf2853 fs/smb/server/smb2pdu.c Namjae Jeon 2023-06-24 6083
7b7d709ef7cf2853 fs/smb/server/smb2pdu.c Namjae Jeon 2023-06-24 6084 WORK_BUFFERS(work, req, rsp);
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6085
2d004c6cae567e33 fs/ksmbd/smb2pdu.c Paulo Alcantara 2022-03-21 6086 id = req->VolatileFileId;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6087
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6088 rpc_resp = ksmbd_rpc_read(work->sess, id);
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6089 if (rpc_resp) {
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6090 void *aux_payload_buf;
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6091
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6092 if (rpc_resp->flags != KSMBD_RPC_OK) {
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6093 err = -EINVAL;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6094 goto out;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6095 }
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6096
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6097 aux_payload_buf =
81a94b27847f7d2e fs/smb/server/smb2pdu.c Namjae Jeon 2023-05-31 6098 kvmalloc(rpc_resp->payload_sz, GFP_KERNEL);
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6099 if (!aux_payload_buf) {
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6100 err = -ENOMEM;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6101 goto out;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6102 }
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6103
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6104 memcpy(aux_payload_buf, rpc_resp->payload, rpc_resp->payload_sz);
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6105
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6106 nbytes = rpc_resp->payload_sz;
79f6b11a104f3a32 fs/cifsd/smb2pdu.c Namjae Jeon 2021-04-02 6107 kvfree(rpc_resp);
Freed
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6108 err = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6109 offsetof(struct smb2_read_rsp, Buffer),
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6110 aux_payload_buf, nbytes);
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6111 if (err)
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6112 goto out;
Goto out
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6113 } else {
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6114 err = ksmbd_iov_pin_rsp(work, (void *)rsp,
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6115 offsetof(struct smb2_read_rsp, Buffer));
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6116 if (err)
e2b76ab8b5c9327a fs/smb/server/smb2pdu.c Namjae Jeon 2023-08-29 6117 goto out;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6118 }
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6119
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6120 rsp->StructureSize = cpu_to_le16(17);
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6121 rsp->DataOffset = 80;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6122 rsp->Reserved = 0;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6123 rsp->DataLength = cpu_to_le32(nbytes);
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6124 rsp->DataRemaining = 0;
699230f31bf55abc fs/ksmbd/smb2pdu.c Ronnie Sahlberg 2021-09-09 6125 rsp->Flags = 0;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6126 return 0;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6127
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6128 out:
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6129 rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6130 smb2_set_err_rsp(work);
79f6b11a104f3a32 fs/cifsd/smb2pdu.c Namjae Jeon 2021-04-02 @6131 kvfree(rpc_resp);
Double freed
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6132 return err;
e2f34481b24db2fd fs/cifsd/smb2pdu.c Namjae Jeon 2021-03-16 6133 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki