In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix double put of @cfile in smb2setpath_size()
If smb2compoundop() is called with a valid @cfile and returned -EINVAL, we need to call cifsgetwritable_path() before retrying it as the reference of @cfile was already dropped by previous call.
This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022:
CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detachifpending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176
CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifsoplockbreak [cifs] Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ? detachifpending+0xab/0x200 printreport+0x156/0x4d9 ? detachifpending+0xab/0x200 ? virtaddrvalid+0x145/0x300 ? _physaddr+0x46/0x90 ? detachifpending+0xab/0x200 kasanreport+0xda/0x110 ? detachifpending+0xab/0x200 detachifpending+0xab/0x200 timerdelete+0x96/0xe0 ? _pfxtimerdelete+0x10/0x10 ? rcuiswatching+0x20/0x50 trytograbpending+0x46/0x3b0 _cancelwork+0x89/0x1b0 ? _pfxcancelwork+0x10/0x10 ? kasansavetrack+0x14/0x30 cifsclosedeferredfile+0x110/0x2c0 [cifs] ? _pfxcifsclosedeferredfile+0x10/0x10 [cifs] ? _pfxdownread+0x10/0x10 cifsoplockbreak+0x4c1/0xa50 [cifs] ? _pfxcifsoplockbreak+0x10/0x10 [cifs] ? lockisheldtype+0x85/0xf0 ? markheldlocks+0x1a/0x90 processonework+0x4c6/0x9f0 ? findheldlock+0x8a/0xa0 ? _pfxprocessonework+0x10/0x10 ? lockacquired+0x220/0x550 ? _listaddvalidorreport+0x37/0x100 workerthread+0x2e4/0x570 ? _kthreadparkme+0xd1/0xf0 ? _pfxworkerthread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? _pfxkthread+0x10/0x10 retfromfork+0x31/0x60 ? _pfxkthread+0x10/0x10 retfromfork_asm+0x1a/0x30 </TASK>
Allocated by task 1118: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 _kasankmalloc+0xaa/0xb0 cifsnewfileinfo+0xc8/0x9d0 [cifs] cifsatomicopen+0x467/0x770 [cifs] lookupopen.isra.0+0x665/0x8b0 pathopenat+0x4c3/0x1380 dofilpopen+0x167/0x270 dosysopenat2+0x129/0x160 _x64syscreat+0xad/0xe0 dosyscall64+0xbb/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f
Freed by task 83: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x70 poisonslabobject+0xe9/0x160 _kasanslabfree+0x32/0x50 kfree+0xf2/0x300 processonework+0x4c6/0x9f0 workerthread+0x2e4/0x570 kthread+0x17f/0x1c0 retfromfork+0x31/0x60 retfromforkasm+0x1a/0x30
Last potentially related work creation: kasansavestack+0x30/0x50 _kasanrecordauxstack+0xad/0xc0 insertwork+0x29/0xe0 _queuework+0x5ea/0x760 queueworkon+0x6d/0x90 _cifsFileInfoput+0x3f6/0x770 [cifs] smb2compoundop+0x911/0x3940 [cifs] smb2setpathsize+0x228/0x270 [cifs] cifssetfilesize+0x197/0x460 [cifs] cifssetattr+0xd9c/0x14b0 [cifs] notifychange+0x4e3/0x740 dotruncate+0xfa/0x180 vfstruncate+0x195/0x200 _x64systruncate+0x109/0x150 dosyscall64+0xbb/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f