In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called with avalid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3UID: 0PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 +ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ?detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ?detach_if_pending+0xab/0x200 ?__virt_addr_valid+0x145/0x300 ?__phys_addr+0x46/0x90 ?detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ?detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ?__pfx_timer_delete+0x10/0x10 ?rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ?__pfx___cancel_work+0x10/0x10 ?kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ?__pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ?__pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ?__pfx_cifs_oplock_break+0x10/0x10 [cifs] ?lock_is_held_type+0x85/0xf0 ?mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ?find_held_lock+0x8a/0xa0 ?__pfx_process_one_work+0x10/0x10 ?lock_acquired+0x220/0x550 ?__list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ?__kthread_parkme+0xd1/0xf0 ?__pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ?kthread+0xda/0x1c0 ?__pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ?__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
In the Linux kernel, the following vulnerability has been resolved:smb: client: fix double put of @cfile in smb2_set_path_size()If smb2_compound_op() is called witha valid @cfile and returned-EINVAL, we need to call cifs_get_writable_path() before retrying itas the reference of @cfile was already dropped by previous call.This fixes the following KASAN splat when running fstests generic/013against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU:3 UID:0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35+ ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9? detach_if_pending+0xab/0x200? __virt_addr_valid+0x145/0x300? __phys_addr+0x46/0x90? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0? __pfx_timer_delete+0x10/0x10? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0? __pfx___cancel_work+0x10/0x10? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs]? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs]? __pfx_cifs_oplock_break+0x10/0x10 [cifs]? lock_is_held_type+0x85/0xf0? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0? find_held_lock+0x8a/0xa0? __pfx_process_one_work+0x10/0x10? lock_acquired+0x220/0x550? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570? __kthread_parkme+0xd1/0xf0? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0? kthread+0xda/0x1c0? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe Linux kernel CVE team has assigned CVE-2024-46796 to this issue.
