From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ronnie Sahlberg, Pavel Shilovsky, Steve French
Subject: [PATCH 5.3 169/197] CIFS: Fix use after free of file info structures
Date: Sun, 27 Oct 2019 22:01:27 +0100
Message-Id: <20191027203403.639707713@linuxfoundation.org>
In-Reply-To: <20191027203351.684916567@linuxfoundation.org>
References: <20191027203351.684916567@linuxfoundation.org>

From: Pavel Shilovsky

commit 1a67c415965752879e2e9fad407bc44fc7f25f23 upstream.

Currently the code assumes that if a file info entry belongs to lists of open file handles of an inode and a tcon then it has non-zero reference. The recent changes broke that assumption when putting the last reference of the file info. There may be a situation when a file is being deleted but nothing prevents another thread from referencing it again and starting to use it. This happens because we do not hold the inode list lock while checking the number of references of the file info structure. Fix this by doing the proper locking when doing the check.

Fixes: 487317c99477d ("cifs: add spinlock for the openFileList to cifsInodeInfo")
Fixes: cb248819d209d ("cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic")
Cc: Stable
Reviewed-by: Ronnie Sahlberg
Signed-off-by: Pavel Shilovsky
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman
---
 fs/cifs/file.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -405,10 +405,11 @@ void _cifsFileInfo_put(struct cifsFileIn bool oplock_break_cancelled; spin_lock(&tcon->open_file_lock); - + spin_lock(&cifsi->open_file_lock); spin_lock(&cifs_file->file_info_lock); if (--cifs_file->count > 0) { spin_unlock(&cifs_file->file_info_lock); + spin_unlock(&cifsi->open_file_lock); spin_unlock(&tcon->open_file_lock); return; } @@ -421,9 +422,7 @@ void _cifsFileInfo_put(struct cifsFileIn cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open); /* remove it from the lists */ - spin_lock(&cifsi->open_file_lock); list_del(&cifs_file->flist); - spin_unlock(&cifsi->open_file_lock); list_del(&cifs_file->tlist); atomic_dec(&tcon->num_local_opens); @@ -440,6 +439,7 @@ void _cifsFileInfo_put(struct cifsFileIn cifs_set_oplock_level(cifsi, 0); } + spin_unlock(&cifsi->open_file_lock); spin_unlock(&tcon->open_file_lock); oplock_break_cancelled = wait_oplock_handler ?
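Review bot: the first hunk (@@ -405) fixes the acquisition order as tcon->open_file_lock, then cifsi->open_file_lock, then cifs_file->file_info_lock, and the early-return path now releases cifsi->open_file_lock before tcon->open_file_lock; check that every other path that takes both the tcon and inode list locks uses the same tcon-then-inode order, since a caller taking them the other way round would now be able to deadlock against _cifsFileInfo_put. The removed blank line after the first spin_lock is purely cosmetic and could be left out to keep the hunk minimal.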
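Review bot: in the second hunk (@@ -421) the inner lock/unlock pair around list_del(&cifs_file->flist) is dropped, so the unlink now happens under the cifsi->open_file_lock taken at the top of the function, which is what closes the window between the count check and the removal; the "/* remove it from the lists */" comment would be a good place to state that both tcon->open_file_lock and cifsi->open_file_lock must already be held here, so a later refactor does not reintroduce a release between the check and the list_del. list_del(&cifs_file->tlist) is likewise covered by the tcon lock held since the start of the function.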
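Review bot: the unlock order in the third hunk (@@ -440), cifsi->open_file_lock then tcon->open_file_lock, correctly mirrors the acquisition order; verify that no exit from _cifsFileInfo_put between the count check and this point returns without releasing cifsi->open_file_lock, since the patch only adds unlocks on the early-return path and here. The wait_oplock_handler call that follows remains outside both spinlocks, which it must, as a wait cannot happen with a spinlock held.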
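The race the commit message describes, as an added single-threaded model that is not kernel code: the struct, the one-entry list, the lock flag and the function names are invented here to show why the reference-count check must happen with the inode list lock held. A second thread's lookup is injected into the window between the count check and list_del, first with the pre-patch locking and then with the patched locking.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added model, not kernel code. One entry sits on an inode's open-file list;
 * lookups walk that list under list_locked and take a reference, while put
 * drops a reference and frees the entry once the count reaches zero. */
struct file_info { int count; bool freed; };

static struct file_info *open_list;   /* models cifsi->openFileList (one entry) */
static bool list_locked;              /* models cifsi->open_file_lock */

/* Lookup path (the other thread). Returns the entry with a new reference, or
 * NULL if the list is empty or the lock is held (a real thread would spin). */
static struct file_info *lookup_get(void) {
    if (list_locked || open_list == NULL) return NULL;
    open_list->count++;               /* cifsFileInfo_get */
    return open_list;
}

/* Put path with the racing lookup run in the window between the count check
 * and list_del. hold_list_lock=false models the code before the patch, true
 * the code after it. Returns true if the lookup ends up holding a reference
 * to an entry that has already been freed. */
static bool put_with_concurrent_lookup(struct file_info *f, bool hold_list_lock) {
    if (hold_list_lock) list_locked = true;      /* patched: taken with tcon lock */
    if (--f->count > 0) { list_locked = false; return false; }

    struct file_info *other = lookup_get();      /* racing thread runs here */

    if (!hold_list_lock) list_locked = true;     /* old: lock only around list_del */
    open_list = NULL;                            /* list_del(&cifs_file->flist) */
    list_locked = false;
    f->freed = true;                             /* kfree(cifs_file) */

    if (other == NULL) other = lookup_get();     /* retried after unlock: list empty */
    return other != NULL && other->freed;
}

static bool race_before_fix(void) {
    struct file_info f = { .count = 1, .freed = false };
    open_list = &f; list_locked = false;
    return put_with_concurrent_lookup(&f, false); /* true: use after free */
}

static bool race_after_fix(void) {
    struct file_info f = { .count = 1, .freed = false };
    open_list = &f; list_locked = false;
    return put_with_concurrent_lookup(&f, true);  /* false: lookup sees an empty list */
}
```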