5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 8 Oct 2023 19:44:03 +0000 (21:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 8 Oct 2023 19:44:03 +0000 (21:44 +0200)
added patches:
ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch

queue-5.15/ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch b/queue-5.15/ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch
new file mode 100644 (file)
index 0000000..f0b55d6
--- /dev/null
@@ -0,0 +1,34 @@
+From c69813471a1ec081a0b9bf0c6bd7e8afd818afce Mon Sep 17 00:00:00 2001
+From: luosili <rootlab@huawei.com>
+Date: Wed, 4 Oct 2023 18:29:36 +0900
+Subject: ksmbd: fix uaf in smb20_oplock_break_ack
+
+From: luosili <rootlab@huawei.com>
+
+commit c69813471a1ec081a0b9bf0c6bd7e8afd818afce upstream.
+
+drop reference after use opinfo.
+
+Signed-off-by: luosili <rootlab@huawei.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -8058,10 +8058,10 @@ static void smb20_oplock_break_ack(struc
+               goto err_out;
+       }
+-      opinfo_put(opinfo);
+-      ksmbd_fd_put(work, fp);
+       opinfo->op_state = OPLOCK_STATE_NONE;
+       wake_up_interruptible_all(&opinfo->oplock_q);
++      opinfo_put(opinfo);
++      ksmbd_fd_put(work, fp);
+       rsp->StructureSize = cpu_to_le16(24);
+       rsp->OplockLevel = rsp_oplevel;
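Review bot: The relocated `opinfo_put(opinfo); ksmbd_fd_put(work, fp);` pair in smb20_oplock_break_ack has no comment explaining why it must come last, so a later cleanup could hoist the puts back above the `opinfo->op_state = OPLOCK_STATE_NONE;` write and the `wake_up_interruptible_all(&opinfo->oplock_q);` call and bring back the use-after-free named in the subject. I would add `/* last use of opinfo and fp: the puts below may drop the final references */` directly above `opinfo_put(opinfo);`. The changelog ("drop reference after use opinfo.") also does not say which access ran after the put or when the dropped reference could be the last one; a sentence on that, plus a `Fixes:` tag if the introducing commit is known, would help anyone auditing the other stable backports. The function body starts and ends outside the hunk, so the `err_out` path and any later use of `opinfo` or `fp` need to be checked against the full 5.15 file before relying on this ordering.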
index 1bfa7662279d6937d5491cf5ee9486d215858864..0205732d7a796d125799a5c1f7989e4e16fac8cd 100644 (file)
@@ -71,3 +71,4 @@ rdma-cma-fix-truncation-compilation-warning-in-make_cma_ports.patch
 rdma-uverbs-fix-typo-of-sizeof-argument.patch
 rdma-siw-fix-connection-failure-handling.patch
 rdma-mlx5-fix-null-string-error.patch
+ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch