From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, David Disseldorp <ddiss@suse.de>,
"Paulo Alcantara (SUSE)" <pc@manguebit.com>,
Ronnie Sahlberg <lsahlber@redhat.com>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 5.4 090/104] cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
Date: Mon, 3 Apr 2023 16:09:22 +0200 [thread overview]
Message-ID: <20230403140407.685114272@linuxfoundation.org> (raw)
In-Reply-To: <20230403140403.549815164@linuxfoundation.org>
From: David Disseldorp <ddiss@suse.de>
commit 179a88a8558bbf42991d361595281f3e45d7edfc upstream.
When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount
is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to
S_AUTOMOUNT and corresponding dentry flags is retained regardless of
CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in
VFS follow_automount() when traversing a DFS referral link:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
Call Trace:
<TASK>
__traverse_mounts+0xb5/0x220
? cifs_revalidate_mapping+0x65/0xc0 [cifs]
step_into+0x195/0x610
? lookup_fast+0xe2/0xf0
path_lookupat+0x64/0x140
filename_lookup+0xc2/0x140
? __create_object+0x299/0x380
? kmem_cache_alloc+0x119/0x220
? user_path_at_empty+0x31/0x50
user_path_at_empty+0x31/0x50
__x64_sys_chdir+0x2a/0xd0
? exit_to_user_mode_prepare+0xca/0x100
do_syscall_64+0x42/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler
when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to
avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This
approach was chosen as it provides more control over the error path.
Signed-off-by: David Disseldorp <ddiss@suse.de>
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsfs.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/cifs/cifsfs.h
+++ b/fs/cifs/cifsfs.h
@@ -125,7 +125,10 @@ extern const struct dentry_operations ci
#ifdef CONFIG_CIFS_DFS_UPCALL
extern struct vfsmount *cifs_dfs_d_automount(struct path *path);
#else
-#define cifs_dfs_d_automount NULL
+static inline struct vfsmount *cifs_dfs_d_automount(struct path *path)
+{
+ return ERR_PTR(-EREMOTE);
+}
#endif
/* Functions related to symlinks */
next prev parent reply other threads:[~2023-04-03 14:22 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 14:07 [PATCH 5.4 000/104] 5.4.240-rc1 review Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 001/104] net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 002/104] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 003/104] iavf: fix inverted Rx hash condition leading to disabled hash Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 004/104] iavf: fix non-tunneled IPv6 UDP packet type and hashing Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 005/104] intel/igbvf: free irq on the error path in igbvf_request_msix() Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 006/104] igbvf: Regard vf reset nack as success Greg Kroah-Hartman
2023-04-03 14:07 ` [PATCH 5.4 007/104] i2c: imx-lpi2c: check only for enabled interrupt flags Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 008/104] scsi: scsi_dh_alua: Fix memleak for qdata in alua_activate() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 009/104] net: usb: smsc95xx: Limit packet length to skb->len Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 010/104] qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 011/104] xirc2ps_cs: Fix use after free bug in xirc2ps_detach Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 012/104] net: qcom/emac: Fix use after free bug in emac_remove due to race condition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 013/104] net/ps3_gelic_net: Fix RX sk_buff length Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 014/104] net/ps3_gelic_net: Use dma_mapping_error Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 015/104] keys: Do not cache key in task struct if key is requested from kernel thread Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 016/104] bpf: Adjust insufficient default bpf_jit_limit Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 017/104] net/mlx5: Read the TC mapping of all priorities on ETS query Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 018/104] atm: idt77252: fix kmemleak when rmmod idt77252 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 019/104] erspan: do not use skb_mac_header() in ndo_start_xmit() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 020/104] net/sonic: use dma_mapping_error() for error check Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 021/104] nvme-tcp: fix nvme_tcp_term_pdu to match spec Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 022/104] hvc/xen: prevent concurrent accesses to the shared ring Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 023/104] net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII case Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 024/104] net: mdio: thunder: Add missing fwnode_handle_put() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 025/104] Bluetooth: btqcomsmd: Fix command timeout after setting BD address Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 026/104] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 027/104] platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 028/104] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 029/104] scsi: qla2xxx: Perform lockless command completion in abort path Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 030/104] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 031/104] thunderbolt: Use const qualifier for `ring_interrupt_index` Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 032/104] riscv: Bump COMMAND_LINE_SIZE value to 1024 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 033/104] ca8210: fix mac_len negative array access Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 034/104] m68k: Only force 030 bus error if PC not in exception table Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 035/104] selftests/bpf: check that modifier resolves after pointer Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 036/104] scsi: target: iscsi: Fix an error message in iscsi_check_key() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 037/104] scsi: ufs: core: Add soft dependency on governor_simpleondemand Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 038/104] scsi: lpfc: Avoid usage of list iterator variable after loop Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 039/104] net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 040/104] net: usb: qmi_wwan: add Telit 0x1080 composition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 041/104] sh: sanitize the flags on sigreturn Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 042/104] cifs: empty interface list when server doesnt support query interfaces Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 043/104] scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 044/104] usb: gadget: u_audio: dont let userspace block driver unbind Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 045/104] fsverity: Remove WQ_UNBOUND from fsverity read workqueue Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 046/104] igb: revert rtnl_lock() that causes deadlock Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 047/104] dm thin: fix deadlock when swapping to thin device Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 048/104] usb: cdns3: Fix issue with using incorrect PCI device function Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 049/104] usb: chipdea: core: fix return -EINVAL if request role is the same with current role Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 050/104] usb: chipidea: core: fix possible concurrent when switch role Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 051/104] wifi: mac80211: fix qos on mesh interfaces Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 052/104] nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 053/104] i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 054/104] dm stats: check for and propagate alloc_percpu failure Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 055/104] dm crypt: add cond_resched() to dmcrypt_write() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 056/104] sched/fair: sanitize vruntime of entity being placed Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 057/104] sched/fair: Sanitize vruntime of entity being migrated Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 058/104] tun: avoid double free in tun_free_netdev Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 059/104] ocfs2: fix data corruption after failed write Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 060/104] fsverity: dont drop pagecache at end of FS_IOC_ENABLE_VERITY Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 061/104] bus: imx-weim: fix branch condition evaluates to a garbage value Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 062/104] md: avoid signed overflow in slot_store() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 063/104] ALSA: asihpi: check pao in control_message() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 064/104] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 065/104] fbdev: tgafb: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 066/104] sched_getaffinity: dont assume cpumask_size() is fully initialized Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.4 067/104] fbdev: nvidia: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 068/104] fbdev: intelfb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 069/104] fbdev: lxfb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 070/104] fbdev: au1200fb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 071/104] ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 072/104] dma-mapping: drop the dev argument to arch_sync_dma_for_* Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 073/104] mips: bmips: BCM6358: disable RAC flush for TP1 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 074/104] mtd: rawnand: meson: invalidate cache on polling ECC bit Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 075/104] scsi: megaraid_sas: Fix crash after a double completion Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 076/104] ptp_qoriq: fix memory leak in probe() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 077/104] regulator: fix spelling mistake "Cant" -> "Cant" Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 078/104] regulator: Handle deferred clk Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 079/104] net/net_failover: fix txq exceeding warning Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 080/104] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 081/104] s390/vfio-ap: fix memory leak in vfio_ap device driver Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 082/104] i40e: fix registers dump after run ethtool adapter self test Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 083/104] bnxt_en: Fix typo in PCI id to device description string mapping Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 084/104] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 085/104] net: mvneta: make tx buffer array agnostic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 086/104] pinctrl: ocelot: Fix alt mode for ocelot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 087/104] Input: alps - fix compatibility with -funsigned-char Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 088/104] Input: focaltech - use explicitly signed char type Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 089/104] cifs: prevent infinite recursion in CIFSGetDFSRefer() Greg Kroah-Hartman
2023-04-03 14:09 ` Greg Kroah-Hartman [this message]
2023-04-03 14:09 ` [PATCH 5.4 091/104] Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 092/104] xen/netback: dont do grant copy across page boundary Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 093/104] pinctrl: at91-pio4: fix domain name assignment Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 094/104] NFSv4: Fix hangs when recovering open state after a server reboot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 095/104] ALSA: hda/conexant: Partial revert of a quirk for Lenovo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 096/104] ALSA: usb-audio: Fix regression on detection of Roland VS-100 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 097/104] drm/etnaviv: fix reference leak when mmaping imported buffer Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 098/104] s390/uaccess: add missing earlyclobber annotations to __clear_user() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 099/104] btrfs: scan device in non-exclusive mode Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 100/104] ext4: fix kernel BUG in ext4_write_inline_data_end() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 101/104] net_sched: add __rcu annotation to netdev->qdisc Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 102/104] net: sched: fix race condition in qdisc_graft() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 103/104] firmware: arm_scmi: Fix device node validation for mailbox transport Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.4 104/104] gfs2: Always check inode size of inline inodes Greg Kroah-Hartman
2023-04-03 23:05 ` [PATCH 5.4 000/104] 5.4.240-rc1 review Shuah Khan
2023-04-04 6:21 ` Naresh Kamboju
2023-04-04 10:51 ` Chris Paterson
2023-04-04 17:21 ` Florian Fainelli
2023-04-04 20:33 ` Tom Saeger
2023-04-05 9:33 ` Greg Kroah-Hartman
2023-04-05 19:50 ` Tom Saeger
2023-04-04 21:25 ` Guenter Roeck
2023-04-05 6:08 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230403140407.685114272@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ddiss@suse.de \
--cc=lsahlber@redhat.com \
--cc=patches@lists.linux.dev \
--cc=pc@manguebit.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox