CVE-2024-46796

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix double put of @cfile in smb2_set_path_size()<br /> <br /> If smb2_compound_op() is called with a valid @cfile and returned<br /> -EINVAL, we need to call cifs_get_writable_path() before retrying it<br /> as the reference of @cfile was already dropped by previous call.<br /> <br /> This fixes the following KASAN splat when running fstests generic/013<br /> against Windows Server 2022:<br /> <br /> CIFS: Attempting to mount //w22-fs0/scratch<br /> run fstests generic/013 at 2024-09-02 19:48:59<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200<br /> Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176<br /> <br /> CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40<br /> 04/01/2014<br /> Workqueue: cifsoplockd cifs_oplock_break [cifs]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x5d/0x80<br /> ? detach_if_pending+0xab/0x200<br /> print_report+0x156/0x4d9<br /> ? detach_if_pending+0xab/0x200<br /> ? __virt_addr_valid+0x145/0x300<br /> ? __phys_addr+0x46/0x90<br /> ? detach_if_pending+0xab/0x200<br /> kasan_report+0xda/0x110<br /> ? detach_if_pending+0xab/0x200<br /> detach_if_pending+0xab/0x200<br /> timer_delete+0x96/0xe0<br /> ? __pfx_timer_delete+0x10/0x10<br /> ? rcu_is_watching+0x20/0x50<br /> try_to_grab_pending+0x46/0x3b0<br /> __cancel_work+0x89/0x1b0<br /> ? __pfx___cancel_work+0x10/0x10<br /> ? kasan_save_track+0x14/0x30<br /> cifs_close_deferred_file+0x110/0x2c0 [cifs]<br /> ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]<br /> ? __pfx_down_read+0x10/0x10<br /> cifs_oplock_break+0x4c1/0xa50 [cifs]<br /> ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]<br /> ? lock_is_held_type+0x85/0xf0<br /> ? mark_held_locks+0x1a/0x90<br /> process_one_work+0x4c6/0x9f0<br /> ? find_held_lock+0x8a/0xa0<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? lock_acquired+0x220/0x550<br /> ? __list_add_valid_or_report+0x37/0x100<br /> worker_thread+0x2e4/0x570<br /> ? __kthread_parkme+0xd1/0xf0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x17f/0x1c0<br /> ? kthread+0xda/0x1c0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x31/0x60<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Allocated by task 1118:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0xaa/0xb0<br /> cifs_new_fileinfo+0xc8/0x9d0 [cifs]<br /> cifs_atomic_open+0x467/0x770 [cifs]<br /> lookup_open.isra.0+0x665/0x8b0<br /> path_openat+0x4c3/0x1380<br /> do_filp_open+0x167/0x270<br /> do_sys_openat2+0x129/0x160<br /> __x64_sys_creat+0xad/0xe0<br /> do_syscall_64+0xbb/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 83:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x70<br /> poison_slab_object+0xe9/0x160<br /> __kasan_slab_free+0x32/0x50<br /> kfree+0xf2/0x300<br /> process_one_work+0x4c6/0x9f0<br /> worker_thread+0x2e4/0x570<br /> kthread+0x17f/0x1c0<br /> ret_from_fork+0x31/0x60<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Last potentially related work creation:<br /> kasan_save_stack+0x30/0x50<br /> __kasan_record_aux_stack+0xad/0xc0<br /> insert_work+0x29/0xe0<br /> __queue_work+0x5ea/0x760<br /> queue_work_on+0x6d/0x90<br /> _cifsFileInfo_put+0x3f6/0x770 [cifs]<br /> smb2_compound_op+0x911/0x3940 [cifs]<br /> smb2_set_path_size+0x228/0x270 [cifs]<br /> cifs_set_file_size+0x197/0x460 [cifs]<br /> cifs_setattr+0xd9c/0x14b0 [cifs]<br /> notify_change+0x4e3/0x740<br /> do_truncate+0xfa/0x180<br /> vfs_truncate+0x195/0x200<br /> __x64_sys_truncate+0x109/0x150<br /> do_syscall_64+0xbb/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f