* [PATCH 1/4] smb: client: fix potential UAF in cifs_debug_files_proc_show()
2025-08-11 9:46 [PATCH 0/4] smb: Backport UAF fixes for v5.4.y Chanho Min
@ 2025-08-11 9:46 ` Chanho Min
2025-08-11 9:46 ` [PATCH 2/4] smb: client: fix potential UAF in is_valid_oplock_break() Chanho Min
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Chanho Min @ 2025-08-11 9:46 UTC (permalink / raw)
To: Steve French, linux-cifs
Cc: samba-technical, linux-kernel, gunho.lee, gregkh, sashal,
Paulo Alcantara, stable, Steve French, Jianqi Ren, He Zhe,
Chanho Min
From: Paulo Alcantara <pc@manguebit.com>
commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream.
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ This patch removes lock/unlock operation in routine cifs_ses_exiting()
for ses_lock is not present in v5.10 and not ported yet. ses->status
is protected by a global lock, cifs_tcp_ses_lock, in v5.10. ]
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
[ chanho: Backport to v5.4.y from v5.10.y's commit 8f8718afd44 ]
Signed-off-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifs_debug.c | 2 ++
fs/cifs/cifsglob.h | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index efb2928ff6c89..df3dfa611c352 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -162,6 +162,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v)
tcp_ses_list);
list_for_each(tmp, &server->smb_ses_list) {
ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp1, &ses->tcon_list) {
tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
spin_lock(&tcon->open_file_lock);
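Review bot: the new cifs_ses_exiting(ses) test at the top of the list_for_each(tmp, &server->smb_ses_list) loop reads ses->status, but no lock acquisition is visible in this hunk's context; the only lock shown is tcon->open_file_lock, taken later. The backport note above says ses->status is protected by cifs_tcp_ses_lock in v5.10, so please confirm that cifs_debug_files_proc_show() holds cifs_tcp_ses_lock across this walk in v5.4.y and say so in the changelog. Without it the test can pass and the session can still be torn down before the tcon_list walk that follows.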
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 253321adc2664..5f545a240afa6 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -2027,4 +2027,12 @@ static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg,
return sg;
}
+static inline bool cifs_ses_exiting(struct cifs_ses *ses)
+{
+ bool ret;
+
+ ret = ses->status == CifsExiting;
+ return ret;
+}
+
#endif /* _CIFS_GLOB_H */
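Review bot: cifs_ses_exiting() carries no comment stating its locking requirement, and the bool ret temporary no longer serves a purpose. The backport note says the lock/unlock pair was removed from this routine, which leaves a plain read that could be written as return ses->status == CifsExiting; and a one-line comment that callers must hold cifs_tcp_ses_lock would record the rule the note relies on. The changelog also says status == SES_EXITING while the code tests CifsExiting; a word in the backport note about the different name would help readers.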
* [PATCH 2/4] smb: client: fix potential UAF in is_valid_oplock_break()
From: Chanho Min @ 2025-08-11 9:46 UTC (permalink / raw)
To: Steve French, linux-cifs
Cc: samba-technical, linux-kernel, gunho.lee, gregkh, sashal,
Paulo Alcantara, stable, Steve French, Chanho Min
From: Paulo Alcantara <pc@manguebit.com>
commit 69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29 upstream.
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ chanho: Backported to v5.4.y, misc.c was moved from fs/cifs to fs/smb/client ]
Signed-off-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/misc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index db1fcdedf289a..4d838d7db7b57 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -473,6 +473,8 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
spin_lock(&cifs_tcp_ses_lock);
list_for_each(tmp, &srv->smb_ses_list) {
ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp1, &ses->tcon_list) {
tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
if (tcon->tid != buf->Tid)
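Review bot: the check added after list_entry() in is_valid_oplock_break() calls cifs_ses_exiting(), which this series defines only in patch 1/4 (fs/cifs/cifsglob.h), so this patch does not build if applied without 1/4. Please state that dependency in the changelog. The placement itself looks right: the context shows spin_lock(&cifs_tcp_ses_lock) taken before the walk, and ses is assigned before it is tested.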
* [PATCH 3/4] smb: client: fix potential UAF in smb2_is_valid_lease_break()
From: Chanho Min @ 2025-08-11 9:46 UTC (permalink / raw)
To: Steve French, linux-cifs
Cc: samba-technical, linux-kernel, gunho.lee, gregkh, sashal,
Paulo Alcantara, stable, Chanho Min, Steve French
From: Paulo Alcantara <pc@manguebit.com>
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
[ chanho: Backported to v5.4.y, smb2misc.c was moved from fs/cifs to fs/smb/client ]
Signed-off-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/cifs/smb2misc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index d7cbf1b07126c..c47927d257635 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -611,7 +611,8 @@ smb2_is_valid_lease_break(char *buffer)
list_for_each(tmp1, &server->smb_ses_list) {
ses = list_entry(tmp1, struct cifs_ses, smb_ses_list);
-
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp2, &ses->tcon_list) {
tcon = list_entry(tmp2, struct cifs_tcon,
tcon_list);
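Review bot: the changelog for this patch has no "commit ... upstream." line, unlike 1/4, 2/4 and 4/4, so the check added after list_entry() in smb2_is_valid_lease_break() cannot be traced back to its upstream commit. Please add the line before resending.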
* [PATCH 4/4] smb: client: fix potential UAF in cifs_stats_proc_write()
From: Chanho Min @ 2025-08-11 9:46 UTC (permalink / raw)
To: Steve French, linux-cifs
Cc: samba-technical, linux-kernel, gunho.lee, gregkh, sashal,
Paulo Alcantara, stable, Steve French, Chanho Min
From: Paulo Alcantara <pc@manguebit.com>
commit d3da25c5ac84430f89875ca7485a3828150a7e0a upstream.
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ chanho: Backported to v5.4.y, cifs_debug.c was moved from fs/cifs to fs/smb/client ]
Signed-off-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifs_debug.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index df3dfa611c352..47190e676aa25 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -470,6 +470,8 @@ static ssize_t cifs_stats_proc_write(struct file *file,
}
#endif /* CONFIG_CIFS_STATS2 */
list_for_each(tmp2, &server->smb_ses_list) {
+ if (cifs_ses_exiting(ses))
+ continue;
ses = list_entry(tmp2, struct cifs_ses,
smb_ses_list);
list_for_each(tmp3, &ses->tcon_list) {
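Review bot: logic problem in the list_for_each(tmp2, &server->smb_ses_list) loop: cifs_ses_exiting(ses) is called before ses = list_entry(tmp2, struct cifs_ses, smb_ses_list), so the test reads the ses left over from the previous iteration (or whatever ses held before the loop on the first pass), not the entry about to be used. Move the two added lines below the list_entry() assignment, which is where the other three patches in this series place the check.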
* Re: [PATCH 0/4] smb: Backport UAF fixes for v5.4.y
From: Greg KH @ 2025-08-24 8:47 UTC (permalink / raw)
To: Chanho Min
Cc: Steve French, linux-cifs, samba-technical, linux-kernel,
gunho.lee, sashal
On Mon, Aug 11, 2025 at 06:46:35PM +0900, Chanho Min wrote:
> This patch series backports four fixes from v5.10.y and later to v5.4.y,
> addressing potential UAF issues in the SMB client implementation.
> The patches have been adapted to account for the directory rename from fs/smb/client/*
> to fs/cifs/* in v5.4.y, ensuring compatibility with the target kernel.
>
> Paulo Alcantara (4):
> smb: client: fix potential UAF in cifs_debug_files_proc_show()
> smb: client: fix potential UAF in is_valid_oplock_break()
> smb: client: fix potential UAF in smb2_is_valid_lease_break()
> smb: client: fix potential UAF in cifs_stats_proc_write()
>
> fs/cifs/cifs_debug.c | 4 ++++
> fs/cifs/cifsglob.h | 8 ++++++++
> fs/cifs/misc.c | 2 ++
> fs/cifs/smb2misc.c | 3 ++-
> 4 files changed, 16 insertions(+), 1 deletion(-)
>
We need these in newer kernels as well, otherwise you will have a
regression when moving to a new tree. Please resend patches for all of
the relevant trees and we will be glad to take them.
thanks,
greg k-h