* [PATCH v2 0/2] Fix some bug in cifs
@ 2022-11-16 3:11 Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 1/2] cifs: Fix UAF in cifs_demultiplex_thread() Zhang Xiaoxu
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Zhang Xiaoxu @ 2022-11-16 3:11 UTC (permalink / raw)
To: linux-cifs, zhangxiaoxu5, sfrench, smfrench, pc, lsahlber, sprasad, tom
v2:
- remove the 1st patch since steve already merged it into repo.
- fix cifs 1.0 hung since not set READY flag when wakeup task
on 2nd patch.
Zhang Xiaoxu (2):
cifs: Fix UAF in cifs_demultiplex_thread()
cifs: Move the in_send statistic to __smb_send_rqst()
fs/cifs/cifsglob.h | 1 +
fs/cifs/transport.c | 55 ++++++++++++++++++++++++++-------------------
2 files changed, 33 insertions(+), 23 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2 1/2] cifs: Fix UAF in cifs_demultiplex_thread()
2022-11-16 3:11 [PATCH v2 0/2] Fix some bug in cifs Zhang Xiaoxu
@ 2022-11-16 3:11 ` Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst() Zhang Xiaoxu
2023-03-03 2:02 ` [PATCH v2 0/2] Fix some bug in cifs ChenXiaoSong
2 siblings, 0 replies; 8+ messages in thread
From: Zhang Xiaoxu @ 2022-11-16 3:11 UTC (permalink / raw)
To: linux-cifs, zhangxiaoxu5, sfrench, smfrench, pc, lsahlber, sprasad, tom
There is a UAF when xfstests on cifs:
BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
Read of size 4 at addr ffff88810103fc08 by task cifsd/923
CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
...
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report+0xad/0x130
kasan_check_range+0x145/0x1a0
smb2_is_network_name_deleted+0x27/0x160
cifs_demultiplex_thread.cold+0x172/0x5a4
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 923:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60
kmem_cache_alloc+0x147/0x320
mempool_alloc+0xe1/0x260
cifs_small_buf_get+0x24/0x60
allocate_buffers+0xa1/0x1c0
cifs_demultiplex_thread+0x199/0x10d0
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
Freed by task 921:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x143/0x1b0
kmem_cache_free+0xe3/0x4d0
cifs_small_buf_release+0x29/0x90
SMB2_negotiate+0x8b7/0x1c60
smb2_negotiate+0x51/0x70
cifs_negotiate_protocol+0xf0/0x160
cifs_get_smb_ses+0x5fa/0x13c0
mount_get_conns+0x7a/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The UAF is because:
mount(pid: 921) | cifsd(pid: 923)
-------------------------------|-------------------------------
| cifs_demultiplex_thread
SMB2_negotiate |
cifs_send_recv |
compound_send_recv |
smb_send_rqst |
wait_for_response |
wait_event_state [1] |
| standard_receive3
| cifs_handle_standard
| handle_mid
| mid->resp_buf = buf; [2]
| dequeue_mid [3]
KILL the process [4] |
resp_iov[i].iov_base = buf |
free_rsp_buf [5] |
| is_network_name_deleted [6]
| callback
1. After send request to server, wait the response until
mid->mid_state != SUBMITTED;
2. Receive response from server, and set it to mid;
3. Set the mid state to RECEIVED;
4. Kill the process, the mid state already RECEIVED, get 0;
5. Handle and release the negotiate response;
6. UAF.
It can be easily reproduce with add some delay in [3] - [6].
Only sync call has the problem since async call's callback is
executed in cifsd process.
Add an extra state to mark the mid state to READY before wakeup the
waitter, then it can get the resp safely.
Fixes: ec637e3ffb6b ("[CIFS] Avoid extra large buffer allocation (and memcpy) in cifs_readpages")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
---
fs/cifs/cifsglob.h | 1 +
fs/cifs/transport.c | 34 +++++++++++++++++++++++-----------
2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 1420acf987f0..637b33b355c6 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1810,6 +1810,7 @@ static inline bool is_retryable_error(int error)
#define MID_RETRY_NEEDED 8 /* session closed while this request out */
#define MID_RESPONSE_MALFORMED 0x10
#define MID_SHUTDOWN 0x20
+#define MID_RESPONSE_READY 0x40 /* ready for other process handle the rsp */
/* Flags */
#define MID_WAIT_CANCELLED 1 /* Cancelled while waiting for response */
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index 575fa8f58342..bc551738dabb 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -35,6 +35,8 @@
void
cifs_wake_up_task(struct mid_q_entry *mid)
{
+ if (mid->mid_state == MID_RESPONSE_RECEIVED)
+ mid->mid_state = MID_RESPONSE_READY;
wake_up_process(mid->callback_data);
}
@@ -87,7 +89,8 @@ static void __release_mid(struct kref *refcount)
struct TCP_Server_Info *server = midEntry->server;
if (midEntry->resp_buf && (midEntry->mid_flags & MID_WAIT_CANCELLED) &&
- midEntry->mid_state == MID_RESPONSE_RECEIVED &&
+ (midEntry->mid_state == MID_RESPONSE_RECEIVED ||
+ midEntry->mid_state == MID_RESPONSE_READY) &&
server->ops->handle_cancelled_mid)
server->ops->handle_cancelled_mid(midEntry, server);
@@ -754,7 +757,8 @@ wait_for_response(struct TCP_Server_Info *server, struct mid_q_entry *midQ)
int error;
error = wait_event_state(server->response_q,
- midQ->mid_state != MID_REQUEST_SUBMITTED,
+ midQ->mid_state != MID_REQUEST_SUBMITTED &&
+ midQ->mid_state != MID_RESPONSE_RECEIVED,
(TASK_KILLABLE|TASK_FREEZABLE_UNSAFE));
if (error < 0)
return -ERESTARTSYS;
@@ -909,7 +913,7 @@ cifs_sync_mid_result(struct mid_q_entry *mid, struct TCP_Server_Info *server)
spin_lock(&server->mid_lock);
switch (mid->mid_state) {
- case MID_RESPONSE_RECEIVED:
+ case MID_RESPONSE_READY:
spin_unlock(&server->mid_lock);
return rc;
case MID_RETRY_NEEDED:
@@ -1008,6 +1012,9 @@ cifs_compound_callback(struct mid_q_entry *mid)
credits.instance = server->reconnect_instance;
add_credits(server, &credits, mid->optype);
+
+ if (mid->mid_state == MID_RESPONSE_RECEIVED)
+ mid->mid_state = MID_RESPONSE_READY;
}
static void
@@ -1205,7 +1212,8 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
send_cancel(server, &rqst[i], midQ[i]);
spin_lock(&server->mid_lock);
midQ[i]->mid_flags |= MID_WAIT_CANCELLED;
- if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED) {
+ if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ[i]->mid_state == MID_RESPONSE_RECEIVED) {
midQ[i]->callback = cifs_cancelled_callback;
cancelled_mid[i] = true;
credits[i].value = 0;
@@ -1226,7 +1234,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
}
if (!midQ[i]->resp_buf ||
- midQ[i]->mid_state != MID_RESPONSE_RECEIVED) {
+ midQ[i]->mid_state != MID_RESPONSE_READY) {
rc = -EIO;
cifs_dbg(FYI, "Bad MID state?\n");
goto out;
@@ -1415,7 +1423,8 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
if (rc != 0) {
send_cancel(server, &rqst, midQ);
spin_lock(&server->mid_lock);
- if (midQ->mid_state == MID_REQUEST_SUBMITTED) {
+ if (midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED) {
/* no longer considered to be "in-flight" */
midQ->callback = release_mid;
spin_unlock(&server->mid_lock);
@@ -1432,7 +1441,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
}
if (!midQ->resp_buf || !out_buf ||
- midQ->mid_state != MID_RESPONSE_RECEIVED) {
+ midQ->mid_state != MID_RESPONSE_READY) {
rc = -EIO;
cifs_server_dbg(VFS, "Bad MID state?\n");
goto out;
@@ -1558,14 +1567,16 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
/* Wait for a reply - allow signals to interrupt. */
rc = wait_event_interruptible(server->response_q,
- (!(midQ->mid_state == MID_REQUEST_SUBMITTED)) ||
+ (!(midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED)) ||
((server->tcpStatus != CifsGood) &&
(server->tcpStatus != CifsNew)));
/* Were we interrupted by a signal ? */
spin_lock(&server->srv_lock);
if ((rc == -ERESTARTSYS) &&
- (midQ->mid_state == MID_REQUEST_SUBMITTED) &&
+ (midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED) &&
((server->tcpStatus == CifsGood) ||
(server->tcpStatus == CifsNew))) {
spin_unlock(&server->srv_lock);
@@ -1596,7 +1607,8 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
send_cancel(server, &rqst, midQ);
spin_lock(&server->mid_lock);
- if (midQ->mid_state == MID_REQUEST_SUBMITTED) {
+ if (midQ->mid_state == MID_REQUEST_SUBMITTED ||
+ midQ->mid_state == MID_RESPONSE_RECEIVED) {
/* no longer considered to be "in-flight" */
midQ->callback = release_mid;
spin_unlock(&server->mid_lock);
@@ -1616,7 +1628,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
return rc;
/* rcvd frame is ok */
- if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_RECEIVED) {
+ if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_READY) {
rc = -EIO;
cifs_tcon_dbg(VFS, "Bad MID state?\n");
goto out;
--
2.31.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst()
2022-11-16 3:11 [PATCH v2 0/2] Fix some bug in cifs Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 1/2] cifs: Fix UAF in cifs_demultiplex_thread() Zhang Xiaoxu
@ 2022-11-16 3:11 ` Zhang Xiaoxu
2023-09-01 15:25 ` Paulo Alcantara
2023-03-03 2:02 ` [PATCH v2 0/2] Fix some bug in cifs ChenXiaoSong
2 siblings, 1 reply; 8+ messages in thread
From: Zhang Xiaoxu @ 2022-11-16 3:11 UTC (permalink / raw)
To: linux-cifs, zhangxiaoxu5, sfrench, smfrench, pc, lsahlber, sprasad, tom
When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
in_send statistic was lost.
Let's move the in_send statistic to the send function to avoid
this scenario.
Fixes: 7ee1af765dfa ("[CIFS]")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
---
fs/cifs/transport.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
index bc551738dabb..2ce7206446a9 100644
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -300,7 +300,7 @@ static int
__smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
struct smb_rqst *rqst)
{
- int rc = 0;
+ int rc;
struct kvec *iov;
int n_vec;
unsigned int send_length = 0;
@@ -311,6 +311,7 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
struct msghdr smb_msg = {};
__be32 rfc1002_marker;
+ cifs_in_send_inc(server);
if (cifs_rdma_enabled(server)) {
/* return -EAGAIN when connecting or reconnecting */
rc = -EAGAIN;
@@ -319,14 +320,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
goto smbd_done;
}
+ rc = -EAGAIN;
if (ssocket == NULL)
- return -EAGAIN;
+ goto out;
+ rc = -ERESTARTSYS;
if (fatal_signal_pending(current)) {
cifs_dbg(FYI, "signal pending before send request\n");
- return -ERESTARTSYS;
+ goto out;
}
+ rc = 0;
/* cork the socket */
tcp_sock_set_cork(ssocket->sk, true);
@@ -437,7 +441,8 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
rc);
else if (rc > 0)
rc = 0;
-
+out:
+ cifs_in_send_dec(server);
return rc;
}
@@ -857,9 +862,7 @@ cifs_call_async(struct TCP_Server_Info *server, struct smb_rqst *rqst,
* I/O response may come back and free the mid entry on another thread.
*/
cifs_save_when_sent(mid);
- cifs_in_send_inc(server);
rc = smb_send_rqst(server, 1, rqst, flags);
- cifs_in_send_dec(server);
if (rc < 0) {
revert_current_mid(server, mid->credits);
@@ -1153,9 +1156,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
else
midQ[i]->callback = cifs_compound_last_callback;
}
- cifs_in_send_inc(server);
rc = smb_send_rqst(server, num_rqst, rqst, flags);
- cifs_in_send_dec(server);
for (i = 0; i < num_rqst; i++)
cifs_save_when_sent(midQ[i]);
@@ -1406,9 +1407,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
midQ->mid_state = MID_REQUEST_SUBMITTED;
- cifs_in_send_inc(server);
rc = smb_send(server, in_buf, len);
- cifs_in_send_dec(server);
cifs_save_when_sent(midQ);
if (rc < 0)
@@ -1550,9 +1549,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
}
midQ->mid_state = MID_REQUEST_SUBMITTED;
- cifs_in_send_inc(server);
rc = smb_send(server, in_buf, len);
- cifs_in_send_dec(server);
cifs_save_when_sent(midQ);
if (rc < 0)
--
2.31.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v2 0/2] Fix some bug in cifs
2022-11-16 3:11 [PATCH v2 0/2] Fix some bug in cifs Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 1/2] cifs: Fix UAF in cifs_demultiplex_thread() Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst() Zhang Xiaoxu
@ 2023-03-03 2:02 ` ChenXiaoSong
2023-03-03 21:55 ` Paulo Alcantara
2 siblings, 1 reply; 8+ messages in thread
From: ChenXiaoSong @ 2023-03-03 2:02 UTC (permalink / raw)
To: Zhang Xiaoxu, linux-cifs, sfrench, smfrench, pc; +Cc: lsahlber, sprasad, tom
Hi Steve and Paulo:
Do you have any suggestions for this patchset ?
xfstests generic/011 always report this bug, our mount option is: -o
mfsymlinks,vers=3.0
在 2022/11/16 11:11, Zhang Xiaoxu 写道:
> v2:
> - remove the 1st patch since steve already merged it into repo.
> - fix cifs 1.0 hung since not set READY flag when wakeup task
> on 2nd patch.
>
> Zhang Xiaoxu (2):
> cifs: Fix UAF in cifs_demultiplex_thread()
> cifs: Move the in_send statistic to __smb_send_rqst()
>
> fs/cifs/cifsglob.h | 1 +
> fs/cifs/transport.c | 55 ++++++++++++++++++++++++++-------------------
> 2 files changed, 33 insertions(+), 23 deletions(-)
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 0/2] Fix some bug in cifs
2023-03-03 2:02 ` [PATCH v2 0/2] Fix some bug in cifs ChenXiaoSong
@ 2023-03-03 21:55 ` Paulo Alcantara
0 siblings, 0 replies; 8+ messages in thread
From: Paulo Alcantara @ 2023-03-03 21:55 UTC (permalink / raw)
To: ChenXiaoSong, Zhang Xiaoxu, linux-cifs, sfrench, smfrench
Cc: lsahlber, sprasad, tom
ChenXiaoSong <chenxiaosong2@huawei.com> writes:
> Do you have any suggestions for this patchset ?
Nope. LGTM.
I was able to reproduce this use-after-free bug as well.
So, for the whole series
Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst()
2022-11-16 3:11 ` [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst() Zhang Xiaoxu
@ 2023-09-01 15:25 ` Paulo Alcantara
2023-09-01 16:25 ` Steve French
0 siblings, 1 reply; 8+ messages in thread
From: Paulo Alcantara @ 2023-09-01 15:25 UTC (permalink / raw)
To: Zhang Xiaoxu, linux-cifs, zhangxiaoxu5, sfrench, smfrench,
lsahlber, sprasad, tom
Hi Steve,
Zhang Xiaoxu <zhangxiaoxu5@huawei.com> writes:
> When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
> in_send statistic was lost.
>
> Let's move the in_send statistic to the send function to avoid
> this scenario.
>
> Fixes: 7ee1af765dfa ("[CIFS]")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> ---
> fs/cifs/transport.c | 21 +++++++++------------
> 1 file changed, 9 insertions(+), 12 deletions(-)
Could you please pick this up?
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst()
2023-09-01 15:25 ` Paulo Alcantara
@ 2023-09-01 16:25 ` Steve French
2023-09-01 16:49 ` Paulo Alcantara
0 siblings, 1 reply; 8+ messages in thread
From: Steve French @ 2023-09-01 16:25 UTC (permalink / raw)
To: Paulo Alcantara; +Cc: Zhang Xiaoxu, linux-cifs, sfrench, lsahlber, sprasad, tom
That patch was already been merged last year
commit d0dc41119905f740e8d5594adce277f7c0de8c92
Author: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Date: Wed Nov 16 11:11:36 2022 +0800
cifs: Move the in_send statistic to __smb_send_rqst()
When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
in_send statistic was lost.
Let's move the in_send statistic to the send function to avoid
this scenario.
Fixes: 7ee1af765dfa ("[CIFS]")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
On Fri, Sep 1, 2023 at 10:25 AM Paulo Alcantara <pc@manguebit.com> wrote:
>
> Hi Steve,
>
> Zhang Xiaoxu <zhangxiaoxu5@huawei.com> writes:
>
> > When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
> > in_send statistic was lost.
> >
> > Let's move the in_send statistic to the send function to avoid
> > this scenario.
> >
> > Fixes: 7ee1af765dfa ("[CIFS]")
> > Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> > ---
> > fs/cifs/transport.c | 21 +++++++++------------
> > 1 file changed, 9 insertions(+), 12 deletions(-)
>
> Could you please pick this up?
>
> Thanks.
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst()
2023-09-01 16:25 ` Steve French
@ 2023-09-01 16:49 ` Paulo Alcantara
0 siblings, 0 replies; 8+ messages in thread
From: Paulo Alcantara @ 2023-09-01 16:49 UTC (permalink / raw)
To: Steve French; +Cc: Zhang Xiaoxu, linux-cifs, sfrench, lsahlber, sprasad, tom
Whopps - I replied to wrong email, sorry.
I meant patch 1/2 [1].
[1] https://lore.kernel.org/linux-cifs/20221116031136.3967579-2-zhangxiaoxu5@huawei.com/
On 1 September 2023 13:25:10 GMT-03:00, Steve French <smfrench@gmail.com> wrote:
>That patch was already been merged last year
>
>commit d0dc41119905f740e8d5594adce277f7c0de8c92
>Author: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
>Date: Wed Nov 16 11:11:36 2022 +0800
>
> cifs: Move the in_send statistic to __smb_send_rqst()
>
> When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
> in_send statistic was lost.
>
> Let's move the in_send statistic to the send function to avoid
> this scenario.
>
> Fixes: 7ee1af765dfa ("[CIFS]")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> Signed-off-by: Steve French <stfrench@microsoft.com>
>
>On Fri, Sep 1, 2023 at 10:25 AM Paulo Alcantara <pc@manguebit.com> wrote:
>>
>> Hi Steve,
>>
>> Zhang Xiaoxu <zhangxiaoxu5@huawei.com> writes:
>>
>> > When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
>> > in_send statistic was lost.
>> >
>> > Let's move the in_send statistic to the send function to avoid
>> > this scenario.
>> >
>> > Fixes: 7ee1af765dfa ("[CIFS]")
>> > Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
>> > ---
>> > fs/cifs/transport.c | 21 +++++++++------------
>> > 1 file changed, 9 insertions(+), 12 deletions(-)
>>
>> Could you please pick this up?
>>
>> Thanks.
>
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-09-01 16:49 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-16 3:11 [PATCH v2 0/2] Fix some bug in cifs Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 1/2] cifs: Fix UAF in cifs_demultiplex_thread() Zhang Xiaoxu
2022-11-16 3:11 ` [PATCH v2 2/2] cifs: Move the in_send statistic to __smb_send_rqst() Zhang Xiaoxu
2023-09-01 15:25 ` Paulo Alcantara
2023-09-01 16:25 ` Steve French
2023-09-01 16:49 ` Paulo Alcantara
2023-03-03 2:02 ` [PATCH v2 0/2] Fix some bug in cifs ChenXiaoSong
2023-03-03 21:55 ` Paulo Alcantara
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).