+++ /dev/null
-From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
-From: Sean Heelan <seanheelan@gmail.com>
-Date: Tue, 6 May 2025 22:04:52 +0900
-Subject: ksmbd: Fix UAF in __close_file_table_ids
-
-From: Sean Heelan <seanheelan@gmail.com>
-
-commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
-
-A use-after-free is possible if one thread destroys the file
-via __ksmbd_close_fd while another thread holds a reference to
-it. The existing checks on fp->refcount are not sufficient to
-prevent this.
-
-The fix takes ft->lock around the section which removes the
-file from the file table. This prevents two threads acquiring the
-same file pointer via __close_file_table_ids, as well as the other
-functions which retrieve a file from the IDR and which already use
-this same lock.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Heelan <seanheelan@gmail.com>
-Acked-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
- 1 file changed, 26 insertions(+), 7 deletions(-)
-
---- a/fs/smb/server/vfs_cache.c
-+++ b/fs/smb/server/vfs_cache.c
-@@ -620,21 +620,40 @@ __close_file_table_ids(struct ksmbd_file
- bool (*skip)(struct ksmbd_tree_connect *tcon,
- struct ksmbd_file *fp))
- {
-- unsigned int id;
-- struct ksmbd_file *fp;
-- int num = 0;
-+ struct ksmbd_file *fp;
-+ unsigned int id = 0;
-+ int num = 0;
-
-- idr_for_each_entry(ft->idr, fp, id) {
-- if (skip(tcon, fp))
-+ while (1) {
-+ write_lock(&ft->lock);
-+ fp = idr_get_next(ft->idr, &id);
-+ if (!fp) {
-+ write_unlock(&ft->lock);
-+ break;
-+ }
-+
-+ if (skip(tcon, fp) ||
-+ !atomic_dec_and_test(&fp->refcount)) {
-+ id++;
-+ write_unlock(&ft->lock);
- continue;
-+ }
-
- set_close_state_blocked_works(fp);
-+ idr_remove(ft->idr, fp->volatile_id);
-+ fp->volatile_id = KSMBD_NO_FID;
-+ write_unlock(&ft->lock);
-+
-+ down_write(&fp->f_ci->m_lock);
-+ list_del_init(&fp->node);
-+ up_write(&fp->f_ci->m_lock);
-
-- if (!atomic_dec_and_test(&fp->refcount))
-- continue;
- __ksmbd_close_fd(ft, fp);
-+
- num++;
-+ id++;
- }
-+
- return num;
- }
-
+++ /dev/null
-From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001
-From: Cristian Marussi <cristian.marussi@arm.com>
-Date: Mon, 10 Mar 2025 17:58:00 +0000
-Subject: firmware: arm_scmi: Fix timeout checks on polling path
-
-From: Cristian Marussi <cristian.marussi@arm.com>
-
-commit c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee upstream.
-
-Polling mode transactions wait for a reply busy-looping without holding a
-spinlock, but currently the timeout checks are based only on elapsed time:
-as a result we could hit a false positive whenever our busy-looping thread
-is pre-empted and scheduled out for a time greater than the polling
-timeout.
-
-Change the checks at the end of the busy-loop to make sure that the polling
-wasn't indeed successful or an out-of-order reply caused the polling to be
-forcibly terminated.
-
-Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag")
-Reported-by: Huangjie <huangjie1663@phytium.com.cn>
-Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmail.com/
-Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
-Cc: stable@vger.kernel.org # 5.18.x
-Message-Id: <20250310175800.1444293-1-cristian.marussi@arm.com>
-Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/firmware/arm_scmi/driver.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
---- a/drivers/firmware/arm_scmi/driver.c
-+++ b/drivers/firmware/arm_scmi/driver.c
-@@ -1017,7 +1017,8 @@ static void xfer_put(const struct scmi_p
- }
-
- static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo,
-- struct scmi_xfer *xfer, ktime_t stop)
-+ struct scmi_xfer *xfer, ktime_t stop,
-+ bool *ooo)
- {
- struct scmi_info *info = handle_to_scmi_info(cinfo->handle);
-
-@@ -1026,7 +1027,7 @@ static bool scmi_xfer_done_no_timeout(st
- * in case of out-of-order receptions of delayed responses
- */
- return info->desc->ops->poll_done(cinfo, xfer) ||
-- try_wait_for_completion(&xfer->done) ||
-+ (*ooo = try_wait_for_completion(&xfer->done)) ||
- ktime_after(ktime_get(), stop);
- }
-
-@@ -1042,15 +1043,17 @@ static int scmi_wait_for_reply(struct de
- * itself to support synchronous commands replies.
- */
- if (!desc->sync_cmds_completed_on_ret) {
-+ bool ooo = false;
-+
- /*
- * Poll on xfer using transport provided .poll_done();
- * assumes no completion interrupt was available.
- */
- ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms);
-
-- spin_until_cond(scmi_xfer_done_no_timeout(cinfo,
-- xfer, stop));
-- if (ktime_after(ktime_get(), stop)) {
-+ spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer,
-+ stop, &ooo));
-+ if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) {
- dev_err(dev,
- "timed out in resp(caller: %pS) - polling\n",
- (void *)_RET_IP_);
projects / thirdparty / kernel / stable-queue.git / commitdiff
