[{"id":3685421,"web_url":"http://patchwork.ozlabs.org/comment/3685421/","msgid":"<20260503143410.item002-ksmbd-66@kernel.org>","list_archive_url":null,"date":"2026-05-03T18:17:48","subject":"Re: [PATCH 6.6.y] ksmbd: add chann_lock to protect ksmbd_chann_list\n xarray","submitter":{"id":75065,"url":"http://patchwork.ozlabs.org/api/people/75065/","name":"Sasha Levin","email":"sashal@kernel.org"},"content":"On Sat, May 02, 2026 at 01:51:50AM +0300, Kai Aizen wrote:\n> From: Namjae Jeon <linkinjeon@kernel.org>\n>\n> [ Upstream commit 4f3a06cc57976cafa8c6f716646be6c79a99e485 ]\n>\n> ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in\n> multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del).\n>\n> Adds rw_semaphore chann_lock to struct ksmbd_session and protects\n> all xa_load/xa_store/xa_erase accesses.\n\nThanks for the backport. Unfortunately I'm holding off on queuing this\n(and the 6.1.y / 5.15.y siblings) for now.\n\nThe backport is faithful to upstream, but on closer review the upstream\ncommit 4f3a06cc5797 itself does not fully cover the race: there are\nxa_for_each() / xa_empty() / xa_load() call sites that remain unprotected\nafter the patch. 
Shipping just this commit to the LTS trees would leave\nthe same UAF window open.\n\n--\nThanks,\nSasha","headers":{"Return-Path":"\n <linux-cifs+bounces-11379-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=lvZAmaKT;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11379-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"lvZAmaKT\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g7tLb3qZkz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 04 May 2026 04:18:15 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id BE3CD3001A5A\n\tfor <incoming@patchwork.ozlabs.org>; Sun,  3 May 2026 18:17:53 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 8ED583D092A;\n\tSun,  3 May 2026 18:17:52 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AB9F3D091E;\n\tSun,  3 May 2026 18:17:52 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 76E34C2BCB4;\n\tSun,  3 May 2026 18:17:50 +0000 (UTC)"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=lvZAmaKT; arc=none smtp.client-ip=10.30.226.201","From":"Sasha Levin <sashal@kernel.org>","To":"stable@vger.kernel.org","Cc":"gregkh@linuxfoundation.org,\n\tlinkinjeon@kernel.org,\n\tlinux-cifs@vger.kernel.org,\n\tsamba-technical@lists.samba.org,\n\tKai Aizen <kai.aizen.dev@gmail.com>","Subject":"Re: [PATCH 
6.6.y] ksmbd: add chann_lock to protect ksmbd_chann_list\n xarray","Date":"Sun,  3 May 2026 14:17:48 -0400","Message-ID":"<20260503143410.item002-ksmbd-66@kernel.org>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260501225152.90136-1-kai.aizen.dev@gmail.com>","References":"<20260501225152.90136-1-kai.aizen.dev@gmail.com>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"}}]