Re: regression in CIFS(?) between 4.17.14 and 4.18.0

Still present in 4.18.3

# uname -r
4.18.3-1.el7.elrepo.x86_64
# sysctl -w kernel.panic_on_oops=0
# sysctl -w kernel.ftrace_dump_on_oops=1


[  136.512267] Key type dns_resolver registered
[  136.544790] Key type cifs.spnego registered
[  136.544836] Key type cifs.idmap registered
[  136.574397] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000000
[  136.574436] PGD 0 P4D 0
[  136.574451] Oops: 0000 [#1] SMP PTI
[  136.574469] CPU: 0 PID: 2295 Comm: mount.cifs Kdump: loaded Not
tainted 4.18.3-1.el7.elrepo.x86_64 #1
[  136.574506] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 09/21/2015
[  136.574576] RIP: 0010:smb2_calc_signature+0x120/0x2f0 [cifs]
[  136.574609] Code: b1 00 01 00 00 49 8b bf 80 02 00 00 ba 10 00 00
00 e8 d4 ef e4 e0 85 c0 0f 85 8c 00 00 00 48 8b 85 78 f
f ff ff ba 82 ff ff ff <48> 8b 00 f6 40 08 01 0f 84 b1 00 00 00 48 c7
c6 30 a9 55 a0 48 c7
[  136.574704] RSP: 0018:ffffc90001777a40 EFLAGS: 00010246
[  136.574726] RAX: 0000000000000000 RBX: ffff880066c5b540 RCX: 0000000000000000
[  136.574755] RDX: 00000000ffffff82 RSI: ffffc90001777998 RDI: ffff880036052310
[  136.574785] RBP: ffffc90001777ac8 R08: ffffffffa0577280 R09: ffffffffa0577280
[  136.574813] R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001777bd0
[  136.574842] R13: ffffc90001777bb0 R14: ffff880066c5b570 R15: ffff8800782a5800
[  136.574872] FS:  00007fd114787780(0000) GS:ffff88007fc00000(0000)
knlGS:0000000000000000
[  136.574904] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  136.574928] CR2: 0000000000000000 CR3: 0000000078218004 CR4: 00000000001606f0
[  136.575033] Call Trace:
[  136.575081]  ? kmem_cache_alloc+0xae/0x1d0
[  136.575121]  ? mempool_alloc_slab+0x15/0x20
[  136.575155]  smb2_sign_rqst+0x36/0x50 [cifs]
[  136.575187]  smb2_setup_request+0x10f/0x1d0 [cifs]
[  136.575219]  cifs_send_recv+0xa6/0x3e0 [cifs]
[  136.575250]  SMB2_tcon+0x198/0x580 [cifs]
[  136.575279]  cifs_get_smb_ses+0x741/0xda0 [cifs]
[  136.575309]  cifs_mount+0x62f/0x1090 [cifs]
[  136.575337]  ? kstrdup+0x49/0x60
[  136.575362]  cifs_smb3_do_mount+0x11c/0x5d0 [cifs]
[  136.575392]  cifs_do_mount+0x11/0x20 [cifs]
[  136.575415]  mount_fs+0x3e/0x150
[  136.575437]  vfs_kern_mount+0x67/0x130
[  136.575458]  do_mount+0x1f0/0xca0
[  136.575479]  ksys_mount+0x83/0xd0
[  136.575496]  __x64_sys_mount+0x25/0x30
[  136.575525]  do_syscall_64+0x60/0x190
[  136.575553]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  136.575577] RIP: 0033:0x7fd1140a530a
[  136.575593] Code: 48 8b 0d 89 6b 2c 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 6b 2c 00 f7 d8 64 89
01 48
[  136.575687] RSP: 002b:00007fff14f9ff98 EFLAGS: 00000202 ORIG_RAX:
00000000000000a5
[  136.575718] RAX: ffffffffffffffda RBX: 00007fd11479891a RCX: 00007fd1140a530a
[  136.576603] RDX: 000056023a4163b2 RSI: 000056023a4163f9 RDI: 00007fff14fa04a0
[  136.577501] RBP: 00007fff14fa0495 R08: 000056023aa17090 R09: 00007fd114787780
[  136.578405] R10: 0000000000000001 R11: 0000000000000202 R12: 00007fd114796000
[  136.579281] R13: 000056023aa17090 R14: 00007fd11479890f R15: 0000000000000000
[  136.580152] Modules linked in: arc4 md4 nls_utf8 cifs ccm
dns_resolver binfmt_misc nf_conntrack_netbios_ns
nf_conntrack_broadcast xt_CT ip6t_rpfilter ipt_REJECT nf_reject_ipv4
ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat
ebtable_broute ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
libcrc32c iptable_mangle iptable_security iptable_raw ebtable_filter
ebtables ip6table_filter ip6_tables iptable_filter
vmw_vsock_vmci_transport vsock sb_edac crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc aesni_intel crypto_simd cryptd glue_helper
intel_rapl_perf vmw_balloon pcspkr joydev input_leds sg vmw_vmci
i2c_piix4 tcp_bbr sch_fq auth_rpcgss sunrpc
[  136.586111]  ip_tables ext4 mbcache jbd2 sr_mod cdrom ata_generic
pata_acpi sd_mod crc32c_intel serio_raw vmwgfx drm_kms_helper
syscopyarea sysfillrect sysimgblt fb_sys_fops ttm vmxnet3 drm ata_piix
vmw_pvscsi libata dm_mirror dm_region_hash dm_log dm_mod
[  136.588312] Dumping ftrace buffer:
[  136.589370]    (ftrace buffer empty)
[  136.590386] CR2: 0000000000000000
[  136.591414] ---[ end trace f43489c82e85d1fc ]---
[  136.592444] RIP: 0010:smb2_calc_signature+0x120/0x2f0 [cifs]
[  136.593466] Code: b1 00 01 00 00 49 8b bf 80 02 00 00 ba 10 00 00
00 e8 d4 ef e4 e0 85 c0 0f 85 8c 00 00 00 48 8b 85 78 ff ff ff ba 82
ff ff ff <48> 8b 00 f6 40 08 01 0f 84 b1 00 00 00 48 c7 c6 30 a9 55 a0
48 c7
[  136.595636] RSP: 0018:ffffc90001777a40 EFLAGS: 00010246
[  136.596714] RAX: 0000000000000000 RBX: ffff880066c5b540 RCX: 0000000000000000
[  136.597814] RDX: 00000000ffffff82 RSI: ffffc90001777998 RDI: ffff880036052310
[  136.598885] RBP: ffffc90001777ac8 R08: ffffffffa0577280 R09: ffffffffa0577280
[  136.599958] R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001777bd0
[  136.601021] R13: ffffc90001777bb0 R14: ffff880066c5b570 R15: ffff8800782a5800
[  136.602090] FS:  00007fd114787780(0000) GS:ffff88007fc00000(0000)
knlGS:0000000000000000
[  136.603175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  136.604264] CR2: 0000000000000000 CR3: 0000000078218004 CR4: 00000000001606f0

On Sat, Aug 18, 2018 at 2:28 AM Paulo Alcantara <paulo@xxxxxxxx> wrote:
>
> "Robin P. Blanchard" <robin.blanchard@xxxxxxxxx> writes:
>
> > # sysctl -w kernel.panic_on_oops=0
> > # sysctl -w kernel.ftrace_dump_on_oops=1
> >
> > vers=2.1
> >
> > fs/cifs/cifsfs.c: Devname: -REDACTED- flags: 1
> > fs/cifs/connect.c: Username: -REDACTED-
> > fs/cifs/connect.c: file mode: 0x1ed  dir mode: 0x1ed
> > fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 46 with uid: 0
> > fs/cifs/connect.c: UNC: -REDACTED-
> > fs/cifs/connect.c: Socket created
> > fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
> > fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 47 with uid: 0
> > fs/cifs/connect.c: Existing smb sess not found
> > fs/cifs/smb2pdu.c: Negotiate protocol
> > fs/cifs/transport.c: Sending smb: smb_len=106
> > fs/cifs/connect.c: Demultiplex PID: 11712
> > fs/cifs/connect.c: RFC1002 header 0xf8
> > fs/cifs/smb2misc.c: SMB2 data length 120 offset 128
> > fs/cifs/smb2misc.c: SMB2 len 248
> > fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
> > fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> > fs/cifs/smb2pdu.c: mode 0x3
> > fs/cifs/smb2pdu.c: negotiated smb2.1 dialect
> > fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> > fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
> > fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
> > fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
> > fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> > fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x300007 TimeAdjust: 0
> > fs/cifs/smb2pdu.c: Session Setup
> > fs/cifs/smb2pdu.c: sess setup type 4
> > fs/cifs/transport.c: Sending smb: smb_len=124
> > fs/cifs/connect.c: RFC1002 header 0x13e
> > fs/cifs/smb2misc.c: SMB2 data length 246 offset 72
> > fs/cifs/smb2misc.c: SMB2 len 318
> > fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
> > Status code returned 0xc0000016 STATUS_MORE_PROCESSING_REQUIRED
> > fs/cifs/smb2maperror.c: Mapping SMB2 status code 0xc0000016 to POSIX err -5
> > fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> > fs/cifs/smb2pdu.c: rawntlmssp session setup challenge phase
> > fs/cifs/transport.c: Sending smb: smb_len=426
> > fs/cifs/connect.c: RFC1002 header 0x48
> > fs/cifs/smb2misc.c: SMB2 data length 0 offset 72
> > fs/cifs/smb2misc.c: SMB2 len 73
> > fs/cifs/smb2misc.c: Calculated size 73 length 72 mismatch mid 2
> > fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=4
> > fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
> > fs/cifs/smb2pdu.c: SMB2/3 session established successfully
> > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 47) rc = 0
> > fs/cifs/connect.c: CIFS VFS: in cifs_setup_ipc as Xid: 48 with uid: 0
> > fs/cifs/smb2pdu.c: TCON
> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> > PGD 0 P4D 0
> > Oops: 0000 [#1] SMP PTI
> > CPU: 0 PID: 11706 Comm: mount.cifs Kdump: loaded Not tainted
> > 4.18.1-1.el7.elrepo.x86_64 #1
> > Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
> > Reference Platform, BIOS 6.00 09/21/2015
> > RIP: 0010:smb2_calc_signature+0x120/0x2f0 [cifs]
> > Code: b1 00 01 00 00 49 8b bf 80 02 00 00 ba 10 00 00 00 e8 b4 86 e4
> > e0 85 c0 0f 85 8c 00 00 00 48 8b 85 78 ff ff ff ba 82 ff ff ff <48> 8b
> > 00 f6 40 08 01 0f 84 b1 00 00 00 48 c7 c6 30 09 56 a0 48 c7
> > RSP: 0018:ffffc90001d9fa40 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: ffff88007b23d8c0 RCX: 0000000000000000
> > RDX: 00000000ffffff82 RSI: ffffc90001d9f998 RDI: ffff880036196110
> > RBP: ffffc90001d9fac8 R08: ffffffffa057d280 R09: ffffffffa057d280
> > R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001d9fbd0
> > R13: ffffc90001d9fbb0 R14: ffff88007b23d8f0 R15: ffff88007a491400
> > FS:  00007f6d81b77780(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000000 CR3: 000000007a58c005 CR4: 00000000001606f0
> > Call Trace:
> >  ? kmem_cache_alloc+0xae/0x1d0
> >  ? mempool_alloc_slab+0x15/0x20
> >  smb2_sign_rqst+0x36/0x50 [cifs]
> >  smb2_setup_request+0x10f/0x1d0 [cifs]
> >  cifs_send_recv+0xa6/0x3e0 [cifs]
> >  SMB2_tcon+0x198/0x580 [cifs]
> >  ? __dynamic_pr_debug+0x8c/0xb0
> >  cifs_get_smb_ses+0x741/0xda0 [cifs]
> >  cifs_mount+0x62f/0x1090 [cifs]
> >  ? kstrdup+0x49/0x60
> >  cifs_smb3_do_mount+0x11c/0x5d0 [cifs]
> >  cifs_do_mount+0x11/0x20 [cifs]
> >  mount_fs+0x3e/0x150
> >  vfs_kern_mount+0x67/0x130
> >  do_mount+0x1f0/0xca0
> >  ? copy_mount_options+0xc0/0x140
> >  ksys_mount+0x83/0xd0
> >  __x64_sys_mount+0x25/0x30
> >  do_syscall_64+0x60/0x190
> >  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > RIP: 0033:0x7f6d8149530a
> > Code: 48 8b 0d 89 6b 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
> > 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
> > 01 f0 ff ff 73 01 c3 48 8b 0d 56 6b 2c 00 f7 d8 64 89 01 48
> > RSP: 002b:00007ffeefc36ba8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
> > RAX: ffffffffffffffda RBX: 00007f6d81b8891a RCX: 00007f6d8149530a
> > RDX: 0000558d6cbfe3b2 RSI: 0000558d6cbfe3f9 RDI: 00007ffeefc3748f
> > RBP: 00007ffeefc37484 R08: 0000558d6dfc0090 R09: 00007f6d81b77780
> > R10: 0000000000000001 R11: 0000000000000202 R12: 00007f6d81b86000
> > R13: 0000558d6dfc0090 R14: 00007f6d81b8890f R15: 0000000000000000
> > Modules linked in: cmac arc4 md4 nls_utf8 cifs ccm dns_resolver
> > binfmt_misc nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT
> > ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6
> > xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute ip6table_nat
> > nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
> > ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4
> > nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c
> > iptable_mangle iptable_security iptable_raw ebtable_filter ebtables
> > ip6table_filter ip6_tables iptable_filter vmw_vsock_vmci_transport
> > vsock sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc
> > aesni_intel crypto_simd cryptd glue_helper intel_rapl_perf vmw_balloon
> > pcspkr joydev input_leds sg vmw_vmci i2c_piix4 tcp_bbr sch_fq
> > auth_rpcgss sunrpc
> >  ip_tables ext4 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi sd_mod
> > crc32c_intel serio_raw vmwgfx drm_kms_helper syscopyarea sysfillrect
> > sysimgblt fb_sys_fops vmxnet3 ttm vmw_pvscsi ata_piix drm libata
> > dm_mirror dm_region_hash dm_log dm_mod
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > CR2: 0000000000000000
> > ---[ end trace 8d3d1726ae979933 ]---
> > RIP: 0010:smb2_calc_signature+0x120/0x2f0 [cifs]
> > Code: b1 00 01 00 00 49 8b bf 80 02 00 00 ba 10 00 00 00 e8 b4 86 e4
> > e0 85 c0 0f 85 8c 00 00 00 48 8b 85 78 ff ff ff ba 82 ff ff ff <48> 8b
> > 00 f6 40 08 01 0f 84 b1 00 00 00 48 c7 c6 30 09 56 a0 48 c7
> > RSP: 0018:ffffc90001d9fa40 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: ffff88007b23d8c0 RCX: 0000000000000000
> > RDX: 00000000ffffff82 RSI: ffffc90001d9f998 RDI: ffff880036196110
> > RBP: ffffc90001d9fac8 R08: ffffffffa057d280 R09: ffffffffa057d280
> > R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001d9fbd0
> > R13: ffffc90001d9fbb0 R14: ffff88007b23d8f0 R15: ffff88007a491400
> > FS:  00007f6d81b77780(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000000 CR3: 000000007a58c005 CR4: 00000000001606f0
>
> I guess below commit fixes your issue:
>
> commit a5c62f4833c2c8e6e0f35367b99b717b78f5c029
> Author: Aurelien Aptel <aaptel@xxxxxxxx>
> Date:   Thu Aug 2 16:39:52 2018 +0200
>
> CIFS: fix uninitialized ptr deref in smb2 signing
>
> server->secmech.sdeschmacsha256 is not properly initialized before
> smb2_shash_allocate(), set shash after that call.
>
> also fix typo in error message
>
> Fixes: 8de8c4608fe9 ("cifs: Fix validation of signed data in smb2")
>
> Signed-off-by: Aurelien Aptel <aaptel@xxxxxxxx>
> Reviewed-by: Paulo Alcantara <palcantara@xxxxxxxx>
> Reported-by: Xiaoli Feng <xifeng@xxxxxxxxxx>
> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
> CC: Stable <stable@xxxxxxxxxxxxxxx>
>
> Thanks,
>
>         Paulo
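
The quoted commit describes the ordering defect behind this oops: `shash` is derived from `server->secmech.sdeschmacsha256` before `smb2_shash_allocate()` has populated that field, so the signing step later dereferences a NULL pointer (the trace agrees: RAX is 0 and the faulting instruction `<48> 8b 00` is a load through RAX). The C program below is an added illustration and is not kernel code or part of this thread. The structures, `smb2_shash_allocate_model()` and `use_shash()` are simplified stand-ins with hypothetical layouts, and where the kernel would oops the model returns -EFAULT so the buggy and the fixed ordering can be compared side by side.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-ins for the kernel structures involved.
 * The layouts are hypothetical and exist only to model the ordering bug. */
struct shash_desc { unsigned int flags; };
struct sdesc { struct shash_desc shash; unsigned char ctx[32]; };
struct TCP_Server_Info { struct { struct sdesc *sdeschmacsha256; } secmech; };

/* Model of the lazy allocator: the pointer stays NULL until this runs. */
static int smb2_shash_allocate_model(struct TCP_Server_Info *server)
{
    if (server->secmech.sdeschmacsha256)
        return 0;
    server->secmech.sdeschmacsha256 = calloc(1, sizeof(struct sdesc));
    if (!server->secmech.sdeschmacsha256)
        return -ENOMEM;
    server->secmech.sdeschmacsha256->shash.flags = 1;
    return 0;
}

/* Stand-in for the signing step. Returns -EFAULT where the kernel would oops
 * on the NULL descriptor instead of crashing this process. */
static int use_shash(struct shash_desc *shash, uint8_t *out)
{
    if (!shash)
        return -EFAULT;
    *out = (uint8_t)shash->flags;
    return 0;
}

/* Buggy ordering (the pattern the commit message describes): the descriptor
 * is read from server->secmech before the allocator has set it, so the local
 * copy is stale even though the allocation afterwards succeeds. */
static int calc_signature_buggy(struct TCP_Server_Info *server, uint8_t *out)
{
    struct sdesc *desc = server->secmech.sdeschmacsha256;   /* still NULL here */
    int rc = smb2_shash_allocate_model(server);
    if (rc)
        return rc;
    return use_shash(desc ? &desc->shash : NULL, out);      /* stale NULL */
}

/* Fixed ordering: allocate first, then read the freshly set pointer. */
static int calc_signature_fixed(struct TCP_Server_Info *server, uint8_t *out)
{
    int rc = smb2_shash_allocate_model(server);
    if (rc)
        return rc;
    return use_shash(&server->secmech.sdeschmacsha256->shash, out);
}

/* Run the buggy ordering on a fresh, zeroed server and return its rc. */
static int demo_buggy_rc(void)
{
    struct TCP_Server_Info s = {0};
    uint8_t sig = 0;
    int rc = calc_signature_buggy(&s, &sig);
    free(s.secmech.sdeschmacsha256);
    return rc;
}

/* Run the fixed ordering on a fresh, zeroed server and return its rc. */
static int demo_fixed_rc(void)
{
    struct TCP_Server_Info s = {0};
    uint8_t sig = 0;
    int rc = calc_signature_fixed(&s, &sig);
    free(s.secmech.sdeschmacsha256);
    return rc;
}

int main(void)
{
    printf("buggy ordering: rc=%d (NULL shash; the kernel oopses here)\n",
           demo_buggy_rc());
    printf("fixed ordering: rc=%d\n", demo_fixed_rc());
    return 0;
}
```

The point of the model is that the allocation itself succeeds in both versions; only the moment at which the pointer is read differs, which is why the failure shows up as a NULL dereference on the first signed request (the TCON in the traces above) rather than as an allocation error.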


