From 915b17c887b9e1b25d0c6ec2550a93454e123a20 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 19 Mar 2025 07:08:52 -0700
Subject: [PATCH] 6.1-stable patches

added patches:
smb-client-fix-potential-uaf-in-cifs_dump_full_key.patch
---
 queue-6.1/series | 1 +
 ...-potential-uaf-in-cifs_dump_full_key.patch | 47 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 queue-6.1/smb-client-fix-potential-uaf-in-cifs_dump_full_key.patch

diff --git a/queue-6.1/series b/queue-6.1/series
index a6d415efd8..f13b43a4f8 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -145,3 +145,4 @@ smb3-add-support-for-iakerb.patch
 smb-client-fix-match_session-bug-preventing-session-.patch
 hid-apple-disable-fn-key-handling-on-the-omoton-kb066.patch
 nvme-tcp-fix-a-c2htermreq-error-message.patch
+smb-client-fix-potential-uaf-in-cifs_dump_full_key.patch
diff --git a/queue-6.1/smb-client-fix-potential-uaf-in-cifs_dump_full_key.patch b/queue-6.1/smb-client-fix-potential-uaf-in-cifs_dump_full_key.patch
new file mode 100644
index 0000000000..2d7de0a306
--- /dev/null
+++ b/queue-6.1/smb-client-fix-potential-uaf-in-cifs_dump_full_key.patch
@@ -0,0 +1,47 @@
+From 58acd1f497162e7d282077f816faa519487be045 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Tue, 2 Apr 2024 16:33:54 -0300
+Subject: smb: client: fix potential UAF in cifs_dump_full_key()
+
+From: Paulo Alcantara
+
+commit 58acd1f497162e7d282077f816faa519487be045 upstream.
+
+Skip sessions that are being teared down (status == SES_EXITING) to
+avoid UAF.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Steve French
+Signed-off-by: Jianqi Ren
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/ioctl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/ioctl.c
++++ b/fs/smb/client/ioctl.c
+@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cif
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
+ list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
+- if (ses_it->Suid == out.session_id) {
++ spin_lock(&ses_it->ses_lock);
++ if (ses_it->ses_status != SES_EXITING &&
++ ses_it->Suid == out.session_id) {
+ ses = ses_it;
+ /*
+ * since we are using the session outside the crit
+@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cif
+ * so increment its refcount
+ */
+ ses->ses_count++;
++ spin_unlock(&ses_it->ses_lock);
+ found = true;
+ goto search_end;
+ }
++ spin_unlock(&ses_it->ses_lock);
+ }
+ }
+ search_end:
-- 
2.47.3
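Review bot: The new `spin_lock(&ses_it->ses_lock)` / `spin_unlock(&ses_it->ses_lock)` pairing in the embedded ioctl.c hunk carries an invariant the code never states: the `ses_status != SES_EXITING` test and the `ses->ses_count++` on the matching session must both happen under `ses_lock`, otherwise a session already marked for teardown can be picked up and freed while the ioctl still uses it, which is the UAF the commit message describes. A one-line comment above the added lock, such as `/* status check and refcount bump must stay under ses_lock (see SES_EXITING) */`, would keep a later change from hoisting the increment out of the critical section or reordering it after the unlock. The unlock must appear on both the matching path (before `goto search_end`) and the non-matching path, which the hunk does, so the only thing missing is the rationale. cifs_dump_full_key() starts and ends outside the hunk; what happens with the taken reference after `search_end:` is not visible here.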