mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-07 13:43:51 +00:00
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert@doyensec.com> Tested-by: Norbert Szetei <norbert@doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
3abab905b1
commit
0a77715db2
@ -178,6 +178,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
|
|||||||
unsigned long id;
|
unsigned long id;
|
||||||
struct ksmbd_session *sess;
|
struct ksmbd_session *sess;
|
||||||
|
|
||||||
|
down_write(&sessions_table_lock);
|
||||||
down_write(&conn->session_lock);
|
down_write(&conn->session_lock);
|
||||||
xa_for_each(&conn->sessions, id, sess) {
|
xa_for_each(&conn->sessions, id, sess) {
|
||||||
if (atomic_read(&sess->refcnt) == 0 &&
|
if (atomic_read(&sess->refcnt) == 0 &&
|
||||||
@ -191,6 +192,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
up_write(&conn->session_lock);
|
up_write(&conn->session_lock);
|
||||||
|
up_write(&sessions_table_lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
int ksmbd_session_register(struct ksmbd_conn *conn,
|
int ksmbd_session_register(struct ksmbd_conn *conn,
|
||||||
@ -232,7 +234,6 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
up_write(&sessions_table_lock);
|
|
||||||
|
|
||||||
down_write(&conn->session_lock);
|
down_write(&conn->session_lock);
|
||||||
xa_for_each(&conn->sessions, id, sess) {
|
xa_for_each(&conn->sessions, id, sess) {
|
||||||
@ -252,6 +253,7 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
up_write(&conn->session_lock);
|
up_write(&conn->session_lock);
|
||||||
|
up_write(&sessions_table_lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
|
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
|
||||||
|
Loading…
Reference in New Issue
Block a user