<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/cifs, branch linux-4.3.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mm, fs: obey gfp_mapping for add_to_page_cache()</title>
<updated>2015-10-16T18:42:28+00:00</updated>
<author>
<name>Michal Hocko</name>
<email>mhocko@suse.com</email>
</author>
<published>2015-10-15T22:28:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=063d99b4fa762cbae9324dbbf9b6bff4b3a8cfdc'/>
<id>063d99b4fa762cbae9324dbbf9b6bff4b3a8cfdc</id>
<content type='text'>
Commit 6afdb859b710 ("mm: do not ignore mapping_gfp_mask in page cache
allocation paths") has caught some users of hardcoded GFP_KERNEL used in
the page cache allocation paths.  This, however, wasn't complete and
there were others which went unnoticed.

Dave Chinner has reported the following deadlock for xfs on loop device:
: With the recent merge of the loop device changes, I'm now seeing
: XFS deadlock on my single CPU, 1GB RAM VM running xfs/073.
:
: The deadlocked is as follows:
:
: kloopd1: loop_queue_read_work
:       xfs_file_iter_read
:       lock XFS inode XFS_IOLOCK_SHARED (on image file)
:       page cache read (GFP_KERNEL)
:       radix tree alloc
:       memory reclaim
:       reclaim XFS inodes
:       log force to unpin inodes
:       &lt;wait for log IO completion&gt;
:
: xfs-cil/loop1: &lt;does log force IO work&gt;
:       xlog_cil_push
:       xlog_write
:       &lt;loop issuing log writes&gt;
:               xlog_state_get_iclog_space()
:               &lt;blocks due to all log buffers under write io&gt;
:               &lt;waits for IO completion&gt;
:
: kloopd1: loop_queue_write_work
:       xfs_file_write_iter
:       lock XFS inode XFS_IOLOCK_EXCL (on image file)
:       &lt;wait for inode to be unlocked&gt;
:
: i.e. the kloopd, with it's split read and write work queues, has
: introduced a dependency through memory reclaim. i.e. that writes
: need to be able to progress for reads make progress.
:
: The problem, fundamentally, is that mpage_readpages() does a
: GFP_KERNEL allocation, rather than paying attention to the inode's
: mapping gfp mask, which is set to GFP_NOFS.
:
: The didn't used to happen, because the loop device used to issue
: reads through the splice path and that does:
:
:       error = add_to_page_cache_lru(page, mapping, index,
:                       GFP_KERNEL &amp; mapping_gfp_mask(mapping));

This has changed by commit aa4d86163e4 ("block: loop: switch to VFS
ITER_BVEC").

This patch changes mpage_readpage{s} to follow gfp mask set for the
mapping.  There are, however, other places which are doing basically the
same.

lustre:ll_dir_filler is doing GFP_KERNEL from the function which
apparently uses GFP_NOFS for other allocations so let's make this
consistent.

cifs:readpages_get_pages is called from cifs_readpages and
__cifs_readpages_from_fscache called from the same path obeys mapping
gfp.

ramfs_nommu_expand_for_mapping is hardcoding GFP_KERNEL as well
regardless it uses mapping_gfp_mask for the page allocation.

ext4_mpage_readpages is the called from the page cache allocation path
same as read_pages and read_cache_pages

As I've noticed in my previous post I cannot say I would be happy about
sprinkling mapping_gfp_mask all over the place and it sounds like we
should drop gfp_mask argument altogether and use it internally in
__add_to_page_cache_locked that would require all the filesystems to use
mapping gfp consistently which I am not sure is the case here.  From a
quick glance it seems that some file system use it all the time while
others are selective.

Signed-off-by: Michal Hocko &lt;mhocko@suse.com&gt;
Reported-by: Dave Chinner &lt;david@fromorbit.com&gt;
Cc: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
Cc: Ming Lei &lt;ming.lei@canonical.com&gt;
Cc: Andreas Dilger &lt;andreas.dilger@intel.com&gt;
Cc: Oleg Drokin &lt;oleg.drokin@intel.com&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit 6afdb859b710 ("mm: do not ignore mapping_gfp_mask in page cache
allocation paths") has caught some users of hardcoded GFP_KERNEL used in
the page cache allocation paths.  This, however, wasn't complete and
there were others which went unnoticed.

Dave Chinner has reported the following deadlock for xfs on loop device:
: With the recent merge of the loop device changes, I'm now seeing
: XFS deadlock on my single CPU, 1GB RAM VM running xfs/073.
:
: The deadlocked is as follows:
:
: kloopd1: loop_queue_read_work
:       xfs_file_iter_read
:       lock XFS inode XFS_IOLOCK_SHARED (on image file)
:       page cache read (GFP_KERNEL)
:       radix tree alloc
:       memory reclaim
:       reclaim XFS inodes
:       log force to unpin inodes
:       &lt;wait for log IO completion&gt;
:
: xfs-cil/loop1: &lt;does log force IO work&gt;
:       xlog_cil_push
:       xlog_write
:       &lt;loop issuing log writes&gt;
:               xlog_state_get_iclog_space()
:               &lt;blocks due to all log buffers under write io&gt;
:               &lt;waits for IO completion&gt;
:
: kloopd1: loop_queue_write_work
:       xfs_file_write_iter
:       lock XFS inode XFS_IOLOCK_EXCL (on image file)
:       &lt;wait for inode to be unlocked&gt;
:
: i.e. the kloopd, with it's split read and write work queues, has
: introduced a dependency through memory reclaim. i.e. that writes
: need to be able to progress for reads make progress.
:
: The problem, fundamentally, is that mpage_readpages() does a
: GFP_KERNEL allocation, rather than paying attention to the inode's
: mapping gfp mask, which is set to GFP_NOFS.
:
: The didn't used to happen, because the loop device used to issue
: reads through the splice path and that does:
:
:       error = add_to_page_cache_lru(page, mapping, index,
:                       GFP_KERNEL &amp; mapping_gfp_mask(mapping));

This has changed by commit aa4d86163e4 ("block: loop: switch to VFS
ITER_BVEC").

This patch changes mpage_readpage{s} to follow gfp mask set for the
mapping.  There are, however, other places which are doing basically the
same.

lustre:ll_dir_filler is doing GFP_KERNEL from the function which
apparently uses GFP_NOFS for other allocations so let's make this
consistent.

cifs:readpages_get_pages is called from cifs_readpages and
__cifs_readpages_from_fscache called from the same path obeys mapping
gfp.

ramfs_nommu_expand_for_mapping is hardcoding GFP_KERNEL as well
regardless it uses mapping_gfp_mask for the page allocation.

ext4_mpage_readpages is the called from the page cache allocation path
same as read_pages and read_cache_pages

As I've noticed in my previous post I cannot say I would be happy about
sprinkling mapping_gfp_mask all over the place and it sounds like we
should drop gfp_mask argument altogether and use it internally in
__add_to_page_cache_locked that would require all the filesystems to use
mapping gfp consistently which I am not sure is the case here.  From a
quick glance it seems that some file system use it all the time while
others are selective.

Signed-off-by: Michal Hocko &lt;mhocko@suse.com&gt;
Reported-by: Dave Chinner &lt;david@fromorbit.com&gt;
Cc: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
Cc: Ming Lei &lt;ming.lei@canonical.com&gt;
Cc: Andreas Dilger &lt;andreas.dilger@intel.com&gt;
Cc: Oleg Drokin &lt;oleg.drokin@intel.com&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[CIFS] Update cifs version number</title>
<updated>2015-10-03T21:54:17+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-10-03T21:54:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=616a5399b8f11a526cedcbaeb68bc0a1b08a3f43'/>
<id>616a5399b8f11a526cedcbaeb68bc0a1b08a3f43</id>
<content type='text'>
Update modinfo cifs.ko version number to 2.08

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Update modinfo cifs.ko version number to 2.08

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SMB3] Do not fall back to SMBWriteX in set_file_size error cases</title>
<updated>2015-10-02T03:48:37+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-09-28T22:21:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=646200a041203f440fb6fcf9cacd9efeda9de74c'/>
<id>646200a041203f440fb6fcf9cacd9efeda9de74c</id>
<content type='text'>
The error paths in set_file_size for cifs and smb3 are incorrect.

In the unlikely event that a server did not support set file info
of the file size, the code incorrectly falls back to trying SMBWriteX
(note that only the original core SMB Write, used for example by DOS,
can set the file size this way - this actually  does not work for the more
recent SMBWriteX).  The idea was since the old DOS SMB Write could set
the file size if you write zero bytes at that offset then use that if
server rejects the normal set file info call.

Fortunately the SMBWriteX will never be sent on the wire (except when
file size is zero) since the length and offset fields were reversed
in the two places in this function that call SMBWriteX causing
the fall back path to return an error. It is also important to never call
an SMB request from an SMB2/sMB3 session (which theoretically would
be possible, and can cause a brief session drop, although the client
recovers) so this should be fixed.  In practice this path does not happen
with modern servers but the error fall back to SMBWriteX is clearly wrong.

Removing the calls to SMBWriteX in the error paths in cifs_set_file_size

Pointed out by PaX/grsecurity team

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
Reported-by: PaX Team &lt;pageexec@freemail.hu&gt;
CC: Emese Revfy &lt;re.emese@gmail.com&gt;
CC: Brad Spengler &lt;spender@grsecurity.net&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The error paths in set_file_size for cifs and smb3 are incorrect.

In the unlikely event that a server did not support set file info
of the file size, the code incorrectly falls back to trying SMBWriteX
(note that only the original core SMB Write, used for example by DOS,
can set the file size this way - this actually  does not work for the more
recent SMBWriteX).  The idea was since the old DOS SMB Write could set
the file size if you write zero bytes at that offset then use that if
server rejects the normal set file info call.

Fortunately the SMBWriteX will never be sent on the wire (except when
file size is zero) since the length and offset fields were reversed
in the two places in this function that call SMBWriteX causing
the fall back path to return an error. It is also important to never call
an SMB request from an SMB2/sMB3 session (which theoretically would
be possible, and can cause a brief session drop, although the client
recovers) so this should be fixed.  In practice this path does not happen
with modern servers but the error fall back to SMBWriteX is clearly wrong.

Removing the calls to SMBWriteX in the error paths in cifs_set_file_size

Pointed out by PaX/grsecurity team

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
Reported-by: PaX Team &lt;pageexec@freemail.hu&gt;
CC: Emese Revfy &lt;re.emese@gmail.com&gt;
CC: Brad Spengler &lt;spender@grsecurity.net&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SMB3] Missing null tcon check</title>
<updated>2015-09-26T14:48:58+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-09-26T14:48:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ff9f84b7d79ddccab4c293c9d3e289f95ae594f7'/>
<id>ff9f84b7d79ddccab4c293c9d3e289f95ae594f7</id>
<content type='text'>
Pointed out by Dan Carpenter via smatch code analysis tool

CC: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pointed out by Dan Carpenter via smatch code analysis tool

CC: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fix encryption error checks on mount</title>
<updated>2015-09-24T05:53:31+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-09-22T08:16:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=88627148400e37b4bff197285d348fc05c9de013'/>
<id>88627148400e37b4bff197285d348fc05c9de013</id>
<content type='text'>
Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[SMB3] Fix sec=krb5 on smb3 mounts</title>
<updated>2015-09-24T05:52:37+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-09-24T05:52:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ceb1b0b9b4d1089e9f2731a314689ae17784c861'/>
<id>ceb1b0b9b4d1089e9f2731a314689ae17784c861</id>
<content type='text'>
Kerberos, which is very important for security, was only enabled for
CIFS not SMB2/SMB3 mounts (e.g. vers=3.0)

Patch based on the information detailed in
http://thread.gmane.org/gmane.linux.kernel.cifs/10081/focus=10307
to enable Kerberized SMB2/SMB3

a) SMB2_negotiate: enable/use decode_negTokenInit in SMB2_negotiate
b) SMB2_sess_setup: handle Kerberos sectype and replicate Kerberos
   SMB1 processing done in sess_auth_kerberos

Signed-off-by: Noel Power &lt;noel.power@suse.com&gt;
Signed-off-by: Jim McDonough &lt;jmcd@samba.org&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Kerberos, which is very important for security, was only enabled for
CIFS not SMB2/SMB3 mounts (e.g. vers=3.0)

Patch based on the information detailed in
http://thread.gmane.org/gmane.linux.kernel.cifs/10081/focus=10307
to enable Kerberized SMB2/SMB3

a) SMB2_negotiate: enable/use decode_negTokenInit in SMB2_negotiate
b) SMB2_sess_setup: handle Kerberos sectype and replicate Kerberos
   SMB1 processing done in sess_auth_kerberos

Signed-off-by: Noel Power &lt;noel.power@suse.com&gt;
Signed-off-by: Jim McDonough &lt;jmcd@samba.org&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: use server timestamp for ntlmv2 authentication</title>
<updated>2015-09-22T20:24:02+00:00</updated>
<author>
<name>Peter Seiderer</name>
<email>ps.report@gmx.net</email>
</author>
<published>2015-09-17T19:40:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=98ce94c8df762d413b3ecb849e2b966b21606d04'/>
<id>98ce94c8df762d413b3ecb849e2b966b21606d04</id>
<content type='text'>
Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
10.10.5) share fails in case the clocks differ more than +/-2h:

digest-service: digest-request: od failed with 2 proto=ntlmv2
digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2

Fix this by (re-)using the given server timestamp for the
ntlmv2 authentication (as Windows 7 does).

A related problem was also reported earlier by Namjae Jaen (see below):

Windows machine has extended security feature which refuse to allow
authentication when there is time difference between server time and
client time when ntlmv2 negotiation is used. This problem is prevalent
in embedded enviornment where system time is set to default 1970.

Modern servers send the server timestamp in the TargetInfo Av_Pair
structure in the challenge message [see MS-NLMP 2.2.2.1]
In [MS-NLMP 3.1.5.1.2] it is explicitly mentioned that the client must
use the server provided timestamp if present OR current time if it is
not

Reported-by: Namjae Jeon &lt;namjae.jeon@samsung.com&gt;
Signed-off-by: Peter Seiderer &lt;ps.report@gmx.net&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
10.10.5) share fails in case the clocks differ more than +/-2h:

digest-service: digest-request: od failed with 2 proto=ntlmv2
digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2

Fix this by (re-)using the given server timestamp for the
ntlmv2 authentication (as Windows 7 does).

A related problem was also reported earlier by Namjae Jaen (see below):

Windows machine has extended security feature which refuse to allow
authentication when there is time difference between server time and
client time when ntlmv2 negotiation is used. This problem is prevalent
in embedded enviornment where system time is set to default 1970.

Modern servers send the server timestamp in the TargetInfo Av_Pair
structure in the challenge message [see MS-NLMP 2.2.2.1]
In [MS-NLMP 3.1.5.1.2] it is explicitly mentioned that the client must
use the server provided timestamp if present OR current time if it is
not

Reported-by: Namjae Jeon &lt;namjae.jeon@samsung.com&gt;
Signed-off-by: Peter Seiderer &lt;ps.report@gmx.net&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>disabling oplocks/leases via module parm enable_oplocks broken for SMB3</title>
<updated>2015-09-22T20:23:57+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-09-22T14:29:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e0ddde9d44e37fbc21ce893553094ecf1a633ab5'/>
<id>e0ddde9d44e37fbc21ce893553094ecf1a633ab5</id>
<content type='text'>
leases (oplocks) were always requested for SMB2/SMB3 even when oplocks
disabled in the cifs.ko module.

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
Reviewed-by: Chandrika Srinivasan &lt;chandrika.srinivasan@citrix.com&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
leases (oplocks) were always requested for SMB2/SMB3 even when oplocks
disabled in the cifs.ko module.

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
Reviewed-by: Chandrika Srinivasan &lt;chandrika.srinivasan@citrix.com&gt;
CC: Stable &lt;stable@vger.kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[CIFS] mount option sec=none not displayed properly in /proc/mounts</title>
<updated>2015-09-12T00:37:06+00:00</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2015-09-12T00:24:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eda2116f4ab6d79cfcffc202b5d2bbb0797ba013'/>
<id>eda2116f4ab6d79cfcffc202b5d2bbb0797ba013</id>
<content type='text'>
When the user specifies "sec=none" in a cifs mount, we set
sec_type as unspecified (and set a flag and the username will be
null) rather than setting sectype as "none" so
cifs_show_security was not properly displaying it in
cifs /proc/mounts entries.

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@poochiereds.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the user specifies "sec=none" in a cifs mount, we set
sec_type as unspecified (and set a flag and the username will be
null) rather than setting sectype as "none" so
cifs_show_security was not properly displaying it in
cifs /proc/mounts entries.

Signed-off-by: Steve French &lt;steve.french@primarydata.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@poochiereds.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: fix type confusion in copy offload ioctl</title>
<updated>2015-09-11T14:54:03+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jann@thejh.net</email>
</author>
<published>2015-09-11T14:27:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4c17a6d56bb0cad3066a714e94f7185a24b40f49'/>
<id>4c17a6d56bb0cad3066a714e94f7185a24b40f49</id>
<content type='text'>
This might lead to local privilege escalation (code execution as
kernel) for systems where the following conditions are met:

 - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
 - a cifs filesystem is mounted where:
  - the mount option "vers" was used and set to a value &gt;=2.0
  - the attacker has write access to at least one file on the filesystem

To attack this, an attacker would have to guess the target_tcon
pointer (but guessing wrong doesn't cause a crash, it just returns an
error code) and win a narrow race.

CC: Stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Jann Horn &lt;jann@thejh.net&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This might lead to local privilege escalation (code execution as
kernel) for systems where the following conditions are met:

 - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
 - a cifs filesystem is mounted where:
  - the mount option "vers" was used and set to a value &gt;=2.0
  - the attacker has write access to at least one file on the filesystem

To attack this, an attacker would have to guess the target_tcon
pointer (but guessing wrong doesn't cause a crash, it just returns an
error code) and win a narrow race.

CC: Stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Jann Horn &lt;jann@thejh.net&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
