Red Hat Bugzilla – Attachment 151109 Details for Bug 234300: smbfs slab corruption
[patch] patch from mainstream, fixes smbfs slab corruption
diff-smbfs-reqreceived-20070328 (text/plain), 8.28 KB, created by Vasily Averin on 2007-03-28 11:23:42 UTC
>From: Jan Niehusmann <jan@gondor.com>
>Date: Mon, 15 May 2006 16:44:12 +0000 (-0700)
>Subject: [PATCH] smbfs: Fix slab corruption in samba error path
>X-Git-Tag: v2.6.17-rc5~141
>X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=48564e628bd7662d7a0b3ac81c41cd0e4cc36dae
>
>[PATCH] smbfs: Fix slab corruption in samba error path
>
>Yesterday, I got the following error with 2.6.16.13 during a file copy from
>a smb filesystem over a wireless link. I guess there was some error on the
>wireless link, which in turn caused an error condition for the smb
>filesystem.
>
>In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
>shows up in the slab dumps, and also is -ERESTARTSYS. Error code 27499
>corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
>set after freeing the slab.
>
>In smb_add_request (which is the only place in smbfs where I found
>ERESTARTSYS), I found the following:
>
>        if (!timeleft || signal_pending(current)) {
>                /*
>                 * On timeout or on interrupt we want to try and remove the
>                 * request from the recvq/xmitq.
>                 */
>                smb_lock_server(server);
>                if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
>                        list_del_init(&req->rq_queue);
>                        smb_rput(req);
>                }
>                smb_unlock_server(server);
>        }
>        [...]
>        if (signal_pending(current))
>                req->rq_errno = -ERESTARTSYS;
>
>I guess that some codepath like smbiod_flush() caused the request to be
>removed from the queue, and smb_rput(req) be called, without
>SMB_REQ_RECEIVED being set. This violates an assumption made by the quoted
>code.
>
>Then, the above code calls smb_rput(req) again, the req gets freed, and
>req->rq_errno = -ERESTARTSYS writes into the already freed slab. As
>list_del_init doesn't cause an error if called multiple times, that does
>cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
>
>If this observation is correct, the following patch should fix it.
>
>I wonder why the smb code uses list_del_init everywhere - using list_del
>instead would catch such situations by poisoning the next and prev
>pointers.
>
>May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected. Restarting.
>May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
>May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected. Restarting.
>May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
>May 4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
>May 4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
>May 4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
>May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
>May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
>May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
>May 4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
>May 4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
>May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
>May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
>May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
>May 4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
>May 4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
>May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected. Restarting.
>May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
>May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected. Restarting.
>May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
>May 4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
>May 4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
>May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
>May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
>May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
>May 4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
>May 4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
>May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
>May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
>May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
>May 4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
>May 4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
>May 4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
>May 4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
>May 4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
>May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
>May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
>May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
>May 4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
>May 4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
>May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
>May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30) >May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b >May 4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b >May 4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5) >May 4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784 >May 4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784 > >Signed-off-by: Jan Niehusmann <jan@gondor.com> >Cc: <stable@kernel.org> >Signed-off-by: Andrew Morton <akpm@osdl.org> >Signed-off-by: Linus Torvalds <torvalds@osdl.org> >--- > >diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c >index c71c375..c71dd27 100644 >--- a/fs/smbfs/request.c >+++ b/fs/smbfs/request.c >@@ -339,9 +339,11 @@ int smb_add_request(struct smb_request *req) > /* > * On timeout or on interrupt we want to try and remove the > * request from the recvq/xmitq. >+ * First check if the request is still part of a queue. (May >+ * have been removed by some error condition) > */ > smb_lock_server(server); >- if (!(req->rq_flags & SMB_REQ_RECEIVED)) { >+ if (!list_empty(&req->rq_queue)) { > list_del_init(&req->rq_queue); > smb_rput(req); > }
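Review bot: the new `!list_empty(&req->rq_queue)` test in smb_add_request() is only a reliable "still queued" indicator if every other path that takes a request off the recvq/xmitq uses list_del_init(), so that the node ends up self-linked; the added comment says the request "may have been removed by some error condition" but does not state that dependency. Suggest spelling it out in the comment, since the commit message itself floats switching smbfs to list_del(), which would leave poisoned pointers and make list_empty() return false here. It is also worth confirming that dropping the SMB_REQ_RECEIVED test is safe, i.e. that a request is always unlinked before that flag is set; otherwise this branch now drops a reference the old code kept.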
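The double put described in the commit message, as an added userspace model in C; this is not code from the patch or from smbfs. The struct layout, the `REQ_RECEIVED` name, the starting reference count of 2 (caller plus queue) and the `freed` flag that stands in for a real free are assumptions made for illustration.

```c
#include <stdbool.h>

/* Minimal userspace stand-ins for the kernel list helpers. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    INIT_LIST_HEAD(e);              /* self-linked, so a second call is harmless */
}

#define REQ_RECEIVED 0x1            /* models SMB_REQ_RECEIVED (assumed value) */
struct req { struct list_head queue; int refs; int flags; bool freed; };

/* Models smb_rput(): drop one reference; at zero only mark the object freed. */
static void rput(struct req *r) { if (--r->refs == 0) r->freed = true; }

/* Returns true if the caller's later rq_errno store would hit a freed request. */
static bool timeout_path(bool use_list_empty_check) {
    struct list_head recvq;
    struct req r = { .refs = 2 };   /* assumed: one ref for caller, one for queue */
    INIT_LIST_HEAD(&recvq); INIT_LIST_HEAD(&r.queue);
    list_add(&r.queue, &recvq);

    /* Error path (e.g. a flush) dequeues and puts without setting REQ_RECEIVED. */
    list_del_init(&r.queue);
    rput(&r);

    /* Timeout/interrupt handling in the submitting task. */
    bool still_queued = use_list_empty_check ? !list_empty(&r.queue)
                                             : !(r.flags & REQ_RECEIVED);
    if (still_queued) {
        list_del_init(&r.queue);    /* silently succeeds a second time */
        rput(&r);                   /* second put for the same queue reference */
    }
    return r.freed;                 /* caller still intends to write rq_errno */
}

int main(void) {
    /* Exit 0 when the flag check frees early and the list_empty check does not. */
    return (timeout_path(false) && !timeout_path(true)) ? 0 : 1;
}
```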