From: David Howells <dhowells@redhat.com>
To: Steve French <sfrench@samba.org>
Cc: dhowells@redhat.com, Shyam Prasad N <nspmangalore@gmail.com>,
	Rohith Surabattula <rohiths.msft@gmail.com>,
	Tom Talpey <tom@talpey.com>, Long Li <longli@microsoft.com>,
	Namjae Jeon <linkinjeon@kernel.org>,
	Stefan Metzmacher <metze@samba.org>,
	Jeff Layton <jlayton@kernel.org>,
	linux-cifs@vger.kernel.org
Subject: cifs-rdma: KASAN-detected UAF when using rxe driver
Date: Tue, 24 Jan 2023 17:48:58 +0000	[thread overview]
Message-ID: <1130899.1674582538@warthog.procyon.org.uk> (raw)

Hi Steve,

I was trying to test cifs rdma and KASAN detected a UAF when using the
softRoCE RDMA driver (rxe):

	BUG: KASAN: use-after-free in smbd_reconnect (fs/cifs/smbdirect.c:1427
	if (server->smbd_conn->transport_status == SMBD_CONNECTED) {

I've attached the oops log below.  This is with v6.2-rc5 with no additional
patches.  One thing I'm wondering is if smbd_destroy() should clear
server->smbd_conn before returning since it kfrees the smbd_connection struct
that that was pointing to.

The commands I was using:

	rdma link add rxe0 type rxe netdev enp6s0 # andromeda, softRoCE
	cd ~/xfstests-dev; ./check generic/001

The xfstests config:

	FSTYP=cifs
	TEST_DEV=//carina/test
	TEST_DIR=/xfstest.test
	TEST_FS_MOUNT_OPTS='-ousername=shares,password=foobar,vers=3.1.1,rdma'
	export MOUNT_OPTIONS='-ousername=shares,password=foobar,vers=3.1.1,rdma'
	export SCRATCH_DEV=//carina/scratch
	export SCRATCH_MNT=/xfstest.scratch

The mounted filesystem:

	//carina/test /xfstest.test cifs rw,context=system_u:object_r:root_t:s0,relatime,vers=3.1.1,cache=strict,username=shares,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.6.1,rdma,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=524224,wsize=524224,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=5 0 0

It's talking to ksmbd on carina.

David
---
infiniband rxe0: set active
infiniband rxe0: added enp6s0
RDS/IB: rxe0: added
CIFS: Attempting to mount \\carina\test
CIFS: VFS: RDMA transport established
CIFS: Attempting to mount \\carina\scratch
CIFS: Attempting to mount \\carina\scratch
run fstests generic/001 at 2023-01-24 17:31:24
CIFS: VFS: smbd_recv_buf:1887 disconnected
==================================================================
BUG: KASAN: use-after-free in smbd_reconnect+0xba/0x1a9
Read of size 4 at addr ffff888119014000 by task cifsd/4963

CPU: 0 PID: 4963 Comm: cifsd Not tainted 6.2.0-rc5-build2 #729
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x4c/0x5f
 print_address_description.constprop.0+0x80/0x2b2
 print_report+0x10f/0x1f2
 ? __virt_addr_valid+0xcd/0x113
 ? smbd_reconnect+0xba/0x1a9
  ? smbd_reconnect+0xba/0x1a9
 kasan_report+0x88/0xa7
 ? smbd_reconnect+0xba/0x1a9
 smbd_reconnect+0xba/0x1a9
 __cifs_reconnect+0x4ca/0x637
 ? cifs_mark_tcp_ses_conns_for_reconnect+0x20a/0x20a
 ? __raw_spin_lock_init+0x83/0x83
 ? cifs_readv_from_socket+0x28f/0x2e6
 ? cifs_readv_from_socket+0x28f/0x2e6
 cifs_readv_from_socket+0x1e7/0x2e6
 cifs_read_from_socket+0xb5/0xef
 ? cifs_readv_from_socket+0x2e6/0x2e6
 ? mempool_kmalloc+0x11/0x11
 ? reacquire_held_locks+0x1bb/0x1bb
 ? memset+0x21/0x3f
 cifs_demultiplex_thread+0x19f/0xbae
 ? cifs_handle_standard+0x277/0x277
 ? reacquire_held_locks+0x1bb/0x1bb
 ? __kthread_parkme+0x65/0xe8
 ? rcu_read_lock_bh_held+0xb1/0xb1
 ? preempt_count_sub+0x18/0xba
 ? _raw_spin_unlock_irqrestore+0x39/0x4c
 ? cifs_handle_standard+0x277/0x277
 kthread+0x164/0x173
 ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 4959:
 stack_trace_save+0x8d/0xba
 kasan_save_stack+0x1c/0x38
 kasan_set_track+0x21/0x26
 ____kasan_kmalloc+0x69/0x73
 _smbd_get_connection+0xcf/0x124c
 smbd_get_connection+0x21/0x3e
 cifs_get_tcp_session.part.0+0x7f6/0xb87
 cifs_mount_get_session+0x53/0x164
 cifs_mount+0x8d/0x227
 cifs_smb3_do_mount+0x168/0x465
 smb3_get_tree+0x55/0x8a
 vfs_get_tree+0x43/0x14d
 do_new_mount+0x197/0x2b4
 path_mount+0x6c7/0x705
 do_mount+0x9c/0xdb
 __do_sys_mount+0x141/0x16e
 do_syscall_64+0x39/0x46
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4963:
 stack_trace_save+0x8d/0xba
 kasan_save_stack+0x1c/0x38
 kasan_set_track+0x21/0x26
 kasan_save_free_info+0x27/0x37
 ____kasan_slab_free+0xb6/0xd2
 __kmem_cache_free+0x93/0xd2
 smbd_destroy+0x8da/0x91c
 __cifs_reconnect+0x48d/0x637
 cifs_readv_from_socket+0x1e7/0x2e6
 cifs_read_from_socket+0xb5/0xef
 cifs_demultiplex_thread+0x19f/0xbae
 kthread+0x164/0x173
 ret_from_fork+0x1f/0x30

Last potentially related work creation:
 stack_trace_save+0x8d/0xba
 kasan_save_stack+0x1c/0x38
 __kasan_record_aux_stack+0x5f/0x65
 insert_work+0x30/0xaf
 __queue_work+0x3cc/0x3ef
 queue_work_on+0x4e/0x68
 __ib_process_cq+0x228/0x276
 ib_poll_handler+0x41/0x14f
 irq_poll_softirq+0xd9/0x1ad
 __do_softirq+0x201/0x470

Second to last potentially related work creation:
 stack_trace_save+0x8d/0xba
 kasan_save_stack+0x1c/0x38
 __kasan_record_aux_stack+0x5f/0x65
 insert_work+0x30/0xaf
 __queue_work+0x3cc/0x3ef
 queue_work_on+0x4e/0x68
 recv_done+0x171/0x714
 __ib_process_cq+0x228/0x276
 ib_poll_handler+0x41/0x14f
 irq_poll_softirq+0xd9/0x1ad
 __do_softirq+0x201/0x470

The buggy address belongs to the object at ffff888119014000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes inside of
 4096-byte region [ffff888119014000, ffff888119015000)

The buggy address belongs to the physical page:
page:00000000a28ee5c4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119014
head:00000000a28ee5c4 order:1 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff888100040900 ffffea0004513490 ffffea0004581e10
raw: 0000000000000000 ffff888119014000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888119013f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888119013f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888119014000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888119014080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888119014100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
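As an added illustration (my own C model, not the kernel's code nor anything from this thread) of the sequence the report describes: smbd_destroy() frees the smbd_connection during __cifs_reconnect(), server->smbd_conn is left pointing at the freed object, and smbd_reconnect() then reads transport_status through it. The struct and field names mirror the report; the enum value, the kfree_model() stand-in for KASAN's freed-object tracking, and the two *_model() functions are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal model of the structures named in the report, not the
 * kernel's real definitions. */
enum { SMBD_CONNECTED = 1 };
struct smbd_connection { int transport_status; };
struct TCP_Server_Info { struct smbd_connection *smbd_conn; };

/* Toy stand-in for KASAN: kfree_model() poisons the object and remembers it
 * instead of returning it to the allocator, so a later read can be reported
 * as a use-after-free instead of being undefined behaviour. */
static void *last_freed;
static void kfree_model(struct smbd_connection *conn)
{
	memset(conn, 0xfb, sizeof *conn);	/* echoes the "fb" shadow bytes in the dump */
	last_freed = conn;
}
/* smbd_destroy() as the report describes it frees the struct and leaves
 * server->smbd_conn dangling; clear_pointer=true is the suggested fix. */
static void smbd_destroy_model(struct TCP_Server_Info *server, bool clear_pointer)
{
	kfree_model(server->smbd_conn);
	if (clear_pointer)
		server->smbd_conn = NULL;
}
/* The read at smbdirect.c:1427.  -1: use-after-free (what KASAN reported),
 * 1: no connection to inspect, 0: live and connected, 2: live, not connected. */
static int smbd_reconnect_model(struct TCP_Server_Info *server)
{
	if (!server->smbd_conn)
		return 1;
	if (server->smbd_conn == last_freed)
		return -1;
	return server->smbd_conn->transport_status == SMBD_CONNECTED ? 0 : 2;
}
/* Replay the reporter's sequence: connect at mount, destroy during reconnect,
 * then the status read.  Returns the reconnect result. */
static int run_scenario(bool fixed)
{
	struct smbd_connection *conn = calloc(1, sizeof *conn);
	struct TCP_Server_Info server = { .smbd_conn = conn };
	if (!conn)
		return -2;
	conn->transport_status = SMBD_CONNECTED;
	smbd_destroy_model(&server, fixed);
	int rc = smbd_reconnect_model(&server);
	last_freed = NULL;
	free(conn);			/* now really release the object */
	return rc;
}
```

run_scenario(false) reproduces the dangling read the KASAN report flags; run_scenario(true) shows the reconnect path simply finding no connection once the pointer is cleared.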
