diff options
| author | Namjae Jeon <linkinjeon@kernel.org> | 2023-12-19 00:34:31 +0900 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-12-23 10:41:58 +0100 |
| commit | c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f (patch) | |
| tree | 54a516b5ff98ad68a8fc48f7e059b729e454f8fd | |
| parent | b9a3e4549676857bf4b1b5f92200fbb1740dfa2e (diff) | |
| download | linux-c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f.tar.gz linux-c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f.tar.bz2 linux-c77fd3e25a51ac92b0f1b347a96eff6a0b4f066f.zip | |
ksmbd: fix race condition between session lookup and expire
[ Upstream commit 53ff5cf89142b978b1a5ca8dc4d4425e6a09745f ]
Thread A + Thread B
ksmbd_session_lookup | smb2_sess_setup
sess = xa_load |
|
| xa_erase(&conn->sessions, sess->id);
|
| ksmbd_session_destroy(sess) --> kfree(sess)
|
// UAF! |
sess->last_active = jiffies |
+
This patch add rwsem to fix race condition between ksmbd_session_lookup
and ksmbd_expire_session.
Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/ksmbd/connection.c | 2 | ||||
| -rw-r--r-- | fs/ksmbd/connection.h | 1 | ||||
| -rw-r--r-- | fs/ksmbd/mgmt/user_session.c | 10 |
3 files changed, 10 insertions, 3 deletions
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c index 9e12738a56c6..28b65a43fa39 100644 --- a/fs/ksmbd/connection.c +++ b/fs/ksmbd/connection.c @@ -84,6 +84,8 @@ struct ksmbd_conn *ksmbd_conn_alloc(void) spin_lock_init(&conn->llist_lock); INIT_LIST_HEAD(&conn->lock_list); + init_rwsem(&conn->session_lock); + down_write(&conn_list_lock); list_add(&conn->conns_list, &conn_list); up_write(&conn_list_lock); diff --git a/fs/ksmbd/connection.h b/fs/ksmbd/connection.h index ab2583f030ce..3c005246a32e 100644 --- a/fs/ksmbd/connection.h +++ b/fs/ksmbd/connection.h @@ -50,6 +50,7 @@ struct ksmbd_conn { struct nls_table *local_nls; struct unicode_map *um; struct list_head conns_list; + struct rw_semaphore session_lock; /* smb session 1 per user */ struct xarray sessions; unsigned long last_active; diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c index 8a5dcab05614..b8be14a96cf6 100644 --- a/fs/ksmbd/mgmt/user_session.c +++ b/fs/ksmbd/mgmt/user_session.c @@ -174,7 +174,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn) unsigned long id; struct ksmbd_session *sess; - down_write(&sessions_table_lock); + down_write(&conn->session_lock); xa_for_each(&conn->sessions, id, sess) { if (sess->state != SMB2_SESSION_VALID || time_after(jiffies, @@ -185,7 +185,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn) continue; } } - up_write(&sessions_table_lock); + up_write(&conn->session_lock); } int ksmbd_session_register(struct ksmbd_conn *conn, @@ -227,7 +227,9 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn) } } } + up_write(&sessions_table_lock); + down_write(&conn->session_lock); xa_for_each(&conn->sessions, id, sess) { unsigned long chann_id; struct channel *chann; @@ -244,7 +246,7 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn) ksmbd_session_destroy(sess); } } - up_write(&sessions_table_lock); + up_write(&conn->session_lock); } struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, @@ -252,9 +254,11 @@ struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, { struct ksmbd_session *sess; + down_read(&conn->session_lock); sess = xa_load(&conn->sessions, id); if (sess) sess->last_active = jiffies; + up_read(&conn->session_lock); return sess; } |