From: Paulo Alcantara <pc@cjr.nz>
Date: Thu, 29 Dec 2022 12:33:56 -0300
Subject: [PATCH] cifs: fix race in assemble_neg_contexts()
Git-commit: 775e44d6d86dca400d614cbda5dab4def4951fe7
References: bsc#1190317
Patch-mainline: v6.2-rc3
Serialise access of TCP_Server_Info::hostname in
assemble_neg_contexts() by holding the server's mutex otherwise it
might end up accessing an already-freed hostname pointer from
cifs_reconnect() or cifs_resolve_server().
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Enzo Matsumiya <ematsumiya@suse.de>
---
fs/cifs/smb2pdu.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -496,8 +496,9 @@ static void
assemble_neg_contexts(struct smb2_negotiate_req *req,
struct TCP_Server_Info *server, unsigned int *total_len)
{
- char *pneg_ctxt;
unsigned int ctxt_len;
+ char *pneg_ctxt;
+ char *hostname;
if (*total_len > 200) {
/* In case length corrupted don't want to overrun smb buffer */
@@ -534,8 +535,11 @@ assemble_neg_contexts(struct smb2_negoti
} else
req->NegotiateContextCount = cpu_to_le16(4);
+ mutex_lock(&server->srv_mutex);
+ hostname = server->hostname;
ctxt_len = build_netname_ctxt((struct smb2_netname_neg_context *)pneg_ctxt,
- server->hostname);
+ hostname);
+ mutex_unlock(&server->srv_mutex);
*total_len += ctxt_len;
pneg_ctxt += ctxt_len;