[PATCH resend 1/1] afs: fix null-dereference in CB.InitCallBackState3

Ren Wei n05ec at lzu.edu.cn
Wed Jun 3 09:20:45 PDT 2026


From: Nan Li <tonanli66 at gmail.com>

The cache manager callback path now attaches the server record to an
incoming call through the rxrpc peer's app data. That association is
not guaranteed to exist for every callback request.

CB.InitCallBackState3 did not check whether call->server was present
before dereferencing call->server->_uuid in memcmp(). If a remote peer
sent a CB.InitCallBackState3 request that was not mapped to a server
record, the kernel could hit a NULL pointer dereference.

This is a remotely triggerable null-dereference that can be used to
cause a kernel crash, leading to remote denial of service. Fix it by
checking call->server before using it, and ignore unmatched callback
requests in the same way as the other callback handlers.

Fixes: 40e8b52fe8c8 ("afs: Use the per-peer app data provided by rxrpc")
Cc: stable at kernel.org
Reported-by: Yuan Tan <yuantan098 at gmail.com>
Reported-by: Yifan Wu <yifanwucs at gmail.com>
Reported-by: Juefei Pu <tomapufckgml at gmail.com>
Reported-by: Xin Liu <bird at lzu.edu.cn>
Signed-off-by: Nan Li <tonanli66 at gmail.com>
Signed-off-by: Ren Wei <n05ec at lzu.edu.cn>
---
 fs/afs/cmservice.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
index 5540ae1cad59..263c60c811a5 100644
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -364,6 +364,11 @@ static int afs_deliver_cb_init_call_back_state3(struct afs_call *call)
 	if (!afs_check_call_state(call, AFS_CALL_SV_REPLYING))
 		return afs_io_error(call, afs_io_error_cm_reply);
 
+	if (!call->server) {
+		trace_afs_cm_no_server_u(call, call->request);
+		return 0;
+	}
+
 	if (memcmp(call->request, &call->server->_uuid, sizeof(call->server->_uuid)) != 0) {
 		pr_notice("Callback UUID does not match fileserver UUID\n");
 		trace_afs_cm_no_server_u(call, call->request);
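Review bot: the new early return in afs_deliver_cb_init_call_back_state3 drops the request with only a tracepoint, while the UUID-mismatch branch directly below it emits a pr_notice before the same trace; either give the no-server case a matching (rate-limited) notice so operators can see unmatched callbacks being discarded, or say in the commit message why this path is deliberately silent. The hunk's trailing context is cut before the mismatch branch's return, so also confirm that `return 0;` here leads to the same reply/abort outcome as that branch, otherwise the two "ignore" paths the description equates will behave differently toward the peer.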
-- 
2.43.0
