[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@xxxxxxxxxxxxx>
Commit author: Paulo Alcantara <pc@xxxxxxxxxxxxx>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 10e17ca4000e)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 58acd1f497162 ! 1: 805e5ef97956b smb: client: fix potential UAF in cifs_dump_full_key()
@@ Metadata
## Commit message ##
smb: client: fix potential UAF in cifs_dump_full_key()
+ [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ]
+
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
+ Signed-off-by: Jianqi Ren <jianqi.ren.cn@xxxxxxxxxxxxx>
## fs/smb/client/ioctl.c ##
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str
ses = ses_it;
/*
* since we are using the session outside the crit
-@@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug
+ * section, we need to make sure it won't be released
* so increment its refcount
*/
- cifs_smb_ses_inc_refcount(ses);
++
++ lockdep_assert_held(&cifs_tcp_ses_lock);
+ ses->ses_count++;
+ spin_unlock(&ses_it->ses_lock);
found = true;
goto search_end;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
