git.itanic.dy.fi Git - linux-stable/commit

author	Namjae Jeon <linkinjeon@kernel.org>
	Wed, 3 May 2023 05:03:40 +0000 (14:03 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 17 May 2023 09:53:57 +0000 (11:53 +0200)
commit	4aba9ab6a007e41182454f84f95c0bddf7d6d7e1
tree	504a3e1c060c1a00aadb3dc523460bf89af36373	tree \| snapshot
parent	502cf9709036d9305495876fa8c33c8a52541b15	commit \| diff

ksmbd: fix racy issue from smb2 close and logoff with multichannel

[ Upstream commit abcc506a9a71976a8b4c9bf3ee6efd13229c1e19 ]

When smb client send concurrent smb2 close and logoff request
with multichannel connection, It can cause racy issue. logoff request
free tcon and can cause UAF issues in smb2 close. When receiving logoff
request with multichannel, ksmbd should wait until all remaning requests
complete as well as ones in the current connection, and then make
session expired.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20796 ZDI-CAN-20595
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ksmbd/connection.c		diff \| blob \| history
fs/ksmbd/connection.h		diff \| blob \| history
fs/ksmbd/mgmt/tree_connect.c		diff \| blob \| history
fs/ksmbd/mgmt/user_session.c		diff \| blob \| history
fs/ksmbd/smb2pdu.c		diff \| blob \| history