linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-28 03:40:04 +00:00

History

Ronnie Sahlberg e208668ef7 cifs: fix double free race when mount fails in cifs_get_root() [ Upstream commit `3d6cc9898e` ] When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time. [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0 [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 [Thu Feb 10 12:59:06 2022] Call Trace: [Thu Feb 10 12:59:06 2022] <IRQ> [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78 [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150 [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117 [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0 [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0 [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0 [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20 [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140 [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10 [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150 [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30 [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0 ... [Thu Feb 10 12:59:07 2022] Freed by task 58179: [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30 [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40 [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170 [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20 [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0 [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520 [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae [Thu Feb 10 12:59:07 2022] Last potentially related work creation: [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0 [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10 [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0 [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0 [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae Reported-by: Shyam Prasad N <sprasad@microsoft.com> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-03-08 19:07:45 +01:00
..
asn1.c	cifs: remove bogus debug code	2020-10-29 09:57:28 +01:00
cache.c
cifs_debug.c	cifs: Don't display RDMA transport on reconnect	2019-12-21 11:04:43 +01:00
cifs_debug.h
cifs_dfs_ref.c	cifs: prevent NULL deref in cifs_compose_mount_options()	2021-07-25 14:35:13 +02:00
cifs_fs_sb.h
cifs_ioctl.h	smb3: allow decryption keys to be dumped by admin for debugging	2019-09-21 06:02:26 -05:00
cifs_spnego.c
cifs_spnego.h
cifs_unicode.c	CIFS: Fix a potencially linear read overflow	2021-09-15 09:47:36 +02:00
cifs_unicode.h
cifs_uniupr.h
cifsacl.c	cifs: fix a memleak with modefromsid	2020-12-02 08:49:45 +01:00
cifsacl.h	smb3: missing ACL related flags	2019-09-26 16:37:43 -05:00
cifsencrypt.c
cifsfs.c	cifs: fix double free race when mount fails in cifs_get_root()	2022-03-08 19:07:45 +01:00
cifsfs.h	cifs: update internal module version number	2019-09-16 19:18:39 -05:00
cifsglob.h	cifs: fix missing spinlock around update to ses->status	2021-07-14 16:53:19 +02:00
cifspdu.h
cifsproto.h	cifs: fix rename() by ensuring source handle opened with DELETE bit	2020-03-12 13:00:18 +01:00
cifsroot.c	cifs: cifsroot: add more err checking	2019-09-16 11:43:39 -05:00
cifssmb.c	cifs: fix leaked reference on requeued write	2020-05-20 08:20:34 +02:00
connect.c	cifs: fix incorrect check for null pointer in header_assemble	2021-09-30 10:09:21 +02:00
dfs_cache.c	cifs: fix unitialized variable poential problem with network I/O cache lock patch	2020-02-24 08:36:58 +01:00
dfs_cache.h
dir.c	cifs: report error instead of invalid when revalidating a dentry fails	2021-02-10 09:25:30 +01:00
dns_resolve.c
dns_resolve.h
export.c
file.c	smb3: do not error on fsync when readonly	2021-12-01 09:23:34 +01:00
fscache.c
fscache.h
inode.c	cifs: handle -EINTR in cifs_setattr	2020-11-05 11:43:21 +01:00
ioctl.c	smb3: allow decryption keys to be dumped by admin for debugging	2019-09-21 06:02:26 -05:00
Kconfig	various cifs/smb3 fixes (including for share deleted cases) and features including improved encrypted read performance, and various debugging improvements	2019-09-19 10:32:16 -07:00
link.c
Makefile
misc.c	CIFS: Properly process SMB3 lease breaks	2020-10-01 13:17:21 +02:00
netmisc.c	fs: cifs: mute -Wunused-const-variable message	2019-10-06 22:04:35 -05:00
nterr.c
nterr.h
ntlmssp.h
readdir.c
rfc1002pdu.h
sess.c	cifs: fix wrong release in sess_alloc_buffer() failed path	2021-09-22 12:26:35 +02:00
smb1ops.c	CIFS: Properly process SMB3 lease breaks	2020-10-01 13:17:21 +02:00
smb2file.c	cifs: Adjust indentation in smb2_open_file	2020-01-17 19:48:27 +01:00
smb2glob.h
smb2inode.c	cifs: fix rename() by ensuring source handle opened with DELETE bit	2020-03-12 13:00:18 +01:00
smb2maperror.c
smb2misc.c	cifs: Silently ignore unknown oplock break handle	2021-04-10 13:34:31 +02:00
smb2ops.c	cifs: fix the out of range assignment to bit fields in parse_server_interfaces	2021-07-31 08:19:38 +02:00
smb2pdu.c	SMB3: incorrect file id in requests compounded with open	2021-06-03 08:59:12 +02:00
smb2pdu.h	smb3: Fix out-of-bounds bug in SMB2_negotiate()	2021-02-10 09:25:30 +01:00
smb2proto.h	smb3: remove unused flag passed into close functions	2021-01-19 18:26:13 +01:00
smb2status.h
smb2transport.c	CIFS: Fix task struct use-after-free on reconnect	2020-02-01 09:34:37 +00:00
smbdirect.c	cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state	2019-12-21 11:04:43 +01:00
smbdirect.h
smbencrypt.c
smberr.h
smbfsctl.h	smb3: Add missing reparse tags	2019-09-24 23:31:32 -05:00
trace.c
trace.h	smb3: add missing worker function for SMB3 change notify	2019-09-16 11:43:39 -05:00
transport.c	cifs: change noisy error message to FYI	2021-03-30 14:35:21 +02:00
winucase.c
xattr.c	CIFS: fix max ea value size	2019-09-23 23:28:59 -05:00