Commit 0a77715d authored by Namjae Jeon's avatar Namjae Jeon

ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create



There is a race condition between ksmbd_smb2_session_create and
ksmbd_expire_session. This patch adds the missing sessions_table_lock
while adding/deleting a session from the global session table.

Cc: stable@vger.kernel.org # v5.15+
Reported-by: default avatarNorbert Szetei <norbert@doyensec.com>
Tested-by: default avatarNorbert Szetei <norbert@doyensec.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 3abab905
+3 −1
@@ -178,6 +178,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
	unsigned long id;
	struct ksmbd_session *sess;

	down_write(&sessions_table_lock);
	down_write(&conn->session_lock);
	xa_for_each(&conn->sessions, id, sess) {
		if (atomic_read(&sess->refcnt) == 0 &&
@@ -191,6 +192,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
		}
	}
	up_write(&conn->session_lock);
	up_write(&sessions_table_lock);
}

int ksmbd_session_register(struct ksmbd_conn *conn,
@@ -232,7 +234,6 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
			}
		}
	}
	up_write(&sessions_table_lock);

	down_write(&conn->session_lock);
	xa_for_each(&conn->sessions, id, sess) {
@@ -252,6 +253,7 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
		}
	}
	up_write(&conn->session_lock);
	up_write(&sessions_table_lock);
}

struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
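Review bot: The lock nesting these hunks establish — `down_write(&sessions_table_lock)` before `down_write(&conn->session_lock)` in ksmbd_expire_session, and in ksmbd_sessions_deregister the `down_write(&conn->session_lock)` now running under the sessions_table_lock that the removed `up_write` used to release — is documented nowhere in the patch, and any other path that nests the two in the opposite order would deadlock. I'd add a comment at the definition of sessions_table_lock, which is outside this diff, along the lines of `/* Lock order: sessions_table_lock, then conn->session_lock. Hold sessions_table_lock across session removal so a concurrent lookup of the global table (e.g. ksmbd_smb2_session_create) cannot obtain a session that is about to be freed. */`, matching the race the commit message describes. In ksmbd_sessions_deregister the write lock is now held for the entire walk of conn->sessions; that function's body begins before the hunk, so I could not confirm there is no early return between its two loops that would leave sessions_table_lock held. ksmbd_expire_session's body also starts outside its hunk, and ksmbd_session_lookup on the last line continues beyond it.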