From: Steve French stfrench@microsoft.com
mainline inclusion from mainline-v6.9-rc6 commit 8094a600245e9b28eb36a13036f202ad67c1f887 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRFJ CVE: CVE-2024-35999
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Coverity spotted a place where we should have been holding the channel lock when accessing the ses channel index.
Addresses-Coverity: 1582039 ("Data race condition (MISSING_LOCK)") Cc: stable@vger.kernel.org Reviewed-by: Shyam Prasad N sprasad@microsoft.com Signed-off-by: Steve French stfrench@microsoft.com Conflicts: fs/smb/client/transport.c fs/cifs/transport.c [qyf: this file is removed to fs/smb/client later. And also need to fix conflicts due to bda487ac4bebf871255cc6f23e16f702cea0ca7c(cifs: avoid race during socket reconnect between send and recv) and f486ef8e2003f6c308d0db81ea116c880a760d4f(cifs: use the chans_need_reconnect bitmap for reconnect status) are not merged.] Signed-off-by: Yifan Qiao qiaoyifan4@huawei.com --- fs/cifs/transport.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index 31bec4ce5b58..b8241ebdc6ca 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c @@ -1017,6 +1017,7 @@ cifs_cancelled_callback(struct mid_q_entry *mid) struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses) { uint index = 0; + struct TCP_Server_Info *server = NULL;
if (!ses) return NULL; @@ -1028,11 +1029,13 @@ struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses) index = (uint)atomic_inc_return(&ses->chan_seq); index %= ses->chan_count; } + server = ses->chans[index].server; spin_unlock(&ses->chan_lock); - return ses->chans[index].server; + return server; } else { + server = cifs_ses_server(ses); spin_unlock(&ses->chan_lock); - return cifs_ses_server(ses); + return server; } }