ksmbd: fix race condition with fp (5a7ee91d) · Commits · Mirrors / git.yoctoproject.org / linux-yocto · GitLab

Commit 5a7ee91d authored Oct 04, 2023 by

Namjae Jeon Committed by Steve French Oct 04, 2023

ksmbd: fix race condition with fp



fp can used in each command. If smb2_close command is coming at the
same time, UAF issue can happen by race condition.

                           Time
                            +
Thread A                    | Thread B1 B2 .... B5
smb2_open                   | smb2_close
                            |
 __open_id                  |
   insert fp to file_table  |
                            |
                            |   atomic_dec_and_test(&fp->refcount)
                            |   if fp->refcount == 0, free fp by kfree.
 // UAF!                    |
 use fp                     |
                            +
This patch add f_state not to use freed fp is used and not to free fp in
use.

Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 53ff5cf8

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit f99d5d1d
· Dec 29, 2023

mentioned in commit f99d5d1d

mentioned in commit f99d5d1d2a255c517ffe2ffab8bc7563c651aafb

Toggle commit list

Please register or to comment