[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit: Backport author: jianqi.ren.cn@windriver.com Commit author: Paulo Alcantara pc@manguebit.com
Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 10e17ca4000e) 6.1.y | Not found
Note: The patch differs from the upstream commit: --- 1: 58acd1f497162 ! 1: f6a073ae8cb4f smb: client: fix potential UAF in cifs_dump_full_key() @@ Metadata ## Commit message ## smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ] + Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.
Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) pc@manguebit.com Signed-off-by: Steve French stfrench@microsoft.com + Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com
## fs/smb/client/ioctl.c ## @@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug @@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str ses = ses_it; /* * since we are using the session outside the crit -@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug + * section, we need to make sure it won't be released * so increment its refcount */ - cifs_smb_ses_inc_refcount(ses); ++ ++ lockdep_assert_held(&cifs_tcp_ses_lock); + ses->ses_count++; + spin_unlock(&ses_it->ses_lock); found = true; goto search_end; ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |