diff options
| author | Namjae Jeon <linkinjeon@kernel.org> | 2023-10-05 11:22:03 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2023-10-04 21:56:28 -0500 |
| commit | 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e (patch) | |
| tree | da5a5b5679aa447860e4581d4773b72fc04924e8 /fs/smb/server/server.c | |
| parent | 75ac9a3dd65f7eab4d12b0a0f744234b5300a491 (diff) | |
ksmbd: fix race condition between tree conn lookup and disconnect
if thread A in smb2_write is using work-tcon, other thread B use
smb2_tree_disconnect free the tcon, then thread A will use free'd tcon.
Time
+
Thread A | Thread A
smb2_write | smb2_tree_disconnect
|
|
| kfree(tree_conn)
|
// UAF! |
work->tcon->share_conf |
+
This patch add state, reference count and lock for tree conn to fix race
condition issue.
Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/smb/server/server.c')
| -rw-r--r-- | fs/smb/server/server.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 32347fec33c4..3079e607c5fe 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -241,6 +241,8 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, } while (is_chained == true); send: + if (work->tcon) + ksmbd_tree_connect_put(work->tcon); smb3_preauth_hash_rsp(work); if (work->sess && work->sess->enc && work->encrypted && conn->ops->encrypt_resp) { |