iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs/cifs
History
Zhang Xiaoxu 275a3d2b94 cifs: Fix warning and UAF when destroy the MR list 
[ Upstream commit 3e161c2791f8e661eed24a2c624087084d910215 ]

If the MR allocate failed, the MR recovery work not initialized
and list not cleared. Then will be warning and UAF when release
the MR:

  WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
  CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
  RIP: 0010:__flush_work.isra.0+0xf7/0x110
  Call Trace:
   <TASK>
   __cancel_work_timer+0x2ba/0x2e0
   smbd_destroy+0x4e1/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
  Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
  CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82
  Call Trace:
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   smbd_destroy+0x4fc/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Allocated by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7a/0x90
   _smbd_get_connection+0x1b6f/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Freed by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   __kmem_cache_free+0xc8/0x330
   _smbd_get_connection+0x1c6a/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

Let's initialize the MR recovery work before MR allocate to prevent
the warning, remove the MRs from the list to prevent the UAF.

Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration")
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-11 16:31:42 +01:00
..
asn1.c
cifs: remove bogus debug code
2020-10-29 09:54:59 +01:00
cache.c
cifs: use 64-bit timestamps for fscache
2018-08-07 14:15:41 -05:00
cifs_debug.c
cifs: Don't display RDMA transport on reconnect
2019-12-21 10:57:33 +01:00
cifs_debug.h
cifs: add server argument to the dump_detail method
2018-05-27 17:56:35 -05:00
cifs_dfs_ref.c
cifs: use correct format characters
2019-04-05 22:32:59 +02:00
cifs_fs_sb.h
cifs: Properly handle auto disabling of serverino option
2019-09-16 08:22:17 +02:00
cifs_ioctl.h
cifs_spnego.c
smb3: on kerberos mount if server doesn't specify auth type use krb5
2018-11-13 11:08:48 -08:00
cifs_spnego.h
cifs_unicode.c
CIFS: Fix a potencially linear read overflow
2021-09-22 11:47:54 +02:00
cifs_unicode.h
cifs_uniupr.h
cifsacl.c
cifs: Fix mode output in debugging statements
2020-03-05 16:42:15 +01:00
cifsacl.h
cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class
2018-06-04 19:19:24 -05:00
cifsencrypt.c
cifs: Make sure all data pages are signed correctly
2018-08-07 14:15:41 -05:00
cifsfs.c
cifs: Check the IOCB_DIRECT flag, not O_DIRECT
2022-04-27 13:39:43 +02:00
cifsfs.h
cifs: update internal module version number for cifs.ko to 2.12
2018-08-23 15:11:10 -05:00
cifsglob.h
CIFS: Properly process SMB3 lease breaks
2020-10-01 13:14:29 +02:00
cifspdu.h
cifsproto.h
cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
2019-11-10 11:27:34 +01:00
cifssmb.c
cifs: fix leaked reference on requeued write
2020-05-20 08:18:49 +02:00
connect.c
smbd: Make upper layer decide when to destroy the transport
2023-02-06 07:49:42 +01:00
dir.c
cifs: report error instead of invalid when revalidating a dentry fails
2021-02-10 09:21:07 +01:00
dns_resolve.c
dns_resolve.h
export.c
file.c
cifs: revalidate mapping when we open files for SMB1 POSIX
2021-04-10 13:21:19 +02:00
fscache.c
cifs: use 64-bit timestamps for fscache
2018-08-07 14:15:41 -05:00
fscache.h
cifs: use 64-bit timestamps for fscache
2018-08-07 14:15:41 -05:00
inode.c
cifs: handle -EINTR in cifs_setattr
2020-11-05 11:08:44 +01:00
ioctl.c
cifs: Fix wrong return value checking when GETFLAGS
2022-11-25 17:40:25 +01:00
Kconfig
cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)
2018-12-21 14:15:23 +01:00
link.c
cifs: Fix uninitialized memory read for smb311 posix symlink create
2023-01-18 11:30:52 +01:00
Makefile
smb3: Add ftrace tracepoints for improved SMB3 debugging
2018-05-27 17:56:35 -05:00
misc.c
CIFS: Properly process SMB3 lease breaks
2020-10-01 13:14:29 +02:00
netmisc.c
fs: cifs: mute -Wunused-const-variable message
2019-11-06 13:05:51 +01:00
nterr.c
nterr.h
ntlmssp.h
readdir.c
cifs: check ntwrk_buf_start for NULL before dereferencing it
2019-02-12 19:47:17 +01:00
rfc1002pdu.h
sess.c
cifs: fix wrong release in sess_alloc_buffer() failed path
2021-09-22 11:48:08 +02:00
smb1ops.c
CIFS: Properly process SMB3 lease breaks
2020-10-01 13:14:29 +02:00
smb2file.c
cifs: Adjust indentation in smb2_open_file
2020-01-17 19:47:01 +01:00
smb2glob.h
cifs: remove struct smb2_hdr
2018-06-01 09:14:30 -05:00
smb2inode.c
smb3: Do not send SMB3 SET_INFO if nothing changed
2018-08-07 14:30:59 -05:00
smb2maperror.c
SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
2019-06-25 11:36:01 +08:00
smb2misc.c
cifs: Silently ignore unknown oplock break handle
2021-04-10 13:21:19 +02:00
smb2ops.c
smb3: check xattr value length earlier
2022-08-25 11:15:47 +02:00
smb2pdu.c
cifs: do not include page data when checking signature
2023-01-24 07:11:50 +01:00
smb2pdu.h
smb3: Fix out-of-bounds bug in SMB2_negotiate()
2021-02-10 09:21:07 +01:00
smb2proto.h
CIFS: Close open handle after interrupted close
2019-12-21 10:57:35 +01:00
smb2status.h
smb2transport.c
CIFS: Do not skip SMB2 message IDs on send failures
2019-03-23 20:09:56 +01:00
smbdirect.c
cifs: Fix warning and UAF when destroy the MR list
2023-03-11 16:31:42 +01:00
smbdirect.h
smbd: Make upper layer decide when to destroy the transport
2023-02-06 07:49:42 +01:00
smbencrypt.c
smberr.h
smbfsctl.h
trace.c
smb3: Add ftrace tracepoints for improved SMB3 debugging
2018-05-27 17:56:35 -05:00
trace.h
smb3: add tracepoint for slow responses
2018-08-07 14:28:01 -05:00
transport.c
cifs: don't send down the destination address to sendmsg for a SOCK_STREAM
2022-09-28 11:02:52 +02:00
winucase.c
xattr.c
CIFS: fix max ea value size
2019-10-05 13:10:12 +02:00