From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ronnie Sahlberg <lsahlber@redhat.com>,
Shyam Prasad N <sprasad@microsoft.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>,
sfrench@samba.org, linux-cifs@vger.kernel.org,
samba-technical@lists.samba.org
Subject: [PATCH AUTOSEL 5.15 13/28] cifs: fix double free race when mount fails in cifs_get_root()
Date: Tue, 22 Feb 2022 21:29:14 -0500 [thread overview]
Message-ID: <20220223022929.241127-13-sashal@kernel.org> (raw)
In-Reply-To: <20220223022929.241127-1-sashal@kernel.org>
From: Ronnie Sahlberg <lsahlber@redhat.com>
[ Upstream commit 3d6cc9898efdfb062efb74dc18cfc700e082f5d5 ]
When cifs_get_root() fails during cifs_smb3_do_mount() we call
deactivate_locked_super() which eventually will call delayed_free() which
will free the context.
In this situation we should not proceed to enter the out: section in
cifs_smb3_do_mount() and free the same resources a second time.
[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0
[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4
[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
[Thu Feb 10 12:59:06 2022] Call Trace:
[Thu Feb 10 12:59:06 2022] <IRQ>
[Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78
[Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150
[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117
[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0
[Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0
[Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0
[Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20
[Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140
[Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10
[Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b
[Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150
[Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30
[Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0
...
[Thu Feb 10 12:59:07 2022] Freed by task 58179:
[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30
[Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40
[Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170
[Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20
[Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0
[Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520
[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae
[Thu Feb 10 12:59:07 2022] Last potentially related work creation:
[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0
[Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10
[Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0
[Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0
[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae
Reported-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/cifsfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 9fa930dfd78d6..21bf82fc22783 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -909,6 +909,7 @@ cifs_smb3_do_mount(struct file_system_type *fs_type,
out_super:
deactivate_locked_super(sb);
+ return root;
out:
if (cifs_sb) {
kfree(cifs_sb->prepath);
--
2.34.1
next prev parent reply other threads:[~2022-02-23 2:31 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-23 2:29 [PATCH AUTOSEL 5.15 01/28] mac80211_hwsim: report NOACK frames in tx_status Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 02/28] mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 03/28] i2c: bcm2835: Avoid clock stretching timeouts Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 04/28] ASoC: rt5668: do not block workqueue if card is unbound Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 05/28] ASoC: rt5682: " Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 06/28] regulator: core: fix false positive in regulator_late_cleanup() Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 07/28] Input: clear BTN_RIGHT/MIDDLE on buttonpads Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 08/28] btrfs: get rid of warning on transaction commit when using flushoncommit Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 09/28] KVM: arm64: vgic: Read HW interrupt pending state from the HW Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 10/28] block: loop:use kstatfs.f_bsize of backing file to set discard granularity Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 11/28] tipc: fix a bit overflow in tipc_crypto_key_rcv() Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 12/28] cifs: do not use uninitialized data in the owner/group sid Sasha Levin
2022-02-23 2:29 ` Sasha Levin [this message]
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 14/28] USB: zaurus: support another broken Zaurus Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 15/28] HID: amd_sfh: Handle amd_sfh work buffer in PM ops Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 16/28] HID: amd_sfh: Add functionality to clear interrupts Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 17/28] HID: amd_sfh: Add interrupt handler to process interrupts Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 18/28] cifs: modefromsids must add an ACE for authenticated users Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 19/28] selftests/seccomp: Fix seccomp failure by adding missing headers Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 20/28] drm/amd/pm: correct UMD pstate clocks for Dimgrey Cavefish and Beige Goby Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 21/28] selftests/ftrace: Do not trace do_softirq because of PREEMPT_RT Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 22/28] dmaengine: shdma: Fix runtime PM imbalance on error Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 23/28] i2c: cadence: allow COMPILE_TEST Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 24/28] i2c: imx: " Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 25/28] i2c: qup: " Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 26/28] CDC-NCM: avoid overflow in sanity checking Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 27/28] net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 Sasha Levin
2022-02-23 2:29 ` [PATCH AUTOSEL 5.15 28/28] block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220223022929.241127-13-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lsahlber@redhat.com \
--cc=samba-technical@lists.samba.org \
--cc=sfrench@samba.org \
--cc=sprasad@microsoft.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.