From: Greg Kroah-Hartman Date: Sun, 7 May 2023 18:22:29 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.111~60 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=47576bd3e41e8187b9ac3f712a9ce95f13106799;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: cifs-fix-potential-use-after-free-bugs-in-tcp_server_info-hostname.patch cifs-protect-session-status-check-in-smb2_reconnect.patch --- diff --git a/queue-6.1/cifs-fix-potential-use-after-free-bugs-in-tcp_server_info-hostname.patch b/queue-6.1/cifs-fix-potential-use-after-free-bugs-in-tcp_server_info-hostname.patch new file mode 100644 index 00000000000..ab3e001de50 --- /dev/null +++ b/queue-6.1/cifs-fix-potential-use-after-free-bugs-in-tcp_server_info-hostname.patch @@ -0,0 +1,153 @@ +From 90c49fce1c43e1cc152695e20363ff5087897c09 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Fri, 21 Apr 2023 15:52:32 -0300 +Subject: cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname + +From: Paulo Alcantara + +commit 90c49fce1c43e1cc152695e20363ff5087897c09 upstream. + +TCP_Server_Info::hostname may be updated once or many times during +reconnect, so protect its access outside reconnect path as well and +then prevent any potential use-after-free bugs. + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifs_debug.c | 7 ++++++- + fs/cifs/cifs_debug.h | 12 ++++++------ + fs/cifs/connect.c | 10 +++++++--- + fs/cifs/sess.c | 7 ++++--- + 4 files changed, 23 insertions(+), 13 deletions(-) + +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -279,8 +279,10 @@ static int cifs_debug_data_proc_show(str + seq_printf(m, "\n%d) ConnectionId: 0x%llx ", + c, server->conn_id); + ++ spin_lock(&server->srv_lock); + if (server->hostname) + seq_printf(m, "Hostname: %s ", server->hostname); ++ spin_unlock(&server->srv_lock); + #ifdef CONFIG_CIFS_SMB_DIRECT + if (!server->rdma) + goto skip_rdma; +@@ -607,10 +609,13 @@ static int cifs_stats_proc_show(struct s + server->fastest_cmd[j], + server->slowest_cmd[j]); + for (j = 0; j < NUMBER_OF_SMB2_COMMANDS; j++) +- if (atomic_read(&server->smb2slowcmd[j])) ++ if (atomic_read(&server->smb2slowcmd[j])) { ++ spin_lock(&server->srv_lock); + seq_printf(m, " %d slow responses from %s for command %d\n", + atomic_read(&server->smb2slowcmd[j]), + server->hostname, j); ++ spin_unlock(&server->srv_lock); ++ } + #endif /* STATS2 */ + list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { + list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { +--- a/fs/cifs/cifs_debug.h ++++ b/fs/cifs/cifs_debug.h +@@ -81,19 +81,19 @@ do { \ + + #define cifs_server_dbg_func(ratefunc, type, fmt, ...) \ + do { \ +- const char *sn = ""; \ +- if (server && server->hostname) \ +- sn = server->hostname; \ ++ spin_lock(&server->srv_lock); \ + if ((type) & FYI && cifsFYI & CIFS_INFO) { \ + pr_debug_ ## ratefunc("%s: \\\\%s " fmt, \ +- __FILE__, sn, ##__VA_ARGS__); \ ++ __FILE__, server->hostname, \ ++ ##__VA_ARGS__); \ + } else if ((type) & VFS) { \ + pr_err_ ## ratefunc("VFS: \\\\%s " fmt, \ +- sn, ##__VA_ARGS__); \ ++ server->hostname, ##__VA_ARGS__); \ + } else if ((type) & NOISY && (NOISY != 0)) { \ + pr_debug_ ## ratefunc("\\\\%s " fmt, \ +- sn, ##__VA_ARGS__); \ ++ server->hostname, ##__VA_ARGS__); \ + } \ ++ spin_unlock(&server->srv_lock); \ + } while (0) + + #define cifs_server_dbg(type, fmt, ...) \ +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -452,8 +452,10 @@ static int __reconnect_target_unlocked(s + if (server->hostname != target) { + hostname = extract_hostname(target); + if (!IS_ERR(hostname)) { ++ spin_lock(&server->srv_lock); + kfree(server->hostname); + server->hostname = hostname; ++ spin_unlock(&server->srv_lock); + } else { + cifs_dbg(FYI, "%s: couldn't extract hostname or address from dfs target: %ld\n", + __func__, PTR_ERR(hostname)); +@@ -620,9 +622,7 @@ cifs_echo_request(struct work_struct *wo + goto requeue_echo; + + rc = server->ops->echo ? server->ops->echo(server) : -ENOSYS; +- if (rc) +- cifs_dbg(FYI, "Unable to send echo request to server: %s\n", +- server->hostname); ++ cifs_server_dbg(FYI, "send echo request: rc = %d\n", rc); + + /* Check witness registrations */ + cifs_swn_check(); +@@ -1462,6 +1462,8 @@ static int match_server(struct TCP_Serve + { + struct sockaddr *addr = (struct sockaddr *)&ctx->dstaddr; + ++ lockdep_assert_held(&server->srv_lock); ++ + if (ctx->nosharesock) + return 0; + +@@ -1863,7 +1865,9 @@ cifs_setup_ipc(struct cifs_ses *ses, str + if (tcon == NULL) + return -ENOMEM; + ++ spin_lock(&server->srv_lock); + scnprintf(unc, sizeof(unc), "\\\\%s\\IPC$", server->hostname); ++ spin_unlock(&server->srv_lock); + + xid = get_xid(); + tcon->ses = ses; +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -159,6 +159,7 @@ cifs_chan_is_iface_active(struct cifs_se + /* returns number of channels added */ + int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses) + { ++ struct TCP_Server_Info *server = ses->server; + int old_chan_count, new_chan_count; + int left; + int rc = 0; +@@ -178,16 +179,16 @@ int cifs_try_adding_channels(struct cifs + return 0; + } + +- if (ses->server->dialect < SMB30_PROT_ID) { ++ if (server->dialect < SMB30_PROT_ID) { + spin_unlock(&ses->chan_lock); + cifs_dbg(VFS, "multichannel is not supported on this protocol version, use 3.0 or above\n"); + return 0; + } + +- if (!(ses->server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { ++ if (!(server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { + ses->chan_max = 1; + spin_unlock(&ses->chan_lock); +- cifs_dbg(VFS, "server %s does not support multichannel\n", ses->server->hostname); ++ cifs_server_dbg(VFS, "no multichannel support\n"); + return 0; + } + spin_unlock(&ses->chan_lock); diff --git a/queue-6.1/cifs-protect-session-status-check-in-smb2_reconnect.patch b/queue-6.1/cifs-protect-session-status-check-in-smb2_reconnect.patch new file mode 100644 index 00000000000..b15f09d1cad --- /dev/null +++ b/queue-6.1/cifs-protect-session-status-check-in-smb2_reconnect.patch @@ -0,0 +1,50 @@ +From 5bff9f741af60b143a5ae73417a8ec47fd5ff2f4 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 27 Apr 2023 16:07:38 -0300 +Subject: cifs: protect session status check in smb2_reconnect() + +From: Paulo Alcantara + +commit 5bff9f741af60b143a5ae73417a8ec47fd5ff2f4 upstream. + +Use @ses->ses_lock to protect access of @ses->ses_status. + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -175,8 +175,17 @@ smb2_reconnect(__le16 smb2_command, stru + } + } + spin_unlock(&tcon->tc_lock); +- if ((!tcon->ses) || (tcon->ses->ses_status == SES_EXITING) || +- (!tcon->ses->server) || !server) ++ ++ ses = tcon->ses; ++ if (!ses) ++ return -EIO; ++ spin_lock(&ses->ses_lock); ++ if (ses->ses_status == SES_EXITING) { ++ spin_unlock(&ses->ses_lock); ++ return -EIO; ++ } ++ spin_unlock(&ses->ses_lock); ++ if (!ses->server || !server) + return -EIO; + + spin_lock(&server->srv_lock); +@@ -204,8 +213,6 @@ again: + if (rc) + return rc; + +- ses = tcon->ses; +- + spin_lock(&ses->chan_lock); + if (!cifs_chan_needs_reconnect(ses, server) && !tcon->need_reconnect) { + spin_unlock(&ses->chan_lock); diff --git a/queue-6.1/series b/queue-6.1/series index 2f4c03950e7..6edf91f93a4 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -603,3 +603,5 @@ dm-integrity-call-kmem_cache_destroy-in-dm_integrity_init-error-path.patch dm-flakey-fix-a-crash-with-invalid-table-line.patch dm-ioctl-fix-nested-locking-in-table_clear-to-remove-deadlock-concern.patch dm-don-t-lock-fs-when-the-map-is-null-in-process-of-resume.patch +cifs-fix-potential-use-after-free-bugs-in-tcp_server_info-hostname.patch +cifs-protect-session-status-check-in-smb2_reconnect.patch