From: Salvatore Bonaccorso <carnil@debian.org>
To: gregkh@linuxfoundation.org, Paulo Alcantara <pc@manguebit.com>,
Steve French <stfrench@microsoft.com>,
Michael <mk-debian@galax.is>
Cc: stable@vger.kernel.org, regressions@lists.linux.dev,
linux-cifs@vger.kernel.org
Subject: backporting 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()") to older stable series (was: Re: FAILED: patch "[PATCH] smb: client: fix UAF in smb2_reconnect_server()" failed to apply to 6.1-stable tree)
Date: Sat, 30 Nov 2024 10:21:26 +0100
Message-ID: <Z0rZFrZ0Cz3LJEbI@eldamar.lan>
In-Reply-To: <2024040834-magazine-audience-8aa4@gregkh>
Hi Paulo, hi Steve,
On Mon, Apr 08, 2024 at 12:19:35PM +0200, gregkh@linuxfoundation.org wrote:
>
> The patch below does not apply to the 6.1-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
>
> To reproduce the conflict and resubmit, you may use the following commands:
>
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> git checkout FETCH_HEAD
> git cherry-pick -x 24a9799aa8efecd0eb55a75e35f9d8e6400063aa
> # <resolve conflicts, build, test, etc.>
> git commit -s
> git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024040834-magazine-audience-8aa4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
>
> Possible dependencies:
>
> 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()")
> 7257bcf3bdc7 ("cifs: cifs_chan_is_iface_active should be called with chan_lock held")
> 27e1fd343f80 ("cifs: after disabling multichannel, mark tcon for reconnect")
> fa1d0508bdd4 ("cifs: account for primary channel in the interface list")
> a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed")
> c37ed2d7d098 ("smb: client: remove extra @chan_count check in __cifs_put_smb_ses()")
> ff7d80a9f271 ("cifs: fix session state transition to avoid use-after-free issue")
> 38c8a9a52082 ("smb: move client and server files to common directory fs/smb")
> 943fb67b0902 ("cifs: missing lock when updating session status")
> bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects")
> 1bcd548d935a ("cifs: prevent data race in cifs_reconnect_tcon()")
> e77978de4765 ("cifs: update ip_addr for ses only for primary chan setup")
> 3c0070f54b31 ("cifs: prevent data race in smb2_reconnect()")
> 05844bd661d9 ("cifs: print last update time for interface list")
> 25cf01b7c920 ("cifs: set correct status of tcon ipc when reconnecting")
> abdb1742a312 ("cifs: get rid of mount options string parsing")
> 9fd29a5bae6e ("cifs: use fs_context for automounts")
In Debian we got a report that in a CIFS (DFS) infrastructure, at some
point after mounting, they are reproducibly able to trigger within a few
minutes a system hang with this trace:
CIFS: VFS: \\SOME.SERVER.FQDN cifs_put_smb_ses: Session Logoff failure rc=-11
CIFS: VFS: \\(null) cifs_put_smb_ses: Session Logoff failure rc=-11
list_del corruption, ffff966536fe7800->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:49!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 2498151 Comm: kworker/6:9 Tainted: G OE 6.1.0-23-amd64 #1 Debian 6.1.99-1
Hardware name: Dell Inc. PowerEdge R620/0KCKR5, BIOS 2.9.0 12/06/2019
Workqueue: events delayed_mntput
RIP: 0010:__list_del_entry_valid.cold+0xf/0x6f
Code: c7 c7 88 3c fa a0 e8 90 a0 fe ff 0f 0b 48 c7 c7 60 3c fa a0 e8 82 a0 fe ff 0f 0b 48 89 fe 48 c7 c7 70 3d fa a0 e8 71 a0 fe ff <0f> 0b 48 89 d1 48 c7 c7 90 3e fa a0 48 89 c2 e8 5d a0 fe ff 0f 0b
RSP: 0018:ffffad83a63f7dd0 EFLAGS: 00010246
RAX: 0000000000000033 RBX: ffff966536fe7800 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff965e7f8e03a0
RBP: 00000000142d66a6 R08: 0000000000000000 R09: ffffad83a63f7c68
R10: 0000000000000003 R11: ffff966ebff11be0 R12: 00000000fffffff5
R13: ffff966536fe7000 R14: ffff966536fe7020 R15: ffffffffa1770b88
FS: 0000000000000000(0000) GS:ffff965e7f8c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe35dbcb7b0 CR3: 0000000f36c10001 CR4: 00000000000606e0
Call Trace:
<TASK>
? __die_body.cold+0x1a/0x1f
? die+0x2a/0x50
? do_trap+0xc5/0x110
? __list_del_entry_valid.cold+0xf/0x6f
? do_error_trap+0x6a/0x90
? __list_del_entry_valid.cold+0xf/0x6f
? exc_invalid_op+0x4c/0x60
? __list_del_entry_valid.cold+0xf/0x6f
? asm_exc_invalid_op+0x16/0x20
? __list_del_entry_valid.cold+0xf/0x6f
cifs_put_smb_ses+0xbb/0x3e0 [cifs]
mount_group_release+0x82/0xa0 [cifs]
cifs_umount+0x88/0xa0 [cifs]
deactivate_locked_super+0x2f/0xa0
cleanup_mnt+0xbd/0x150
delayed_mntput+0x28/0x40
process_one_work+0x1c7/0x380
worker_thread+0x4d/0x380
? rescuer_thread+0x3a0/0x3a0
kthread+0xda/0x100
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Modules linked in: bluetooth jitterentropy_rng drbg ansi_cprng ecdh_generic rfkill ecc overlay isofs cmac nls_utf8 cifs cifs_arc4 cifs_md4 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs tls beegfs(OE) rpcrdma rdma_ucm ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi rdma_rxe ib_uverbs ip6_udp_tunnel udp_tunnel ib_core nft_chain_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif binfmt_misc kvm irqbypass ghash_clmulni_intel sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel crypto_simd cryptd rapl dcdbas mgag200 intel_cstate joydev evdev drm_shmem_helper intel_uncore iTCO_wdt ipmi_si drm_kms_helper mei_me intel_pmc_bxt ipmi_devintf iTCO_vendor_support pcspkr i2c_algo_bit mei ipmi_msghandler watchdog sg acpi_power_meter button nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm fuse loop efi_pstore configfs
ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod hid_generic usbhid hid sd_mod t10_pi sr_mod cdrom crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci crct10dif_pclmul crct10dif_common crc32_pclmul libata ehci_pci bnx2x ehci_hcd megaraid_sas usbcore scsi_mod lpc_ich usb_common mdio libcrc32c crc32c_generic scsi_common crc32c_intel wmi
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid.cold+0xf/0x6f
Code: c7 c7 88 3c fa a0 e8 90 a0 fe ff 0f 0b 48 c7 c7 60 3c fa a0 e8 82 a0 fe ff 0f 0b 48 89 fe 48 c7 c7 70 3d fa a0 e8 71 a0 fe ff <0f> 0b 48 89 d1 48 c7 c7 90 3e fa a0 48 89 c2 e8 5d a0 fe ff 0f 0b
RSP: 0018:ffffad83a63f7dd0 EFLAGS: 00010246
RAX: 0000000000000033 RBX: ffff966536fe7800 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff965e7f8e03a0
RBP: 00000000142d66a6 R08: 0000000000000000 R09: ffffad83a63f7c68
R10: 0000000000000003 R11: ffff966ebff11be0 R12: 00000000fffffff5
R13: ffff966536fe7000 R14: ffff966536fe7020 R15: ffffffffa1770b88
FS: 0000000000000000(0000) GS:ffff965e7f8c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe35dbcb7b0 CR3: 0000000f36c10001 CR4: 00000000000606e0
note: kworker/6:9[2498151] exited with preempt_count 1
Michael did a manual backport of 24a9799aa8ef ("smb: client: fix UAF
in smb2_reconnect_server()") which seems in fact to solve the issue.
Michael, can you please post your backport here for review by Paulo
and Steve?
Regards,
Salvatore
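The "kernel BUG at lib/list_debug.c" in the trace above is the CONFIG_DEBUG_LIST sanity check in __list_del_entry_valid() refusing to unlink a list node whose ->next is NULL. One way a stale reference to a session object that has already been freed and recycled produces exactly that diagnostic is modelled below. This is an added example, not kernel code and not code from anyone in this thread: the list primitives and the six checks follow the kernel's, the poison constants are the base values without the per-architecture poison delta, and struct ses, put_ses and the two scenario functions are hypothetical, simplified stand-ins for the cifs session handling.

```c
/*
 * Added example, not kernel code: a userspace model of the CONFIG_DEBUG_LIST
 * check behind "kernel BUG at lib/list_debug.c" and of a refcounted put path
 * with one put too many. struct ses/put_ses are hypothetical stand-ins.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* Base poison values (kernel adds POISON_POINTER_DELTA on top). */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head;
	n->prev = head->prev;
	head->prev->next = n;
	head->prev = n;
}

/* list_del() as built with CONFIG_DEBUG_LIST: the six checks of
 * __list_del_entry_valid() in kernel order. Returns the diagnostic (address
 * omitted) and leaves the node alone where the kernel would BUG()/WARN(),
 * otherwise unlinks and poisons the node and returns NULL. */
static const char *list_del_checked(struct list_head *e)
{
	struct list_head *next = e->next, *prev = e->prev;

	if (next == NULL)         return "list_del corruption, ->next is NULL";
	if (prev == NULL)         return "list_del corruption, ->prev is NULL";
	if (next == LIST_POISON1) return "list_del corruption, ->next is LIST_POISON1";
	if (prev == LIST_POISON2) return "list_del corruption, ->prev is LIST_POISON2";
	if (prev->next != e)      return "list_del corruption, prev->next should be entry";
	if (next->prev != e)      return "list_del corruption, next->prev should be entry";
	prev->next = next;
	next->prev = prev;
	e->next = LIST_POISON1;
	e->prev = LIST_POISON2;
	return NULL;
}

/* Simplified session: list linkage plus a reference count. */
struct ses {
	struct list_head smb_ses_list;
	int ses_count;
};

/* Put path: the last reference unlinks and frees. "Free" is modelled by
 * zeroing the object in place, like a recycled slab object, so the program
 * stays deterministic (free() followed by a use would be undefined). */
static const char *put_ses(struct ses *s)
{
	const char *why;

	if (--s->ses_count > 0)
		return NULL;
	why = list_del_checked(&s->smb_ses_list);
	if (why)
		return why;
	memset(s, 0, sizeof(*s));
	return NULL;
}

/* Runs `puts` put_ses() calls on a session held by `owners` references;
 * returns the first diagnostic, or NULL if the list stayed consistent. */
static const char *run(int owners, int puts)
{
	struct list_head ses_list;
	struct ses *s = calloc(1, sizeof(*s));
	const char *why = NULL;

	if (!s)
		return "calloc failed";
	init_list_head(&ses_list);
	s->ses_count = owners;
	list_add_tail(&s->smb_ses_list, &ses_list);
	while (puts-- > 0 && !why)
		why = put_ses(s);
	free(s);        /* pointer still valid: the object was only zeroed */
	return why;
}

/* Balanced: every owner drops exactly once. */
const char *scenario_balanced(void) { return run(2, 2); }

/* One put too many on an already freed and recycled session: the zeroed
 * node fails the first check with the trace's wording. */
const char *scenario_stale_put(void) { return run(1, 2); }

int main(void)
{
	const char *b = scenario_balanced(), *u = scenario_stale_put();

	printf("balanced : %s\n", b ? b : "ok");
	printf("stale put: %s\n", u ? u : "ok");
	return 0;
}
```

Build with `cc -Wall` and run: the balanced scenario reports ok, the stale-put scenario reports "list_del corruption, ->next is NULL". Had the extra put hit a node that was unlinked but not recycled, the LIST_POISON1 check would have fired instead, which is why a NULL ->next in this diagnostic typically points at the object having been freed and reused (or re-zeroed) between the two puts rather than at a plain double list_del.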
Thread overview (13+ messages):
2024-04-08 10:19 FAILED: patch "[PATCH] smb: client: fix UAF in smb2_reconnect_server()" failed to apply to 6.1-stable tree gregkh
2024-11-30 9:21 ` Salvatore Bonaccorso [this message]
2024-11-30 11:17 ` backporting 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()") to older stable series Michael Krause
2024-12-03 13:18 ` Paulo Alcantara
2024-12-03 14:45 ` Salvatore Bonaccorso
2024-12-09 23:05 ` Michael Krause
2024-12-10 8:51 ` Greg KH
2024-12-10 9:16 ` Salvatore Bonaccorso
2024-12-12 12:26 ` Greg KH
2024-12-12 21:48 ` Michael Krause
2024-12-13 14:33 ` Greg KH
2024-12-13 15:53 ` Salvatore Bonaccorso
2024-12-15 9:25 ` Greg KH