Linux-CIFS Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases
@ 2019-12-10  4:48 Steve French
  2019-12-10 19:53 ` Pavel Shilovsky
  0 siblings, 1 reply; 4+ messages in thread
From: Steve French @ 2019-12-10  4:48 UTC (permalink / raw)
  To: CIFS; +Cc: SCSI development list, Arthur Marsh

[-- Attachment #1: Type: text/plain, Size: 1012 bytes --]

Fix refcount underflow warning when unmounting to servers which didn't grant
directory leases.

[  301.680095] refcount_t: underflow; use-after-free.
[  301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28
refcount_warn_saturate+0xb4/0xf3
...
[  301.682139] Call Trace:
[  301.682240]  close_shroot+0x97/0xda [cifs]
[  301.682351]  SMB2_tdis+0x7c/0x176 [cifs]
[  301.682456]  ? _get_xid+0x58/0x91 [cifs]
[  301.682563]  cifs_put_tcon.part.0+0x99/0x202 [cifs]
[  301.682637]  ? ida_free+0x99/0x10a
[  301.682727]  ? cifs_umount+0x3d/0x9d [cifs]
[  301.682829]  cifs_put_tlink+0x3a/0x50 [cifs]
[  301.682929]  cifs_umount+0x44/0x9d [cifs]

Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect")

Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Reported-and-tested-by: Arthur Marsh <arthur.marsh@internode.on.net>

-- 
Thanks,

Steve

[-- Attachment #2: 0001-smb3-fix-refcount-underflow-warning-on-unmount-when-.patch --]
[-- Type: text/x-patch, Size: 1811 bytes --]

From 281393894af9cc3f9483204475014e89d728987c Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Mon, 9 Dec 2019 19:47:10 -0600
Subject: [PATCH 1/2] smb3: fix refcount underflow warning on unmount when no
 directory leases

Fix refcount underflow warning when unmounting to servers which didn't grant
directory leases.

[  301.680095] refcount_t: underflow; use-after-free.
[  301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28
refcount_warn_saturate+0xb4/0xf3
...
[  301.682139] Call Trace:
[  301.682240]  close_shroot+0x97/0xda [cifs]
[  301.682351]  SMB2_tdis+0x7c/0x176 [cifs]
[  301.682456]  ? _get_xid+0x58/0x91 [cifs]
[  301.682563]  cifs_put_tcon.part.0+0x99/0x202 [cifs]
[  301.682637]  ? ida_free+0x99/0x10a
[  301.682727]  ? cifs_umount+0x3d/0x9d [cifs]
[  301.682829]  cifs_put_tlink+0x3a/0x50 [cifs]
[  301.682929]  cifs_umount+0x44/0x9d [cifs]

Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect")

Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Reported-and-tested-by: Arthur Marsh <arthur.marsh@internode.on.net>
---
 fs/cifs/smb2pdu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 0ab6b1200288..d2658f51ff60 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1847,7 +1847,8 @@ SMB2_tdis(const unsigned int xid, struct cifs_tcon *tcon)
 	if ((tcon->need_reconnect) || (tcon->ses->need_reconnect))
 		return 0;
 
-	close_shroot(&tcon->crfid);
+	if (tcon->crfid.is_valid)
+		close_shroot(&tcon->crfid);
 
 	rc = smb2_plain_req_init(SMB2_TREE_DISCONNECT, tcon, (void **) &req,
 			     &total_len);
-- 
2.23.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases
  2019-12-10  4:48 [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases Steve French
@ 2019-12-10 19:53 ` Pavel Shilovsky
  2019-12-12 19:36   ` ronnie sahlberg
  0 siblings, 1 reply; 4+ messages in thread
From: Pavel Shilovsky @ 2019-12-10 19:53 UTC (permalink / raw)
  To: Steve French, ronnie sahlberg; +Cc: CIFS

[-- Attachment #1: Type: text/plain, Size: 1475 bytes --]

пн, 9 дек. 2019 г. в 20:48, Steve French <smfrench@gmail.com>:
>
> Fix refcount underflow warning when unmounting to servers which didn't grant
> directory leases.
>
> [  301.680095] refcount_t: underflow; use-after-free.
> [  301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28
> refcount_warn_saturate+0xb4/0xf3
> ...
> [  301.682139] Call Trace:
> [  301.682240]  close_shroot+0x97/0xda [cifs]
> [  301.682351]  SMB2_tdis+0x7c/0x176 [cifs]
> [  301.682456]  ? _get_xid+0x58/0x91 [cifs]
> [  301.682563]  cifs_put_tcon.part.0+0x99/0x202 [cifs]
> [  301.682637]  ? ida_free+0x99/0x10a
> [  301.682727]  ? cifs_umount+0x3d/0x9d [cifs]
> [  301.682829]  cifs_put_tlink+0x3a/0x50 [cifs]
> [  301.682929]  cifs_umount+0x44/0x9d [cifs]
>
> Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect")
>
> Signed-off-by: Steve French <stfrench@microsoft.com>
> Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
> Reviewed-by: Aurelien Aptel <aaptel@suse.com>
> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
> Reported-and-tested-by: Arthur Marsh <arthur.marsh@internode.on.net>
>
> --
> Thanks,
>
> Steve

Looking at this more, I think that the fact that the handle is valid
doesn't mean that it has a directory lease. So, I think we need to
track that fact separately. I coded a quick follow-on fix (untested)
to describe my idea - see the attached patch.

Thoughts?

--
Best regards,
Pavel Shilovsky

[-- Attachment #2: 0001-CIFS-Close-cached-root-handle-only-if-it-has-a-lease.patch --]
[-- Type: application/octet-stream, Size: 4566 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases
  2019-12-10 19:53 ` Pavel Shilovsky
@ 2019-12-12 19:36   ` ronnie sahlberg
  2019-12-12 23:08     ` Steve French
  0 siblings, 1 reply; 4+ messages in thread
From: ronnie sahlberg @ 2019-12-12 19:36 UTC (permalink / raw)
  To: Pavel Shilovsky; +Cc: Steve French, CIFS

This makes sense. Thanks for this patch.

Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>

On Wed, Dec 11, 2019 at 5:53 AM Pavel Shilovsky <piastryyy@gmail.com> wrote:
>
> пн, 9 дек. 2019 г. в 20:48, Steve French <smfrench@gmail.com>:
> >
> > Fix refcount underflow warning when unmounting to servers which didn't grant
> > directory leases.
> >
> > [  301.680095] refcount_t: underflow; use-after-free.
> > [  301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28
> > refcount_warn_saturate+0xb4/0xf3
> > ...
> > [  301.682139] Call Trace:
> > [  301.682240]  close_shroot+0x97/0xda [cifs]
> > [  301.682351]  SMB2_tdis+0x7c/0x176 [cifs]
> > [  301.682456]  ? _get_xid+0x58/0x91 [cifs]
> > [  301.682563]  cifs_put_tcon.part.0+0x99/0x202 [cifs]
> > [  301.682637]  ? ida_free+0x99/0x10a
> > [  301.682727]  ? cifs_umount+0x3d/0x9d [cifs]
> > [  301.682829]  cifs_put_tlink+0x3a/0x50 [cifs]
> > [  301.682929]  cifs_umount+0x44/0x9d [cifs]
> >
> > Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect")
> >
> > Signed-off-by: Steve French <stfrench@microsoft.com>
> > Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
> > Reviewed-by: Aurelien Aptel <aaptel@suse.com>
> > Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
> > Reported-and-tested-by: Arthur Marsh <arthur.marsh@internode.on.net>
> >
> > --
> > Thanks,
> >
> > Steve
>
> Looking at this more, I think that the fact that the handle is valid
> doesn't mean that it has a directory lease. So, I think we need to
> track that fact separately. I coded a quick follow-on fix (untested)
> to describe my idea - see the attached patch.
>
> Thoughts?
>
> --
> Best regards,
> Pavel Shilovsky

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases
  2019-12-12 19:36   ` ronnie sahlberg
@ 2019-12-12 23:08     ` Steve French
  0 siblings, 0 replies; 4+ messages in thread
From: Steve French @ 2019-12-12 23:08 UTC (permalink / raw)
  To: ronnie sahlberg; +Cc: Pavel Shilovsky, CIFS

tentatively merged into cifs-2.6.git for-next pending more testing

On Thu, Dec 12, 2019 at 1:36 PM ronnie sahlberg
<ronniesahlberg@gmail.com> wrote:
>
> This makes sense. Thanks for this patch.
>
> Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
>
> On Wed, Dec 11, 2019 at 5:53 AM Pavel Shilovsky <piastryyy@gmail.com> wrote:
> >
> > пн, 9 дек. 2019 г. в 20:48, Steve French <smfrench@gmail.com>:
> > >
> > > Fix refcount underflow warning when unmounting to servers which didn't grant
> > > directory leases.
> > >
> > > [  301.680095] refcount_t: underflow; use-after-free.
> > > [  301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28
> > > refcount_warn_saturate+0xb4/0xf3
> > > ...
> > > [  301.682139] Call Trace:
> > > [  301.682240]  close_shroot+0x97/0xda [cifs]
> > > [  301.682351]  SMB2_tdis+0x7c/0x176 [cifs]
> > > [  301.682456]  ? _get_xid+0x58/0x91 [cifs]
> > > [  301.682563]  cifs_put_tcon.part.0+0x99/0x202 [cifs]
> > > [  301.682637]  ? ida_free+0x99/0x10a
> > > [  301.682727]  ? cifs_umount+0x3d/0x9d [cifs]
> > > [  301.682829]  cifs_put_tlink+0x3a/0x50 [cifs]
> > > [  301.682929]  cifs_umount+0x44/0x9d [cifs]
> > >
> > > Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect")
> > >
> > > Signed-off-by: Steve French <stfrench@microsoft.com>
> > > Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
> > > Reviewed-by: Aurelien Aptel <aaptel@suse.com>
> > > Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
> > > Reported-and-tested-by: Arthur Marsh <arthur.marsh@internode.on.net>
> > >
> > > --
> > > Thanks,
> > >
> > > Steve
> >
> > Looking at this more, I think that the fact that the handle is valid
> > doesn't mean that it has a directory lease. So, I think we need to
> > track that fact separately. I coded a quick follow-on fix (untested)
> > to describe my idea - see the attached patch.
> >
> > Thoughts?
> >
> > --
> > Best regards,
> > Pavel Shilovsky



-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-10  4:48 [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases Steve French
2019-12-10 19:53 ` Pavel Shilovsky
2019-12-12 19:36   ` ronnie sahlberg
2019-12-12 23:08     ` Steve French

Linux-CIFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-cifs/0 linux-cifs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-cifs linux-cifs/ https://lore.kernel.org/linux-cifs \
		linux-cifs@vger.kernel.org
	public-inbox-index linux-cifs

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-cifs


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git