23 Sep, 2022

3 commits

  • commit bedc8f76b3539ac4f952114b316bcc2251e808ce upstream.

    So far we were just lucky because the uninitialized members
    of struct msghdr are not used by default on a SOCK_STREAM tcp
    socket.

    But as new things like msg_ubuf and sg_from_iter were added
    recently, we should play on the safe side and avoid potential
    problems in the future.

    Signed-off-by: Stefan Metzmacher
    Cc: stable@vger.kernel.org
    Reviewed-by: Paulo Alcantara (SUSE)
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Stefan Metzmacher
     
  • commit 17d3df38dc5f4cec9b0ac6eb79c1859b6e2693a4 upstream.

    This is ignored anyway by the tcp layer.

    Signed-off-by: Stefan Metzmacher
    Cc: stable@vger.kernel.org
    Reviewed-by: Ronnie Sahlberg
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Stefan Metzmacher
     
  • commit 7500a99281dfed2d4a84771c933bcb9e17af279b upstream.

    Kernel bugzilla: 216301

    When doing direct writes we need to also invalidate the mapping in case
    we have a cached copy of the affected page(s) in memory or else
    subsequent reads of the data might return the old/stale content
    before we wrote an update to the server.

    Cc: stable@vger.kernel.org
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Ronnie Sahlberg
     

08 Sep, 2022

1 commit

  • commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 upstream.

    In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
    the request is sent, the checks would return -EIO when they should be
    rather setting rc = -EIO and jumping to neg_exit to free the response
    buffer from mempool.

    Signed-off-by: Enzo Matsumiya
    Cc: stable@vger.kernel.org
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Enzo Matsumiya
     

31 Aug, 2022

1 commit

  • commit ba0803050d610d5072666be727bca5e03e55b242 upstream.

    smb3 fallocate punch hole was not grabbing the inode or filemap_invalidate
    locks so could have a race with pagemap reinstantiating the page.

    Cc: stable@vger.kernel.org
    Signed-off-by: David Howells
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    David Howells
     

25 Aug, 2022

2 commits

  • [ Upstream commit 5fa2cffba0b82336a2244d941322eb1627ff787b ]

    Coverity complains about assigning a pointer based on
    value length before checking that value length goes
    beyond the end of the SMB. Although this is even more
    unlikely as value length is a single byte, and the
    pointer is not dereferenced until later, it is clearer
    to check the lengths first.

    Addresses-Coverity: 1467704 ("Speculative execution data leak")
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Steve French
     
  • commit ca08d0eac020d48a3141dbec0a3cf64fbdb17cde upstream.

    xfstests on smb21 report kmemleak as below:

    unreferenced object 0xffff8881767d6200 (size 64):
    comm "xfs_io", pid 1284, jiffies 4294777434 (age 20.789s)
    hex dump (first 32 bytes):
    80 5a d0 11 81 88 ff ff 78 8a aa 63 81 88 ff ff .Z......x..c....
    00 71 99 76 81 88 ff ff 00 00 00 00 00 00 00 00 .q.v............
    backtrace:
    [] cifs_close+0x92/0x2c0
    [] __fput+0xff/0x3f0
    [] task_work_run+0x85/0xc0
    [] do_exit+0x5e5/0x1240
    [] do_group_exit+0x58/0xe0
    [] __x64_sys_exit_group+0x28/0x30
    [] do_syscall_64+0x35/0x80
    [] entry_SYSCALL_64_after_hwframe+0x46/0xb0

    When cancelling the deferred close work, we should also clean up the struct
    cifs_deferred_close.

    Fixes: 9e992755be8f2 ("cifs: Call close synchronously during unlink/rename/lease break.")
    Fixes: e3fc065682ebb ("cifs: Deferred close performance improvements")
    Cc: stable@vger.kernel.org
    Reviewed-by: Shyam Prasad N
    Signed-off-by: Zhang Xiaoxu
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Zhang Xiaoxu
     

17 Aug, 2022

1 commit

  • commit 9e31678fb403eae0f4fe37c6374be098835c73cd upstream.

    The solution is to send the lease break ack immediately even in case of
    deferred close handles, to avoid the lease break request timing out,
    and let deferred closed handles get closed as scheduled.
    Later patches could optimize cases where we then close some
    of these handles sooner for the cases where lease break is to 'none'.

    Cc: stable@kernel.org
    Signed-off-by: Bharath SM
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Bharath SM
     

15 Jun, 2022

3 commits

  • commit c36ee7dab7749f7be21f7a72392744490b2a9a2b upstream.

    cifs.ko defines two file system types: cifs & smb3, and
    __cifs_get_super() was not including smb3 file system type when
    looking up superblocks, therefore failing to reconnect tcons in
    cifs_tree_connect().

    Fix this by calling iterate_supers_type() on both file system types.

    Link: https://lore.kernel.org/r/CAFrh3J9soC36+BVuwHB=g9z_KB5Og2+p2_W+BBoBOZveErz14w@mail.gmail.com
    Cc: stable@vger.kernel.org
    Tested-by: Satadru Pramanik
    Reported-by: Satadru Pramanik
    Signed-off-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Paulo Alcantara
     
  • commit 8ea21823aa584b55ba4b861307093b78054b0c1b upstream.

    During reconnects, we check the return value from
    cifs_negotiate_protocol, and have handlers for both success
    and failures. But if that passes, and cifs_setup_session
    returns any errors other than -EACCES, we do not handle
    that. This fix adds a handler for that, so that we don't
    go ahead and try a tree_connect on a failed session.

    Signed-off-by: Shyam Prasad N
    Reviewed-by: Enzo Matsumiya
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Shyam Prasad N
     
  • [ Upstream commit 7ef93ffccd55fb0ba000ed16ef6a81cd7dee07b5 ]

    We should not be including unused smb20 specific code when legacy
    support is disabled (CONFIG_CIFS_ALLOW_INSECURE_LEGACY turned
    off). For example smb2_operations and smb2_values aren't used
    in that case. Over time we can move more and more SMB1/CIFS and SMB2.0
    code into the insecure legacy ifdefs.

    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Steve French
     

09 Jun, 2022

4 commits

  • commit 0a55cf74ffb5d004b93647e4389096880ce37d6b upstream.

    There is a race condition in smb2_compound_op:

    after_close:
        num_rqst++;

        if (cfile) {
            cifsFileInfo_put(cfile); // sends SMB2_CLOSE to the server
            cfile = NULL;

    This is triggered by smb2_query_path_info operation that happens during
    revalidate_dentry. In smb2_query_path_info, get_readable_path is called to
    load the cfile, increasing the reference counter. If in the meantime, this
    reference becomes the very last, this call to cifsFileInfo_put(cfile) will
    trigger a SMB2_CLOSE request sent to the server just before sending this compound
    request – and so then the compound request fails either with EBADF/EIO depending
    on the timing at the server, because the handle is already closed.

    In the first scenario, the race seems to be happening between smb2_query_path_info
    triggered by the rename operation and the “cleanup” of asynchronous writes – while
    fsync(fd) likely waits for the asynchronous writes to complete, releasing the writeback
    structures can happen after the close(fd) call. So the EBADF/EIO errors will pop up if
    the timing is such that:
    1) There are still outstanding references after close(fd) in the writeback structures
    2) smb2_query_path_info successfully fetches the cfile, increasing the refcounter by 1
    3) All writeback structures release the same cfile, reducing refcounter to 1
    4) smb2_compound_op is called with that cfile

    In the second scenario, the race seems to be similar – here open triggers the
    smb2_query_path_info operation, and if all other threads in the meantime decrease the
    refcounter to 1 similarly to the first scenario, again SMB2_CLOSE will be sent to the
    server just before issuing the compound request. This case is harder to reproduce.

    See https://bugzilla.samba.org/show_bug.cgi?id=15051

    Cc: stable@vger.kernel.org
    Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
    Signed-off-by: Ondrej Hubsch
    Reviewed-by: Ronnie Sahlberg
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Steve French
     
  • [ Upstream commit bbdf6cf56c88845fb0b713cbf5c6623c53fe40d8 ]

    Although unlikely to be null, it is confusing to use a pointer
    before checking for it to be null so move the use down after
    null check.

    Addresses-Coverity: 1517586 ("Null pointer dereferences (REVERSE_INULL)")
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Steve French
     
  • commit f66f8b94e7f2f4ac9fffe710be231ca8f25c5057 upstream.

    as this is the only way to make sure the region is allocated.
    Fix the conditional that was wrong and only tried to make already
    non-sparse files non-sparse.

    Cc: stable@vger.kernel.org
    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Ronnie Sahlberg
     
  • commit 8378a51e3f8140f60901fb27208cc7a6e47047b5 upstream.

    RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2088799

    Cc: stable@vger.kernel.org
    Signed-off-by: Roberto Bergantinos
    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Ronnie Sahlberg
     

09 May, 2022

1 commit

  • [ Upstream commit f5d0f921ea362636e4a2efb7c38d1ead373a8700 ]

    because the copychunk_write might cover a region of the file that has not yet
    been sent to the server and thus fail.

    A simple way to reproduce this is:
    truncate -s 0 /mnt/testfile; strace -f -o x -ttT xfs_io -i -f -c 'pwrite 0k 128k' -c 'fcollapse 16k 24k' /mnt/testfile

    The issue is that the 'pwrite 0k 128k' becomes rearranged on the wire with
    the 'fcollapse 16k 24k' due to write-back caching.

    fcollapse is implemented in cifs.ko as a SMB2 IOCTL(COPYCHUNK_WRITE) call
    and it will fail server-side since the file is still 0 bytes in size server-side
    until the writes have been destaged.
    To avoid this we must ensure that we destage any unwritten data to the
    server before calling COPYCHUNK_WRITE.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1997373
    Reported-by: Xiaoli Feng
    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Ronnie Sahlberg
     

27 Apr, 2022

1 commit

  • [ Upstream commit 994fd530a512597ffcd713b0f6d5bc916c5698f0 ]

    Use the IOCB_DIRECT indicator flag on the I/O context rather than checking to
    see if the file was opened O_DIRECT.

    Signed-off-by: David Howells
    cc: Steve French
    cc: Shyam Prasad N
    cc: Rohith Surabattula
    cc: linux-cifs@vger.kernel.org
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    David Howells
     

20 Apr, 2022

3 commits

  • commit 8b6c58458ee3206dde345fce327a4cb83e69caf9 upstream.

    On umount, cifs_sb->tlink_tree might contain entries that do not represent
    a valid tcon.
    Check the tcon for error before we dereference it.

    Signed-off-by: Ronnie Sahlberg
    Cc: stable@vger.kernel.org
    Reviewed-by: Shyam Prasad N
    Reported-by: Xiaoli Feng
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Ronnie Sahlberg
     
  • [ Upstream commit 64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304 ]

    Smatch printed a warning:
    arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:
    __memcpy() 'dctx->buf' too small (16 vs u32max)

    It's caused because Smatch marks 'link_len' as untrusted since it comes
    from sscanf(). Add a check to ensure that 'link_len' is not larger than
    the size of the 'link_str' buffer.

    Fixes: c69c1b6eaea1 ("cifs: implement CIFSParseMFSymlink()")
    Signed-off-by: Harshit Mogalapalli
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Harshit Mogalapalli
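    The kind of bound this commit adds, shown as an added userland example rather
    than cifs.ko code. The blob layout (magic line, four-digit decimal link length,
    32-character hash, then the link text), the 1024-byte cap and every function
    name are assumptions made for this example; the point is that a length obtained
    from sscanf() on untrusted data is checked against both the input and the
    output buffer before it is used as a copy length.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MF_LINK_MAXLEN 1024   /* assumed upper bound on link text, chosen for this example */
#define MF_HDR_LEN 43         /* "XSym\n" (5) + "dddd\n" (5) + 32 hash chars + "\n" (1) */

/* Parse a symlink blob with the assumed layout into link_out.  Returns 0 on
 * success, -EINVAL when malformed and -ENAMETOOLONG when the declared length
 * would overrun either the input blob or the output buffer. */
static int parse_mf_symlink(const char *buf, size_t buflen,
                            char *link_out, size_t outlen)
{
    char head[MF_HDR_LEN + 1];
    char hash[33];
    unsigned int link_len;

    if (buflen < MF_HDR_LEN)
        return -EINVAL;
    /* Only the fixed-size header is handed to sscanf(), NUL-terminated, so the
     * parser itself never reads past buflen. */
    memcpy(head, buf, MF_HDR_LEN);
    head[MF_HDR_LEN] = '\0';
    if (sscanf(head, "XSym\n%4u\n%32s", &link_len, hash) != 2 || strlen(hash) != 32)
        return -EINVAL;
    /* link_len is untrusted input from sscanf(): bound it before it becomes a
     * copy length (this is the check the commit adds). */
    if (link_len > MF_LINK_MAXLEN || link_len >= outlen ||
        link_len > buflen - MF_HDR_LEN)
        return -ENAMETOOLONG;
    memcpy(link_out, buf + MF_HDR_LEN, link_len);
    link_out[link_len] = '\0';
    return 0;
}

/* Constructed test blob; declared_len may deliberately disagree with the link
 * to model a malformed file. */
static int build_blob(char *dst, size_t dstlen, unsigned int declared_len, const char *link)
{
    return snprintf(dst, dstlen, "XSym\n%04u\n%s\n%s", declared_len,
                    "0123456789abcdef0123456789abcdef", link);
}

static int demo_parse(unsigned int declared_len, const char *link, char *out, size_t outlen)
{
    char blob[256];
    int n = build_blob(blob, sizeof blob, declared_len, link);
    if (n < 0 || (size_t)n >= sizeof blob)
        return -EINVAL;
    return parse_mf_symlink(blob, (size_t)n, out, outlen);
}

/* Return code for a blob whose header declares declared_len for the given link. */
static int demo_rc(unsigned int declared_len, const char *link)
{
    char out[64];
    return demo_parse(declared_len, link, out, sizeof out);
}

/* 1 when a consistent blob parses back to the same link text, 0 otherwise. */
static int demo_roundtrip(const char *link)
{
    char out[64];
    if (demo_parse((unsigned int)strlen(link), link, out, sizeof out) != 0)
        return 0;
    return strcmp(out, link) == 0;
}

int main(void)
{
    printf("consistent blob: roundtrip=%d\n", demo_roundtrip("/tmp/target"));
    printf("declared 9999:   rc=%d\n", demo_rc(9999, "/tmp/target"));
    printf("declared 20:     rc=%d\n", demo_rc(20, "/tmp/target"));
    return 0;
}
```

    The second rejected case matters as much as the first: a declared length that
    is under the cap but larger than what actually follows the header would still
    read past the end of the input, so the check compares against the real blob
    size as well as the fixed maximum.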
     
  • [ Upstream commit d788e51636462e61c6883f7d96b07b06bc291650 ]

    During cifs_kill_sb, we first dput all the dentries that we have cached.
    However, this function can also get called for mount failures.
    So dput the cached dentries only if the filesystem mount is complete,
    i.e. cifs_sb->root is populated.

    Fixes: 5e9c89d43fa6 ("cifs: Grab a reference for the dentry of the cached directory during the lifetime of the cache")
    Signed-off-by: Shyam Prasad N
    Reviewed-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Shyam Prasad N
     

08 Apr, 2022

5 commits

  • [ Upstream commit 06a466565d54a1a42168f9033a062a3f5c40e73b ]

    When a session gets reconnected during mount, the read size in the super block fs
    context gets set to zero, and after negotiate rsize is not modified, which results in
    an incorrect read with requested bytes as zero. This fixes the intermittent failure
    of xfstest generic/240.

    Note that stable requires a different version of this patch which will be
    sent to the stable mailing list.

    Signed-off-by: Rohith Surabattula
    Acked-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Rohith Surabattula
     
  • commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.

    When calling smb2_ioctl_query_info() with invalid
    smb_query_info::flags, a NULL ptr dereference is triggered when trying
    to kfree() uninitialised rqst[n].rq_iov array.

    This also fixes leaked paths that are created in SMB2_open_init()
    which required SMB2_open_free() to properly free them.

    Here is a small C reproducer that triggers it:

    #include <stdio.h>      /* perror */
    #include <stdlib.h>     /* exit */
    #include <stdint.h>     /* uint32_t */
    #include <fcntl.h>      /* open, O_RDONLY */
    #include <unistd.h>     /* close */
    #include <sys/ioctl.h>  /* ioctl */

    #define die(s) perror(s), exit(1)
    #define QUERY_INFO 0xc018cf07

    int main(int argc, char *argv[])
    {
        int fd;

        if (argc < 2)
            exit(1);
        fd = open(argv[1], O_RDONLY);
        if (fd == -1)
            die("open");
        if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
            die("ioctl");
        close(fd);
        return 0;
    }

    mount.cifs //srv/share /mnt -o ...
    gcc repro.c && ./a.out /mnt/f0

    [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
    [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
    [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
    [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
    [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
    [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
    [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
    [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
    [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
    [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
    [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
    [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
    [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
    [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
    [ 1832.132801] Call Trace:
    [ 1832.132962]
    [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
    [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs]
    [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70
    [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
    [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0
    [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
    [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs]
    [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs]
    [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0
    [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs]
    [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70
    [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0
    [ 1832.137096] ? __up_read+0x192/0x710
    [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0
    [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0
    [ 1832.137850] __x64_sys_ioctl+0x127/0x190
    [ 1832.138103] do_syscall_64+0x3b/0x90
    [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 1832.138702] RIP: 0033:0x7fcee9a253df
    [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
    [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
    [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
    [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
    [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
    [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
    [ 1832.142851]
    [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]

    Cc: stable@vger.kernel.org
    Signed-off-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Paulo Alcantara
     
  • commit b92e358757b91c2827af112cae9af513f26a3f34 upstream.

    When calling smb2_ioctl_query_info() with
    smb_query_info::flags=PASSTHRU_FSCTL and
    smb_query_info::output_buffer_length=0, the following would return
    0x10

    buffer = memdup_user(arg + sizeof(struct smb_query_info),
                         qi.output_buffer_length);
    if (IS_ERR(buffer)) {
        kfree(vars);
        return PTR_ERR(buffer);
    }

    rather than a valid pointer thus making IS_ERR() check fail. This
    would then cause a NULL ptr dereference in @buffer when accessing it
    later in smb2_ioctl_query_ioctl(). While at it, prevent having a
    @buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
    FileEndOfFileInformation requests when
    smb_query_info::flags=PASSTHRU_SET_INFO.

    Here is a small C reproducer which triggers a NULL ptr in @buffer when
    passing an invalid smb_query_info::flags:

    #include <stdio.h>      /* perror */
    #include <stdlib.h>     /* exit */
    #include <stdint.h>     /* uint32_t */
    #include <fcntl.h>      /* open, O_RDONLY */
    #include <unistd.h>     /* close */
    #include <sys/ioctl.h>  /* ioctl */

    #define die(s) perror(s), exit(1)
    #define QUERY_INFO 0xc018cf07

    int main(int argc, char *argv[])
    {
        int fd;

        if (argc < 2)
            exit(1);
        fd = open(argv[1], O_RDONLY);
        if (fd == -1)
            die("open");
        if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
            die("ioctl");
        close(fd);
        return 0;
    }

    mount.cifs //srv/share /mnt -o ...
    gcc repro.c && ./a.out /mnt/f0

    [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
    [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
    [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
    [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
    [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
    [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
    [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
    [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
    [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
    [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
    [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
    [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
    [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
    [ 114.146131] Call Trace:
    [ 114.146291]
    [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
    [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
    [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
    [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
    [ 114.147775] ? dentry_path_raw+0xa6/0xf0
    [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
    [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
    [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
    [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
    [ 114.149371] ? lock_downgrade+0x6f0/0x6f0
    [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
    [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
    [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
    [ 114.150562] ? __up_read+0x192/0x710
    [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
    [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
    [ 114.151296] __x64_sys_ioctl+0x127/0x190
    [ 114.151549] do_syscall_64+0x3b/0x90
    [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 114.152079] RIP: 0033:0x7f7aead043df
    [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
    [ 114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    [ 114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df
    [ 114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003
    [ 114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e
    [ 114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128
    [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
    [ 114.156071]
    [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
    [ 114.156608] ---[ end trace 0000000000000000 ]---
    [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
    [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
    [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
    [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
    [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
    [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
    [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
    [ 114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
    [ 114.162274] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
    [ 114.162853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
    [ 114.163691] Kernel panic - not syncing: Fatal exception
    [ 114.164087] Kernel Offset: disabled
    [ 114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]---

    Cc: stable@vger.kernel.org
    Signed-off-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Paulo Alcantara
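    The failure mode described in this message, modelled in userland as an added
    example (not kernel code): ZERO_SIZE_PTR, ERR_PTR(), IS_ERR() and memdup_user()
    are re-implemented as stand-ins with the kernel's sentinel value, the 8-byte
    minimum is the one the message gives for FileEndOfFileInformation, and the
    64 KiB maximum and all function names are assumptions. The unchecked path shows
    why an IS_ERR()-only test is not enough for a zero-length copy; the hardened
    path validates the length before any copy happens.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userland stand-ins for the kernel helpers named in the commit message. */
#define MAX_ERRNO      4095
#define ZERO_SIZE_PTR  ((void *)16)   /* kernel sentinel for a 0-byte allocation: not NULL, not an ERR_PTR */
#define ERR_PTR(err)   ((void *)(long)(err))
#define PTR_ERR(p)     ((long)(p))
#define IS_ERR(p)      ((unsigned long)(p) >= (unsigned long)-MAX_ERRNO)

/* Assumed bounds for the example; the 8-byte minimum comes from the message. */
#define QUERY_BUF_MIN  8
#define QUERY_BUF_MAX  (64 * 1024)

/* Constructed "user" data large enough for any accepted length. */
static uint8_t sample_data[QUERY_BUF_MAX];

/* Model of memdup_user(): duplicate len bytes of caller-supplied data. */
static void *memdup_user_model(const void *src, size_t len)
{
    void *dst;
    if (len == 0)
        return ZERO_SIZE_PTR;          /* what a 0-byte kmalloc() hands back */
    dst = malloc(len);
    if (!dst)
        return ERR_PTR(-ENOMEM);
    memcpy(dst, src, len);
    return dst;
}

/* Unchecked pattern from the message: trust the pointer whenever IS_ERR() is
 * false.  Returns 1 when that lets the non-dereferenceable sentinel through. */
static int unchecked_path_accepts_sentinel(size_t len)
{
    void *buffer = memdup_user_model(sample_data, len);
    int slipped_through;
    if (IS_ERR(buffer))
        return 0;                       /* genuine error, correctly handled */
    slipped_through = (buffer == ZERO_SIZE_PTR);
    if (!slipped_through)
        free(buffer);
    return slipped_through;
}

/* Hardened path: bound the length before copying, so neither a 0-byte request
 * nor an oversized one reaches the allocator. */
static long copy_query_buffer(const void *src, size_t len, void **out)
{
    void *buffer;
    *out = NULL;
    if (len < QUERY_BUF_MIN || len > QUERY_BUF_MAX)
        return -EINVAL;
    buffer = memdup_user_model(src, len);
    if (IS_ERR(buffer))
        return PTR_ERR(buffer);
    *out = buffer;
    return 0;
}

/* Outcome of the hardened path for a given requested length. */
static long hardened_rc(size_t len)
{
    void *buffer;
    long rc = copy_query_buffer(sample_data, len, &buffer);
    if (rc == 0)
        free(buffer);
    return rc;
}

int main(void)
{
    /* 0-byte request: the unchecked path proceeds with the sentinel, the
     * hardened path returns -EINVAL before allocating anything. */
    return (unchecked_path_accepts_sentinel(0) == 1 && hardened_rc(0) == -EINVAL) ? 0 : 1;
}
```

    The general rule the example illustrates: a length supplied by the caller is
    validated against an explicit minimum and maximum before it is passed to any
    allocator or copy helper, because "not an error pointer" does not mean
    "usable buffer".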
     
  • commit 9a14b65d590105d393b63f5320e1594edda7c672 upstream.

    Remove the spinlock around the tree traversal as we are calling possibly
    sleeping functions.
    We do not need a spinlock here as there will be no modifications to this
    tree at this point.

    This prevents warnings like this from occurring in dmesg:
    [ 653.774996] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:280
    [ 653.775088] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1827, name: umount
    [ 653.775152] preempt_count: 1, expected: 0
    [ 653.775191] CPU: 0 PID: 1827 Comm: umount Tainted: G W OE 5.17.0-rc7-00006-g4eb628dd74df #135
    [ 653.775197] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1.fc33 04/01/2014
    [ 653.775197] Call Trace:
    [ 653.775199]
    [ 653.775202] dump_stack_lvl+0x34/0x44
    [ 653.775209] __might_resched.cold+0x13f/0x172
    [ 653.775213] mutex_lock+0x75/0xf0
    [ 653.775217] ? __mutex_lock_slowpath+0x10/0x10
    [ 653.775220] ? _raw_write_lock_irq+0xd0/0xd0
    [ 653.775224] ? dput+0x6b/0x360
    [ 653.775228] cifs_kill_sb+0xff/0x1d0 [cifs]
    [ 653.775285] deactivate_locked_super+0x85/0x130
    [ 653.775289] cleanup_mnt+0x32c/0x4d0
    [ 653.775292] ? path_umount+0x228/0x380
    [ 653.775296] task_work_run+0xd8/0x180
    [ 653.775301] exit_to_user_mode_loop+0x152/0x160
    [ 653.775306] exit_to_user_mode_prepare+0x89/0xd0
    [ 653.775315] syscall_exit_to_user_mode+0x12/0x30
    [ 653.775322] do_syscall_64+0x48/0x90
    [ 653.775326] entry_SYSCALL_64_after_hwframe+0x44/0xae

    Fixes: 187af6e98b44e5d8f25e1d41a92db138eb54416f ("cifs: fix handlecache and multiuser")
    Reported-by: kernel test robot
    Cc: stable@vger.kernel.org
    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Ronnie Sahlberg
     
  • commit 47178c7722ac528ea08aa82c3ef9ffa178962d7a upstream.

    In multiuser each individual user has their own tcon structure for the
    share and thus their own handle for a cached directory.
    When we umount such a share we must make sure to release the pinned down dentry
    for each such tcon and not just the master tcon.

    Otherwise we will get nasty warnings on umount that dentries are still in use:
    [ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/} still in use (2) [unmount of cifs cifs]
    ...
    [ 3459.590492] Call Trace:
    [ 3459.590500] d_walk+0x61/0x2a0
    [ 3459.590518] ? shrink_lock_dentry.part.0+0xe0/0xe0
    [ 3459.590526] shrink_dcache_for_umount+0x49/0x110
    [ 3459.590535] generic_shutdown_super+0x1a/0x110
    [ 3459.590542] kill_anon_super+0x14/0x30
    [ 3459.590549] cifs_kill_sb+0xf5/0x104 [cifs]
    [ 3459.590773] deactivate_locked_super+0x36/0xa0
    [ 3459.590782] cleanup_mnt+0x131/0x190
    [ 3459.590789] task_work_run+0x5c/0x90
    [ 3459.590798] exit_to_user_mode_loop+0x151/0x160
    [ 3459.590809] exit_to_user_mode_prepare+0x83/0xd0
    [ 3459.590818] syscall_exit_to_user_mode+0x12/0x30
    [ 3459.590828] do_syscall_64+0x48/0x90
    [ 3459.590833] entry_SYSCALL_64_after_hwframe+0x44/0xae

    Signed-off-by: Ronnie Sahlberg
    Acked-by: Paulo Alcantara (SUSE)
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Ronnie Sahlberg
     

09 Mar, 2022

5 commits

  • [ Upstream commit 53923e0fe2098f90f339510aeaa0e1413ae99a16 ]

    When mounting with SMB2.1 or earlier, even with nomultichannel, we
    log the confusing warning message:
    "CIFS: VFS: multichannel is not supported on this protocol version, use 3.0 or above"

    Fix this so that we don't log this unless they really are trying
    to mount with multichannel.

    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215608
    Reported-by: Kim Scarborough
    Cc: stable@vger.kernel.org # 5.11+
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Steve French
     
  • [ Upstream commit 724244cdb3828522109c88e56a0242537aefabe9 ]

    Introducing a new spin lock to protect all the channel related
    fields in a cifs_ses struct. This lock should be taken
    whenever dealing with the channel fields, and should be held
    only for very short intervals which will not sleep.

    Currently, all channel related fields in cifs_ses structure
    are protected by session_mutex. However, this mutex is held for
    long periods (sometimes while waiting for a reply from server).
    This makes the codepath quite tricky to change.

    Signed-off-by: Shyam Prasad N
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Shyam Prasad N
     
  • [ Upstream commit 0c6f4ebf8835d01866eb686d47578cde80097981 ]

    When we create a file with modefromsids we set an ACL that
    has one ACE for the magic modefromsid as well as a second ACE that
    grants full access to all authenticated users.

    When later we change the mode on the file we strip away this, and other,
    ACEs for authenticated users in set_chmod_dacl() and then just add back/update
    the modefromsid ACE.
    Thus leaving the file with a single ACE that is for the mode and no ACE
    to grant any user any rights to access the file.
    Fix this by always adding back also the modefromsid ACE so that we do not
    drop the rights to access the file.

    Signed-off-by: Ronnie Sahlberg
    Reviewed-by: Shyam Prasad N
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Ronnie Sahlberg
     
  • [ Upstream commit 3d6cc9898efdfb062efb74dc18cfc700e082f5d5 ]

    When cifs_get_root() fails during cifs_smb3_do_mount() we call
    deactivate_locked_super() which eventually will call delayed_free() which
    will free the context.
    In this situation we should not proceed to enter the out: section in
    cifs_smb3_do_mount() and free the same resources a second time.

    [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
    [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

    [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4
    [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
    [Thu Feb 10 12:59:06 2022] Call Trace:
    [Thu Feb 10 12:59:06 2022]
    [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78
    [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150
    [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
    [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117
    [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
    [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0
    [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60
    [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0
    [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0
    [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20
    [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140
    [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10
    [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b
    [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150
    [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30
    [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0
    ...
    [Thu Feb 10 12:59:07 2022] Freed by task 58179:
    [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
    [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30
    [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40
    [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170
    [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20
    [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0
    [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520
    [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]
    [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
    [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
    [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
    [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
    [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
    [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae

    [Thu Feb 10 12:59:07 2022] Last potentially related work creation:
    [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
    [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0
    [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10
    [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0
    [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]
    [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]
    [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0
    [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
    [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
    [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
    [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
    [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
    [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
    [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae

    Reported-by: Shyam Prasad N
    Reviewed-by: Shyam Prasad N
    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Ronnie Sahlberg
     
  • [ Upstream commit 26d3dadebbcbddfaf1d9caad42527a28a0ed28d8 ]

    When idsfromsid is used we create a special SID for owner/group.
    This structure must be initialized or else the first 5 bytes
    of the Authority field of the SID will contain uninitialized data
    and thus not be a valid SID.

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Ronnie Sahlberg
     

23 Feb, 2022

2 commits

  • commit 9405b5f8b20c2bfa6523a555279a0379640dc136 upstream.

    The conversion to the new API broke the snapshot mount option
    due to 32 vs. 64 bit type mismatch

    Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
    Cc: stable@vger.kernel.org # 5.11+
    Reported-by:
    Acked-by: Ronnie Sahlberg
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Steve French
     
  • commit dd5a927e411836eaef44eb9b00fece615e82e242 upstream.

    'setcifsacl -g ' silently fails to set the group SID on server.

    Actually, the bug existed since commit 438471b67963 ("CIFS: Add support
    for setting owner info, dos attributes, and create time"), but this fix
    will not apply cleanly to kernel versions
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Amir Goldstein
     

22 Dec, 2021

1 commit

  • commit a31080899d5fdafcccf7f39dd214a814a2c82626 upstream.

    mount.cifs can pass a device with multiple delimiters in it. This will
    cause rename(2) to fail with ENOENT.

    V2:
    - Make sanitize_path more readable.
    - Fix multiple delimiters between UNC and prepath.
    - Avoid a memory leak if a bad user starts putting a lot of delimiters
    in the path on purpose.

    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=2031200
    Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
    Cc: stable@vger.kernel.org # 5.11+
    Acked-by: Ronnie Sahlberg
    Signed-off-by: Thiago Rafael Becker
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Thiago Rafael Becker
     

01 Dec, 2021

2 commits

  • commit b9ad6b5b687e798746024e5fc4574d8fa8bdfade upstream.

    Recent fix to maintain a nosharesock state on the
    server struct caused a regression. It updated this
    field in the old tcp session, and not the new one.

    This caused the multichannel scenario to misbehave.

    Fixes: c9f1c19cf7c5 (cifs: nosharesock should not share socket with future sessions)
    Signed-off-by: Shyam Prasad N
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Shyam Prasad N
     
  • [ Upstream commit c9f1c19cf7c50949885fa5afdb2cb242d61a7fac ]

    Today, when a new mount is done with nosharesock, we ensure
    that we don't select an existing matching session. However,
    we don't mark the connection as nosharesock, which means that
    those could be shared with future sessions.

    Fixed it with this commit. Also printing this info in DebugData.

    Signed-off-by: Shyam Prasad N
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Sasha Levin

    Shyam Prasad N
     

19 Nov, 2021

4 commits

  • commit 869da64d071142d4ed562a3e909deb18e4e72c4e upstream.

    Fix memory leak of smb3_fs_context_dup::server_hostname when parsing
    and duplicating fs contexts during mount(2) as reported by kmemleak:

    unreferenced object 0xffff888125715c90 (size 16):
    comm "mount.cifs", pid 3832, jiffies 4304535868 (age 190.094s)
    hex dump (first 16 bytes):
    7a 65 6c 64 61 2e 74 65 73 74 00 6b 6b 6b 6b a5 zelda.test.kkkk.
    backtrace:
    [] kstrdup+0x2e/0x60
    [] smb3_fs_context_dup+0x392/0x8d0 [cifs]
    [] cifs_smb3_do_mount+0x143/0x1700 [cifs]
    [] smb3_get_tree+0x2e8/0x520 [cifs]
    [] vfs_get_tree+0x8a/0x2d0
    [] path_mount+0x423/0x1a10
    [] __x64_sys_mount+0x1fa/0x270
    [] do_syscall_64+0x3b/0x90
    [] entry_SYSCALL_64_after_hwframe+0x44/0xae
    unreferenced object 0xffff888111deed20 (size 32):
    comm "mount.cifs", pid 3832, jiffies 4304536044 (age 189.918s)
    hex dump (first 32 bytes):
    44 46 53 52 4f 4f 54 31 2e 5a 45 4c 44 41 2e 54 DFSROOT1.ZELDA.T
    45 53 54 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 EST.kkkkkkkkkkk.
    backtrace:
    [] kstrndup+0x2d/0x90
    [] smb3_parse_devname+0x9e/0x360 [cifs]
    [] cifs_setup_volume_info+0xa8/0x470 [cifs]
    [] connect_dfs_target+0x309/0xc80 [cifs]
    [] cifs_mount+0x8eb/0x17f0 [cifs]
    [] cifs_smb3_do_mount+0x265/0x1700 [cifs]
    [] smb3_get_tree+0x2e8/0x520 [cifs]
    [] vfs_get_tree+0x8a/0x2d0
    [] path_mount+0x423/0x1a10
    [] __x64_sys_mount+0x1fa/0x270
    [] do_syscall_64+0x3b/0x90
    [] entry_SYSCALL_64_after_hwframe+0x44/0xae

    Fixes: 7be3248f3139 ("cifs: To match file servers, make sure the server hostname matches")
    Signed-off-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Paulo Alcantara
     
  • commit 71e6864eacbef0b2645ca043cdfbac272cb6cea3 upstream.

    Linux allows doing a flush/fsync on a file open for read-only,
    but the protocol does not allow that. If the file passed in
    on the flush is read-only try to find a writeable handle for
    the same inode, if that is not possible skip sending the
    fsync call to the server to avoid breaking the apps.

    Reported-by: Julian Sikorski
    Tested-by: Julian Sikorski
    Suggested-by: Jeremy Allison
    Reviewed-by: Paulo Alcantara (SUSE)
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Steve French
     
  • commit 4ac0536f8874a903a72bddc57eb88db774261e3a upstream.

    With commit 506c1da44fee ("cifs: use the expiry output of dns_query to
    schedule next resolution") and after triggering the first reconnect,
    the next async dns resolution of tcp server's hostname would be
    scheduled based on dns_resolver's key expiry default, which happens to
    default to 5s on most systems that use key.dns_resolver for upcall.

    As per key.dns_resolver.conf(5):

    default_ttl=
    The number of seconds to set as the expiration on a cached
    record. This will be overridden if the program manages to
    retrieve TTL information along with the addresses (if, for
    example, it accesses the DNS directly). The default is 5 seconds.
    The value must be in the range 1 to INT_MAX.

    Make the next async dns resolution no shorter than 120s as we do not
    want to be upcalling too often.

    Cc: stable@vger.kernel.org
    Fixes: 506c1da44fee ("cifs: use the expiry output of dns_query to schedule next resolution")
    Signed-off-by: Paulo Alcantara (SUSE)
    Reviewed-by: Shyam Prasad N
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Paulo Alcantara
     
  • commit 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 upstream.

    We generally rely on a bunch of factors to differentiate between servers.
    For example, IP address, port etc.

    For certain server types (like Azure), it is important to make sure
    that the server hostname matches too, even if both hostnames currently
    resolve to the same IP address.

    Signed-off-by: Shyam Prasad N
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

    Shyam Prasad N
     

24 Sep, 2021

1 commit

  • Although very unlikely that the tlink pointer would be null in this case,
    get_next_mid function can in theory return null (but not an error)
    so need to check for null (not for IS_ERR, which can not be returned
    here).

    Address warning:

    fs/smbfs_client/connect.c:2392 cifs_match_super()
    warn: 'tlink' isn't an ERR_PTR

    Pointed out by Dan Carpenter via smatch code analysis tool

    CC: stable@vger.kernel.org
    Reported-by: Dan Carpenter
    Acked-by: Ronnie Sahlberg
    Signed-off-by: Steve French

    Steve French