[PATCH 09/12] smb: client: fix potential UAF in smb2_get_sign_key()

Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.

Signed-off-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>
---
 fs/smb/client/smb2transport.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c
index 1d6e54f7879e..400175b9ef47 100644
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -89,8 +89,10 @@ int smb2_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key)
 	pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
 
 	list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) {
-		if (ses->Suid == ses_id)
+		spin_lock(&ses->ses_lock);
+		if (ses->ses_status != SES_EXITING && ses->Suid == ses_id)
 			goto found;
+		spin_unlock(&ses->ses_lock);
 	}
 	trace_smb3_ses_not_found(ses_id);
 	cifs_server_dbg(FYI, "%s: Could not find session 0x%llx\n",
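Review bot: the "goto found" inside the loop now leaves list_for_each_entry() with ses->ses_lock still held, and nothing at the branch says so. A one-line comment at the goto (for example "found: is entered with ses->ses_lock held") would make the hand-off explicit, since the only unlock visible in this hunk is the one on the non-matching path. The commit message could also say which teardown path frees the session, so the reader can see why checking ses_status != SES_EXITING under ses_lock is sufficient.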
@@ -99,7 +101,6 @@ int smb2_get_sign_key(__u64 ses_id, struct TCP_Server_Info *server, u8 *key)
 	goto out;
 
 found:
-	spin_lock(&ses->ses_lock);
 	spin_lock(&ses->chan_lock);
 
 	is_binding = (cifs_chan_needs_reconnect(ses, server) &&
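Review bot: after removing spin_lock(&ses->ses_lock) below the found: label, the label silently depends on the loop having taken that lock. Consider adding lockdep_assert_held(&ses->ses_lock) right after found: so the dependency is checked rather than implied. The ses_lock then chan_lock ordering is unchanged, but the matching unlocks are outside this hunk; please confirm every exit from the found: path still releases ses_lock exactly once.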
-- 
2.44.0




