git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Mon, 18 Dec 2023 15:33:51 +0000 (00:33 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 23 Dec 2023 09:41:55 +0000 (10:41 +0100)
commit	ae06b798f72d6cc792cfa1745490be65da90eb03
tree	51b18719025035b66d84d2e74f0443d92466fa45	tree
parent	dff87902d96082e6e271385b14adda8f65fc3e03	commit \| diff

ksmbd: fix racy issue from smb2 close and logoff with multichannel

[ Upstream commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19 ]

When smb client send concurrent smb2 close and logoff request
with multichannel connection, It can cause racy issue. logoff request
free tcon and can cause UAF issues in smb2 close. When receiving logoff
request with multichannel, ksmbd should wait until all remaning requests
complete as well as ones in the current connection, and then make
session expired.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20796 ZDI-CAN-20595
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/ksmbd/connection.c		diff \| blob \| blame \| history
fs/ksmbd/connection.h		diff \| blob \| blame \| history
fs/ksmbd/mgmt/tree_connect.c		diff \| blob \| blame \| history
fs/ksmbd/mgmt/user_session.c		diff \| blob \| blame \| history
fs/ksmbd/smb2pdu.c		diff \| blob \| blame \| history