| author | Namjae Jeon <linkinjeon@kernel.org> | 2026-06-28 08:56:09 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-30 21:29:46 -0500 |
| commit | f363a0fb134a3eb9e47368b1edbd251fd76be84b (patch) | |
| tree | ea29dca5989525d13d16676912344242dbfdad02 /rust/kernel/sync/atomic | |
| parent | 5138c84dbb501363510f6f9c300797b240a119cb (diff) | |
ksmbd: fix app-instance durable supersede session UAF

ksmbd_close_fd_app_instance_id() looks up a prior durable handle by
AppInstanceId and closes it through opinfo->sess->file_table. This is
unsafe after the original session has been torn down. session_fd_check()
preserves reconnectable durable handles in the global table and clears
opinfo->conn/fp->conn, but opinfo->sess can still point to the freed
ksmbd_session.

Use opinfo->conn as the orphan sentinel, but make the check reliable by
serializing it with session_fd_check(). That path clears opinfo->conn
under fp->f_ci->m_lock, so hold the same lock while testing opinfo->conn
and while dereferencing opinfo->sess->file_table. Also avoid closing
through the session file table if the volatile id has already been
unpublished by session teardown.

Durable reconnect must keep the two fields consistent. Rebinding only
opinfo->conn leaves opinfo->sess pointing at the old freed session, so
a later app-instance supersede can pass the conn check and write-lock the
freed session's file table. Clear opinfo->sess when preserving a durable
handle during session teardown, and set it to the reconnecting session
when opinfo->conn is rebound in ksmbd_reopen_durable_fd().

Fixes: 16c30649709d ("ksmbd: handle durable v2 app instance id")
Reported-by: Gil Portnoy <dddhkts1@gmail.com>
Co-developed-by: Gil Portnoy <dddhkts1@gmail.com>
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'rust/kernel/sync/atomic')
0 files changed, 0 insertions, 0 deletions
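The commit message describes an ownership invariant rather than a single line fix: a preserved durable handle must have both opinfo->conn and opinfo->sess cleared under fp->f_ci->m_lock at teardown, both rebound at reconnect, and the supersede close path must test conn and dereference sess only while holding that same lock. The following C model is an added illustration written for this page, not ksmbd code; the struct layouts, function names (session_teardown_preserve, durable_reconnect, app_instance_supersede_close), the toy lock and the return codes are all hypothetical stand-ins for the objects the message names. The `fixed` flag switches each path between the behaviour the message describes as broken (clear or rebind conn only, check it unlocked) and the corrected behaviour, so the stale-session dereference can be observed as a return code instead of a crash.

```c
#include <stddef.h>

/* Hypothetical model of the objects named in the commit message.
 * Not kernel code: names mirror conn, sess, opinfo, file_table,
 * m_lock and the volatile id, but the layouts are invented here. */

struct conn { int id; };

struct session {
    int alive;          /* 0 once torn down: any access is a use-after-free */
    int file_table[8];  /* 1 = fd slot published, 0 = closed or unpublished */
};

/* Stand-in for fp->f_ci->m_lock; a holder count instead of a real mutex. */
struct m_lock { int held; };

struct opinfo {
    struct m_lock *lock;
    struct conn *conn;      /* NULL marks an orphaned (preserved) durable handle */
    struct session *sess;   /* invariant: NULL whenever conn is NULL */
    int volatile_id;        /* slot in sess->file_table, or -1 when unpublished */
};

enum close_rc { RC_CLOSED = 0, RC_ORPHAN = 1, RC_UNPUBLISHED = 2, RC_UAF = 3 };

static void lock_m(struct m_lock *l)   { l->held++; }
static void unlock_m(struct m_lock *l) { l->held--; }

/* Model of session_fd_check() preserving a reconnectable durable handle.
 * Broken variant clears only conn; fixed variant also clears sess and
 * unpublishes the volatile id, all under m_lock, before the session dies. */
static void session_teardown_preserve(struct session *s, struct opinfo *op, int fixed)
{
    lock_m(op->lock);
    op->conn = NULL;
    if (fixed) {
        op->sess = NULL;
        if (op->volatile_id >= 0)
            s->file_table[op->volatile_id] = 0;
        op->volatile_id = -1;
    }
    unlock_m(op->lock);
    s->alive = 0;   /* session memory is gone; a leftover sess pointer dangles */
}

/* Model of ksmbd_reopen_durable_fd(): broken variant rebinds only conn,
 * fixed variant rebinds sess as well and republishes the handle. */
static void durable_reconnect(struct session *s, struct conn *c, struct opinfo *op, int fixed)
{
    lock_m(op->lock);
    op->conn = c;
    if (fixed) {
        op->sess = s;
        op->volatile_id = 0;
        s->file_table[0] = 1;
    }
    unlock_m(op->lock);
}

/* Model of ksmbd_close_fd_app_instance_id() closing the prior handle.
 * Fixed variant holds m_lock across the conn test and the sess dereference
 * and refuses to touch an unpublished handle. */
static enum close_rc app_instance_supersede_close(struct opinfo *op, int fixed)
{
    enum close_rc rc;

    if (!fixed) {
        if (!op->conn)              /* unlocked sentinel check */
            return RC_ORPHAN;
        if (!op->sess->alive)       /* conn passed, but sess is the freed session */
            return RC_UAF;
        op->sess->file_table[op->volatile_id] = 0;
        return RC_CLOSED;
    }

    lock_m(op->lock);
    if (!op->conn)
        rc = RC_ORPHAN;
    else if (!op->sess || op->volatile_id < 0)
        rc = RC_UNPUBLISHED;
    else if (!op->sess->alive)
        rc = RC_UAF;                /* unreachable once sess is kept consistent */
    else {
        op->sess->file_table[op->volatile_id] = 0;
        rc = RC_CLOSED;
    }
    unlock_m(op->lock);
    return rc;
}

/* Sequence from the message: teardown preserves the handle, a new session
 * reconnects it, then an app-instance supersede closes the prior handle. */
static enum close_rc run_reconnect_scenario(int fixed)
{
    struct m_lock l = { 0 };
    struct conn c1 = { 1 }, c2 = { 2 };
    struct session s1 = { 1, { 1 } }, s2 = { 1, { 0 } };
    struct opinfo op = { &l, &c1, &s1, 0 };

    session_teardown_preserve(&s1, &op, fixed);
    durable_reconnect(&s2, &c2, &op, fixed);
    return app_instance_supersede_close(&op, fixed);
}

/* Same, but no reconnect happens before the supersede arrives. */
static enum close_rc run_orphan_scenario(int fixed)
{
    struct m_lock l = { 0 };
    struct conn c1 = { 1 };
    struct session s1 = { 1, { 1 } };
    struct opinfo op = { &l, &c1, &s1, 0 };

    session_teardown_preserve(&s1, &op, fixed);
    return app_instance_supersede_close(&op, fixed);
}
```

With `fixed = 0` the reconnect scenario reproduces the message's third paragraph: the supersede passes the conn check and reaches the freed session, returned here as RC_UAF. With `fixed = 1` the same sequence closes the handle through the reconnecting session's table, and a handle whose volatile id was unpublished at teardown is skipped rather than closed.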
