| author | Namjae Jeon <linkinjeon@kernel.org> | 2023-10-05 11:22:03 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2023-10-04 21:56:28 -0500 |
| commit | 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e (patch) | |
| tree | da5a5b5679aa447860e4581d4773b72fc04924e8 /fs/smb/server/mgmt/user_session.h | |
| parent | 75ac9a3dd65f7eab4d12b0a0f744234b5300a491 (diff) | |
ksmbd: fix race condition between tree conn lookup and disconnect

If thread A in smb2_write is using work->tcon and another thread B uses
smb2_tree_disconnect to free the tcon, then thread A will use the freed tcon.

                                Time
                                 +
     Thread A                    | Thread A
     smb2_write                  | smb2_tree_disconnect
                                 |
                                 |
                                 |   kfree(tree_conn)
                                 |
      // UAF!                    |
      work->tcon->share_conf     |
                                 +

This patch adds state, a reference count and a lock for the tree conn to fix
the race condition issue.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/smb/server/mgmt/user_session.h')
| -rw-r--r-- | fs/smb/server/mgmt/user_session.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/smb/server/mgmt/user_session.h b/fs/smb/server/mgmt/user_session.h index f99d475b28db..63cb08fffde8 100644 --- a/fs/smb/server/mgmt/user_session.h +++ b/fs/smb/server/mgmt/user_session.h @@ -60,6 +60,7 @@ struct ksmbd_session { struct ksmbd_file_table file_table; unsigned long last_active; + rwlock_t tree_conns_lock; }; static inline int test_session_flag(struct ksmbd_session *sess, int bit) |
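Review bot: The new `rwlock_t tree_conns_lock;` member added after `last_active` in struct ksmbd_session has no comment saying which data it guards. Since the commit message ties it to tree conn lookup and disconnect, a short comment on the field naming the protected structure and which path takes the lock for read and which for write would make the locking rule checkable from the header. This view is limited to user_session.h, so it is also worth confirming that the lock is initialised with rwlock_init() where the session is set up, before any lookup can take it.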
