git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Wed, 4 Oct 2023 09:31:03 +0000 (18:31 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 10 Oct 2023 20:03:06 +0000 (22:03 +0200)
commit	4e2d581535c3fabe181bfb462ff893007e043eaa
tree	a07239a0c8c4445e03845e812a234639cc1b78c7	tree \| snapshot
parent	d5b0e9d3563e7e314a850e81f42b2ef6f39882f9	commit \| diff

ksmbd: fix race condition from parallel smb2 lock requests

commit 75ac9a3dd65f7eab4d12b0a0f744234b5300a491 upstream.

There is a race condition issue between parallel smb2 lock request.

                                            Time
                                             +
Thread A                                     | Thread A
smb2_lock                                    | smb2_lock
                                             |
insert smb_lock to lock_list                |
spin_unlock(&work->conn->llist_lock)        |
                                             |
                                             |   spin_lock(&conn->llist_lock);
                                             |   kfree(cmp_lock);
                                             |
// UAF!                                     |
list_add(&smb_lock->llist, &rollback_list)  +

This patch swaps the line for adding the smb lock to the rollback list and
adding the lock list of connection to fix the race issue.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>