Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-10-24 14:10:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
396935de14
linux/fs/cifs
History
Paulo Alcantara 396935de14 cifs: fix use-after-free bug in refresh_cache_worker() 
The UAF bug occurred because we were putting DFS root sessions in
cifs_umount() while DFS cache refresher was being executed.

Make DFS root sessions have same lifetime as DFS tcons so we can avoid
the use-after-free bug is DFS cache refresher and other places that
require IPCs to get new DFS referrals on.  Also, get rid of mount
group handling in DFS cache as we no longer need it.

This fixes below use-after-free bug catched by KASAN

[ 379.946955] BUG: KASAN: use-after-free in __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[ 379.947642] Read of size 8 at addr ffff888018f57030 by task kworker/u4:3/56
[ 379.948096]
[ 379.948208] CPU: 0 PID: 56 Comm: kworker/u4:3 Not tainted 6.2.0-rc7-lku #23
[ 379.948661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.0-0-gd239552-rebuilt.opensuse.org 04/01/2014
[ 379.949368] Workqueue: cifs-dfscache refresh_cache_worker [cifs]
[ 379.949942] Call Trace:
[ 379.950113] <TASK>
[ 379.950260] dump_stack_lvl+0x50/0x67
[ 379.950510] print_report+0x16a/0x48e
[ 379.950759] ? __virt_addr_valid+0xd8/0x160
[ 379.951040] ? __phys_addr+0x41/0x80
[ 379.951285] kasan_report+0xdb/0x110
[ 379.951533] ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[ 379.952056] ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[ 379.952585] __refresh_tcon.isra.0+0x10b/0xc10 [cifs]
[ 379.953096] ? __pfx___refresh_tcon.isra.0+0x10/0x10 [cifs]
[ 379.953637] ? __pfx___mutex_lock+0x10/0x10
[ 379.953915] ? lock_release+0xb6/0x720
[ 379.954167] ? __pfx_lock_acquire+0x10/0x10
[ 379.954443] ? refresh_cache_worker+0x34e/0x6d0 [cifs]
[ 379.954960] ? __pfx_wb_workfn+0x10/0x10
[ 379.955239] refresh_cache_worker+0x4ad/0x6d0 [cifs]
[ 379.955755] ? __pfx_refresh_cache_worker+0x10/0x10 [cifs]
[ 379.956323] ? __pfx_lock_acquired+0x10/0x10
[ 379.956615] ? read_word_at_a_time+0xe/0x20
[ 379.956898] ? lockdep_hardirqs_on_prepare+0x12/0x220
[ 379.957235] process_one_work+0x535/0x990
[ 379.957509] ? __pfx_process_one_work+0x10/0x10
[ 379.957812] ? lock_acquired+0xb7/0x5f0
[ 379.958069] ? __list_add_valid+0x37/0xd0
[ 379.958341] ? __list_add_valid+0x37/0xd0
[ 379.958611] worker_thread+0x8e/0x630
[ 379.958861] ? __pfx_worker_thread+0x10/0x10
[ 379.959148] kthread+0x17d/0x1b0
[ 379.959369] ? __pfx_kthread+0x10/0x10
[ 379.959630] ret_from_fork+0x2c/0x50
[ 379.959879] </TASK>

Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Cc: stable@vger.kernel.org # 6.2
Signed-off-by: Steve French <stfrench@microsoft.com>
2023-03-14 21:07:44 -05:00
..
asn1.c cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cached_dir.c cifs: return a single-use cfid if we did not get a lease 2023-02-20 11:48:48 -06:00
cached_dir.h cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
cifs_debug.c cifs: print last update time for interface list 2023-02-20 11:48:47 -06:00
cifs_debug.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_dfs_ref.c cifs: set DFS root session in cifs_get_smb_ses() 2023-03-14 21:05:53 -05:00
cifs_fs_sb.h cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
cifs_ioctl.h cifs: minor cleanup of some headers 2022-12-12 13:08:06 -06:00
cifs_spnego_negtokeninit.asn1 cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cifs_spnego.c cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
cifs_spnego.h cifs: Replace remaining 1-element arrays 2023-02-20 11:48:48 -06:00
cifs_swn.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_swn.h cifs: simplify SWN code with dummy funcs instead of ifdefs 2021-04-25 16:28:22 -05:00
cifs_unicode.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifsacl.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifsencrypt.c cifs: Change the I/O paths to use an iterator rather than a page list 2023-02-20 18:36:02 -06:00
cifsfs.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifsfs.h 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifsglob.h cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
cifspdu.h cifs: Replace remaining 1-element arrays 2023-02-20 11:48:48 -06:00
cifsproto.h cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
cifsroot.c cifs: move from strlcpy with unused retval to strscpy 2022-08-19 11:02:26 -05:00
cifssmb.c cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
connect.c cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
dfs_cache.c cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
dfs_cache.h cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
dfs.c cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
dfs.h cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
dir.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
dns_resolve.c cifs: set resolved ip in sockaddr 2022-12-19 08:03:11 -06:00
dns_resolve.h cifs: set resolved ip in sockaddr 2022-12-19 08:03:11 -06:00
export.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
file.c cifs: Fix memory leak in direct I/O 2023-03-01 18:18:25 -06:00
fs_context.c cifs: share dfs connections and supers 2022-12-19 08:03:12 -06:00
fs_context.h cifs: set DFS root session in cifs_get_smb_ses() 2023-03-14 21:05:53 -05:00
fscache.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
fscache.h cifs: Change the I/O paths to use an iterator rather than a page list 2023-02-20 18:36:02 -06:00
inode.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
ioctl.c cifs: Fix wrong return value checking when GETFLAGS 2022-11-16 00:21:04 -06:00
Kconfig cifs: Change the I/O paths to use an iterator rather than a page list 2023-02-20 18:36:02 -06:00
link.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
Makefile cifs: get rid of mount options string parsing 2022-12-19 08:03:11 -06:00
misc.c cifs: fix use-after-free bug in refresh_cache_worker() 2023-03-14 21:07:44 -05:00
netlink.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink.h cifs: Register generic netlink family 2020-12-14 09:16:22 -06:00
netmisc.c cifs: remove unused server parameter from calc_smb_size() 2022-08-17 18:07:13 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h cifs: Replace zero-length arrays with flexible-array members 2023-02-20 11:48:47 -06:00
readdir.c cifs: Replace remaining 1-element arrays 2023-02-20 11:48:48 -06:00
rfc1002pdu.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
sess.c cifs: get rid of dns resolve worker 2023-02-20 17:25:43 -06:00
smb1ops.c cifs: Fix uninitialized memory reads for oparms.mode 2023-02-20 11:48:48 -06:00
smb2file.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
smb2glob.h smb3: move defines for ioctl protocol header and SMB2 sizes to smbfs_common 2022-03-26 23:09:20 -05:00
smb2inode.c cifs: Fix smb2_set_path_size() 2023-03-14 17:36:44 -05:00
smb2maperror.c cifs: Create a new shared file holding smb2 pdu definitions 2021-11-05 09:50:57 -05:00
smb2misc.c smb3: Replace smb2pdu 1-element arrays with flex-arrays 2023-02-20 17:25:43 -06:00
smb2ops.c cifs: improve checking of DFS links over STATUS_OBJECT_NAME_INVALID 2023-03-01 18:18:25 -06:00
smb2pdu.c cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
smb2pdu.h smb3: Replace smb2pdu 1-element arrays with flex-arrays 2023-02-20 17:25:43 -06:00
smb2proto.h cifs: Parse owner/group for stat in smb311 posix extensions 2022-12-08 09:51:53 -06:00
smb2status.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
smb2transport.c cifs: generate signkey for the channel that's reconnecting 2023-03-14 17:36:49 -05:00
smbdirect.c cifs: Fix an uninitialised variable 2023-03-01 18:17:36 -06:00
smbdirect.h cifs: Build the RDMA SGE list directly from an iterator 2023-02-20 18:36:02 -06:00
smbencrypt.c cifs: rename cifs_common to smbfs_common 2021-09-08 23:59:26 -05:00
smberr.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
transport.c cifs: Move the in_send statistic to __smb_send_rqst() 2023-03-05 17:50:38 -06:00
unc.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
winucase.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
xattr.c fs: port xattr to mnt_idmap 2023-01-19 09:24:28 +01:00