lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Dec 2020 09:52:13 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Rohith Surabattula <rohiths@...rosoft.com>, Pavel Shilovsky <pshilov@...rosoft.com>, Steve French <stfrench@...rosoft.com> Subject: [PATCH 5.9 018/152] smb3: Handle error case during offload read path From: Rohith Surabattula <rohiths@...rosoft.com> commit 1254100030b3377e8302f9c75090ab191d73ee7c upstream. Mid callback needs to be called only when valid data is read into pages. These patches address a problem found during decryption offload: CIFS: VFS: trying to dequeue a deleted mid that could cause a refcount use after free: Workqueue: smb3decryptd smb2_decrypt_offload [cifs] Signed-off-by: Rohith Surabattula <rohiths@...rosoft.com> Reviewed-by: Pavel Shilovsky <pshilov@...rosoft.com> CC: Stable <stable@...r.kernel.org> #5.4+ Signed-off-by: Steve French <stfrench@...rosoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- fs/cifs/smb2ops.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -4415,7 +4415,25 @@ static void smb2_decrypt_offload(struct dw->server->vals->read_rsp_size, dw->ppages, dw->npages, dw->len, true); - mid->callback(mid); + if (rc >= 0) { +#ifdef CONFIG_CIFS_STATS2 + mid->when_received = jiffies; +#endif + mid->callback(mid); + } else { + spin_lock(&GlobalMid_Lock); + if (dw->server->tcpStatus == CifsNeedReconnect) { + mid->mid_state = MID_RETRY_NEEDED; + spin_unlock(&GlobalMid_Lock); + mid->callback(mid); + } else { + mid->mid_state = MID_REQUEST_SUBMITTED; + mid->mid_flags &= ~(MID_DELETED); + list_add_tail(&mid->qhead, + &dw->server->pending_mid_q); + spin_unlock(&GlobalMid_Lock); + } + } cifs_mid_q_entry_release(mid); }
Powered by blists - more mailing lists