ksmbd: Fix UAF in __close_file_table_ids - kernel - saturneric's kernel source tree

diff options

author	Sean Heelan <[email protected]>	2025-05-06 13:04:52 +0000
committer	Steve French <[email protected]>	2025-05-06 13:37:02 +0000
commit	36991c1ccde2d5a521577c448ffe07fcccfe104d (patch)
tree	9b640ecda476c5d23b085fd6839320b3fdc7d746 /tools/testing/selftests/drivers/net/lib/py/load.py
parent	ksmbd: prevent out-of-bounds stream writes by validating *pos (diff)
download	kernel-36991c1ccde2d5a521577c448ffe07fcccfe104d.tar.gz kernel-36991c1ccde2d5a521577c448ffe07fcccfe104d.zip

ksmbd: Fix UAF in __close_file_table_ids

A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this. The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock. Cc: [email protected] Signed-off-by: Sean Heelan <[email protected]> Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]>

Diffstat (limited to 'tools/testing/selftests/drivers/net/lib/py/load.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: