[ Sasha's backport helper bot ] Hi, The upstream commit SHA1 provided is correct: 58acd1f497162e7d282077f816faa519487be045 WARNING: Author mismatch between patch and upstream commit: Backport author: <jianqi.ren.cn@xxxxxxxxxxxxx> Commit author: Paulo Alcantara <pc@xxxxxxxxxxxxx> Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 10e17ca4000e) 6.1.y | Not found Note: The patch differs from the upstream commit: --- 1: 58acd1f497162 ! 1: 9ecdabdf26e97 smb: client: fix potential UAF in cifs_dump_full_key() @@ Metadata ## Commit message ## smb: client: fix potential UAF in cifs_dump_full_key() + [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ] + Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Paulo Alcantara (Red Hat) <pc@xxxxxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> + Signed-off-by: Jianqi Ren <jianqi.ren.cn@xxxxxxxxxxxxx> ## fs/smb/client/ioctl.c ## @@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug @@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, str @@ fs/smb/client/ioctl.c: static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug * so increment its refcount */ - cifs_smb_ses_inc_refcount(ses); + ses->ses_count++; + spin_unlock(&ses_it->ses_lock); found = true; goto search_end; --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |