From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, luosili <rootlab@huawei.com>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 045/100] ksmbd: fix race condition with fp
Date: Wed, 3 Jan 2024 17:54:34 +0100
Message-ID: <20240103164902.800439898@linuxfoundation.org>
In-Reply-To: <20240103164856.169912722@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit 5a7ee91d1154f35418367a6eaae74046fd06ed89 ]
fp can be used in each command. If an smb2_close command is coming at the
same time, a UAF issue can happen by race condition.

                     Time
                       +
  Thread A             |  Thread B1 B2 .... B5
  smb2_open            |  smb2_close
                       |
   __open_id           |
   insert fp to        |
    file_table         |
                       |
                       |  atomic_dec_and_test(&fp->refcount)
                       |  if fp->refcount == 0, free fp by kfree.
   // UAF!             |
   use fp              |
                       +

This patch adds f_state so that a freed fp is not used and an fp in use
is not freed.
Reported-by: luosili <rootlab@huawei.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 4 +++-
fs/smb/server/vfs_cache.c | 23 ++++++++++++++++++++---
fs/smb/server/vfs_cache.h | 9 +++++++++
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 42697ea86d47b..d5bf1f480700a 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3370,8 +3370,10 @@ int smb2_open(struct ksmbd_work *work)
}
ksmbd_revert_fsids(work);
err_out1:
- if (!rc)
+ if (!rc) {
+ ksmbd_update_fstate(&work->sess->file_table, fp, FP_INITED);
rc = ksmbd_iov_pin_rsp(work, (void *)rsp, iov_len);
+ }
if (rc) {
if (rc == -EINVAL)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
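Review bot: the new ksmbd_update_fstate() call at err_out1 dereferences fp unconditionally, so it relies on every path that reaches this label with rc == 0 having a non-NULL fp; if any earlier `goto err_out1` can be taken before fp is allocated while rc is still 0, this becomes a NULL pointer dereference inside ksmbd_update_fstate(), which has no NULL check of its own. Suggest guarding only the state update, e.g. `if (!rc) {` / `if (fp)` / `ksmbd_update_fstate(&work->sess->file_table, fp, FP_INITED);`, and a one-line comment that FP_INITED is what makes the fp reachable through ksmbd_fp_get().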
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index 94ad8fa07b46e..f600279b0a9ee 100644
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -332,6 +332,9 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
static struct ksmbd_file *ksmbd_fp_get(struct ksmbd_file *fp)
{
+ if (fp->f_state != FP_INITED)
+ return NULL;
+
if (!atomic_inc_not_zero(&fp->refcount))
return NULL;
return fp;
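Review bot: the `fp->f_state != FP_INITED` test at the top of ksmbd_fp_get() reads f_state with no lock visible in this hunk, while the writers (ksmbd_update_fstate() and ksmbd_close_fd()) take write_lock(&ft->lock); the test is only race-free if every caller of ksmbd_fp_get() already holds ft->lock for read, which the hunk does not show. Suggest a comment on the function stating that requirement (or a lockdep_assert_held() annotation) so a future caller outside the lock does not silently reopen the window.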
@@ -381,15 +384,20 @@ int ksmbd_close_fd(struct ksmbd_work *work, u64 id)
return 0;
ft = &work->sess->file_table;
- read_lock(&ft->lock);
+ write_lock(&ft->lock);
fp = idr_find(ft->idr, id);
if (fp) {
set_close_state_blocked_works(fp);
- if (!atomic_dec_and_test(&fp->refcount))
+ if (fp->f_state != FP_INITED)
fp = NULL;
+ else {
+ fp->f_state = FP_CLOSED;
+ if (!atomic_dec_and_test(&fp->refcount))
+ fp = NULL;
+ }
}
- read_unlock(&ft->lock);
+ write_unlock(&ft->lock);
if (!fp)
return -EINVAL;
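Review bot: style nit in the new branch: once the else arm needs braces, the if arm `fp = NULL;` should get them too (coding-style.rst asks for braces on both arms when either needs them), i.e. `if (fp->f_state != FP_INITED) {` / `fp = NULL;` / `} else {`. On the logic, switching read_lock() to write_lock() is what makes the state test and the transition to FP_CLOSED atomic with respect to ksmbd_fp_get(); a short comment above write_lock(&ft->lock) saying why the close path now needs the write side would keep a later reader from "optimising" it back to a read lock.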
@@ -569,6 +577,7 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
fp->tcon = work->tcon;
fp->volatile_id = KSMBD_NO_FID;
fp->persistent_id = KSMBD_NO_FID;
+ fp->f_state = FP_NEW;
fp->f_ci = ksmbd_inode_get(fp);
if (!fp->f_ci) {
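Review bot: the explicit `fp->f_state = FP_NEW;` is the right default even though FP_NEW is 0, but nothing here says what it means; suggest a comment that a FP_NEW entry is deliberately invisible to ksmbd_fp_get() and refused by ksmbd_close_fd() until smb2_open() promotes it with ksmbd_update_fstate(), since the value has to be in place before the fp becomes reachable from the file table for the race to be closed.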
@@ -590,6 +599,14 @@ struct ksmbd_file *ksmbd_open_fd(struct ksmbd_work *work, struct file *filp)
return ERR_PTR(ret);
}
+void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
+ unsigned int state)
+{
+ write_lock(&ft->lock);
+ fp->f_state = state;
+ write_unlock(&ft->lock);
+}
+
static int
__close_file_table_ids(struct ksmbd_file_table *ft,
struct ksmbd_tree_connect *tcon,
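Review bot: ksmbd_update_fstate() is exported through vfs_cache.h but has no kernel-doc and does not check fp for NULL; suggest a kernel-doc block that documents the FP_NEW -> FP_INITED -> FP_CLOSED transitions it is meant for, states that it takes ft->lock for write (so callers must not already hold that lock), and either adds a NULL check or says explicitly that callers guarantee fp != NULL.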
diff --git a/fs/smb/server/vfs_cache.h b/fs/smb/server/vfs_cache.h
index fcb13413fa8d9..03d0bf941216f 100644
--- a/fs/smb/server/vfs_cache.h
+++ b/fs/smb/server/vfs_cache.h
@@ -60,6 +60,12 @@ struct ksmbd_inode {
__le32 m_fattr;
};
+enum {
+ FP_NEW = 0,
+ FP_INITED,
+ FP_CLOSED
+};
+
struct ksmbd_file {
struct file *filp;
u64 persistent_id;
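Review bot: the anonymous enum introduces a three-state lifecycle (FP_NEW, FP_INITED, FP_CLOSED) with no comment on which transitions are allowed or which lock guards them; a comment on the enum, and a name such as `enum ksmbd_fp_state` so f_state could carry the type, would make the invariant that only FP_INITED entries may be handed out by ksmbd_fp_get() explicit at the definition instead of only in the callers.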
@@ -98,6 +104,7 @@ struct ksmbd_file {
/* if ls is happening on directory, below is valid*/
struct ksmbd_readdir_data readdir_data;
int dot_dotdot[2];
+ unsigned int f_state;
};
static inline void set_ctx_actor(struct dir_context *ctx,
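Review bot: `unsigned int f_state;` lands at the end of struct ksmbd_file without a comment, although the neighbouring readdir fields carry one; a note such as `/* FP_NEW/FP_INITED/FP_CLOSED, protected by ksmbd_file_table.lock */` here would record the locking rule that the vfs_cache.c changes in this patch rely on.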
@@ -142,6 +149,8 @@ int ksmbd_close_inode_fds(struct ksmbd_work *work, struct inode *inode);
int ksmbd_init_global_file_table(void);
void ksmbd_free_global_file_table(void);
void ksmbd_set_fd_limit(unsigned long limit);
+void ksmbd_update_fstate(struct ksmbd_file_table *ft, struct ksmbd_file *fp,
+ unsigned int state);
/*
* INODE hash
--
2.43.0
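To make the race in the commit message and the effect of the f_state guard concrete, here is a deterministic userspace model of the lifecycle this patch introduces. It is an added example, not ksmbd code and not part of the patch: the model_* functions, the slot table, the plain int refcount and the `freed` flag are simplified stand-ins (assumptions), single-threaded calls stand in for ft->lock, and the `patched` flag switches between the pre-patch logic and the logic the hunks above add. It replays the interleaving from the commit message and the "closed fp is no longer handed out" guard that FP_CLOSED provides.

```c
/* Deterministic userspace model of the f_state guard this patch adds to
 * ksmbd_file. Added illustration, not ksmbd code: the model_* functions, the
 * slot table and the plain int refcount are simplified stand-ins (assumptions);
 * single-threaded calls stand in for ft->lock, and kfree() becomes a `freed`
 * flag so the losing interleaving is observed rather than executed. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

enum { FP_NEW = 0, FP_INITED, FP_CLOSED };   /* states from the patch */

struct model_file {
	int refcount;          /* atomic_t refcount in the real struct */
	unsigned int f_state;  /* ksmbd writes this under write_lock(&ft->lock) */
	bool freed;            /* model only: set where ksmbd calls kfree() */
};

static struct model_file *table[8];   /* stands in for the per-session idr */
/* ksmbd_open_fd() + __open_id(): fp is in the table while still FP_NEW. */
static void model_open_fd(struct model_file *fp, int id)
{
	*fp = (struct model_file){ .refcount = 1, .f_state = FP_NEW };
	table[id] = fp;
}

/* __ksmbd_close_fd(): last reference gone, unlink and free. */
static void model_free(struct model_file *fp, int id)
{
	if (table[id] == fp)
		table[id] = NULL;
	fp->freed = true;      /* kfree(fp) in the real code */
}

/* ksmbd_fp_get(): with patched=true only an FP_INITED file is handed out. */
static struct model_file *model_fp_get(int id, bool patched)
{
	struct model_file *fp = table[id];
	if (!fp || (patched && fp->f_state != FP_INITED) || fp->refcount == 0)
		return NULL;       /* atomic_inc_not_zero() fails on 0 */
	fp->refcount++;
	return fp;
}
static void model_fp_put(struct model_file *fp, int id)
{
	if (--fp->refcount == 0)
		model_free(fp, id);
}

/* ksmbd_close_fd(): patched=false reproduces the pre-patch logic. */
static int model_close_fd(int id, bool patched)
{
	struct model_file *fp = table[id];
	if (fp && patched && fp->f_state != FP_INITED) {
		fp = NULL;         /* FP_NEW or already FP_CLOSED: refuse */
	} else if (fp) {
		if (patched)
			fp->f_state = FP_CLOSED;
		if (--fp->refcount != 0)
			fp = NULL;     /* another holder drops it later */
	}
	if (!fp)
		return -EINVAL;
	model_free(fp, id);
	return 0;
}

/* Commit-message interleaving: B closes before A is done with fp. 1 = UAF. */
static int run_race(bool patched)
{
	struct model_file f;
	int id = 3, uaf;
	model_open_fd(&f, id);                 /* Thread A: __open_id */
	(void)model_close_fd(id, patched);     /* Thread B: smb2_close */
	uaf = f.freed;                         /* Thread A: use fp */
	if (!uaf) {
		f.f_state = FP_INITED;         /* ksmbd_update_fstate() in smb2_open */
		assert(model_close_fd(id, patched) == 0);   /* a later close works */
	}
	return uaf;
}

/* Second guard: a closed fp is FP_CLOSED and cannot be looked up again. */
static int lookup_after_close(bool patched)
{
	struct model_file f, *reader, *late;
	int id = 5;
	model_open_fd(&f, id);
	f.f_state = FP_INITED;                             /* ksmbd_update_fstate() */
	reader = model_fp_get(id, patched);                /* e.g. a read in flight */
	assert(model_close_fd(id, patched) == -EINVAL);    /* reader still holds it */
	late = model_fp_get(id, patched);
	if (late)
		model_fp_put(late, id);
	model_fp_put(reader, id);                          /* last put frees */
	assert(f.freed);
	return late != NULL;
}
```

With `patched = false`, run_race() reports that thread A reads an fp the close path already freed; with `patched = true` the close is refused with -EINVAL while the entry is FP_NEW, and lookup_after_close() shows that once the entry is FP_CLOSED no further command can obtain it even though an in-flight holder still keeps it alive until its put. The model is single-threaded on purpose: it reproduces the ordering, not the timing, so the outcome is the same on every run.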