smb2_queryfs() calls smb2_query_info_compound() with cifs_sb set to NULL. It is then dereferenced by cifs_create_options(). Commit a6e44cb21534d ("SMB3: Backup intent flag missing from some more ops") removed the NULL check before dereferencing cifs_sb. Add it back.
This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.
Fixes: a6e44cb21534d ("SMB3: Backup intent flag missing from some more ops") Signed-off-by: Pratyush Yadav ptyadav@amazon.de ---
Only compile-tested. I do not know this code very well. This was pointed out by our static code analysis tool.
fs/cifs/smb2ops.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 4cb0ebe7330eb..04256edaa4f73 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2272,7 +2272,10 @@ smb2_query_info_compound(const unsigned int xid, struct cifs_tcon *tcon, oparms.tcon = tcon; oparms.desired_access = desired_access; oparms.disposition = FILE_OPEN; - oparms.create_options = cifs_create_options(cifs_sb, 0); + if (cifs_sb) + oparms.create_options = cifs_create_options(cifs_sb, 0); + else + oparms.create_options = 0; oparms.fid = &fid; oparms.reconnect = false;
-- 2.39.2