--- /dev/null
+From aa5465aeca3c66fecdf7efcf554aed79b4c4b211 Mon Sep 17 00:00:00 2001
+From: ZhaoLong Wang <wangzhaolong1@huawei.com>
+Date: Mon, 6 Feb 2023 09:10:09 +0800
+Subject: cifs: Fix use-after-free in rdata->read_into_pages()
+
+From: ZhaoLong Wang <wangzhaolong1@huawei.com>
+
+commit aa5465aeca3c66fecdf7efcf554aed79b4c4b211 upstream.
+
+When the network status is unstable, use-after-free may occur when
+read data from the server.
+
+ BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0
+
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x38/0x4c
+ print_report+0x16f/0x4a6
+ kasan_report+0xb7/0x130
+ readpages_fill_pages+0x14c/0x7e0
+ cifs_readv_receive+0x46d/0xa40
+ cifs_demultiplex_thread+0x121c/0x1490
+ kthread+0x16b/0x1a0
+ ret_from_fork+0x2c/0x50
+ </TASK>
+
+ Allocated by task 2535:
+ kasan_save_stack+0x22/0x50
+ kasan_set_track+0x25/0x30
+ __kasan_kmalloc+0x82/0x90
+ cifs_readdata_direct_alloc+0x2c/0x110
+ cifs_readdata_alloc+0x2d/0x60
+ cifs_readahead+0x393/0xfe0
+ read_pages+0x12f/0x470
+ page_cache_ra_unbounded+0x1b1/0x240
+ filemap_get_pages+0x1c8/0x9a0
+ filemap_read+0x1c0/0x540
+ cifs_strict_readv+0x21b/0x240
+ vfs_read+0x395/0x4b0
+ ksys_read+0xb8/0x150
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+ Freed by task 79:
+ kasan_save_stack+0x22/0x50
+ kasan_set_track+0x25/0x30
+ kasan_save_free_info+0x2e/0x50
+ __kasan_slab_free+0x10e/0x1a0
+ __kmem_cache_free+0x7a/0x1a0
+ cifs_readdata_release+0x49/0x60
+ process_one_work+0x46c/0x760
+ worker_thread+0x2a4/0x6f0
+ kthread+0x16b/0x1a0
+ ret_from_fork+0x2c/0x50
+
+ Last potentially related work creation:
+ kasan_save_stack+0x22/0x50
+ __kasan_record_aux_stack+0x95/0xb0
+ insert_work+0x2b/0x130
+ __queue_work+0x1fe/0x660
+ queue_work_on+0x4b/0x60
+ smb2_readv_callback+0x396/0x800
+ cifs_abort_connection+0x474/0x6a0
+ cifs_reconnect+0x5cb/0xa50
+ cifs_readv_from_socket.cold+0x22/0x6c
+ cifs_read_page_from_socket+0xc1/0x100
+ readpages_fill_pages.cold+0x2f/0x46
+ cifs_readv_receive+0x46d/0xa40
+ cifs_demultiplex_thread+0x121c/0x1490
+ kthread+0x16b/0x1a0
+ ret_from_fork+0x2c/0x50
+
+The following function calls will cause UAF of the rdata pointer.
+
+readpages_fill_pages
+ cifs_read_page_from_socket
+ cifs_readv_from_socket
+ cifs_reconnect
+ __cifs_reconnect
+ cifs_abort_connection
+ mid->callback() --> smb2_readv_callback
+ queue_work(&rdata->work) # if the worker completes first,
+ # the rdata is freed
+ cifs_readv_complete
+ kref_put
+ cifs_readdata_release
+ kfree(rdata)
+ return rdata->... # UAF in readpages_fill_pages()
+
+Similarly, this problem also occurs in the uncache_fill_pages().
+
+Fix this by adjusts the order of condition judgment in the return
+statement.
+
+Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3880,7 +3880,7 @@ uncached_fill_pages(struct TCP_Server_In
+ rdata->got_bytes += result;
+ }
+
+- return rdata->got_bytes > 0 && result != -ECONNABORTED ?
++ return result != -ECONNABORTED && rdata->got_bytes > 0 ?
+ rdata->got_bytes : result;
+ }
+
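Review bot: In the return statement of uncached_fill_pages(), the fix depends entirely on && short-circuiting so that rdata->got_bytes is not read when result is -ECONNABORTED, and nothing in the code says so. A later cleanup that swaps the operands back would silently reintroduce the use-after-free. Suggest either a comment above the return stating that rdata may already be freed when result is -ECONNABORTED, or an explicit early exit such as `if (result == -ECONNABORTED) return result;` before any further rdata access.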
+@@ -4656,7 +4656,7 @@ readpages_fill_pages(struct TCP_Server_I
+ rdata->got_bytes += result;
+ }
+
+- return rdata->got_bytes > 0 && result != -ECONNABORTED ?
++ return result != -ECONNABORTED && rdata->got_bytes > 0 ?
+ rdata->got_bytes : result;
+ }
+
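Review bot: The return in readpages_fill_pages() is now an exact copy of the one in uncached_fill_pages(), and both treat result == -ECONNABORTED as the only signal that rdata may be gone. The call chain in the commit message has the free happening under cifs_reconnect(); please confirm that every path through cifs_read_page_from_socket() that can reach the reconnect returns -ECONNABORTED, since any other error value still evaluates rdata->got_bytes. A small shared helper that documents this invariant would keep the two sites from drifting apart.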
--- /dev/null
+From 811d581194f7412eda97acc03d17fc77824b561f Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 3 Feb 2023 14:32:09 -0500
+Subject: net: USB: Fix wrong-direction WARNING in plusb.c
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 811d581194f7412eda97acc03d17fc77824b561f upstream.
+
+The syzbot fuzzer detected a bug in the plusb network driver: A
+zero-length control-OUT transfer was treated as a read instead of a
+write. In modern kernels this error provokes a WARNING:
+
+usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
+WARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411
+usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+Modules linked in:
+CPU: 1 PID: 4645 Comm: dhcpcd Not tainted
+6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
+01/12/2023
+RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
+...
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
+ usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
+ usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
+ __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010
+ usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068
+ pl_vendor_req drivers/net/usb/plusb.c:60 [inline]
+ pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]
+ pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85
+ usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889
+ __dev_open+0x297/0x4d0 net/core/dev.c:1417
+ __dev_change_flags+0x587/0x750 net/core/dev.c:8530
+ dev_change_flags+0x97/0x170 net/core/dev.c:8602
+ devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147
+ inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979
+ sock_do_ioctl+0xcc/0x230 net/socket.c:1169
+ sock_ioctl+0x1f8/0x680 net/socket.c:1286
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and
+remove the USB_DIR_IN flag.
+
+Reported-and-tested-by: syzbot+2a0e7abd24f1eb90ce25@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 090ffa9d0e90 ("[PATCH] USB: usbnet (9/9) module for pl2301/2302 cables")
+CC: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/00000000000052099f05f3b3e298@google.com/
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/plusb.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/usb/plusb.c
++++ b/drivers/net/usb/plusb.c
+@@ -57,9 +57,7 @@
+ static inline int
+ pl_vendor_req(struct usbnet *dev, u8 req, u8 val, u8 index)
+ {
+- return usbnet_read_cmd(dev, req,
+- USB_DIR_IN | USB_TYPE_VENDOR |
+- USB_RECIP_DEVICE,
++ return usbnet_write_cmd(dev, req, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ val, index, NULL, 0);
+ }
+
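Review bot: In pl_vendor_req(), the transfer direction is now implied by the absence of USB_DIR_IN rather than stated. USB_DIR_OUT is 0, so writing `USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE` costs nothing and makes the request type visibly agree with usbnet_write_cmd(), which is the mismatch the WARNING in the commit message flagged. A one-line comment noting that this is a zero-length request (NULL, 0) with no data stage would also help the next reader.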