Created attachment 297585: dmesg log

Mount cifs with a specified cruid. When accessing DFS with the invalid user "krbuser0", the kernel prints "BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0". It can be reproduced 100% of the time.

Set up the samba server with this config:

# cat /etc/samba/smb.conf
[global]
workgroup = RHTS
realm = RHQE.COM
server signing = auto
kerberos method = system keytab

[cifs]
path = /mnt/testarea/server
msdfs root = yes
writeable = yes

[dfsshare]
path = /mnt/testarea/server1
writeable = no
invalid users = krbuser0

Create the DFS link file:

ln -s "msdfs:$HOSTNAME\\dfsshare" /mnt/testarea/server/testlink

Client:

# su krbAccount --session-command="echo redhat |kinit krbAccount"
# mount //$SERVERS/cifs /mnt/testarea/client/ -o vers=3.11,sec=krb5,multiuser,cruid=$(id -u krbAccount)
# su krbuser0 --session-command="ls /mnt/testarea/client/testlink"

Then the kernel prints some use-after-free messages:

[71960.135586] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.137056] Read of size 8 at addr ffff8881032f8b88 by task swapper/0/0
[71960.138730] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.13.0-rc7.kasan+ #1
[71960.140454] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[71960.141621] Call Trace:
[71960.142144]  <IRQ>
[71960.142570]  dump_stack+0x89/0xb4
[71960.143251]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.144204]  print_address_description.constprop.8+0x1a/0x150
[71960.145335]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.146283]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.147242]  kasan_report.cold.17+0x7f/0x111
[71960.148119]  ? rcu_segcblist_accelerate+0x462/0x5f0
[71960.149106]  rcu_segcblist_accelerate+0x462/0x5f0
[71960.150061]  ? _raw_spin_lock_irqsave+0x80/0xe0
[71960.150989]  ? _raw_write_lock_irqsave+0xe0/0xe0
[71960.151927]  rcu_accelerate_cbs+0x7d/0x110
[71960.152764]  rcu_core+0x6aa/0x900
[71960.153446]  __do_softirq+0x18a/0x558
[71960.154190]  irq_exit_rcu+0x1c3/0x200
[71960.154942]  sysvec_apic_timer_interrupt+0x6b/0x80
[71960.155926]  </IRQ>
[71960.156372]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[71960.157411] RIP: 0010:default_idle+0x13/0x20
[71960.158283] Code: 98 fe e9 17 ff ff ff e8 7b 98 98 fe e9 ee fe ff ff cc cc cc cc cc cc 0f 1f 44 00 00 e9 07 00 00 00 0f 00 2d ff 0d 56 00 fb f4 <c3> 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 53 be 08 00

# grep -r "BUG: KASAN:" dmesg.log
[71960.135586] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.266689] BUG: KASAN: use-after-free in rcu_accelerate_cbs+0x101/0x110
[71960.395701] BUG: KASAN: use-after-free in rcu_segcblist_pend_cbs+0x8a/0x90
[71960.510469] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x414/0x5f0
[71960.625780] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.741539] BUG: KASAN: use-after-free in rcu_segcblist_extract_done_cbs+0x298/0x2e0
[71960.872066] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0xa9/0xe0
[71961.003160] BUG: KASAN: use-after-free in rcu_do_batch+0x936/0xad0
[71961.132112] BUG: KASAN: use-after-free in rcu_do_batch+0x955/0xad0
[71961.260988] BUG: KASAN: use-after-free in delayed_free+0x68/0x80 [cifs]
[71961.391857] BUG: KASAN: use-after-free in delayed_free+0x6f/0x80 [cifs]
[71961.521391] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2be/0x3a0 [cifs]
[71961.632876] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x395/0x3a0 [cifs]
[71961.743155] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x388/0x3a0 [cifs]
[71961.853038] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x37b/0x3a0 [cifs]
[71961.963236] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x36e/0x3a0 [cifs]
[71962.073980] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x361/0x3a0 [cifs]
[71962.185051] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x354/0x3a0 [cifs]
[71962.295942] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x347/0x3a0 [cifs]
[71962.406730] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x33a/0x3a0 [cifs]
[71962.517568] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x32d/0x3a0 [cifs]
[71962.628406] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x320/0x3a0 [cifs]
[71962.740102] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x313/0x3a0 [cifs]
[71962.851072] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x306/0x3a0 [cifs]
[71962.963433] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2f9/0x3a0 [cifs]
[71963.074229] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2ec/0x3a0 [cifs]
[71963.185770] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2df/0x3a0 [cifs]
[71963.297376] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2d5/0x3a0 [cifs]
[71963.410548] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2cb/0x3a0 [cifs]
[71963.522637] BUG: KASAN: double-free or invalid-free in delayed_free+0x59/0x80 [cifs]
[71963.627237] BUG: KASAN: double-free or invalid-free in rcu_do_batch+0x2e6/0xad0

For more info please check dmesg.log.
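Added here as a triage aid, not part of the report or the kernel tree: a Python parser for the one-line KASAN summaries in a dmesg capture like the one above. It groups reports by symbol and module, keeps the first report (the one whose backtrace is worth reading) and flags whether the run escalated from use-after-free to a double-free, as this one did. SAMPLE_DMESG is a constructed excerpt in the shape of the quoted log.

```python
import re
from collections import Counter

# Matches the summary line dmesg prints at the top of each KASAN report, e.g.
# "[71960.135586] BUG: KASAN: use-after-free in foo+0x462/0x5f0 [cifs]".
# The trailing "[module]" is absent for symbols built into vmlinux.
KASAN_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+BUG: KASAN: (?P<kind>[\w -]+?) in "
    r"(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>\w+)\])?\s*$"
)

# Constructed sample in the shape of the dmesg.log quoted in the report.
SAMPLE_DMESG = """\
[71960.135586] BUG: KASAN: use-after-free in rcu_segcblist_accelerate+0x462/0x5f0
[71960.137056] Read of size 8 at addr ffff8881032f8b88 by task swapper/0/0
[71961.260988] BUG: KASAN: use-after-free in delayed_free+0x68/0x80 [cifs]
[71961.521391] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x2be/0x3a0 [cifs]
[71961.632876] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x395/0x3a0 [cifs]
[71961.743155] BUG: KASAN: use-after-free in smb3_cleanup_fs_context_contents.part.6+0x388/0x3a0 [cifs]
[71963.522637] BUG: KASAN: double-free or invalid-free in delayed_free+0x59/0x80 [cifs]
"""


def parse_kasan(log):
    """Return one dict per KASAN summary line, in log order; other lines are skipped."""
    reports = []
    for line in log.splitlines():
        m = KASAN_RE.match(line)
        if m:
            d = m.groupdict()
            d["mod"] = d["mod"] or "vmlinux"  # built-in symbol, no module suffix
            reports.append(d)
    return reports


def triage(log):
    """Summarise a KASAN-laden dmesg: what faulted, how often, and whether a
    double-free followed (a UAF on a freed object usually ends that way)."""
    reports = parse_kasan(log)
    by_symbol = Counter((r["mod"], r["sym"]) for r in reports)
    by_kind = Counter(r["kind"] for r in reports)
    first = reports[0] if reports else None  # later reports are mostly fallout
    return {
        "count": len(reports),
        "kinds": dict(by_kind),
        "modules": sorted({r["mod"] for r in reports}),
        "first": (first["sym"], first["mod"]) if first else None,
        "top_symbol": by_symbol.most_common(1)[0][0] if by_symbol else None,
        "double_free": any("double-free" in r["kind"] for r in reports),
    }
```

Run it over a full capture with `triage(open("dmesg.log").read())`; the `top_symbol` and `modules` fields point at the owning subsystem before anyone reads a single backtrace.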
This is fixed in:

commit 50630b3f1ada0bf412d3f28e73bac310448d9d6f
Author: Ronnie Sahlberg <lsahlber@redhat.com>
Date:   Tue Jul 13 12:22:59 2021 +1000

    cifs: Do not use the original cruid when following DFS links for multiuser mounts

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=213565

    cruid should only be used for the initial mount and after this we should
    use the current user's credentials.
    Ignore the original cruid mount argument when creating a new context for
    a multiuser mount following a DFS link.

    Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
    Cc: stable@vger.kernel.org # 5.11+
    Reported-by: Xiaoli Feng <xifeng@redhat.com>
    Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    Signed-off-by: Steve French <stfrench@microsoft.com>