[PATCH OLK-6.6] ksmbd: add chann_lock to protect ksmbd_chann_list xarray

From: Namjae Jeon <linkinjeon@kernel.org> stable inclusion from stable-v6.18.10 commit e4a8a96a93d08570e0405cfd989a8a07e5b6ff33 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13791 CVE: CVE-2026-23226 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t... -------------------------------- commit 4f3a06cc57976cafa8c6f716646be6c79a99e485 upstream. ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses. Cc: stable@vger.kernel.org Reported-by: Igor Stepansky <igor.stepansky@orca.security> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: fs/smb/server/smb2pdu.c [Context conflicts] Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/smb/server/mgmt/user_session.c | 5 +++++ fs/smb/server/mgmt/user_session.h | 1 + fs/smb/server/smb2pdu.c | 12 +++++++++++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c index 123e00c0ee3a..6cde4acb84b8 100644 --- a/fs/smb/server/mgmt/user_session.c +++ b/fs/smb/server/mgmt/user_session.c @@ -32,12 +32,14 @@ static void free_channel_list(struct ksmbd_session *sess) struct channel *chann; unsigned long index; + down_write(&sess->chann_lock); xa_for_each(&sess->ksmbd_chann_list, index, chann) { xa_erase(&sess->ksmbd_chann_list, index); kfree(chann); } xa_destroy(&sess->ksmbd_chann_list); + up_write(&sess->chann_lock); } static void __session_rpc_close(struct ksmbd_session *sess, @@ -214,7 +216,9 @@ static int ksmbd_chann_del(struct ksmbd_conn *conn, struct ksmbd_session *sess) { struct channel *chann; + down_write(&sess->chann_lock); chann = xa_erase(&sess->ksmbd_chann_list, (long)conn); + up_write(&sess->chann_lock); if (!chann) return -ENOENT; @@ -446,6 +450,7 @@ static struct ksmbd_session *__session_create(int protocol) rwlock_init(&sess->tree_conns_lock); atomic_set(&sess->refcnt, 2); init_rwsem(&sess->rpc_lock); + init_rwsem(&sess->chann_lock); ret = __init_smb2_session(sess); if (ret) diff --git a/fs/smb/server/mgmt/user_session.h b/fs/smb/server/mgmt/user_session.h index c5749d6ec715..cba7f688f6b5 100644 --- a/fs/smb/server/mgmt/user_session.h +++ b/fs/smb/server/mgmt/user_session.h @@ -49,6 +49,7 @@ struct ksmbd_session { char sess_key[CIFS_KEY_SIZE]; struct hlist_node hlist; + struct rw_semaphore chann_lock; struct xarray ksmbd_chann_list; struct xarray tree_conns; struct ida tree_conn_ida; diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 1ec50a9272ea..010f0d777e83 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -77,7 +77,13 @@ static inline bool check_session_id(struct ksmbd_conn *conn, u64 id) struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn *conn) { - return xa_load(&sess->ksmbd_chann_list, (long)conn); + struct channel *chann; + + down_read(&sess->chann_lock); + chann = xa_load(&sess->ksmbd_chann_list, (long)conn); + up_read(&sess->chann_lock); + + return chann; } /** @@ -1556,7 +1562,9 @@ static int ntlm_authenticate(struct ksmbd_work *work, return -ENOMEM; chann->conn = conn; + down_write(&sess->chann_lock); xa_store(&sess->ksmbd_chann_list, (long)conn, chann, GFP_KERNEL); + up_write(&sess->chann_lock); } } @@ -1649,7 +1657,9 @@ static int krb5_authenticate(struct ksmbd_work *work, return -ENOMEM; chann->conn = conn; + down_write(&sess->chann_lock); xa_store(&sess->ksmbd_chann_list, (long)conn, chann, GFP_KERNEL); + up_write(&sess->chann_lock); } } -- 2.39.2