[PATCH resend 1/1] afs: fix null-dereference in CB.InitCallBackState3
From: Ren Wei
Date: Wed Jun 03 2026 - 12:41:51 EST
From: Nan Li <tonanli66@xxxxxxxxx>
The cache manager callback path now attaches the server record to an
incoming call through the rxrpc peer's app data. That association is
not guaranteed to exist for every callback request.

CB.InitCallBackState3 did not check whether call->server was present
before dereferencing call->server->_uuid in memcmp(). If a remote peer
sent a CB.InitCallBackState3 request that was not mapped to a server
record, the kernel could hit a NULL pointer dereference.

This is a remotely triggerable null-dereference that can be used to
cause a kernel crash, leading to remote denial of service. Fix it by
checking call->server before using it, and ignore unmatched callback
requests in the same way as the other callback handlers.

Fixes: 40e8b52fe8c8 ("afs: Use the per-peer app data provided by rxrpc")
Cc: stable@xxxxxxxxxx
Reported-by: Yuan Tan <yuantan098@xxxxxxxxx>
Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
Reported-by: Xin Liu <bird@xxxxxxxxxx>
Signed-off-by: Nan Li <tonanli66@xxxxxxxxx>
Signed-off-by: Ren Wei <n05ec@xxxxxxxxxx>
---
fs/afs/cmservice.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
index 5540ae1cad59..263c60c811a5 100644
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -364,6 +364,11 @@ static int afs_deliver_cb_init_call_back_state3(struct afs_call *call)
if (!afs_check_call_state(call, AFS_CALL_SV_REPLYING))
return afs_io_error(call, afs_io_error_cm_reply);
+ if (!call->server) {
+ trace_afs_cm_no_server_u(call, call->request);
+ return 0;
+ }
+
if (memcmp(call->request, &call->server->_uuid, sizeof(call->server->_uuid)) != 0) {
pr_notice("Callback UUID does not match fileserver UUID\n");
trace_afs_cm_no_server_u(call, call->request);
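Review bot: the new `if (!call->server)` branch returns 0 after `trace_afs_cm_no_server_u(call, call->request)` but, unlike the adjacent UUID-mismatch branch directly below it, emits no `pr_notice()`, so an operator would see the mismatch case in the kernel log but not the missing-server case that this patch turns from a crash into a silent drop; either add a matching (rate-limited) notice or state in the commit message that the silent drop is intentional. Reusing the UUID-mismatch trace event also makes the two conditions indistinguishable in tracing output, so a dedicated event, or at least a comment above the check saying why the request is dropped, would help anyone triaging callback traffic from an unmatched peer.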
--
2.43.0