From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B1BACA9EAF for ; Sun, 27 Oct 2019 21:17:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 398D12070B for ; Sun, 27 Oct 2019 21:17:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572211034; bh=/Xw7BhYA+kwXh7NFcln0984td5k3Pk8C3Zla/ek6nGc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=RCkxuzrS+FZ84TdXaecBQxLTxotumH0uYlqUSnv8aC47K+u+3lEtGhwt0Cj15ZEkN OBT+c1uhCPzOkQzIovDrqJhTYCsMcQM0gtVChC7ii8i7yZ6UvTvqLMhI/CwSW35Rrn Kp8lS9zPbvrN0Lo2RakxQdBKBsd5w0a2MQjj5THs= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731007AbfJ0VRN (ORCPT ); Sun, 27 Oct 2019 17:17:13 -0400 Received: from mail.kernel.org ([198.145.29.99]:36976 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730990AbfJ0VRK (ORCPT ); Sun, 27 Oct 2019 17:17:10 -0400 Received: from localhost (100.50.158.77.rev.sfr.net [77.158.50.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D8BCF2070B; Sun, 27 Oct 2019 21:17:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572211029; bh=/Xw7BhYA+kwXh7NFcln0984td5k3Pk8C3Zla/ek6nGc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o7w4klHQIWPEkdl19ZJ2T+NlgGk7Oa3z0Vg4L1bV1Kf0ms5ZYYK7vydOxZFkDiob6 eAoOy5ds7+nx39h0Fqv/Z9IJZiIhTh1/k12tHQwa9fGChnSxCyghPXB5ifHihEJKvR VumveiPwG1XbVA8owD+St+dZ/zB/PVj1VgVcWMeU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ronnie Sahlberg , Pavel Shilovsky , Steve French Subject: [PATCH 4.19 75/93] CIFS: Fix use after free of file info structures Date: Sun, 27 Oct 2019 22:01:27 +0100 Message-Id: <20191027203310.813651313@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191027203251.029297948@linuxfoundation.org> References: <20191027203251.029297948@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pavel Shilovsky commit 1a67c415965752879e2e9fad407bc44fc7f25f23 upstream. Currently the code assumes that if a file info entry belongs to lists of open file handles of an inode and a tcon then it has non-zero reference. The recent changes broke that assumption when putting the last reference of the file info. There may be a situation when a file is being deleted but nothing prevents another thread to reference it again and start using it. This happens because we do not hold the inode list lock while checking the number of references of the file info structure. Fix this by doing the proper locking when doing the check. Fixes: 487317c99477d ("cifs: add spinlock for the openFileList to cifsInodeInfo") Fixes: cb248819d209d ("cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic") Cc: Stable Reviewed-by: Ronnie Sahlberg Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/cifs/file.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -403,10 +403,11 @@ void _cifsFileInfo_put(struct cifsFileIn bool oplock_break_cancelled; spin_lock(&tcon->open_file_lock); - + spin_lock(&cifsi->open_file_lock); spin_lock(&cifs_file->file_info_lock); if (--cifs_file->count > 0) { spin_unlock(&cifs_file->file_info_lock); + spin_unlock(&cifsi->open_file_lock); spin_unlock(&tcon->open_file_lock); return; } @@ -419,9 +420,7 @@ void _cifsFileInfo_put(struct cifsFileIn cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open); /* remove it from the lists */ - spin_lock(&cifsi->open_file_lock); list_del(&cifs_file->flist); - spin_unlock(&cifsi->open_file_lock); list_del(&cifs_file->tlist); if (list_empty(&cifsi->openFileList)) { @@ -437,6 +436,7 @@ void _cifsFileInfo_put(struct cifsFileIn cifs_set_oplock_level(cifsi, 0); } + spin_unlock(&cifsi->open_file_lock); spin_unlock(&tcon->open_file_lock); oplock_break_cancelled = wait_oplock_handler ?