This is a note to let you know that I've just added the patch titled
ksmbd: destroy expired sessions
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ksmbd-destroy-expired-sessions.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From linkinjeon@xxxxxxxxx Mon Dec 18 16:40:08 2023
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Tue, 19 Dec 2023 00:33:49 +0900
Subject: ksmbd: destroy expired sessions
To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Cc: smfrench@xxxxxxxxx, Namjae Jeon <linkinjeon@xxxxxxxxxx>, zdi-disclosures@xxxxxxxxxxxxxx, Steve French <stfrench@xxxxxxxxxxxxx>
Message-ID: <20231218153454.8090-90-linkinjeon@xxxxxxxxxx>
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
[ Upstream commit ea174a91893956450510945a0c5d1a10b5323656 ]
client can indefinitely send smb2 session setup requests with
the SessionId set to 0, thus indefinitely spawning new sessions,
and causing indefinite memory usage. This patch limit to the number
of sessions using expired timeout and session state.
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: zdi-disclosures@xxxxxxxxxxxxxx # ZDI-CAN-20478
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ksmbd/mgmt/user_session.c | 68 +++++++++++++++++++++++--------------------
fs/ksmbd/mgmt/user_session.h | 1
fs/ksmbd/smb2pdu.c | 1
fs/ksmbd/smb2pdu.h | 2 +
4 files changed, 41 insertions(+), 31 deletions(-)
--- a/fs/ksmbd/mgmt/user_session.c
+++ b/fs/ksmbd/mgmt/user_session.c
@@ -165,70 +165,73 @@ static struct ksmbd_session *__session_l
struct ksmbd_session *sess;
hash_for_each_possible(sessions_table, sess, hlist, id) {
- if (id == sess->id)
+ if (id == sess->id) {
+ sess->last_active = jiffies;
return sess;
+ }
}
return NULL;
}
+static void ksmbd_expire_session(struct ksmbd_conn *conn)
+{
+ unsigned long id;
+ struct ksmbd_session *sess;
+
+ xa_for_each(&conn->sessions, id, sess) {
+ if (sess->state != SMB2_SESSION_VALID ||
+ time_after(jiffies,
+ sess->last_active + SMB2_SESSION_TIMEOUT)) {
+ xa_erase(&conn->sessions, sess->id);
+ ksmbd_session_destroy(sess);
+ continue;
+ }
+ }
+}
+
int ksmbd_session_register(struct ksmbd_conn *conn,
struct ksmbd_session *sess)
{
sess->dialect = conn->dialect;
memcpy(sess->ClientGUID, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE);
+ ksmbd_expire_session(conn);
return xa_err(xa_store(&conn->sessions, sess->id, sess, GFP_KERNEL));
}
-static int ksmbd_chann_del(struct ksmbd_conn *conn, struct ksmbd_session *sess)
+static void ksmbd_chann_del(struct ksmbd_conn *conn, struct ksmbd_session *sess)
{
struct channel *chann;
chann = xa_erase(&sess->ksmbd_chann_list, (long)conn);
if (!chann)
- return -ENOENT;
+ return;
kfree(chann);
-
- return 0;
}
void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
{
struct ksmbd_session *sess;
+ unsigned long id;
- if (conn->binding) {
- int bkt;
-
- down_write(&sessions_table_lock);
- hash_for_each(sessions_table, bkt, sess, hlist) {
- if (!ksmbd_chann_del(conn, sess)) {
- up_write(&sessions_table_lock);
- goto sess_destroy;
- }
- }
- up_write(&sessions_table_lock);
- } else {
- unsigned long id;
-
- xa_for_each(&conn->sessions, id, sess) {
- if (!ksmbd_chann_del(conn, sess))
- goto sess_destroy;
+ xa_for_each(&conn->sessions, id, sess) {
+ ksmbd_chann_del(conn, sess);
+ if (xa_empty(&sess->ksmbd_chann_list)) {
+ xa_erase(&conn->sessions, sess->id);
+ ksmbd_session_destroy(sess);
}
}
-
- return;
-
-sess_destroy:
- if (xa_empty(&sess->ksmbd_chann_list)) {
- xa_erase(&conn->sessions, sess->id);
- ksmbd_session_destroy(sess);
- }
}
struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
unsigned long long id)
{
- return xa_load(&conn->sessions, id);
+ struct ksmbd_session *sess;
+
+ sess = xa_load(&conn->sessions, id);
+ if (sess)
+ sess->last_active = jiffies;
+ return sess;
}
struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
@@ -237,6 +240,8 @@ struct ksmbd_session *ksmbd_session_look
down_read(&sessions_table_lock);
sess = __session_lookup(id);
+ if (sess)
+ sess->last_active = jiffies;
up_read(&sessions_table_lock);
return sess;
@@ -315,6 +320,7 @@ static struct ksmbd_session *__session_c
if (ksmbd_init_file_table(&sess->file_table))
goto error;
+ sess->last_active = jiffies;
sess->state = SMB2_SESSION_IN_PROGRESS;
set_session_flag(sess, protocol);
xa_init(&sess->tree_conns);
--- a/fs/ksmbd/mgmt/user_session.h
+++ b/fs/ksmbd/mgmt/user_session.h
@@ -59,6 +59,7 @@ struct ksmbd_session {
__u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
struct ksmbd_file_table file_table;
+ unsigned long last_active;
};
static inline int test_session_flag(struct ksmbd_session *sess, int bit)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1875,6 +1875,7 @@ out_err:
if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
try_delay = true;
+ sess->last_active = jiffies;
sess->state = SMB2_SESSION_EXPIRED;
if (try_delay)
ssleep(5);
--- a/fs/ksmbd/smb2pdu.h
+++ b/fs/ksmbd/smb2pdu.h
@@ -619,6 +619,8 @@ struct create_context {
__u8 Buffer[0];
} __packed;
+#define SMB2_SESSION_TIMEOUT (10 * HZ)
+
struct create_durable_req_v2 {
struct create_context ccontext;
__u8 Name[8];
Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxx are
queue-5.15/ksmbd-fix-uaf-issue-from-opinfo-conn.patch
queue-5.15/ksmbd-fix-race-condition-from-parallel-smb2-lock-requests.patch
queue-5.15/ksmbd-validate-session-id-and-tree-id-in-compound-request.patch
queue-5.15/ksmbd-reorganize-ksmbd_iov_pin_rsp.patch
queue-5.15/ksmbd-convert-to-use-sysfs_emit-sysfs_emit_at-apis.patch
queue-5.15/ksmbd-validate-length-in-smb2_write.patch
queue-5.15/ksmbd-add-support-for-key-exchange.patch
queue-5.15/ksmbd-request-update-to-stale-share-config.patch
queue-5.15/ksmbd-remove-generic_fillattr-use-in-smb2_open.patch
queue-5.15/ksmbd-fix-uninitialized-pointer-read-in-smb2_create_link.patch
queue-5.15/ksmbd-set-smb2_session_flag_encrypt_data-when-enforcing-data-encryption-for-this-share.patch
queue-5.15/ksmbd-constify-struct-path.patch
queue-5.15/ksmbd-casefold-utf-8-share-names-and-fix-ascii-lowercase-conversion.patch
queue-5.15/ksmbd-validate-smb-request-protocol-id.patch
queue-5.15/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
queue-5.15/ksmbd-release-interim-response-after-sending-status-pending-response.patch
queue-5.15/ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch
queue-5.15/ksmbd-fix-out-of-bounds-read-in-smb2_sess_setup.patch
queue-5.15/ksmbd-decrease-the-number-of-smb3-smbdirect-server-sges.patch
queue-5.15/ksmbd-make-utf-8-file-name-comparison-work-in-__caseless_lookup.patch
queue-5.15/ksmbd-use-f_setlk-when-unlocking-a-file.patch
queue-5.15/fs-introduce-lock_rename_child-helper.patch
queue-5.15/ksmbd-use-kzalloc-instead-of-__gfp_zero.patch
queue-5.15/ksmbd-set-ntlmssp_negotiate_seal-flag-to-challenge-blob.patch
queue-5.15/ksmbd-call-ib_drain_qp-when-disconnected.patch
queue-5.15/ksmbd-fix-posix_acls-and-acls-dereferencing-possible-err_ptr.patch
queue-5.15/ksmbd-destroy-expired-sessions.patch
queue-5.15/ksmbd-fix-resource-leak-in-smb2_lock.patch
queue-5.15/ksmbd-check-iov-vector-index-in-ksmbd_conn_write.patch
queue-5.15/ksmbd-hide-socket-error-message-when-ipv6-config-is-disable.patch
queue-5.15/ksmbd-use-netif_is_bridge_port.patch
queue-5.15/ksmbd-smbd-simplify-tracking-pending-packets.patch
queue-5.15/ksmbd-implements-sess-rpc_handle_list-as-xarray.patch
queue-5.15/ksmbd-remove-duplicate-flag-set-in-smb2_write.patch
queue-5.15/ksmbd-separately-allocate-ci-per-dentry.patch
queue-5.15/ksmbd-fix-racy-issue-from-session-setup-and-logoff.patch
queue-5.15/ksmbd-fix-race-condition-between-session-lookup-and-expire.patch
queue-5.15/ksmbd-fix-wrong-smbd-max-read-write-size-check.patch
queue-5.15/ksmbd-replace-usage-of-found-with-dedicated-list-iterator-variable.patch
queue-5.15/ksmbd-add-support-for-surrogate-pair-conversion.patch
queue-5.15/ksmbd-reduce-server-smbdirect-max-send-receive-segment-sizes.patch
queue-5.15/ksmbd-fix-force-create-mode-and-force-directory-mode.patch
queue-5.15/ksmbd-remove-unneeded-mark_inode_dirty-in-set_info_sec.patch
queue-5.15/ksmbd-fix-potential-double-free-on-smb2_read_pipe-error-path.patch
queue-5.15/ksmbd-remove-unused-ksmbd_tree_conn_share-function.patch
queue-5.15/ksmbd-block-asynchronous-requests-when-making-a-delay-on-session-setup.patch
queue-5.15/ksmbd-call-putname-after-using-the-last-component.patch
queue-5.15/ksmbd-don-t-open-code-file_path.patch
queue-5.15/ksmbd-fix-passing-freed-memory-aux_payload_buf.patch
queue-5.15/ksmbd-fill-sids-in-smb_find_file_posix_info-response.patch
queue-5.15/ksmbd-don-t-open-code-pd.patch
queue-5.15/ksmbd-shorten-experimental-warning-on-loading-the-module.patch
queue-5.15/ksmbd-remove-filename-in-ksmbd_file.patch
queue-5.15/ksmbd-move-oplock-handling-after-unlock-parent-dir.patch
queue-5.15/ksmbd-fix-race-condition-between-tree-conn-lookup-and-disconnect.patch
queue-5.15/ksmbd-smbd-introduce-read-write-credits-for-rdma-read-write.patch
queue-5.15/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch
queue-5.15/ksmbd-fix-recursive-locking-in-vfs-helpers.patch
queue-5.15/ksmbd-fix-some-kernel-doc-comments.patch
queue-5.15/ksmbd-use-struct_size-helper-in-ksmbd_negotiate_smb_dialect.patch
queue-5.15/ksmbd-smbd-relax-the-count-of-sges-required.patch
queue-5.15/ksmbd-fix-wrong-error-response-status-by-using-set_smb2_rsp_status.patch
queue-5.15/ksmbd-fix-spelling-mistake-excceed-exceeded.patch
queue-5.15/ksmbd-fix-null-pointer-dereferences-in-ksmbd_update_fstate.patch
queue-5.15/ksmbd-fix-encryption-failure-issue-for-session-logoff-response.patch
queue-5.15/ksmbd-prevent-memory-leak-on-error-return.patch
queue-5.15/ksmbd-fix-racy-issue-from-using-d_parent-and-d_name.patch
queue-5.15/ksmbd-change-security-id-to-the-one-samba-used-for-posix-extension.patch
queue-5.15/ksmbd-handle-malformed-smb1-message.patch
queue-5.15/ksmbd-don-t-update-op_state-as-oplock_state_none-on-error.patch
queue-5.15/ksmbd-smbd-fix-connection-dropped-issue.patch
queue-5.15/ksmbd-fix-racy-issue-from-smb2-close-and-logoff-with-multichannel.patch
queue-5.15/ksmbd-change-the-return-value-of-ksmbd_vfs_query_maximal_access-to-void.patch
queue-5.15/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch
queue-5.15/ksmbd-replace-one-element-array-with-flexible-array-member.patch
queue-5.15/ksmbd-fix-uninitialized-pointer-read-in-ksmbd_vfs_rename.patch
queue-5.15/ksmbd-replace-one-element-arrays-with-flexible-array-members.patch
queue-5.15/ksmbd-fix-unsigned-expression-compared-with-zero.patch
queue-5.15/ksmbd-implements-sess-ksmbd_chann_list-as-xarray.patch
queue-5.15/ksmbd-set-file-permission-mode-to-match-samba-server-posix-extension-behavior.patch
queue-5.15/ksmbd-fix-wrong-interim-response-on-compound.patch
queue-5.15/ksmbd-return-invalid-parameter-error-response-if-smb2-request-is-invalid.patch
queue-5.15/ksmbd-smbd-validate-buffer-descriptor-structures.patch
queue-5.15/ksmbd-fix-missing-rdma-capable-flag-for-ipoib-device-in-ksmbd_rdma_capable_netdev.patch
queue-5.15/ksmbd-send-proper-error-response-in-smb2_tree_connect.patch
queue-5.15/ksmbd-set-negotiatecontextcount-once-instead-of-every-inc.patch
queue-5.15/ksmbd-fix-typo-syncronous-synchronous.patch
queue-5.15/ksmbd-validate-share-name-from-share-config-response.patch
queue-5.15/ksmbd-fix-possible-deadlock-in-smb2_open.patch
queue-5.15/ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch
queue-5.15/ksmbd-add-missing-calling-smb2_set_err_rsp-on-error.patch
queue-5.15/ksmbd-remove-unused-ksmbd_share_configs_cleanup-function.patch
queue-5.15/ksmbd-fix-out-of-bound-read-in-parse_lease_state.patch
queue-5.15/ksmbd-remove-duplicated-codes.patch
queue-5.15/ksmbd-remove-a-redundant-zeroing-of-memory.patch
queue-5.15/ksmbd-change-leasekey-data-type-to-u8-array.patch
queue-5.15/ksmbd-add-support-for-read-compound.patch
queue-5.15/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_setxattr.patch
queue-5.15/ksmbd-remove-unused-compression-negotiate-ctx-packing.patch
queue-5.15/ksmbd-switch-to-use-kmemdup_nul-helper.patch
queue-5.15/ksmbd-fix-race-condition-from-parallel-smb2-logoff-requests.patch
queue-5.15/ksmbd-fix-out-of-bound-read-in-deassemble_neg_contexts.patch
queue-5.15/ksmbd-remove-unnecessary-generic_fillattr-in-smb2_open.patch
queue-5.15/ksmbd-avoid-duplicate-negotiate-ctx-offset-increments.patch
queue-5.15/ksmbd-remove-experimental-warning.patch
queue-5.15/ksmbd-return-a-literal-instead-of-err-in-ksmbd_vfs_kern_path_locked.patch
queue-5.15/ksmbd-smbd-change-prototypes-of-rdma-read-write-related-functions.patch
queue-5.15/ksmbd-fix-out-of-bounds-in-init_smb2_rsp_hdr.patch
queue-5.15/ksmbd-fix-possible-memory-leak-in-smb2_lock.patch
queue-5.15/ksmbd-remove-unused-field-in-ksmbd_user-struct.patch
queue-5.15/ksmbd-fix-one-kernel-doc-comment.patch
queue-5.15/ksmbd-no-need-to-wait-for-binded-connection-termination-at-logoff.patch
queue-5.15/ksmbd-fix-race-condition-with-fp.patch
queue-5.15/ksmbd-fix-wrong-signingkey-creation-when-encryption-is-aes256.patch
queue-5.15/ksmbd-update-kconfig-to-note-kerberos-support-and-fix-indentation.patch
queue-5.15/ksmbd-move-setting-smb2_flags_async_command-and-asyncid.patch
queue-5.15/smb3-fix-ksmbd-bigendian-bug-in-oplock-break-and-move-its-struct-to-smbfs_common.patch
queue-5.15/ksmbd-store-fids-as-opaque-u64-integers.patch
queue-5.15/ksmbd-delete-asynchronous-work-from-list.patch
queue-5.15/ksmbd-use-kvzalloc-instead-of-kvmalloc.patch
queue-5.15/ksmbd-smbd-change-the-return-value-of-get_sg_list.patch
queue-5.15/ksmbd-add-missing-compound-request-handing-in-some-commands.patch
queue-5.15/ksmbd-remove-unused-is_char_allowed-function.patch
queue-5.15/ksmbd-use-oid-registry-functions-to-decode-oids.patch
queue-5.15/ksmbd-fix-kernel-doc-comment-of-ksmbd_vfs_kern_path_locked.patch
queue-5.15/ksmbd-use-wait_event-instead-of-schedule_timeout.patch
queue-5.15/ksmbd-check-if-a-mount-point-is-crossed-during-path-lookup.patch
queue-5.15/ksmbd-replace-the-ternary-conditional-operator-with-min.patch
