In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix use-after-free in rdata->readintopages()
When the network status is unstable, use-after-free may occur when read data from the server.
BUG: KASAN: use-after-free in readpagesfillpages+0x14c/0x7e0
Call Trace: <TASK> dumpstacklvl+0x38/0x4c printreport+0x16f/0x4a6 kasanreport+0xb7/0x130 readpagesfillpages+0x14c/0x7e0 cifsreadvreceive+0x46d/0xa40 cifsdemultiplexthread+0x121c/0x1490 kthread+0x16b/0x1a0 retfromfork+0x2c/0x50 </TASK>
Allocated by task 2535: kasansavestack+0x22/0x50 kasansettrack+0x25/0x30 _kasankmalloc+0x82/0x90 cifsreaddatadirectalloc+0x2c/0x110 cifsreaddataalloc+0x2d/0x60 cifsreadahead+0x393/0xfe0 readpages+0x12f/0x470 pagecacheraunbounded+0x1b1/0x240 filemapgetpages+0x1c8/0x9a0 filemapread+0x1c0/0x540 cifsstrictreadv+0x21b/0x240 vfsread+0x395/0x4b0 ksysread+0xb8/0x150 dosyscall64+0x3f/0x90 entrySYSCALL64after_hwframe+0x72/0xdc
Freed by task 79: kasansavestack+0x22/0x50 kasansettrack+0x25/0x30 kasansavefreeinfo+0x2e/0x50 _kasanslabfree+0x10e/0x1a0 _kmemcachefree+0x7a/0x1a0 cifsreaddatarelease+0x49/0x60 processonework+0x46c/0x760 workerthread+0x2a4/0x6f0 kthread+0x16b/0x1a0 retfromfork+0x2c/0x50
Last potentially related work creation: kasansavestack+0x22/0x50 _kasanrecordauxstack+0x95/0xb0 insertwork+0x2b/0x130 _queuework+0x1fe/0x660 queueworkon+0x4b/0x60 smb2readvcallback+0x396/0x800 cifsabortconnection+0x474/0x6a0 cifsreconnect+0x5cb/0xa50 cifsreadvfromsocket.cold+0x22/0x6c cifsreadpagefromsocket+0xc1/0x100 readpagesfillpages.cold+0x2f/0x46 cifsreadvreceive+0x46d/0xa40 cifsdemultiplexthread+0x121c/0x1490 kthread+0x16b/0x1a0 retfrom_fork+0x2c/0x50
The following function calls will cause UAF of the rdata pointer.
readpagesfillpages cifsreadpagefromsocket cifsreadvfromsocket cifsreconnect _cifsreconnect cifsabortconnection mid->callback() --> smb2readvcallback queuework(&rdata->work) # if the worker completes first, # the rdata is freed cifsreadvcomplete krefput cifsreaddatarelease kfree(rdata) return rdata->... # UAF in readpagesfillpages()
Similarly, this problem also occurs in the uncachefillpages().
Fix this by adjusts the order of condition judgment in the return statement.