git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Sun, 31 Dec 2023 07:13:07 +0000 (16:13 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 5 Jan 2024 14:18:33 +0000 (15:18 +0100)
commit	7b58ee8d0b91359554cf219cd4f33872ea2afd66
tree	fe36b5bbe9a8a6e3ce76ff6f0196f892ed8e8cb8	tree \| snapshot
parent	0090f0bfc2256ce25054cba1096d71fd0b143c1d	commit \| diff

ksmbd: fix race condition between tree conn lookup and disconnect

[ Upstream commit 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e ]

if thread A in smb2_write is using work-tcon, other thread B use
smb2_tree_disconnect free the tcon, then thread A will use free'd tcon.

                            Time
                             +
Thread A                    | Thread A
smb2_write                  | smb2_tree_disconnect
                             |
                             |
                             |   kfree(tree_conn)
                             |
  // UAF!                    |
  work->tcon->share_conf     |
                             +

This patch add state, reference count and lock for tree conn to fix race
condition issue.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/smb/server/mgmt/tree_connect.c		diff \| blob \| blame \| history
fs/smb/server/mgmt/tree_connect.h		diff \| blob \| blame \| history
fs/smb/server/mgmt/user_session.c		diff \| blob \| blame \| history
fs/smb/server/mgmt/user_session.h		diff \| blob \| blame \| history
fs/smb/server/server.c		diff \| blob \| blame \| history
fs/smb/server/smb2pdu.c		diff \| blob \| blame \| history