smb: client: fix potential UAF in cifs_stats_proc_show()

Paulo Alcantara · vijay-suman · commit 1fd7ad6a86ff · 2025-06-09T14:32:22.000-07:00
commit 0865ffe upstream. Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable@vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> [ cifs_debug.c was moved from fs/cifs to fs/smb/client since 38c8a9a ("smb: move client and server files to common directory fs/smb"). The cifs_ses_exiting() was introduced to cifs_debug.c since ca545b7 ("smb: client: fix potential UAF in cifs_debug_files_proc_show()") which has been sent to upstream already. ] Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com> Signed-off-by: He Zhe <zhe.he@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit bb6570085826291dc392005f9fec16ea5da3c8ad) Signed-off-by: Vijayendra Suman <vijayendra.suman@oracle.com>
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
@@ -613,6 +613,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
 		list_for_each(tmp2, &server->smb_ses_list) {
 			ses = list_entry(tmp2, struct cifs_ses,
 					 smb_ses_list);
+			if (cifs_ses_exiting(ses))
+				continue;
 			list_for_each(tmp3, &ses->tcon_list) {
 				tcon = list_entry(tmp3,
 						  struct cifs_tcon,
