git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/2.6.16.17/smbfs-fix-slab-corruption-in-samba-error-path.patch
1 From stable-bounces@linux.kernel.org Mon May 15 09:56:20 2006
2 Date: Mon, 15 May 2006 09:44:12 -0700
3 From: akpm@osdl.org
4 To: torvalds@osdl.org
5 Cc: jan@gondor.com, stable@kernel.org
6 Subject: smbfs: Fix slab corruption in samba error path
7
8 From: Jan Niehusmann <jan@gondor.com>
9
10 Yesterday, I got the following error with 2.6.16.13 during a file copy from
11 a smb filesystem over a wireless link. I guess there was some error on the
12 wireless link, which in turn caused an error condition for the smb
13 filesystem.
14
15 In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
16 shows up in the slab dumps, and also is -ERESTARTSYS. Error code 27499
17 corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
18 set after freeing the slab.
19
20 In smb_add_request (which is the only place in smbfs where I found
21 ERESTARTSYS), I found the following:
22
23         if (!timeleft || signal_pending(current)) {
24                 /*
25                  * On timeout or on interrupt we want to try and remove the
26                  * request from the recvq/xmitq.
27                  */
28                 smb_lock_server(server);
29                 if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
30                         list_del_init(&req->rq_queue);
31                         smb_rput(req);
32                 }
33                 smb_unlock_server(server);
34         }
35 [...]
36         if (signal_pending(current))
37                 req->rq_errno = -ERESTARTSYS;
38
39 I guess that some codepath like smbiod_flush() caused the request to be
40 removed from the queue, and smb_rput(req) to be called, without
41 SMB_REQ_RECEIVED being set. This violates an assumption made by the quoted
42 code.
43
44 Then, the above code calls smb_rput(req) again, the req gets freed, and
45 req->rq_errno = -ERESTARTSYS writes into the already freed slab. As
46 list_del_init doesn't cause an error if called multiple times, that does
47 cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
48
49 If this observation is correct, the following patch should fix it.
50
51 I wonder why the smb code uses list_del_init everywhere - using list_del
52 instead would catch such situations by poisoning the next and prev
53 pointers.
54
55 May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected. Restarting.
56 May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
57 May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected. Restarting.
58 May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
59 May 4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
60 May 4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
61 May 4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
62 May 4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
63 May 4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
64 May 4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
65 May 4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
66 May 4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
67 May 4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
68 May 4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
69 May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
70 May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
71 May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
72 May 4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
73 May 4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
74 May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
75 May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
76 May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
77 May 4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
78 May 4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
79 May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected. Restarting.
80 May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
81 May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected. Restarting.
82 May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
83 May 4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
84 May 4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
85 May 4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
86 May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
87 May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
88 May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
89 May 4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
90 May 4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
91 May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
92 May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
93 May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
94 May 4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
95 May 4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
96 May 4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
97 May 4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
98 May 4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
99 May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
100 May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
101 May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
102 May 4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
103 May 4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
104 May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
105 May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
106 May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
107 May 4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
108 May 4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
109 May 4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
110 May 4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784
111
112 Signed-off-by: Jan Niehusmann <jan@gondor.com>
113 Signed-off-by: Andrew Morton <akpm@osdl.org>
114 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
115 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
116 ---
117
118 fs/smbfs/request.c | 4 +++-
119 1 file changed, 3 insertions(+), 1 deletion(-)
120
121 --- linux-2.6.16.16.orig/fs/smbfs/request.c
122 +++ linux-2.6.16.16/fs/smbfs/request.c
123 @@ -339,9 +339,11 @@ int smb_add_request(struct smb_request *
124 /*
125 * On timeout or on interrupt we want to try and remove the
126 * request from the recvq/xmitq.
127 + * First check if the request is still part of a queue. (May
128 + * have been removed by some error condition)
129 */
130 smb_lock_server(server);
131 - if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
132 + if (!list_empty(&req->rq_queue)) {
133 list_del_init(&req->rq_queue);
134 smb_rput(req);
135 }
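Review bot: the new test `if (!list_empty(&req->rq_queue))` is only a safe ownership check because every path that unlinks a request uses list_del_init(), which leaves rq_queue as a valid empty head; a plain list_del() anywhere (including the switch the message floats at the end) would leave poisoned next/prev pointers, list_empty() would then return false, and this block would unlink and smb_rput() a request the queue has already released, recreating the double put. Suggest the new comment state that invariant instead of the vague "some error condition", for example: `* Whoever dequeues a request must use list_del_init(), so list_empty() reliably means "no longer queued".` Dropping the SMB_REQ_RECEIVED test also changes behaviour for a request that was received but left on a queue: it would now be unlinked and released here. If the receive path always unlinks under the server lock that is harmless, but the hunk does not show it, so it should be confirmed.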
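To make the mechanism described in the message concrete, the following is an added userspace model, not code from the kernel, the patch or its author. It reimplements just enough of <linux/list.h> (INIT_LIST_HEAD, list_add_tail, list_del, list_del_init, list_empty) and a stripped-down struct smb_request with a plain-int reference count, then runs the timeout/interrupt tail of smb_add_request() with the old SMB_REQ_RECEIVED test and with the patched list_empty() test after a flush-style error path has already dequeued and released the request. Instead of really freeing, the model flags the object as freed and counts every later store or put that lands on it; it also counts a dereference of list_del()'s poison pointers, to show why the new check depends on list_del_init() being used on every dequeue path. The helpers flush_queue, timeout_path and run_scenario, the faults counter and the SMB_REQ_RECEIVED bit value are this example's own assumptions.

```c
#include <stdio.h>

/* Minimal stand-ins for <linux/list.h>; poison values follow the kernel's convention. */
struct list_head { struct list_head *next, *prev; };
#define LIST_POISON1 ((struct list_head *)0x00100100)
#define LIST_POISON2 ((struct list_head *)0x00200200)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
/* Unlink; returns -1 instead of touching poison pointers, where the kernel would oops. */
static int unlink_entry(struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return -1;
    e->prev->next = e->next; e->next->prev = e->prev;
    return 0;
}
/* list_del() poisons, so list_empty() is meaningless afterwards. */
static int list_del(struct list_head *e)
{
    int rc = unlink_entry(e);
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return rc;
}
/* list_del_init() leaves a valid empty head, so list_empty() == 1 afterwards. */
static int list_del_init(struct list_head *e)
{
    int rc = unlink_entry(e);
    INIT_LIST_HEAD(e);
    return rc;
}
static int list_empty(const struct list_head *h) { return h->next == h; }

#define SMB_REQ_RECEIVED 0x0001   /* bit value is a stand-in for this example */

struct smb_request {
    struct list_head rq_queue;   /* first member, so a queue pointer is also the request pointer */
    int rq_count;                /* reference count; the kernel uses atomic_t */
    unsigned rq_flags;
    int rq_errno;
    int freed;                   /* set instead of kfree(), so misuse can be counted */
    int faults;                  /* stores/puts after "free" plus poison dereferences */
};

static void smb_rput(struct smb_request *req)
{
    if (req->freed) { req->faults++; return; }   /* put on an already released request */
    if (--req->rq_count == 0)
        req->freed = 1;                          /* kernel: kfree(req) */
}

/* smbiod_flush()-style error path: drops every queued request, never sets SMB_REQ_RECEIVED. */
static void flush_queue(struct list_head *q, int use_plain_list_del)
{
    while (!list_empty(q)) {
        struct smb_request *req = (struct smb_request *)q->next;
        if (use_plain_list_del) list_del(&req->rq_queue);
        else                    list_del_init(&req->rq_queue);
        smb_rput(req);
    }
}

enum check { CHECK_FLAG, CHECK_LIST };   /* old SMB_REQ_RECEIVED test vs. patched list_empty() test */

/* Timeout/interrupt tail of smb_add_request(), as quoted in the message. */
static void timeout_path(struct smb_request *req, enum check how)
{
    int still_queued = (how == CHECK_FLAG) ? !(req->rq_flags & SMB_REQ_RECEIVED)
                                           : !list_empty(&req->rq_queue);
    if (still_queued) {
        if (list_del_init(&req->rq_queue) < 0)
            req->faults++;                       /* walked into list_del() poison */
        smb_rput(req);                           /* drops the queue's reference */
    }
    if (req->freed)
        req->faults++;                           /* this store would land in freed slab */
    req->rq_errno = -512;                        /* -ERESTARTSYS */
}

/* Runs one scenario and returns how many bad accesses it produced; 0 is the safe outcome. */
static int run_scenario(enum check how, int flushed, int use_plain_list_del)
{
    struct list_head xmitq;
    struct smb_request req = { .rq_count = 2 };  /* one ref for the caller, one for the queue */
    INIT_LIST_HEAD(&xmitq);
    INIT_LIST_HEAD(&req.rq_queue);
    list_add_tail(&req.rq_queue, &xmitq);
    if (flushed)
        flush_queue(&xmitq, use_plain_list_del); /* link error: smbiod releases the request */
    timeout_path(&req, how);                     /* caller wakes up on timeout or signal */
    smb_rput(&req);                              /* caller drops its own reference */
    return req.faults;
}

int main(void)
{
    printf("old flag test, request already flushed:     %d bad accesses\n", run_scenario(CHECK_FLAG, 1, 0));
    printf("new list test, request already flushed:     %d bad accesses\n", run_scenario(CHECK_LIST, 1, 0));
    printf("new list test, flush used plain list_del(): %d bad accesses\n", run_scenario(CHECK_LIST, 1, 1));
    return 0;
}
```

The first scenario reproduces the report: the flag test sees SMB_REQ_RECEIVED clear, drops the queue's reference a second time, and the rq_errno store and the caller's own put both hit a released object, which is what the slab dump (rq_errno = 0xfffffe00 in otherwise poisoned memory) showed. The second scenario is the patched check and produces no bad access. The third shows the caveat the fix carries: once any dequeue path uses plain list_del(), list_empty() can no longer tell "removed" from "queued" and the double put comes back.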