From: Ronnie Sahlberg <lsahlber@redhat.com>
To: Frank Sorenson <sorenson@redhat.com>
Cc: linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: A process killed while opening a file can result in leaked open handle on the server
Date: Tue, 12 Nov 2019 22:28:28 -0500 (EST) [thread overview]
Message-ID: <2126815784.11429957.1573615708414.JavaMail.zimbra@redhat.com> (raw)
In-Reply-To: <0326b8d9-d66c-1df0-2d04-91b9a861c10f@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 3309 bytes --]
----- Original Message -----
> From: "Frank Sorenson" <sorenson@redhat.com>
> To: "linux-cifs" <linux-cifs@vger.kernel.org>
> Sent: Wednesday, 13 November, 2019 5:34:27 AM
> Subject: A process killed while opening a file can result in leaked open handle on the server
>
> If a process opening a file is killed while waiting for a SMB2_CREATE
> response from the server, the response may not be handled by the client,
> leaking an open file handle on the server.
>
> This can be reproduced with the following:
>
> # mount //vm3/user1 /mnt/vm3
> -overs=3,sec=ntlmssp,credentials=/root/.user1_smb_creds
> # cd /mnt/vm3
> # echo foo > foo
>
> # for i in {1..100} ; do cat foo >/dev/null 2>&1 & sleep 0.0001 ; kill -9 $!
> ; done
>
> (increase count if necessary--100 appears sufficient to cause multiple leaked
> file handles)
>
>
> The client will stop waiting for the response, and will output
> the following when the response does arrive:
>
> CIFS VFS: Close unmatched open
>
> on the server side, an open file handle is leaked. If using samba,
> the following will show these open files:
>
>
> # smbstatus | grep -i Locked -A1000
> Locked files:
> Pid Uid DenyMode Access R/W Oplock
> SharePath Name Time
> --------------------------------------------------------------------------------------------------
> 25936 501 DENY_NONE 0x80 RDONLY NONE
> /home/user1 . Tue Nov 12 12:29:24 2019
> 25936 501 DENY_NONE 0x80 RDONLY NONE
> /home/user1 . Tue Nov 12 12:29:24 2019
> 25936 501 DENY_NONE 0x120089 RDONLY LEASE(RWH)
> /home/user1 foo Tue Nov 12 12:29:24 2019
> 25936 501 DENY_NONE 0x120089 RDONLY LEASE(RWH)
> /home/user1 foo Tue Nov 12 12:29:24 2019
> 25936 501 DENY_NONE 0x120089 RDONLY LEASE(RWH)
> /home/user1 foo Tue Nov 12 12:29:24 2019
> 25936 501 DENY_NONE 0x120089 RDONLY LEASE(RWH)
> /home/user1 foo Tue Nov 12 12:29:24 2019
> 25936 501 DENY_NONE 0x120089 RDONLY LEASE(RWH)
> /home/user1 foo Tue Nov 12 12:29:24 2019
>
>
> (also tracked https://bugzilla.redhat.com/show_bug.cgi?id=1771691)
>
I don't think it has to do with "CIFS VFS: Close unmatched open", in fact those are probably the times
where it did not leak. Unless the SMB2_close() fails with an error.
Can you try the patch below and check that these SMB2_close() are successful?
I think it is more likely that we leak because we can not match the SMB2_Create() response with a MID.
Do you get "No task to wake, unknown frame received" in the log?
We need to do two things here.
1, Find out why we can not match this with a MID and second,
This it to fix THIS bug.
2, In the demultiplex_thread, where we get a "No task to wake, unknown frame received" we should check
is this an Open? if so we should invoke server->ops->handle_cancelled_mid()
This is to make sure other similar bugs do not cause leaks like this.
regards
ronnie sahlberg
> Frank
> --
> Frank Sorenson
> sorenson@redhat.com
> Principal Software Maintenance Engineer
> Global Support Services - filesystems
> Red Hat
>
>
[-- Attachment #2: patch --]
[-- Type: text/x-patch, Size: 1575 bytes --]
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index d78bfcc19156..10cb4d4fb122 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1548,6 +1548,7 @@ struct mid_q_entry {
};
struct close_cancelled_open {
+ __u64 mid;
struct cifs_fid fid;
struct cifs_tcon *tcon;
struct work_struct work;
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index e311f58dc1c8..6120c307d88e 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -735,12 +735,19 @@ smb2_cancelled_close_fid(struct work_struct *work)
{
struct close_cancelled_open *cancelled = container_of(work,
struct close_cancelled_open, work);
+ struct cifs_tcon *tcon = cancelled->tcon;
+ int rc;
- cifs_dbg(VFS, "Close unmatched open\n");
+ cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llx\n",
+ cancelled->mid);
- SMB2_close(0, cancelled->tcon, cancelled->fid.persistent_fid,
- cancelled->fid.volatile_fid);
- cifs_put_tcon(cancelled->tcon);
+ rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid,
+ cancelled->fid.volatile_fid);
+ if (rc) {
+ cifs_tcon_dbg(VFS, "Close cancelled mid failed with rc:%d\n", rc);
+ }
+
+ cifs_put_tcon(tcon);
kfree(cancelled);
}
@@ -770,6 +777,7 @@ smb2_handle_cancelled_mid(char *buffer, struct TCP_Server_Info *server)
cancelled->fid.persistent_fid = rsp->PersistentFileId;
cancelled->fid.volatile_fid = rsp->VolatileFileId;
cancelled->tcon = tcon;
+ cancelled->mid = sync_hdr->MessageId;
INIT_WORK(&cancelled->work, smb2_cancelled_close_fid);
queue_work(cifsiod_wq, &cancelled->work);
prev parent reply other threads:[~2019-11-13 3:28 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-12 19:34 A process killed while opening a file can result in leaked open handle on the server Frank Sorenson
2019-11-13 2:37 ` Pavel Shilovsky
2019-11-13 5:19 ` Ronnie Sahlberg
2019-11-13 6:49 ` Ronnie Sahlberg
2019-11-13 22:15 ` Frank Sorenson
2019-11-14 1:39 ` Ronnie Sahlberg
2019-11-15 18:21 ` Pavel Shilovskiy
2019-11-17 16:29 ` Frank Sorenson
2019-11-21 19:41 ` Pavel Shilovsky
2019-11-13 3:28 ` Ronnie Sahlberg [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2126815784.11429957.1573615708414.JavaMail.zimbra@redhat.com \
--to=lsahlber@redhat.com \
--cc=linux-cifs@vger.kernel.org \
--cc=sorenson@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).