From ceb9a292f5c7b05a170cf425b0c5699630eba557 Mon Sep 17 00:00:00 2001 From: Marios Makassikis Date: Thu, 6 May 2021 11:41:54 +0900 Subject: [PATCH] cifsd: Fix potential null-ptr-deref in destroy_previous_session() The user field in the session structure is allocated when the client is authenticated. If the client explicitly logs off, the user field is freed, but the session is kept around in case the user reconnects. If the TCP connection hasn't been closed and the client sends a session setup with a PreviousSessionId set, destroy_previous_session() will be called to check if the session needs to be cleaned up. Signed-off-by: Marios Makassikis Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- fs/cifsd/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c index 54df9a30bd232..ebae992f88a06 100644 --- a/fs/cifsd/smb2pdu.c +++ b/fs/cifsd/smb2pdu.c @@ -619,7 +619,8 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id) prev_user = prev_sess->user; - if (strcmp(user->name, prev_user->name) || + if (!prev_user || + strcmp(user->name, prev_user->name) || user->passkey_sz != prev_user->passkey_sz || memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) { put_session(prev_sess); -- 2.39.5
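Review bot: the new `!prev_user ||` clause relies on short-circuit evaluation to skip `prev_user->name` and `prev_user->passkey` when the user was freed on logoff, which is correct, but the visible fallthrough means a previous session with a NULL user is handled exactly like a credential mismatch: `put_session(prev_sess)` drops the reference and the old session is left in place rather than destroyed. Since the commit message only says the session "needs to be cleaned up" and never states that a logged-off session is deliberately kept, please spell that out in the message (for example "a session whose user has been freed cannot be matched against the new credentials, so it is left untouched") so a later reader does not mistake it for a missed cleanup. Minor, pre-existing rather than introduced here: the `strcmp`/`memcmp` comparison of `passkey` is not constant-time; if that is a concern for this code path it deserves a separate follow-up patch rather than being folded into this fix.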