5 changes: 4 additions & 1 deletion fs/cifs/cifs_debug.c
Expand Up @@ -609,10 +609,13 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
server->fastest_cmd[j],
server->slowest_cmd[j]);
for (j = 0; j < NUMBER_OF_SMB2_COMMANDS; j++)
if (atomic_read(&server->smb2slowcmd[j]))
if (atomic_read(&server->smb2slowcmd[j])) {
spin_lock(&server->srv_lock);
seq_printf(m, " %d slow responses from %s for command %d\n",
atomic_read(&server->smb2slowcmd[j]),
server->hostname, j);
spin_unlock(&server->srv_lock);
}
#endif /* STATS2 */
list_for_each(tmp2, &server->smb_ses_list) {
ses = list_entry(tmp2, struct cifs_ses,
12 changes: 6 additions & 6 deletions fs/cifs/cifs_debug.h
Expand Up @@ -95,19 +95,19 @@ do { \

#define cifs_server_dbg_func(ratefunc, type, fmt, ...) \
do { \
const char *sn = ""; \
if (server && server->hostname) \
sn = server->hostname; \
spin_lock(&server->srv_lock); \
if ((type) & FYI && cifsFYI & CIFS_INFO) { \
pr_debug_ ## ratefunc("%s: \\\\%s " fmt, \
__FILE__, sn, ##__VA_ARGS__); \
__FILE__, server->hostname, \
##__VA_ARGS__); \
} else if ((type) & VFS) { \
pr_err_ ## ratefunc("VFS: \\\\%s " fmt, \
sn, ##__VA_ARGS__); \
server->hostname, ##__VA_ARGS__); \
} else if ((type) & NOISY && (NOISY != 0)) { \
pr_debug_ ## ratefunc("\\\\%s " fmt, \
sn, ##__VA_ARGS__); \
server->hostname, ##__VA_ARGS__); \
} \
spin_unlock(&server->srv_lock); \
} while (0)

#define cifs_server_dbg(type, fmt, ...) \
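Review bot: The rewritten cifs_server_dbg_func dereferences `server` unconditionally in `spin_lock(&server->srv_lock)`, whereas the lines it replaces tolerated a NULL `server` or a NULL `server->hostname` by falling back to `""`. Any call site that can reach the macro with a NULL server now faults instead of printing an empty name, so either audit the callers or keep the guard, e.g. `if (server) spin_lock(&server->srv_lock);` with the matching test on unlock and `server ? server->hostname : ""` in the three print calls. The variadic arguments are now also evaluated with the spinlock held, which is worth stating above the macro: `/* server must be non-NULL; arguments are evaluated under srv_lock and must not sleep or take srv_lock */`.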
4 changes: 2 additions & 2 deletions fs/cifs/cifs_swn.c
Expand Up @@ -482,7 +482,7 @@ static int cifs_swn_store_swn_addr(const struct sockaddr_storage *new,
static int cifs_swn_reconnect(struct cifs_tcon *tcon, struct sockaddr_storage *addr)
{
/* Store the reconnect address */
mutex_lock(&tcon->ses->server->srv_mutex);
cifs_server_lock(tcon->ses->server);
if (!cifs_sockaddr_equal(&tcon->ses->server->dstaddr, addr)) {
int ret;

Expand Down Expand Up @@ -520,7 +520,7 @@ static int cifs_swn_reconnect(struct cifs_tcon *tcon, struct sockaddr_storage *a
tcon->ses->server->tcpStatus = CifsNeedReconnect;
spin_unlock(&GlobalMid_Lock);
}
mutex_unlock(&tcon->ses->server->srv_mutex);
cifs_server_unlock(tcon->ses->server);

return 0;
}
8 changes: 4 additions & 4 deletions fs/cifs/cifsencrypt.c
Expand Up @@ -245,9 +245,9 @@ int cifs_verify_signature(struct smb_rqst *rqst,
cpu_to_le32(expected_sequence_number);
cifs_pdu->Signature.Sequence.Reserved = 0;

mutex_lock(&server->srv_mutex);
cifs_server_lock(server);
rc = cifs_calc_signature(rqst, server, what_we_think_sig_should_be);
mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);

if (rc)
return rc;
Expand Down Expand Up @@ -716,7 +716,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)

memcpy(ses->auth_key.response + baselen, tiblob, tilen);

mutex_lock(&ses->server->srv_mutex);
cifs_server_lock(ses->server);

rc = cifs_alloc_hash("hmac(md5)",
&ses->server->secmech.hmacmd5,
Expand Down Expand Up @@ -768,7 +768,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);

unlock:
mutex_unlock(&ses->server->srv_mutex);
cifs_server_unlock(ses->server);
setup_ntlmv2_rsp_ret:
kfree(tiblob);

21 changes: 20 additions & 1 deletion fs/cifs/cifsglob.h
Expand Up @@ -26,6 +26,7 @@
#include <linux/mm.h>
#include <linux/mempool.h>
#include <linux/workqueue.h>
#include <linux/sched/mm.h>
#include "cifs_fs_sb.h"
#include "cifsacl.h"
#include <crypto/internal/hash.h>
Expand Down Expand Up @@ -579,6 +580,7 @@ inc_rfc1001_len(void *buf, int count)
struct TCP_Server_Info {
struct list_head tcp_ses_list;
struct list_head smb_ses_list;
spinlock_t srv_lock; /* protect anything here that is not protected */
int srv_count; /* reference counter */
/* 15 character server name + 0x20 16th byte indicating type = srv */
char server_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL];
Expand All @@ -603,7 +605,8 @@ struct TCP_Server_Info {
unsigned int in_flight; /* number of requests on the wire to server */
unsigned int max_in_flight; /* max number of requests that were on wire */
spinlock_t req_lock; /* protect the two values above */
struct mutex srv_mutex;
struct mutex _srv_mutex;
unsigned int nofs_flag;
struct task_struct *tsk;
char server_GUID[16];
__u16 sec_mode;
Expand Down Expand Up @@ -695,6 +698,22 @@ struct TCP_Server_Info {
#endif
};

static inline void cifs_server_lock(struct TCP_Server_Info *server)
{
unsigned int nofs_flag = memalloc_nofs_save();

mutex_lock(&server->_srv_mutex);
server->nofs_flag = nofs_flag;
}

static inline void cifs_server_unlock(struct TCP_Server_Info *server)
{
unsigned int nofs_flag = server->nofs_flag;

mutex_unlock(&server->_srv_mutex);
memalloc_nofs_restore(nofs_flag);
}

struct cifs_credits {
unsigned int value;
unsigned int instance;
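Review bot: The comment on the new `srv_lock` field, `/* protect anything here that is not protected */`, does not say which fields it covers or how it orders against `_srv_mutex` and `cifs_tcp_ses_lock`. Within this same change `server->hostname` is read under `srv_lock` in match_server and cifs_setup_ipc but under the mutex in cifs_tree_connect, so a reader cannot tell which lock is the rule. State it at the field, for example `/* protects hostname; nests inside cifs_tcp_ses_lock; never held across a sleep */`, adjusted to the ordering actually intended, since the writers are only partly visible on this page. cifs_server_lock() and cifs_server_unlock() would also benefit from a short comment saying that `nofs_flag` is only meaningful while `_srv_mutex` is held and, presumably, that the NOFS scope exists so allocations made under the mutex cannot recurse into filesystem reclaim.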
43 changes: 28 additions & 15 deletions fs/cifs/connect.c
Collaborator


cifs_set_port((struct sockaddr *)&server->dstaddr, CIFS_PORT); modifies server->dstaddr without any lock held. This was fixed in the large upstream rework commit 665e187 ("cifs: Improve handling of NetBIOS packets").

That being said, there's a bigger problem with this commit: cifs_find_tcp_session() reads server->dstaddr from match_server() without taking the server mutex lock. So the loop in cifs_find_tcp_session() needs to take the server mutex lock, but wait: that loop's linked list traversal is protected by the cifs_tcp_ses_lock spin lock. So each server's mutex lock cannot be taken inside the loop, because it would sleep in atomic context:

struct TCP_Server_Info *
cifs_find_tcp_session(struct smb3_fs_context *ctx)
{
	struct TCP_Server_Info *server;

	spin_lock(&cifs_tcp_ses_lock);
	list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) {
		//  <-- NEED cifs_server_lock(server) HERE BUT CAN'T SLEEP HERE
		/*
		 * Skip ses channels since they're only handled in lower layers
		 * (e.g. cifs_send_recv).
		 */
		if (server->is_channel || !match_server(server, ctx)) // <-- THIS READS server->dstaddr
			continue;

		++server->srv_count;
		spin_unlock(&cifs_tcp_ses_lock);
		cifs_dbg(FYI, "Existing tcp session with server found\n");
		return server;
	}
	spin_unlock(&cifs_tcp_ses_lock);
	return NULL;
}

Upstream commit d7d7a66 ("cifs: avoid use of global locks for high contention data") is a mandatory prerequisite for this commit. That upstream commit also fixes the missing locking in cifs_find_tcp_session() to protect the server->dstaddr access.

I stopped reviewing this commit at that point, since it was clear that this needed to be reworked.

Contributor Author


That being said, there's a bigger problem with this commit: cifs_find_tcp_session() reads server->dstaddr from match_server() without taking the server mutex lock.

It takes the cifs_tcp_ses_lock spinlock which protects from cifs_reconnect() writing as explained in #1059 (comment).

cifs_set_port((struct sockaddr *)&server->dstaddr, CIFS_PORT); modifies server->dstaddr without any lock held. This was fixed in the large upstream rework commit 665e187 ("cifs: Improve handling of NetBIOS packets").

Yes, this write is unprotected, and this time it does seem to be compiled into ciqlts8_6, but - again - fixing dstaddr synchronization issues is out of scope of CVE-2023-53751.

I stopped reviewing this commit at that point, since it was clear that this needed to be reworked.

Please continue. It's not clear at all unless it's decided to widen the scope of this PR beyond the CVE-2023-53751 fix, which AFAIK from @PlaidCat already got too large from the business perspective.

Expand Up @@ -147,9 +147,11 @@ static void reconn_set_next_dfs_target(struct TCP_Server_Info *server,

name = dfs_cache_get_tgt_name(*tgt_it);

spin_lock(&server->srv_lock);
kfree(server->hostname);

server->hostname = extract_hostname(name);
spin_unlock(&server->srv_lock);
if (IS_ERR(server->hostname)) {
cifs_dbg(FYI,
"%s: failed to extract hostname from target: %ld\n",
Expand Down Expand Up @@ -261,7 +263,7 @@ cifs_reconnect(struct TCP_Server_Info *server)

/* do not want to be sending data on a socket we are freeing */
cifs_dbg(FYI, "%s: tearing down socket\n", __func__);
mutex_lock(&server->srv_mutex);
cifs_server_lock(server);
if (server->ssocket) {
cifs_dbg(FYI, "State: 0x%x Flags: 0x%lx\n",
server->ssocket->state, server->ssocket->flags);
Expand Down Expand Up @@ -291,7 +293,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
mid_entry->mid_flags |= MID_DELETED;
}
spin_unlock(&GlobalMid_Lock);
mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);

cifs_dbg(FYI, "%s: issuing mid callbacks\n", __func__);
list_for_each_safe(tmp, tmp2, &retry_list) {
Expand All @@ -302,15 +304,15 @@ cifs_reconnect(struct TCP_Server_Info *server)
}

if (cifs_rdma_enabled(server)) {
mutex_lock(&server->srv_mutex);
cifs_server_lock(server);
smbd_destroy(server);
mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);
}

do {
try_to_freeze();

mutex_lock(&server->srv_mutex);
cifs_server_lock(server);

#ifdef CONFIG_CIFS_SWN_UPCALL
if (server->use_swn_dstaddr) {
Expand Down Expand Up @@ -352,7 +354,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
rc = generic_ip_connect(server);
if (rc) {
cifs_dbg(FYI, "reconnect error %d\n", rc);
mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);
msleep(3000);
} else {
atomic_inc(&tcpSesReconnectCount);
Expand All @@ -364,7 +366,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
#ifdef CONFIG_CIFS_SWN_UPCALL
server->use_swn_dstaddr = false;
#endif
mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);
}
} while (server->tcpStatus == CifsNeedReconnect);

Expand Down Expand Up @@ -418,9 +420,7 @@ cifs_echo_request(struct work_struct *work)
goto requeue_echo;

rc = server->ops->echo ? server->ops->echo(server) : -ENOSYS;
if (rc)
cifs_dbg(FYI, "Unable to send echo request to server: %s\n",
server->hostname);
cifs_server_dbg(FYI, "send echo request: rc = %d\n", rc);

#ifdef CONFIG_CIFS_SWN_UPCALL
/* Check witness registrations */
Expand Down Expand Up @@ -1177,6 +1177,8 @@ static int match_server(struct TCP_Server_Info *server, struct smb3_fs_context *
{
struct sockaddr *addr = (struct sockaddr *)&ctx->dstaddr;

lockdep_assert_held(&cifs_tcp_ses_lock);

if (ctx->nosharesock)
return 0;

Expand All @@ -1194,8 +1196,12 @@ static int match_server(struct TCP_Server_Info *server, struct smb3_fs_context *
if (!net_eq(cifs_net_ns(server), current->nsproxy->net_ns))
return 0;

if (strcasecmp(server->hostname, ctx->server_hostname))
spin_lock(&server->srv_lock);
if (strcasecmp(server->hostname, ctx->server_hostname)) {
spin_unlock(&server->srv_lock);
return 0;
}
spin_unlock(&server->srv_lock);

if (!match_address(server, addr,
(struct sockaddr *)&ctx->srcaddr))
Expand Down Expand Up @@ -1332,7 +1338,7 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx)
init_waitqueue_head(&tcp_ses->response_q);
init_waitqueue_head(&tcp_ses->request_q);
INIT_LIST_HEAD(&tcp_ses->pending_mid_q);
mutex_init(&tcp_ses->srv_mutex);
mutex_init(&tcp_ses->_srv_mutex);
memcpy(tcp_ses->workstation_RFC1001_name,
ctx->source_rfc1001_name, RFC1001_NAME_LEN_WITH_NULL);
memcpy(tcp_ses->server_RFC1001_name,
Expand All @@ -1343,6 +1349,7 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx)
tcp_ses->lstrp = jiffies;
tcp_ses->compress_algorithm = cpu_to_le16(ctx->compression);
spin_lock_init(&tcp_ses->req_lock);
spin_lock_init(&tcp_ses->srv_lock);
INIT_LIST_HEAD(&tcp_ses->tcp_ses_list);
INIT_LIST_HEAD(&tcp_ses->smb_ses_list);
INIT_DELAYED_WORK(&tcp_ses->echo, cifs_echo_request);
Expand Down Expand Up @@ -1512,7 +1519,9 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx)
if (tcon == NULL)
return -ENOMEM;

spin_lock(&server->srv_lock);
scnprintf(unc, sizeof(unc), "\\\\%s\\IPC$", server->hostname);
spin_unlock(&server->srv_lock);

xid = get_xid();
tcon->ses = ses;
Expand Down Expand Up @@ -4081,7 +4090,9 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru

if (!tcon->dfs_path) {
if (tcon->ipc) {
cifs_server_lock(server);
scnprintf(tree, MAX_TREE_SIZE, "\\\\%s\\IPC$", server->hostname);
cifs_server_unlock(server);
rc = ops->tree_connect(xid, tcon->ses, tree, tcon, nlsc);
} else {
rc = ops->tree_connect(xid, tcon->ses, tcon->treeName, tcon, nlsc);
Expand All @@ -4095,8 +4106,6 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru
isroot = ref.server_type == DFS_TYPE_ROOT;
free_dfs_info_param(&ref);

extract_unc_hostname(server->hostname, &tcp_host, &tcp_host_len);

for (it = dfs_cache_get_tgt_iterator(&tl); it; it = dfs_cache_get_next_tgt(&tl, it)) {
bool target_match;

Expand All @@ -4114,10 +4123,13 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru

extract_unc_hostname(share, &dfs_host, &dfs_host_len);

cifs_server_lock(server);
extract_unc_hostname(server->hostname, &tcp_host, &tcp_host_len);
if (dfs_host_len != tcp_host_len
|| strncasecmp(dfs_host, tcp_host, dfs_host_len) != 0) {
cifs_dbg(FYI, "%s: %.*s doesn't match %.*s\n", __func__, (int)dfs_host_len,
dfs_host, (int)tcp_host_len, tcp_host);
cifs_server_unlock(server);

rc = match_target_ip(server, dfs_host, dfs_host_len, &target_match);
if (rc) {
Expand All @@ -4129,7 +4141,8 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru
cifs_dbg(FYI, "%s: skipping target\n", __func__);
continue;
}
}
} else
cifs_server_unlock(server);

if (tcon->ipc) {
scnprintf(tree, MAX_TREE_SIZE, "\\\\%s\\IPC$", share);
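Review bot: In the reconn_set_next_dfs_target hunk, the result of `extract_hostname(name)` is stored into `server->hostname` under `srv_lock` before it is validated, and the `IS_ERR()` test only runs after the unlock. An error pointer can therefore sit in `server->hostname` where the locked readers added by this same change (the `strcasecmp()` in match_server, the `%s` in cifs_server_dbg_func) would dereference it. The call is also made with a spinlock held, so if extract_hostname() allocates with a sleeping GFP mask (its body is not on this page, so confirm) it sleeps in atomic context. Build and check the new name first, swap the pointer under the lock and free the old one afterwards; this needs two locals, `char *hostname, *old`. The function starts and ends outside the hunk, so the error path below has to be switched to the local as well.

```c
	name = dfs_cache_get_tgt_name(*tgt_it);

	/* allocate and validate before publishing the pointer */
	hostname = extract_hostname(name);
	if (!IS_ERR(hostname)) {
		spin_lock(&server->srv_lock);
		old = server->hostname;
		server->hostname = hostname;
		spin_unlock(&server->srv_lock);
		kfree(old);	/* no locked reader can still hold the old pointer */
	}
	/* … unchanged: IS_ERR() error path, now testing the local hostname … */
```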
2 changes: 2 additions & 0 deletions fs/cifs/misc.c
Expand Up @@ -1123,8 +1123,10 @@ int match_target_ip(struct TCP_Server_Info *server,
goto out;
}

spin_lock(&cifs_tcp_ses_lock);
*result = cifs_match_ipaddr((struct sockaddr *)&server->dstaddr,
&tipaddr);
spin_unlock(&cifs_tcp_ses_lock);
Comment on lines +1126 to +1129
Collaborator


cifs_reconnect() modifies server->dstaddr with only the server mutex held:

		cifs_server_lock(server);

#ifdef CONFIG_CIFS_SWN_UPCALL
		if (server->use_swn_dstaddr) {
			server->dstaddr = server->swn_dstaddr;
		} else {
#endif

cifs_tcp_ses_lock doesn't protect against that. Don't change this though; this backport will need to be completely reworked (see my other comment).

Contributor Author


The dstaddr setting is protected by cifs_tcp_ses_lock in cifs_reconnect() - see reconn_set_ipaddr_from_hostname()

spin_lock(&cifs_tcp_ses_lock);
rc = cifs_convert_address((struct sockaddr *)&server->dstaddr, ipaddr,
strlen(ipaddr));
spin_unlock(&cifs_tcp_ses_lock);

and its call in cifs_reconnect():

rc = reconn_set_ipaddr_from_hostname(server);

The usage you highlighted is not compiled into ciqlts8_6.

grep -e "CONFIG_CIFS_SWN_UPCALL" .config

# CONFIG_CIFS_SWN_UPCALL is not set

Even if CONFIG_CIFS_SWN_UPCALL was enabled then protecting dstaddr is not in the scope of fixing CVE-2023-53751. The only reason this read was protected in this PR was the fact that the commit 39a154f fixing hostname usage also mixed in the protection of dstaddr, which gave 3 options:

  1. omit the dstaddr protection, mangling the backported commit and possibly confusing those making the fixes in the future,
  2. omit the 39a154f backport entirely, making the protection of hostname incomplete,
  3. include the protection of dstaddr after necessary adaptation to the LTS 8.6 codebase.

The last option was chosen as making the most sense, but it should be treated as a bonus, certainly not as a prompt for scratching the whole solution which wasn't even concerned with protecting dstaddr in the first place.

Collaborator


I see, the CVE itself only cares about hostname, while the commit fixing it also mixed in some fixes for dstaddr.

The last option was chosen as making the most sense, but it should be treated as a bonus, certainly not as a prompt for scratching the whole solution which wasn't even concerned with protecting dstaddr in the first place.

When we diverge from upstream, we need to make sure that our own solutions won't create an unfixable conflict for future CVE fixes. And we should be prudent that our divergence won't create a snowball of extra work for every subsequent fix too.

If you look through the outstanding CIFS-related CVEs that need to be fixed in 8.6 and none of them seem like they'll create a big headache due to this PR, then we can move forward with the approach in this PR.

But if it seems like there's a big CIFS headache waiting for us that could've been avoided by biting the bullet now and backporting the big locking overhaul, then we should scratch this solution and do just that.

CC @PlaidCat if you have some thoughts here.

Contributor Author


If you look through the outstanding CIFS-related CVEs that need to be fixed in 8.6 and none of them seem like they'll create a big headache due to this PR, then we can move forward with the approach in this PR.

Sorry, I do not have this knowledge; I'm only handed CVEs to fix, a few at a time.

But if it seems like there's a big CIFS headache waiting for us that could've been avoided by biting the bullet now and backporting the big locking overhaul, then we should scratch this solution and do just that.

It's not my decision to make and I don't have much useful input on that matter either, so I'll refrain from suggesting anything. If CIQ decides to go that way then I can backport this locking overhaul and rework this PR to suit it. It's not like much effort will be discarded, maybe 25%. However, there may be a lot of additional effort needed to backport d7d7a66. Certainly not less than this PR, no idea about the upper bound though. Doing a quick ch-p I can see 13 files modified and conflicts in every single one of them. Also it's all locks, which must be approached very carefully.

Collaborator


My stance from this was that @pvts-mat looked at the CVE and attempted to address the missing protections on hostname which we found were not previously CVEs (a little frustrating). I was reviewing this it felt like it was turtles all the way down and exposes other gaps which will probably expose additional gaps.

This is the joy of managing an LTS, its not ideal for correctness to upstream state but its the hand we're dealt. I think we went above and beyond to address the problem holistically to the original intent of the CVE.

We have also run into this problem when upstream injects fixes together with features; netfilter has been the prime instigator for us. So given this LTS is supposed to end at the end of the year, I'd like to avoid another lengthy subsystem sync (due to turtles) like we did with netfilter (several times)
https://ciq.com/services/long-term-support/

There are a total of 3 outstanding CVEs and 2 of them below our official support level.

We also have the problem of can we even rebase the subsystem (is that viable). The other outstanding CVEs are for cifs are smb2 related and another use_after_free unrelated at a glance to the d7d7a66 called out here.

In addition this commit called out wasn't clean anyways and was added late into the 8.10 process
5a18869
https://github.com/ctrliq/kernel-src-tree/tree/resf_kernel-4.18.0-553.82.1.el8_10
and looks like the did a lot of syncing to the upstream here:

[kernel-src-tree]$ git log --oneline fs/cifs
48e11f31ca38 (tag: resf_kernel-4.18.0-553.82.1.el8_10) Rebuild rocky8_10 with kernel-4.18.0-553.82.1.el8_10
aa7b0dfd8e64 cifs: fix leak of iface for primary channel
b6a878b50327 smb3: missing lock when picking channel
168d21ca8f9e smb: client: fix oops due to unset link speed
6c057e6e94b1 cifs: failure to add channel on iface should bump up weight
84ac0fd0d4e2 cifs: do not depend on release_iface for maintaining iface_list
bded332245d9 cifs: do not reset chan_max if multichannel is not supported at mount
925ff7a23f2c smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
1ac81678ef0f cifs: print last update time for interface list
f50321e8a53b cifs: log session id when a matching ses is not found
31cf57c29f4c cifs: fix session state check in smb2_find_smb_ses
c72f7bb37c55 cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
ebcdb59306d8 cifs: print smb3_fs_context::source when mounting
c66267ab4216 cifs: refcount only the selected iface during interface update
765aa45b298e cifs: get rid of dead check in smb2_reconnect()
57f24a9451e2 cifs: empty interface list when server doesn't support query interfaces
36b6f0b0c1aa cifs: do not poll server interfaces too regularly
a6c65926012f cifs: Move the in_send statistic to __smb_send_rqst()
937a1b179ca5 cifs: reuse cifs_match_ipaddr for comparison of dstaddr too
51b964e40a90 cifs: match even the scope id for ipv6 addresses
9334f3bfc7c4 cifs: do not query ifaces on smb1 mounts
eb3eb89030b5 cifs: fix interface count calculation during refresh
e467b633bf40 cifs: fix race in assemble_neg_contexts()
1fd7616fb0e1 cifs: set correct ipc status after initial tree connect
ef9e18c2939a cifs: set correct tcon status after initial tree connect
d31926bc6b7d cifs: Use after free in debug code
1b53023e9a92 smb3: interface count displayed incorrectly
9ab2344f6803 smb3: clarify multichannel warning
6e82b4f9b687 smb3: do not log confusing message when server returns no network interfaces
866dfa3270f0 cifs: return correct error in ->calc_signature()
d219e22da5a1 cifs: add missing spinlock around tcon refcount
01af8b087314 cifs: fix small mempool leak in SMB2_negotiate()
d98f37f03122 cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()
fcdd12c22144 smb3: limit noisy error
6bd5959d21fd cifs: alloc_mid function should be marked as static
7ec195478942 cifs: remove "cifs_" prefix from init/destroy mids functions
641b911293d2 cifs: remove remaining build warnings
21f591520018 cifs: remove minor build warning
eddb7a613072 cifs: remove some camelCase and also some static build warnings
ec60bfa93ce7 cifs: remove unnecessary (void*) conversions.
e5f483bcc71f cifs: remove unnecessary type castings
69341beb3b66 cifs: remove redundant initialization to variable mnt_sign_enabled
578f8978fd63 smb3: check xattr value length earlier
999213235740 cifs: remove unnecessary locking of chan_lock while freeing session
3dd7d9d300ef cifs: periodically query network interfaces from server
ae839c366e72 cifs: during reconnect, update interface if necessary
3a7da544ed5d cifs: change iface_list from array to sorted linked list
2eea6e8cf330 cifs: when a channel is not found for server, log its connection id
0563d5193d16 cifs: return errors during session setup during reconnects
01682af4b1ca cifs: remove repeated debug message on cifs_put_smb_ses()
0437e41c96a8 cifs: use correct lock type in cifs_reconnect()
65403970e6b2 cifs: Use kzalloc instead of kmalloc/memset
542688f957a8 cifs: unlock chan_lock before calling cifs_put_tcp_session
f412c956b62e cifs: fix the cifs_reconnect path for DFS
007bf8fef70c cifs: add WARN_ON for when chan_count goes below minimum
4bd76ee38034 cifs: adjust DebugData to use chans_need_reconnect for conn status
4b13da85b20f cifs: use the chans_need_reconnect bitmap for reconnect status
51c49fc391fc cifs: track individual channel status using chans_need_reconnect
2c5d9a5edd1f cifs: Adjust key sizes and key generation routines for AES256 encryption
5e3c681d8291 cifs: fix allocation size on newly created files
6e81cfe76a48 (tag: resf_kernel-4.18.0-553.78.1.el8_10) Rebuild rocky8_10 with kernel-4.18.0-553.78.1.el8_10

It also looks like there is a huge number of changes since this LTS forked as well.

[ kernel-src-tree]$ git log --oneline centos_kernel-4.18.0-338.el8..HEAD fs/cifs/ | wc -l
302

cifs_dbg(FYI, "%s: ip addresses match: %u\n", __func__, *result);
rc = 0;

6 changes: 3 additions & 3 deletions fs/cifs/sess.c
Expand Up @@ -903,14 +903,14 @@ sess_establish_session(struct sess_data *sess_data)
{
struct cifs_ses *ses = sess_data->ses;

mutex_lock(&ses->server->srv_mutex);
cifs_server_lock(ses->server);
if (!ses->server->session_estab) {
if (ses->server->sign) {
ses->server->session_key.response =
kmemdup(ses->auth_key.response,
ses->auth_key.len, GFP_KERNEL);
if (!ses->server->session_key.response) {
mutex_unlock(&ses->server->srv_mutex);
cifs_server_unlock(ses->server);
return -ENOMEM;
}
ses->server->session_key.len =
Expand All @@ -919,7 +919,7 @@ sess_establish_session(struct sess_data *sess_data)
ses->server->sequence_number = 0x2;
ses->server->session_estab = true;
}
mutex_unlock(&ses->server->srv_mutex);
cifs_server_unlock(ses->server);

cifs_dbg(FYI, "CIFS session established successfully\n");
spin_lock(&GlobalMid_Lock);
6 changes: 3 additions & 3 deletions fs/cifs/smb1ops.c
Expand Up @@ -49,10 +49,10 @@ send_nt_cancel(struct TCP_Server_Info *server, struct smb_rqst *rqst,
in_buf->WordCount = 0;
put_bcc(0, in_buf);

mutex_lock(&server->srv_mutex);
cifs_server_lock(server);
rc = cifs_sign_smb(in_buf, server, &mid->sequence_number);
if (rc) {
mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);
return rc;
}

Expand All @@ -66,7 +66,7 @@ send_nt_cancel(struct TCP_Server_Info *server, struct smb_rqst *rqst,
if (rc < 0)
server->sequence_number--;

mutex_unlock(&server->srv_mutex);
cifs_server_unlock(server);

cifs_dbg(FYI, "issued NT_CANCEL for mid %u, rc = %d\n",
get_mid(in_buf), rc);