git.hungrycats.org Git - linux/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Wed, 3 May 2023 05:03:40 +0000 (14:03 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 17 May 2023 11:58:55 +0000 (13:58 +0200)
commit	de428966b40c8b8abe35592ded2e9f4d366ffc38
tree	d059bf19d6d9ed776f8c7f4e58f4bdc4c1a80991	tree \| snapshot
parent	750a2d772e9d9ff377fd32e3b6797bf2cd847a7a	commit \| diff

ksmbd: fix racy issue from smb2 close and logoff with multichannel

[ Upstream commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19 ]

When smb client send concurrent smb2 close and logoff request
with multichannel connection, It can cause racy issue. logoff request
free tcon and can cause UAF issues in smb2 close. When receiving logoff
request with multichannel, ksmbd should wait until all remaning requests
complete as well as ones in the current connection, and then make
session expired.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20796 ZDI-CAN-20595
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ksmbd/connection.c		diff \| blob \| history
fs/ksmbd/connection.h		diff \| blob \| history
fs/ksmbd/mgmt/tree_connect.c		diff \| blob \| history
fs/ksmbd/mgmt/user_session.c		diff \| blob \| history
fs/ksmbd/smb2pdu.c		diff \| blob \| history