cifs: fix race in assemble_neg_contexts()

pvts-mat · pvts-mat · commit 601cd8f6b397 · 2026-04-01T22:28:02.000+02:00
jira VULN-169227 cve CVE-2023-53751 commit-author Paulo Alcantara <pc@cjr.nz> commit 775e44d upstream-diff Ignored the introduction of `pserver' variable, as well as the usage of `hostname' local, as they were only needed in the upstream because of the dual source of the server hostname, introduced in the non-backported commit 9de7499 ("smb3: use netname when available on secondary channels") Serialise access of TCP_Server_Info::hostname in assemble_neg_contexts() by holding the server's mutex otherwise it might end up accessing an already-freed hostname pointer from cifs_reconnect() or cifs_resolve_server(). Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 775e44d) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
@@ -549,8 +549,10 @@ assemble_neg_contexts(struct smb2_negotiate_req *req,
 	} else
 		req->NegotiateContextCount = cpu_to_le16(4);
 
+	cifs_server_lock(server);
 	ctxt_len = build_netname_ctxt((struct smb2_netname_neg_context *)pneg_ctxt,
 					server->hostname);
+	cifs_server_unlock(server);
 	*total_len += ctxt_len;
 	pneg_ctxt += ctxt_len;
 
