smb: client: fix potential UAF in cifs_debug_files_proc_show()

Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.

Cc: [email protected]
Signed-off-by: Paulo Alcantara (Red Hat) <[email protected]>
Signed-off-by: Steve French <[email protected]>

diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
index 226d4835c92db8ba3f1f0540a16643d0b8ac3fd0..c9aec9a38ad36d3c830925a4ce73b4f06a66658a 100644 (file)
--- a/fs/smb/client/cifs_debug.c
+++ b/fs/smb/client/cifs_debug.c
@@ -250,6 +250,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v)
        spin_lock(&cifs_tcp_ses_lock);
        list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
                list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+                       if (cifs_ses_exiting(ses))
+                               continue;
                        list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
                                spin_lock(&tcon->open_file_lock);
                                list_for_each_entry(cfile, &tcon->openFileList, tlist) {

diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
index 77ca7861a2cc84fa4d980a8089c9d13f36eb7e3f..f6a302205f89c456d9fa3adb3dae238deeb97d10 100644 (file)
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -2325,4 +2325,14 @@ struct smb2_compound_vars {
        struct kvec ea_iov;
 };
 
+static inline bool cifs_ses_exiting(struct cifs_ses *ses)
+{
+       bool ret;
+
+       spin_lock(&ses->ses_lock);
+       ret = ses->ses_status == SES_EXITING;
+       spin_unlock(&ses->ses_lock);
+       return ret;
+}
+
 #endif /* _CIFS_GLOB_H */