git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Mon, 18 Dec 2023 15:34:32 +0000 (00:34 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 23 Dec 2023 09:41:58 +0000 (10:41 +0100)
commit	f99d5d1d2a255c517ffe2ffab8bc7563c651aafb
tree	7e3b76dcdfe9a123b309e065f2c29299b70ffdf9	tree
parent	c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f	commit \| diff

ksmbd: fix race condition with fp

[ Upstream commit 5a7ee91d1154f35418367a6eaae74046fd06ed89 ]

fp can used in each command. If smb2_close command is coming at the
same time, UAF issue can happen by race condition.

                           Time
                            +
Thread A                    | Thread B1 B2 .... B5
smb2_open                   | smb2_close
                            |
__open_id                  |
   insert fp to file_table  |
                            |
                            |   atomic_dec_and_test(&fp->refcount)
                            |   if fp->refcount == 0, free fp by kfree.
// UAF!                    |
use fp                     |
                            +
This patch add f_state not to use freed fp is used and not to free fp in
use.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/ksmbd/smb2pdu.c		diff \| blob \| blame \| history
fs/ksmbd/vfs_cache.c		diff \| blob \| blame \| history
fs/ksmbd/vfs_cache.h		diff \| blob \| blame \| history