From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Igor Stepansky <igor.stepansky@orca.security>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.19 05/49] ksmbd: add chann_lock to protect ksmbd_chann_list xarray
Date: Fri, 13 Feb 2026 14:47:24 +0100 [thread overview]
Message-ID: <20260213134708.923682208@linuxfoundation.org> (raw)
In-Reply-To: <20260213134708.713126210@linuxfoundation.org>
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 4f3a06cc57976cafa8c6f716646be6c79a99e485 upstream.
ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in
multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del).
Adds rw_semaphore chann_lock to struct ksmbd_session and protects
all xa_load/xa_store/xa_erase accesses.
Cc: stable@vger.kernel.org
Reported-by: Igor Stepansky <igor.stepansky@orca.security>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/mgmt/user_session.c | 5 +++++
fs/smb/server/mgmt/user_session.h | 1 +
fs/smb/server/smb2pdu.c | 12 +++++++++++-
3 files changed, 17 insertions(+), 1 deletion(-)
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -32,12 +32,14 @@ static void free_channel_list(struct ksm
struct channel *chann;
unsigned long index;
+ down_write(&sess->chann_lock);
xa_for_each(&sess->ksmbd_chann_list, index, chann) {
xa_erase(&sess->ksmbd_chann_list, index);
kfree(chann);
}
xa_destroy(&sess->ksmbd_chann_list);
+ up_write(&sess->chann_lock);
}
static void __session_rpc_close(struct ksmbd_session *sess,
@@ -220,7 +222,9 @@ static int ksmbd_chann_del(struct ksmbd_
{
struct channel *chann;
+ down_write(&sess->chann_lock);
chann = xa_erase(&sess->ksmbd_chann_list, (long)conn);
+ up_write(&sess->chann_lock);
if (!chann)
return -ENOENT;
@@ -454,6 +458,7 @@ static struct ksmbd_session *__session_c
rwlock_init(&sess->tree_conns_lock);
atomic_set(&sess->refcnt, 2);
init_rwsem(&sess->rpc_lock);
+ init_rwsem(&sess->chann_lock);
ret = __init_smb2_session(sess);
if (ret)
--- a/fs/smb/server/mgmt/user_session.h
+++ b/fs/smb/server/mgmt/user_session.h
@@ -49,6 +49,7 @@ struct ksmbd_session {
char sess_key[CIFS_KEY_SIZE];
struct hlist_node hlist;
+ struct rw_semaphore chann_lock;
struct xarray ksmbd_chann_list;
struct xarray tree_conns;
struct ida tree_conn_ida;
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -79,7 +79,13 @@ static inline bool check_session_id(stru
struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn *conn)
{
- return xa_load(&sess->ksmbd_chann_list, (long)conn);
+ struct channel *chann;
+
+ down_read(&sess->chann_lock);
+ chann = xa_load(&sess->ksmbd_chann_list, (long)conn);
+ up_read(&sess->chann_lock);
+
+ return chann;
}
/**
@@ -1558,8 +1564,10 @@ binding_session:
return -ENOMEM;
chann->conn = conn;
+ down_write(&sess->chann_lock);
old = xa_store(&sess->ksmbd_chann_list, (long)conn, chann,
KSMBD_DEFAULT_GFP);
+ up_write(&sess->chann_lock);
if (xa_is_err(old)) {
kfree(chann);
return xa_err(old);
@@ -1651,8 +1659,10 @@ binding_session:
return -ENOMEM;
chann->conn = conn;
+ down_write(&sess->chann_lock);
old = xa_store(&sess->ksmbd_chann_list, (long)conn,
chann, KSMBD_DEFAULT_GFP);
+ up_write(&sess->chann_lock);
if (xa_is_err(old)) {
kfree(chann);
return xa_err(old);
next prev parent reply other threads:[~2026-02-13 13:50 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 13:47 [PATCH 6.19 00/49] 6.19.1-rc1 review Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 01/49] io_uring/io-wq: add exit-on-idle state Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 02/49] io_uring: allow io-wq workers to exit when unused Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 03/49] smb: client: split cached_fid bitfields to avoid shared-byte RMW races Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 04/49] ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths Greg Kroah-Hartman
2026-02-13 13:47 ` Greg Kroah-Hartman [this message]
2026-02-13 13:47 ` [PATCH 6.19 06/49] smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 07/49] smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 08/49] smb: smbdirect: introduce smbdirect_socket.send_io.bcredits.* Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 09/49] smb: server: make use of smbdirect_socket.recv_io.credits.available Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 10/49] smb: server: let recv_done() queue a refill when the peer is low on credits Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 11/49] smb: server: make use of smbdirect_socket.send_io.bcredits Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 12/49] smb: server: fix last send credit problem causing disconnects Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 13/49] smb: server: let send_done handle a completion without IB_SEND_SIGNALED Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 14/49] smb: client: make use of smbdirect_socket.recv_io.credits.available Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 15/49] smb: client: let recv_done() queue a refill when the peer is low on credits Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 16/49] smb: client: let smbd_post_send() make use of request->wr Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 17/49] smb: client: remove pointless sc->recv_io.credits.count rollback Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 18/49] smb: client: remove pointless sc->send_io.pending handling in smbd_post_send_iter() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 19/49] smb: client: port and use the wait_for_credits logic used by server Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 20/49] smb: client: split out smbd_ib_post_send() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 21/49] smb: client: introduce and use smbd_{alloc, free}_send_io() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 22/49] smb: client: use smbdirect_send_batch processing Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 23/49] smb: client: make use of smbdirect_socket.send_io.bcredits Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 24/49] smb: client: fix last send credit problem causing disconnects Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 25/49] smb: client: let smbd_post_send_negotiate_req() use smbd_post_send() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 26/49] smb: client: let send_done handle a completion without IB_SEND_SIGNALED Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 27/49] driver core: enforce device_lock for driver_match_device() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 28/49] Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 29/49] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 30/49] crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 31/49] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 32/49] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 33/49] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 34/49] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 35/49] nilfs2: Fix potential block overflow that cause system hang Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 36/49] hfs: ensure sb->s_fs_info is always cleaned up Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 37/49] wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 38/49] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 39/49] scsi: qla2xxx: Allow recovery for tape devices Greg Kroah-Hartman
2026-02-13 13:47 ` [PATCH 6.19 40/49] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 41/49] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 42/49] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 43/49] sched/mmcid: Dont assume CID is CPU owned on mode switch Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 44/49] bus: fsl-mc: fix use-after-free in driver_override_show() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 45/49] erofs: fix UAF issue for file-backed mounts w/ directio option Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 46/49] xfs: fix UAF in xchk_btree_check_block_owner Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 47/49] drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 48/49] PCI: endpoint: Avoid creating sub-groups asynchronously Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.19 49/49] wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add Greg Kroah-Hartman
2026-02-13 14:48 ` [PATCH 6.19 00/49] 6.19.1-rc1 review Achill Gilgenast
2026-02-13 15:35 ` Greg Kroah-Hartman
2026-02-13 15:36 ` Greg Kroah-Hartman
2026-02-13 15:57 ` Greg Kroah-Hartman
2026-02-13 16:26 ` Peter Schneider
2026-02-13 16:37 ` Greg Kroah-Hartman
2026-02-13 16:41 ` Konstantin Ryabitsev
2026-02-13 16:45 ` Peter Schneider
2026-02-13 17:53 ` Achill Gilgenast
2026-02-13 16:33 ` Peter Schneider
2026-02-13 17:37 ` Justin Forbes
2026-02-13 21:25 ` Florian Fainelli
2026-02-13 22:20 ` Jon Hunter
2026-02-14 0:49 ` Takeshi Ogasawara
2026-02-14 5:49 ` Luna Jernberg
2026-02-14 10:30 ` Ron Economos
2026-02-14 16:02 ` Brett A C Sheffield
2026-02-15 2:36 ` Miguel Ojeda
2026-02-15 10:59 ` Dileep malepu
2026-02-16 14:33 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260213134708.923682208@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=igor.stepansky@orca.security \
--cc=linkinjeon@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox