Re: NULL pointer dereference in smb2_queryfs with v4.19.2

Re: NULL pointer dereference in smb2_queryfs with v4.19.2

[Steve French]

At first glance it looks like it is missing from the 4.19 stable tree
On Tue, Nov 20, 2018 at 2:14 PM Steve French <smfrench@gmail.com> wrote:
>
> Do you know if you are running with this patch (which was marked for stable)
>
> commit 32a1fb36f6e50183871c2c1fcf5493c633e84732
> Author: Ronnie Sahlberg <lsahlber@redhat.com>
> Date:   Wed Oct 24 11:50:33 2018 +1000
>
>     cifs: allow calling SMB2_xxx_free(NULL)
>
>     Change these free functions to allow passing NULL as the argument and
>     treat it as a no-op just like free(NULL) would.
>     Or, if rqst->rq_iov is NULL.
>
>     The second scenario could happen for smb2_queryfs() if the call
>     to SMB2_query_info_init() fails and we go to qfs_exit to clean up
>     and free all resources.
>     In that case we have not yet assigned rqst[2].rq_iov and thus
>     the rq_iov dereference in SMB2_close_free() will cause a NULL pointer
>     dereference.
>
>     Fixes:  1eb9fb52040f ("cifs: create SMB2_open_init()/SMB2_open_free() helper
> s")
>
>     Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
>     Signed-off-by: Steve French <stfrench@microsoft.com>
>     Reviewed-by: Aurelien Aptel <aaptel@suse.com>
>     CC: Stable <stable@vger.kernel.org>
> On Tue, Nov 20, 2018 at 9:38 AM Stijn Tintel <stijn@linux-ipv6.be> wrote:
> >
> > Hi,
> >
> > My machine just rebooted after the connection to the Samba server
> > hosting a CIFS mount was lost. Kernel version 4.19.2. The oops was
> > recorded in pstore:
> >
> > <3>[533816.847894] CIFS VFS: Server store has not responded in 120
> > seconds. Reconnecting...
> > <1>[533925.390079] BUG: unable to handle kernel NULL pointer dereference
> > at 0000000000000000
> > <6>[533925.390082] PGD 0 P4D 0
> > <4>[533925.390085] Oops: 0000 [#1] PREEMPT SMP PTI
> > <4>[533925.390087] CPU: 1 PID: 30794 Comm: sadc Tainted: P
> > O      4.19.2-gentoo #1
> > <4>[533925.390088] Hardware name: System manufacturer System Product
> > Name/P9X79 WS, BIOS 4802 06/02/2015
> > <4>[533925.390099] RIP: 0010:SMB2_close_free+0x8/0x10 [cifs]
> > <4>[533925.390100] Code: 65 48 33 1c 25 28 00 00 00 75 09 48 83 c4 18 5b
> > 5d 41 5c c3 e8 89 ac 29 e0 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 48
> > 8b 07 <48> 8b 38 e9 50 8d fe ff 66 66 66 66 90 4c 8d 54 24 08 48 83 e4 f0
> > <4>[533925.390101] RSP: 0018:ffffc9002c2dfbb8 EFLAGS: 00010246
> > <4>[533925.390102] RAX: 0000000000000000 RBX: ffff880fae7e5800 RCX:
> > 0000000000000000
> > <4>[533925.390104] RDX: ffff880fdf521180 RSI: 0000000000000206 RDI:
> > ffffc9002c2dfd68
> > <4>[533925.390105] RBP: ffffc9002c2dfdf0 R08: 0000000000000000 R09:
> > 00000000002503ee
> > <4>[533925.390106] R10: ffffc9002c2dfbc0 R11: 00000000000f4240 R12:
> > ffffc9002c2dfc50
> > <4>[533925.390107] R13: ffff880fad03a200 R14: ffff880fdf521000 R15:
> > 0000000000000000
> > <4>[533925.390108] FS:  00007fb5cff85740(0000) GS:ffff88100f840000(0000)
> > knlGS:0000000000000000
> > <4>[533925.390109] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > <4>[533925.390110] CR2: 0000000000000000 CR3: 0000000118d32001 CR4:
> > 00000000000626e0
> > <4>[533925.390111] Call Trace:
> > <4>[533925.390119]  smb2_queryfs+0x162/0x360 [cifs]
> > <4>[533925.390124]  ? lookup_fast+0xc8/0x2d0
> > <4>[533925.390126]  ? legitimize_path.isra.8+0x28/0x50
> > <4>[533925.390127]  ? __vfs_getxattr+0x2a/0x70
> > <4>[533925.390130]  ? get_vfs_caps_from_disk+0x65/0x170
> > <4>[533925.390135]  ? cifs_statfs+0x97/0x1f0 [cifs]
> > <4>[533925.390140]  ? smb2_set_next_command+0x60/0x60 [cifs]
> > <4>[533925.390144]  cifs_statfs+0x97/0x1f0 [cifs]
> > <4>[533925.390147]  statfs_by_dentry+0x42/0x60
> > <4>[533925.390148]  vfs_statfs+0x16/0xc0
> > <4>[533925.390150]  user_statfs+0x54/0xa0
> > <4>[533925.390151]  __se_sys_statfs+0x25/0x60
> > <4>[533925.390153]  do_syscall_64+0x5c/0x160
> > <4>[533925.390156]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > <4>[533925.390158] RIP: 0033:0x7fb5cf8ca467
> > <4>[533925.390159] Code: 2c 00 64 c7 00 16 00 00 00 b8 ff ff ff ff eb b8
> > e8 6e 4f 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 b8 89 00 00 00
> > 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 e9 2c 00 f7 d8 64 89 01 48
> > <4>[533925.390160] RSP: 002b:00007ffc47a0c7f8 EFLAGS: 00000246 ORIG_RAX:
> > 0000000000000089
> > <4>[533925.390162] RAX: ffffffffffffffda RBX: 00007ffc47a0c9a0 RCX:
> > 00007fb5cf8ca467
> > <4>[533925.390163] RDX: 00007ffc47a0c9a9 RSI: 00007ffc47a0c800 RDI:
> > 00007ffc47a0c9a0
> > <4>[533925.390164] RBP: 00007ffc47a0c800 R08: 0000000000000000 R09:
> > 000000000000000d
> > <4>[533925.390165] R10: 00007fb5cfb9a560 R11: 0000000000000246 R12:
> > 00007ffc47a0c8b0
> > <4>[533925.390166] R13: 000000000000000b R14: 0000561829c584d4 R15:
> > 00007ffc47a0c920
> > <4>[533925.390167] Modules linked in: xt_nat hfsplus hfs msdos
> > nfnetlink_queue nfnetlink_log cp210x usbserial squashfs cfg80211 drbg
> > seqiv xfrm6_mode_tunnel xfrm4_mode_tunnel nvidia_uvm(PO) rfcomm
> > xt_CHECKSUM iptable_mangle ipt_REJECT nf_reject_ipv4 xt_tcpudp devlink
> > ebtable_filter ebtables ip6table_filter ip6_tables ipt_MASQUERADE
> > nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype iptable_filter
> > ip_tables bpfilter xt_conntrack x_tables br_netfilter bridge stp llc
> > arc4 md4 md5 xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4
> > af_key cmac xfrm_algo nls_utf8 cifs ccm sctp bnep nvidia_drm(PO)
> > algif_skcipher nvidia_modeset(PO) nls_iso8859_1 nls_cp437 vfat fat
> > joydev amdkfd iTCO_wdt nvidia(PO) evdev iTCO_vendor_support uinput
> > intel_rapl amdgpu snd_hda_codec_realtek x86_pkg_temp_thermal
> > intel_powerclamp
> > <4>[533925.390197]  snd_hda_codec_hdmi snd_hda_codec_generic
> > crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel
> > snd_usb_audio pcbc snd_hda_intel chash snd_usbmidi_lib aesni_intel
> > snd_hda_codec snd_rawmidi gpu_sched snd_seq_device crypto_simd ttm
> > snd_hda_core bcache btusb snd_hwdep drm_kms_helper btrtl cryptd snd_pcm
> > btbcm uas glue_helper btintel crc64 drm snd_timer intel_cstate bluetooth
> > drm_panel_orientation_quirks snd intel_uncore syscopyarea soundcore
> > i2c_i801 efi_pstore wmi_bmof intel_rapl_perf efivars sysfillrect e1000e
> > ecdh_generic sysimgblt lpc_ich mei_me fb_sys_fops button firewire_ohci
> > sch_fq_codel nct6775 hwmon_vid coretemp openvswitch nsh nf_nat_ipv6
> > nf_nat_ipv4 nf_conncount nf_nat nf_conntrack nf_defrag_ipv6
> > nf_defrag_ipv4 vhost_net tun vhost tap kvm_intel kvm irqbypass msr cpuid
> > <4>[533925.390226]  efivarfs virtio_ring virtio xts aes_x86_64 ecb cbc
> > sha1_generic iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
> > bonding vxlan ip6_udp_tunnel udp_tunnel macvlan igb i2c_algo_bit dca
> > e1000 fuse overlay nfs lockd grace sunrpc ext4 mbcache jbd2 fscrypto
> > multipath linear raid10 raid1 raid0 dm_raid raid456 async_raid6_recov
> > async_memcpy async_pq async_xor async_tx md_mod dm_snapshot dm_bufio
> > dm_crypt dm_mirror dm_region_hash dm_log dm_mod hid_sony hid_samsung
> > hid_petalynx hid_monterey hid_microsoft hid_logitech ff_memless
> > hid_gyration hid_ezkey hid_cypress hid_chicony hid_cherry hid_belkin
> > hid_apple hid_a4tech hid_generic usbhid ohci_pci ohci_hcd uhci_hcd hid
> > arcmsr sr_mod cdrom sg usb_storage xhci_pci ehci_pci xhci_hcd ehci_hcd
> > ptp usbcore firewire_core pps_core crc_itu_t usb_common
> > <4>[533925.390259] CR2: 0000000000000000
> > <4>[533925.390260] ---[ end trace 66b5055ad278750a ]---
> >
> > CIFS kernel options:
> >
> > CONFIG_CIFS=m
> > # CONFIG_CIFS_STATS2 is not set
> > # CONFIG_CIFS_ALLOW_INSECURE_LEGACY is not set
> > # CONFIG_CIFS_UPCALL is not set
> > CONFIG_CIFS_XATTR=y
> > CONFIG_CIFS_POSIX=y
> > CONFIG_CIFS_ACL=y
> > CONFIG_CIFS_DEBUG=y
> > # CONFIG_CIFS_DEBUG2 is not set
> > # CONFIG_CIFS_DEBUG_DUMP_KEYS is not set
> > CONFIG_CIFS_DFS_UPCALL=y
> > # CONFIG_CIFS_FSCACHE is not set
> >
> > Please include me when replying.
> >
> > Thanks,
> > Stijn
> >
>
>
> --
> Thanks,
>
> Steve



-- 
Thanks,

Steve

Re: NULL pointer dereference in smb2_queryfs with v4.19.2

[Sasha Levin]

On Tue, Nov 20, 2018 at 02:16:15PM -0600, Steve French wrote:
>At first glance it looks like it is missing from the 4.19 stable tree
>On Tue, Nov 20, 2018 at 2:14 PM Steve French <smfrench@gmail.com> wrote:
>>
>> Do you know if you are running with this patch (which was marked for stable)

Hi all,

This commit depends on ba8ca116854 ("cifs: create helpers for
SMB2_set_info_init/free()") which is not marked for stable and is not
trivial.

If anyone wants to send a backport I'd be happy to queue this patch up.

--
Thanks,
Sasha

Fwd: NULL pointer dereference in smb2_queryfs with v4.19.2

[Steve French]

---------- Forwarded message ---------
From: Sasha Levin <sashal@kernel.org>
Date: Fri, Nov 23, 2018 at 1:43 PM
Subject: Re: NULL pointer dereference in smb2_queryfs with v4.19.2
To: Steve French <smfrench@gmail.com>
Cc: <stijn@linux-ipv6.be>, Stable <stable@vger.kernel.org>, CIFS
<linux-cifs@vger.kernel.org>, samba-technical
<samba-technical@lists.samba.org>


On Tue, Nov 20, 2018 at 02:16:15PM -0600, Steve French wrote:
>At first glance it looks like it is missing from the 4.19 stable tree
>On Tue, Nov 20, 2018 at 2:14 PM Steve French <smfrench@gmail.com> wrote:
>>
>> Do you know if you are running with this patch (which was marked for stable)


> This commit depends on ba8ca116854 ("cifs: create helpers for
>SMB2_set_info_init/free()") which is not marked for stable and is not
>trivial.
>
> If anyone wants to send a backport I'd be happy to queue this patch up.

That should not be needed.
The dependency you mention - "create helpers for
SMB2_set_info_init/free..." is already in 4.19 and is the patch which
the stable patch requested ("allow calling SMB2_xxx_free...") fixes.

Thanks,

Steve

Re: Fwd: NULL pointer dereference in smb2_queryfs with v4.19.2

[Sasha Levin]

On Fri, Nov 23, 2018 at 05:21:09PM -0600, Steve French wrote:
>---------- Forwarded message ---------
>From: Sasha Levin <sashal@kernel.org>
>Date: Fri, Nov 23, 2018 at 1:43 PM
>Subject: Re: NULL pointer dereference in smb2_queryfs with v4.19.2
>To: Steve French <smfrench@gmail.com>
>Cc: <stijn@linux-ipv6.be>, Stable <stable@vger.kernel.org>, CIFS
><linux-cifs@vger.kernel.org>, samba-technical
><samba-technical@lists.samba.org>
>
>
>On Tue, Nov 20, 2018 at 02:16:15PM -0600, Steve French wrote:
>>At first glance it looks like it is missing from the 4.19 stable tree
>>On Tue, Nov 20, 2018 at 2:14 PM Steve French <smfrench@gmail.com> wrote:
>>>
>>> Do you know if you are running with this patch (which was marked for stable)
>
>
>> This commit depends on ba8ca116854 ("cifs: create helpers for
>>SMB2_set_info_init/free()") which is not marked for stable and is not
>>trivial.
>>
>> If anyone wants to send a backport I'd be happy to queue this patch up.
>
>That should not be needed.
>The dependency you mention - "create helpers for
>SMB2_set_info_init/free..." is already in 4.19 and is the patch which
>the stable patch requested ("allow calling SMB2_xxx_free...") fixes.

Hm, it's not in 4.19 - it was merged during the 4.20 merge window.

--
Thanks,
Sasha

Re: Fwd: NULL pointer dereference in smb2_queryfs with v4.19.2

[Robin P. Blanchard]

I receive a similar OOPS on 4.19.2 (have updated to 4.19.5 and will
continue to monitor):

Oops: 0000 [#2] SMP PTI
CPU: 3 PID: 15929 Comm: python Kdump: loaded Tainted: G D
4.19.2-1.el7.elrepo.x86_64 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 09/21/2015
RIP: 0010:SMB2_query_info_free+0xc/0x20 [cifs]
Code: c7 c7 b8 6d 63 a0 31 c0 e8 5f 88 ae e0 44 8b 54 24 30 eb d8 66
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 <48> 8b
38 e8 ac 15 fe ff 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
RSP: 0018:ffffc90001f43b80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90001f43d10 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffffc90001f43d38
RBP: ffffc90001f43b80 R08: 0000000000000000 R09: 00000000003b5f65
R10: 0000000000000001 R11: 0000000000aaaaaa R12: ffff880424dd5800
R13: ffffc90001f43bf0 R14: ffff880169abdc00 R15: 0000000000000000
FS: 00007f56e1f36740(0000) GS:ffff88042fac0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000036402006 CR4: 00000000001606e0
Call Trace:
smb2_queryfs+0x13a/0x310 [cifs]
? up+0x32/0x4c
? vprintk_emit+0xc3/0x260
? vprintk_default+0x29/0x50
? vprintk_func+0x44/0xe0
cifs_statfs+0xb2/0x2a0 [cifs]
statfs_by_dentry+0xa1/0x120
vfs_statfs+0x1b/0xc0
user_statfs+0x58/0xa0
__do_sys_statfs+0x27/0x60
__x64_sys_statfs+0x16/0x20
do_syscall_64+0x60/0x190
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f56e0d59787
Code: 2d 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 48 8b 15 fd 66 2d
00 f7 d8 64 89 02 48 83 c8 ff c3 0f 1f 00 b8 89 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d d9 66 2d 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc18f00108 EFLAGS: 00000202 ORIG_RAX: 0000000000000089
RAX: ffffffffffffffda RBX: 00007f56da1423b4 RCX: 00007f56e0d59787
RDX: 00007f56e1d22068 RSI: 00007ffc18f00110 RDI: 00007f56da1423b4
RBP: 00007f56e1e000d0 R08: 00007f56da1423b4 R09: 00007ffc18f00020
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f56e1ef4240
R13: 00007ffc18f00280 R14: 00007f56da13d410 R15: 00007f56e1ef55f0
Modules linked in: sha512_ssse3 sha512_generic cmac nls_utf8 cifs ccm
dns_resolver nfsv3 nfs_acl nfs lockd grace fscache binfmt_misc
ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6
xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute ip6table_nat
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat
nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
libcrc32c iptable_mangle iptable_security iptable_raw ebtable_filter
ebtables  ip6table_filter ip6_tables iptable_filter
vmw_vsock_vmci_transport vsock sb_edac crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc aesni_intel crypto_simd cryptd glue_helper
intel_rapl_perf vmw_balloon joydev input_leds pcspkr vmw_vmci sg
i2c_piix4 auth_rpcgss sunrpc tcp_bbr sch_fq ip_tables ext4 mbcache
jbd2
sr_mod cdrom ata_generic pata_acpi sd_mod crc32c_intel vmwgfx
serio_raw drm_kms_helper syscopyarea sysfillrect vmxnet3 sysimgblt
fb_sys_fops ttm ata_piix drm vmw_pvscsi libata dm_mirror
dm_region_hash dm_log dm_mod
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: 0000000000000000
---[ end trace 796e5580f5f00736 ]---
RIP: 0010:SMB2_query_info_free+0xc/0x20 [cifs]
Code: c7 c7 b8 6d 63 a0 31 c0 e8 5f 88 ae e0 44 8b 54 24 30 eb d8 66
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 <48> 8b
38 e8 ac 15 fe ff 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
RSP: 0018:ffffc90002b13b80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90002b13d10 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffffc90002b13d38
RBP: ffffc90002b13b80 R08: 0000000000000000 R09: 00000000000056a6
R10: 0000000000000007 R11: 00000000000056a5 R12: ffff880424dd5800
R13: ffffc90002b13bf0 R14: ffff880169abdc00 R15: 0000000000000000
FS: 00007f56e1f36740(0000) GS:ffff88042fac0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000036402006 CR4: 00000000001606e0
On Sat, Nov 24, 2018 at 3:02 AM Sasha Levin <sashal@kernel.org> wrote:
>
> On Fri, Nov 23, 2018 at 05:21:09PM -0600, Steve French wrote:
> >---------- Forwarded message ---------
> >From: Sasha Levin <sashal@kernel.org>
> >Date: Fri, Nov 23, 2018 at 1:43 PM
> >Subject: Re: NULL pointer dereference in smb2_queryfs with v4.19.2
> >To: Steve French <smfrench@gmail.com>
> >Cc: <stijn@linux-ipv6.be>, Stable <stable@vger.kernel.org>, CIFS
> ><linux-cifs@vger.kernel.org>, samba-technical
> ><samba-technical@lists.samba.org>
> >
> >
> >On Tue, Nov 20, 2018 at 02:16:15PM -0600, Steve French wrote:
> >>At first glance it looks like it is missing from the 4.19 stable tree
> >>On Tue, Nov 20, 2018 at 2:14 PM Steve French <smfrench@gmail.com> wrote:
> >>>
> >>> Do you know if you are running with this patch (which was marked for stable)
> >
> >
> >> This commit depends on ba8ca116854 ("cifs: create helpers for
> >>SMB2_set_info_init/free()") which is not marked for stable and is not
> >>trivial.
> >>
> >> If anyone wants to send a backport I'd be happy to queue this patch up.
> >
> >That should not be needed.
> >The dependency you mention - "create helpers for
> >SMB2_set_info_init/free..." is already in 4.19 and is the patch which
> >the stable patch requested ("allow calling SMB2_xxx_free...") fixes.
>
> Hm, it's not in 4.19 - it was merged during the 4.20 merge window.
>
> --
> Thanks,
> Sasha