git.baikalelectronics.ru Git - kernel.git/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Wed, 3 May 2023 05:03:40 +0000 (14:03 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 17 May 2023 09:53:57 +0000 (11:53 +0200)
commit	ec9ad3b88989e9c97b0e1000aa626f693d68ac13
tree	504a3e1c060c1a00aadb3dc523460bf89af36373	tree \| snapshot
parent	6780e7e536e36731e89833e52435ad516ce95867	commit \| diff

ksmbd: fix racy issue from smb2 close and logoff with multichannel

[ Upstream commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19 ]

When smb client send concurrent smb2 close and logoff request
with multichannel connection, It can cause racy issue. logoff request
free tcon and can cause UAF issues in smb2 close. When receiving logoff
request with multichannel, ksmbd should wait until all remaning requests
complete as well as ones in the current connection, and then make
session expired.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20796 ZDI-CAN-20595
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ksmbd/connection.c		diff \| blob \| history
fs/ksmbd/connection.h		diff \| blob \| history
fs/ksmbd/mgmt/tree_connect.c		diff \| blob \| history
fs/ksmbd/mgmt/user_session.c		diff \| blob \| history
fs/ksmbd/smb2pdu.c		diff \| blob \| history