[SRU][F][PATCH 1/2] smb: client: fix potential UAF in cifs_debug_files_proc_show()
Yuxuan Luo
yuxuan.luo at canonical.com
Fri Feb 7 01:10:52 UTC 2025
From: Paulo Alcantara <pc at manguebit.com>
Skip sessions that are being torn down (status == SES_EXITING) to
avoid UAF.
Cc: stable at vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc at manguebit.com>
Signed-off-by: Steve French <stfrench at microsoft.com>
(backported from commit ca545b7f0823f19db0f1148d59bc5e1a56634502)
[yuxuan.luo:
- cifs_debug.c: ignored context conflicts and added the if statement.
- cifsglob.h:
- ses_lock --> GlobalMid_Lock
- ses_status --> status
- SES_EXITING --> CifsExiting
]
CVE-2024-35864/CVE-2024-26928
Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
---
fs/cifs/cifs_debug.c | 2 ++
fs/cifs/cifsglob.h | 10 ++++++++++
2 files changed, 12 insertions(+)
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index f246768e3e8a..0f2afad92a66 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -161,6 +161,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v)
server = list_entry(stmp, struct TCP_Server_Info,
tcp_ses_list);
list_for_each(tmp, &server->smb_ses_list) {
+ if (cifs_ses_exiting(ses))
+ continue;
ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
list_for_each(tmp1, &ses->tcon_list) {
tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
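Review bot: The added `if (cifs_ses_exiting(ses))` check in the `list_for_each(tmp, &server->smb_ses_list)` loop runs before `ses = list_entry(tmp, struct cifs_ses, smb_ses_list);`, so it tests whatever `ses` held from an earlier iteration (or on entry to the loop) instead of the session about to be walked. Move the `list_entry()` assignment above the check so the exiting test applies to the current list entry. As ordered here, the helper reads `ses->status` through a pointer this iteration has not set yet, and a session that is actually exiting can still reach the `ses->tcon_list` walk.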
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 30c486e6c109..0fbd2e74a78c 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -2032,4 +2032,14 @@ static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg,
return sg;
}
+static inline bool cifs_ses_exiting(struct cifs_ses *ses)
+{
+ bool ret;
+
+ spin_lock(&GlobalMid_Lock);
+ ret = ses->status == CifsExiting;
+ spin_unlock(&GlobalMid_Lock);
+ return ret;
+}
+
#endif /* _CIFS_GLOB_H */
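Review bot: `cifs_ses_exiting()` drops `GlobalMid_Lock` before it returns, so the value it hands back is only a snapshot and the session can move to `CifsExiting` right after the caller's check passes. Add a comment above the helper saying what the caller must already hold to keep `ses` valid while it acts on the result, and noting that this tree guards `status` with `GlobalMid_Lock` where upstream uses `ses_lock` (per the backport note), so later backports that touch `ses->status` take the same lock.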
--
2.43.0