From patchwork Mon Jun 26 03:42:55 2023
X-Patchwork-Submitter: Winston Wen
X-Patchwork-Id: 13292319
From: Winston Wen
To: sfrench@samba.org, linux-cifs@vger.kernel.org, pc@manguebit.com, sprasad@microsoft.com
Cc: Winston Wen
Subject: [PATCH 1/3] cifs: fix session state transition to avoid use-after-free issue
Date: Mon, 26 Jun 2023 11:42:55 +0800
Message-Id: <20230626034257.2078391-2-wentao@uniontech.com>
In-Reply-To: <20230626034257.2078391-1-wentao@uniontech.com>
References: <20230626034257.2078391-1-wentao@uniontech.com>
X-Mailing-List: linux-cifs@vger.kernel.org

We switch the session state to SES_EXITING without cifs_tcp_ses_lock now, which may lead to a potential use-after-free issue. Consider the following execution processes:

Thread 1:
__cifs_put_smb_ses()
    spin_lock(&cifs_tcp_ses_lock)
    if (--ses->ses_count > 0)
        spin_unlock(&cifs_tcp_ses_lock)
        return
    spin_unlock(&cifs_tcp_ses_lock)
    ---> **GAP**
    spin_lock(&ses->ses_lock)
    if (ses->ses_status == SES_GOOD)
        ses->ses_status = SES_EXITING
    spin_unlock(&ses->ses_lock)

Thread 2:
cifs_find_smb_ses()
    spin_lock(&cifs_tcp_ses_lock)
    list_for_each_entry(ses, ...)
        spin_lock(&ses->ses_lock)
        if (ses->ses_status == SES_EXITING)
            spin_unlock(&ses->ses_lock)
            continue
        ...
        spin_unlock(&ses->ses_lock)
    if (ret)
        cifs_smb_ses_inc_refcount(ret)
    spin_unlock(&cifs_tcp_ses_lock)

If thread 1 is preempted in the gap and thread 2 starts executing, thread 2 will get the session, and soon thread 1 will switch the session state to SES_EXITING and start releasing it, even though thread 1 had increased the session's refcount and still uses it.

So switch the session state under cifs_tcp_ses_lock to eliminate this gap.

Signed-off-by: Winston Wen
---
 fs/smb/client/connect.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index 9d16626e7a66..165ecb222c19 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1963,15 +1963,16 @@ void __cifs_put_smb_ses(struct cifs_ses *ses) spin_unlock(&cifs_tcp_ses_lock); return; } + spin_lock(&ses->ses_lock); + if (ses->ses_status == SES_GOOD) + ses->ses_status = SES_EXITING; + spin_unlock(&ses->ses_lock); spin_unlock(&cifs_tcp_ses_lock); /* ses_count can never go negative */ WARN_ON(ses->ses_count < 0); spin_lock(&ses->ses_lock); - if (ses->ses_status == SES_GOOD) - ses->ses_status = SES_EXITING; - if (ses->ses_status == SES_EXITING && server->ops->logoff) { spin_unlock(&ses->ses_lock); cifs_free_ipc(ses);
From patchwork Mon Jun 26 03:42:56 2023
X-Patchwork-Submitter: Winston Wen
X-Patchwork-Id: 13292321
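Review bot: the relocated transition at the top of the __cifs_put_smb_ses() hunk still only fires for `ses_status == SES_GOOD`, so a session in any other non-exiting state whose refcount has just reached zero stays visible to cifs_find_smb_ses(), which per the commit message filters only on SES_EXITING; if that is intended, a comment saying why the other states are left alone would help, otherwise consider `if (ses->ses_status != SES_EXITING)`. Taking `spin_lock(&ses->ses_lock)` while still holding cifs_tcp_ses_lock matches the lock order the finder in the commit message already uses, so no inversion is introduced; a one-line comment at the new block stating that the transition must stay under cifs_tcp_ses_lock would keep a future cleanup from moving it back below `spin_unlock(&cifs_tcp_ses_lock);`, which is exactly the gap this hunk closes.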
From: Winston Wen
To: sfrench@samba.org, linux-cifs@vger.kernel.org, pc@manguebit.com, sprasad@microsoft.com
Cc: Winston Wen
Subject: [PATCH 2/3] cifs: fix session state check in reconnect to avoid use-after-free issue
Date: Mon, 26 Jun 2023 11:42:56 +0800
Message-Id: <20230626034257.2078391-3-wentao@uniontech.com>
In-Reply-To: <20230626034257.2078391-1-wentao@uniontech.com>
References: <20230626034257.2078391-1-wentao@uniontech.com>
X-Mailing-List: linux-cifs@vger.kernel.org

Don't collect an exiting session in smb2_reconnect_server(), because it will be released soon.

Note that the exiting session will stay in server->smb_ses_list until it completes cifs_free_ipc() and logoff() and then deletes itself from the list.

Signed-off-by: Winston Wen
Reviewed-by: Shyam Prasad N
---
 fs/smb/client/smb2pdu.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 17fe212ab895..e04766fe6f80 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3797,6 +3797,12 @@ void smb2_reconnect_server(struct work_struct *work) spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { + spin_lock(&ses->ses_lock); + if (ses->ses_status == SES_EXITING) { + spin_unlock(&ses->ses_lock); + continue; + } + spin_unlock(&ses->ses_lock); tcon_selected = false;
From patchwork Mon Jun 26 03:42:57 2023
X-Patchwork-Submitter: Winston Wen
X-Patchwork-Id: 13292322
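Review bot: the new SES_EXITING check in smb2_reconnect_server() is a snapshot taken under ses_lock and released before `tcon_selected = false;` and the rest of the loop body, so it only rules out the race described in PATCH 1/3 if the loop is still under cifs_tcp_ses_lock when the session and its tcons are collected and referenced, because with PATCH 1/3 the SES_EXITING transition now happens under that same lock. Worth a short comment above the check saying that the skip relies on cifs_tcp_ses_lock being held across the whole collection, so nobody later drops it mid-loop and reopens the window.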
From: Winston Wen
To: sfrench@samba.org, linux-cifs@vger.kernel.org, pc@manguebit.com, sprasad@microsoft.com
Cc: Winston Wen
Subject: [PATCH 3/3] cifs: fix session state check in smb2_find_smb_ses
Date: Mon, 26 Jun 2023 11:42:57 +0800
Message-Id: <20230626034257.2078391-4-wentao@uniontech.com>
In-Reply-To: <20230626034257.2078391-1-wentao@uniontech.com>
References: <20230626034257.2078391-1-wentao@uniontech.com>
X-Mailing-List: linux-cifs@vger.kernel.org

Check the session state and skip it if it's exiting.

Signed-off-by: Winston Wen
---
 fs/smb/client/smb2transport.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c
index 790acf65a092..22954a9c7a6c 100644
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -153,7 +153,14 @@ smb2_find_smb_ses_unlocked(struct TCP_Server_Info *server, __u64 ses_id) list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { if (ses->Suid != ses_id) continue; + + spin_lock(&ses->ses_lock); + if (ses->ses_status == SES_EXITING) { + spin_unlock(&ses->ses_lock); + continue; + } ++ses->ses_count; + spin_unlock(&ses->ses_lock); return ses; }
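Review bot: in smb2_find_smb_ses_unlocked() the existing `++ses->ses_count;` is now enclosed by `spin_lock(&ses->ses_lock)` / `spin_unlock(&ses->ses_lock)`, but elsewhere in this series the counter is modified under cifs_tcp_ses_lock (see `if (--ses->ses_count > 0)` in PATCH 1/3), so the ses_lock here protects only the ses_status read, not the counter. The `_unlocked` name implies the caller holds cifs_tcp_ses_lock, which is also what makes the EXITING check and the increment atomic with respect to the put path after PATCH 1/3; a comment spelling out that both rely on that caller-held lock would stop a reader from concluding that ses_lock guards ses_count.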
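As an added illustration after the series (not code from the patches or the kernel): a userspace C model that replays the interleaving from the PATCH 1/3 commit message against the old and the new put path, with the finder-side SES_EXITING skip that PATCH 2/3 and 3/3 add. Spinlocks and threads are replaced by explicit step functions so the interleaving is replayed deterministically rather than hoping a scheduler reproduces it; struct model_ses, old_put_phase1/old_put_phase2, new_put, find_ses and the replay_* helpers are names invented for this model and do not exist in the kernel.

```c
/*
 * Added illustration (not kernel code): deterministic model of the
 * __cifs_put_smb_ses() / cifs_find_smb_ses() race from PATCH 1/3.
 * Locks and threads are replaced by explicit step functions; all names
 * below are assumptions made for this model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum ses_status { SES_GOOD, SES_EXITING };

struct model_ses {
    int ses_count;            /* refcount; the kernel modifies it under cifs_tcp_ses_lock */
    enum ses_status status;   /* the kernel protects it with ses->ses_lock */
    bool freed;               /* set once the release path has torn the session down */
};

/*
 * Old __cifs_put_smb_ses(), split at the point where cifs_tcp_ses_lock was
 * dropped.  Phase 1 runs under the list lock; phase 2 is what the old code
 * did after releasing it.  Returns true when phase 2 must follow.
 */
static bool old_put_phase1(struct model_ses *s)
{
    /* spin_lock(&cifs_tcp_ses_lock) */
    if (--s->ses_count > 0)
        return false;         /* spin_unlock(); return; */
    return true;              /* spin_unlock(&cifs_tcp_ses_lock)  ---> GAP */
}

static void old_put_phase2(struct model_ses *s)
{
    /* spin_lock(&ses->ses_lock) ... spin_unlock(&ses->ses_lock) */
    if (s->status == SES_GOOD)
        s->status = SES_EXITING;
    /* cifs_free_ipc(), logoff(), free: the session is gone */
    s->freed = true;
}

/* Fixed __cifs_put_smb_ses(): the transition happens before the list lock is dropped. */
static bool new_put(struct model_ses *s)
{
    /* spin_lock(&cifs_tcp_ses_lock) */
    if (--s->ses_count > 0)
        return false;
    if (s->status == SES_GOOD)
        s->status = SES_EXITING;   /* still under cifs_tcp_ses_lock */
    /* spin_unlock(&cifs_tcp_ses_lock); then the release path */
    s->freed = true;
    return true;
}

/*
 * cifs_find_smb_ses() / smb2_find_smb_ses_unlocked() as the series leaves
 * them: runs under cifs_tcp_ses_lock, skips exiting sessions, takes a
 * reference on a match.
 */
static struct model_ses *find_ses(struct model_ses *s)
{
    if (s->status == SES_EXITING)
        return NULL;
    s->ses_count++;
    return s;
}

/*
 * Replay the commit message's interleaving: thread 1 is preempted in the
 * gap, thread 2 finds the session, thread 1 resumes and releases it.
 * Returns true if thread 2 ends up holding a reference to a freed session.
 */
static bool replay_old_code(void)
{
    struct model_ses ses = { .ses_count = 1, .status = SES_GOOD, .freed = false };
    struct model_ses *held = NULL;

    if (old_put_phase1(&ses))      /* thread 1: count 1 -> 0, list lock dropped */
        held = find_ses(&ses);     /* thread 2: status still SES_GOOD, takes a ref */
    old_put_phase2(&ses);          /* thread 1 resumes: EXITING, then freed */

    return held != NULL && held->freed;   /* the use-after-free precondition */
}

/* Same interleaving against the fixed put path: the finder never sees a live session. */
static bool replay_new_code(void)
{
    struct model_ses ses = { .ses_count = 1, .status = SES_GOOD, .freed = false };
    struct model_ses *held = NULL;

    new_put(&ses);                 /* thread 1: count -> 0 and EXITING under one lock */
    held = find_ses(&ses);         /* thread 2: sees SES_EXITING and skips */

    return held == NULL;
}

int main(void)
{
    printf("old put path: finder holds a freed session = %s\n",
           replay_old_code() ? "yes" : "no");
    printf("new put path: finder skipped the exiting session = %s\n",
           replay_new_code() ? "yes" : "no");
    return 0;
}
```

The point of splitting the old put path into two functions is that the split line is the lock release: anything a concurrent finder can do between old_put_phase1 and old_put_phase2 is exactly what it could do in the real gap. With new_put there is no such split, so there is no position at which find_ses can observe a refcount of zero together with a status of SES_GOOD.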