Hi Paulo, hi Steve,

On Mon, Apr 08, 2024 at 12:19:35PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> The patch below does not apply to the 6.1-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.
>
> To reproduce the conflict and resubmit, you may use the following commands:
>
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> git checkout FETCH_HEAD
> git cherry-pick -x 24a9799aa8efecd0eb55a75e35f9d8e6400063aa
> # <resolve conflicts, build, test, etc.>
> git commit -s
> git send-email --to '<stable@xxxxxxxxxxxxxxx>' --in-reply-to '2024040834-magazine-audience-8aa4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
>
> Possible dependencies:
>
> 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()")
> 7257bcf3bdc7 ("cifs: cifs_chan_is_iface_active should be called with chan_lock held")
> 27e1fd343f80 ("cifs: after disabling multichannel, mark tcon for reconnect")
> fa1d0508bdd4 ("cifs: account for primary channel in the interface list")
> a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed")
> c37ed2d7d098 ("smb: client: remove extra @chan_count check in __cifs_put_smb_ses()")
> ff7d80a9f271 ("cifs: fix session state transition to avoid use-after-free issue")
> 38c8a9a52082 ("smb: move client and server files to common directory fs/smb")
> 943fb67b0902 ("cifs: missing lock when updating session status")
> bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects")
> 1bcd548d935a ("cifs: prevent data race in cifs_reconnect_tcon()")
> e77978de4765 ("cifs: update ip_addr for ses only for primary chan setup")
> 3c0070f54b31 ("cifs: prevent data race in smb2_reconnect()")
> 05844bd661d9 ("cifs: print last update time for interface list")
> 25cf01b7c920 ("cifs: set correct status of tcon ipc when reconnecting")
> abdb1742a312 ("cifs: get rid of mount options string parsing")
> 9fd29a5bae6e ("cifs: use fs_context for automounts")

In Debian we got a report that, in a CIFS (DFS) infrastructure, after mounting, at some point later but reproducibly, they are able to trigger within a few minutes a system hang with a trace:

CIFS: VFS: \\SOME.SERVER.FQDN cifs_put_smb_ses: Session Logoff failure rc=-11
CIFS: VFS: \\(null) cifs_put_smb_ses: Session Logoff failure rc=-11
list_del corruption, ffff966536fe7800->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:49!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 2498151 Comm: kworker/6:9 Tainted: G OE 6.1.0-23-amd64 #1 Debian 6.1.99-1
Hardware name: Dell Inc. PowerEdge R620/0KCKR5, BIOS 2.9.0 12/06/2019
Workqueue: events delayed_mntput
RIP: 0010:__list_del_entry_valid.cold+0xf/0x6f
Code: c7 c7 88 3c fa a0 e8 90 a0 fe ff 0f 0b 48 c7 c7 60 3c fa a0 e8 82 a0 fe ff 0f 0b 48 89 fe 48 c7 c7 70 3d fa a0 e8 71 a0 fe ff <0f> 0b 48 89 d1 48 c7 c7 90 3e fa a0 48 89 c2 e8 5d a0 fe ff 0f 0b
RSP: 0018:ffffad83a63f7dd0 EFLAGS: 00010246
RAX: 0000000000000033 RBX: ffff966536fe7800 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff965e7f8e03a0
RBP: 00000000142d66a6 R08: 0000000000000000 R09: ffffad83a63f7c68
R10: 0000000000000003 R11: ffff966ebff11be0 R12: 00000000fffffff5
R13: ffff966536fe7000 R14: ffff966536fe7020 R15: ffffffffa1770b88
FS:  0000000000000000(0000) GS:ffff965e7f8c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe35dbcb7b0 CR3: 0000000f36c10001 CR4: 00000000000606e0
Call Trace:
 <TASK>
 ? __die_body.cold+0x1a/0x1f
 ? die+0x2a/0x50
 ? do_trap+0xc5/0x110
 ? __list_del_entry_valid.cold+0xf/0x6f
 ? do_error_trap+0x6a/0x90
 ? __list_del_entry_valid.cold+0xf/0x6f
 ? exc_invalid_op+0x4c/0x60
 ? __list_del_entry_valid.cold+0xf/0x6f
 ? asm_exc_invalid_op+0x16/0x20
 ? __list_del_entry_valid.cold+0xf/0x6f
 cifs_put_smb_ses+0xbb/0x3e0 [cifs]
 mount_group_release+0x82/0xa0 [cifs]
 cifs_umount+0x88/0xa0 [cifs]
 deactivate_locked_super+0x2f/0xa0
 cleanup_mnt+0xbd/0x150
 delayed_mntput+0x28/0x40
 process_one_work+0x1c7/0x380
 worker_thread+0x4d/0x380
 ? rescuer_thread+0x3a0/0x3a0
 kthread+0xda/0x100
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>
Modules linked in: bluetooth jitterentropy_rng drbg ansi_cprng ecdh_generic rfkill ecc overlay isofs cmac nls_utf8 cifs cifs_arc4 cifs_md4 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs tls beegfs(OE) rpcrdma rdma_ucm ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi rdma_rxe ib_uverbs ip6_udp_tunnel udp_tunnel ib_core nft_chain_nat xt_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif binfmt_misc kvm irqbypass ghash_clmulni_intel sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel crypto_simd cryptd rapl dcdbas mgag200 intel_cstate joydev evdev drm_shmem_helper intel_uncore iTCO_wdt ipmi_si drm_kms_helper mei_me intel_pmc_bxt ipmi_devintf iTCO_vendor_support pcspkr i2c_algo_bit mei ipmi_msghandler watchdog sg acpi_power_meter button nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm fuse loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod hid_generic usbhid hid sd_mod t10_pi sr_mod cdrom crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci crct10dif_pclmul crct10dif_common crc32_pclmul libata ehci_pci bnx2x ehci_hcd megaraid_sas usbcore scsi_mod lpc_ich usb_common mdio libcrc32c crc32c_generic scsi_common crc32c_intel wmi
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid.cold+0xf/0x6f
Code: c7 c7 88 3c fa a0 e8 90 a0 fe ff 0f 0b 48 c7 c7 60 3c fa a0 e8 82 a0 fe ff 0f 0b 48 89 fe 48 c7 c7 70 3d fa a0 e8 71 a0 fe ff <0f> 0b 48 89 d1 48 c7 c7 90 3e fa a0 48 89 c2 e8 5d a0 fe ff 0f 0b
RSP: 0018:ffffad83a63f7dd0 EFLAGS: 00010246
RAX: 0000000000000033 RBX: ffff966536fe7800 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff965e7f8e03a0
RBP: 00000000142d66a6 R08: 0000000000000000 R09: ffffad83a63f7c68
R10: 0000000000000003 R11: ffff966ebff11be0 R12: 00000000fffffff5
R13: ffff966536fe7000 R14: ffff966536fe7020 R15: ffffffffa1770b88
FS:  0000000000000000(0000) GS:ffff965e7f8c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe35dbcb7b0 CR3: 0000000f36c10001 CR4: 00000000000606e0
note: kworker/6:9[2498151] exited with preempt_count 1

Michael did a manual backport of 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()") which seems in fact to solve the issue.

Michael, can you please post your backport here for review from Paulo and Steve?

Regards,
Salvatore