This is a note to let you know that I've just added the patch titled cifs: lock chan_lock outside match_session to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: cifs-lock-chan_lock-outside-match_session.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 2f4e429c846972c8405951a9ff7a82aceeca7461 Mon Sep 17 00:00:00 2001 From: Shyam Prasad N <sprasad@xxxxxxxxxxxxx> Date: Mon, 20 Feb 2023 13:02:11 +0000 Subject: cifs: lock chan_lock outside match_session From: Shyam Prasad N <sprasad@xxxxxxxxxxxxx> commit 2f4e429c846972c8405951a9ff7a82aceeca7461 upstream. Coverity had rightly indicated a possible deadlock due to chan_lock being done inside match_session. All callers of match_* functions should pick up the necessary locks and call them. Signed-off-by: Shyam Prasad N <sprasad@xxxxxxxxxxxxx> Reviewed-by: Paulo Alcantara (SUSE) <pc@xxxxxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Fixes: 724244cdb382 ("cifs: protect session channel fields with chan_lock") Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/cifs/connect.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -1774,7 +1774,7 @@ out_err: return ERR_PTR(rc); } -/* this function must be called with ses_lock held */ +/* this function must be called with ses_lock and chan_lock held */ static int match_session(struct cifs_ses *ses, struct smb3_fs_context *ctx) { if (ctx->sectype != Unspecified && @@ -1785,12 +1785,8 @@ static int match_session(struct cifs_ses * If an existing session is limited to less channels than * requested, it should not be reused */ - spin_lock(&ses->chan_lock); - if (ses->chan_max < ctx->max_channels) { - spin_unlock(&ses->chan_lock); + if (ses->chan_max < ctx->max_channels) return 0; - } - spin_unlock(&ses->chan_lock); switch (ses->sectype) { case Kerberos: @@ -1918,10 +1914,13 @@ cifs_find_smb_ses(struct TCP_Server_Info spin_unlock(&ses->ses_lock); continue; } + spin_lock(&ses->chan_lock); if (!match_session(ses, ctx)) { + spin_unlock(&ses->chan_lock); spin_unlock(&ses->ses_lock); continue; } + spin_unlock(&ses->chan_lock); spin_unlock(&ses->ses_lock); ++ses->ses_count; @@ -2742,6 +2741,7 @@ cifs_match_super(struct super_block *sb, spin_lock(&tcp_srv->srv_lock); spin_lock(&ses->ses_lock); + spin_lock(&ses->chan_lock); spin_lock(&tcon->tc_lock); if (!match_server(tcp_srv, ctx) || !match_session(ses, ctx) || @@ -2754,6 +2754,7 @@ cifs_match_super(struct super_block *sb, rc = compare_mount_options(sb, mnt_data); out: spin_unlock(&tcon->tc_lock); + spin_unlock(&ses->chan_lock); spin_unlock(&ses->ses_lock); spin_unlock(&tcp_srv->srv_lock); Patches currently in stable-queue which might be from sprasad@xxxxxxxxxxxxx are queue-6.1/cifs-lock-chan_lock-outside-match_session.patch queue-6.1/smb3-lower-default-deferred-close-timeout-to-address-perf-regression.patch queue-6.1/cifs-do-not-poll-server-interfaces-too-regularly.patch queue-6.1/cifs-dump-pending-mids-for-all-channels-in-debugdata.patch queue-6.1/smb3-fix-unusable-share-after-force-unmount-failure.patch queue-6.1/cifs-empty-interface-list-when-server-doesn-t-support-query-interfaces.patch queue-6.1/cifs-print-session-id-while-listing-open-files.patch queue-6.1/cifs-append-path-to-open_enter-trace-event.patch