lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <202412161024.LgGt4s2G-lkp@intel.com>
Date: Mon, 16 Dec 2024 10:33:57 +0800
From: kernel test robot <lkp@...el.com>
To: Yunseong Kim <yskelg@...il.com>
Cc: oe-kbuild-all@...ts.linux.dev, linux-kernel@...r.kernel.org,
	Steve French <stfrench@...rosoft.com>
Subject: fs/smb/server/server.c:283:5-24: WARNING: atomic_dec_and_test
 variation before object free at line 284.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
commit: 9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e ksmbd: fix use-after-free in SMB request handling
date:   3 weeks ago
config: parisc-randconfig-r053-20241215 (https://download.01.org/0day-ci/archive/20241216/202412161024.LgGt4s2G-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 14.2.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412161024.LgGt4s2G-lkp@intel.com/

cocci warnings: (new ones prefixed by >>)
>> fs/smb/server/server.c:283:5-24: WARNING: atomic_dec_and_test variation before object free at line 284.

vim +283 fs/smb/server/server.c

   255	
   256	/**
   257	 * handle_ksmbd_work() - process pending smb work requests
   258	 * @wk:	smb work containing request command buffer
   259	 *
   260	 * called by kworker threads to processing remaining smb work requests
   261	 */
   262	static void handle_ksmbd_work(struct work_struct *wk)
   263	{
   264		struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
   265		struct ksmbd_conn *conn = work->conn;
   266	
   267		atomic64_inc(&conn->stats.request_served);
   268	
   269		__handle_ksmbd_work(work, conn);
   270	
   271		ksmbd_conn_try_dequeue_request(work);
   272		ksmbd_free_work_struct(work);
   273		atomic_dec(&conn->mux_smb_requests);
   274		/*
   275		 * Checking waitqueue to dropping pending requests on
   276		 * disconnection. waitqueue_active is safe because it
   277		 * uses atomic operation for condition.
   278		 */
   279		atomic_inc(&conn->refcnt);
   280		if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
   281			wake_up(&conn->r_count_q);
   282	
 > 283		if (atomic_dec_and_test(&conn->refcnt))
 > 284			kfree(conn);
   285	}
   286	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ