* [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
@ 2024-12-06 8:14 jianqi.ren.cn
2024-12-06 17:11 ` Sasha Levin
2024-12-11 8:15 ` Greg KH
0 siblings, 2 replies; 15+ messages in thread
From: jianqi.ren.cn @ 2024-12-06 8:14 UTC (permalink / raw)
To: pc, gregkh; +Cc: stable
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
fs/smb/client/ioctl.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..173c8c76d31f 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,17 +246,23 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
* section, we need to make sure it won't be released
* so increment its refcount
*/
+
+ lockdep_assert_held(&cifs_tcp_ses_lock);
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
--
2.25.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-06 8:14 jianqi.ren.cn
@ 2024-12-06 17:11 ` Sasha Levin
2024-12-11 8:15 ` Greg KH
1 sibling, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2024-12-06 17:11 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Paulo Alcantara <pc@manguebit.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: f6a073ae8cb4f smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
ses = ses_it;
/*
* since we are using the session outside the crit
-@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
+ * section, we need to make sure it won't be released
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
++
++ lockdep_assert_held(&cifs_tcp_ses_lock);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
@ 2024-12-09 4:22 jianqi.ren.cn
2024-12-09 6:00 ` Harshit Mogalapalli
2024-12-09 14:35 ` Sasha Levin
0 siblings, 2 replies; 15+ messages in thread
From: jianqi.ren.cn @ 2024-12-09 4:22 UTC (permalink / raw)
To: pc, gregkh
Cc: stable, sfrench, pc, lsahlber, sprasad, tom, linux-cifs,
linux-kernel, samba-technical
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
fs/smb/client/ioctl.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..173c8c76d31f 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,17 +246,23 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
* section, we need to make sure it won't be released
* so increment its refcount
*/
+
+ lockdep_assert_held(&cifs_tcp_ses_lock);
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
--
2.25.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-09 4:22 jianqi.ren.cn
@ 2024-12-09 6:00 ` Harshit Mogalapalli
2024-12-09 14:35 ` Sasha Levin
1 sibling, 0 replies; 15+ messages in thread
From: Harshit Mogalapalli @ 2024-12-09 6:00 UTC (permalink / raw)
To: jianqi.ren.cn, pc, gregkh
Cc: stable, sfrench, pc, lsahlber, sprasad, tom, linux-cifs,
linux-kernel, samba-technical, Vegard Nossum
Hi Jianqi,
On 09/12/24 09:52, jianqi.ren.cn@windriver.com wrote:
> From: Paulo Alcantara <pc@manguebit.com>
>
> [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
>
> Skip sessions that are being teared down (status == SES_EXITING) to
> avoid UAF.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> Signed-off-by: Steve French <stfrench@microsoft.com>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
> ---
> fs/smb/client/ioctl.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
> index ae9905e2b9d4..173c8c76d31f 100644
> --- a/fs/smb/client/ioctl.c
> +++ b/fs/smb/client/ioctl.c
> @@ -246,17 +246,23 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
> spin_lock(&cifs_tcp_ses_lock);
> list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
> list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
> - if (ses_it->Suid == out.session_id) {
> + spin_lock(&ses_it->ses_lock);
> + if (ses_it->ses_status != SES_EXITING &&
> + ses_it->Suid == out.session_id) {
> ses = ses_it;
> /*
> * since we are using the session outside the crit
> * section, we need to make sure it won't be released
> * so increment its refcount
> */
> +
> + lockdep_assert_held(&cifs_tcp_ses_lock);
^^ This doesn't exist in upstream commit, why is this needed ?
Thanks,
Harshit
> ses->ses_count++;
> + spin_unlock(&ses_it->ses_lock);
> found = true;
> goto search_end;
> }
> + spin_unlock(&ses_it->ses_lock);
> }
> }
> search_end:
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
@ 2024-12-09 8:58 jianqi.ren.cn
2024-12-09 14:35 ` Sasha Levin
2024-12-12 12:09 ` Greg KH
0 siblings, 2 replies; 15+ messages in thread
From: jianqi.ren.cn @ 2024-12-09 8:58 UTC (permalink / raw)
To: pc, gregkh
Cc: stable, sfrench, pc, lsahlber, sprasad, tom, linux-cifs,
linux-kernel, samba-technical
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
fs/smb/client/ioctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..7402070b7a06 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
--
2.25.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-09 4:22 jianqi.ren.cn
2024-12-09 6:00 ` Harshit Mogalapalli
@ 2024-12-09 14:35 ` Sasha Levin
1 sibling, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2024-12-09 14:35 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Paulo Alcantara <pc@manguebit.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: 805e5ef97956b smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
ses = ses_it;
/*
* since we are using the session outside the crit
-@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
+ * section, we need to make sure it won't be released
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
++
++ lockdep_assert_held(&cifs_tcp_ses_lock);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-09 8:58 jianqi.ren.cn
@ 2024-12-09 14:35 ` Sasha Levin
2024-12-12 12:09 ` Greg KH
1 sibling, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2024-12-09 14:35 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Paulo Alcantara <pc@manguebit.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: 8fb3f4007b3be smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-06 8:14 jianqi.ren.cn
2024-12-06 17:11 ` Sasha Levin
@ 2024-12-11 8:15 ` Greg KH
1 sibling, 0 replies; 15+ messages in thread
From: Greg KH @ 2024-12-11 8:15 UTC (permalink / raw)
To: jianqi.ren.cn; +Cc: pc, stable
On Fri, Dec 06, 2024 at 04:14:36PM +0800, jianqi.ren.cn@windriver.com wrote:
> From: Paulo Alcantara <pc@manguebit.com>
>
> [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
>
> Skip sessions that are being teared down (status == SES_EXITING) to
> avoid UAF.
Please cc: all relevant people on backports.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
@ 2024-12-11 9:59 jianqi.ren.cn
2024-12-11 16:32 ` Sasha Levin
0 siblings, 1 reply; 15+ messages in thread
From: jianqi.ren.cn @ 2024-12-11 9:59 UTC (permalink / raw)
To: pc, gregkh
Cc: stfrench, stable, sfrench, pc, lsahlber, sprasad, tom, linux-cifs,
linux-kernel, samba-technical
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
fs/smb/client/ioctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..7402070b7a06 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
--
2.25.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
@ 2024-12-11 10:15 jianqi.ren.cn
2024-12-11 16:32 ` Sasha Levin
0 siblings, 1 reply; 15+ messages in thread
From: jianqi.ren.cn @ 2024-12-11 10:15 UTC (permalink / raw)
To: pc, gregkh
Cc: patches, stfrench, stable, sfrench, pc, lsahlber, sprasad, tom,
linux-cifs, linux-kernel, samba-technical
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
fs/smb/client/ioctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..7402070b7a06 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
--
2.25.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-11 10:15 [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key() jianqi.ren.cn
@ 2024-12-11 16:32 ` Sasha Levin
0 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2024-12-11 16:32 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Paulo Alcantara <pc@manguebit.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: 9ecdabdf26e97 smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-11 9:59 jianqi.ren.cn
@ 2024-12-11 16:32 ` Sasha Levin
0 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2024-12-11 16:32 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Paulo Alcantara <pc@manguebit.com>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: 8f31ad3d67064 smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2024-12-09 8:58 jianqi.ren.cn
2024-12-09 14:35 ` Sasha Levin
@ 2024-12-12 12:09 ` Greg KH
1 sibling, 0 replies; 15+ messages in thread
From: Greg KH @ 2024-12-12 12:09 UTC (permalink / raw)
To: jianqi.ren.cn
Cc: pc, stable, sfrench, pc, lsahlber, sprasad, tom, linux-cifs,
linux-kernel, samba-technical
On Mon, Dec 09, 2024 at 04:58:13PM +0800, jianqi.ren.cn@windriver.com wrote:
> From: Paulo Alcantara <pc@manguebit.com>
>
> [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
>
> Skip sessions that are being teared down (status == SES_EXITING) to
> avoid UAF.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> Signed-off-by: Steve French <stfrench@microsoft.com>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
> ---
> fs/smb/client/ioctl.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
You sent this twice, both different, so I have no idea what to do at all
:(
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
@ 2025-03-19 2:37 jianqi.ren.cn
2025-03-19 10:54 ` Sasha Levin
0 siblings, 1 reply; 15+ messages in thread
From: jianqi.ren.cn @ 2025-03-19 2:37 UTC (permalink / raw)
To: stable
Cc: patches, gregkh, linux-kernel, sfrench, pc, lsahlber, sprasad,
tom, linux-cifs, samba-technical, pc, stfrench
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
---
Verified the build test
---
fs/smb/client/ioctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c
index ae9905e2b9d4..7402070b7a06 100644
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
spin_lock(&cifs_tcp_ses_lock);
list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) {
list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) {
- if (ses_it->Suid == out.session_id) {
+ spin_lock(&ses_it->ses_lock);
+ if (ses_it->ses_status != SES_EXITING &&
+ ses_it->Suid == out.session_id) {
ses = ses_it;
/*
* since we are using the session outside the crit
@@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
}
+ spin_unlock(&ses_it->ses_lock);
}
}
search_end:
--
2.25.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()
2025-03-19 2:37 jianqi.ren.cn
@ 2025-03-19 10:54 ` Sasha Levin
0 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2025-03-19 10:54 UTC (permalink / raw)
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Paulo Alcantara<pc@manguebit.com>
Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: 6e0245f6a95d2 smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+ Signed-off-by: He Zhe <zhe.he@windriver.com>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2025-03-19 10:54 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-12-11 10:15 [PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key() jianqi.ren.cn
2024-12-11 16:32 ` Sasha Levin
-- strict thread matches above, loose matches on Subject: below --
2025-03-19 2:37 jianqi.ren.cn
2025-03-19 10:54 ` Sasha Levin
2024-12-11 9:59 jianqi.ren.cn
2024-12-11 16:32 ` Sasha Levin
2024-12-09 8:58 jianqi.ren.cn
2024-12-09 14:35 ` Sasha Levin
2024-12-12 12:09 ` Greg KH
2024-12-09 4:22 jianqi.ren.cn
2024-12-09 6:00 ` Harshit Mogalapalli
2024-12-09 14:35 ` Sasha Levin
2024-12-06 8:14 jianqi.ren.cn
2024-12-06 17:11 ` Sasha Levin
2024-12-11 8:15 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).