Hi all,

I'm seeing this use-after-free in the latest mainline kernel. But I cannot make much sense out of it. It complains that the buffer was freed before cifsd could finish. I cannot see how that can happen.

Worried about this as we've been seeing some possible corruptions during some internal stress testing in Microsoft. That's the reason I was running a KASAN-enabled kernel.

Any clues?

==================================================================
May 24 10:58:11 xrqubcgiz kernel: [ 2976.847655] BUG: KASAN: slab-use-after-free in smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.859483] Read of size 4 at addr ffff888111638008 by task cifsd/563833
May 24 10:58:11 xrqubcgiz kernel: [ 2976.865664]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.868354] CPU: 0 PID: 563833 Comm: cifsd Not tainted 6.4.0-rc3-wkasan #5
May 24 10:58:11 xrqubcgiz kernel: [ 2976.877390] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
May 24 10:58:11 xrqubcgiz kernel: [ 2976.885226] Call Trace:
May 24 10:58:11 xrqubcgiz kernel: [ 2976.888530]  <TASK>
May 24 10:58:11 xrqubcgiz kernel: [ 2976.896455]  dump_stack_lvl+0x48/0x70
May 24 10:58:11 xrqubcgiz kernel: [ 2976.903888]  print_report+0xcf/0x630
May 24 10:58:11 xrqubcgiz kernel: [ 2976.908427]  ? kasan_complete_mode_report_info+0x8a/0x220
May 24 10:58:11 xrqubcgiz kernel: [ 2976.915694]  ? smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.923587]  kasan_report+0xbb/0x100
May 24 10:58:11 xrqubcgiz kernel: [ 2976.927889]  ? smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.937541]  kasan_check_range+0x3a/0x220
May 24 10:58:11 xrqubcgiz kernel: [ 2976.942920]  __asan_loadN+0xf/0x20
May 24 10:58:11 xrqubcgiz kernel: [ 2976.946734]  smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.956230]  cifs_demultiplex_thread+0xcfc/0x17a0 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.963011]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2976.971733]  ? __pfx___schedule+0x10/0x10
May 24 10:58:11 xrqubcgiz kernel: [ 2976.975674]  ? try_to_wake_up+0x370/0xc70
May 24 10:58:11 xrqubcgiz kernel: [ 2976.982190]  ? _raw_spin_lock_irqsave+0x96/0x110
May 24 10:58:11 xrqubcgiz kernel: [ 2976.990334]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
May 24 10:58:11 xrqubcgiz kernel: [ 2976.995407]  ? __kasan_check_read+0x11/0x20
May 24 10:58:11 xrqubcgiz kernel: [ 2977.001204]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.010165]  kthread+0x188/0x1d0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.014228]  ? __pfx_kthread+0x10/0x10
May 24 10:58:11 xrqubcgiz kernel: [ 2977.020605]  ret_from_fork+0x2c/0x50
May 24 10:58:11 xrqubcgiz kernel: [ 2977.024091]  </TASK>
May 24 10:58:11 xrqubcgiz kernel: [ 2977.030697]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.033211] Allocated by task 563833:
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041106]  kasan_save_stack+0x26/0x60
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041120]  kasan_set_track+0x25/0x40
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041126]  kasan_save_alloc_info+0x1e/0x40
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041133]  __kasan_slab_alloc+0x9d/0xa0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041140]  kmem_cache_alloc+0x176/0x3a0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041146]  mempool_alloc_slab+0x17/0x30
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041153]  mempool_alloc+0xf0/0x290
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041159]  cifs_buf_get+0x28/0x70 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041421]  smb3_receive_transform+0x2dc/0xcd0 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.041913]  cifs_demultiplex_thread+0xba7/0x17a0 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.042163]  kthread+0x188/0x1d0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.042171]  ret_from_fork+0x2c/0x50
May 24 10:58:11 xrqubcgiz kernel: [ 2977.042177]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.049147] Freed by task 1300137:
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052171]  kasan_save_stack+0x26/0x60
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052181]  kasan_set_track+0x25/0x40
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052188]  kasan_save_free_info+0x2e/0x60
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052194]  ____kasan_slab_free+0x17f/0x200
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052200]  __kasan_slab_free+0x12/0x30
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052207]  slab_free_freelist_hook+0xd0/0x1a0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052213]  kmem_cache_free+0x1a9/0x340
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052219]  mempool_free_slab+0x17/0x30
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052226]  mempool_free+0x66/0x190
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052231]  free_rsp_buf+0x60/0x90 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052487]  smb2_compound_op+0xbe3/0x2c00 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.052756]  smb2_query_path_info+0x1e8/0x530 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.053024]  cifs_get_inode_info+0x661/0x1170 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.053274]  cifs_lookup+0x2bb/0xbf0 [cifs]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058107]  __lookup_slow+0x116/0x220
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058117]  walk_component+0x193/0x240
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058124]  path_lookupat+0xb2/0x2f0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058130]  filename_lookup+0x16f/0x340
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058138]  vfs_statx+0xf4/0x260
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058144]  vfs_fstatat+0x59/0x80
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058150]  __do_sys_newlstat+0x86/0xf0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058156]  __x64_sys_newlstat+0x31/0x40
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058162]  do_syscall_64+0x5c/0x90
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058172]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
May 24 10:58:11 xrqubcgiz kernel: [ 2977.058182]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.060882] The buggy address belongs to the object at ffff888111638000
May 24 10:58:11 xrqubcgiz kernel: [ 2977.060882]  which belongs to the cache cifs_request of size 16588
May 24 10:58:11 xrqubcgiz kernel: [ 2977.070701] The buggy address is located 8 bytes inside of
May 24 10:58:11 xrqubcgiz kernel: [ 2977.070701]  freed 16588-byte region [ffff888111638000, ffff88811163c0cc)
May 24 10:58:11 xrqubcgiz kernel: [ 2977.087315]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.090437] The buggy address belongs to the physical page:
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097263] page:000000004133fcae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111638
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097274] head:000000004133fcae order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097280] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097288] page_type: 0xffffffff()
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097295] raw: 0017ffffc0010200 ffff88811245d900 ffffea0004ba7a00 dead000000000005
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097301] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097305] page dumped because: kasan: bad access detected
May 24 10:58:11 xrqubcgiz kernel: [ 2977.097309]
May 24 10:58:11 xrqubcgiz kernel: [ 2977.099757] Memory state around the buggy address:
May 24 10:58:11 xrqubcgiz kernel: [ 2977.107368]  ffff888111637f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
May 24 10:58:11 xrqubcgiz kernel: [ 2977.115239]  ffff888111637f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
May 24 10:58:11 xrqubcgiz kernel: [ 2977.122563] >ffff888111638000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
May 24 10:58:11 xrqubcgiz kernel: [ 2977.128714]                       ^
May 24 10:58:11 xrqubcgiz kernel: [ 2977.135152]  ffff888111638080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
May 24 10:58:11 xrqubcgiz kernel: [ 2977.142552]  ffff888111638100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
May 24 10:58:11 xrqubcgiz kernel: [ 2977.148569] ==================================================================

--
Regards,
Shyam
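A parser for this report format, as an added example that is not part of Shyam's mail or of the cifs code: it strips the syslog prefix, pulls out the access line, the object/region lines and the three stack sections, and then derives the checks a triager does by hand on a KASAN slab-use-after-free (offset of the access into the object, whether the access lies inside the freed region, whether the region size agrees with the cache size, which non-KASAN frame owns each of the use/alloc/free stacks, and whether the free ran on a different task than the use). The sample input is a constructed, abridged copy of the report above with a shortened hostname; the `PLUMBING` prefix list, the field names and the keys returned by `triage` are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed, abridged sample in the syslog-prefixed shape of the report above
# (hostname shortened, most frames dropped); not a captured log.
SAMPLE = """\
May 24 10:58:11 host kernel: [ 2976.847655] BUG: KASAN: slab-use-after-free in smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 host kernel: [ 2976.859483] Read of size 4 at addr ffff888111638008 by task cifsd/563833
May 24 10:58:11 host kernel: [ 2976.885226] Call Trace:
May 24 10:58:11 host kernel: [ 2976.915694]  ? smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 host kernel: [ 2976.923587]  kasan_report+0xbb/0x100
May 24 10:58:11 host kernel: [ 2976.942920]  __asan_loadN+0xf/0x20
May 24 10:58:11 host kernel: [ 2976.946734]  smb2_is_network_name_deleted+0x2a/0x180 [cifs]
May 24 10:58:11 host kernel: [ 2977.033211] Allocated by task 563833:
May 24 10:58:11 host kernel: [ 2977.041140]  kmem_cache_alloc+0x176/0x3a0
May 24 10:58:11 host kernel: [ 2977.041153]  mempool_alloc+0xf0/0x290
May 24 10:58:11 host kernel: [ 2977.041159]  cifs_buf_get+0x28/0x70 [cifs]
May 24 10:58:11 host kernel: [ 2977.049147] Freed by task 1300137:
May 24 10:58:11 host kernel: [ 2977.052194]  ____kasan_slab_free+0x17f/0x200
May 24 10:58:11 host kernel: [ 2977.052226]  mempool_free+0x66/0x190
May 24 10:58:11 host kernel: [ 2977.052231]  free_rsp_buf+0x60/0x90 [cifs]
May 24 10:58:11 host kernel: [ 2977.060882] The buggy address belongs to the object at ffff888111638000
May 24 10:58:11 host kernel: [ 2977.060882]  which belongs to the cache cifs_request of size 16588
May 24 10:58:11 host kernel: [ 2977.070701] The buggy address is located 8 bytes inside of
May 24 10:58:11 host kernel: [ 2977.070701]  freed 16588-byte region [ffff888111638000, ffff88811163c0cc)
"""

# Prefix added by syslog ("May 24 10:58:11 host kernel: [ 2976.847655] "), stripped first.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+kernel:\s+\[\s*[\d.]+\]\s?")
# One stack frame: optional "? " (unreliable frame), symbol+off/size, optional [module].
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")
# Symbol prefixes of KASAN/allocator machinery, skipped when naming the owning code (my list).
PLUMBING = ("kasan_", "__kasan", "____kasan", "__asan", "print_report", "dump_stack",
            "kmem_cache_", "mempool_", "slab_free")

@dataclass
class KasanReport:
    bug_type: str = ""
    fault_func: str = ""
    access_size: int = 0
    access_addr: int = 0
    task: str = ""                   # "comm/pid" of the faulting task
    object_base: int = 0
    object_size: int = 0
    cache: str = ""
    stated_offset: int = -1          # "located N bytes inside of"
    region: tuple = (0, 0)           # [start, end) of the freed region
    stacks: dict = field(default_factory=dict)  # section -> [(symbol, module, reliable)]
    tasks: dict = field(default_factory=dict)   # "allocated"/"freed" -> pid

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            rep.bug_type, rep.fault_func = m.group(1), m.group(2).split("+")[0]
        elif m := re.match(r"(?:Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            rep.access_size, rep.access_addr, rep.task = int(m.group(1)), int(m.group(2), 16), m.group(3)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep.object_base = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            rep.cache, rep.object_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            rep.stated_offset = int(m.group(1))
        elif m := re.match(r"freed (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep.region = (int(m.group(2), 16), int(m.group(3), 16))
        elif line == "Call Trace:":
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = m.group(1).lower()
            rep.tasks[section] = int(m.group(2))
        elif section and (m := FRAME.match(line)):
            rep.stacks.setdefault(section, []).append((m.group(2), m.group(3), m.group(1) is None))
    return rep

def first_owner_frame(frames):
    """First reliable frame outside KASAN/allocator plumbing: the code that owns the stack."""
    for sym, mod, reliable in frames:
        if reliable and not sym.startswith(PLUMBING):
            return sym, mod

def triage(rep: KasanReport) -> dict:
    """Facts a triager checks first; a free on a different task than the use
    points at a lifetime race between two paths rather than a bug on one path."""
    start, end = rep.region
    offset = rep.access_addr - rep.object_base
    pid = int(rep.task.rsplit("/", 1)[-1])
    return {
        "offset_in_object": offset,
        "stated_offset_consistent": offset == rep.stated_offset,
        "inside_freed_region": start <= rep.access_addr and rep.access_addr + rep.access_size <= end,
        "region_matches_cache_size": end - start == rep.object_size,
        "use_site": first_owner_frame(rep.stacks.get("access", [])),
        "alloc_site": first_owner_frame(rep.stacks.get("allocated", [])),
        "free_site": first_owner_frame(rep.stacks.get("freed", [])),
        "freed_by_different_task": rep.tasks.get("freed") != pid,
    }

if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:28} {value}")
```

Run against the sample, `triage` reports the use in `smb2_is_network_name_deleted` [cifs], the allocation in `cifs_buf_get` [cifs], the free in `free_rsp_buf` [cifs], and `freed_by_different_task` as true, which is exactly the shape of the trace above: the response buffer was released on the lstat path (task 1300137) while the demultiplex thread (task 563833) was still reading it. The same parser runs unchanged on a raw dmesg capture, because the prefix strip is a no-op on lines that carry no syslog header.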