Created attachment 296403 [details] notify.c Kernel: git://git.samba.org/sfrench/cifs-2.6, commit c89698c5ea9212bc6673a7d89f3674940584e697 Kernel version: 5.12.0-rc7+ Steps to reproduce: 1. Compile the kernel with CONFIG_KASAN=y 2. Compile the test program ``` $ gcc notify.c -o /tmp/a.out ``` 3. Run test program with superuser privileges at CIFS mountpoint: ``` $ cd `mount|grep cifs|head -n1|awk '{print $3}'` $ sudo /tmp/a.out CIFS_IOC_NOTIFY returned -1, errno:2 ``` dmesg messages: ``` [ 63.137757] ================================================================== [ 63.138849] BUG: KASAN: slab-out-of-bounds in cifs_convert_path_to_utf16+0x8a/0x130 [cifs] [ 63.139831] Read of size 1 at addr ffff8880037e9000 by task a.out/229 [ 63.140520] [ 63.140735] CPU: 0 PID: 229 Comm: a.out Not tainted 5.12.0-rc7+ #1 [ 63.141244] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 63.142059] Call Trace: [ 63.142371] dump_stack+0x89/0xb4 [ 63.142748] ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs] [ 63.143304] print_address_description.constprop.8+0x1a/0x150 [ 63.143840] ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs] [ 63.144439] ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs] [ 63.144938] kasan_report.cold.13+0x7f/0x111 [ 63.145328] ? cifs_convert_path_to_utf16+0x8a/0x130 [cifs] [ 63.146602] cifs_convert_path_to_utf16+0x8a/0x130 [cifs] [ 63.147224] ? smb2_check_message+0x580/0x580 [cifs] [ 63.147705] ? build_path_from_dentry_optional_prefix+0x119/0x240 [cifs] [ 63.148333] smb3_notify+0x1a0/0x2d0 [cifs] [ 63.148737] ? smb3_downgrade_oplock+0xf0/0xf0 [cifs] [ 63.149202] ? kasan_save_stack+0x19/0x40 [ 63.149644] ? __kasan_kmalloc+0x70/0xa0 [ 63.150062] ? kasan_set_free_info+0x20/0x30 [ 63.150448] ? avc_ss_reset+0xa0/0xa0 [ 63.150817] ? do_syscall_64+0x33/0x40 [ 63.151322] ? trace_page_fault_kernel+0x80/0x80 [ 63.151785] ? next_uptodate_page+0x3a0/0x3a0 [ 63.152149] ? restore_nameidata+0x76/0xa0 [ 63.152824] ? do_filp_open+0x13e/0x1b0 [ 63.153957] ? cifs_sb_tlink+0x1e4/0xc70 [cifs] [ 63.154589] ? _raw_read_lock_irq+0x30/0x30 [ 63.154949] cifs_ioctl+0xadf/0xf80 [cifs] [ 63.155483] ? cifs_readdir+0xba0/0xba0 [cifs] [ 63.156038] ? do_vfs_ioctl+0xf7/0x890 [ 63.156468] ? ioctl_file_clone+0xd0/0xd0 [ 63.156814] ? selinux_file_ioctl+0x2b2/0x360 [ 63.157184] ? selinux_capable+0x20/0x20 [ 63.157560] ? do_sys_openat2+0x25b/0x410 [ 63.157935] ? file_open_root+0x220/0x220 [ 63.158423] ? do_user_addr_fault+0x3ac/0x870 [ 63.158826] __x64_sys_ioctl+0xb5/0xf0 [ 63.159269] do_syscall_64+0x33/0x40 [ 63.159695] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 63.160241] RIP: 0033:0x7f18331463c7 [ 63.160720] Code: c0 75 b5 49 8d 3c 1c e8 17 ff ff ff 85 c0 78 b6 4c 89 e0 5b 5d 41 5c c3 66 2e 0f 1f 84 00 00 00 00 00 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 0c 00 f7 d8 64 89 01 48 [ 63.162309] RSP: 002b:00007ffd8319d278 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 63.163009] RAX: ffffffffffffffda RBX: 000055d325601220 RCX: 00007f18331463c7 [ 63.164076] RDX: 00007ffd8319d283 RSI: 000000004005cf09 RDI: 0000000000000003 [ 63.164870] RBP: 00007ffd8319d290 R08: 0000000000000000 R09: 00007f1833227e70 [ 63.165552] R10: 00007f1833235120 R11: 0000000000000206 R12: 000055d3256010a0 [ 63.166318] R13: 00007ffd8319d380 R14: 0000000000000000 R15: 0000000000000000 [ 63.166924] [ 63.167119] Allocated by task 229: [ 63.169326] kasan_save_stack+0x19/0x40 [ 63.169957] __kasan_slab_alloc+0x5b/0x70 [ 63.170482] kmem_cache_alloc+0xbb/0x1c0 [ 63.171104] smb3_notify+0xe9/0x2d0 [cifs] [ 63.171636] cifs_ioctl+0xadf/0xf80 [cifs] [ 63.172091] __x64_sys_ioctl+0xb5/0xf0 [ 63.172577] do_syscall_64+0x33/0x40 [ 63.173296] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 63.174003] [ 63.174253] The buggy address belongs to the object at ffff8880037e8000 [ 63.174253] which belongs to the cache names_cache of size 4096 [ 63.176299] The buggy address is located 0 bytes to the right of [ 63.176299] 4096-byte region [ffff8880037e8000, ffff8880037e9000) [ 63.177700] The buggy address belongs to the page: [ 63.178256] page:0000000074828ba6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37e8 [ 63.180977] head:0000000074828ba6 order:3 compound_mapcount:0 compound_pincount:0 [ 63.181790] flags: 0x100000000010200(slab|head) [ 63.182204] raw: 0100000000010200 dead000000000100 dead000000000122 ffff8880011358c0 [ 63.183158] raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 [ 63.183934] page dumped because: kasan: bad access detected [ 63.184695] [ 63.184897] Memory state around the buggy address: [ 63.185511] ffff8880037e8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.186130] ffff8880037e8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.186850] >ffff8880037e9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.187457] ^ [ 63.187766] ffff8880037e9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.188606] ffff8880037e9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.189744] ================================================================== [ 63.190445] Disabling lock debugging due to kernel taint ```
Patch merged into cifs-2.6.git for-next and marked for cc: stable