git.ipfire.org Git - thirdparty/kernel/stable.git/commit
ksmbd: fix race condition between session lookup and expire
author Namjae Jeon <linkinjeon@kernel.org>
Mon, 18 Dec 2023 15:34:31 +0000 (00:34 +0900)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 Dec 2023 09:41:58 +0000 (10:41 +0100)
commit c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f
tree 54a516b5ff98ad68a8fc48f7e059b729e454f8fd
parent b9a3e4549676857bf4b1b5f92200fbb1740dfa2e
ksmbd: fix race condition between session lookup and expire

[ Upstream commit 53ff5cf89142b978b1a5ca8dc4d4425e6a09745f ]

 Thread A                        +  Thread B
 ksmbd_session_lookup            |  smb2_sess_setup
   sess = xa_load                |
                                 |
                                 |    xa_erase(&conn->sessions, sess->id);
                                 |
                                 |    ksmbd_session_destroy(sess) --> kfree(sess)
                                 |
   // UAF!                       |
   sess->last_active = jiffies   |
                                 +

This patch adds rwsem to fix race condition between ksmbd_session_lookup
and ksmbd_expire_session.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/ksmbd/connection.c
fs/ksmbd/connection.h
fs/ksmbd/mgmt/user_session.c