Subject: use-after-free in smbfs on 2.5.69-mm5
From: Martin Josefsson
To: urban@teststation.com
Cc: linux-kernel@vger.kernel.org, samba@samba.org
Message-Id: <1053598415.15182.23.camel@tux.rsn.bth.se>
Date: 22 May 2003 12:13:35 +0200

Hi Urban

smbfs modifies some memory after free...

smb_get_length: Invalid NBT packet, code=4a
smb_add_request: request [d828617c, mid=1802201963] timed out!
Slab corruption: start=d828617c, expend=d8286287, problemat=d8286184
Last user: [](smb_free_request+0x45/0x4c [smbfs])
Data: ********6A ***********************************************************************************************************************************************************************************************************************************************************02 00 58 00 FB FF FF FF
Next: 71 F0 2C .35 2E 99 EC 71 F0 2C .********************
slab error in check_poison_obj(): cache `smb_request': object was modified after freeing
Call Trace:
[] __slab_error+0x21/0x28
[] +0x2b95/0x30e0 [smbfs]
[] check_poison_obj+0x174/0x180
[] kmem_cache_alloc+0xaf/0x150
[] smb_do_alloc_request+0x1e/0xb4 [smbfs]
[] smb_do_alloc_request+0x1e/0xb4 [smbfs]
[] smb_alloc_request+0x20/0x2c [smbfs]
[] smb_proc_open+0x3d/0xfc [smbfs]
[] smb_proc_readX+0xe5/0xf4 [smbfs]
[] smb_open+0x56/0xcc [smbfs]
[] smb_readpage_sync+0x85/0x158 [smbfs]
[] smb_readpage+0x18/0x50 [smbfs]
[] read_pages+0xa6/0x120
[] do_page_cache_readahead+0x2d7/0x324
[] page_cache_readahead+0xf7/0x12c
[] do_generic_mapping_read+0x64/0x328
[] __generic_file_aio_read+0x184/0x1a0
[] file_read_actor+0x0/0x110
[] generic_file_read+0x7f/0x9c
[] do_sync_write+0x7f/0xb0
[] rtc_wait+0x18/0x20 [rtc]
[] default_wake_function+0x17/0x1c
[] __wake_up_common+0x3a/0x54
[] rtc_wait+0x0/0x20 [rtc]
[] rtc_task_lock+0x0/0x18 [rtc]
[] kill_fasync+0x16/0x1c
[] smb_file_read+0x4e/0x5c [smbfs]
[] vfs_read+0xa2/0xd4
[] sys_read+0x30/0x50
[] syscall_call+0x7/0xb

--
/Martin
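
Added example, not part of the original message and not kernel or smbfs code: a user-space model of the poison-on-free, check-on-next-allocation scheme behind the "object was modified after freeing" report, showing how a single write through a stale pointer yields the same shape of output (first bad byte at problemat - start = 8, value 6A). Assumptions: the 0x6b fill byte is the kernel's free-poison value, and the struct, its counter field and the decrement are hypothetical; the report does not say which smbfs field or operation did the write.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b  /* assumed: byte slab debugging writes over freed objects */
#define OBJ_SIZE    268   /* expend - start + 1 from the report */

/* Hypothetical object layout: only the counter's offset (8) is chosen to
 * match problemat - start in the report; this is not struct smb_request. */
struct toy_request {
    unsigned char pad[8];
    unsigned char refcount;
    unsigned char rest[OBJ_SIZE - 9];
};

static unsigned char slot[OBJ_SIZE];  /* a cache holding exactly one object */

/* Free: overwrite the whole object with the poison byte. */
static void toy_free(void *obj) { memset(obj, POISON_FREE, OBJ_SIZE); }

/* Return the offset of the first byte that no longer holds the poison
 * value, or -1 if the freed object is untouched. */
static long first_modified(const unsigned char *obj, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (obj[i] != POISON_FREE)
            return (long)i;
    return -1;
}

/* Free an object, write to it through the stale pointer, then run the
 * check a later allocation from the same cache would perform. */
static long demo_stale_decrement(unsigned char *value_seen)
{
    struct toy_request *req = (struct toy_request *)slot;
    req->refcount = 1;
    toy_free(req);
    req->refcount--;                   /* use after free: 0x6b becomes 0x6a */
    long off = first_modified(slot, OBJ_SIZE);
    *value_seen = off >= 0 ? slot[off] : 0;
    return off;
}

int main(void)
{
    unsigned char v;
    long off = demo_stale_decrement(&v);
    printf("problem at offset %ld, byte %02X\n", off, v);
    return 0;
}
```

The check only fires when the slot is handed out again, which is why the trace in the report runs through kmem_cache_alloc on a later read rather than through the code that did the stale write; the "Last user" line is the lead for that.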