From: Marios Makassikis mmakassikis@freebox.fr
mainline inclusion from mainline-5.15-rc1 commit 1fca8038e9f10bc14eb3484d212b3f03b49ac3f5 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/1fca8038e9f1
-------------------------------
The user field in the session structure is allocated when the client is authenticated. If the client explicitly logs off, the user field is freed, but the session is kept around in case the user reconnects. If the TCP connection hasn't been closed and the client sends a session setup with a PreviousSessionId set, destroy_previous_session() will be called to check if the session needs to be cleaned up.
Signed-off-by: Marios Makassikis mmakassikis@freebox.fr Signed-off-by: Namjae Jeon namjae.jeon@samsung.com Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- fs/cifsd/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c index 54df9a30bd23..ebae992f88a0 100644 --- a/fs/cifsd/smb2pdu.c +++ b/fs/cifsd/smb2pdu.c @@ -619,7 +619,8 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)
prev_user = prev_sess->user;
- if (strcmp(user->name, prev_user->name) || + if (!prev_user || + strcmp(user->name, prev_user->name) || user->passkey_sz != prev_user->passkey_sz || memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) { put_session(prev_sess);