Bug#919290: SMB2_close_free: BUG: unable to handle kernel NULL pointer dereference at 0000000000000000

2019-03-14 Thread Remy Oudompheng
The corresponding patch has been merged into the 4.19 branch
and is released in 4.19.29.

commit b4d965a37d89cd8611984ea16c85903d01ac967a
Author: Ronnie Sahlberg 
AuthorDate: Wed Oct 24 11:50:33 2018 +1000
Commit: Greg Kroah-Hartman 
CommitDate: Wed Mar 13 14:02:40 2019 -0700

cifs: allow calling SMB2_xxx_free(NULL)

commit 32a1fb36f6e50183871c2c1fcf5493c633e84732 upstream.

Change these free functions to allow passing NULL as the argument and
treat it as a no-op just like free(NULL) would.
Or, if rqst->rq_iov is NULL.

The second scenario could happen for smb2_queryfs() if the call
to SMB2_query_info_init() fails and we go to qfs_exit to clean up
and free all resources.
In that case we have not yet assigned rqst[2].rq_iov and thus
the rq_iov dereference in SMB2_close_free() will cause a NULL pointer
dereference.

[ bp: upstream patch also fixes SMB2_set_info_free which was introduced in 4.20 ]

Fixes:  1eb9fb52040f ("cifs: create SMB2_open_init()/SMB2_open_free() helpers")

Signed-off-by: Ronnie Sahlberg 
Signed-off-by: Steve French 
Reviewed-by: Aurelien Aptel 
CC: Stable 
Signed-off-by: Greg Kroah-Hartman 
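
The failure mode the commit message describes, as an added example that is not code from the kernel or from either message in this thread: a reduced userland model of smb2_queryfs()'s three-request compound and its qfs_exit cleanup, with the pre-fix and fixed free helper side by side. smb2_req_init(), smb2_req_free_old(), smb2_req_free_fixed(), queryfs() and run_faults() are stand-ins written for this example (one generic helper stands in for SMB2_open_free/SMB2_query_info_free/SMB2_close_free); the two structs are cut down to the members the crash touches, with rq_iov kept as the first member so that rqst->rq_iov[0].iov_base is the same pair of loads shown in the report's disassembly below. The injected -EIO and the 64-byte buffer size are arbitrary choices for the model; the wire exchange is not modelled.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down stand-ins for the kernel's struct kvec and struct smb_rqst. As in
 * the kernel, rq_iov is the first member, so rqst->rq_iov[0].iov_base is
 * "mov (%rdi),%rax; mov (%rax),%rdi": the second load faults at address 0
 * when rq_iov is NULL. */
struct kvec { void *iov_base; size_t iov_len; };
struct smb_rqst { struct kvec *rq_iov; unsigned int rq_nvec; };

static int bufs_live;   /* request buffers allocated but not yet released */
static void *small_buf_get(void) { bufs_live++; return malloc(64); }
/* Like cifs_small_buf_release(): a NULL buffer is a no-op. */
static void small_buf_release(void *buf) { if (buf) { bufs_live--; free(buf); } }

/* SMB2_{open,query_info,close}_free() before the fix: rq_iov is
 * dereferenced unconditionally. */
static void smb2_req_free_old(struct smb_rqst *rqst)
{
    small_buf_release(rqst->rq_iov[0].iov_base);
}

/* The same helper after the fix: NULL rqst or NULL rq_iov is a no-op. */
static void smb2_req_free_fixed(struct smb_rqst *rqst)
{
    if (rqst && rqst->rq_iov)
        small_buf_release(rqst->rq_iov[0].iov_base);
}

/* Stand-in for the *_init() helpers: the caller has already pointed rq_iov at
 * its kvec array; init allocates the request buffer. `fail` injects the error
 * return (-EIO is an arbitrary choice for the model). */
static int smb2_req_init(struct smb_rqst *rqst, int fail)
{
    if (fail)
        return -EIO;
    rqst->rq_iov[0].iov_base = small_buf_get();
    rqst->rq_iov[0].iov_len = 64;
    rqst->rq_nvec = 1;
    return 0;
}

/* Model of smb2_queryfs(): compound open -> query_info -> close. rqst[] is
 * zeroed, each rq_iov is assigned just before its init call, and every error
 * jumps to qfs_exit, which frees all three requests whether or not they were
 * ever set up. fail_step selects the failing init (0 = none). */
static int queryfs(int fail_step, void (*req_free)(struct smb_rqst *))
{
    struct smb_rqst rqst[3];
    struct kvec open_iov[1] = {{0}}, qi_iov[1] = {{0}}, close_iov[1] = {{0}};
    struct kvec *iovs[3] = { open_iov, qi_iov, close_iov };
    /* Call through a volatile pointer so the compiler cannot inline the old
     * helper, see a known-NULL dereference and fold it into a trap. */
    void (*volatile free_fn)(struct smb_rqst *) = req_free;
    int i, rc = 0;

    memset(rqst, 0, sizeof(rqst));          /* all three rq_iov start NULL */
    for (i = 0; i < 3; i++) {
        rqst[i].rq_iov = iovs[i];
        rc = smb2_req_init(&rqst[i], fail_step == i + 1);
        if (rc)
            goto qfs_exit;  /* rq_iov of every later request is still NULL */
    }
qfs_exit:
    free_fn(&rqst[0]);                      /* SMB2_open_free */
    free_fn(&rqst[1]);                      /* SMB2_query_info_free */
    free_fn(&rqst[2]);                      /* SMB2_close_free */
    return rc;
}

/* Run queryfs() under a SIGSEGV trap, the userland stand-in for the oops:
 * returns 1 if the cleanup faulted, 0 if it completed. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

static int run_faults(int fail_step, void (*req_free)(struct smb_rqst *))
{
    struct sigaction sa, saved;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &saved);
    if (sigsetjmp(fault_env, 1) == 0)
        queryfs(fail_step, req_free);
    else
        faulted = 1;
    sigaction(SIGSEGV, &saved, NULL);
    return faulted;
}

int main(void)
{
    for (int s = 0; s <= 3; s++)
        printf("init fails at step %d: old free %s, fixed free %s\n", s,
               run_faults(s, smb2_req_free_old) ? "FAULTS" : "ok",
               run_faults(s, smb2_req_free_fixed) ? "FAULTS" : "ok");
    return 0;
}
```

Build and run on Linux with cc -O2 -o queryfs_model queryfs_model.c && ./queryfs_model. With the old helper, an init failure at step 1 or 2 leaves a later rq_iov NULL and the cleanup faults, while a failure at step 3 does not, because rq_iov is assigned before each init call; that asymmetry is why the bug only shows up on some error paths. The fixed helper completes every case and bufs_live returns to 0, so making the free helpers NULL-tolerant costs nothing on the success path and lets a single catch-all cleanup label stay correct no matter how far setup got.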
Bug#919290: SMB2_close_free: BUG: unable to handle kernel NULL pointer dereference at 0000000000000000

2019-01-14 Thread Bernhard Übelacker
Package: src:linux
Version: 4.19.12-1
Severity: normal

Dear Maintainer,

I received the following crash while having a cifs filesystem mounted
from a qemu VM running on the same host.
Unfortunately I forgot to unmount it and shut down the VM.
Then after some minutes the system froze and restarted.

In case it is important, the mount command was:
mount -t cifs -o user=Benutzer1,pass=test,port=4445,uid=1000,gid=1000,vers=3.0,noserverino //127.0.254.55/C share
That port is a forward on the qemu command line:
...hostfwd=tcp:127.0.254.55:4445-:445...


kdump-tools are installed and collected a core.


Upstream has the following bug that looks quite similar [1], and
[2] on the mailing list.
Last year I experienced another crash related to SMB2 that
may be related, which I just reported upstream [3].

Upstream linux-4.20.y contains a patch [4] that seems related.


Kind regards,
Bernhard


[1] https://bugzilla.kernel.org/show_bug.cgi?id=202223
[2] https://lkml.org/lkml/2018/10/23/702
[3] https://bugzilla.kernel.org/show_bug.cgi?id=200907
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/cifs/smb2pdu.c?id=32a1fb36f6e50183871c2c1fcf5493c633e84732


# ls -lisah /var/crash/201901141532/*
2904688  80K -rw-r--r-- 1 root root  78K Jan 14 15:32 /var/crash/201901141532/dmesg.201901141532
2904805 158M -rw-r--r-- 1 root root 158M Jan 14 15:32 /var/crash/201901141532/dump.201901141532
[37873.194365] CIFS VFS: Server 127.0.254.55 has not responded in 120 seconds. Reconnecting...
[37947.794384] BUG: unable to handle kernel NULL pointer dereference at 

[37947.794393] PGD 0 P4D 0 
[37947.794401] Oops:  [#1] SMP NOPTI
[37947.794407] CPU: 11 PID: 13315 Comm: file.so Kdump: loaded Tainted: G           OE 4.19.0-1-amd64 #1 Debian 4.19.12-1
[37947.794411] Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 4014 05/11/2018
[37947.794466] RIP: 0010:SMB2_close_free+0x8/0x10 [cifs]
$ crash /usr/lib/debug/lib/modules/4.19.0-1-amd64/vmlinux 
/var/crash/201901141532/dump.201901141532

crash> bt
PID: 13315  TASK: 967938300ec0  CPU: 11  COMMAND: "file.so"
 #0 [accec32cb8e0] machine_kexec at 88e558f7
 #1 [accec32cb938] __crash_kexec at 88f1e19d
 #2 [accec32cba00] crash_kexec at 88f1f35d
 #3 [accec32cba18] oops_end at 88e29afd
 #4 [accec32cba38] no_context at 88e640ae
 #5 [accec32cba90] __do_page_fault at 88e64772
 #6 [accec32cbb00] page_fault at 8960108e
[exception RIP: SMB2_close_free+8]
RIP: c0f5bb48  RSP: accec32cbbb8  RFLAGS: 00010246
RAX:   RBX: 967798d61000  RCX: 
RDX: 0007  RSI: 0246  RDI: accec32cbd68
RBP: accec32cbdf0   R8: 000a   R9: 
R10: 0045  R11: 228354df9900  R12: accec32cbc50
R13: 96782d1f4000  R14: 967798d62800  R15: 
ORIG_RAX:   CS: 0010  SS: 0018
 #7 [accec32cbbb8] smb2_queryfs at c0f4e1b8 [cifs]
 #8 [accec32cbe00] cifs_statfs at c0f126fd [cifs]
 #9 [accec32cbe38] statfs_by_dentry at 890907e7
#10 [accec32cbe50] vfs_statfs at 89090a56
#11 [accec32cbe68] user_statfs at 89090b54
#12 [accec32cbea8] __do_sys_statfs at 89090bc0
#13 [accec32cbf38] do_syscall_64 at 88e040d3
#14 [accec32cbf50] entry_SYSCALL_64_after_hwframe at 89600088
RIP: 7f58114bd217  RSP: 7fffeabfea08  RFLAGS: 0246
RAX: ffda  RBX: 55981f7305b8  RCX: 7f58114bd217
RDX:   RSI: 7fffeabfea10  RDI: 55981f7305b8
RBP: 7fffeabfea10   R8: 7f581158ec40   R9: 55981f730630
R10: 0007  R11: 0246  R12: 7fffeabfead0
R13: 7fffeabfeac8  R14: 55981f77de88  R15: 55981f7316f0
ORIG_RAX: 0089  CS: 0033  SS: 002b

crash> dis SMB2_close_free
0xc0f5bb40 <SMB2_close_free>:    nopl   0x0(%rax,%rax,1) [FTRACE NOP]
0xc0f5bb45 <SMB2_close_free+5>:  mov    (%rdi),%rax
0xc0f5bb48 <SMB2_close_free+8>:  mov    (%rax),%rdi
0xc0f5bb4b <SMB2_close_free+11>: jmpq   0xc0f3f870
-- Package-specific info:
** Version:
Linux version 4.19.0-1-amd64 (debian-ker...@lists.debian.org) (gcc version 8.2.0 (Debian 8.2.0-13)) #1 SMP Debian 4.19.12-1 (2018-12-22)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-1-amd64 root=UUID=64e985dd-8bd3-4051-82a4-a01577abbed4 ro crashkernel=384M-:128M

** Tainted: OE (12288)
 * Out-of-tree module has been loaded.
 * Unsigned module has been loaded.

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: System manufacturer
product_name: System Product Name
product_version: System Version
chassis_vendor: Default string
chassis_version: Default string
bios_vendor: American Megatrends Inc.
bios_version: 4014
board_vendor: ASUSTeK COMPUTER