android_kernel_motorola_sm6225/fs/cifs
Zhang Xiaoxu 275a3d2b94 cifs: Fix warning and UAF when destroy the MR list
[ Upstream commit 3e161c2791f8e661eed24a2c624087084d910215 ]

If the MR allocation fails, the MR recovery work is not initialized
and the list is not cleared. Then there will be a warning and a UAF when
releasing the MR:

  WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
  CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
  RIP: 0010:__flush_work.isra.0+0xf7/0x110
  Call Trace:
   <TASK>
   __cancel_work_timer+0x2ba/0x2e0
   smbd_destroy+0x4e1/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
  Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
  CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82
  Call Trace:
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   smbd_destroy+0x4fc/0x990
   _smbd_get_connection+0x1cbd/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Allocated by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7a/0x90
   _smbd_get_connection+0x1b6f/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  Freed by task 824:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   __kmem_cache_free+0xc8/0x330
   _smbd_get_connection+0x1c6a/0x2110
   smbd_get_connection+0x21/0x40
   cifs_get_tcp_session+0x8ef/0xda0
   mount_get_conns+0x60/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

Let's initialize the MR recovery work before the MR allocation to prevent
the warning, and remove the MRs from the list to prevent the UAF.

Fixes: c739858334 ("CIFS: SMBD: Implement RDMA memory registration")
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-11 16:31:42 +01:00
asn1.c cifs: remove bogus debug code 2020-10-29 09:54:59 +01:00
cache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
cifs_debug.c cifs: Don't display RDMA transport on reconnect 2019-12-21 10:57:33 +01:00
cifs_debug.h cifs: add server argument to the dump_detail method 2018-05-27 17:56:35 -05:00
cifs_dfs_ref.c cifs: use correct format characters 2019-04-05 22:32:59 +02:00
cifs_fs_sb.h cifs: Properly handle auto disabling of serverino option 2019-09-16 08:22:17 +02:00
cifs_ioctl.h Enable previous version support 2016-10-13 19:48:11 -05:00
cifs_spnego.c smb3: on kerberos mount if server doesn't specify auth type use krb5 2018-11-13 11:08:48 -08:00
cifs_spnego.h
cifs_unicode.c CIFS: Fix a potentially linear read overflow 2021-09-22 11:47:54 +02:00
cifs_unicode.h [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_uniupr.h
cifsacl.c cifs: Fix mode output in debugging statements 2020-03-05 16:42:15 +01:00
cifsacl.h cifs: For SMB2 security information query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-04 19:19:24 -05:00
cifsencrypt.c cifs: Make sure all data pages are signed correctly 2018-08-07 14:15:41 -05:00
cifsfs.c cifs: Check the IOCB_DIRECT flag, not O_DIRECT 2022-04-27 13:39:43 +02:00
cifsfs.h cifs: update internal module version number for cifs.ko to 2.12 2018-08-23 15:11:10 -05:00
cifsglob.h CIFS: Properly process SMB3 lease breaks 2020-10-01 13:14:29 +02:00
cifspdu.h CIFS: move DFS response parsing out of SMB1 code 2017-03-01 22:26:10 -06:00
cifsproto.h cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs 2019-11-10 11:27:34 +01:00
cifssmb.c cifs: fix leaked reference on requeued write 2020-05-20 08:18:49 +02:00
connect.c smbd: Make upper layer decide when to destroy the transport 2023-02-06 07:49:42 +01:00
dir.c cifs: report error instead of invalid when revalidating a dentry fails 2021-02-10 09:21:07 +01:00
dns_resolve.c
dns_resolve.h
export.c
file.c cifs: revalidate mapping when we open files for SMB1 POSIX 2021-04-10 13:21:19 +02:00
fscache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
fscache.h cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
inode.c cifs: handle -EINTR in cifs_setattr 2020-11-05 11:08:44 +01:00
ioctl.c cifs: Fix wrong return value checking when GETFLAGS 2022-11-25 17:40:25 +01:00
Kconfig cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) 2018-12-21 14:15:23 +01:00
link.c cifs: Fix uninitialized memory read for smb311 posix symlink create 2023-01-18 11:30:52 +01:00
Makefile smb3: Add ftrace tracepoints for improved SMB3 debugging 2018-05-27 17:56:35 -05:00
misc.c CIFS: Properly process SMB3 lease breaks 2020-10-01 13:14:29 +02:00
netmisc.c fs: cifs: mute -Wunused-const-variable message 2019-11-06 13:05:51 +01:00
nterr.c
nterr.h
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: check ntwrk_buf_start for NULL before dereferencing it 2019-02-12 19:47:17 +01:00
rfc1002pdu.h
sess.c cifs: fix wrong release in sess_alloc_buffer() failed path 2021-09-22 11:48:08 +02:00
smb1ops.c CIFS: Properly process SMB3 lease breaks 2020-10-01 13:14:29 +02:00
smb2file.c cifs: Adjust indentation in smb2_open_file 2020-01-17 19:47:01 +01:00
smb2glob.h cifs: remove struct smb2_hdr 2018-06-01 09:14:30 -05:00
smb2inode.c smb3: Do not send SMB3 SET_INFO if nothing changed 2018-08-07 14:30:59 -05:00
smb2maperror.c SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write 2019-06-25 11:36:01 +08:00
smb2misc.c cifs: Silently ignore unknown oplock break handle 2021-04-10 13:21:19 +02:00
smb2ops.c smb3: check xattr value length earlier 2022-08-25 11:15:47 +02:00
smb2pdu.c cifs: do not include page data when checking signature 2023-01-24 07:11:50 +01:00
smb2pdu.h smb3: Fix out-of-bounds bug in SMB2_negotiate() 2021-02-10 09:21:07 +01:00
smb2proto.h CIFS: Close open handle after interrupted close 2019-12-21 10:57:35 +01:00
smb2status.h
smb2transport.c CIFS: Do not skip SMB2 message IDs on send failures 2019-03-23 20:09:56 +01:00
smbdirect.c cifs: Fix warning and UAF when destroy the MR list 2023-03-11 16:31:42 +01:00
smbdirect.h smbd: Make upper layer decide when to destroy the transport 2023-02-06 07:49:42 +01:00
smbencrypt.c CIFS: refactor crypto shash/sdesc allocation&free 2018-04-01 20:24:39 -05:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
trace.c smb3: Add ftrace tracepoints for improved SMB3 debugging 2018-05-27 17:56:35 -05:00
trace.h smb3: add tracepoint for slow responses 2018-08-07 14:28:01 -05:00
transport.c cifs: don't send down the destination address to sendmsg for a SOCK_STREAM 2022-09-28 11:02:52 +02:00
winucase.c
xattr.c CIFS: fix max ea value size 2019-10-05 13:10:12 +02:00