From: Jan Niehusmann <jan@gondor.com>
To: Andrew Morton <akpm@osdl.org>
Cc: urban@teststation.com, linux-kernel@vger.kernel.org, samba@samba.org
Subject: Re: [PATCH] smbfs: Fix slab corruption in samba error path
Date: Wed, 10 May 2006 12:32:03 +0200 [thread overview]
Message-ID: <20060510103202.GA5913@knautsch.gondor.com> (raw)
In-Reply-To: <20060510022529.24e15d28.akpm@osdl.org>
On Wed, May 10, 2006 at 02:25:29AM -0700, Andrew Morton wrote:
> I think the bug is actually that this code is accessing *req after having
> doen the smb_rput(). I worry that your patch "fixes" this by accidentally
> leaking the request.
>
> We can fairly simply restructure this code so that it doesn't touch the
> request after that possible smb_rput().
>
> How does this look? If "OK", are you able to test it?
No, it doesn't look ok: The callers of smb_add_request (which are all in
fs/smbfs/proc.c) do touch the req structure after calling
smb_add_request, even if an error is returned. So your code would still
cause access after release and double frees on the req object.
As I understand the code smb_add_request is not allowed to completely
release the req structure at all.
What smb_add_request should do is
- increase the req usage counter by one (by calling smb_rget), and add
the req to one of the work queues
- or leave the usage counter alone, and don't add the req to one of the
work queues
On error, one has to be careful: If we actively remove the req from the
work queues again, we have to decrease the usage counter (otherwise we
leak requests). But if some other function already removed the req from
the queue, that function already did decrease the counter, so we are not
allowed to do it again.
The original code did get the latter case partly wrong. It assumed that
the only way a req could be removed from the work queue would be in
smb_request_recv, where the SMB_REQ_RECEIVED flag gets set. But it did
miss the error cases in smbiod.c, eg. smbiod_flush(), where the req gets
removed from the queues (and the usage counter decreased), without the
SMB_REQ_RECEIVED flag being set.
Therefore I changed the code to not check SMB_REQ_RECEIVED, but test if
the req is still on one of the work queue linked lists.
After that change, smb_add_request never releases the req, so reordering
is not necessary.
Unfortunately it's not easy to test the patch: Of course I did check
that it properly compiles, but the bug is not easily reproducible.
Jan
next prev parent reply other threads:[~2006-05-10 10:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-05 12:18 [PATCH] smbfs: Fix slab corruption in samba error path Jan Niehusmann
2006-05-10 9:25 ` Andrew Morton
2006-05-10 10:32 ` Jan Niehusmann [this message]
2006-05-11 3:16 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060510103202.GA5913@knautsch.gondor.com \
--to=jan@gondor.com \
--cc=akpm@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=samba@samba.org \
--cc=urban@teststation.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox