mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-23 17:30:02 +00:00
Code Issues Releases Wiki Activity
linux-stable/fs/cifs
History
Ronnie Sahlberg 147a0e71cc cifs: fix double free race when mount fails in cifs_get_root() 
[ Upstream commit 3d6cc9898e ]

When cifs_get_root() fails during cifs_smb3_do_mount() we call
deactivate_locked_super() which eventually will call delayed_free() which
will free the context.
In this situation we should not proceed to enter the out: section in
cifs_smb3_do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           OE     5.17.0-rc3+ #4
[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
[Thu Feb 10 12:59:06 2022] Call Trace:
[Thu Feb 10 12:59:06 2022]  <IRQ>
[Thu Feb 10 12:59:06 2022]  dump_stack_lvl+0x5d/0x78
[Thu Feb 10 12:59:06 2022]  print_address_description.constprop.0+0x24/0x150
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  kasan_report.cold+0x7d/0x117
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  __asan_load8+0x86/0xa0
[Thu Feb 10 12:59:06 2022]  rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  rcu_core+0x547/0xca0
[Thu Feb 10 12:59:06 2022]  ? call_rcu+0x3c0/0x3c0
[Thu Feb 10 12:59:06 2022]  ? __this_cpu_preempt_check+0x13/0x20
[Thu Feb 10 12:59:06 2022]  ? lock_is_held_type+0xea/0x140
[Thu Feb 10 12:59:06 2022]  rcu_core_si+0xe/0x10
[Thu Feb 10 12:59:06 2022]  __do_softirq+0x1d4/0x67b
[Thu Feb 10 12:59:06 2022]  __irq_exit_rcu+0x100/0x150
[Thu Feb 10 12:59:06 2022]  irq_exit_rcu+0xe/0x30
[Thu Feb 10 12:59:06 2022]  sysvec_hyperv_stimer0+0x9d/0xc0
...
[Thu Feb 10 12:59:07 2022] Freed by task 58179:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  kasan_set_track+0x25/0x30
[Thu Feb 10 12:59:07 2022]  kasan_set_free_info+0x24/0x40
[Thu Feb 10 12:59:07 2022]  ____kasan_slab_free+0x137/0x170
[Thu Feb 10 12:59:07 2022]  __kasan_slab_free+0x12/0x20
[Thu Feb 10 12:59:07 2022]  slab_free_freelist_hook+0xb3/0x1d0
[Thu Feb 10 12:59:07 2022]  kfree+0xcd/0x520
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0x149/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  __kasan_record_aux_stack+0xb6/0xc0
[Thu Feb 10 12:59:07 2022]  kasan_record_aux_stack_noalloc+0xb/0x10
[Thu Feb 10 12:59:07 2022]  call_rcu+0x76/0x3c0
[Thu Feb 10 12:59:07 2022]  cifs_umount+0xce/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  cifs_kill_sb+0xc8/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  deactivate_locked_super+0x5d/0xd0
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-03-08 19:01:55 +01:00
..
asn1.c cifs: remove bogus debug code 2020-10-29 09:07:00 +01:00
cache.c fscache: remove unused ->now_uncached callback 2017-09-06 17:27:26 -07:00
cifs_debug.c smb3: allow stats which track session and share reconnects to be reset 2018-11-13 11:15:09 -08:00
cifs_debug.h
cifs_dfs_ref.c cifs: use correct format characters 2019-04-05 22:31:28 +02:00
cifs_fs_sb.h cifs: Convert to separately allocated bdi 2017-04-20 12:09:55 -06:00
cifs_ioctl.h
cifs_spnego.c smb3: on kerberos mount if server doesn't specify auth type use krb5 2018-11-13 11:15:09 -08:00
cifs_spnego.h
cifs_unicode.c CIFS: Fix a potencially linear read overflow 2021-09-22 11:45:22 +02:00
cifs_unicode.h [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_uniupr.h
cifsacl.c cifs: Fix mode output in debugging statements 2020-03-11 18:02:46 +01:00
cifsacl.h cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-26 08:06:31 +08:00
cifsencrypt.c CIFS: fix sha512 check in cifs_crypto_secmech_release 2018-04-24 09:36:27 +02:00
cifsfs.c cifs: fix double free race when mount fails in cifs_get_root() 2022-03-08 19:01:55 +01:00
cifsfs.h Update version of cifs module 2017-09-17 23:10:48 -05:00
cifsglob.h CIFS: Properly process SMB3 lease breaks 2020-10-01 13:12:30 +02:00
cifspdu.h CIFS: move DFS response parsing out of SMB1 code 2017-03-01 22:26:10 -06:00
cifsproto.h cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs 2019-11-10 11:25:19 +01:00
cifssmb.c CIFS: Fix credits calculations for reads with errors 2019-01-31 08:13:44 +01:00
connect.c cifs: fix incorrect check for null pointer in header_assemble 2021-10-06 15:05:04 +02:00
dir.c cifs: report error instead of invalid when revalidating a dentry fails 2021-02-10 09:12:09 +01:00
dns_resolve.c
dns_resolve.h
export.c
file.c cifs: revalidate mapping when we open files for SMB1 POSIX 2021-04-10 13:20:11 +02:00
fscache.c
fscache.h
inode.c Revert "cifs: Fix the target file was deleted when rename failed." 2020-07-29 07:42:56 +02:00
ioctl.c [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
Kconfig cifs: allow disabling insecure dialects in the config 2019-01-26 09:37:07 +01:00
link.c smb3: don't request leases in symlink creation and query 2018-09-05 09:26:33 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
misc.c CIFS: Properly process SMB3 lease breaks 2020-10-01 13:12:30 +02:00
netmisc.c fs: cifs: mute -Wunused-const-variable message 2019-11-06 12:43:10 +01:00
nterr.c
nterr.h
ntlmssp.h
readdir.c cifs: check ntwrk_buf_start for NULL before dereferencing it 2019-02-12 19:46:08 +01:00
rfc1002pdu.h
sess.c cifs: fix wrong release in sess_alloc_buffer() failed path 2021-09-22 11:45:31 +02:00
smb1ops.c CIFS: Properly process SMB3 lease breaks 2020-10-01 13:12:30 +02:00
smb2file.c cifs: Adjust indentation in smb2_open_file 2020-01-17 19:45:45 +01:00
smb2glob.h CIFS: Separate SMB2 header structure 2017-02-01 16:46:34 -06:00
smb2inode.c smb3: Do not send SMB3 SET_INFO if nothing changed 2018-09-05 09:26:33 +02:00
smb2maperror.c SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write 2019-06-25 11:36:54 +08:00
smb2misc.c cifs: Silently ignore unknown oplock break handle 2021-04-10 13:20:11 +02:00
smb2ops.c cifs: fix memory leak in smb2_copychunk_range 2021-05-26 11:46:58 +02:00
smb2pdu.c SMB3: incorrect file id in requests compounded with open 2021-06-03 08:36:22 +02:00
smb2pdu.h smb3: Fix out-of-bounds bug in SMB2_negotiate() 2021-02-10 09:12:09 +01:00
smb2proto.h CIFS: add sha512 secmech 2018-04-24 09:36:27 +02:00
smb2status.h
smb2transport.c cifs: Fix use after free of a mid_q_entry 2018-07-11 16:29:15 +02:00
smbencrypt.c CIFS: refactor crypto shash/sdesc allocation&free 2018-04-24 09:36:27 +02:00
smberr.h
smbfsctl.h
transport.c CIFS: Do not hide EINTR after sending network packets 2019-01-16 22:07:10 +01:00
winucase.c
xattr.c CIFS: fix max ea value size 2019-10-05 12:48:12 +02:00