• Jeff Layton's avatar
    cifs: fix bad error handling in crypto code · ba482029
    Jeff Layton authored
    Jarod reported an Oops like when testing with fips=1:
    
    CIFS VFS: could not allocate crypto hmacmd5
    CIFS VFS: could not crypto alloc hmacmd5 rc -2
    CIFS VFS: Error -2 during NTLMSSP authentication
    CIFS VFS: Send error in SessSetup = -2
    BUG: unable to handle kernel NULL pointer dereference at 000000000000004e
    IP: [<ffffffff812b5c7a>] crypto_destroy_tfm+0x1a/0x90
    PGD 0
    Oops: 0000 [#1] SMP
    Modules linked in: md4 nls_utf8 cifs dns_resolver fscache kvm serio_raw virtio_balloon virtio_net mperf i2c_piix4 cirrus drm_kms_helper ttm drm i2c_core virtio_blk ata_generic pata_acpi
    CPU: 1 PID: 639 Comm: mount.cifs Not tainted 3.11.0-0.rc3.git0.1.fc20.x86_64 #1
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    task: ffff88007bf496e0 ti: ffff88007b080000 task.ti: ffff88007b080000
    RIP: 0010:[<ffffffff812b5c7a>]  [<ffffffff812b5c7a>] crypto_destroy_tfm+0x1a/0x90
    RSP: 0018:ffff88007b081d10  EFLAGS: 00010282
    RAX: 0000000000001f1f RBX: ffff880037422000 RCX: ffff88007b081fd8
    RDX: 000000000000001f RSI: 0000000000000006 RDI: fffffffffffffffe
    RBP: ffff88007b081d30 R08: ffff880037422000 R09: ffff88007c090100
    R10: 0000000000000000 R11: 00000000fffffffe R12: fffffffffffffffe
    R13: ffff880037422000 R14: ffff880037422000 R15: 00000000fffffffe
    FS:  00007fc322f4f780(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 000000000000004e CR3: 000000007bdaa000 CR4: 00000000000006e0
    Stack:
     ffffffff81085845 ffff880037422000 ffff8800375e7400 ffff880037422000
     ffff88007b081d48 ffffffffa0176022 ffff880037422000 ffff88007b081d60
     ffffffffa015c07b ffff880037600600 ffff88007b081dc8 ffffffffa01610e1
    Call Trace:
     [<ffffffff81085845>] ? __cancel_work_timer+0x75/0xf0
     [<ffffffffa0176022>] cifs_crypto_shash_release+0x82/0xf0 [cifs]
     [<ffffffffa015c07b>] cifs_put_tcp_session+0x8b/0xe0 [cifs]
     [<ffffffffa01610e1>] cifs_mount+0x9d1/0xad0 [cifs]
     [<ffffffffa014ff50>] cifs_do_mount+0xa0/0x4d0 [cifs]
     [<ffffffff811ab6e9>] mount_fs+0x39/0x1b0
     [<ffffffff811c466f>] vfs_kern_mount+0x5f/0xf0
     [<ffffffff811c6a9e>] do_mount+0x23e/0xa20
     [<ffffffff811c66e6>] ? copy_mount_options+0x36/0x170
     [<ffffffff811c7303>] SyS_mount+0x83/0xc0
     [<ffffffff8165c8d9>] system_call_fastpath+0x16/0x1b
    Code: eb 9e 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 48 85 ff 74 46 <48> 83 7e 48 00 48 8b 5e 50 74 4b 48 89 f7 e8 83 fc ff ff 4c 8b
    RIP  [<ffffffff812b5c7a>] crypto_destroy_tfm+0x1a/0x90
     RSP <ffff88007b081d10>
    CR2: 000000000000004e
    
    The cifs code allocates some crypto structures. If that fails, it
    returns an error, but it leaves the pointers set to their PTR_ERR
    values. Then later when it tries to clean up, it sees that those values
    are non-NULL and then passes them to the routine that frees them.
    
    Fix this by setting the pointers to NULL after collecting the error code
    in this situation.
    
    Cc: Sachin Prabhu <sprabhu@redhat.com>
    Reported-by: default avatarJarod Wilson <jarod@redhat.com>
    Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
    Signed-off-by: default avatarSteve French <smfrench@gmail.com>
    ba482029
cifsencrypt.c 21.9 KB