From: Chanho Min
To: Steve French, linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, gunho.lee@lge.com, gregkh@linuxfoundation.org, sashal@kernel.org, Paulo Alcantara, stable@vger.kernel.org, Steve French, Jianqi Ren, He Zhe, Chanho Min
Subject: [PATCH 1/4] smb: client: fix potential UAF in cifs_debug_files_proc_show()
Date: Mon, 11 Aug 2025 18:46:36 +0900
Message-Id: <20250811094639.37446-2-chanho.min@lge.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20250811094639.37446-1-chanho.min@lge.com>
References: <20250811094639.37446-1-chanho.min@lge.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

From: Paulo Alcantara

commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream.

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat)
Signed-off-by: Steve French
[ This patch removes lock/unlock operation in routine cifs_ses_exiting() for ses_lock is not present in v5.10 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.10. ]
Signed-off-by: Jianqi Ren
Signed-off-by: He Zhe
[ chanho: Backport to v5.4.y from v5.10.y's commit 8f8718afd44 ]
Signed-off-by: Chanho Min
Signed-off-by: Greg Kroah-Hartman
--- fs/cifs/cifs_debug.c | 2 ++ fs/cifs/cifsglob.h | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index efb2928ff6c89..df3dfa611c352 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c
@@ -162,6 +162,8 @@ static int cifs_debug_files_proc_show(struct seq_file *= m, void *v) tcp_ses_list); list_for_each(tmp, &server->smb_ses_list) { ses =3D list_entry(tmp, struct cifs_ses, smb_ses_list); + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp1, &ses->tcon_list) { tcon =3D list_entry(tmp1, struct cifs_tcon, tcon_list); spin_lock(&tcon->open_file_lock); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 253321adc2664..5f545a240afa6 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h 
@@ -2027,4 +2027,12 @@ static inline struct scatterlist *cifs_sg_set_buf(st= ruct scatterlist *sg, return sg; } =20 +static inline bool cifs_ses_exiting(struct cifs_ses *ses) +{ + bool ret; + + ret =3D ses->status =3D=3D CifsExiting; + return ret; +} + #endif /* _CIFS_GLOB_H */

From: Chanho Min
To: Steve French, linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, gunho.lee@lge.com, gregkh@linuxfoundation.org, sashal@kernel.org, Paulo Alcantara, stable@vger.kernel.org, Steve French, Chanho Min
Subject: [PATCH 2/4] smb: client: fix potential UAF in is_valid_oplock_break()
Date: Mon, 11 Aug 2025 18:46:37 +0900
Message-Id: <20250811094639.37446-3-chanho.min@lge.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20250811094639.37446-1-chanho.min@lge.com>
References: <20250811094639.37446-1-chanho.min@lge.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

From: Paulo Alcantara

commit 69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29 upstream.

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat)
Signed-off-by: Steve French
[ chanho: Backported to v5.4.y, misc.c was moved from fs/cifs to fs/smb/client ]
Signed-off-by: Chanho Min
Signed-off-by: Greg Kroah-Hartman
--- fs/cifs/misc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index db1fcdedf289a..4d838d7db7b57 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c
@@ -473,6 +473,8 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_I= nfo *srv) spin_lock(&cifs_tcp_ses_lock); list_for_each(tmp, &srv->smb_ses_list) { ses =3D list_entry(tmp, struct cifs_ses, smb_ses_list); + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp1, &ses->tcon_list) { tcon =3D list_entry(tmp1, struct cifs_tcon, tcon_list); if (tcon->tid !=3D buf->Tid)

From: Chanho Min
To: Steve French, linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, gunho.lee@lge.com, gregkh@linuxfoundation.org, sashal@kernel.org, Paulo Alcantara, stable@vger.kernel.org, Chanho Min, Steve French
Subject: [PATCH 3/4] smb: client: fix potential UAF in smb2_is_valid_lease_break()
Date: Mon, 11 Aug 2025 18:46:38 +0900
Message-Id: <20250811094639.37446-4-chanho.min@lge.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20250811094639.37446-1-chanho.min@lge.com>
References: <20250811094639.37446-1-chanho.min@lge.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

From: Paulo Alcantara

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat)
[ chanho: Backported to v5.4.y, smb2misc.c was moved from fs/cifs to fs/smb/client ]
Signed-off-by: Chanho Min
Signed-off-by: Steve French
--- fs/cifs/smb2misc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c index d7cbf1b07126c..c47927d257635 100644 --- a/fs/cifs/smb2misc.c +++ b/fs/cifs/smb2misc.c
@@ -611,7 +611,8 @@ smb2_is_valid_lease_break(char *buffer) =20 list_for_each(tmp1, &server->smb_ses_list) { ses =3D list_entry(tmp1, struct cifs_ses, smb_ses_list); - + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp2, &ses->tcon_list) { tcon =3D list_entry(tmp2, struct cifs_tcon, tcon_list);

From: Chanho Min
To: Steve French, linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, gunho.lee@lge.com, gregkh@linuxfoundation.org, sashal@kernel.org, Paulo Alcantara, stable@vger.kernel.org, Steve French, Chanho Min
Subject: [PATCH 4/4] smb: client: fix potential UAF in cifs_stats_proc_write()
Date: Mon, 11 Aug 2025 18:46:39 +0900
Message-Id: <20250811094639.37446-5-chanho.min@lge.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20250811094639.37446-1-chanho.min@lge.com>
References: <20250811094639.37446-1-chanho.min@lge.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

From: Paulo Alcantara

commit d3da25c5ac84430f89875ca7485a3828150a7e0a upstream.

Skip sessions that are being torn down (status == SES_EXITING) to avoid UAF.

Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Paulo Alcantara (Red Hat)
Signed-off-by: Steve French
[ chanho: Backported to v5.4.y, cifs_debug.c was moved from fs/cifs to fs/smb/client ]
Signed-off-by: Chanho Min
Signed-off-by: Greg Kroah-Hartman
--- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index df3dfa611c352..47190e676aa25 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -470,6 +470,8 @@ static ssize_t cifs_stats_proc_write(struct file *file, } #endif /* CONFIG_CIFS_STATS2 */ list_for_each(tmp2, &server->smb_ses_list) { + if (cifs_ses_exiting(ses)) + continue; ses =3D list_entry(tmp2, struct cifs_ses, smb_ses_list); list_for_each(tmp3, &ses->tcon_list) {
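
Review bot: in [PATCH 1/4], the new cifs_ses_exiting() helper in the fs/cifs/cifsglob.h hunk reads ses->status with no locking of its own and no comment stating what the caller must hold. The backport note says ses->status is protected by the global cifs_tcp_ses_lock in v5.10; the v5.4 note should say whether the same holds here, and a one-line comment above the helper ("caller must hold cifs_tcp_ses_lock") would make the requirement visible at every call site, including the cifs_debug_files_proc_show() hunk whose context lines do not show the lock being taken. With the lock/unlock pair dropped, the `bool ret` temporary serves no purpose and the body can be `return ses->status == CifsExiting;`. The changelog also speaks of SES_EXITING while the code tests CifsExiting; a word in the backport note on that rename would avoid confusion.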
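
Review bot: [PATCH 3/4], the smb2_is_valid_lease_break() change in fs/cifs/smb2misc.c, has no "commit <id> upstream." line in its changelog, while 1/4, 2/4 and 4/4 each carry one. Add the upstream commit id so the backport can be matched against mainline. The Signed-off-by order also differs from the other three patches (Chanho Min before Steve French); keep the original sign-offs first and the backporter's last, as in the rest of the series.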
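
Review bot: in [PATCH 4/4], the cifs_stats_proc_write() hunk puts `if (cifs_ses_exiting(ses)) continue;` above `ses = list_entry(tmp2, struct cifs_ses, smb_ses_list);`, so the check runs on the ses left over from the previous iteration, or on whatever ses held before the loop on the first pass, and never on the entry about to be walked. The session whose tcon_list is then traversed is not the one that was tested, which leaves the exiting-session case this patch is meant to skip still reachable. Move the two added lines below the list_entry() assignment, matching the placement in the 1/4, 2/4 and 3/4 hunks.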