From patchwork Tue Dec 10 04:48:33 2019
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 11281319
From: Steve French
Date: Mon, 9 Dec 2019 22:48:33 -0600
Subject: [PATCH] smb3: fix refcount underflow warning on unmount when no directory leases
To: CIFS
Cc: SCSI development list, Arthur Marsh
Sender: linux-cifs-owner@vger.kernel.org
X-Mailing-List: linux-cifs@vger.kernel.org

Fix refcount underflow warning when unmounting to servers which didn't grant directory leases.

[ 301.680095] refcount_t: underflow; use-after-free.
[ 301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28 refcount_warn_saturate+0xb4/0xf3
...
[ 301.682139] Call Trace:
[ 301.682240] close_shroot+0x97/0xda [cifs]
[ 301.682351] SMB2_tdis+0x7c/0x176 [cifs]
[ 301.682456] ? _get_xid+0x58/0x91 [cifs]
[ 301.682563] cifs_put_tcon.part.0+0x99/0x202 [cifs]
[ 301.682637] ? ida_free+0x99/0x10a
[ 301.682727] ? cifs_umount+0x3d/0x9d [cifs]
[ 301.682829] cifs_put_tlink+0x3a/0x50 [cifs]
[ 301.682929] cifs_umount+0x44/0x9d [cifs]

Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect")
Signed-off-by: Steve French
Acked-by: Ronnie Sahlberg
Reviewed-by: Aurelien Aptel
Reviewed-by: Pavel Shilovsky
Reported-and-tested-by: Arthur Marsh
Reviewed-by: Ronnie Sahlberg

From 281393894af9cc3f9483204475014e89d728987c Mon Sep 17 00:00:00 2001
From: Steve French Date: Mon, 9 Dec 2019 19:47:10 -0600 Subject: [PATCH 1/2] smb3: fix refcount underflow warning on unmount when no directory leases Fix refcount underflow warning when unmounting to servers which didn't grant directory leases. [ 301.680095] refcount_t: underflow; use-after-free. [ 301.680192] WARNING: CPU: 1 PID: 3569 at lib/refcount.c:28 refcount_warn_saturate+0xb4/0xf3 ... [ 301.682139] Call Trace: [ 301.682240] close_shroot+0x97/0xda [cifs] [ 301.682351] SMB2_tdis+0x7c/0x176 [cifs] [ 301.682456] ? _get_xid+0x58/0x91 [cifs] [ 301.682563] cifs_put_tcon.part.0+0x99/0x202 [cifs] [ 301.682637] ? ida_free+0x99/0x10a [ 301.682727] ? cifs_umount+0x3d/0x9d [cifs] [ 301.682829] cifs_put_tlink+0x3a/0x50 [cifs] [ 301.682929] cifs_umount+0x44/0x9d [cifs] Fixes: 72e73c78c446 ("cifs: close the shared root handle on tree disconnect") Signed-off-by: Steve French Acked-by: Ronnie Sahlberg Reviewed-by: Aurelien Aptel Reviewed-by: Pavel Shilovsky Reported-and-tested-by: Arthur Marsh --- fs/cifs/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 0ab6b1200288..d2658f51ff60 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1847,7 +1847,8 @@ SMB2_tdis(const unsigned int xid, struct cifs_tcon *tcon) if ((tcon->need_reconnect) || (tcon->ses->need_reconnect)) return 0; - close_shroot(&tcon->crfid); + if (tcon->crfid.is_valid) + close_shroot(&tcon->crfid); rc = smb2_plain_req_init(SMB2_TREE_DISCONNECT, tcon, (void **) &req, &total_len); -- 2.23.0
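
Review bot: the new test "if (tcon->crfid.is_valid)" in SMB2_tdis reads the flag with no lock visible in this hunk, so the check and the following close_shroot(&tcon->crfid) are not atomic. If any other path can clear is_valid or drop the reference between the two, the refcount underflow reported in the commit message can still occur. Consider moving the validity check into close_shroot itself, under whatever serialisation that function uses, so that every caller gets the guard rather than only the tree-disconnect path. A one-line comment above the check stating that the cached root handle reference is only held when the server granted a directory lease would also help, since the condition is not obvious from the code alone.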