--- /dev/null
+From 58acd1f497162e7d282077f816faa519487be045 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Tue, 2 Apr 2024 16:33:54 -0300
+Subject: smb: client: fix potential UAF in cifs_dump_full_key()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit 58acd1f497162e7d282077f816faa519487be045 upstream.
+
+Skip sessions that are being teared down (status == SES_EXITING) to
+avoid UAF.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/ioctl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/ioctl.c
++++ b/fs/smb/client/ioctl.c
+@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cif
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
+ list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
+- if (ses_it->Suid == out.session_id) {
++ spin_lock(&ses_it->ses_lock);
++ if (ses_it->ses_status != SES_EXITING &&
++ ses_it->Suid == out.session_id) {
+ ses = ses_it;
+ /*
+ * since we are using the session outside the crit
+@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cif
+ * so increment its refcount
+ */
+ ses->ses_count++;
++ spin_unlock(&ses_it->ses_lock);
+ found = true;
+ goto search_end;
+ }
++ spin_unlock(&ses_it->ses_lock);
+ }
+ }
+ search_end:
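Review bot: The fix is only safe if two things hold that neither hunk shows: the teardown path must set `ses_status = SES_EXITING` while holding `ses_lock`, and `ses_count` must be safe to modify under the locks taken here (`cifs_tcp_ses_lock` with `ses_lock` nested inside it). Because this is a stable backport, both should be confirmed against the target tree's session put/teardown code rather than assumed to match upstream. The existing comment above `ses->ses_count++` explains only the refcount, so I would add a comment beside the status check in the first hunk, for example `/* skip SES_EXITING sessions: they are being torn down and must not gain a new reference */`. The body of cifs_dump_full_key() starts and ends outside both hunks, so the matching put and the use of `ses` after `search_end:` are not reviewed here.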