Patch "cifs: Fix warning and UAF when destroy the MR list" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    cifs: Fix warning and UAF when destroy the MR list

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a4e48bddb86f5e065bb988f378e801612ff0876f
Author: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
Date:   Fri Nov 18 16:42:08 2022 +0800

    cifs: Fix warning and UAF when destroy the MR list
    
    [ Upstream commit 3e161c2791f8e661eed24a2c624087084d910215 ]
    
    If the MR allocation fails, the MR recovery work is not initialized
    and the list is not cleared. Then there will be a warning and a UAF
    when releasing the MR:
    
      WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
      CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
      RIP: 0010:__flush_work.isra.0+0xf7/0x110
      Call Trace:
       <TASK>
       __cancel_work_timer+0x2ba/0x2e0
       smbd_destroy+0x4e1/0x990
       _smbd_get_connection+0x1cbd/0x2110
       smbd_get_connection+0x21/0x40
       cifs_get_tcp_session+0x8ef/0xda0
       mount_get_conns+0x60/0x750
       cifs_mount+0x103/0xd00
       cifs_smb3_do_mount+0x1dd/0xcb0
       smb3_get_tree+0x1d5/0x300
       vfs_get_tree+0x41/0xf0
       path_mount+0x9b3/0xdd0
       __x64_sys_mount+0x190/0x1d0
       do_syscall_64+0x35/0x80
       entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
      BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
      Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
      CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82
      Call Trace:
       dump_stack_lvl+0x34/0x44
       print_report+0x171/0x472
       kasan_report+0xad/0x130
       smbd_destroy+0x4fc/0x990
       _smbd_get_connection+0x1cbd/0x2110
       smbd_get_connection+0x21/0x40
       cifs_get_tcp_session+0x8ef/0xda0
       mount_get_conns+0x60/0x750
       cifs_mount+0x103/0xd00
       cifs_smb3_do_mount+0x1dd/0xcb0
       smb3_get_tree+0x1d5/0x300
       vfs_get_tree+0x41/0xf0
       path_mount+0x9b3/0xdd0
       __x64_sys_mount+0x190/0x1d0
       do_syscall_64+0x35/0x80
       entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
      Allocated by task 824:
       kasan_save_stack+0x1e/0x40
       kasan_set_track+0x21/0x30
       __kasan_kmalloc+0x7a/0x90
       _smbd_get_connection+0x1b6f/0x2110
       smbd_get_connection+0x21/0x40
       cifs_get_tcp_session+0x8ef/0xda0
       mount_get_conns+0x60/0x750
       cifs_mount+0x103/0xd00
       cifs_smb3_do_mount+0x1dd/0xcb0
       smb3_get_tree+0x1d5/0x300
       vfs_get_tree+0x41/0xf0
       path_mount+0x9b3/0xdd0
       __x64_sys_mount+0x190/0x1d0
       do_syscall_64+0x35/0x80
       entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
      Freed by task 824:
       kasan_save_stack+0x1e/0x40
       kasan_set_track+0x21/0x30
       kasan_save_free_info+0x2a/0x40
       ____kasan_slab_free+0x143/0x1b0
       __kmem_cache_free+0xc8/0x330
       _smbd_get_connection+0x1c6a/0x2110
       smbd_get_connection+0x21/0x40
       cifs_get_tcp_session+0x8ef/0xda0
       mount_get_conns+0x60/0x750
       cifs_mount+0x103/0xd00
       cifs_smb3_do_mount+0x1dd/0xcb0
       smb3_get_tree+0x1d5/0x300
       vfs_get_tree+0x41/0xf0
       path_mount+0x9b3/0xdd0
       __x64_sys_mount+0x190/0x1d0
       do_syscall_64+0x35/0x80
       entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
    Let's initialize the MR recovery work before MR allocation to prevent
    the warning, and remove the MRs from the list to prevent the UAF.
    
    Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration")
    Acked-by: Paulo Alcantara (SUSE) <pc@xxxxxx>
    Reviewed-by: Tom Talpey <tom@xxxxxxxxxx>
    Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c
index 58f086aabc888..a9a5d27b8d38b 100644
--- a/fs/cifs/smbdirect.c
+++ b/fs/cifs/smbdirect.c
@@ -2251,6 +2251,7 @@ static int allocate_mr_list(struct smbd_connection *info)
 	atomic_set(&info->mr_ready_count, 0);
 	atomic_set(&info->mr_used_count, 0);
 	init_waitqueue_head(&info->wait_for_mr_cleanup);
+	INIT_WORK(&info->mr_recovery_work, smbd_mr_recovery_work);
 	/* Allocate more MRs (2x) than hardware responder_resources */
 	for (i = 0; i < info->responder_resources * 2; i++) {
 		smbdirect_mr = kzalloc(sizeof(*smbdirect_mr), GFP_KERNEL);
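Review bot: moving INIT_WORK(&info->mr_recovery_work, ...) ahead of the allocation loop is the right fix for the workqueue.c:3066 warning, because the work item is now initialized on every return path from allocate_mr_list(), including the `goto out` error path taken from inside the loop, so the later __cancel_work_timer() called from smbd_destroy() no longer operates on an uninitialized work struct. A one-line comment above the INIT_WORK stating that it must precede the loop (the original placement after the loop is what left it uninitialized on failure) would keep a future refactor from moving it back.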
@@ -2278,13 +2279,13 @@ static int allocate_mr_list(struct smbd_connection *info)
 		list_add_tail(&smbdirect_mr->list, &info->mr_list);
 		atomic_inc(&info->mr_ready_count);
 	}
-	INIT_WORK(&info->mr_recovery_work, smbd_mr_recovery_work);
 	return 0;
 
 out:
 	kfree(smbdirect_mr);
 
 	list_for_each_entry_safe(smbdirect_mr, tmp, &info->mr_list, list) {
+		list_del(&smbdirect_mr->list);
 		ib_dereg_mr(smbdirect_mr->mr);
 		kfree(smbdirect_mr->sgl);
 		kfree(smbdirect_mr);
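Review bot: the added list_del(&smbdirect_mr->list) is what actually closes the KASAN use-after-free, not the INIT_WORK move: without it each smbdirect_mr freed in this cleanup loop stayed linked into info->mr_list, and smbd_destroy()'s own walk over that list then read the freed node (the 8-byte read at smbd_destroy+0x4fc in the report). Plain list_del() rather than list_del_init() is sufficient here since the node is passed to kfree() on the next lines and never looked at again. The unchanged `kfree(smbdirect_mr);` at the top of `out:` covers the MR whose allocation failed before it was added with list_add_tail(), so it is correctly outside the walk; the removed INIT_WORK line below the loop is superseded by the one now placed before the loop in the previous hunk.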


