From: Dominik Brodowski <linux@dominikbrodowski.net>
To: sfrench@samba.org
Cc: linux-cifs@vger.kernel.org
Subject: v5.1-rc1 cifs bug: underflow; use-after-free.
Date: Tue, 19 Mar 2019 12:51:51 +0100
Message-ID: <20190319115151.GA2092@light.dominikbrodowski.net>

Steve,

when mounting a cifs (vers=2.0, unfortunately...) volume on v5.1-rc1, I get
the following warning (slightly edited to avoid information leaks):

[ 118.326535] CIFS: Attempting to mount //some/what
[ 118.667347] ------------[ cut here ]------------
[ 118.667367] refcount_t: underflow; use-after-free.
[ 118.667384] WARNING: CPU: 1 PID: 1966 at lib/refcount.c:190 refcount_sub_and_test_checked+0x5c/0x70
[ 118.667387] Modules linked in:
[ 118.667392] CPU: 1 PID: 1966 Comm: mount.cifs Tainted: G T 5.1.0-rc1 #1
[ 118.667395] Hardware name: Dell Inc. XPS 13 9343/0TM99H, BIOS A11 12/08/2016
[ 118.667400] RIP: 0010:refcount_sub_and_test_checked+0x5c/0x70
[ 118.667432] Call Trace:
[ 118.667439] close_shroot+0x21/0xa0
[ 118.667444] smb2_query_path_info+0x16b/0x1f0
[ 118.667454] cifs_get_inode_info+0x2b3/0x860
[ 118.667467] cifs_root_iget+0x12c/0x670
[ 118.667473] cifs_smb3_do_mount+0x4f7/0x680
[ 118.667479] ? rcu_read_lock_sched_held+0x74/0x80
[ 118.667483] ? kfree+0x248/0x290
[ 118.667490] legacy_get_tree+0x24/0x40
[ 118.667494] vfs_get_tree+0x3d/0x110
[ 118.667500] do_mount+0x30a/0xef0
[ 118.667504] ? rcu_read_lock_sched_held+0x74/0x80
[ 118.667512] ksys_mount+0xbd/0xe0
[ 118.667517] __x64_sys_mount+0x22/0x30
[ 118.667522] do_syscall_64+0x50/0x160
[ 118.667527] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 118.667531] RIP: 0033:0x754fd3d1d68e

Thanks,
Dominik

Thread overview: 12+ messages
2019-03-19 11:51 Dominik Brodowski [this message]
2019-03-19 15:26 ` v5.1-rc1 cifs bug: underflow; use-after-free Aurélien Aptel
2019-03-19 15:47 ` Aurélien Aptel
2019-03-19 16:26 ` Dominik Brodowski
2019-03-20 11:12 ` Aurélien Aptel
2019-03-26 7:18 ` Dominik Brodowski
2019-03-26 12:39 ` [PATCH v1] CIFS: prevent refcount underflow Aurelien Aptel
2019-03-26 15:46 ` Dominik Brodowski
2019-03-26 16:53 ` Aurélien Aptel
2019-03-26 16:53 ` Dominik Brodowski
2019-03-27 22:36 ` Pavel Shilovsky
2019-03-27 23:44 ` ronnie sahlberg