Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp925690pxb;
        Thu, 9 Sep 2021 15:33:40 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJx7rMvKvGb3TrZ8c8lphK/+3ZcW/q/YQnnvdwB0Ix504JuOV7GB+XiEktGnpEuOGS7JAB3x
X-Received: by 2002:a6b:5819:: with SMTP id m25mr4542719iob.105.1631226820100;
        Thu, 09 Sep 2021 15:33:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1631226820; cv=none;
        d=google.com; s=arc-20160816;
        b=KTxbxm6z2wKazl/tn+UEpsNa1FXgU5oYHVseP1jibC6Fzo+AcqqesmquFpOSYV1CJX
         cv+ewb5PXw3KV/bSQWLL1I7/nMFyGCOHh5w6lpJ86d7EHELfGc0W+ddooaXrsjJpAx2Z
         qeJWsvSCHyXihvAXGsGVu8eJHgHejGjmZ0LMNOULDrLlhGfd6GaNfVvWfuDDbuRV5XTM
         jNLGSIvUkzNzkwF++h9aCWA9+gGbX77ZiTG/mTqv1AzFVl8z/E23xv08jeYn4vgMVC0b
         mnW+UEnXivibVSI++zT3DhAg6ITrr08kESs+jv/W7HBqtqunW7UeUaik1Ysi5kbuZqlM
         nT3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
        bh=KYEQfeb7GpLEDCgtN3fdOhil68NMIoT4dUWx2CTUaOM=;
        b=zRPn7IZRDSoy2b1YkW+cKdF9XCLOGPzaRRso95fVwyKsMZdMmwqI/HTrwxQQYIbySR
         k8y+7F1wmKUkZORPlAoqst3DxegdNrniBYi7det2jle5M5tVzhMeEaRp856jmJDLbaLz
         2JKMQsfncFU29DXJNAsFWXpL5qsg2HDcnf8h63FP6phV6klcrWBpcCcY9RV+ytKM/G0k
         ZAziETdcqh53sG30n1hpCSgEEXExUU451tuWdnUtbGeVGd1EXSAzuxcmtcp+8QgioKcz
         l/vvYlWRxSmJ5Vrnnh+12qzf0fsTqwKFIOXO/2Rmu+8EZGiEiXldQkF8cgcGGjP58UUd
         6GDw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=mwMdgObU;
       dkim=neutral (no key) header.i=@suse.de header.b=4YH6kkMW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id f5si2895294ion.100.2021.09.09.15.33.27;
        Thu, 09 Sep 2021 15:33:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=mwMdgObU;
       dkim=neutral (no key) header.i=@suse.de header.b=4YH6kkMW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1347476AbhIIVsG (ORCPT <rfc822;liyi.pear@gmail.com> + 99 others);
        Thu, 9 Sep 2021 17:48:06 -0400
Received: from smtp-out2.suse.de ([195.135.220.29]:40510 "EHLO
        smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232371AbhIIVsG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Sep 2021 17:48:06 -0400
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by smtp-out2.suse.de (Postfix) with ESMTPS id 013BE1FE36;
        Thu,  9 Sep 2021 21:46:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
        t=1631224015; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:  content-transfer-encoding:content-transfer-encoding;
        bh=KYEQfeb7GpLEDCgtN3fdOhil68NMIoT4dUWx2CTUaOM=;
        b=mwMdgObUrMFZuMH9wqCZ9lISzl9lK1Y0hbHv++uVjawAgYLlNI0XNt1Dz0h3ndDAeH0r3t
        tcEjX9lb3w2exIv3bRLS8QgPa/tyLSdwZRCgC55v77nVTktzU/9JMBEA4qkS9dUOBc+0Jj
        DNw7dfW383AesXmiJ7UjCiECRX+V9BI=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
        s=susede2_ed25519; t=1631224015;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:  content-transfer-encoding:content-transfer-encoding;
        bh=KYEQfeb7GpLEDCgtN3fdOhil68NMIoT4dUWx2CTUaOM=;
        b=4YH6kkMWx6y1VDuFj5jpY4ZACjleOt5hnhQ+r+csyCYbHdrqNQdFQF/xVswSadDeshciNc
        NcCbO0zK2vS8ldDA==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 87A9113CDF;
        Thu,  9 Sep 2021 21:46:54 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id csSOFM6AOmGAbwAAMHmgww
        (envelope-from <ematsumiya@suse.de>); Thu, 09 Sep 2021 21:46:54 +0000
From:   Enzo Matsumiya <ematsumiya@suse.de>
To:     linux-cifs@vger.kernel.org
Cc:     pc@cjr.nz, Enzo Matsumiya <ematsumiya@suse.de>,
        Steve French <sfrench@samba.org>,
        samba-technical@lists.samba.org, linux-kernel@vger.kernel.org
Subject: [PATCH] cifs: properly invalidate cached root handle when closing it
Date:   Thu,  9 Sep 2021 18:46:45 -0300
Message-Id: <20210909214646.8790-1-ematsumiya@suse.de>
X-Mailer: git-send-email 2.33.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Cached root file was not being completely invalidated sometimes.

Reproducing:
- With a DFS share with 2 targets, one disabled and one enabled
- start some I/O on the mount
  # while true; do ls /mnt/dfs; done
- at the same time, disable the enabled target and enable the disabled
  one
- wait for DFS cache to expire
- on reconnect, the previous cached root handle should be invalid, but
  open_cached_dir_by_dentry() will still try to use it, but throws a
  use-after-free warning (kref_get())

Make smb2_close_cached_fid() invalidate all fields every time, but only
send an SMB2_close() when the entry is still valid.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 fs/cifs/smb2ops.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 2dfd0d8297eb..1b9de38a136a 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -689,13 +689,19 @@ smb2_close_cached_fid(struct kref *ref)
 		cifs_dbg(FYI, "clear cached root file handle\n");
 		SMB2_close(0, cfid->tcon, cfid->fid->persistent_fid,
 			   cfid->fid->volatile_fid);
-		cfid->is_valid = false;
-		cfid->file_all_info_is_valid = false;
-		cfid->has_lease = false;
-		if (cfid->dentry) {
-			dput(cfid->dentry);
-			cfid->dentry = NULL;
-		}
+	}
+
+	/*
+	 * We only check validity above to send SMB2_close,
+	 * but we still need to invalidate these entries
+	 * when this function is called
+	 */
+	cfid->is_valid = false;
+	cfid->file_all_info_is_valid = false;
+	cfid->has_lease = false;
+	if (cfid->dentry) {
+		dput(cfid->dentry);
+		cfid->dentry = NULL;
 	}
 }
 
-- 
2.33.0