smb: client: fix potential UAF in cifs_stats_proc_show()

commit 0865ffefea197b437ba78b5dd8d8e256253efd65 upstream.

Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ cifs_debug.c was moved from fs/cifs to fs/smb/client since
  38c8a9a52082 ("smb: move client and server files to common directory fs/smb").
  The cifs_ses_exiting() was introduced to cifs_debug.c since
  ca545b7f0823 ("smb: client: fix potential UAF in cifs_debug_files_proc_show()")
  which has been sent to upstream already. ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index e98755968bba51c6fffacc0a5c705752e2750c07..11d0eaa603cade0e54159832135e4dc7868a6ed8 100644 (file)
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -595,6 +595,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
                list_for_each(tmp2, &server->smb_ses_list) {
                        ses = list_entry(tmp2, struct cifs_ses,
                                         smb_ses_list);
+                       if (cifs_ses_exiting(ses))
+                               continue;
                        list_for_each(tmp3, &ses->tcon_list) {
                                tcon = list_entry(tmp3,
                                                  struct cifs_tcon,