From: Paulo Alcantara pc@manguebit.com
commit d3da25c5ac84430f89875ca7485a3828150a7e0a upstream.
Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.
Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) pc@manguebit.com Signed-off-by: Steve French stfrench@microsoft.com [ cifs_debug.c was moved from fs/cifs to fs/smb/client since 38c8a9a52082 ("smb: move client and server files to common directory fs/smb"). The cifs_ses_exiting() was introduced to cifs_debug.c since ca545b7f0823 ("smb: client: fix potential UAF in cifs_debug_files_proc_show()"). and the SES_EXITING in cifs_ses_exiting() instead of CifsExiting since dd3cd8709ed5 ("cifs: use new enum for ses_status"). The ses_lock in cifs_ses_exiting() was introduced in commmit d7d7a66aacd6 ("cifs: avoid use of global locks for high contention data"), on 5.15/5.10, there is a global lock take care of ses->status. So use "if (ses->status == CifsExiting)" instead of "if (cifs_ses_exiting(ses))" ] Signed-off-by: Xiangyu Chen xiangyu.chen@windriver.com Signed-off-by: He Zhe zhe.he@windriver.com --- Try to merge commit d3da25c5ac84430f89875ca7485a3828150a7e0a to 5.15 Verified the code compile on linux 5.15 --- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index e7501533c2ec..ce02cc71e117 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -528,6 +528,8 @@ static ssize_t cifs_stats_proc_write(struct file *file, list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; list_for_each(tmp3, &ses->tcon_list) { tcon = list_entry(tmp3, struct cifs_tcon,