From 61fd683ce891ec1f482ecb2da70a1f7f247a9288 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 15 Jul 2025 14:01:09 +0200
Subject: [PATCH] 6.6-stable patches
added patches:
kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
---
 ...vm_area-to-prevent-possible-deadlock.patch | 71 +++++++++++++++
 ...after-free-in-oplock-lease-break-ack.patch | 90 +++++++++++++++++++
 queue-6.6/series | 2 +
 3 files changed, 163 insertions(+)
 create mode 100644 queue-6.6/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
 create mode 100644 queue-6.6/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
diff --git a/queue-6.6/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch b/queue-6.6/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
new file mode 100644
index 0000000000..5a4e32716b
--- /dev/null
+++ b/queue-6.6/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
@@ -0,0 +1,71 @@
+From 6ee9b3d84775944fb8c8a447961cd01274ac671c Mon Sep 17 00:00:00 2001
+From: Yeoreum Yun
+Date: Thu, 3 Jul 2025 19:10:18 +0100
+Subject: kasan: remove kasan_find_vm_area() to prevent possible deadlock
+
+From: Yeoreum Yun
+
+commit 6ee9b3d84775944fb8c8a447961cd01274ac671c upstream.
+
+find_vm_area() couldn't be called in atomic_context. If find_vm_area() is
+called to reports vm area information, kasan can trigger deadlock like:
+
+CPU0 CPU1
+vmalloc();
+ alloc_vmap_area();
+ spin_lock(&vn->busy.lock)
+ spin_lock_bh(&some_lock);
+
+
+ spin_lock(&some_lock);
+
+ kasan_report();
+ print_report();
+ print_address_description();
+ kasan_find_vm_area();
+ find_vm_area();
+ spin_lock(&vn->busy.lock) // deadlock!
+
+To prevent possible deadlock while kasan reports, remove kasan_find_vm_area().
+
+Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com
+Fixes: c056a364e954 ("kasan: print virtual mapping info in reports")
+Signed-off-by: Yeoreum Yun
+Reported-by: Yunseong Kim
+Reviewed-by: Andrey Ryabinin
+Cc: Alexander Potapenko
+Cc: Andrey Konovalov
+Cc: Byungchul Park
+Cc: Dmitriy Vyukov
+Cc: Sebastian Andrzej Siewior
+Cc: Steven Rostedt
+Cc: Vincenzo Frascino
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kasan/report.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/mm/kasan/report.c
++++ b/mm/kasan/report.c
+@@ -385,17 +385,8 @@ static void print_address_description(vo
+ }
+
+ if (is_vmalloc_addr(addr)) {
+- struct vm_struct *va = find_vm_area(addr);
+-
+- if (va) {
+- pr_err("The buggy address belongs to the virtual mapping at\n"
+- " [%px, %px) created by:\n"
+- " %pS\n",
+- va->addr, va->addr + va->size, va->caller);
+- pr_err("\n");
+-
+- page = vmalloc_to_page(addr);
+- }
++ pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr);
++ page = vmalloc_to_page(addr);
+ }
+
+ if (page) {
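Review bot: The replacement line `pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr);` in print_address_description() carries no hint of why the mapping range and caller are no longer printed, so the next person improving the report is likely to put find_vm_area() back and reintroduce the deadlock this patch removes. A comment above it, such as `/* Do not call find_vm_area() here: it takes vn->busy.lock and a report can fire with that lock held (see alloc_vmap_area()); only print the address. */`, would keep the reasoning in the code rather than only in the changelog. The now-unconditional `page = vmalloc_to_page(addr);` depends on the `if (page)` guard visible just below to cover an address in an unmapped part of the vmalloc range; that appears to hold, as vmalloc_to_page() returns NULL when the page-table walk finds nothing, but it is worth confirming on the 6.6 tree. print_address_description() begins before this hunk.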
diff --git a/queue-6.6/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch b/queue-6.6/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
new file mode 100644
index 0000000000..562d720ebe
--- /dev/null
+++ b/queue-6.6/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
@@ -0,0 +1,90 @@
+From 50f930db22365738d9387c974416f38a06e8057e Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Tue, 8 Jul 2025 07:47:40 +0900
+Subject: ksmbd: fix potential use-after-free in oplock/lease break ack
+
+From: Namjae Jeon
+
+commit 50f930db22365738d9387c974416f38a06e8057e upstream.
+
+If ksmbd_iov_pin_rsp return error, use-after-free can happen by
+accessing opinfo->state and opinfo_put and ksmbd_fd_put could
+called twice.
+
+Reported-by: Ziyan Xu
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -8503,11 +8503,6 @@ static void smb20_oplock_break_ack(struc
+ goto err_out;
+ }
+
+- opinfo->op_state = OPLOCK_STATE_NONE;
+- wake_up_interruptible_all(&opinfo->oplock_q);
+- opinfo_put(opinfo);
+- ksmbd_fd_put(work, fp);
+-
+ rsp->StructureSize = cpu_to_le16(24);
+ rsp->OplockLevel = rsp_oplevel;
+ rsp->Reserved = 0;
+@@ -8515,16 +8510,15 @@
+ rsp->VolatileFid = volatile_id;
+ rsp->PersistentFid = persistent_id;
+ ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_oplock_break));
+- if (!ret)
+- return;
+-
++ if (ret) {
+ err_out:
++ smb2_set_err_rsp(work);
++ }
++
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+-
+ opinfo_put(opinfo);
+ ksmbd_fd_put(work, fp);
+- smb2_set_err_rsp(work);
+ }
+
+ static int check_lease_state(struct lease *lease, __le32 req_state)
+@@ -8654,11 +8648,6 @@ static void smb21_lease_break_ack(struct
+ }
+
+ lease_state = lease->state;
+- opinfo->op_state = OPLOCK_STATE_NONE;
+- wake_up_interruptible_all(&opinfo->oplock_q);
+- atomic_dec(&opinfo->breaking_cnt);
+- wake_up_interruptible_all(&opinfo->oplock_brk);
+- opinfo_put(opinfo);
+
+ rsp->StructureSize = cpu_to_le16(36);
+ rsp->Reserved = 0;
+@@ -8667,16 +8656,16 @@
static void smb21_lease_break_ack(struct
+ rsp->LeaseState = lease_state;
+ rsp->LeaseDuration = 0;
+ ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_lease_ack));
+- if (!ret)
+- return;
+-
++ if (ret) {
+ err_out:
++ smb2_set_err_rsp(work);
++ }
++
++ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+ atomic_dec(&opinfo->breaking_cnt);
+ wake_up_interruptible_all(&opinfo->oplock_brk);
+-
+ opinfo_put(opinfo);
+- smb2_set_err_rsp(work);
+ }
+
+ /**
diff --git a/queue-6.6/series b/queue-6.6/series
index eb9eb7cffc..ae31e21050 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -105,3 +105,5 @@ hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch
 input-atkbd-do-not-skip-atkbd_deactivate-when-skipping-atkbd_cmd_getid.patch
 selftests-bpf-adapt-one-more-case-in-test_lru_map-to-the-new-target_free.patch
 smb-client-fix-potential-race-in-cifs_put_tcon.patch
+kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
+ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
--
2.47.2
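Review bot: The new shared tail in smb20_oplock_break_ack (the `err_out:` label placed inside the `if (ret) {` body, followed by the state reset and the single opinfo_put()/ksmbd_fd_put() pair) has no comment saying why the reference drops were moved below ksmbd_iov_pin_rsp(), so a later tidy-up could hoist them back above the response build and reintroduce the double put this patch removes. Suggest a comment above `opinfo->op_state = OPLOCK_STATE_NONE;` such as `/* Reset state and drop the opinfo/fd references exactly once, after the response has been pinned or the error response set; err_out sits inside the if on purpose so both paths share this tail. */`. The same applies to the smb21_lease_break_ack hunks (`@@ -8654,11 +8648,6 @@` and `@@ -8667,16 +8656,16 @@`), where the label is placed the same way. A label inside a braced if body is valid C but reads oddly; if the file prefers plain cleanup labels, `if (!ret) goto out;` with `err_out:` and `out:` as sibling labels expresses the same flow. Both functions begin outside their hunks, so the earlier `goto err_out` sites and whether opinfo and fp are always valid there cannot be checked from this view.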