
Bug#973613: cifs-utils: CIFS kernel module crash



Control: tags -1 + moreinfo
Control: severity - 1 important

Hi,

On Mon, Nov 02, 2020 at 09:30:56AM -0500, Koutheir Attouchi wrote:
> Package: cifs-utils
> Version: 2:6.9-1
> Severity: critical
> Justification: breaks unrelated software
> X-Debbugs-Cc: koutheir@gmail.com
> 
> Dear Maintainer,
> 
> Attempting to mount a CIFS share crashes the CIFS module, and makes the system
> unstable.
> 
> Here is the mounting command:
> $ sudo mount -v -t cifs -o
> nodfs,_netdev,sec=ntlmssp,user,rw,nounix,iocharset=utf8,file_mode=0777,dir_mode=0777,credentials=<somewhere>/credentials.conf
> //10.10.1.22/shares <mount-point-path>
> 
> $ sudo dmesg
> ...
> [  211.588679] CIFS: Attempting to mount //10.10.1.22/shares
> [  211.588710] CIFS: No dialect specified on mount. Default has changed to a
> more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). To use
> the less secure SMB1 dialect to access old servers which do not support
> SMB3.1.1 (or even SMB3 or SMB2.1) specify vers=1.0 on mount.
> [  213.409379] CIFS: VFS: \\10.10.1.22\IPC$ DFS capability contradicts DFS flag
> [  213.614168] CIFS: VFS: \\10.10.1.22\IPC$ validate protocol negotiate failed:
> -9
> [  213.614177] CIFS: VFS: \\10.10.1.22 failed to connect to IPC (rc=-5)
> [  213.818979] CIFS: VFS: \\10.10.1.22\shares DFS capability contradicts DFS
> flag
> [  214.024488] CIFS: VFS: \\10.10.1.22\shares Server does not support validate
> negotiate
> [  216.072372] BUG: kernel NULL pointer dereference, address: 00000000000007a0
> [  216.072380] #PF: supervisor read access in kernel mode
> [  216.072383] #PF: error_code(0x0000) - not-present page
> [  216.072386] PGD 0 P4D 0
> [  216.072392] Oops: 0000 [#1] SMP PTI
> [  216.072399] CPU: 0 PID: 3551 Comm: mount.cifs Tainted: G           OE
> 5.9.0-1-amd64 #1 Debian 5.9.1-1
> [  216.072402] Hardware name: LENOVO 20BE00CQGE/20BE00CQGE, BIOS GMET90WW (2.38
> ) 04/13/2020
> [  216.072460] RIP: 0010:cifs_mount+0x23b/0xcf0 [cifs]
> [  216.072466] Code: 85 ff 74 42 48 c7 c7 e8 10 9a c1 e8 ef 14 b8 ea 41 83 47
> 50 01 48 89 ef e8 f2 0a 02 00 49 8b 4f 20 48 c7 c7 e8 10 9a c1 89 c2 <0f> b6 81
> a0 07 00 00 83 e2 03 83 e0 fc 09 d0 88 81 a0 07 00 00 c6
> [  216.072470] RSP: 0018:ffffb4148295fd50 EFLAGS: 00010206
> [  216.072474] RAX: 0000000000000001 RBX: ffff9ff677a31400 RCX:
> 0000000000000000
> [  216.072477] RDX: 0000000000000001 RSI: 000000000000002f RDI:
> ffffffffc19a10e8
> [  216.072480] RBP: ffff9ff67777a900 R08: ffffb4148295fcd0 R09:
> ffff9ff70bb71b00
> [  216.072483] R10: ffffb4148295fd08 R11: 0000000000000000 R12:
> ffff9ff6777f7f00
> [  216.072486] R13: ffff9ff677a31400 R14: 0000000000000000 R15:
> ffff9ff79c8ed800
> [  216.072490] FS:  00007f5fddec1740(0000) GS:ffff9ff82e600000(0000)
> knlGS:0000000000000000
> [  216.072493] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  216.072496] CR2: 00000000000007a0 CR3: 000000023fedc004 CR4:
> 00000000001706f0
> [  216.072499] Call Trace:
> [  216.072516]  ? slab_pre_alloc_hook.constprop.0+0xd0/0x110
> [  216.072556]  cifs_smb3_do_mount+0xc5/0x6a0 [cifs]
> [  216.072566]  legacy_get_tree+0x27/0x40
> [  216.072574]  vfs_get_tree+0x25/0xb0
> [  216.072581]  path_mount+0x43d/0xa60
> [  216.072589]  __x64_sys_mount+0x103/0x140
> [  216.072596]  do_syscall_64+0x33/0x80
> [  216.072604]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [  216.072609] RIP: 0033:0x7f5fddfc294a
> [  216.072615] Code: 48 8b 0d 49 f5 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
> 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
> f0 ff ff 73 01 c3 48 8b 0d 16 f5 0b 00 f7 d8 64 89 01 48
> [  216.072618] RSP: 002b:00007ffd8ce9ecd8 EFLAGS: 00000206 ORIG_RAX:
> 00000000000000a5
> [  216.072622] RAX: ffffffffffffffda RBX: 00007ffd8ce9f790 RCX:
> 00007f5fddfc294a
> [  216.072625] RDX: 000055826fdf73fa RSI: 000055826fdf7441 RDI:
> 00007ffd8ce9f790
> [  216.072628] RBP: 00005582712878d0 R08: 0000558271288990 R09:
> 0000000000000000
> [  216.072631] R10: 000000000000000e R11: 0000000000000206 R12:
> 0000558271288990
> [  216.072633] R13: 0000000000000000 R14: 00007f5fde0c070e R15:
> 00007f5fde0be000
> [  216.072638] Modules linked in: md4 sha512_ssse3 sha512_generic cmac nls_utf8
> cifs dns_resolver fscache libdes tun veth xt_conntrack nf_conntrack_netlink
> xfrm_user xfrm_algo xt_addrtype br_netfilter overlay xt_CHECKSUM nft_chain_nat
> xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter
> vboxnetadp(OE) vboxnetflt(OE) xt_tcpudp nft_compat bridge stp llc vboxdrv(OE)
> nf_tables nfnetlink ctr ccm bnep snd_seq_dummy snd_hrtimer snd_seq
> snd_seq_device bbswitch(OE) binfmt_misc intel_rapl_msr intel_rapl_common btusb
> btrtl btbcm btintel x86_pkg_temp_thermal bluetooth intel_powerclamp kvm_intel
> jitterentropy_rng drbg kvm irqbypass iwlmvm ghash_clmulni_intel
> snd_hda_codec_hdmi mac80211 rapl uvcvideo snd_hda_codec_realtek aes_generic
> intel_cstate videobuf2_vmalloc libarc4 snd_hda_codec_generic videobuf2_memops
> videobuf2_v4l2 aesni_intel mei_wdt cdc_mbim videobuf2_common fuse snd_hda_intel
> cdc_wdm crypto_simd i915 iwlwifi intel_uncore videodev snd_intel_dspcfg cryptd
> snd_hda_codec
> [  216.072704]  glue_helper pcspkr serio_raw wmi_bmof snd_hda_core ansi_cprng
> cdc_ncm snd_hwdep iTCO_wdt snd_pcm intel_pmc_bxt iTCO_vendor_support
> ecdh_generic cdc_ether mc joydev evdev rmi_smbus usbnet ecc rmi_core mii at24
> libaes thinkpad_acpi sg cfg80211 drm_kms_helper watchdog cdc_acm snd_timer
> tpm_tis nvram mei_me ledtrig_audio cec snd tpm_tis_core mei soundcore
> i2c_algo_bit rfkill ac tpm rng_core button coretemp parport_pc ppdev drm lp
> sunrpc parport ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2
> crc32c_generic btrfs zstd_compress raid10 raid456 async_raid6_recov
> async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0
> multipath linear md_mod hid_generic usbhid hid sd_mod sr_mod cdrom t10_pi
> crc_t10dif crct10dif_generic ahci rtsx_pci_sdmmc libahci mmc_core libata
> xhci_pci xhci_hcd ehci_pci crct10dif_pclmul ehci_hcd crct10dif_common psmouse
> e1000e crc32_pclmul scsi_mod usbcore crc32c_intel i2c_i801 lpc_ich i2c_smbus
> ptp rtsx_pci pps_core usb_common wmi video
> [  216.072821]  battery
> [  216.072832] CR2: 00000000000007a0
> [  216.072855] ---[ end trace 9abcbe4330f8212e ]---
> [  216.072895] RIP: 0010:cifs_mount+0x23b/0xcf0 [cifs]
> [  216.072900] Code: 85 ff 74 42 48 c7 c7 e8 10 9a c1 e8 ef 14 b8 ea 41 83 47
> 50 01 48 89 ef e8 f2 0a 02 00 49 8b 4f 20 48 c7 c7 e8 10 9a c1 89 c2 <0f> b6 81
> a0 07 00 00 83 e2 03 83 e0 fc 09 d0 88 81 a0 07 00 00 c6
> [  216.072903] RSP: 0018:ffffb4148295fd50 EFLAGS: 00010206
> [  216.072907] RAX: 0000000000000001 RBX: ffff9ff677a31400 RCX:
> 0000000000000000
> [  216.072909] RDX: 0000000000000001 RSI: 000000000000002f RDI:
> ffffffffc19a10e8
> [  216.072912] RBP: ffff9ff67777a900 R08: ffffb4148295fcd0 R09:
> ffff9ff70bb71b00
> [  216.072915] R10: ffffb4148295fd08 R11: 0000000000000000 R12:
> ffff9ff6777f7f00
> [  216.072917] R13: ffff9ff677a31400 R14: 0000000000000000 R15:
> ffff9ff79c8ed800
> [  216.072921] FS:  00007f5fddec1740(0000) GS:ffff9ff82e600000(0000)
> knlGS:0000000000000000
> [  216.072924] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  216.072927] CR2: 00000000000007a0 CR3: 000000023fedc004 CR4:
> 00000000001706f0

Can you still replicate the issue with the current kernel in
testing/unstable?

If so, you seem to have OOT modules loaded and tainting the kernel;
please try to replicate the issue without those loaded. Then we can
possibly check with upstream.

Regards,
Salvatore
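
An added example, not part of the original message: a small Python triage helper that pulls the fault address, the faulting function and module, the taint flags and the modules marked out-of-tree from a mail-quoted oops like the one in this report. The names `unwrap` and `triage` are hypothetical, the sample is a shortened excerpt of the dmesg output quoted above, and the taint-letter meanings follow the kernel's tainted-kernels documentation.

```python
import re

# Subset of taint letters, per the kernel's tainted-kernels documentation.
TAINT = {"P": "proprietary module", "O": "out-of-tree module",
         "E": "unsigned module", "W": "prior warning", "D": "prior oops"}
# Constructed sample: lines excerpted from the oops quoted above (module list
# shortened), kept with the mailer's "> " quoting and line wrapping.
SAMPLE = """\
> [  216.072372] BUG: kernel NULL pointer dereference, address: 00000000000007a0
> [  216.072399] CPU: 0 PID: 3551 Comm: mount.cifs Tainted: G           OE
> 5.9.0-1-amd64 #1 Debian 5.9.1-1
> [  216.072460] RIP: 0010:cifs_mount+0x23b/0xcf0 [cifs]
> [  216.072638] Modules linked in: md4 nls_utf8 cifs dns_resolver
> vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) nf_tables bbswitch(OE) i915
"""
STAMP = re.compile(r"\[\s*\d+\.\d+\]")
ADDR = re.compile(r"dereference, address: ([0-9a-f]+)")
TAINTED = re.compile(r"Tainted: ([A-Z ]+?)\s+\d")
RIP = re.compile(r"RIP: 0010:([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]")
MODFLAG = re.compile(r"(\w+)\(([A-Z]+)\)")

def unwrap(text):
    """Drop '> ' quoting and re-join lines the mailer wrapped (no timestamp)."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def triage(text):
    """Summarise fault site, taint flags and out-of-tree modules of one oops."""
    info = {"address": None, "fault": None, "taint": {}, "oot_modules": []}
    for line in unwrap(text):
        if m := ADDR.search(line):
            info["address"] = int(m.group(1), 16)
        if m := TAINTED.search(line):
            flags = m.group(1).replace(" ", "")
            info["taint"] = {f: TAINT[f] for f in flags if f in TAINT}
        if info["fault"] is None and (m := RIP.search(line)):
            info["fault"] = (m.group(1), m.group(2))  # (function, module)
        if "Modules linked in:" in line:
            info["oot_modules"] = [n for n, f in MODFLAG.findall(line) if "O" in f]
    fault_mod = info["fault"][1] if info["fault"] else None
    info["fault_in_oot"] = fault_mod in info["oot_modules"]
    return info

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the fault site is `cifs_mount` in the in-tree `cifs` module, while four modules carry the `O` flag; those are the ones to unload before reproducing.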

