q3k
/
linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux/fs
History
Jan Niehusmann 48564e628b [PATCH] smbfs: Fix slab corruption in samba error path 
Yesterday, I got the following error with 2.6.16.13 during a file copy from
a smb filesystem over a wireless link.  I guess there was some error on the
wireless link, which in turn caused an error condition for the smb
filesystem.

In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
shows up in the slab dumps, and also is -ERESTARTSYS.  Error code 27499
corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
set after freeing the slab.

In smb_add_request (which is the only place in smbfs where I found
ERESTARTSYS), I found the following:

        if (!timeleft || signal_pending(current)) {
                /*
                 * On timeout or on interrupt we want to try and remove the
                 * request from the recvq/xmitq.
                 */
                smb_lock_server(server);
                if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
                        list_del_init(&req->rq_queue);
                        smb_rput(req);
                }
                smb_unlock_server(server);
        }
	[...]
        if (signal_pending(current))
                req->rq_errno = -ERESTARTSYS;

I guess that some codepath like smbiod_flush() caused the request to be
removed from the queue, and smb_rput(req) be called, without
SMB_REQ_RECEIVED being set.  This violates an asumption made by the quoted
code.

Then, the above code calls smb_rput(req) again, the req gets freed, and
req->rq_errno = -ERESTARTSYS writes into the already freed slab.  As
list_del_init doesn't cause an error if called multiple times, that does
cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).

If this observation is correct, the following patch should fix it.

I wonder why the smb code uses list_del_init everywhere - using list_del
instead would catch such situations by poisoning the next and prev
pointers.

May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected.  Restarting.
May  4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected.  Restarting.
May  4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
May  4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
May  4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
May  4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May  4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
May  4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
May  4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
May  4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May  4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May  4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May  4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected.  Restarting.
May  4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected.  Restarting.
May  4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
May  4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
May  4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May  4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
May  4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
May  4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
May  4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May  4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May  4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May  4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
May  4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
May  4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May  4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
May  4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
May  4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
May  4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May  4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May  4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May  4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
May  4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
May  4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784

Signed-off-by: Jan Niehusmann <jan@gondor.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
 		2006-05-15 11:20:56 -07:00
..
9p [PATCH] 9p: handle sget() failure 2006-04-11 06:18:41 -07:00
adfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
affs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
afs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
autofs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
autofs4 [PATCH] autofs4: NFY_NONE wait race fix 2006-05-15 11:20:54 -07:00
befs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
bfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
cifs [CIFS] Fix compile error when CONFIG_CIFS_EXPERIMENTAL is undefined 2006-04-24 16:24:54 +00:00
coda [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
configfs [PATCH] Bogus NULL pointer check in fs/configfs/dir.c 2006-04-10 11:16:17 -07:00
cramfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
debugfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
devfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
devpts [PATCH] devpts: use lib/parser.c for parsing mount options 2006-03-23 07:38:17 -08:00
efs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
exportfs [PATCH] exportfs: add find_acceptable_alias helper 2006-01-18 19:20:28 -08:00
ext2 [PATCH] Introduce sys_splice() system call 2006-03-30 12:28:18 -08:00
ext3 [PATCH] ext3: multile block allocate little endian fixes 2006-05-03 20:05:41 -07:00
fat [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
freevxfs BUG_ON() Conversion in fs/freevxfs/ 2006-04-02 13:41:02 +02:00
fuse [fuse] fix race between checking and setting file->private_data 2006-04-26 10:49:16 +02:00
hfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
hfsplus BUG_ON() Conversion in fs/hfsplus/ 2006-04-01 01:14:43 +02:00
hostfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
hpfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
hppfs [PATCH] uml: __user annotations 2006-03-31 12:18:51 -08:00
hugetlbfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
isofs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
jbd [PATCH] Make address_space_operations->invalidatepage return void 2006-03-26 08:56:55 -08:00
jffs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
jffs2 BUG_ON() Conversion in fs/jffs2/ 2006-04-01 01:15:35 +02:00
jfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
lockd NFS: make 2 functions static 2006-04-19 12:43:47 -04:00
minix [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
msdos [PATCH] fat: kill reserved names 2006-03-31 12:18:55 -08:00
ncpfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
nfs NFS: remove needless check in nfs_opendir() 2006-04-19 13:06:37 -04:00
nfs_common
nfsd [PATCH] knfsd: nfsd4: grant delegations more frequently 2006-04-11 06:18:53 -07:00
nls [PATCH] fs: Use ARRAY_SIZE macro 2006-03-24 07:33:19 -08:00
ntfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
ocfs2 ocfs2: Better I/O error handling in heartbeat 2006-04-07 18:03:09 -07:00
openpromfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
partitions Alternative fix for MMC oops on unmount after removal 2006-05-12 18:42:09 -07:00
proc [PATCH] Fix file lookup without ref 2006-04-19 09:13:51 -07:00
qnx4 [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
ramfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
reiserfs [PATCH] Fix reiserfs deadlock 2006-04-22 09:19:53 -07:00
romfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
smbfs [PATCH] smbfs: Fix slab corruption in samba error path 2006-05-15 11:20:56 -07:00
sysfs [PATCH] sysfs: Allow sysfs attribute files to be pollable 2006-04-14 11:41:24 -07:00
sysv BUG_ON() Conversion in fs/sysv/ 2006-04-02 13:39:21 +02:00
udf BUG_ON() Conversion in fs/udf/ 2006-04-02 13:40:13 +02:00
ufs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
vfat [PATCH] fat: kill reserved names 2006-03-31 12:18:55 -08:00
xfs [XFS] Fix a possible metadata buffer (AGFL) refcount leak when fixing an 2006-05-08 19:51:58 +10:00
Kconfig [PATCH] hugetlbfs: add Kconfig help text 2006-04-19 09:13:50 -07:00
Kconfig.binfmt [PATCH] frv: suppress configuration of certain features for FRV 2006-01-08 20:13:36 -08:00
Makefile [PATCH] sys_sync_file_range() 2006-03-31 12:18:54 -08:00
aio.c [PATCH] use kzalloc and kcalloc in core fs code 2006-03-25 08:23:00 -08:00
attr.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
bad_inode.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
binfmt_aout.c [PATCH] dump_thread() cleanup 2006-01-10 08:01:25 -08:00
binfmt_elf.c [PATCH] x86_64: Increase the variability of the process stack on 64bit architectures 2006-03-25 09:10:52 -08:00
binfmt_elf_fdpic.c BUG_ON() Conversion in fs/binfmt_elf_fdpic.c 2006-03-24 18:38:48 +01:00
binfmt_em86.c
binfmt_flat.c [PATCH] flat binary loader doesn't check fd table full 2006-03-25 08:23:01 -08:00
binfmt_misc.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
binfmt_script.c
binfmt_som.c
bio.c [PATCH] mempool: use mempool_create_slab_pool() 2006-03-26 08:57:00 -08:00
block_dev.c [PATCH] Add ->splice_read/splice_write to def_blk_fops 2006-05-01 19:59:32 +02:00
buffer.c [PATCH] for_each_online_pgdat: renaming for_each_pgdat 2006-03-27 08:44:48 -08:00
char_dev.c [PATCH] Simplify proc/devices and fix early termination regression 2006-03-31 12:18:53 -08:00
compat.c [PATCH] compat_sys_vmsplice: one-off in UIO_MAXIOV check 2006-05-04 09:13:49 +02:00
compat_ioctl.c [PATCH] fs: Use ARRAY_SIZE macro 2006-03-24 07:33:19 -08:00
dcache.c [PATCH] dcache: Add helper d_hash_and_lookup 2006-03-31 12:19:00 -08:00
dcookies.c [PATCH] Use __read_mostly on some hot fs variables 2006-03-26 08:56:56 -08:00
direct-io.c BUG_ON() Conversion in fs/direct-io.c 2006-04-01 01:10:13 +02:00
dnotify.c [PATCH] Use __read_mostly on some hot fs variables 2006-03-26 08:56:56 -08:00
dquot.c BUG_ON() Conversion in fs/dquot.c 2006-04-02 13:36:13 +02:00
drop_caches.c [PATCH] drop-pagecache 2006-01-08 20:12:40 -08:00
eventpoll.c [PATCH] uniform POLLRDHUP handling between epoll and poll/select 2006-04-11 06:18:42 -07:00
exec.c [PATCH] task: Make task list manipulations RCU safe 2006-04-19 09:13:49 -07:00
fcntl.c BUG_ON() Conversion in fs/fcntl.c 2006-04-02 13:37:19 +02:00
fifo.c [PATCH] pipe.c/fifo.c code cleanups 2006-04-11 13:53:33 +02:00
file.c [PATCH] for_each_possible_cpu: fixes for generic part 2006-03-28 09:16:05 -08:00
file_table.c [PATCH] get_empty_filp tweaks, inline epoll_init_file() 2006-03-23 07:38:17 -08:00
filesystems.c
fs-writeback.c [PATCH] Move cond_resched() after iput() in sync_sb_inodes() 2006-03-25 08:22:56 -08:00
inode.c BUG_ON() Conversion in fs/inode.c 2006-04-02 13:38:18 +02:00
inotify.c [PATCH] inotify: check for NULL inode in inotify_d_instantiate 2006-04-11 06:18:45 -07:00
ioctl.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
ioprio.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
libfs.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
locks.c [PATCH] fs/locks.c: Fix lease_init 2006-05-08 08:07:17 -07:00
mbcache.c [PATCH] Typo fixes 2006-03-28 09:16:08 -08:00
mpage.c [PATCH] map multiple blocks for mpage_readpages() 2006-03-26 08:57:01 -08:00
namei.c [PATCH] fs/namei.c: make lookup_hash() static 2006-03-31 12:19:01 -08:00
namespace.c [PATCH] vfs: propagate mnt_flags into do_loopback/vfsmount 2006-04-11 06:18:41 -07:00
nfsctl.c [PATCH] fs: Use ARRAY_SIZE macro 2006-03-24 07:33:19 -08:00
open.c [PATCH] fs/open.c: unexport sys_openat 2006-05-15 11:20:54 -07:00
pipe.c [PATCH] vmsplice: restrict stealing a little more 2006-05-02 15:29:57 +02:00
pnode.c [PATCH] s/;;/;/g 2006-03-24 07:33:24 -08:00
pnode.h
posix_acl.c
quota.c [PATCH] sem2mutex: quota 2006-03-23 07:38:11 -08:00
quota_v1.c
quota_v2.c [PATCH] sem2mutex: quota 2006-03-23 07:38:11 -08:00
read_write.c [PATCH] splice: unlikely() optimizations 2006-04-11 13:56:09 +02:00
readdir.c [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
select.c [PATCH] select: don't overflow if (SELECT_STACK_ALLOC % sizeof(long) != 0) 2006-04-11 06:18:41 -07:00
seq_file.c [PATCH] sem2mutex: fs/seq_file.c 2006-03-23 07:38:12 -08:00
splice.c [PATCH] splice: redo page lookup if add_to_page_cache() returns -EEXIST 2006-05-04 06:55:12 +02:00
stat.c [PATCH] powerpc: Wire up *at syscalls 2006-04-28 21:04:59 +10:00
super.c [PATCH] sem2mutex: fs/ 2006-03-26 08:56:55 -08:00
sync.c [PATCH] sync_file_range(): use unsigned for flags 2006-04-11 06:18:40 -07:00
xattr.c [PATCH] Collect more inode information during syscall processing. 2006-03-20 14:08:53 -05:00
xattr_acl.c