* [PATCH] smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file()
@ 2024-04-08 21:32 Paulo Alcantara
2024-04-08 22:09 ` Steve French
0 siblings, 1 reply; 3+ messages in thread
From: Paulo Alcantara @ 2024-04-08 21:32 UTC (permalink / raw)
To: smfrench; +Cc: linux-cifs, Paulo Alcantara
cifs_get_fattr() may be called with a NULL inode, so check for a
non-NULL inode before calling
cifs_mark_open_handles_for_deleted_file().
This fixes the following oops:
mount.cifs //srv/share /mnt -o ...,vers=3.1.1
cd /mnt
touch foo; tail -f foo &
rm foo
cat foo
BUG: kernel NULL pointer dereference, address: 00000000000005c0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 696 Comm: cat Not tainted 6.9.0-rc2 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-1.fc39 04/01/2014
RIP: 0010:__lock_acquire+0x5d/0x1c70
Code: 00 00 44 8b a4 24 a0 00 00 00 45 85 f6 0f 84 bb 06 00 00 8b 2d
48 e2 95 01 45 89 c3 41 89 d2 45 89 c8 85 ed 0 0 <48> 81 3f 40 7a 76
83 44 0f 44 d8 83 fe 01 0f 86 1b 03 00 00 31 d2
RSP: 0018:ffffc90000b37490 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff888110021ec0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000005c0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000200
FS: 00007f2a1fa08740(0000) GS:ffff888157a00000(0000)
knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2: 00000000000005c0 CR3: 000000011ac7c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x180/0x490
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x70/0x230
? asm_exc_page_fault+0x26/0x30
? __lock_acquire+0x5d/0x1c70
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
lock_acquire+0xc0/0x2d0
? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
? kmem_cache_alloc+0x2d9/0x370
_raw_spin_lock+0x34/0x80
? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
cifs_get_fattr+0x24c/0x940 [cifs]
? srso_alias_return_thunk+0x5/0xfbef5
cifs_get_inode_info+0x96/0x120 [cifs]
cifs_lookup+0x16e/0x800 [cifs]
cifs_atomic_open+0xc7/0x5d0 [cifs]
? lookup_open.isra.0+0x3ce/0x5f0
? __pfx_cifs_atomic_open+0x10/0x10 [cifs]
lookup_open.isra.0+0x3ce/0x5f0
path_openat+0x42b/0xc30
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
do_filp_open+0xc4/0x170
do_sys_openat2+0xab/0xe0
__x64_sys_openat+0x57/0xa0
do_syscall_64+0xc1/0x1e0
entry_SYSCALL_64_after_hwframe+0x72/0x7a
Fixes: ffceb7640cbf ("smb: client: do not defer close open handles to deleted files")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
fs/smb/client/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c
index 91b07ef9e25c..60afab5c83d4 100644
--- a/fs/smb/client/inode.c
+++ b/fs/smb/client/inode.c
@@ -1105,7 +1105,8 @@ static int cifs_get_fattr(struct cifs_open_info_data *data,
} else {
cifs_open_info_to_fattr(fattr, data, sb);
}
- if (!rc && fattr->cf_flags & CIFS_FATTR_DELETE_PENDING)
+ if (!rc && *inode &&
+ (fattr->cf_flags & CIFS_FATTR_DELETE_PENDING))
cifs_mark_open_handles_for_deleted_file(*inode, full_path);
break;
case -EREMOTE:
--
2.44.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file()
2024-04-08 21:32 [PATCH] smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file() Paulo Alcantara
@ 2024-04-08 22:09 ` Steve French
2024-04-09 6:31 ` Meetakshi Setiya
0 siblings, 1 reply; 3+ messages in thread
From: Steve French @ 2024-04-08 22:09 UTC (permalink / raw)
To: Paulo Alcantara; +Cc: linux-cifs
merged into cifs-2.6.git for-next
Good catch
On Mon, Apr 8, 2024 at 4:32 PM Paulo Alcantara <pc@manguebit.com> wrote:
>
> cifs_get_fattr() may be called with a NULL inode, so check for a
> non-NULL inode before calling
> cifs_mark_open_handles_for_deleted_file().
>
> This fixes the following oops:
>
> mount.cifs //srv/share /mnt -o ...,vers=3.1.1
> cd /mnt
> touch foo; tail -f foo &
> rm foo
> cat foo
>
> BUG: kernel NULL pointer dereference, address: 00000000000005c0
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 2 PID: 696 Comm: cat Not tainted 6.9.0-rc2 #1
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> 1.16.3-1.fc39 04/01/2014
> RIP: 0010:__lock_acquire+0x5d/0x1c70
> Code: 00 00 44 8b a4 24 a0 00 00 00 45 85 f6 0f 84 bb 06 00 00 8b 2d
> 48 e2 95 01 45 89 c3 41 89 d2 45 89 c8 85 ed 0 0 <48> 81 3f 40 7a 76
> 83 44 0f 44 d8 83 fe 01 0f 86 1b 03 00 00 31 d2
> RSP: 0018:ffffc90000b37490 EFLAGS: 00010002
> RAX: 0000000000000000 RBX: ffff888110021ec0 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000005c0
> RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000200
> FS: 00007f2a1fa08740(0000) GS:ffff888157a00000(0000)
> knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0:
> 0000000080050033
> CR2: 00000000000005c0 CR3: 000000011ac7c000 CR4: 0000000000750ef0
> PKRU: 55555554
> Call Trace:
> <TASK>
> ? __die+0x23/0x70
> ? page_fault_oops+0x180/0x490
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? exc_page_fault+0x70/0x230
> ? asm_exc_page_fault+0x26/0x30
> ? __lock_acquire+0x5d/0x1c70
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> lock_acquire+0xc0/0x2d0
> ? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? kmem_cache_alloc+0x2d9/0x370
> _raw_spin_lock+0x34/0x80
> ? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
> cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
> cifs_get_fattr+0x24c/0x940 [cifs]
> ? srso_alias_return_thunk+0x5/0xfbef5
> cifs_get_inode_info+0x96/0x120 [cifs]
> cifs_lookup+0x16e/0x800 [cifs]
> cifs_atomic_open+0xc7/0x5d0 [cifs]
> ? lookup_open.isra.0+0x3ce/0x5f0
> ? __pfx_cifs_atomic_open+0x10/0x10 [cifs]
> lookup_open.isra.0+0x3ce/0x5f0
> path_openat+0x42b/0xc30
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> do_filp_open+0xc4/0x170
> do_sys_openat2+0xab/0xe0
> __x64_sys_openat+0x57/0xa0
> do_syscall_64+0xc1/0x1e0
> entry_SYSCALL_64_after_hwframe+0x72/0x7a
>
> Fixes: ffceb7640cbf ("smb: client: do not defer close open handles to deleted files")
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> ---
> fs/smb/client/inode.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c
> index 91b07ef9e25c..60afab5c83d4 100644
> --- a/fs/smb/client/inode.c
> +++ b/fs/smb/client/inode.c
> @@ -1105,7 +1105,8 @@ static int cifs_get_fattr(struct cifs_open_info_data *data,
> } else {
> cifs_open_info_to_fattr(fattr, data, sb);
> }
> - if (!rc && fattr->cf_flags & CIFS_FATTR_DELETE_PENDING)
> + if (!rc && *inode &&
> + (fattr->cf_flags & CIFS_FATTR_DELETE_PENDING))
> cifs_mark_open_handles_for_deleted_file(*inode, full_path);
> break;
> case -EREMOTE:
> --
> 2.44.0
>
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file()
2024-04-08 22:09 ` Steve French
@ 2024-04-09 6:31 ` Meetakshi Setiya
0 siblings, 0 replies; 3+ messages in thread
From: Meetakshi Setiya @ 2024-04-09 6:31 UTC (permalink / raw)
To: Steve French; +Cc: Paulo Alcantara, linux-cifs
Thanks, looks good.
Meetakshi
On Tue, Apr 9, 2024 at 3:39 AM Steve French <smfrench@gmail.com> wrote:
>
> merged into cifs-2.6.git for-next
>
> Good catch
>
>
> On Mon, Apr 8, 2024 at 4:32 PM Paulo Alcantara <pc@manguebit.com> wrote:
> >
> > cifs_get_fattr() may be called with a NULL inode, so check for a
> > non-NULL inode before calling
> > cifs_mark_open_handles_for_deleted_file().
> >
> > This fixes the following oops:
> >
> > mount.cifs //srv/share /mnt -o ...,vers=3.1.1
> > cd /mnt
> > touch foo; tail -f foo &
> > rm foo
> > cat foo
> >
> > BUG: kernel NULL pointer dereference, address: 00000000000005c0
> > #PF: supervisor read access in kernel mode
> > #PF: error_code(0x0000) - not-present page
> > PGD 0 P4D 0
> > Oops: 0000 [#1] PREEMPT SMP NOPTI
> > CPU: 2 PID: 696 Comm: cat Not tainted 6.9.0-rc2 #1
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> > 1.16.3-1.fc39 04/01/2014
> > RIP: 0010:__lock_acquire+0x5d/0x1c70
> > Code: 00 00 44 8b a4 24 a0 00 00 00 45 85 f6 0f 84 bb 06 00 00 8b 2d
> > 48 e2 95 01 45 89 c3 41 89 d2 45 89 c8 85 ed 0 0 <48> 81 3f 40 7a 76
> > 83 44 0f 44 d8 83 fe 01 0f 86 1b 03 00 00 31 d2
> > RSP: 0018:ffffc90000b37490 EFLAGS: 00010002
> > RAX: 0000000000000000 RBX: ffff888110021ec0 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000005c0
> > RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000200
> > FS: 00007f2a1fa08740(0000) GS:ffff888157a00000(0000)
> > knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0:
> > 0000000080050033
> > CR2: 00000000000005c0 CR3: 000000011ac7c000 CR4: 0000000000750ef0
> > PKRU: 55555554
> > Call Trace:
> > <TASK>
> > ? __die+0x23/0x70
> > ? page_fault_oops+0x180/0x490
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > ? exc_page_fault+0x70/0x230
> > ? asm_exc_page_fault+0x26/0x30
> > ? __lock_acquire+0x5d/0x1c70
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > lock_acquire+0xc0/0x2d0
> > ? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > ? kmem_cache_alloc+0x2d9/0x370
> > _raw_spin_lock+0x34/0x80
> > ? cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
> > cifs_mark_open_handles_for_deleted_file+0x3a/0x100 [cifs]
> > cifs_get_fattr+0x24c/0x940 [cifs]
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > cifs_get_inode_info+0x96/0x120 [cifs]
> > cifs_lookup+0x16e/0x800 [cifs]
> > cifs_atomic_open+0xc7/0x5d0 [cifs]
> > ? lookup_open.isra.0+0x3ce/0x5f0
> > ? __pfx_cifs_atomic_open+0x10/0x10 [cifs]
> > lookup_open.isra.0+0x3ce/0x5f0
> > path_openat+0x42b/0xc30
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > ? srso_alias_return_thunk+0x5/0xfbef5
> > do_filp_open+0xc4/0x170
> > do_sys_openat2+0xab/0xe0
> > __x64_sys_openat+0x57/0xa0
> > do_syscall_64+0xc1/0x1e0
> > entry_SYSCALL_64_after_hwframe+0x72/0x7a
> >
> > Fixes: ffceb7640cbf ("smb: client: do not defer close open handles to deleted files")
> > Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> > ---
> > fs/smb/client/inode.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c
> > index 91b07ef9e25c..60afab5c83d4 100644
> > --- a/fs/smb/client/inode.c
> > +++ b/fs/smb/client/inode.c
> > @@ -1105,7 +1105,8 @@ static int cifs_get_fattr(struct cifs_open_info_data *data,
> > } else {
> > cifs_open_info_to_fattr(fattr, data, sb);
> > }
> > - if (!rc && fattr->cf_flags & CIFS_FATTR_DELETE_PENDING)
> > + if (!rc && *inode &&
> > + (fattr->cf_flags & CIFS_FATTR_DELETE_PENDING))
> > cifs_mark_open_handles_for_deleted_file(*inode, full_path);
> > break;
> > case -EREMOTE:
> > --
> > 2.44.0
> >
>
>
> --
> Thanks,
>
> Steve
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-04-09 6:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-08 21:32 [PATCH] smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file() Paulo Alcantara
2024-04-08 22:09 ` Steve French
2024-04-09 6:31 ` Meetakshi Setiya
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).