linux/fs/cifs
Rabin Vincent 820962dc70 cifs: fix race between call_async() and reconnect()
cifs_call_async() queues the MID to the pending list and calls
smb_send_rqst().  If smb_send_rqst() performs a partial send, it sets
the tcpStatus to CifsNeedReconnect and returns an error code to
cifs_call_async().  In this case, cifs_call_async() removes the MID
from the list and returns to the caller.

However, cifs_call_async() releases the server mutex _before_ removing
the MID.  This means that a cifs_reconnect() can race with this function
and manage to remove the MID from the list and delete the entry before
cifs_call_async() calls cifs_delete_mid().  This leads to various
crashes due to the use after free in cifs_delete_mid().

Task1				Task2

cifs_call_async():
 - rc = -EAGAIN
 - mutex_unlock(srv_mutex)

				cifs_reconnect():
				 - mutex_lock(srv_mutex)
				 - mutex_unlock(srv_mutex)
				 - list_delete(mid)
				 - mid->callback()
				 	cifs_writev_callback():
				 		- mutex_lock(srv_mutex)
				 		- delete(mid)
				 		- mutex_unlock(srv_mutex)

 - cifs_delete_mid(mid) <---- use after free

Fix this by removing the MID in cifs_call_async() before releasing the
srv_mutex.  Also hold the srv_mutex in cifs_reconnect() until the MIDs
are moved out of the pending list.

Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
2016-01-14 14:35:58 -06:00
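The interleaving above, reduced to a deterministic C model (an added example, not code from the kernel or from this commit): srv_mutex, the pending list and the MID are stand-ins, and Task2 is driven from explicit yield points so the ordering before and after the fix can be compared without real threads.

```c
#include <stdbool.h>
/* Added model of the race in the commit message, not kernel code. A freed entry
 * is flagged rather than touched, so the use after free is a return value. */
struct mid_q_entry { bool on_pending_list; bool freed; };
static int srv_mutex_depth;                     /* stand-in for srv_mutex */
static void srv_lock(void)   { srv_mutex_depth++; }
static void srv_unlock(void) { srv_mutex_depth--; }
/* Task2: cifs_reconnect() moves the MID off the pending list and fires its
 * callback, which deletes the entry; it runs only when srv_mutex is free. */
static void task2_reconnect(struct mid_q_entry *mid)
{
	if (mid->on_pending_list) {
		mid->on_pending_list = false;
		mid->freed = true;              /* mid->callback() -> delete(mid) */
	}
}
static void yield_to_task2(struct mid_q_entry *mid)
{
	if (srv_mutex_depth == 0)
		task2_reconnect(mid);
}
/* cifs_delete_mid(): false means the entry was already freed, the point at
 * which the real code touches freed memory. */
static bool cifs_delete_mid(struct mid_q_entry *mid)
{
	if (mid->freed) return false;
	mid->on_pending_list = false;
	mid->freed = true;
	return true;
}
/* Task1 before the fix: send fails, mutex released, then MID removed. */
static bool call_async_before_fix(struct mid_q_entry *mid)
{
	srv_lock();
	mid->on_pending_list = true;            /* queued; smb_send_rqst() -> -EAGAIN */
	srv_unlock();
	yield_to_task2(mid);                    /* the window the commit describes */
	return cifs_delete_mid(mid);            /* false: use after free */
}
/* Task1 after the fix: MID removed before srv_mutex is released. */
static bool call_async_after_fix(struct mid_q_entry *mid)
{
	srv_lock();
	mid->on_pending_list = true;
	yield_to_task2(mid);                    /* blocked: mutex still held */
	bool ok = cifs_delete_mid(mid);
	srv_unlock();
	yield_to_task2(mid);                    /* runs, but nothing is pending */
	return ok;
}
```

The model only checks the ordering argument; it says nothing about the second half of the fix (holding srv_mutex in cifs_reconnect() until the MIDs are moved out), which matters once several MIDs are pending.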
asn1.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cache.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_debug.c cifs: Ratelimit kernel log messages 2016-01-14 13:39:02 -06:00
cifs_debug.h cifs: Ratelimit kernel log messages 2016-01-14 13:39:02 -06:00
cifs_dfs_ref.c Fix that several functions handle incorrect value of mapchars 2015-05-10 19:56:35 -05:00
cifs_fs_sb.h Allow conversion of characters in Mac remap range. Part 1 2014-10-16 15:20:20 -05:00
cifs_ioctl.h Add way to query server fs info for smb3 2015-08-20 10:19:25 -05:00
cifs_spnego.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
cifs_spnego.h
cifs_unicode.c Fix to convert SURROGATE PAIR 2015-05-20 13:12:51 -05:00
cifs_unicode.h Remap reserved posix characters by default (part 3/3) 2014-10-16 15:20:20 -05:00
cifs_uniupr.h
cifsacl.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
cifsacl.h cifs: fix SID binary to string conversion 2012-12-11 11:48:49 -06:00
cifsencrypt.c cifs: use server timestamp for ntlmv2 authentication 2015-09-22 15:24:02 -05:00
cifsfs.c cifs: Allow using O_DIRECT with cache=loose 2016-01-14 14:29:34 -06:00
cifsfs.h Merge branch 'work.copy_file_range' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-12 16:30:34 -08:00
cifsglob.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
cifspdu.h Add way to query server fs info for smb3 2015-08-20 10:19:25 -05:00
cifsproto.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
cifssmb.c cifs: Fix use-after-free on mid_q_entry 2015-08-20 10:19:25 -05:00
connect.c cifs: fix race between call_async() and reconnect() 2016-01-14 14:35:58 -06:00
dir.c Fix that several functions handle incorrect value of mapchars 2015-05-10 19:56:35 -05:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c mm, fs: introduce mapping_gfp_constraint() 2015-11-06 17:50:42 -08:00
fscache.c NFS client updates for Linux 3.13 2013-11-08 05:57:46 +09:00
fscache.h CIFS: FS-Cache: Uncache unread pages in cifs_readpages() before freeing them 2013-09-18 10:17:03 -05:00
inode.c cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary 2016-01-14 13:39:11 -06:00
ioctl.c vfs: pull btrfs clone API to vfs layer 2015-12-07 23:11:33 -05:00
Kconfig Allow parsing vers=3.11 on cifs mount 2015-06-27 20:23:32 -07:00
link.c switch ->get_link() to delayed_call, kill ->put_link() 2015-12-30 13:01:03 -05:00
Makefile cifs: add new case-insensitive conversion routines that are based on wchar_t's 2013-09-08 14:38:05 -05:00
misc.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
netmisc.c Fix signed/unsigned pointer warning 2014-12-14 14:55:57 -06:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h CIFS: Add session setup/logoff capability for SMB2 2012-07-24 21:54:57 +04:00
readdir.c fs: Drop unlikely before IS_ERR(_OR_NULL) 2015-09-29 15:13:58 +02:00
rfc1002pdu.h
sess.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
smb1ops.c Fix that several functions handle incorrect value of mapchars 2015-05-10 19:56:35 -05:00
smb2file.c Add resilienthandles mount parm 2015-11-03 10:10:36 -06:00
smb2glob.h CIFS: Fix too big maxBuf size for SMB3 mounts 2014-02-14 16:50:47 -06:00
smb2inode.c CIFS: Fix wrong filename length for SMB2 2014-08-25 16:45:17 -05:00
smb2maperror.c Fix problem recognizing symlinks 2014-10-02 14:10:04 -05:00
smb2misc.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2ops.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2pdu.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2pdu.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2proto.h Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smb2status.h CIFS: Add SMB2 status codes 2012-07-24 10:25:13 -05:00
smb2transport.c Prepare for encryption support (first part). Add decryption and encryption key generation. Thanks to Metze for helping with this. 2016-01-14 14:29:42 -06:00
smbencrypt.c cifs: use memzero_explicit to clear stack buffer 2015-01-19 15:32:13 -06:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
transport.c cifs: fix race between call_async() and reconnect() 2016-01-14 14:35:58 -06:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c posix acls: Remove duplicate xattr name definitions 2015-12-06 21:25:17 -05:00