linux-stable/fs/cifs
Zhang Xiaoxu cfd85a0922 cifs: Fix warning and UAF when destroy the MR list
[ Upstream commit 3e161c2791 ]

If the MR allocation failed, the MR recovery work was not initialized
and the list was not cleared. Then there will be a warning and a UAF when
releasing the MR:

  WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
  CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
  RIP: 0010:__flush_work.isra.0+0xf7/0x110
  Call Trace:
   <TASK>
   __cancel_work_timer+0x2ba/0x2e0
   smbd_destroy+0x4e1/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
  Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
  CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82
  Call Trace:
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   smbd_destroy+0x4fc/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Allocated by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7a/0x90
   _smbd_get_connection+0x1b6f/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Freed by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   __kmem_cache_free+0xc8/0x330
   _smbd_get_connection+0x1c6a/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

Let's initialize the MR recovery work before MR allocation to prevent
the warning, and remove the MRs from the list to prevent the UAF.

Fixes: c739858334 ("CIFS: SMBD: Implement RDMA memory registration")
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-11 16:39:39 +01:00
asn1.c cifs: remove bogus debug code 2020-10-22 12:17:52 -05:00
cache.c smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
cifs_debug.c cifs: Display local UID details for SMB sessions in DebugData 2020-07-01 19:38:19 -05:00
cifs_debug.h cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifs_dfs_ref.c cifs: prevent NULL deref in cifs_compose_mount_options() 2021-07-25 14:36:17 +02:00
cifs_fs_sb.h smb3: add mount option to allow RW caching of share accessed by only 1 client 2019-09-16 11:43:38 -05:00
cifs_ioctl.h cifs: add SMB3 change notification support 2020-02-06 09:14:28 -06:00
cifs_spnego.c cifs: switch servers depending on binding state 2019-11-25 01:16:30 -06:00
cifs_spnego.h
cifs_unicode.c CIFS: Fix a potentially linear read overflow 2021-09-15 09:50:43 +02:00
cifs_unicode.h
cifs_uniupr.h
cifsacl.c cifs: fix a memleak with modefromsid 2020-11-15 23:05:33 -06:00
cifsacl.h cifs: delete duplicated words in header files 2020-08-02 18:00:26 -05:00
cifsencrypt.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
cifsfs.c cifs: fix missing display of three mount options 2023-01-14 10:16:34 +01:00
cifsfs.h cifs: fix reconnect on smb3 mount types 2022-06-14 18:32:45 +02:00
cifsglob.h cifs: fix oops during encryption 2023-01-14 10:16:25 +01:00
cifspdu.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
cifsproto.h cifs: fix oops during encryption 2023-01-14 10:16:25 +01:00
cifsroot.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifssmb.c cifs: use discard iterator to discard unneeded network data more efficiently 2022-09-28 11:10:38 +02:00
connect.c cifs: fix confusing debug message 2023-01-14 10:16:34 +01:00
dfs_cache.c cifs: check pointer before freeing 2021-01-19 18:27:19 +01:00
dfs_cache.h cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect 2020-08-02 18:00:26 -05:00
dir.c cifs: report error instead of invalid when revalidating a dentry fails 2021-02-10 09:29:17 +01:00
dns_resolve.c
dns_resolve.h
export.c docs: fs: convert docs without extension to ReST 2019-07-31 13:31:05 -06:00
file.c cifs: Fix use-after-free in rdata->read_into_pages() 2023-02-15 17:22:26 +01:00
fs_context.c cifs: move smb version mount options into fs_context.c 2020-10-22 12:17:31 -05:00
fs_context.h cifs: move smb version mount options into fs_context.c 2020-10-22 12:17:31 -05:00
fscache.c smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
fscache.h smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
inode.c new helper: inode_wrong_type() 2021-09-08 08:49:01 +02:00
ioctl.c cifs: Fix wrong return value checking when GETFLAGS 2022-11-25 17:45:48 +01:00
Kconfig smb3: smbdirect support can be configured by default 2020-04-07 13:39:00 -05:00
link.c cifs: Fix uninitialized memory read for smb311 posix symlink create 2023-01-18 11:44:54 +01:00
Makefile cifs: add files to host new mount api 2020-10-22 12:16:24 -05:00
misc.c cifs: fix oops during encryption 2023-01-14 10:16:25 +01:00
netmisc.c cifs: handle ERRBaduid for SMB1 2020-08-02 18:00:25 -05:00
nterr.c
nterr.h
ntlmssp.h
readdir.c SMB3: add support for recognizing WSL reparse tags 2020-10-22 12:17:59 -05:00
rfc1002pdu.h
sess.c cifs: Fix xid leak in cifs_ses_add_channel() 2022-10-30 09:41:17 +01:00
smb1ops.c cifs: smb1: Try failing back to SetFileInfo if SetPathInfo fails 2020-08-02 18:00:25 -05:00
smb2file.c cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl() 2022-09-15 11:32:04 +02:00
smb2glob.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
smb2inode.c SMB3: EBADF/EIO errors in rename/open caused by race condition in smb2_compound_op 2022-06-09 10:21:28 +02:00
smb2maperror.c cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES 2020-10-15 23:58:14 -05:00
smb2misc.c cifs: Silently ignore unknown oplock break handle 2021-04-10 13:36:10 +02:00
smb2ops.c cifs: fix oops during encryption 2023-01-14 10:16:25 +01:00
smb2pdu.c cifs: do not include page data when checking signature 2023-01-24 07:19:59 +01:00
smb2pdu.h smb3: Fix out-of-bounds bug in SMB2_negotiate() 2021-02-10 09:29:17 +01:00
smb2proto.h cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl() 2022-09-15 11:32:04 +02:00
smb2status.h
smb2transport.c cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
smbdirect.c cifs: Fix warning and UAF when destroy the MR list 2023-03-11 16:39:39 +01:00
smbdirect.h cifs: smbd: Do not schedule work to send immediate packet on every receive 2020-04-07 12:41:16 -05:00
smbencrypt.c fs: cifs: move from the crypto cipher API to the new DES library interface 2019-08-22 14:57:34 +10:00
smberr.h
smbfsctl.h smb3: add some missing definitions from MS-FSCC 2020-10-23 15:38:10 -05:00
trace.c
trace.h smb3: add dynamic trace point to trace when credits obtained 2020-10-20 11:50:42 -05:00
transport.c cifs: always initialize struct msghdr smb_msg completely 2022-09-28 11:10:39 +02:00
winucase.c Replace HTTP links with HTTPS ones: CIFS 2020-07-05 14:23:38 -06:00
xattr.c CIFS: Add support for setting owner info, dos attributes, and create time 2020-01-26 19:24:17 -06:00