smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
authorPaulo Alcantara <pc@manguebit.com>
Tue, 24 Oct 2023 16:49:15 +0000 (13:49 -0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Nov 2023 17:20:09 +0000 (17:20 +0000)
commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 upstream.

Skip SMB sessions that are being teared down
(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()
to avoid use-after-free in @ses.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData
while mounting and umounting

  [ 816.251274] general protection fault, probably for non-canonical
  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [  816.260138] Call Trace:
  [  816.260329]  <TASK>
  [  816.260499]  ? die_addr+0x36/0x90
  [  816.260762]  ? exc_general_protection+0x1b3/0x410
  [  816.261126]  ? asm_exc_general_protection+0x26/0x30
  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
  [  816.262689]  ? seq_read_iter+0x379/0x470
  [  816.262995]  seq_read_iter+0x118/0x470
  [  816.263291]  proc_reg_read_iter+0x53/0x90
  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f
  [  816.263945]  vfs_read+0x201/0x350
  [  816.264211]  ksys_read+0x75/0x100
  [  816.264472]  do_syscall_64+0x3f/0x90
  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  [  816.265135] RIP: 0033:0x7fd5e669d381

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/client/cifs_debug.c

index 76922fcc4bc6e5c1282e8e6a7e38f1a102cb900b..9a0ccd87468ea4b66e7c4ce966ea963891017b5e 100644 (file)
@@ -452,6 +452,11 @@ skip_rdma:
                seq_printf(m, "\n\n\tSessions: ");
                i = 0;
                list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+                       spin_lock(&ses->ses_lock);
+                       if (ses->ses_status == SES_EXITING) {
+                               spin_unlock(&ses->ses_lock);
+                               continue;
+                       }
                        i++;
                        if ((ses->serverDomain == NULL) ||
                                (ses->serverOS == NULL) ||
@@ -472,6 +477,7 @@ skip_rdma:
                                ses->ses_count, ses->serverOS, ses->serverNOS,
                                ses->capabilities, ses->ses_status);
                        }
+                       spin_unlock(&ses->ses_lock);
 
                        seq_printf(m, "\n\tSecurity type: %s ",
                                get_security_type_str(server->ops->select_sectype(server, ses->sectype)));