CVE-2022-48919

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix double free race when mount fails in cifs_get_root()

When cifs_get_root() fails during cifs_smb3_do_mount() we call
deactivate_locked_super() which eventually will call delayed_free() which
will free the context.
In this situation we should not proceed to enter the out: section in
cifs_smb3_do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           OE     5.17.0-rc3+ #4
[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
[Thu Feb 10 12:59:06 2022] Call Trace:
[Thu Feb 10 12:59:06 2022]  <IRQ>
[Thu Feb 10 12:59:06 2022]  dump_stack_lvl+0x5d/0x78
[Thu Feb 10 12:59:06 2022]  print_address_description.constprop.0+0x24/0x150
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  kasan_report.cold+0x7d/0x117
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  __asan_load8+0x86/0xa0
[Thu Feb 10 12:59:06 2022]  rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  rcu_core+0x547/0xca0
[Thu Feb 10 12:59:06 2022]  ? call_rcu+0x3c0/0x3c0
[Thu Feb 10 12:59:06 2022]  ? __this_cpu_preempt_check+0x13/0x20
[Thu Feb 10 12:59:06 2022]  ? lock_is_held_type+0xea/0x140
[Thu Feb 10 12:59:06 2022]  rcu_core_si+0xe/0x10
[Thu Feb 10 12:59:06 2022]  __do_softirq+0x1d4/0x67b
[Thu Feb 10 12:59:06 2022]  __irq_exit_rcu+0x100/0x150
[Thu Feb 10 12:59:06 2022]  irq_exit_rcu+0xe/0x30
[Thu Feb 10 12:59:06 2022]  sysvec_hyperv_stimer0+0x9d/0xc0
...
[Thu Feb 10 12:59:07 2022] Freed by task 58179:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  kasan_set_track+0x25/0x30
[Thu Feb 10 12:59:07 2022]  kasan_set_free_info+0x24/0x40
[Thu Feb 10 12:59:07 2022]  ____kasan_slab_free+0x137/0x170
[Thu Feb 10 12:59:07 2022]  __kasan_slab_free+0x12/0x20
[Thu Feb 10 12:59:07 2022]  slab_free_freelist_hook+0xb3/0x1d0
[Thu Feb 10 12:59:07 2022]  kfree+0xcd/0x520
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0x149/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  __kasan_record_aux_stack+0xb6/0xc0
[Thu Feb 10 12:59:07 2022]  kasan_record_aux_stack_noalloc+0xb/0x10
[Thu Feb 10 12:59:07 2022]  call_rcu+0x76/0x3c0
[Thu Feb 10 12:59:07 2022]  cifs_umount+0xce/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  cifs_kill_sb+0xc8/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  deactivate_locked_super+0x5d/0xd0
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
LinuxCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
linuxlinux_kernel
𝑥
< 4.9.305
linuxlinux_kernel
4.10 ≤
𝑥
< 4.14.270
linuxlinux_kernel
4.15 ≤
𝑥
< 4.19.233
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.183
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.104
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.27
linuxlinux_kernel
5.16 ≤
𝑥
< 5.16.13
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.226-1
fixed
bookworm
6.1.106-3
fixed
bookworm (security)
6.1.112-1
fixed
trixie
6.11.5-1
fixed
sid
6.11.6-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
linux
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-117.132
released
bionic
pending
xenial
ignored
trusty
ignored
linux-allwinner-5.19
noble
dne
jammy
ignored
focal
dne
linux-aws
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-1078.84
released
bionic
pending
xenial
ignored
trusty
ignored
linux-aws-5.0
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-aws-5.11
noble
dne
jammy
dne
focal
ignored
linux-aws-5.13
noble
dne
jammy
dne
focal
ignored
linux-aws-5.15
noble
dne
jammy
dne
focal
not-affected
linux-aws-5.19
noble
dne
jammy
ignored
focal
dne
linux-aws-5.3
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-aws-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-aws-5.8
noble
dne
jammy
dne
focal
ignored
linux-aws-6.2
noble
dne
jammy
ignored
focal
dne
linux-aws-6.5
noble
dne
jammy
ignored
focal
dne
linux-aws-fips
noble
dne
jammy
dne
focal
dne
linux-aws-hwe
noble
dne
jammy
dne
focal
dne
xenial
Fixed 4.15.0-1128.137~16.04.1
released
linux-azure
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-1083.87
released
bionic
ignored
xenial
Fixed 4.15.0-1138.151~16.04.1
released
trusty
Fixed 4.15.0-1138.151~14.04.1
released
linux-azure-4.15
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-azure-5.11
noble
dne
jammy
dne
focal
ignored
linux-azure-5.13
noble
dne
jammy
dne
focal
ignored
linux-azure-5.15
noble
dne
jammy
dne
focal
not-affected
linux-azure-5.19
noble
dne
jammy
ignored
focal
dne
linux-azure-5.3
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-azure-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-azure-5.8
noble
dne
jammy
dne
focal
ignored
linux-azure-6.2
noble
dne
jammy
ignored
focal
dne
linux-azure-6.5
noble
dne
jammy
ignored
focal
dne
linux-azure-edge
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-azure-fde
noble
dne
jammy
not-affected
focal
ignored
linux-azure-fde-5.15
noble
dne
jammy
dne
focal
not-affected
linux-azure-fde-5.19
noble
dne
jammy
ignored
focal
dne
linux-azure-fde-6.2
noble
dne
jammy
ignored
focal
dne
linux-azure-fips
noble
dne
jammy
dne
focal
dne
linux-bluefield
noble
dne
jammy
dne
focal
Fixed 5.4.0-1040.44
released
linux-fips
noble
dne
jammy
dne
focal
dne
linux-gcp
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-1078.84
released
bionic
ignored
xenial
Fixed 4.15.0-1122.136~16.04.1
released
linux-gcp-4.15
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-gcp-5.11
noble
dne
jammy
dne
focal
ignored
linux-gcp-5.13
noble
dne
jammy
dne
focal
ignored
linux-gcp-5.15
noble
dne
jammy
dne
focal
not-affected
linux-gcp-5.19
noble
dne
jammy
ignored
focal
dne
linux-gcp-5.3
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-gcp-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-gcp-5.8
noble
dne
jammy
dne
focal
ignored
linux-gcp-6.2
noble
dne
jammy
ignored
focal
dne
linux-gcp-6.5
noble
dne
jammy
ignored
focal
dne
linux-gcp-fips
noble
dne
jammy
dne
focal
dne
linux-gke
noble
not-affected
jammy
not-affected
focal
ignored
linux-gke-4.15
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-gke-5.15
noble
dne
jammy
dne
focal
ignored
linux-gke-5.4
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-gkeop
noble
dne
jammy
not-affected
focal
Fixed 5.4.0-1046.48
released
linux-gkeop-5.15
noble
dne
jammy
dne
focal
not-affected
linux-gkeop-5.4
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-hwe
noble
dne
jammy
dne
focal
dne
bionic
ignored
xenial
Fixed 4.15.0-177.186~16.04.1
released
linux-hwe-5.11
noble
dne
jammy
dne
focal
ignored
linux-hwe-5.13
noble
dne
jammy
dne
focal
ignored
linux-hwe-5.15
noble
dne
jammy
dne
focal
not-affected
linux-hwe-5.19
noble
dne
jammy
ignored
focal
dne
linux-hwe-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-hwe-5.8
noble
dne
jammy
dne
focal
ignored
linux-hwe-6.2
noble
dne
jammy
ignored
focal
dne
linux-hwe-6.5
noble
dne
jammy
ignored
focal
dne
linux-hwe-6.8
noble
dne
jammy
not-affected
focal
dne
linux-hwe-edge
noble
dne
jammy
dne
focal
dne
bionic
ignored
xenial
ignored
linux-ibm
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-1026.29
released
linux-ibm-5.15
noble
dne
jammy
dne
focal
not-affected
linux-ibm-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-intel
noble
not-affected
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
linux-intel-5.13
noble
dne
jammy
dne
focal
ignored
linux-intel-iot-realtime
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
linux-intel-iotg
noble
dne
jammy
not-affected
focal
dne
linux-intel-iotg-5.15
noble
dne
jammy
dne
focal
Fixed 5.15.0-1008.11~20.04.1
released
linux-iot
noble
dne
jammy
dne
focal
Fixed 5.4.0-1004.6
released
linux-kvm
noble
dne
jammy
not-affected
focal
Fixed 5.4.0-1068.72
released
bionic
pending
xenial
ignored
linux-lowlatency
noble
not-affected
jammy
not-affected
focal
dne
linux-lowlatency-hwe-5.15
noble
dne
jammy
dne
focal
not-affected
linux-lowlatency-hwe-5.19
noble
dne
jammy
ignored
focal
dne
linux-lowlatency-hwe-6.2
noble
dne
jammy
ignored
focal
dne
linux-lowlatency-hwe-6.5
noble
dne
jammy
ignored
focal
dne
linux-lowlatency-hwe-6.8
noble
dne
jammy
not-affected
focal
dne
linux-lts-xenial
noble
dne
jammy
dne
focal
dne
trusty
ignored
linux-nvidia
noble
not-affected
jammy
not-affected
focal
dne
linux-nvidia-6.2
noble
dne
jammy
ignored
focal
dne
linux-nvidia-6.5
noble
dne
jammy
not-affected
focal
dne
linux-nvidia-6.8
noble
dne
jammy
not-affected
focal
dne
linux-nvidia-lowlatency
noble
not-affected
jammy
dne
focal
dne
linux-oem
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-oem-5.10
noble
dne
jammy
dne
focal
ignored
linux-oem-5.13
noble
dne
jammy
dne
focal
ignored
linux-oem-5.14
noble
dne
jammy
dne
focal
ignored
linux-oem-5.17
noble
dne
jammy
ignored
focal
dne
linux-oem-5.6
noble
dne
jammy
dne
focal
ignored
linux-oem-6.0
noble
dne
jammy
ignored
focal
dne
linux-oem-6.1
noble
dne
jammy
ignored
focal
dne
linux-oem-6.5
noble
dne
jammy
ignored
focal
dne
linux-oem-6.8
noble
not-affected
jammy
dne
focal
dne
linux-oracle
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-1076.83
released
bionic
pending
xenial
Fixed 4.15.0-1093.102~16.04.1
released
linux-oracle-5.0
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-oracle-5.11
noble
dne
jammy
dne
focal
ignored
linux-oracle-5.13
noble
dne
jammy
dne
focal
ignored
linux-oracle-5.15
noble
dne
jammy
dne
focal
not-affected
linux-oracle-5.3
noble
dne
jammy
dne
focal
dne
bionic
ignored
linux-oracle-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-oracle-5.8
noble
dne
jammy
dne
focal
ignored
linux-oracle-6.5
noble
dne
jammy
ignored
focal
dne
linux-raspi
noble
not-affected
jammy
not-affected
focal
Fixed 5.4.0-1065.75
released
linux-raspi-5.4
noble
dne
jammy
dne
focal
dne
bionic
pending
linux-raspi-realtime
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
linux-raspi2
noble
dne
jammy
dne
focal
ignored
linux-realtime
noble
dne
jammy
ignored
focal
dne
bionic
dne
xenial
dne
trusty
dne
linux-riscv
noble
not-affected
jammy
ignored
focal
ignored
linux-riscv-5.11
noble
dne
jammy
dne
focal
ignored
linux-riscv-5.15
noble
dne
jammy
dne
focal
not-affected
linux-riscv-5.19
noble
dne
jammy
ignored
focal
dne
linux-riscv-5.8
noble
dne
jammy
dne
focal
ignored
linux-riscv-6.5
noble
dne
jammy
ignored
focal
dne
linux-riscv-6.8
noble
dne
jammy
not-affected
focal
dne
linux-starfive-5.19
noble
dne
jammy
ignored
focal
dne
linux-starfive-6.2
noble
dne
jammy
ignored
focal
dne
linux-starfive-6.5
noble
dne
jammy
ignored
focal
dne
linux-xilinx-zynqmp
noble
dne
jammy
not-affected
focal
not-affected
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/147a0e71ccf96df9fc8c2ac500829d8e423ef02c
https://git.kernel.org/stable/c/2fe0e281f7ad0a62259649764228227dd6b2561d
https://git.kernel.org/stable/c/3d6cc9898efdfb062efb74dc18cfc700e082f5d5
https://git.kernel.org/stable/c/546d60859ecf13380fcabcbeace53a5971493a2b
https://git.kernel.org/stable/c/563431c1f3c8f2230e4a9c445fa23758742bc4f0
https://git.kernel.org/stable/c/da834d6c1147c7519a9e55b510a03b7055104749
https://git.kernel.org/stable/c/df9db1a2af37f39ad1653c7b9b0d275d72d0bc67
https://git.kernel.org/stable/c/e208668ef7ba23efcbf76a8200cab8deee501c4d