ksmbd: fix race condition between session lookup and expire

Thread A + Thread B ksmbd_session_lookup | smb2_sess_setup sess = xa_load | | | xa_erase(&conn->sessions, sess->id); | | ksmbd_session_destroy(sess) --> kfree(sess) | // UAF! | sess->last_active = jiffies | + This patch add rwsem to fix race condition between ksmbd_session_lookup and ksmbd_expire_session. Reported-by: luosili <rootlab@huawei.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
author: Namjae Jeon <linkinjeon@kernel.org> 2023-10-04 12:25:01 +0300
committer: Steve French <stfrench@microsoft.com> 2023-10-05 04:21:48 +0300
commit: 53ff5cf89142b978b1a5ca8dc4d4425e6a09745f (patch)
tree: 108b6e8f2851d06b3ed9ad4d83d09e29aad2f107 /fs/smb/server/connection.c
parent: 8a749fd1a8720d4619c91c8b6e7528c0a355c0aa (diff)
download: linux-53ff5cf89142b978b1a5ca8dc4d4425e6a09745f.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index db7fa704a3f6..4b38c3a285f6 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -84,6 +84,8 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
 	spin_lock_init(&conn->llist_lock);
 	INIT_LIST_HEAD(&conn->lock_list);
 
+	init_rwsem(&conn->session_lock);
+
 	down_write(&conn_list_lock);
 	list_add(&conn->conns_list, &conn_list);
 	up_write(&conn_list_lock);
author	Namjae Jeon <linkinjeon@kernel.org>	2023-10-04 12:25:01 +0300
committer	Steve French <stfrench@microsoft.com>	2023-10-05 04:21:48 +0300
commit	53ff5cf89142b978b1a5ca8dc4d4425e6a09745f (patch)
tree	108b6e8f2851d06b3ed9ad4d83d09e29aad2f107 /fs/smb/server/connection.c
parent	8a749fd1a8720d4619c91c8b6e7528c0a355c0aa (diff)
download	linux-53ff5cf89142b978b1a5ca8dc4d4425e6a09745f.tar.xz