cifs: fix lease break oops in xfstest generic/098

bmastbergen · bmastbergen · commit f34ffb6c27c0 · 2025-10-21T11:01:23.000-04:00
jira VULN-131073 cve-pre CVE-2025-38527 commit-author Steve French <stfrench@microsoft.com> commit c774e67 umount can race with lease break so need to check if tcon->ses->server is still valid to send the lease break response. Reviewed-by: Bharath SM <bharathsm@microsoft.com> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> Fixes: 59a556a ("SMB3: drop reference to cfile before sending oplock break") Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit c774e67) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
@@ -5112,9 +5112,13 @@ void cifs_oplock_break(struct work_struct *work)
 	 * disconnected since oplock already released by the server
 	 */
 	if (!oplock_break_cancelled) {
-		rc = tcon->ses->server->ops->oplock_response(tcon, persistent_fid,
+		/* check for server null since can race with kill_sb calling tree disconnect */
+		if (tcon->ses && tcon->ses->server) {
+			rc = tcon->ses->server->ops->oplock_response(tcon, persistent_fid,
 				volatile_fid, net_fid, cinode);
-		cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
+			cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
+		} else
+			pr_warn_once("lease break not sent for unmounted share\n");
 	}
 
 	cifs_done_oplock_break(cinode);
