path: root/rust/kernel/sync/atomic
author: Namjae Jeon <linkinjeon@kernel.org> 2026-06-28 08:56:09 +0900
committer: Steve French <stfrench@microsoft.com> 2026-06-30 21:29:46 -0500
commit: f363a0fb134a3eb9e47368b1edbd251fd76be84b (patch)
tree: ea29dca5989525d13d16676912344242dbfdad02 /rust/kernel/sync/atomic
parent: 5138c84dbb501363510f6f9c300797b240a119cb (diff)
ksmbd: fix app-instance durable supersede session UAF
ksmbd_close_fd_app_instance_id() looks up a prior durable handle by AppInstanceId and closes it through opinfo->sess->file_table. This is unsafe after the original session has been torn down. session_fd_check() preserves reconnectable durable handles in the global table and clears opinfo->conn/fp->conn, but opinfo->sess can still point to the freed ksmbd_session.

Use opinfo->conn as the orphan sentinel, but make the check reliable by serializing it with session_fd_check(). That path clears opinfo->conn under fp->f_ci->m_lock, so hold the same lock while testing opinfo->conn and while dereferencing opinfo->sess->file_table. Also avoid closing through the session file table if the volatile id has already been unpublished by session teardown.

Durable reconnect must keep the two fields consistent. Rebinding only opinfo->conn leaves opinfo->sess pointing at the old freed session, so a later app-instance supersede can pass the conn check and write-lock the freed session's file table. Clear opinfo->sess when preserving a durable handle during session teardown, and set it to the reconnecting session when opinfo->conn is rebound in ksmbd_reopen_durable_fd().

Fixes: 16c30649709d ("ksmbd: handle durable v2 app instance id")
Reported-by: Gil Portnoy <dddhkts1@gmail.com>
Co-developed-by: Gil Portnoy <dddhkts1@gmail.com>
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
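The commit message above describes two coupled invariants: the orphan sentinel (opinfo->conn) may only be tested, and opinfo->sess only dereferenced, under the same m_lock that session teardown takes when it clears the sentinel; and teardown and durable reconnect must clear or rebind conn and sess together. The following userspace model is an added example, not ksmbd code. The structures (session, conn, inode_info, opinfo), the helper names and the scenario functions are hypothetical stand-ins for ksmbd_session, ksmbd_conn, fp->f_ci->m_lock and oplock_info; it uses a pthread mutex in place of the kernel lock and models the freed session as a still-allocated object so the stale write is observable rather than undefined behaviour. Passing fixed=0 reproduces the inconsistency the fix removes (teardown clearing only conn, reconnect rebinding only conn), and the returned session id shows where the supersede write landed.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for ksmbd's structures (not the real ones). */
struct session { int id; int file_table_closes; };
struct conn { int id; };
struct inode_info { pthread_mutex_t m_lock; };	/* stands in for fp->f_ci->m_lock */
struct opinfo {
	struct conn *conn;		/* orphan sentinel: NULL once the session is gone */
	struct session *sess;		/* must track conn; left stale here is the UAF */
	struct inode_info *ci;
	int volatile_id_published;	/* 0 after session teardown unpublished it */
};

enum { SUPERSEDE_ORPHAN = -1, SUPERSEDE_UNPUBLISHED = -2 };

/* Model of session_fd_check() preserving a reconnectable durable handle.
 * clear_sess == 0 reproduces the pre-fix behaviour (only conn cleared). */
static void teardown_preserve_durable(struct opinfo *op, int clear_sess)
{
	pthread_mutex_lock(&op->ci->m_lock);
	op->conn = NULL;
	if (clear_sess)
		op->sess = NULL;
	op->volatile_id_published = 0;
	pthread_mutex_unlock(&op->ci->m_lock);
}

/* Model of ksmbd_reopen_durable_fd() rebinding the handle to the new session.
 * rebind_sess == 0 reproduces the pre-fix behaviour (only conn rebound). */
static void reopen_durable(struct opinfo *op, struct conn *c, struct session *s,
			   int rebind_sess)
{
	pthread_mutex_lock(&op->ci->m_lock);
	op->conn = c;
	if (rebind_sess)
		op->sess = s;
	op->volatile_id_published = 1;
	pthread_mutex_unlock(&op->ci->m_lock);
}

/* Model of the app-instance supersede close. The sentinel test and the sess
 * dereference both happen under the same m_lock teardown takes, so neither can
 * interleave with it. Returns the id of the session whose file table was
 * written, or a negative reason for not touching any file table. */
static int supersede_close(struct opinfo *op)
{
	int rc;

	pthread_mutex_lock(&op->ci->m_lock);
	if (!op->conn) {
		rc = SUPERSEDE_ORPHAN;		/* session torn down; never touch sess */
	} else if (!op->volatile_id_published) {
		rc = SUPERSEDE_UNPUBLISHED;	/* volatile id already unpublished */
	} else {
		op->sess->file_table_closes++;	/* the write the UAF landed in */
		rc = op->sess->id;
	}
	pthread_mutex_unlock(&op->ci->m_lock);
	return rc;
}

/* Scenario: session 1 owns a durable handle and is torn down (its object is kept
 * allocated here to stand in for freed memory), session 2 reconnects the handle,
 * then an app-instance supersede arrives. Returns the session id the supersede
 * wrote to: 2 is correct, 1 means it wrote into the dead session. */
int run_supersede_scenario(int fixed)
{
	struct inode_info ci;
	struct conn c1 = { 1 }, c2 = { 2 };
	struct session s1 = { 1, 0 }, s2 = { 2, 0 };
	struct opinfo op = { &c1, &s1, &ci, 1 };
	int target;

	pthread_mutex_init(&ci.m_lock, NULL);
	teardown_preserve_durable(&op, fixed);
	reopen_durable(&op, &c2, &s2, fixed);
	target = supersede_close(&op);
	pthread_mutex_destroy(&ci.m_lock);
	return target;
}

/* Same start, but no reconnect: the supersede must see the orphan sentinel. */
int run_orphan_scenario(void)
{
	struct inode_info ci;
	struct conn c1 = { 1 };
	struct session s1 = { 1, 0 };
	struct opinfo op = { &c1, &s1, &ci, 1 };
	int rc;

	pthread_mutex_init(&ci.m_lock, NULL);
	teardown_preserve_durable(&op, 1);
	rc = supersede_close(&op);
	pthread_mutex_destroy(&ci.m_lock);
	return rc;
}

int main(void)
{
	printf("pre-fix: supersede wrote to session %d\n", run_supersede_scenario(0));
	printf("fixed:   supersede wrote to session %d\n", run_supersede_scenario(1));
	printf("orphan:  rc=%d\n", run_orphan_scenario());
	return 0;
}
```

The lock is the part a reviewer should weigh: checking conn without m_lock would still allow teardown to clear it between the test and the dereference, so even a correct sentinel is only as good as the serialization around it.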
Diffstat (limited to 'rust/kernel/sync/atomic')
0 files changed, 0 insertions, 0 deletions