RHEL9: kernel panic with cifs_put_smb_ses
Issue
- What is CVE-2024-35870?
- Kernel panic with logs:
[91886.159777] CIFS: VFS: \\__DFS__\IPC$ smb2_get_dfs_refer: ioctl error: rc=-78
[91951.736761] CIFS: VFS: \\__DFS__ cifs_put_smb_ses: Session Logoff failure rc=-11
[91951.753851] CIFS: VFS: \\__DFS__ cifs_put_smb_ses: Session Logoff failure rc=-11
[91951.763567] CIFS: VFS: Null session
[91951.763680] CIFS: VFS: \\__DFS__ Send error in SessSetup = -5
[91951.763791] CIFS: VFS: unable to get chan index for server: 0x1a
[91951.763799] ------------[ cut here ]------------
[91951.764030] WARNING: CPU: 8 PID: 45588 at fs/cifs/sess.c:87 cifs_chan_clear_in_reconnect+0x6b/0x90 [cifs]
[91951.764242] Modules linked in: mgc(OE) lustre(OE) lmv(OE) mdc(OE) fid(OE) lov(OE) fld(OE) osc(OE) ptlrpc(OE) nls_utf8 cifs cifs_arc4 cifs_md4 ko2iblnd(OE) obdclass(OE) lnet(OE) rpcsec_gss_krb5 nfsv4 dns_resolver nfs lockd grace fscache libcfs(OE) netfs 8021q garp mrp stp llc bonding ipt_REJECT xt_multiport nft_compat nft_counter nft_objref nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink ipmi_ssif rpcrdma rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod vfat fat ib_iser intel_rapl_msr libiscsi intel_rapl_common scsi_transport_iscsi amd64_edac rdma_cm edac_mce_amd iw_cm ib_umad kvm_amd kvm ast i2c_algo_bit drm_shmem_helper irqbypass drm_kms_helper acpi_ipmi syscopyarea sysfillrect rapl wmi_bmof pcspkr sysimgblt ipmi_si fb_sys_fops ipmi_devintf joydev mlx5_ib k10temp ptdma
[91951.764280] i2c_piix4 ipmi_msghandler ib_uverbs acpi_cpufreq fuse drm auth_rpcgss sunrpc xfs libcrc32c raid1 sd_mod t10_pi sg mlx5_core crct10dif_pclmul crc32_pclmul ahci crc32c_intel libahci mlxfw ghash_clmulni_intel libata tls ccp psample sp5100_tco wmi pci_hyperv_intf dm_mirror dm_region_hash dm_log dm_mod ib_ipoib ib_cm ib_core
[91951.766647] CPU: 8 PID: 45588 Comm: kworker/8:0 Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.40.1.el9_2.x86_64 #1
[91951.767244] Hardware name: Supermicro AS -2014TP-HTR/H12SST-PS, BIOS 2.1 05/07/2021
[91951.767558] Workqueue: cifsiod smb2_reconnect_server [cifs]
[91951.767929] RIP: 0010:cifs_chan_clear_in_reconnect+0x6b/0x90 [cifs]
[91951.768299] Code: 00 00 fe 5b 5d c3 cc cc cc cc 48 85 db 74 1b 48 c7 c6 b0 12 ef c1 48 c7 c7 00 3a fb c1 e8 0d 2b 53 d7 85 c0 0f 85 d5 08 04 00 <0f> 0b 31 c9 48 8d 04 89 80 a4 c5 18 02 00 00 fe 5b 5d c3 cc cc cc
[91951.768952] RSP: 0018:ffffb0f4ffe07d28 EFLAGS: 00010246
[91951.769292] RAX: 0000000000000034 RBX: ffff96eda88d6800 RCX: 0000000000000027
[91951.769639] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff96ed0ee198a0
[91951.769989] RBP: ffff96eda88d1800 R08: 0000000000000000 R09: 00000000fffeffff
[91951.770348] R10: ffffb0f4ffe07bd0 R11: ffff972d8f1fdfe8 R12: ffff96eda88d6800
[91951.770712] R13: ffff96eda88d1838 R14: 00000000fffffffb R15: ffff96edc0ae2740
[91951.771096] FS: 0000000000000000(0000) GS:ffff96ed0ee00000(0000) knlGS:0000000000000000
[91951.771473] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[91951.771851] CR2: 00007efe80750000 CR3: 000000405a672006 CR4: 0000000000770ee0
[91951.772244] PKRU: 55555554
[91951.772631] Call Trace:
[91951.773026] <TASK>
[91951.773419] cifs_setup_session+0x1a1/0x350 [cifs]
[91951.773882] smb2_reconnect.part.0+0x2d1/0x5f0 [cifs]
[91951.774350] ? kmem_cache_alloc_trace+0x174/0x2f0
[91951.774760] smb2_reconnect_server+0x3b7/0x5f0 [cifs]
[91951.775237] process_one_work+0x1e5/0x3b0
[91951.775657] worker_thread+0x50/0x3a0
[91951.776088] ? rescuer_thread+0x390/0x390
[91951.776510] kthread+0xd9/0x100
[91951.776932] ? kthread_complete_and_exit+0x20/0x20
[91951.777369] ret_from_fork+0x22/0x30
[91951.777804] </TASK>
[91951.778230] ---[ end trace fcb80b793d77bcb8 ]---
[91951.778662] BUG: kernel NULL pointer dereference, address: 0000000000000000
[91951.779113] #PF: supervisor read access in kernel mode
[91951.779548] #PF: error_code(0x0000) - not-present page
[91951.779975] PGD 0 P4D 0
[91951.780399] Oops: 0000 [#1] PREEMPT SMP NOPTI
[91951.780818] CPU: 8 PID: 45588 Comm: kworker/8:0 Kdump: loaded Tainted: G W OE -------- --- 5.14.0-284.40.1.el9_2.x86_64 #1
[91951.781659] Hardware name: Supermicro AS -2014TP-HTR/H12SST-PS, BIOS 2.1 05/07/2021
[91951.782075] Workqueue: cifsiod smb2_reconnect_server [cifs]
[91951.782544] RIP: 0010:__list_del_entry_valid+0x2d/0x50
[91951.782945] Code: 4c 8b 47 08 48 b8 00 01 00 00 00 00 ad de 48 39 c2 0f 84 36 da 57 00 48 b8 22 01 00 00 00 00 ad de 49 39 c0 0f 84 56 da 57 00 <49> 8b 30 48 39 fe 0f 85 36 da 57 00 48 8b 52 08 48 39 f2 0f 85 1b
[91951.783747] RSP: 0018:ffffb0f4ffe07df8 EFLAGS: 00010217
[91951.784138] RAX: dead000000000122 RBX: ffffb0f4ffe07e38 RCX: 0000000000000000
[91951.784523] RDX: 0000000000000000 RSI: ffffffffc1381040 RDI: ffff96eda88d1810
[91951.784899] RBP: ffff970db4405800 R08: 0000000000000000 R09: 00000000fffeffff
[91951.785268] R10: ffffb0f4ffe07bd0 R11: ffff972d8f1fdfe8 R12: 0000000000000001
[91951.785630] R13: ffff96eda88d1800 R14: ffff96eda88d1810 R15: ffff96eda88d6800
[91951.785983] FS: 0000000000000000(0000) GS:ffff96ed0ee00000(0000) knlGS:0000000000000000
[91951.786340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[91951.786690] CR2: 0000000000000000 CR3: 000000405a672006 CR4: 0000000000770ee0
[91951.787044] PKRU: 55555554
[91951.787387] Call Trace:
[91951.787725] <TASK>
[91951.788055] smb2_reconnect_server+0x3ca/0x5f0 [cifs]
[91951.788442] process_one_work+0x1e5/0x3b0
[91951.788766] worker_thread+0x50/0x3a0
[91951.789090] ? rescuer_thread+0x390/0x390
[91951.789408] kthread+0xd9/0x100
[91951.789725] ? kthread_complete_and_exit+0x20/0x20
[91951.790041] ret_from_fork+0x22/0x30
[91951.790351] </TASK>
[91951.794768] CR2: 0000000000000000
Environment
- Red Hat Enterprise Linux 9
- OCP 4.13/4.14/4.15
- [cifs]
- Seen on 5.14.0-427.14.1.el9_4
- Seen on 5.14.0-362.13.1.el9_3
- Seen on 5.14.0-284.55.1.el9_2
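
A triage check for the log in the Issue section, added here as an example and not part of the Red Hat article: it tests whether a saved kernel log contains the same ordered sequence (session logoff failure, the reconnect WARNING, then the NULL dereference in __list_del_entry_valid under smb2_reconnect_server) and reports the kernel release printed in the oops. The sample lines are abridged from the log above; the function, stage and variable names are assumptions of this example.

```python
import re

# Ordered stages of the crash signature, taken from the log in this article.
STAGES = [
    ("logoff_failure", re.compile(r"cifs_put_smb_ses: Session Logoff failure")),
    ("reconnect_warning", re.compile(r"WARNING: .*cifs_chan_clear_in_reconnect\+")),
    ("null_deref", re.compile(r"BUG: kernel NULL pointer dereference")),
    ("list_del_rip", re.compile(r"RIP: \S+:__list_del_entry_valid\+")),
    ("reconnect_frame",
     re.compile(r"smb2_reconnect_server\+0x[0-9a-f]+/0x[0-9a-f]+ \[cifs\]")),
]
# Kernel release as printed on the "CPU: ... Comm: ... Tainted: ..." line.
KERNEL_RE = re.compile(r"Comm: .*\s(\d+\.\d+\.\d+-\S+)\s+#\d+")

# Constructed sample: lines abridged from the log shown above.
SAMPLE = "\n".join([
    r"[91951.736761] CIFS: VFS: \\__DFS__ cifs_put_smb_ses: Session Logoff failure rc=-11",
    "[91951.764030] WARNING: CPU: 8 PID: 45588 at fs/cifs/sess.c:87 "
    "cifs_chan_clear_in_reconnect+0x6b/0x90 [cifs]",
    "[91951.766647] CPU: 8 PID: 45588 Comm: kworker/8:0 Kdump: loaded "
    "Tainted: G OE -------- --- 5.14.0-284.40.1.el9_2.x86_64 #1",
    "[91951.775237] smb2_reconnect_server+0x3b7/0x5f0 [cifs]",
    "[91951.778662] BUG: kernel NULL pointer dereference, address: 0000000000000000",
    "[91951.782544] RIP: 0010:__list_del_entry_valid+0x2d/0x50",
    "[91951.788055] smb2_reconnect_server+0x3ca/0x5f0 [cifs]",
])


def match_signature(log_text):
    """Return the stages seen in order and the kernel release, if logged."""
    seen, kernel = [], None
    for line in log_text.splitlines():
        if kernel is None:
            m = KERNEL_RE.search(line)
            if m:
                kernel = m.group(1)
        # Only the next expected stage may match, so ordering is enforced.
        if len(seen) < len(STAGES) and STAGES[len(seen)][1].search(line):
            seen.append(STAGES[len(seen)][0])
    return {"matched": len(seen) == len(STAGES), "stages": seen, "kernel": kernel}


if __name__ == "__main__":
    print(match_signature(SAMPLE))
```

A match identifies this symptom in a log; it does not tell you whether a given kernel build carries a fix.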