| author | 2026-03-07 11:32:31 +0900 | |
|---|---|---|
| committer | 2026-03-08 21:28:39 -0500 | |
| commit | 1dfd062caa165ec9d7ee0823087930f3ab8a6294 (patch) | |
| tree | f2aede1eaf756939273d2245c7397b2df476bc7a /tools/testing/ktest/examples/include/ssh:/git@git.zx2c4.com | |
| parent | ksmbd: fix use-after-free in proc_show_files due to early rcu_read_unlock (diff) | |
ksmbd: fix use-after-free by using call_rcu() for oplock_info

ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().

Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can lead to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.

Fix this by switching to deferred freeing using call_rcu().

Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'tools/testing/ktest/examples/include/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions
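
The interleaving described in the commit message, as an added userspace model in C (not code from the patch or from ksmbd): a reader still inside its read-side section makes the equivalent of the atomic_inc_not_zero() call after the writer has dropped the last reference. All names are hypothetical, a `freed` flag stands in for kfree(), and the grace period is simplified to "no reader is inside a section".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace model: all names are hypothetical, none of this is ksmbd code. */
struct cb_head { struct cb_head *next; void (*func)(struct cb_head *); };
struct opinfo_model {
    int refcount;
    bool freed;   /* stands in for kfree(); the model never reads real freed memory */
    struct cb_head rcu;
};
static int readers;             /* open read-side critical sections */
static struct cb_head *pending; /* callbacks waiting for the grace period */
static void free_cb(struct cb_head *h) {
    ((struct opinfo_model *)((char *)h - offsetof(struct opinfo_model, rcu)))->freed = true;
}
/* Simplified grace period: callbacks run once no reader is inside a section. */
static void flush_if_quiescent(void) {
    while (readers == 0 && pending) {
        struct cb_head *h = pending;
        pending = h->next;
        h->func(h);
    }
}
static void model_read_lock(void)   { readers++; }
static void model_read_unlock(void) { readers--; flush_if_quiescent(); }
static void model_call_rcu(struct cb_head *h, void (*f)(struct cb_head *)) {
    h->func = f; h->next = pending; pending = h;
    flush_if_quiescent();
}
/* Models atomic_inc_not_zero(): -1 freed object touched, 0 refused, 1 reference taken. */
static int model_get(struct opinfo_model *op) {
    return op->freed ? -1 : op->refcount ? (op->refcount++, 1) : 0;
}
/* Reader loads the pointer, writer drops the last reference and frees, reader then gets. */
int run_race(bool deferred, bool *freed_after_unlock) {
    struct opinfo_model op = { .refcount = 1 }, *published = &op, *seen;
    model_read_lock();
    seen = published;                   /* reader picks up the pointer in its section */
    op.refcount = 0; published = NULL;  /* writer: last put, pointer nullified */
    if (deferred) model_call_rcu(&op.rcu, free_cb); else free_cb(&op.rcu);
    int r = model_get(seen);            /* reader's late atomic_inc_not_zero() */
    model_read_unlock();                /* grace period ends, deferred callback runs */
    *freed_after_unlock = op.freed;
    return r;
}
int main(void) {
    bool f;
    int a = run_race(false, &f), b = run_race(true, &f);
    return printf("immediate free: %d, deferred free: %d\n", a, b) < 0;
}
```

With the immediate free the late get lands on an object that is already gone; with the deferred free it sees a zero refcount on still-valid memory and backs off, and the object is released only after the reader leaves its section.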
