diff options
| author | Winston Wen <wentao@uniontech.com> | 2023-06-26 11:42:55 +0800 | 
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2023-07-01 00:08:59 -0500 | 
| commit | ff7d80a9f2711bf3d9fe1cfb70b3fd15c50584b7 (patch) | |
| tree | 43ccd8a78020d79f51d3bc1d9f0bc3953a64a75c /lib/mpi/mpi-sub-ui.c | |
| parent | a507db1d8fdc39802415e4d2ef6d1aecd67927fa (diff) | |
cifs: fix session state transition to avoid use-after-free issue
We switch session state to SES_EXITING without cifs_tcp_ses_lock now,
it may lead to potential use-after-free issue.
Consider the following execution processes:
Thread 1:
__cifs_put_smb_ses()
    spin_lock(&cifs_tcp_ses_lock)
    if (--ses->ses_count > 0)
        spin_unlock(&cifs_tcp_ses_lock)
        return
    spin_unlock(&cifs_tcp_ses_lock)
        ---> **GAP**
    spin_lock(&ses->ses_lock)
    if (ses->ses_status == SES_GOOD)
        ses->ses_status = SES_EXITING
    spin_unlock(&ses->ses_lock)
Thread 2:
cifs_find_smb_ses()
    spin_lock(&cifs_tcp_ses_lock)
    list_for_each_entry(ses, ...)
        spin_lock(&ses->ses_lock)
        if (ses->ses_status == SES_EXITING)
            spin_unlock(&ses->ses_lock)
            continue
        ...
        spin_unlock(&ses->ses_lock)
    if (ret)
        cifs_smb_ses_inc_refcount(ret)
    spin_unlock(&cifs_tcp_ses_lock)
If thread 1 is preempted in the gap and thread 2 start executing, thread 2
will get the session, and soon thread 1 will switch the session state to
SES_EXITING and start releasing it, even though thread 1 had increased the
session's refcount and still uses it.
So switch session state under cifs_tcp_ses_lock to eliminate this gap.
Signed-off-by: Winston Wen <wentao@uniontech.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'lib/mpi/mpi-sub-ui.c')
0 files changed, 0 insertions, 0 deletions
