smb: client: fix deadlock in smb2_find_smb_tcon()

Commit Message

Enzo Matsumiya June 6, 2024, 4:13 p.m. UTC

Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such
deadlock.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 fs/smb/client/smb2transport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paulo Alcantara June 6, 2024, 4:53 p.m. UTC | #1

Enzo Matsumiya <ematsumiya@suse.de> writes:

> Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such
> deadlock.
>
> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> ---
>  fs/smb/client/smb2transport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>

Steve French June 6, 2024, 5:51 p.m. UTC | #2

Merged into cifs-2.6.git for-next.  Is this an easy repro scenario?

Shouldn't we Cc: stable or tag Fixes for 24a9799aa8ef smb: client: fix
UAF in smb2_reconnect_server()




On Thu, Jun 6, 2024 at 11:14 AM Enzo Matsumiya <ematsumiya@suse.de> wrote:
>
> Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such
> deadlock.
>
> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> ---
>  fs/smb/client/smb2transport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c
> index 02135a605305..1476c445cadc 100644
> --- a/fs/smb/client/smb2transport.c
> +++ b/fs/smb/client/smb2transport.c
> @@ -216,8 +216,8 @@ smb2_find_smb_tcon(struct TCP_Server_Info *server, __u64 ses_id, __u32  tid)
>         }
>         tcon = smb2_find_smb_sess_tcon_unlocked(ses, tid);
>         if (!tcon) {
> -               cifs_put_smb_ses(ses);
>                 spin_unlock(&cifs_tcp_ses_lock);
> +               cifs_put_smb_ses(ses);
>                 return NULL;
>         }
>         spin_unlock(&cifs_tcp_ses_lock);
> --
> 2.45.1
>


--
Thanks,

Steve

Enzo Matsumiya June 6, 2024, 6:07 p.m. UTC | #3

On 06/06, Steve French wrote:
>Merged into cifs-2.6.git for-next.  Is this an easy repro scenario?

Not really. I'm still assessing the actual root cause, but the whole
superblock got corrupted (my assumption so far is probably because of
an umount + mount + restart of autofs with a very specific timing).

>Shouldn't we Cc: stable or tag Fixes for 24a9799aa8ef smb: client: fix
>UAF in smb2_reconnect_server()

Ok.


>On Thu, Jun 6, 2024 at 11:14 AM Enzo Matsumiya <ematsumiya@suse.de> wrote:
>>
>> Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such
>> deadlock.
>>
>> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
>> ---
>>  fs/smb/client/smb2transport.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c
>> index 02135a605305..1476c445cadc 100644
>> --- a/fs/smb/client/smb2transport.c
>> +++ b/fs/smb/client/smb2transport.c
>> @@ -216,8 +216,8 @@ smb2_find_smb_tcon(struct TCP_Server_Info *server, __u64 ses_id, __u32  tid)
>>         }
>>         tcon = smb2_find_smb_sess_tcon_unlocked(ses, tid);
>>         if (!tcon) {
>> -               cifs_put_smb_ses(ses);
>>                 spin_unlock(&cifs_tcp_ses_lock);
>> +               cifs_put_smb_ses(ses);
>>                 return NULL;
>>         }
>>         spin_unlock(&cifs_tcp_ses_lock);
>> --
>> 2.45.1
>>
>
>
>--
>Thanks,
>
>Steve

Patch

diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c
index 02135a605305..1476c445cadc 100644
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -216,8 +216,8 @@  smb2_find_smb_tcon(struct TCP_Server_Info *server, __u64 ses_id, __u32  tid)
 	}
 	tcon = smb2_find_smb_sess_tcon_unlocked(ses, tid);
 	if (!tcon) {
-		cifs_put_smb_ses(ses);
 		spin_unlock(&cifs_tcp_ses_lock);
+		cifs_put_smb_ses(ses);
 		return NULL;
 	}
 	spin_unlock(&cifs_tcp_ses_lock);