Bug 213565 - BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
Summary: BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: CIFS
Hardware: All Linux
Importance: P1 high
Assignee: fs_cifs
Reported: 2021-06-24 02:39 UTC by Xiaoli Feng
Modified: 2021-07-29 09:45 UTC
Kernel Version: 5.13.0-rc7
Regression: No

Attachments
dmesg log (192.91 KB, text/plain)
2021-06-24 02:39 UTC, Xiaoli Feng

Description Xiaoli Feng 2021-06-24 02:39:24 UTC
Created attachment 297585
dmesg log

Mount cifs with a specified cruid. When accessing dfs with the invalid user "krbuser0", the kernel prints "BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0".
It can be reproduced 100% of the time.

Set up a samba server with this config.
# cat /etc/samba/smb.conf
[global]
    workgroup = RHTS
    realm = RHQE.COM
    server signing = auto
    kerberos method = system keytab

[cifs]
    path = /mnt/testarea/server
    msdfs root = yes
    writeable = yes
[dfsshare]
   path = /mnt/testarea/server1
   writeable = no
   invalid users = krbuser0

Create the dfs file: ln -s "msdfs:$HOSTNAME\\dfsshare" /mnt/testarea/server/testlink.

Client:
# su krbAccount --session-command="echo redhat |kinit krbAccount"
# mount //$SERVERS/cifs /mnt/testarea/client/ -o vers=3.11,sec=krb5,multiuser,cruid=$(id -u krbAccount)
# su krbuser0 --session-command="ls /mnt/testarea/client/testlink"

Then the kernel prints some use-after-free messages.
[71960.135586] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.137056] Read of size 8 at addr ffff8881032f8b88 by task swapper/0/0

[71960.138730] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B             5.13.0-rc7.kasan+ #1
[71960.140454] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[71960.141621] Call Trace:
[71960.142144]  <IRQ>
[71960.142570]  dump_stack+0x89/0xb4
[71960.143251]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.144204]  print_address_description.constprop.8+0x1a/0x150
[71960.145335]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.146283]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.147242]  kasan_report.cold.17+0x7f/0x111
[71960.148119]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.149106]  rcu_segcblist_accelerate+0x462/0x5f0
[71960.150061]  ? _raw_spin_lock_irqsave+0x80/0xe0
[71960.150989]  ? _raw_write_lock_irqsave+0xe0/0xe0
[71960.151927]  rcu_accelerate_cbs+0x7d/0x110
[71960.152764]  rcu_core+0x6aa/0x900
[71960.153446]  __do_softirq+0x18a/0x558
[71960.154190]  irq_exit_rcu+0x1c3/0x200
[71960.154942]  sysvec_apic_timer_interrupt+0x6b/0x80
[71960.155926]  </IRQ>
[71960.156372]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[71960.157411] RIP: 0010:default_idle+0x13/0x20
[71960.158283] Code: 98 fe e9 17 ff ff ff e8 7b 98 98 fe e9 ee fe ff ff cc cc cc cc cc cc 0f 1f 44 00 00 e9 07 00 00 00 0f 00 2d ff 0d 56 00 fb f4 <c3> 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 53 be 08 00

# grep -r "BUG: KASAN:" dmesg.log 
[71960.135586] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.266689] BUG: KASAN: use-after-free in rcu_accelerate_cbs+0x101/0x110
[71960.395701] BUG: KASAN: use-after-free in rcu_segcblist_pend_cbs+0x8a/0x90
[71960.510469] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x414/0x5f0
[71960.625780] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.741539] BUG: KASAN: use-after-free in rcu_segcblist_extract_done_cbs+0x298/0x2e0
[71960.872066] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0xa9/0xe0
[71961.003160] BUG: KASAN: use-after-free in rcu_do_batch+0x936/0xad0
[71961.132112] BUG: KASAN: use-after-free in rcu_do_batch+0x955/0xad0
[71961.260988] BUG: KASAN: use-after-free in delayed_free+0x68/0x80 [cifs]
[71961.391857] BUG: KASAN: use-after-free in delayed_free+0x6f/0x80 [cifs]
[71961.521391] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2be/0x3a0 [cifs]
[71961.632876] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x395/0x3a0 [cifs]
[71961.743155] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x388/0x3a0 [cifs]
[71961.853038] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x37b/0x3a0 [cifs]
[71961.963236] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x36e/0x3a0 [cifs]
[71962.073980] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x361/0x3a0 [cifs]
[71962.185051] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x354/0x3a0 [cifs]
[71962.295942] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x347/0x3a0 [cifs]
[71962.406730] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x33a/0x3a0 [cifs]
[71962.517568] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x32d/0x3a0 [cifs]
[71962.628406] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x320/0x3a0 [cifs]
[71962.740102] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x313/0x3a0 [cifs]
[71962.851072] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x306/0x3a0 [cifs]
[71962.963433] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2f9/0x3a0 [cifs]
[71963.074229] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2ec/0x3a0 [cifs]
[71963.185770] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2df/0x3a0 [cifs]
[71963.297376] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2d5/0x3a0 [cifs]
[71963.410548] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2cb/0x3a0 [cifs]
[71963.522637] BUG: KASAN: double-free or invalid-free in delayed_free+0x59/0x80 [cifs]
[71963.627237] BUG: KASAN: double-free or invalid-free in rcu_do_batch+0x2e6/0xad0

For more info, please check dmesg.log.
Comment 1 Ronnie Sahlberg 2021-07-29 09:45:35 UTC
This is fixed in:
commit 50630b3f1ada0bf412d3f28e73bac310448d9d6f
Author: Ronnie Sahlberg <lsahlber@redhat.com>
Date:   Tue Jul 13 12:22:59 2021 +1000

    cifs: Do not use the original cruid when following DFS links for multiuser mounts
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=213565
    
    cruid should only be used for the initial mount and after this we should use the current
    user's credentials.
    Ignore the original cruid mount argument when creating a new context for a multiuser mount
    following a DFS link.
    
    Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
    Cc: stable@vger.kernel.org # 5.11+
    Reported-by: Xiaoli Feng <xifeng@redhat.com>
    Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    Signed-off-by: Steve French <stfrench@microsoft.com>
