From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Rohith Surabattula , Pavel Shilovsky , Steve French
Subject: [PATCH 5.9 017/152] smb3: Avoid Mid pending list corruption
Date: Tue, 1 Dec 2020 09:52:12 +0100
Message-Id: <20201201084714.127688902@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201201084711.707195422@linuxfoundation.org>
References: <20201201084711.707195422@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rohith Surabattula

commit ac873aa3dc21707c47db5db6608b38981c731afe upstream.

When reconnect happens, the Mid queue can be corrupted when both the demultiplex and offload threads try to dequeue the MID from the pending list.

These patches address a problem found during decryption offload:

CIFS: VFS: trying to dequeue a deleted mid that could cause a refcount use after free:
Workqueue: smb3decryptd smb2_decrypt_offload [cifs]

Signed-off-by: Rohith Surabattula
Reviewed-by: Pavel Shilovsky
CC: Stable #5.4+
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman
---
 fs/cifs/smb2ops.c | 55 +++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 9 deletions(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -262,7 +262,7 @@ smb2_revert_current_mid(struct TCP_Serve } static struct mid_q_entry * -smb2_find_mid(struct TCP_Server_Info *server, char *buf) +__smb2_find_mid(struct TCP_Server_Info *server, char *buf, bool dequeue) { struct mid_q_entry *mid; struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)buf;
@@ -279,6 +279,10 @@ smb2_find_mid(struct TCP_Server_Info *se (mid->mid_state == MID_REQUEST_SUBMITTED) && (mid->command == shdr->Command)) { kref_get(&mid->refcount); + if (dequeue) { + list_del_init(&mid->qhead); + mid->mid_flags |= MID_DELETED; + } spin_unlock(&GlobalMid_Lock); return mid; } @@ -287,6 +291,18 @@ smb2_find_mid(struct TCP_Server_Info *se return NULL; } +static struct mid_q_entry * +smb2_find_mid(struct TCP_Server_Info *server, char *buf) +{ + return __smb2_find_mid(server, buf, false); +} + +static struct mid_q_entry * +smb2_find_dequeue_mid(struct TCP_Server_Info *server, char *buf) +{ + return __smb2_find_mid(server, buf, true); +} + static void smb2_dump_detail(void *buf, struct TCP_Server_Info *server) { @@ -4260,7 +4276,10 @@ handle_read_data(struct TCP_Server_Info cifs_dbg(FYI, "%s: server returned error %d\n", __func__, rdata->result); /* normal error on read response */ - dequeue_mid(mid, false); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_RECEIVED; + else + dequeue_mid(mid, false); return 0; } @@ -4284,7 +4303,10 @@ handle_read_data(struct TCP_Server_Info cifs_dbg(FYI, "%s: data offset (%u) beyond end of smallbuf\n", __func__, data_offset); rdata->result = -EIO; - dequeue_mid(mid, rdata->result); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_MALFORMED; + else + dequeue_mid(mid, rdata->result); return 0; } 
@@ -4300,21 +4322,30 @@ handle_read_data(struct TCP_Server_Info cifs_dbg(FYI, "%s: data offset (%u) beyond 1st page of response\n", __func__, data_offset); rdata->result = -EIO; - dequeue_mid(mid, rdata->result); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_MALFORMED; + else + dequeue_mid(mid, rdata->result); return 0; } if (data_len > page_data_size - pad_len) { /* data_len is corrupt -- discard frame */ rdata->result = -EIO; - dequeue_mid(mid, rdata->result); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_MALFORMED; + else + dequeue_mid(mid, rdata->result); return 0; } rdata->result = init_read_bvec(pages, npages, page_data_size, cur_off, &bvec); if (rdata->result != 0) { - dequeue_mid(mid, rdata->result); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_MALFORMED; + else + dequeue_mid(mid, rdata->result); return 0; } @@ -4329,7 +4360,10 @@ handle_read_data(struct TCP_Server_Info /* read response payload cannot be in both buf and pages */ WARN_ONCE(1, "buf can not contain only a part of read data"); rdata->result = -EIO; - dequeue_mid(mid, rdata->result); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_MALFORMED; + else + dequeue_mid(mid, rdata->result); return 0; } @@ -4340,7 +4374,10 @@ handle_read_data(struct TCP_Server_Info if (length < 0) return length; - dequeue_mid(mid, false); + if (is_offloaded) + mid->mid_state = MID_RESPONSE_RECEIVED; + else + dequeue_mid(mid, false); return length; } @@ -4369,7 +4406,7 @@ static void smb2_decrypt_offload(struct } dw->server->lstrp = jiffies; - mid = smb2_find_mid(dw->server, dw->buf); + mid = smb2_find_dequeue_mid(dw->server, dw->buf); if (mid == NULL) cifs_dbg(FYI, "mid not found\n"); else {
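Review bot: in the @@ -279 hunk, the new `if (dequeue)` block does `list_del_init(&mid->qhead); mid->mid_flags |= MID_DELETED;` while GlobalMid_Lock is still held (the spin_unlock follows it), and that is the property that makes lookup plus dequeue atomic against the demultiplex thread; a one-line comment above the block stating this, and that a caller of the dequeue variant must therefore not call dequeue_mid() on the returned mid, would save the next reader from reconstructing the invariant from smb2_decrypt_offload().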
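Review bot: the @@ -287 hunk introduces smb2_find_dequeue_mid() without a kernel-doc comment, and its contract differs from smb2_find_mid() in two ways a caller must know: the returned mid carries the extra reference taken by kref_get() in __smb2_find_mid(), and it is already off the pending list with MID_DELETED set. Document both at the definition rather than leaving them implicit in the `dequeue` flag.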
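Review bot: in the @@ -4260 hunk the offloaded branch writes `mid->mid_state = MID_RESPONSE_RECEIVED;` directly, while the non-offloaded branch delegates to dequeue_mid(); nothing in the hunk shows a lock around the assignment, so confirm that once the mid is off the pending list only the offload worker touches mid_state until the mid is released, or the state write needs the same locking that dequeue_mid() provides. If that is the design, say so in the comment above the branch, since the asymmetry between the two arms is what a future reader will trip over.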
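Review bot: the @@ -4284, @@ -4300, @@ -4329 and @@ -4340 hunks repeat the same four-line `if (is_offloaded) mid->mid_state = ...; else dequeue_mid(mid, ...);` block at seven exit points of handle_read_data(), differing only in whether the state is MID_RESPONSE_MALFORMED or MID_RESPONSE_RECEIVED; a small static helper taking the mid, is_offloaded and the malformed flag (name it as you like, for instance handle_read_data_done(), which is a suggestion and not a function in the tree) would remove the duplication and make it harder for a later error path to forget the offloaded case.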
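Review bot: in the @@ -4369 hunk smb2_decrypt_offload() now removes the mid from the pending list at lookup time, so the work item, not the demultiplex thread, owns the mid's completion from this point; the hunk ends at `else {` and the remainder of the function is not in this patch, so confirm the code after handle_read_data() returns still marks the mid complete and drops the reference taken by kref_get() in __smb2_find_mid(), since dequeue_mid() is no longer reached when is_offloaded is set. Also, with the dequeue moved into the lookup, a mid the reconnect path already removed from the list now surfaces only as the `cifs_dbg(FYI, "mid not found\n")` case; a comment noting that this is the expected outcome rather than a lost response would help whoever next debugs that message.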