In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS ina non-root netns 2. drop packets fromthe netns 3. destroy the netns 4.unmount CIFSWe can reproduce the issuequickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket isTCP, itishard to guarantee the netns lifetimewithoutholding refcnt due to async timers.Let s hold netns refcnt for each socketas donefor SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note thatweneedto move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethecode is not underRCU and there isa small chance that the sameaddress happened to be reallocated toanother netns.[0]:CIFS: VFS: XXXXXXXXXXXhas not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel pagingrequestatvirtualaddress 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA =0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abortinfo: ISV = 0, ISS= 0x00000004 CM = 0, WnR= 0[14de99e461f84a07] address between user and kernel addressrangesInternal error: Oops:0000000096000004 [#1]SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4cifs_md4dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4xt_comment nft_compat nf_tables nfnetlink overlay nls_asciinls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in anon-root netns2.drop packets from thenetns3. destroy the netns4. unmountCIFSWe can reproduce the issue quicklywith the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, itis hardtoguarantee the netns lifetimewithout holdingrefcnt due to async timers.Let s hold netns refcnt for each socket as donefor SMCin commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we needtomoveput_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code isnot under RCU andthere is a smallchance that the sameaddress happened to be reallocated toanothernetns.[0]:CIFS: VFS: XXXXXXXXXXX has notresponded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging requestat virtualaddress14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25:DABT (current EL), IL = 32 bitsSET = 0, FnV= 0EA = 0, S1PTW =0FSC= 0x04: level0 translation faultData abort info:ISV = 0, ISS= 0x00000004CM = 0,WnR = 0[14de99e461f84a07]address between user and kernel address rangesInternal error:Oops: 0000000096000004 [#1]SMPModules linked in:cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolvertcp_diaginet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compatnf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfatfat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in a non-root netns2. drop packets from the netns3. destroy the netns4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x04: level 0 translation faultData abort info:ISV = 0, ISS = 0x00000004CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in a non-root netns2. drop packets from the netns3. destroy the netns4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x04: level 0 translation faultData abort info:ISV = 0, ISS = 0x00000004CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in a non-root netns2. drop packets from the netns3. destroy the netns4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x04: level 0 translation faultData abort info:ISV = 0, ISS = 0x00000004CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in a non-root netns2. drop packets from the netns3. destroy the netns4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x04: level 0 translation faultData abort info:ISV = 0, ISS = 0x00000004CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in anon-root netns2.drop packets from thenetns3. destroy the netns4. unmountCIFSWe can reproduce the issue quicklywith the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, itis hardtoguarantee the netns lifetimewithout holdingrefcnt due to async timers.Let s hold netns refcnt for each socket as donefor SMCin commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we needtomoveput_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code isnot under RCU andthere is a smallchance that the sameaddress happened to be reallocated toanothernetns.[0]:CIFS: VFS: XXXXXXXXXXX has notresponded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging requestat virtualaddress14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25:DABT (current EL), IL = 32 bitsSET = 0, FnV= 0EA = 0, S1PTW =0FSC= 0x04: level0 translation faultData abort info:ISV = 0, ISS= 0x00000004CM = 0,WnR = 0[14de99e461f84a07]address between user and kernel address rangesInternal error:Oops: 0000000096000004 [#1]SMPModules linked in:cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolvertcp_diaginet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compatnf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfatfat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS ina non-root netns 2. drop packets fromthe netns 3. destroy the netns 4.unmount CIFSWe can reproduce the issuequickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket isTCP, itishard to guarantee the netns lifetimewithoutholding refcnt due to async timers.Let s hold netns refcnt for each socketas donefor SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note thatweneedto move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethecode is not underRCU and there isa small chance that the sameaddress happened to be reallocated toanother netns.[0]:CIFS: VFS: XXXXXXXXXXXhas not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel pagingrequestatvirtualaddress 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA =0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abortinfo: ISV = 0, ISS= 0x00000004 CM = 0, WnR= 0[14de99e461f84a07] address between user and kernel addressrangesInternal error: Oops:0000000096000004 [#1]SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4cifs_md4dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4xt_comment nft_compat nf_tables nfnetlink overlay nls_asciinls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS ina non-root netns 2. drop packets fromthe netns 3. destroy the netns 4.unmount CIFSWe can reproduce the issuequickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket isTCP, itishard to guarantee the netns lifetimewithoutholding refcnt due to async timers.Let s hold netns refcnt for each socketas donefor SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note thatweneedto move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethecode is not underRCU and there isa small chance that the sameaddress happened to be reallocated toanother netns.[0]:CIFS: VFS: XXXXXXXXXXXhas not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel pagingrequestatvirtualaddress 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA =0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abortinfo: ISV = 0, ISS= 0x00000004 CM = 0, WnR= 0[14de99e461f84a07] address between user and kernel addressrangesInternal error: Oops:0000000096000004 [#1]SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4cifs_md4dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4xt_comment nft_compat nf_tables nfnetlink overlay nls_asciinls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in anon-root netns2.drop packets from thenetns3. destroy the netns4. unmountCIFSWe can reproduce the issue quicklywith the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, itis hardtoguarantee the netns lifetimewithout holdingrefcnt due to async timers.Let s hold netns refcnt for each socket as donefor SMCin commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we needtomoveput_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code isnot under RCU andthere is a smallchance that the sameaddress happened to be reallocated toanothernetns.[0]:CIFS: VFS: XXXXXXXXXXX has notresponded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging requestat virtualaddress14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25:DABT (current EL), IL = 32 bitsSET = 0, FnV= 0EA = 0, S1PTW =0FSC= 0x04: level0 translation faultData abort info:ISV = 0, ISS= 0x00000004CM = 0,WnR = 0[14de99e461f84a07]address between user and kernel address rangesInternal error:Oops: 0000000096000004 [#1]SMPModules linked in:cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolvertcp_diaginet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compatnf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfatfat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in a non-root netns2. drop packets from the netns3. destroy the netns4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x04: level 0 translation faultData abort info:ISV = 0, ISS = 0x00000004CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in a non-root netns2. drop packets from the netns3. destroy the netns4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x04: level 0 translation faultData abort info:ISV = 0, ISS = 0x00000004CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly:1. mount CIFS in anon-root netns2.drop packets from thenetns3. destroy the netns4. unmountCIFSWe can reproduce the issue quicklywith the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, itis hardtoguarantee the netns lifetimewithout holdingrefcnt due to async timers.Let s hold netns refcnt for each socket as donefor SMCin commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we needtomoveput_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code isnot under RCU andthere is a smallchance that the sameaddress happened to be reallocated toanothernetns.[0]:CIFS: VFS: XXXXXXXXXXX has notresponded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging requestat virtualaddress14de99e461f84a07Mem abort info:ESR = 0x0000000096000004EC = 0x25:DABT (current EL), IL = 32 bitsSET = 0, FnV= 0EA = 0, S1PTW =0FSC= 0x04: level0 translation faultData abort info:ISV = 0, ISS= 0x00000004CM = 0,WnR = 0[14de99e461f84a07]address between user and kernel address rangesInternal error:Oops: 0000000096000004 [#1]SMPModules linked in:cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolvertcp_diaginet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compatnf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfatfat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace:fib_rules_lookup+0x44/0x238__fib_lookup+0x64/0xbcip_route_output_key_hash_rcu+0x2c4/0x398ip_route_output_key_hash+0x60/0x8ctcp_v4_connect+0x290/0x488__inet_stream_connect+0x108/0x3d0inet_stream_connect+0x50/0x78kernel_connect+0x6c/0xacgeneric_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS ina non-root netns 2. drop packets fromthe netns 3. destroy the netns 4.unmount CIFSWe can reproduce the issuequickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket isTCP, itishard to guarantee the netns lifetimewithoutholding refcnt due to async timers.Let s hold netns refcnt for each socketas donefor SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note thatweneedto move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethecode is not underRCU and there isa small chance that the sameaddress happened to be reallocated toanother netns.[0]:CIFS: VFS: XXXXXXXXXXXhas not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel pagingrequestatvirtualaddress 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA =0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abortinfo: ISV = 0, ISS= 0x00000004 CM = 0, WnR= 0[14de99e461f84a07] address between user and kernel addressrangesInternal error: Oops:0000000096000004 [#1]SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4cifs_md4dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4xt_comment nft_compat nf_tables nfnetlink overlay nls_asciinls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix use-after-free of network namespace.Recently, we got a customer report that CIFS triggers oops whilereconnecting to a server. [0]The workload runs on Kubernetes, and some pods mount CIFS serversin non-root network namespaces. The problem rarely happened, butit was always while the pod was dying.The root cause is wrong reference counting for network namespace.CIFS uses kernel sockets, which do not hold refcnt of the netns thatthe socket belongs to. That means CIFS must ensure the socket isalways freed before its netns; otherwise, use-after-free happens.The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFSWe can reproduce the issue quickly with the script [1] below and seethe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.When the socket is TCP, it is hard to guarantee the netns lifetimewithout holding refcnt due to async timers.Let s hold netns refcnt for each socket as done for SMC in commit9744d2bf1976 ( smc: Fix use-after-free in tcp_write_timer_handler(). ).Note that we need to move put_net() from cifs_put_tcp_session() toclean_demultiplex_info(); otherwise, __sock_create() still could touch afreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().Also, maybe_get_net() cannot be put just before __sock_create() becausethe code is not under RCU and there is a small chance that the sameaddress happened to be reallocated to another netns.[0]:CIFS: VFS: XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...CIFS: Serverclose failed 4 times, giving upUnable to handle kernel paging request at virtual address 14de99e461f84a07Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0[14de99e461f84a07] address between user and kernel address rangesInternal error: Oops: 0000000096000004 [#1] SMPModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfsCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : fib_rules_lookup+0x44/0x238lr : __fib_lookup+0x64/0xbcsp : ffff8000265db790x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne---truncated---
