• Lars Persson's avatar
    cifs: Fix use after free of a mid_q_entry · 696e420b
    Lars Persson authored
    With protocol version 2.0 mounts we have seen crashes with corrupt mid
    entries. Either the server->pending_mid_q list becomes corrupt with a
    cyclic reference in one element or a mid object fetched by the
    demultiplexer thread becomes overwritten during use.
    
    Code review identified a race between the demultiplexer thread and the
    request issuing thread. The demultiplexer thread seems to be written
    with the assumption that it is the sole user of the mid object until
    it calls the mid callback which either wakes the issuer task or
    deletes the mid.
    
    This assumption is not true because the issuer task can be woken up
    earlier by a signal. If the demultiplexer thread has proceeded as far
    as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
    thread will happily end up calling cifs_delete_mid while the
    demultiplexer thread still is using the mid object.
    
    Inserting a delay in the cifs demultiplexer thread widens the race
    window and makes reproduction of the race very easy:
    
    		if (server->large_buf)
    			buf = server->bigbuf;
    
    +		usleep_range(500, 4000);
    
    		server->lstrp = jiffies;
    
    To resolve this I think the proper solution involves putting a
    reference count on the mid object. This patch makes sure that the
    demultiplexer thread holds a reference until it has finished
    processing the transaction.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarLars Persson <larper@axis.com>
    Acked-by: default avatarPaulo Alcantara <palcantara@suse.de>
    Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
    Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
    696e420b
cifsglob.h 59.7 KB