From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Vincent Whitchurch <vincent.whitchurch@axis.com>,
Steve French <stfrench@microsoft.com>,
"Paulo Alcantara (SUSE)" <pc@cjr.nz>,
Pavel Shilovsky <pshilov@microsoft.com>
Subject: [PATCH 5.5 29/56] CIFS: Fix task struct use-after-free on reconnect
Date: Thu, 30 Jan 2020 19:38:46 +0100 [thread overview]
Message-ID: <20200130183614.397453624@linuxfoundation.org> (raw)
In-Reply-To: <20200130183608.849023566@linuxfoundation.org>
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
commit f1f27ad74557e39f67a8331a808b860f89254f2d upstream.
The task which created the MID may be gone by the time cifsd attempts to
call the callbacks on MIDs from cifs_reconnect().
This leads to a use-after-free of the task struct in cifs_wake_up_task:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x31a0/0x3270
Read of size 8 at addr ffff8880103e3a68 by task cifsd/630
CPU: 0 PID: 630 Comm: cifsd Not tainted 5.5.0-rc6+ #119
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
dump_stack+0x8e/0xcb
print_address_description.constprop.5+0x1d3/0x3c0
? __lock_acquire+0x31a0/0x3270
__kasan_report+0x152/0x1aa
? __lock_acquire+0x31a0/0x3270
? __lock_acquire+0x31a0/0x3270
kasan_report+0xe/0x20
__lock_acquire+0x31a0/0x3270
? __wake_up_common+0x1dc/0x630
? _raw_spin_unlock_irqrestore+0x4c/0x60
? mark_held_locks+0xf0/0xf0
? _raw_spin_unlock_irqrestore+0x39/0x60
? __wake_up_common_lock+0xd5/0x130
? __wake_up_common+0x630/0x630
lock_acquire+0x13f/0x330
? try_to_wake_up+0xa3/0x19e0
_raw_spin_lock_irqsave+0x38/0x50
? try_to_wake_up+0xa3/0x19e0
try_to_wake_up+0xa3/0x19e0
? cifs_compound_callback+0x178/0x210
? set_cpus_allowed_ptr+0x10/0x10
cifs_reconnect+0xa1c/0x15d0
? generic_ip_connect+0x1860/0x1860
? rwlock_bug.part.0+0x90/0x90
cifs_readv_from_socket+0x479/0x690
cifs_read_from_socket+0x9d/0xe0
? cifs_readv_from_socket+0x690/0x690
? mempool_resize+0x690/0x690
? rwlock_bug.part.0+0x90/0x90
? memset+0x1f/0x40
? allocate_buffers+0xff/0x340
cifs_demultiplex_thread+0x388/0x2a50
? cifs_handle_standard+0x610/0x610
? rcu_read_lock_held_common+0x120/0x120
? mark_lock+0x11b/0xc00
? __lock_acquire+0x14ed/0x3270
? __kthread_parkme+0x78/0x100
? lockdep_hardirqs_on+0x3e8/0x560
? lock_downgrade+0x6a0/0x6a0
? lockdep_hardirqs_on+0x3e8/0x560
? _raw_spin_unlock_irqrestore+0x39/0x60
? cifs_handle_standard+0x610/0x610
kthread+0x2bb/0x3a0
? kthread_create_worker_on_cpu+0xc0/0xc0
ret_from_fork+0x3a/0x50
Allocated by task 649:
save_stack+0x19/0x70
__kasan_kmalloc.constprop.5+0xa6/0xf0
kmem_cache_alloc+0x107/0x320
copy_process+0x17bc/0x5370
_do_fork+0x103/0xbf0
__x64_sys_clone+0x168/0x1e0
do_syscall_64+0x9b/0xec0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
save_stack+0x19/0x70
__kasan_slab_free+0x11d/0x160
kmem_cache_free+0xb5/0x3d0
rcu_core+0x52f/0x1230
__do_softirq+0x24d/0x962
The buggy address belongs to the object at ffff8880103e32c0
which belongs to the cache task_struct of size 6016
The buggy address is located 1960 bytes inside of
6016-byte region [ffff8880103e32c0, ffff8880103e4a40)
The buggy address belongs to the page:
page:ffffea000040f800 refcount:1 mapcount:0 mapping:ffff8880108da5c0
index:0xffff8880103e4c00 compound_mapcount: 0
raw: 4000000000010200 ffffea00001f2208 ffffea00001e3408 ffff8880108da5c0
raw: ffff8880103e4c00 0000000000050003 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880103e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880103e3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880103e3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880103e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880103e3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
This can be reliably reproduced by adding the below delay to
cifs_reconnect(), running find(1) on the mount, restarting the samba
server while find is running, and killing find during the delay:
spin_unlock(&GlobalMid_Lock);
mutex_unlock(&server->srv_mutex);
+ msleep(10000);
+
cifs_dbg(FYI, "%s: issuing mid callbacks\n", __func__);
list_for_each_safe(tmp, tmp2, &retry_list) {
mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
Fix this by holding a reference to the task struct until the MID is
freed.
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsglob.h | 1 +
fs/cifs/smb2transport.c | 2 ++
fs/cifs/transport.c | 3 +++
3 files changed, 6 insertions(+)
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1588,6 +1588,7 @@ struct mid_q_entry {
mid_callback_t *callback; /* call completion callback */
mid_handle_t *handle; /* call handle mid callback */
void *callback_data; /* general purpose pointer for callback */
+ struct task_struct *creator;
void *resp_buf; /* pointer to received SMB header */
unsigned int resp_buf_size;
int mid_state; /* wish this were enum but can not pass to wait_event */
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -685,6 +685,8 @@ smb2_mid_entry_alloc(const struct smb2_s
* The default is for the mid to be synchronous, so the
* default callback just wakes up the current task.
*/
+ get_task_struct(current);
+ temp->creator = current;
temp->callback = cifs_wake_up_task;
temp->callback_data = current;
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -76,6 +76,8 @@ AllocMidQEntry(const struct smb_hdr *smb
* The default is for the mid to be synchronous, so the
* default callback just wakes up the current task.
*/
+ get_task_struct(current);
+ temp->creator = current;
temp->callback = cifs_wake_up_task;
temp->callback_data = current;
@@ -158,6 +160,7 @@ static void _cifs_mid_q_entry_release(st
}
}
#endif
+ put_task_struct(midEntry->creator);
mempool_free(midEntry, cifs_mid_poolp);
}
next prev parent reply other threads:[~2020-01-30 18:40 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-30 18:38 [PATCH 5.5 00/56] 5.5.1-stable review Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 01/56] Bluetooth: btusb: fix non-atomic allocation in completion handler Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 02/56] orinoco_usb: fix interface sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 03/56] rsi_91x_usb: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 04/56] usb: dwc3: pci: add ID for the Intel Comet Lake -V variant Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 05/56] usb: host: xhci-tegra: set MODULE_FIRMWARE for tegra186 Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 06/56] USB: serial: ir-usb: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 07/56] USB: serial: ir-usb: fix link-speed handling Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 08/56] USB: serial: ir-usb: fix IrLAP framing Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 09/56] usb: dwc3: turn off VBUS when leaving host mode Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 10/56] usb: typec: wcove: fix "op-sink-microwatt" default that was in mW Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 11/56] usb: typec: fusb302: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 12/56] staging: most: net: fix buffer overflow Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 13/56] staging: wlan-ng: ensure error return is actually returned Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 14/56] staging: vt6656: correct packet types for CTS protect, mode Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 15/56] staging: vt6656: use NULLFUCTION stack on mac80211 Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 16/56] staging: vt6656: Fix false Tx excessive retries reporting Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 17/56] serial: 8250_bcm2835aux: Fix line mismatch on driver unbind Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 18/56] serial: imx: fix a race condition in receive path Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 19/56] debugfs: Return -EPERM when locked down Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 20/56] component: do not dereference opaque pointer in debugfs Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 21/56] binder: fix log spam for existing debugfs file creation Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 22/56] mei: hdcp: bind only with i915 on the same PCH Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 23/56] mei: me: add comet point (lake) H device ids Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 24/56] mei: me: add jasper point DID Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 25/56] iio: adc: stm32-dfsdm: fix single conversion Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 26/56] iio: st_gyro: Correct data for LSM9DS0 gyro Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 27/56] driver core: Fix test_async_driver_probe if NUMA is disabled Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 28/56] crypto: chelsio - fix writing tfm flags to wrong place Greg Kroah-Hartman
2020-01-30 18:38 ` Greg Kroah-Hartman [this message]
2020-01-30 18:38 ` [PATCH 5.5 30/56] cifs: set correct max-buffer-size for smb2_ioctl_init() Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 31/56] cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 32/56] ath9k: fix storage endpoint lookup Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 33/56] brcmfmac: fix interface sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 34/56] rtl8xxxu: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 35/56] zd1211rw: fix storage endpoint lookup Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 36/56] mvneta driver disallow XDP program on hardware buffer management Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 37/56] net_sched: ematch: reject invalid TCF_EM_SIMPLE Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 38/56] net_sched: fix ops->bind_class() implementations Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 39/56] net_sched: walk through all child classes in tc_bind_tclass() Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 40/56] net: socionext: fix possible user-after-free in netsec_process_rx Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 41/56] net: socionext: fix xdp_result initialization " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 42/56] udp: segment looped gso packets correctly Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 43/56] mlxsw: minimal: Fix an error handling path in mlxsw_m_port_create() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 44/56] net: include struct nhmsg size in nh nlmsg size Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 45/56] rxrpc: Fix use-after-free in rxrpc_receive_data() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 46/56] rsi: fix use-after-free on failed probe and unbind Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 47/56] rsi: fix use-after-free on probe errors Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 48/56] rsi: fix memory leak on failed URB submission Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 49/56] rsi: fix non-atomic allocation in completion handler Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 50/56] crypto: af_alg - Use bh_lock_sock in sk_destruct Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 51/56] crypto: vmx - reject xts inputs that are too short Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 52/56] crypto: caam - do not reset pointer size from MCFGR register Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 53/56] crypto: pcrypt - Fix user-after-free on module unload Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 54/56] KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 55/56] Revert "um: Enable CONFIG_CONSTRUCTORS" Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 56/56] power/supply: ingenic-battery: Dont change scale if theres only one Greg Kroah-Hartman
2020-01-31 4:40 ` [PATCH 5.5 00/56] 5.5.1-stable review shuah
2020-01-31 6:06 ` Greg Kroah-Hartman
2020-01-31 11:04 ` Jon Hunter
2020-01-31 21:24 ` Greg Kroah-Hartman
2020-01-31 14:54 ` Naresh Kamboju
2020-01-31 21:26 ` Greg Kroah-Hartman
2020-01-31 17:32 ` Guenter Roeck
2020-01-31 21:25 ` Greg Kroah-Hartman
2020-01-31 22:33 ` Jeffrin Jose
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200130183614.397453624@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pc@cjr.nz \
--cc=pshilov@microsoft.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=vincent.whitchurch@axis.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).