NACK/Cmnt: [SRU][J][PATCH 1/1] smb: server: fix use-after-free in smb2_open()
Stefan Bader
stefan.bader at canonical.com
Tue Jul 7 15:41:51 UTC 2026
On 07/07/2026 08:01, Jian Hui Lee via kernel-team wrote:
> hi cengiz,
>
this does not seem to be in reply to a message. Which makes it rather
hard to connect it to a submission.
-Stefan
> On Wed, Jun 24, 2026 at 5:07 PM Cengiz Can via kernel-team
> <kernel-team at lists.ubuntu.com> wrote:
>>
>> From: Marios Makassikis <mmakassikis at freebox.fr>
>>
>> The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
>> dereferenced after rcu_read_unlock(), creating a use-after-free
>> window.
>>
>> Cc: stable at vger.kernel.org
>> Signed-off-by: Marios Makassikis <mmakassikis at freebox.fr>
>> Acked-by: Namjae Jeon <linkinjeon at kernel.org>
>> Signed-off-by: Steve French <stfrench at microsoft.com>
>> (backported from commit 1e689a56173827669a35da7cb2a3c78ed5c53680)
>> [bot_kybele: File lives at fs/ksmbd/smb2pdu.c (pre-fs/smb/server move); the
>> context line after OplockLevel is "rsp->Reserved = 0;" here, not upstream's
>> "rsp->Flags = 0;", so I kept Reserved and only dropped the now-unneeded
>> rcu_read_unlock().]
>> CVE-2026-43378
>> Assisted-by: kybele:claude-opus-4.8
>> Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
>> ---
>> fs/ksmbd/smb2pdu.c | 5 ++---
>> 1 file changed, 2 insertions(+), 3 deletions(-)
>>
>> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
>> index 07ae294541bb..b3570b4c7fc1 100644
>> --- a/fs/ksmbd/smb2pdu.c
>> +++ b/fs/ksmbd/smb2pdu.c
>> @@ -3345,10 +3345,8 @@ int smb2_open(struct ksmbd_work *work)
>> memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
>>
>> rsp->StructureSize = cpu_to_le16(89);
>> - rcu_read_lock();
>> - opinfo = rcu_dereference(fp->f_opinfo);
>> + opinfo = opinfo_get(fp);
>> rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
>> - rcu_read_unlock();
>> rsp->Reserved = 0;
>> rsp->CreateAction = cpu_to_le32(file_info);
>> rsp->CreationTime = cpu_to_le64(fp->create_time);
>> @@ -3389,6 +3387,7 @@ int smb2_open(struct ksmbd_work *work)
>> next_ptr = &lease_ccontext->Next;
>> next_off = conn->vals->create_lease_size;
>> }
>> + opinfo_put(opinfo);
> on jammy, if opinfo is null, there is no null guard in opinfo_put():
> 197 void opinfo_put(struct oplock_info *opinfo)
> 198 {
> 199 if (!atomic_dec_and_test(&opinfo->refcount))
> 200 return;
> 201
> 202 call_rcu(&opinfo->rcu_head, opinfo_free_rcu);
> 203 }
>
> upstream went through several iterations to make opinfo_put()
> null-safe. we might need to pull in some of those changes here.
>
>>
>> if (maximal_access_ctxt) {
>> struct create_context *mxac_ccontext;
>> --
>> 2.43.0
>>
>>
>> --
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260707/07c32371/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260707/07c32371/attachment-0001.sig>
More information about the kernel-team
mailing list