diff options
| author | Ali Khaledi <ali.khaledi1989@gmail.com> | 2026-03-02 10:15:48 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-03-08 21:28:39 -0500 |
| commit | 40955015fae4908157ac6c959ea696d05e6e9b31 (patch) | |
| tree | fb7cbad1d16f8a63a0d13946e47d1321c77fe7f2 /tools/lib/python/kdoc/python_version.py | |
| parent | c15e7c62feb3751cbdd458555819df1d70374890 (diff) | |
| download | linux-40955015fae4908157ac6c959ea696d05e6e9b31.tar.gz linux-40955015fae4908157ac6c959ea696d05e6e9b31.zip | |
ksmbd: fix use-after-free in proc_show_files due to early rcu_read_unlock
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window. A concurrent opinfo_put() can free the opinfo between the
unlock and the subsequent access to opinfo->is_lease,
opinfo->o_lease->state, and opinfo->level.
Fix this by deferring rcu_read_unlock() until after all opinfo
field accesses are complete. The values needed (const_names, count,
level) are copied into local variables under the RCU read lock,
and the potentially-sleeping seq_printf calls happen after the
lock is released.
Found by AI-assisted code review (Claude Opus 4.6, Anthropic)
in collaboration with Ali Khaledi.
Cc: stable@vger.kernel.org
Fixes: b38f99c1217a ("ksmbd: add procfs interface for runtime monitoring and statistics")
Signed-off-by: Ali Khaledi <ali.khaledi1989@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'tools/lib/python/kdoc/python_version.py')
0 files changed, 0 insertions, 0 deletions