From: Steve French
Date: Sun, 8 Dec 2019 21:27:46 -0600
Subject: Re: refcount_t: underflow; use-after-free with CIFS umount after scsi-misc commit ef2cc88e2a205b8a11a19e78db63a70d3728cdf5
To: Linus Torvalds
Cc: Arthur Marsh, SCSI development list, Linux Kernel Mailing List, CIFS, "James E.J. Bottomley", ronnie sahlberg
X-Mailing-List: linux-kernel@vger.kernel.org

Arthur,
If you want to avoid the issue which causes the oops you can remove
this one line change (see below) but I (or Ronnie) will post a patch
for this - but wanted to discuss with him briefly first.

# git show 72e73c78c446e
commit 72e73c78c446e3c009a29b017c7fa3d79463e2aa
Author: Ronnie Sahlberg
Date:   Thu Nov 7 17:00:38 2019 +1000

    cifs: close the shared root handle on tree disconnect

    Signed-off-by: Ronnie Sahlberg
    Signed-off-by: Steve French

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 05149862aea4..acb70f67efc9 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c 
@@ -1807,6 +1807,8 @@ SMB2_tdis(const unsigned int xid, struct cifs_tcon *tcon) if ((tcon->need_reconnect) || (tcon->ses->need_reconnect)) return 0; + close_shroot(&tcon->crfid); + rc = smb2_plain_req_init(SMB2_TREE_DISCONNECT, tcon, (void **) &req, &total_len); if (rc)

On Sun, Dec 8, 2019 at 9:18 PM Steve French wrote:
>
> On Sun, Dec 8, 2019 at 8:23 PM Linus Torvalds wrote:
> >
> > On Sun, Dec 8, 2019 at 5:49 PM Arthur Marsh wrote:
> > >
> > > This still happens with 5.5.0-rc1:
> >
> > Does it happen 100% of the time?
>
> I can reproduce it (although it was a little more difficult since WiFi doesn't
> work on RC1 on some of my hardware - due to the 802.11 driver regression oops.
> I was able to reproduce it to Samba localhost).
> >
> > Your bisection result looks pretty nonsensical - not that it's
> > impossible (anything is possible), but it really doesn't look very
> > likely. Which makes me think maybe it's slightly timing-sensitive or
> > something?
>
> The bisection result is implausible. I just did some experiments and
> it looks far more likely is that it is related to commit
> 72e73c78c446e ("cifs: close the shared root handle on tree disconnect")
> so added Ronnie to the cc. That patch added a call (at unmount time)
> to close_shroot.
> The idea of that patch made sense - although tree disconnect (and then
> logoff of the session) will indirectly free any open handles on the
> server for that session, it is a little cleaner to close the cached
> root SMB3 file handle explicitly.
>
> void close_shroot(struct cached_fid *cfid)
> {
>         mutex_lock(&cfid->fid_mutex);
>         kref_put(&cfid->refcount, smb2_close_cached_fid);
>         mutex_unlock(&cfid->fid_mutex);
> }
>
>
> Taking out the one line change in the patch from last week that calls
> close_shroot from umount (SMB2_tdis, ie tree_disconnect) I don't see
> the problem so far more likely that it is related to that commit.
> The problem seems to be related to servers which don't support
> directory leases. Will spin up a patch to fix this if
> Ronnie hasn't already fixed it

--
Thanks,

Steve
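
Review bot: the added `close_shroot(&tcon->crfid);` call in SMB2_tdis is unconditional, so it drops a reference on the cached root handle whether or not this tcon ever took one. As quoted in the thread, close_shroot() goes straight to `kref_put(&cfid->refcount, smb2_close_cached_fid);` under fid_mutex with no check of the handle's state, so when the shared root handle was never opened (the thread points at servers without directory leases) the put has no matching get, which fits the refcount_t underflow reported on umount. Guard the call in SMB2_tdis with a check that the cached root handle is currently open and still holds its reference, or put that check inside close_shroot() before the kref_put. The commit message also carries only a subject line and sign-offs; a body saying why the explicit close is needed and which state the handle is expected to be in at tree disconnect would make the assumption reviewable.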