* Re: [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
@ 2018-07-25 16:06 Philip Müller
2018-07-25 22:12 ` Stefano Brivio
0 siblings, 1 reply; 4+ messages in thread
From: Philip Müller @ 2018-07-25 16:06 UTC (permalink / raw)
To: Greg Kroah-Hartman, sbrivio; +Cc: stable, mochobb, manjaro
Hi Greg, hi Stefano,
It seems adding "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2
ACE setting" (commit 748144f) [1] created a regression within the linux
v4.14 kernel series. Writing to a mounted cifs either freezes on writing
or crashes the PC. A more detailed explanation you may find in our
forums [2]. Reverting the patch seems to "fix" it. Thoughts?
Best, Philip
----------------------
Manjaro Project Lead
---
[1]
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/cifs?h=linux-4.14.y&id=748144f35514aef14c4fdef5bcaa0db99cb9367a
[2] https://forum.manjaro.org/t/53250
---
FSTAB entries:
//192.168.0.100/TRANSFER /mnt/TRANSFER cifs noperm,x-systemd.automount,iocharset=utf8,file_mode=0775,dir_mode=0775,user=xxx,pass=yyy,_netdev,noacl 0 0
//192.168.0.100/MEDIA /mnt/MEDIA cifs noperm,x-systemd.automount,iocharset=utf8,file_mode=0775,dir_mode=0775,user=xxx,pass=yyy,_netdev,noacl 0 0
Message log:
[ 19.785788] No dialect specified on mount. Default has changed to a
more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To
use the less secure SMB1 dialect to access old servers which do not
support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[ 20.652361] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-2
[ 20.814693] No dialect specified on mount. Default has changed to a
more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To
use the less secure SMB1 dialect to access old servers which do not
support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[ 20.992157] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-2
[ 212.648892] cache_from_obj: Wrong slab cache. cifs_request but object is from xfrm_dst_cache
[ 212.648951] ------------[ cut here ]------------
[ 212.648978] WARNING: CPU: 1 PID: 1379 at mm/slab.h:377 kmem_cache_free+0x14d/0x200
[ 212.648985] Modules linked in: md4 nls_utf8 cifs ccm dns_resolver
fscache cmac rfcomm fuse snd_hda_codec_hdmi snd_hda_codec_realtek
snd_hda_codec_generic snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc
snd_soc_sst_dsp snd_hda_ext_core snd_soc_sst_match snd_soc_core bnep
snd_compress snd_pcm_dmaengine ac97_bus vmnet(O) intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp arc4 kvm_intel i915
iTCO_wdt iTCO_vendor_support kvm iwlmvm ext4 mac80211 crc32c_generic
mbcache jbd2 fscrypto irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc wmi_bmof i2c_algo_bit snd_hda_intel
drm_kms_helper iwlwifi uvcvideo snd_hda_codec aesni_intel snd_hda_core
videobuf2_vmalloc aes_x86_64 videobuf2_memops crypto_simd glue_helper
btusb cryptd btrtl videobuf2_v4l2 btbcm intel_cstate videobuf2_core
snd_hwdep intel_rapl_perf
[ 212.649203] btintel drm e1000e cfg80211 bluetooth snd_pcm videodev
psmouse media snd_timer pcspkr ptp pps_core thinkpad_acpi i2c_i801 evdev
joydev mousedev input_leds mac_hid rtsx_pci_ms ecdh_generic crc16
memstick intel_gtt nvram agpgart snd shpchp soundcore mei_me syscopyarea
rfkill sysfillrect sysimgblt mei fb_sys_fops intel_pch_thermal thermal
led_class wmi battery ac video acpi_pad button sch_fq_codel vmmon(O)
vmw_vmci uinput crypto_user ip_tables x_tables btrfs xor zstd_decompress
zstd_compress xxhash hid_logitech_hidpp raid6_pq hid_logitech_dj usbhid
hid sd_mod rtsx_pci_sdmmc mmc_core serio_raw atkbd libps2 ahci libahci
xhci_pci libata xhci_hcd rtsx_pci usbcore scsi_mod usb_common i8042
serio crc32c_intel
[ 212.649453] CPU: 1 PID: 1379 Comm: pool Tainted: G O 4.14.57-1-MANJARO #1
[ 212.649457] Hardware name: LENOVO 20J4000LGE/20J4000LGE, BIOS R0GET60W (1.60 ) 12/15/2017
[ 212.649465] task: ffff88a7197f8f00 task.stack: ffffb1dac2184000
[ 212.649481] RIP: 0010:kmem_cache_free+0x14d/0x200
[ 212.649488] RSP: 0018:ffffb1dac2187c90 EFLAGS: 00010246
[ 212.649497] RAX: 0000000000000050 RBX: ffff88a75ba90000 RCX: 0000000000000000
[ 212.649503] RDX: 0000000000000000 RSI: ffff88a77f4965d8 RDI: ffff88a77f4965d8
[ 212.649509] RBP: ffff88a73962f380 R08: ffffffff8d474920 R09: 000000000000035c
[ 212.649515] R10: 0000000000000004 R11: ffffffff8e56a36d R12: ffff88a75812c000
[ 212.649521] R13: ffff88a77489b600 R14: ffffb1dac2187d78 R15: 0000000000000000
[ 212.649531] FS: 00007f253ccc3700(0000) GS:ffff88a77f480000(0000) knlGS:0000000000000000
[ 212.649538] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 212.649545] CR2: 00007f386b887810 CR3: 0000000211452003 CR4: 00000000003606e0
[ 212.649549] Call Trace:
[ 212.649657] cifs_buf_release.part.6+0x11/0x20 [cifs]
[ 212.649763] send_set_info+0x1ac/0x210 [cifs]
[ 212.649878] SMB2_rmdir+0x5d/0x80 [cifs]
[ 212.649977] smb2_open_op_close+0x1bd/0x220 [cifs]
[ 212.649992] ? __kmalloc+0x19e/0x220
[ 212.650080] ? build_path_from_dentry_optional_prefix+0x1c1/0x400 [cifs]
[ 212.650176] smb2_rmdir+0x25/0x30 [cifs]
[ 212.650271] cifs_rmdir+0xb8/0x290 [cifs]
[ 212.650287] vfs_rmdir+0xd1/0x140
[ 212.650300] do_rmdir+0x17d/0x1e0
[ 212.650318] do_syscall_64+0x67/0x100
[ 212.650332] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 212.650342] RIP: 0033:0x7f2558e5f647
[ 212.650348] RSP: 002b:00007f253ccc2b38 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
[ 212.650359] RAX: ffffffffffffffda RBX: 00007f253801f500 RCX: 00007f2558e5f647
[ 212.650364] RDX: 00007f253ccc2b90 RSI: 0000563e90e93d40 RDI: 00007f253801f500
[ 212.650369] RBP: 0000563e90ab08c0 R08: 0000563e908c3468 R09: 0000563e908c3470
[ 212.650375] R10: 0000563e908df8c8 R11: 0000000000000246 R12: 00007f253ccc2b90
[ 212.650380] R13: 00007f253ccc2c20 R14: 00007f253ccc2b90 R15: 0000563e8ead215b
[ 212.650389] Code: fe ff ff 48 3b a8 d8 00 00 00 0f 84 83 00 00 00 48 8b 48 60 48 8b 55 60 48 c7 c6 20 44 c3 8d 48 c7 c7 00 48 e1 8d e8 8e 44 ed ff <0f> 0b e9 ca fe ff ff 65 8b 05 6d 51 e0 72 89 c0 48 0f a3 05 8b
[ 212.650572] ---[ end trace 05a8377b2d80ea1c ]---
[ 212.680246] cache_from_obj: Wrong slab cache. cifs_request but object is from xfrm_dst_cache
[ 212.725303] cache_from_obj: Wrong slab cache. cifs_request but object is from xfrm_dst_cache
[ 212.740595] general protection fault: 0000 [#1] PREEMPT SMP PTI
[ 212.740602] Modules linked in: md4 nls_utf8 cifs ccm dns_resolver
fscache cmac rfcomm fuse snd_hda_codec_hdmi snd_hda_codec_realtek
snd_hda_codec_generic snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc
snd_soc_sst_dsp snd_hda_ext_core snd_soc_sst_match snd_soc_core bnep
snd_compress snd_pcm_dmaengine ac97_bus vmnet(O) intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp arc4 kvm_intel i915
iTCO_wdt iTCO_vendor_support kvm iwlmvm ext4 mac80211 crc32c_generic
mbcache jbd2 fscrypto irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc wmi_bmof i2c_algo_bit snd_hda_intel
drm_kms_helper iwlwifi uvcvideo snd_hda_codec aesni_intel snd_hda_core
videobuf2_vmalloc aes_x86_64 videobuf2_memops crypto_simd glue_helper
btusb cryptd btrtl videobuf2_v4l2 btbcm intel_cstate videobuf2_core
snd_hwdep intel_rapl_perf
[ 212.740687] btintel drm e1000e cfg80211 bluetooth snd_pcm videodev
psmouse media snd_timer pcspkr ptp pps_core thinkpad_acpi i2c_i801 evdev
joydev mousedev input_leds mac_hid rtsx_pci_ms ecdh_generic crc16
memstick intel_gtt nvram agpgart snd shpchp soundcore mei_me syscopyarea
rfkill sysfillrect sysimgblt mei fb_sys_fops intel_pch_thermal thermal
led_class wmi battery ac video acpi_pad button sch_fq_codel vmmon(O)
vmw_vmci uinput crypto_user ip_tables x_tables btrfs xor zstd_decompress
zstd_compress xxhash hid_logitech_hidpp raid6_pq hid_logitech_dj usbhid
hid sd_mod rtsx_pci_sdmmc mmc_core serio_raw atkbd libps2 ahci libahci
xhci_pci libata xhci_hcd rtsx_pci usbcore scsi_mod usb_common i8042
serio crc32c_intel
[ 212.740793] CPU: 1 PID: 1162 Comm: cifsd Tainted: G W O 4.14.57-1-MANJARO #1
[ 212.740797] Hardware name: LENOVO 20J4000LGE/20J4000LGE, BIOS R0GET60W (1.60 ) 12/15/2017
[ 212.740802] task: ffff88a772a99e00 task.stack: ffffb1dac1ec8000
[ 212.740810] RIP: 0010:prefetch_freepointer+0x11/0x20
[ 212.740815] RSP: 0018:ffffb1dac1ecbde0 EFLAGS: 00010202
[ 212.740820] RAX: 0000000000000000 RBX: 0c24ecb2149c4fdf RCX: 0000000000012681
[ 212.740824] RDX: 0000000000012601 RSI: 0c24ecb2149c4fdf RDI: ffff88a775401c80
[ 212.740828] RBP: 0000000001011200 R08: ffff88a775e78f00 R09: 0000000000000000
[ 212.740832] R10: 0000000000000000 R11: 000000002f32988b R12: ffff88a75ba90000
[ 212.740836] R13: ffff88a775401c80 R14: ffff88a775401c80 R15: ffffffff8d19a8b5
[ 212.740841] FS: 0000000000000000(0000) GS:ffff88a77f480000(0000) knlGS:0000000000000000
[ 212.740845] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 212.740849] CR2: 00007f386b887810 CR3: 000000013200a006 CR4: 00000000003606e0
[ 212.740852] Call Trace:
[ 212.740861] kmem_cache_alloc+0x94/0x1a0
[ 212.740870] ? wait_woken+0x80/0x80
[ 212.740878] mempool_alloc+0x65/0x190
[ 212.740886] ? try_to_wake_up+0x54/0x4b0
[ 212.740925] cifs_small_buf_get+0x16/0x20 [cifs]
[ 212.740957] cifs_demultiplex_thread+0x619/0xb10 [cifs]
[ 212.740989] ? cifs_handle_standard+0x190/0x190 [cifs]
[ 212.740996] kthread+0x119/0x130
[ 212.741003] ? kthread_create_on_node+0x60/0x60
[ 212.741011] ret_from_fork+0x35/0x40
[ 212.741016] Code: 89 d3 e8 63 f9 47 00 85 c0 0f 85 b1 70 00 00 48 83 c4 08 5b 5d 41 5c 41 5d c3 0f 1f 44 00 00 48 85 f6 74 14 48 63 47 20 48 01 c6 <48> 33 36 48 33 b7 40 01 00 00 0f 18 0e c3 90 0f 1f 44 00 00 55
[ 212.741096] RIP: prefetch_freepointer+0x11/0x20 RSP: ffffb1dac1ecbde0
[ 212.741101] ---[ end trace 05a8377b2d80ea1d ]---
* Re: [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
2018-07-25 16:06 [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting Philip Müller
@ 2018-07-25 22:12 ` Stefano Brivio
2018-07-26 10:22 ` Greg Kroah-Hartman
0 siblings, 1 reply; 4+ messages in thread
From: Stefano Brivio @ 2018-07-25 22:12 UTC (permalink / raw)
To: Philip Müller, Greg Kroah-Hartman; +Cc: stable, mochobb, manjaro
On Wed, 25 Jul 2018 18:06:25 +0200
Philip Müller <philm@manjaro.org> wrote:
> Hi Greg, hi Stefano,
>
> seems adding "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2
> ACE setting" (commit 748144f) [1] created a regression within linux
> v4.14 kernel series. Writing to a mounted cifs either freezes on writing
> or crashes the PC. A more detailed explanation you may find in our
> forums [2]. Reverting the patch, seems to "fix" it. Thoughts?
Hi Philip,
thanks for reporting this.
My bad, I didn't check what the backport of f46ecbd97f50 ("cifs: Fix
slab-out-of-bounds in send_set_info() on SMB2 ACE setting") looked like on
4.14. As 4.14 doesn't have commit 2fc803efe614 ("cifs: remove rfc1002
header from smb2_set_info_req"), the effect is substantially different.
Greg, I would need some time to check if we actually need this at all on
4.14, to do a proper backport in that case and to run tests. Could you please
revert this on 4.14.y for the time being? If a backport is needed, I'll
send it later on. Thanks!
--
Stefano
* Re: [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
2018-07-25 22:12 ` Stefano Brivio
@ 2018-07-26 10:22 ` Greg Kroah-Hartman
0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-26 10:22 UTC (permalink / raw)
To: Stefano Brivio; +Cc: Philip Müller, stable, mochobb, manjaro
On Thu, Jul 26, 2018 at 08:12:02AM +1000, Stefano Brivio wrote:
> On Wed, 25 Jul 2018 18:06:25 +0200
> Philip Müller <philm@manjaro.org> wrote:
>
> > Hi Greg, hi Stefano,
> >
> > seems adding "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2
> > ACE setting" (commit 748144f) [1] created a regression within linux
> > v4.14 kernel series. Writing to a mounted cifs either freezes on writing
> > or crashes the PC. A more detailed explanation you may find in our
> > forums [2]. Reverting the patch, seems to "fix" it. Thoughts?
>
> Hi Philip,
>
> thanks for reporting this.
>
> My bad, I didn't check how the backport of f46ecbd97f50 ("cifs: Fix
> slab-out-of-bounds in send_set_info() on SMB2 ACE setting") looked like on
> 4.14. As 4.14 doesn't have commit 2fc803efe614 ("cifs: remove rfc1002
> header from smb2_set_info_req"), the effect is substantially different.
>
> Greg, I would need some time to check if we actually need this at all on
> 4.14, to do a proper backport in case and to run tests. Could you please
> revert this on 4.14.y for the moment being? If a backport is needed, I'll
> send it later on. Thanks!
Now reverted, thanks.
greg k-h
* [PATCH 4.14 00/53] 4.14.55-stable review
@ 2018-07-10 18:24 Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting Greg Kroah-Hartman
0 siblings, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-10 18:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, stable
This is the start of the stable review cycle for the 4.14.55 release.
There are 53 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu Jul 12 18:24:36 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.55-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.14.55-rc1
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Revert mm/vmstat.c: fix vmstat_update() preemption BUG
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
sched, tracing: Fix trace_sched_pi_setprio() for deboosting
Dan Carpenter <dan.carpenter@oracle.com>
staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
Jann Horn <jannh@google.com>
netfilter: nf_log: don't hold nf_log_mutex during user access
Tokunori Ikegami <ikegami@allied-telesis.co.jp>
mtd: cfi_cmdset_0002: Change erase functions to check chip good only
Tokunori Ikegami <ikegami@allied-telesis.co.jp>
mtd: cfi_cmdset_0002: Change erase functions to retry for error
Tokunori Ikegami <ikegami@allied-telesis.co.jp>
mtd: cfi_cmdset_0002: Change definition naming to retry write operation
Ross Zwisler <ross.zwisler@linux.intel.com>
dm: prevent DAX mounts if not supported
Mike Snitzer <snitzer@redhat.com>
dm: set QUEUE_FLAG_DAX accordingly in dm_table_set_restrictions()
Ross Zwisler <ross.zwisler@linux.intel.com>
dax: check for QUEUE_FLAG_DAX in bdev_dax_supported()
Dave Jiang <dave.jiang@intel.com>
dax: change bdev_dax_supported() to support boolean returns
Darrick J. Wong <darrick.wong@oracle.com>
fs: allow per-device dax status checking for filesystems
Martin Kaiser <martin@kaiser.cx>
mtd: rawnand: mxc: set spare area size register explicitly
Brad Love <brad@nextdimension.cc>
media: cx25840: Use subdev host data for PLL override
Rasmus Villemoes <linux@rasmusvillemoes.dk>
Kbuild: fix # escaping in .cmd files for future Make
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "dpaa_eth: fix error in dpaa_remove()"
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: truncate preallocated blocks in error case
Sakari Ailus <sakari.ailus@linux.intel.com>
media: vb2: core: Finish buffers at the end of the stream
Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
mm: hwpoison: disable memory error handling on 1GB hugepage
Rakib Mullick <rakib.mullick@gmail.com>
irq/core: Fix boot crash when the irqaffinity= boot parameter is passed on CPUMASK_OFFSTACK=y kernels(v1)
Daniel Rosenberg <drosen@google.com>
HID: debug: check length before copy_to_user()
Gustavo A. R. Silva <gustavo@embeddedor.com>
HID: hiddev: fix potential Spectre v1
Jason Andryuk <jandryuk@gmail.com>
HID: i2c-hid: Fix "incomplete report" noise
Ilya Dryomov <idryomov@gmail.com>
block: cope with WRITE ZEROES failing in blkdev_issue_zeroout()
Ilya Dryomov <idryomov@gmail.com>
block: factor out __blkdev_issue_zero_pages()
Jon Derrick <jonathan.derrick@intel.com>
ext4: check superblock mapped prior to committing
Theodore Ts'o <tytso@mit.edu>
ext4: add more mount time checks of the superblock
Theodore Ts'o <tytso@mit.edu>
ext4: add more inode number paranoia checks
Theodore Ts'o <tytso@mit.edu>
ext4: avoid running out of journal credits when appending to an inline file
Theodore Ts'o <tytso@mit.edu>
ext4: never move the system.data xattr out of the inode body
Theodore Ts'o <tytso@mit.edu>
ext4: clear i_data in ext4_inode_info when removing inline data
Theodore Ts'o <tytso@mit.edu>
ext4: include the illegal physical block in the bad map ext4_error msg
Theodore Ts'o <tytso@mit.edu>
ext4: verify the depth of extent tree in ext4_find_extent()
Theodore Ts'o <tytso@mit.edu>
ext4: only look at the bg_flags field if it is valid
Theodore Ts'o <tytso@mit.edu>
ext4: always check block group bounds in ext4_init_block_bitmap()
Theodore Ts'o <tytso@mit.edu>
ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
Theodore Ts'o <tytso@mit.edu>
ext4: always verify the magic number in xattr blocks
Theodore Ts'o <tytso@mit.edu>
ext4: add corruption check in ext4_xattr_set_entry()
Theodore Ts'o <tytso@mit.edu>
jbd2: don't mark block as modified if the handle is out of credits
Mikulas Patocka <mpatocka@redhat.com>
drm/udl: fix display corruption of the last line
Michel Dänzer <michel.daenzer@amd.com>
drm: Use kvzalloc for allocating blob property memory
Stefano Brivio <sbrivio@redhat.com>
cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
Paulo Alcantara <paulo@paulo.ac>
cifs: Fix infinite loop when using hard mount option
Paulo Alcantara <paulo@paulo.ac>
cifs: Fix memory leak in smb2_set_ea()
Lars Persson <lars.persson@axis.com>
cifs: Fix use after free of a mid_q_entry
Jason Gunthorpe <jgg@mellanox.com>
vfio: Use get_user_pages_longterm correctly
Lars Ellenberg <lars.ellenberg@linbit.com>
drbd: fix access after free
Christian Borntraeger <borntraeger@de.ibm.com>
s390: Correct register corruption in critical section cleanup
David Disseldorp <ddiss@suse.de>
scsi: target: Fix truncated PR-in ReadKeys response
Jann Horn <jannh@google.com>
scsi: sg: mitigate read/write abuse
Changbin Du <changbin.du@intel.com>
tracing: Fix missing return symbol in function_graph output
Cannon Matthews <cannonmatthews@google.com>
mm: hugetlb: yield when prepping struct pages
Janosch Frank <frankja@linux.ibm.com>
userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access
-------------
Diffstat:
Makefile | 4 +-
arch/s390/kernel/entry.S | 4 +-
block/blk-lib.c | 108 +++++++++++++++--------
drivers/block/drbd/drbd_worker.c | 2 +-
drivers/dax/super.c | 42 +++++----
drivers/gpu/drm/drm_property.c | 6 +-
drivers/gpu/drm/udl/udl_fb.c | 5 +-
drivers/gpu/drm/udl/udl_transfer.c | 11 ++-
drivers/hid/hid-debug.c | 8 +-
drivers/hid/i2c-hid/i2c-hid.c | 2 +-
drivers/hid/usbhid/hiddev.c | 11 +++
drivers/md/dm-table.c | 9 +-
drivers/md/dm.c | 6 +-
drivers/media/i2c/cx25840/cx25840-core.c | 28 ++++--
drivers/media/v4l2-core/videobuf2-core.c | 9 ++
drivers/mtd/chips/cfi_cmdset_0002.c | 30 +++++--
drivers/mtd/nand/mxc_nand.c | 5 +-
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
drivers/scsi/sg.c | 42 ++++++++-
drivers/staging/comedi/drivers/quatech_daqp_cs.c | 2 +-
drivers/target/target_core_pr.c | 15 ++--
drivers/vfio/vfio_iommu_type1.c | 16 ++--
fs/cifs/cifsglob.h | 1 +
fs/cifs/cifsproto.h | 1 +
fs/cifs/cifssmb.c | 10 ++-
fs/cifs/connect.c | 8 +-
fs/cifs/smb1ops.c | 1 +
fs/cifs/smb2ops.c | 3 +
fs/cifs/smb2pdu.c | 25 ++++--
fs/cifs/smb2transport.c | 1 +
fs/cifs/transport.c | 18 +++-
fs/ext2/super.c | 3 +-
fs/ext4/balloc.c | 21 +++--
fs/ext4/ext4.h | 8 --
fs/ext4/ext4_extents.h | 1 +
fs/ext4/extents.c | 6 ++
fs/ext4/ialloc.c | 14 ++-
fs/ext4/inline.c | 39 +-------
fs/ext4/inode.c | 7 +-
fs/ext4/mballoc.c | 6 +-
fs/ext4/super.c | 89 ++++++++++++++++---
fs/ext4/xattr.c | 40 ++++-----
fs/f2fs/file.c | 9 ++
fs/jbd2/transaction.c | 9 +-
fs/userfaultfd.c | 12 +--
fs/xfs/xfs_ioctl.c | 3 +-
fs/xfs/xfs_iops.c | 30 +++++--
fs/xfs/xfs_super.c | 10 ++-
include/linux/dax.h | 11 +--
include/linux/mm.h | 1 +
include/trace/events/sched.h | 4 +-
kernel/irq/irqdesc.c | 6 +-
kernel/trace/trace_functions_graph.c | 5 +-
mm/hugetlb.c | 1 +
mm/memory-failure.c | 16 ++++
mm/vmstat.c | 2 -
net/netfilter/nf_log.c | 9 +-
scripts/Kbuild.include | 5 +-
tools/build/Build.include | 5 +-
tools/objtool/Makefile | 2 +-
tools/scripts/Makefile.include | 2 +
61 files changed, 556 insertions(+), 255 deletions(-)
* [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
2018-07-10 18:24 [PATCH 4.14 00/53] 4.14.55-stable review Greg Kroah-Hartman
@ 2018-07-10 18:24 ` Greg Kroah-Hartman
0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-10 18:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jianhong Yin, Stefano Brivio,
Steve French
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Brivio <sbrivio@redhat.com>
commit f46ecbd97f508e68a7806291a139499794874f3d upstream.
A "small" CIFS buffer is not big enough in general to hold a
setacl request for SMB2, and we end up overflowing the buffer in
send_set_info(). For instance:
# mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
# touch /mnt/test/acltest
# getcifsacl /mnt/test/acltest
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-2926364953-924364008-418108241-1000
GROUP:S-1-22-2-1001
ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
ACL:S-1-22-2-1001:ALLOWED/0x0/R
ACL:S-1-22-2-1001:ALLOWED/0x0/R
ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
ACL:S-1-1-0:ALLOWED/0x0/R
# setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest
this setacl will cause the following KASAN splat:
[ 330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
[ 330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012
[ 330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
[ 330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 330.784395] Call Trace:
[ 330.784789] dump_stack+0xc2/0x16b
[ 330.786777] print_address_description+0x6a/0x270
[ 330.787520] kasan_report+0x258/0x380
[ 330.788845] memcpy+0x34/0x50
[ 330.789369] send_set_info+0x4dd/0xc20 [cifs]
[ 330.799511] SMB2_set_acl+0x76/0xa0 [cifs]
[ 330.801395] set_smb2_acl+0x7ac/0xf30 [cifs]
[ 330.830888] cifs_xattr_set+0x963/0xe40 [cifs]
[ 330.840367] __vfs_setxattr+0x84/0xb0
[ 330.842060] __vfs_setxattr_noperm+0xe6/0x370
[ 330.843848] vfs_setxattr+0xc2/0xd0
[ 330.845519] setxattr+0x258/0x320
[ 330.859211] path_setxattr+0x15b/0x1b0
[ 330.864392] __x64_sys_setxattr+0xc0/0x160
[ 330.866133] do_syscall_64+0x14e/0x4b0
[ 330.876631] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 330.878503] RIP: 0033:0x7ff2e507db0a
[ 330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
[ 330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
[ 330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
[ 330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
[ 330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
[ 330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
[ 330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550
[ 330.901057] Allocated by task 1012:
[ 330.902888] kasan_kmalloc+0xa0/0xd0
[ 330.904714] kmem_cache_alloc+0xc8/0x1d0
[ 330.906615] mempool_alloc+0x11e/0x380
[ 330.908496] cifs_small_buf_get+0x35/0x60 [cifs]
[ 330.910510] smb2_plain_req_init+0x4a/0xd60 [cifs]
[ 330.912551] send_set_info+0x198/0xc20 [cifs]
[ 330.914535] SMB2_set_acl+0x76/0xa0 [cifs]
[ 330.916465] set_smb2_acl+0x7ac/0xf30 [cifs]
[ 330.918453] cifs_xattr_set+0x963/0xe40 [cifs]
[ 330.920426] __vfs_setxattr+0x84/0xb0
[ 330.922284] __vfs_setxattr_noperm+0xe6/0x370
[ 330.924213] vfs_setxattr+0xc2/0xd0
[ 330.926008] setxattr+0x258/0x320
[ 330.927762] path_setxattr+0x15b/0x1b0
[ 330.929592] __x64_sys_setxattr+0xc0/0x160
[ 330.931459] do_syscall_64+0x14e/0x4b0
[ 330.933314] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 330.936843] Freed by task 0:
[ 330.938588] (stack is not available)
[ 330.941886] The buggy address belongs to the object at ffff88010d5e2800
which belongs to the cache cifs_small_rq of size 448
[ 330.946362] The buggy address is located 96 bytes inside of
448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
[ 330.950722] The buggy address belongs to the page:
[ 330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
[ 330.955665] flags: 0x17ffffc0008100(slab|head)
[ 330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
[ 330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 330.963005] page dumped because: kasan: bad access detected
[ 330.967039] Memory state around the buggy address:
[ 330.969255] ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 330.971833] ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 330.976956] ^
[ 330.979226] ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 330.981755] ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 330.984225] ==================================================================
Fix this by allocating a regular CIFS buffer in
smb2_plain_req_init() if the request command is SMB2_SET_INFO.
Reported-by: Jianhong Yin <jiyin@redhat.com>
Fixes: 366ed846df60 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-and-tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2pdu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -338,7 +338,10 @@ smb2_plain_req_init(__le16 smb2_command,
return rc;
/* BB eventually switch this to SMB2 specific small buf size */
- *request_buf = cifs_small_buf_get();
+ if (smb2_command == SMB2_SET_INFO)
+ *request_buf = cifs_buf_get();
+ else
+ *request_buf = cifs_small_buf_get();
if (*request_buf == NULL) {
/* BB should we add a retry in here if not a writepage? */
return -ENOMEM;
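Review bot: the SMB2_SET_INFO branch only raises the ceiling; nothing in this hunk bounds the caller-supplied payload against the buffer it now gets, and the KASAN report above shows a 696-byte memcpy reached from setxattr through cifs_xattr_set() and set_smb2_acl(), so a descriptor larger than a regular buffer would overflow the same way. Please add a length check against the regular buffer size before the copy in send_set_info(), and give this branch a one-line comment stating that an SMB2_SET_INFO request must be released with cifs_buf_release(), since choosing the pool here silently commits every release site to it; the "BB eventually switch this to SMB2 specific small buf size" comment now describes only the else branch.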
@@ -3168,7 +3171,7 @@ send_set_info(const unsigned int xid, st
}
rc = SendReceive2(xid, ses, iov, num, &resp_buftype, flags, &rsp_iov);
- cifs_small_buf_release(req);
+ cifs_buf_release(req);
rsp = (struct smb2_set_info_rsp *)rsp_iov.iov_base;
if (rc != 0)
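Review bot: switching this release to cifs_buf_release() is only correct if the req freed here came from the SMB2_SET_INFO branch added to smb2_plain_req_init() in the previous hunk, and this hunk does not show where send_set_info obtains req. Stefano notes in this thread that 4.14 lacks 2fc803efe614 ("cifs: remove rfc1002 header from smb2_set_info_req"), and Philip's 4.14.57 trace shows cifs_buf_release called from send_set_info hitting cache_from_obj()'s "Wrong slab cache" warning, followed by a general protection fault in the allocator, which is what a small-pool buffer freed as a regular buffer looks like. Before reapplying to 4.14.y, include the allocation line of send_set_info on that tree in the context and switch both sides together, or keep cifs_small_buf_release() here and bound the copy instead.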
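The two failure modes in this thread, the unbounded copy of a security descriptor into a fixed-size request buffer that the commit message describes and the allocate-from-one-pool, free-to-another mismatch in Philip's 4.14 trace, modelled in user-space C. This is an added example, not kernel or cifs code: the pool header, the request layout, the 16 KiB regular-buffer size and the command identifiers are assumptions of the example; only the 448-byte small object size and the 696-byte payload are taken from the KASAN report.

```c
/* Added example, not kernel code: a user-space model of this thread's two
 * failure modes. Only the 448-byte small object size and the 696-byte payload
 * come from the KASAN report; every other name, size and layout is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_BUF_SIZE 448u    /* cifs_small_rq object size, per the report */
#define LARGE_BUF_SIZE 16384u  /* assumed size of the regular request pool */
#define CMD_SET_INFO   0x0011  /* assumed command ids for this model */
#define CMD_OTHER      0x0005
enum pool_id { POOL_SMALL = 1, POOL_LARGE = 2 };
#define POOL_CAP(p) ((p) == POOL_SMALL ? SMALL_BUF_SIZE : LARGE_BUF_SIZE)

/* Header in front of every pooled buffer recording its origin (the kernel
 * keeps this on the slab page and cache_from_obj() checks it on free). */
struct pool_hdr { enum pool_id pool; size_t pad; };

static void *pool_get(enum pool_id pool)
{
	struct pool_hdr *h = calloc(1, sizeof *h + POOL_CAP(pool));
	if (!h)
		return NULL;
	h->pool = pool;
	return h + 1;
}

/* A release must name the pool the buffer came from; a mismatch is the "Wrong
 * slab cache" condition in Philip's trace and is refused (-1) here. */
static int pool_release(void *buf, enum pool_id pool)
{
	struct pool_hdr *h = (struct pool_hdr *)buf - 1;
	if (h->pool != pool)
		return -1;
	free(h);
	return 0;
}

/* Simplified SET_INFO request: fixed header, then the variable payload. */
struct set_info_req {
	uint16_t command;
	uint32_t buffer_length;
	uint8_t  buffer[];
};
#define REQ_HDR_SIZE offsetof(struct set_info_req, buffer)

/* 1 if header plus payload fits that pool's buffer, 0 if it would overflow;
 * the pre-fix code did its memcpy without this check. */
static int payload_fits(enum pool_id pool, size_t payload_len)
{
	return payload_len <= POOL_CAP(pool) - REQ_HDR_SIZE;
}

/* Build a request, or NULL if the payload does not fit; *pool_out records the
 * pool the caller must release it to. */
static struct set_info_req *build_set_info(uint16_t command, const void *payload,
					   size_t len, enum pool_id *pool_out)
{
	/* The fix's rule: SET_INFO gets the regular buffer, everything else small. */
	enum pool_id pool = command == CMD_SET_INFO ? POOL_LARGE : POOL_SMALL;
	struct set_info_req *req;
	if (!payload_fits(pool, len))
		return NULL;                    /* refuse rather than overflow */
	req = pool_get(pool);
	if (!req)
		return NULL;
	req->command = command;
	req->buffer_length = (uint32_t)len;
	memcpy(req->buffer, payload, len);      /* bounded by the check above */
	*pool_out = pool;
	return req;
}

/* End to end with a constructed 696-byte descriptor (the report's "Write of
 * size 696"; contents are filler). Returns 1 on success, 0 if refused. */
static int set_info_demo(uint16_t command)
{
	uint8_t sd[696];
	enum pool_id pool;
	struct set_info_req *req;
	memset(sd, 0xAB, sizeof sd);
	req = build_set_info(command, sd, sizeof sd, &pool);
	if (!req || req->buffer_length != sizeof sd || memcmp(req->buffer, sd, sizeof sd))
		return 0;
	return pool_release(req, pool) == 0;
}

/* The 4.14 regression: request still taken from the small pool but released
 * as a regular buffer. Returns pool_release()'s verdict, -1 here. */
static int mismatched_release_demo(void)
{
	void *req = pool_get(POOL_SMALL);
	int rc = req ? pool_release(req, POOL_LARGE) : -2;
	if (rc == -1)
		pool_release(req, POOL_SMALL);  /* then free it the right way */
	return rc;
}
```

payload_fits(POOL_SMALL, 696) returns 0 and payload_fits(POOL_LARGE, 696) returns 1, which is the effect of the fix; set_info_demo(CMD_SET_INFO) builds, checks and releases the request correctly, set_info_demo(CMD_OTHER) is refused rather than overflowing, and mismatched_release_demo() returns -1 because the buffer is handed back to a pool it did not come from, the condition the kernel reports as "Wrong slab cache" and that this model survives only because it refuses the free instead of corrupting its freelist.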
2018-07-25 16:06 [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting Philip Müller
2018-07-25 22:12 ` Stefano Brivio
2018-07-26 10:22 ` Greg Kroah-Hartman
2018-07-10 18:24 [PATCH 4.14 00/53] 4.14.55-stable review Greg Kroah-Hartman
2018-07-10 18:24 ` [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting Greg Kroah-Hartman