[lvc-project] [PATCH 5.10] smb: client: fix potential UAF in cifs_stats_proc_write()
Viktoriya Danchenko
v.danchenko at omp.ru
Thu Mar 26 19:20:42 MSK 2026
From: Paulo Alcantara <pc at manguebit.com>
commit d3da25c5ac84430f89875ca7485a3828150a7e0a upstream.
Skip sessions that are being teared down (status == SES_EXITING) to
avoid UAF.
Cc: stable at vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc at manguebit.com>
Signed-off-by: Steve French <stfrench at microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Karina Yankevich <k.yankevich at omp.ru>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Viktoriya Danchenko <v.danchenko at omp.ru>
---
Backport fix for CVE-2024-35868
---
fs/cifs/cifs_debug.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index 11d0eaa603ca..9abeeab7594e 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -512,6 +512,8 @@ static ssize_t cifs_stats_proc_write(struct file *file,
list_for_each(tmp2, &server->smb_ses_list) {
ses = list_entry(tmp2, struct cifs_ses,
smb_ses_list);
+ if (cifs_ses_exiting(ses))
+ continue;
list_for_each(tmp3, &ses->tcon_list) {
tcon = list_entry(tmp3,
struct cifs_tcon,
--
2.43.0
More information about the lvc-project
mailing list