From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 09:45:38 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.135~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4a45f07ca43e6d37b50a0c06ece7526820bc0899;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 1795fe7d90..8c0cd3a011 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -156,3 +156,4 @@ wifi-ath10k-avoid-null-pointer-error-during-sdio-remove.patch
 drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch
 drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
 nvmet-fc-remove-unused-functions.patch
+smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch
diff --git a/queue-5.10/smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch b/queue-5.10/smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch
new file mode 100644
index 0000000000..5fa70e0c85
--- /dev/null
+++ b/queue-5.10/smb-client-fix-potential-uaf-in-cifs_debug_files_proc_show.patch
@@ -0,0 +1,52 @@
+From ca545b7f0823f19db0f1148d59bc5e1a56634502 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Tue, 2 Apr 2024 16:33:53 -0300
+Subject: smb: client: fix potential UAF in cifs_debug_files_proc_show()
+
+From: Paulo Alcantara
+
+commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream.
+
+Skip sessions that are being teared down (status == SES_EXITING) to
+avoid UAF.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Steve French
+[ This patch removes lock/unlock operation in routine cifs_ses_exiting()
+ for ses_lock is not present in v5.10 and not ported yet. ses->status
+ is protected by a global lock, cifs_tcp_ses_lock, in v5.10. ]
+Signed-off-by: Jianqi Ren
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifs_debug.c | 2 ++
+ fs/cifs/cifsglob.h | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -183,6 +183,8 @@ static int cifs_debug_files_proc_show(st
+ tcp_ses_list);
+ list_for_each(tmp, &server->smb_ses_list) {
+ ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
++ if (cifs_ses_exiting(ses))
++ continue;
+ list_for_each(tmp1, &ses->tcon_list) {
+ tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
+ spin_lock(&tcon->open_file_lock);
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -2115,4 +2115,12 @@ static inline struct scatterlist *cifs_s
+ return sg;
+ }
+
++static inline bool cifs_ses_exiting(struct cifs_ses *ses)
++{
++ bool ret;
++
++ ret = ses->status == CifsExiting;
++ return ret;
++}
++
+ #endif /* _CIFS_GLOB_H */
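Review bot: The new `cifs_ses_exiting()` helper in fs/cifs/cifsglob.h reads `ses->status` with no locking, and nothing in the code records that callers must hold `cifs_tcp_ses_lock`; that requirement appears only in the bracketed backport note. Because this check is what keeps `cifs_debug_files_proc_show()` away from a session that is being torn down, a later caller that omits the lock would reopen the use-after-free window. I would add `/* Caller must hold cifs_tcp_ses_lock, which protects ses->status on 5.10. */` above the helper and consider `lockdep_assert_held(&cifs_tcp_ses_lock);` as its first statement. Whether the loop in `cifs_debug_files_proc_show()` already runs under that lock cannot be seen here, since the quoted hunk starts mid-function. With the lock/unlock pair removed, the `ret` temporary is a leftover and the body can be `return ses->status == CifsExiting;`.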