linux/fs/cifs
Lars Persson 696e420bb2 cifs: Fix use after free of a mid_q_entry
With protocol version 2.0 mounts we have seen crashes with corrupt mid
entries. Either the server->pending_mid_q list becomes corrupt with a
cyclic reference in one element or a mid object fetched by the
demultiplexer thread becomes overwritten during use.

Code review identified a race between the demultiplexer thread and the
request issuing thread. The demultiplexer thread seems to be written
with the assumption that it is the sole user of the mid object until
it calls the mid callback which either wakes the issuer task or
deletes the mid.

This assumption is not true because the issuer task can be woken up
earlier by a signal. If the demultiplexer thread has proceeded as far
as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
thread will happily end up calling cifs_delete_mid while the
demultiplexer thread still is using the mid object.

Inserting a delay in the cifs demultiplexer thread widens the race
window and makes reproduction of the race very easy:

		if (server->large_buf)
			buf = server->bigbuf;

+		usleep_range(500, 4000);

		server->lstrp = jiffies;
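Review bot: the `usleep_range(500, 4000)` line is a reproduction aid only, not part of the fix, and the fragment carries no file or function context, so a reader cannot tell from the hunk alone where the delay was injected; naming the function (the demultiplexer loop that handles `server->bigbuf` and sets `server->lstrp`) and stating explicitly that this line is absent from the submitted patch, which instead takes a reference on the mid object in the demultiplexer thread and releases it after processing, would make the reproduction step verifiable.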

To resolve this I think the proper solution involves putting a
reference count on the mid object. This patch makes sure that the
demultiplexer thread holds a reference until it has finished
processing the transaction.

Cc: stable@vger.kernel.org
Signed-off-by: Lars Persson <larper@axis.com>
Acked-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2018-07-05 13:48:24 -05:00
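The following is an added illustration, not kernel code and not part of this commit: a single-threaded, deterministic model of the interleaving the commit message describes, run once without and once with a reference count on the mid object. The helper names `mid_get()`/`mid_put()`/`mid_use()` and the `freed` flag standing in for `kfree()` are assumptions made for this model; the object is never really freed so that the use-after-free can be detected rather than triggered.

```c
/* Added model (not kernel code): demultiplexer vs. issuer race on a mid
 * object, with and without a reference count. All helper names are
 * assumptions for this illustration. */
#include <stdio.h>

enum mid_state { MID_REQUEST_SUBMITTED, MID_RESPONSE_RECEIVED };

struct mid_q_entry {
    int refcount;          /* 0 = not reference counted (old behaviour) */
    enum mid_state state;
    int freed;             /* stand-in for kfree(): memory is never released */
};

static int g_frees;        /* how many times the object was "freed" in a run */

static void mid_free(struct mid_q_entry *m)
{
    m->freed = 1;
    g_frees++;
}

/* Hypothetical reference-count helpers modelled on the fix's approach. */
static void mid_get(struct mid_q_entry *m) { m->refcount++; }
static void mid_put(struct mid_q_entry *m)
{
    if (--m->refcount == 0)
        mid_free(m);
}

/* Touch the object; -1 means it was already freed (a use after free). */
static int mid_use(const struct mid_q_entry *m)
{
    return m->freed ? -1 : 0;
}

/* Issuer path once woken early by a signal: the response is already marked
 * received, so it deletes the mid (cifs_delete_mid in the real code). */
static void issuer_delete_mid(struct mid_q_entry *m, int refcounted)
{
    if (refcounted)
        mid_put(m);    /* fixed: only drops the issuer's reference */
    else
        mid_free(m);   /* old: frees while demux may still use it */
}

/* Replay the interleaving from the commit message.
 * Returns 0 if the demultiplexer's use after the callback was safe,
 * -1 if it was a use after free. */
int run_race(int refcounted)
{
    struct mid_q_entry mid = { refcounted ? 1 : 0, MID_REQUEST_SUBMITTED, 0 };
    g_frees = 0;

    /* demux: fetch the mid and, in the fixed version, hold a reference */
    if (refcounted)
        mid_get(&mid);
    mid.state = MID_RESPONSE_RECEIVED;   /* after this the issuer may delete */

    /* issuer: woken by a signal, sees RESPONSE_RECEIVED and deletes the mid */
    if (mid.state == MID_RESPONSE_RECEIVED)
        issuer_delete_mid(&mid, refcounted);

    /* demux: still processing the transaction with the same object */
    int rc = mid_use(&mid);

    /* demux: finished, release its reference (frees if it was the last) */
    if (refcounted)
        mid_put(&mid);
    return rc;
}

int frees_after_last_run(void) { return g_frees; }

int main(void)
{
    printf("without refcount: %s, frees=%d\n",
           run_race(0) ? "use after free" : "safe", frees_after_last_run());
    printf("with refcount:    %s, frees=%d\n",
           run_race(1) ? "use after free" : "safe", frees_after_last_run());
    return 0;
}
```

In the reference-counted run the issuer's delete only drops the count from 2 to 1, the demultiplexer's subsequent use is valid, and the object is freed exactly once when the demultiplexer drops the last reference.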
asn1.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cache.c vfs: change inode times to use struct timespec64 2018-06-05 16:57:31 -07:00
cifs_debug.c smb3: do not display empty interface list 2018-06-15 02:38:08 -05:00
cifs_debug.h cifs: add server argument to the dump_detail method 2018-05-27 17:56:35 -05:00
cifs_dfs_ref.c CIFS: add build_path_from_dentry_optional_prefix() 2017-03-01 22:26:10 -06:00
cifs_fs_sb.h smb3: fix redundant opens on root 2018-05-27 17:56:35 -05:00
cifs_ioctl.h Enable previous version support 2016-10-13 19:48:11 -05:00
cifs_spnego.c cifs: Create dedicated keyring for spnego operations 2016-05-19 21:56:30 -05:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_unicode.h [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_uniupr.h
cifsacl.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cifsacl.h cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-04 19:19:24 -05:00
cifsencrypt.c cifs: Fix invalid check in __cifs_calc_signature() 2018-06-15 19:17:40 -05:00
cifsfs.c smb3: do not allow insecure cifs mounts when using smb3 2018-06-07 08:36:39 -05:00
cifsfs.h cifs: update internal module version number for cifs.ko to 2.12 2018-05-27 17:56:35 -05:00
cifsglob.h cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
cifspdu.h CIFS: move DFS response parsing out of SMB1 code 2017-03-01 22:26:10 -06:00
cifsproto.h cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
cifssmb.c cifs: add lease tracking to the cached root fid 2018-06-15 02:38:07 -05:00
connect.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
dir.c some smb3 fixes for stable, as well as addition of ftrace hooks for cifs.ko, and improvements in compounding and smbdirect (RDMA) 2018-06-04 14:42:46 -07:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
fscache.c vfs: change inode times to use struct timespec64 2018-06-05 16:57:31 -07:00
fscache.h fscache: Attach the index key and aux data to the cookie 2018-04-04 13:41:28 +01:00
inode.c smb3: Fix mode on mkdir on smb311 mounts 2018-06-15 02:38:08 -05:00
ioctl.c [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
Kconfig IB: remove redundant INFINIBAND kconfig dependencies 2018-05-09 08:51:03 -04:00
link.c cifs: fix a buffer leak in smb2_query_symlink 2018-06-07 23:39:41 -05:00
Makefile smb3: Add ftrace tracepoints for improved SMB3 debugging 2018-05-27 17:56:35 -05:00
misc.c CIFS: add iface info to struct cifs_ses 2018-06-15 02:38:08 -05:00
netmisc.c cifs: update calc_size to take a server argument 2018-05-27 17:56:35 -05:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: update calc_size to take a server argument 2018-05-27 17:56:35 -05:00
rfc1002pdu.h
sess.c smb2: Enforce sec= mount option 2017-03-02 23:13:37 -06:00
smb1ops.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
smb2file.c cifs: fix a buffer leak in smb2_query_symlink 2018-06-07 23:39:41 -05:00
smb2glob.h cifs: remove struct smb2_hdr 2018-06-01 09:14:30 -05:00
smb2inode.c cifs: fix a buffer leak in smb2_query_symlink 2018-06-07 23:39:41 -05:00
smb2maperror.c cifs: remove struct smb2_hdr 2018-06-01 09:14:30 -05:00
smb2misc.c smb3: fix corrupt path in subdirs on smb311 with posix 2018-06-15 02:38:08 -05:00
smb2ops.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
smb2pdu.c smb3: Fix mode on mkdir on smb311 mounts 2018-06-15 02:38:08 -05:00
smb2pdu.h CIFS: complete PDU definitions for interface queries 2018-06-15 02:38:08 -05:00
smb2proto.h cifs: Use correct packet length in SMB2_TRANSFORM header 2018-06-15 19:17:40 -05:00
smb2status.h CIFS: Add SMB2 status codes 2012-07-24 10:25:13 -05:00
smb2transport.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
smbdirect.c cifs: Use correct packet length in SMB2_TRANSFORM header 2018-06-15 19:17:40 -05:00
smbdirect.h CIFS: SMBD: Support page offset in memory registration 2018-06-05 17:43:59 -05:00
smbencrypt.c CIFS: refactor crypto shash/sdesc allocation&free 2018-04-01 20:24:39 -05:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
trace.c smb3: Add ftrace tracepoints for improved SMB3 debugging 2018-05-27 17:56:35 -05:00
trace.h smb3: Fix mode on mkdir on smb311 mounts 2018-06-15 02:38:08 -05:00
transport.c cifs: Fix use after free of a mid_q_entry 2018-07-05 13:48:24 -05:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c Rename superblock flags (MS_xyz -> SB_xyz) 2017-11-27 13:05:09 -08:00