From: Paulo Alcantara <pc@cjr.nz>
Date: Thu, 29 Dec 2022 12:33:56 -0300
Subject: [PATCH] cifs: fix race in assemble_neg_contexts()
Git-commit: 775e44d6d86dca400d614cbda5dab4def4951fe7
References: bsc#1190317
Patch-mainline: v6.2-rc3

Serialise access to TCP_Server_Info::hostname in
assemble_neg_contexts() by holding the server's mutex; otherwise it
might end up accessing an already-freed hostname pointer from
cifs_reconnect() or cifs_resolve_server().

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 fs/cifs/smb2pdu.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -496,8 +496,9 @@ static void
 assemble_neg_contexts(struct smb2_negotiate_req *req,
 		      struct TCP_Server_Info *server, unsigned int *total_len)
 {
-	char *pneg_ctxt;
 	unsigned int ctxt_len;
+	char *pneg_ctxt;
+	char *hostname;
 
 	if (*total_len > 200) {
 		/* In case length corrupted don't want to overrun smb buffer */
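Review bot: moving the existing `char *pneg_ctxt;` declaration below `unsigned int ctxt_len;` is unrelated cosmetic churn for a race fix and makes the backport diff noisier than it needs to be; only the new `char *hostname;` line is required for the change. Either keep `pneg_ctxt` where it was, or mention the reordering in the commit message so reviewers do not have to wonder whether it is intentional.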
@@ -534,8 +535,11 @@ assemble_neg_contexts(struct smb2_negoti
 	} else
 		req->NegotiateContextCount = cpu_to_le16(4);
 
+	mutex_lock(&server->srv_mutex);
+	hostname = server->hostname;
 	ctxt_len = build_netname_ctxt((struct smb2_netname_neg_context *)pneg_ctxt,
-					server->hostname);
+				      hostname);
+	mutex_unlock(&server->srv_mutex);
 	*total_len += ctxt_len;
 	pneg_ctxt += ctxt_len;
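Review bot: the new `hostname` local is only ever read inside the locked region (`hostname = server->hostname;` followed by the `build_netname_ctxt(..., hostname)` call before `mutex_unlock`), so it adds nothing over passing `server->hostname` directly and could be dropped to keep the hunk minimal; if the intent is that the pointer must not be touched after unlock, a comment saying so would make that clearer than the extra variable. Since `srv_mutex` is a plain non-recursive mutex, the commit message should also state that no caller reaching assemble_neg_contexts() (via SMB2_negotiate) already holds `server->srv_mutex`, as taking it here again would deadlock; that assumption is what the fix relies on and it is not visible from this hunk.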