github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-06 21:45:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
e2201ef32f
linux/fs/cifs
History
Ronnie Sahlberg df9db1a2af cifs: fix double free race when mount fails in cifs_get_root() 
[ Upstream commit 3d6cc9898e ]

When cifs_get_root() fails during cifs_smb3_do_mount() we call
deactivate_locked_super() which eventually will call delayed_free() which
will free the context.
In this situation we should not proceed to enter the out: section in
cifs_smb3_do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           OE     5.17.0-rc3+ #4
[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
[Thu Feb 10 12:59:06 2022] Call Trace:
[Thu Feb 10 12:59:06 2022]  <IRQ>
[Thu Feb 10 12:59:06 2022]  dump_stack_lvl+0x5d/0x78
[Thu Feb 10 12:59:06 2022]  print_address_description.constprop.0+0x24/0x150
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  kasan_report.cold+0x7d/0x117
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  __asan_load8+0x86/0xa0
[Thu Feb 10 12:59:06 2022]  rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  rcu_core+0x547/0xca0
[Thu Feb 10 12:59:06 2022]  ? call_rcu+0x3c0/0x3c0
[Thu Feb 10 12:59:06 2022]  ? __this_cpu_preempt_check+0x13/0x20
[Thu Feb 10 12:59:06 2022]  ? lock_is_held_type+0xea/0x140
[Thu Feb 10 12:59:06 2022]  rcu_core_si+0xe/0x10
[Thu Feb 10 12:59:06 2022]  __do_softirq+0x1d4/0x67b
[Thu Feb 10 12:59:06 2022]  __irq_exit_rcu+0x100/0x150
[Thu Feb 10 12:59:06 2022]  irq_exit_rcu+0xe/0x30
[Thu Feb 10 12:59:06 2022]  sysvec_hyperv_stimer0+0x9d/0xc0
...
[Thu Feb 10 12:59:07 2022] Freed by task 58179:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  kasan_set_track+0x25/0x30
[Thu Feb 10 12:59:07 2022]  kasan_set_free_info+0x24/0x40
[Thu Feb 10 12:59:07 2022]  ____kasan_slab_free+0x137/0x170
[Thu Feb 10 12:59:07 2022]  __kasan_slab_free+0x12/0x20
[Thu Feb 10 12:59:07 2022]  slab_free_freelist_hook+0xb3/0x1d0
[Thu Feb 10 12:59:07 2022]  kfree+0xcd/0x520
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0x149/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  __kasan_record_aux_stack+0xb6/0xc0
[Thu Feb 10 12:59:07 2022]  kasan_record_aux_stack_noalloc+0xb/0x10
[Thu Feb 10 12:59:07 2022]  call_rcu+0x76/0x3c0
[Thu Feb 10 12:59:07 2022]  cifs_umount+0xce/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  cifs_kill_sb+0xc8/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  deactivate_locked_super+0x5d/0xd0
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-03-08 19:09:29 +01:00
..
asn1.c cifs: remove bogus debug code 2020-10-22 12:17:52 -05:00
cache.c smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
cifs_debug.c cifs: Display local UID details for SMB sessions in DebugData 2020-07-01 19:38:19 -05:00
cifs_debug.h cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifs_dfs_ref.c cifs: prevent NULL deref in cifs_compose_mount_options() 2021-07-25 14:36:17 +02:00
cifs_fs_sb.h smb3: add mount option to allow RW caching of share accessed by only 1 client 2019-09-16 11:43:38 -05:00
cifs_ioctl.h cifs: add SMB3 change notification support 2020-02-06 09:14:28 -06:00
cifs_spnego.c cifs: switch servers depending on binding state 2019-11-25 01:16:30 -06:00
cifs_spnego.h
cifs_unicode.c CIFS: Fix a potencially linear read overflow 2021-09-15 09:50:43 +02:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c cifs: fix a memleak with modefromsid 2020-11-15 23:05:33 -06:00
cifsacl.h cifs: delete duplicated words in header files 2020-08-02 18:00:26 -05:00
cifsencrypt.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
cifsfs.c cifs: fix double free race when mount fails in cifs_get_root() 2022-03-08 19:09:29 +01:00
cifsfs.h cifs: update internal module version number 2020-10-23 23:41:49 -05:00
cifsglob.h cifs: fix missing spinlock around update to ses->status 2021-07-14 16:56:01 +02:00
cifspdu.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
cifsproto.h SMB3.1.1: Fix ids returned in POSIX query dir 2020-10-20 11:51:24 -05:00
cifsroot.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifssmb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
connect.c cifs: fix incorrect check for null pointer in header_assemble 2021-09-30 10:10:59 +02:00
dfs_cache.c cifs: check pointer before freeing 2021-01-19 18:27:19 +01:00
dfs_cache.h cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect 2020-08-02 18:00:26 -05:00
dir.c cifs: report error instead of invalid when revalidating a dentry fails 2021-02-10 09:29:17 +01:00
dns_resolve.c keys: Pass the network namespace into request_key mechanism 2019-06-27 23:02:12 +01:00
dns_resolve.h
export.c docs: fs: convert docs without extension to ReST 2019-07-31 13:31:05 -06:00
file.c smb3: do not error on fsync when readonly 2021-12-01 09:19:08 +01:00
fs_context.c cifs: move smb version mount options into fs_context.c 2020-10-22 12:17:31 -05:00
fs_context.h cifs: move smb version mount options into fs_context.c 2020-10-22 12:17:31 -05:00
fscache.c smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
fscache.h smb3: extend fscache mount volume coherency check 2020-06-06 11:16:25 -05:00
inode.c new helper: inode_wrong_type() 2021-09-08 08:49:01 +02:00
ioctl.c cifs: fix reference leak for tlink 2020-07-09 10:06:52 -05:00
Kconfig smb3: smbdirect support can be configured by default 2020-04-07 13:39:00 -05:00
link.c smb311: add support for using info level for posix extensions query 2020-06-12 08:54:12 -05:00
Makefile cifs: add files to host new mount api 2020-10-22 12:16:24 -05:00
misc.c Merge branch 'akpm' (patches from Andrew) 2020-08-07 11:39:33 -07:00
netmisc.c cifs`: handle ERRBaduid for SMB1 2020-08-02 18:00:25 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c SMB3: add support for recognizing WSL reparse tags 2020-10-22 12:17:59 -05:00
rfc1002pdu.h
sess.c cifs: fix wrong release in sess_alloc_buffer() failed path 2021-09-18 13:40:32 +02:00
smb1ops.c cifs: smb1: Try failing back to SetFileInfo if SetPathInfo fails 2020-08-02 18:00:25 -05:00
smb2file.c cifs: allow unlock flock and OFD lock across fork 2020-03-22 22:49:09 -05:00
smb2glob.h cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
smb2inode.c cifs: do not send close in compound create+close requests 2021-03-17 17:06:28 +01:00
smb2maperror.c cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES 2020-10-15 23:58:14 -05:00
smb2misc.c cifs: Silently ignore unknown oplock break handle 2021-04-10 13:36:10 +02:00
smb2ops.c smb3: rc uninitialized in one fallocate path 2021-08-12 13:22:20 +02:00
smb2pdu.c smb3: correct smb3 ACL security descriptor 2021-10-09 14:40:57 +02:00
smb2pdu.h smb3: Fix out-of-bounds bug in SMB2_negotiate() 2021-02-10 09:29:17 +01:00
smb2proto.h cifs: do not send close in compound create+close requests 2021-03-17 17:06:28 +01:00
smb2status.h cifs: don't use __constant_cpu_to_le32() 2019-05-07 23:24:54 -05:00
smb2transport.c cifs: Adjust key sizes and key generation routines for AES256 encryption 2021-03-30 14:32:07 +02:00
smbdirect.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
smbdirect.h cifs: smbd: Do not schedule work to send immediate packet on every receive 2020-04-07 12:41:16 -05:00
smbencrypt.c fs: cifs: move from the crypto cipher API to the new DES library interface 2019-08-22 14:57:34 +10:00
smberr.h
smbfsctl.h smb3: add some missing definitions from MS-FSCC 2020-10-23 15:38:10 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h smb3: add dynamic trace point to trace when credits obtained 2020-10-20 11:50:42 -05:00
transport.c cifs: change noisy error message to FYI 2021-03-30 14:31:50 +02:00
winucase.c Replace HTTP links with HTTPS ones: CIFS 2020-07-05 14:23:38 -06:00
xattr.c CIFS: Add support for setting owner info, dos attributes, and create time 2020-01-26 19:24:17 -06:00