CVE-2024-53178

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: Don&amp;#39;t leak cfid when reconnect races with open_cached_dir<br /> <br /> open_cached_dir() may either race with the tcon reconnection even before<br /> compound_send_recv() or directly trigger a reconnection via<br /> SMB2_open_init() or SMB_query_info_init().<br /> <br /> The reconnection process invokes invalidate_all_cached_dirs() via<br /> cifs_mark_open_files_invalid(), which removes all cfids from the<br /> cfids-&gt;entries list but doesn&amp;#39;t drop a ref if has_lease isn&amp;#39;t true. This<br /> results in the currently-being-constructed cfid not being on the list,<br /> but still having a refcount of 2. It leaks if returned from<br /> open_cached_dir().<br /> <br /> Fix this by setting cfid-&gt;has_lease when the ref is actually taken; the<br /> cfid will not be used by other threads until it has a valid time.<br /> <br /> Addresses these kmemleaks:<br /> <br /> unreferenced object 0xffff8881090c4000 (size 1024):<br /> comm "bash", pid 1860, jiffies 4295126592<br /> hex dump (first 32 bytes):<br /> 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........".......<br /> 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O.....<br /> backtrace (crc 6f58c20f):<br /> [] __kmalloc_cache_noprof+0x2be/0x350<br /> [] open_cached_dir+0x993/0x1fb0<br /> [] cifs_readdir+0x15a0/0x1d50<br /> [] iterate_dir+0x28f/0x4b0<br /> [] __x64_sys_getdents64+0xfd/0x200<br /> [] do_syscall_64+0x95/0x1a0<br /> [] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> unreferenced object 0xffff8881044fdcf8 (size 8):<br /> comm "bash", pid 1860, jiffies 4295126592<br /> hex dump (first 8 bytes):<br /> 00 cc cc cc cc cc cc cc ........<br /> backtrace (crc 10c106a9):<br /> [] __kmalloc_node_track_caller_noprof+0x363/0x480<br /> [] kstrdup+0x36/0x60<br /> [] open_cached_dir+0x9b0/0x1fb0<br /> [] cifs_readdir+0x15a0/0x1d50<br /> [] iterate_dir+0x28f/0x4b0<br /> [] __x64_sys_getdents64+0xfd/0x200<br /> [] do_syscall_64+0x95/0x1a0<br /> [] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> And addresses these BUG splats when unmounting the SMB filesystem:<br /> <br /> BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]<br /> WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100<br /> Modules linked in:<br /> CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49<br /> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020<br /> RIP: 0010:umount_check+0xd0/0x100<br /> Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41<br /> RSP: 0018:ffff88811cc27978 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae<br /> RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40<br /> RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3<br /> R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08<br /> R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0<br /> FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> d_walk+0x6a/0x530<br /> shrink_dcache_for_umount+0x6a/0x200<br /> generic_shutdown_super+0x52/0x2a0<br /> kill_anon_super+0x22/0x40<br /> cifs_kill_sb+0x159/0x1e0<br /> deactivate_locked_super+0x66/0xe0<br /> cleanup_mnt+0x140/0x210<br /> task_work_run+0xfb/0x170<br /> syscall_exit_to_user_mode+0x29f/0x2b0<br /> do_syscall_64+0xa1/0x1a0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7f23bfb93ae7<br /> Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 <br /> ---truncated---