5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Mar 2025 14:08:33 +0000 (07:08 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Mar 2025 14:08:33 +0000 (07:08 -0700)
added patches:
smb-client-fix-match_session-bug-preventing-session-reuse.patch
smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch

queue-5.15/series
queue-5.15/smb-client-fix-match_session-bug-preventing-session-reuse.patch [new file with mode: 0644]
queue-5.15/smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch [new file with mode: 0644]

index 242906e647ad3748306e50f7a7b38e3396173408..ab8d2bca0595f2256f02d9df0bc072c6cf89e061 100644 (file)
@@ -74,3 +74,5 @@ i2c-ali15x3-fix-an-error-handling-path-in-ali15x3_pr.patch
 i2c-sis630-fix-an-error-handling-path-in-sis630_prob.patch
 drm-amd-display-check-for-invalid-input-params-when-.patch
 drm-amd-display-fix-null-check-for-pipe_ctx-plane_st.patch
+smb-client-fix-match_session-bug-preventing-session-reuse.patch
+smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch
diff --git a/queue-5.15/smb-client-fix-match_session-bug-preventing-session-reuse.patch b/queue-5.15/smb-client-fix-match_session-bug-preventing-session-reuse.patch
new file mode 100644 (file)
index 0000000..3cc2c99
--- /dev/null
@@ -0,0 +1,66 @@
+From 605b249ea96770ac4fac4b8510a99e0f8442be5e Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Tue, 11 Mar 2025 15:23:59 -0300
+Subject: smb: client: Fix match_session bug preventing session reuse
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit 605b249ea96770ac4fac4b8510a99e0f8442be5e upstream.
+
+Fix a bug in match_session() that can causes the session to not be
+reused in some cases.
+
+Reproduction steps:
+
+mount.cifs //server/share /mnt/a -o credentials=creds
+mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
+cat /proc/fs/cifs/DebugData | grep SessionId | wc -l
+
+mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp
+mount.cifs //server/share /mnt/a -o credentials=creds
+cat /proc/fs/cifs/DebugData | grep SessionId | wc -l
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1582,9 +1582,8 @@ out_err:
+ static int match_session(struct cifs_ses *ses, struct smb3_fs_context *ctx)
+ {
+-      if (ctx->sectype != Unspecified &&
+-          ctx->sectype != ses->sectype)
+-              return 0;
++      struct TCP_Server_Info *server = ses->server;
++      enum securityEnum ctx_sec, ses_sec;
+       /*
+        * If an existing session is limited to less channels than
+@@ -1597,11 +1596,19 @@ static int match_session(struct cifs_ses
+       }
+       spin_unlock(&ses->chan_lock);
+-      switch (ses->sectype) {
++      ctx_sec = server->ops->select_sectype(server, ctx->sectype);
++      ses_sec = server->ops->select_sectype(server, ses->sectype);
++
++      if (ctx_sec != ses_sec)
++              return 0;
++
++      switch (ctx_sec) {
+       case Kerberos:
+               if (!uid_eq(ctx->cred_uid, ses->cred_uid))
+                       return 0;
+               break;
++      case NTLMv2:
++      case RawNTLMSSP:
+       default:
+               /* NULL username means anonymous session */
+               if (ses->user_name == NULL) {
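Review bot: The two new calls in match_session() go through `server->ops->select_sectype` with no check that the callback is set. The 5.15 ops tables are not visible in this patch, so confirm before queuing that every `smb_version_operations` in this tree fills it in. The comparison now uses the resolved values, which presumably is what lets an `Unspecified` request match a session established with an explicit `sec=`; a short comment above the calls would record that, e.g. `/* compare the mechanisms actually selected, not the raw mount options */`. The explicit `case NTLMv2:` and `case RawNTLMSSP:` labels share the `default:` body, so any other value select_sectype() returns still takes the username/password comparison. The function body continues past the end of the hunk.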
diff --git a/queue-5.15/smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch b/queue-5.15/smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch
new file mode 100644 (file)
index 0000000..3706d7c
--- /dev/null
@@ -0,0 +1,52 @@
+From ca545b7f0823f19db0f1148d59bc5e1a56634502 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Tue, 2 Apr 2024 16:33:53 -0300
+Subject: smb: client: fix potential UAF in cifs_debug_files_proc_show()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream.
+
+Skip sessions that are being teared down (status == SES_EXITING) to
+avoid UAF.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ This patch removes lock/unlock operation in routine cifs_ses_exiting()
+  for ses_lock is not present in v5.15 and not ported yet. ses->status
+  is protected by a global lock, cifs_tcp_ses_lock, in v5.15. ]
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_debug.c |    2 ++
+ fs/cifs/cifsglob.h   |    8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -183,6 +183,8 @@ static int cifs_debug_files_proc_show(st
+       list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
+               list_for_each(tmp, &server->smb_ses_list) {
+                       ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
++                      if (cifs_ses_exiting(ses))
++                              continue;
+                       list_for_each(tmp1, &ses->tcon_list) {
+                               tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
+                               spin_lock(&tcon->open_file_lock);
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -2041,4 +2041,12 @@ static inline struct scatterlist *cifs_s
+       return sg;
+ }
++static inline bool cifs_ses_exiting(struct cifs_ses *ses)
++{
++      bool ret;
++
++      ret = ses->status == CifsExiting;
++      return ret;
++}
++
+ #endif        /* _CIFS_GLOB_H */
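Review bot: cifs_ses_exiting() in cifsglob.h reads `ses->status` with no locking of its own, and the backport note says the field is protected by cifs_tcp_ses_lock in v5.15, yet nothing on the helper states that requirement. Since this is a `static inline` in a shared header, later callers can use it without the lock and reintroduce the race the check is meant to close; add `/* Caller must hold cifs_tcp_ses_lock. */` above it, or `lockdep_assert_held(&cifs_tcp_ses_lock);` as the first statement. Whether cifs_debug_files_proc_show() holds that lock at the new call site cannot be seen here because the function starts outside the hunk. With the lock/unlock removed, the `ret` temporary is no longer needed and the body can be `return ses->status == CifsExiting;`.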