
Cifsd next #1

Merged
merged 4 commits into from
Feb 26, 2019

Conversation

namjaejeon
Member

No description provided.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
add force uid/gid params to share config

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
@namjaejeon namjaejeon merged commit ba6786e into cifsd-team:cifsd-next Feb 26, 2019
namjaejeon pushed a commit that referenced this pull request Apr 2, 2019
[   98.201610] ============================================
[   98.201611] WARNING: possible recursive locking detected
[   98.201612] 5.1.0-rc2-next-20190329-dbg-00002-gfde3b766bb09-dirty #3230 Not tainted
[   98.201613] --------------------------------------------
[   98.201614] kworker/0:1/12 is trying to acquire lock:
[   98.201615] 00000000cdd84f20 (&type->i_mutex_dir_key#6){++++}, at: vfs_rmdir+0x51/0x140
[   98.201618]
               but task is already holding lock:
[   98.201619] 000000004f138e05 (&type->i_mutex_dir_key#6){++++}, at: cifsd_vfs_unlink+0x30/0xc0 [cifsd]
[   98.201625]
               other info that might help us debug this:
[   98.201625]  Possible unsafe locking scenario:

[   98.201626]        CPU0
[   98.201627]        ----
[   98.201627]   lock(&type->i_mutex_dir_key#6);
[   98.201628]   lock(&type->i_mutex_dir_key#6);
[   98.201629]
                *** DEADLOCK ***

[   98.201630]  May be due to missing lock nesting notation

[   98.201631] 3 locks held by kworker/0:1/12:
[   98.201631]  #0: 00000000b05e76c6 ((wq_completion)events){+.+.}, at: process_one_work+0x198/0x570
[   98.201634]  #1: 00000000dc7a5814 ((work_completion)(&work->work)){+.+.}, at: process_one_work+0x198/0x570
[   98.201636]  #2: 000000004f138e05 (&type->i_mutex_dir_key#6){++++}, at: cifsd_vfs_unlink+0x30/0xc0 [cifsd]
[   98.201640]
               stack backtrace:
[   98.201642] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc2-next-20190329-dbg-00002-gfde3b766bb09-dirty #3230
[   98.201647] Workqueue: events handle_cifsd_work [cifsd]
[   98.201648] Call Trace:
[   98.201650]  dump_stack+0x67/0x90
[   98.201652]  __lock_acquire.cold+0x1ec/0x2f1
[   98.201655]  ? get_cached_acl+0x2e/0x220
[   98.201656]  lock_acquire+0x9a/0x170
[   98.201657]  ? vfs_rmdir+0x51/0x140
[   98.201658]  down_write+0x38/0x70
[   98.201660]  ? vfs_rmdir+0x51/0x140
[   98.201660]  vfs_rmdir+0x51/0x140
[   98.201664]  cifsd_vfs_unlink+0xbb/0xc0 [cifsd]
[   98.201668]  close_fp+0x267/0x2b0 [cifsd]
[   98.201672]  smb2_close+0x18a/0x250 [cifsd]
[   98.201677]  handle_cifsd_work+0x17f/0x3a0 [cifsd]
[   98.201679]  process_one_work+0x21b/0x570
[   98.201681]  worker_thread+0x50/0x3b0
[   98.201682]  kthread+0x105/0x140
[   98.201684]  ? process_one_work+0x570/0x570
[   98.201685]  ? kthread_create_on_node+0x40/0x40
[   98.201687]  ret_from_fork+0x3a/0x50

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
namjaejeon pushed a commit that referenced this pull request Jul 2, 2019
SMBD patch set introduces a NULL pointer deref regression.
The problem is that we now have two task_struct *handler
in `struct cifsd_conn' and in `struct cifsd_transport'.

TCP and SMBD transports set the `struct cifsd_transport' handler,
while core kcifsd still uses the `struct cifsd_conn' handler,
which is never set and is always NULL.

BUG: kernel NULL pointer dereference, address: 00000000000003a8
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP KASAN PTI
CPU: 5 PID: 157 Comm: kworker/5:2 Tainted: G    B             5.2.0-rc6-next-20190625-dbg-00015-g3cff3aba2ff6-dirty #3470
Workqueue: events_long server_ctrl_handle_work [cifsd]
RIP: 0010:stop_sessions.cold+0x33/0x7a [cifsd]
Code: c8 bd da 48 8d bd 88 00 00 00 c7 45 40 02 00 00 00 e8 a4 c8 bd da 4c 8b a5 88 00 00 00 49 8d bc 24 a8 03 00 00 e8 a0 c7 bd da <45> 8b 84 24 a8 03 00 00 49 8d 8c 24 48 05 00 00 ba 7d 01 00 00 48
RSP: 0018:ffff8883c2747dd8 EFLAGS: 00010282
RAX: ffff8883c6429cc0 RBX: 00000000fffffe00 RCX: ffffffff9ba68772
RDX: 1ffffffff3ddcde6 RSI: 0000000000000282 RDI: ffffffff9eee6f30
RBP: ffff88837161db68 R08: 000000000000002c R09: fffffbfff39dab39
R10: fffffbfff39dab38 R11: ffffffff9ced59c7 R12: 0000000000000000
R13: ffff8883c1cf01c0 R14: ffff8883c23f99a0 R15: ffff8883ceb70dc0
FS:  0000000000000000(0000) GS:ffff8883ceb40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000003a8 CR3: 000000027c60c004 CR4: 00000000001706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 cifsd_conn_transport_destroy+0x1b/0x30 [cifsd]
 server_ctrl_handle_work+0x48/0x90 [cifsd]
 process_one_work+0x376/0x690
 worker_thread+0x7a/0x5e0
 kthread+0x1a8/0x200
 ? process_one_work+0x690/0x690
 ? kthread_create_on_node+0xa0/0xa0
 ret_from_fork+0x35/0x40

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
namjaejeon pushed a commit that referenced this pull request Jul 9, 2019
alloc_iface() should use cifsd_alloc(), so we will add to the
iface list properly zero-initialized ifaces. Currently we add
iface with garbage in ->cifsd_kthread and ->cifsd_socket, which
may result in Oops-es once we want to destroy such interfaces.

Oops dereferencing garbage ->cifsd_socket

 BUG: unable to handle page fault for address: 000000000000638e
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP PTI
 RIP: 0010:kernel_sock_shutdown+0x9/0x20
 Call Trace:
  tcp_destroy_socket.part.0+0x13/0x3b [cifsd]
  cifsd_tcp_destroy+0xa8/0xfc [cifsd]
  cifsd_conn_transport_destroy+0x1d/0xa0 [cifsd]
  server_ctrl_handle_work+0x40/0x80 [cifsd]
  process_one_work+0x19e/0x370
  worker_thread+0x41/0x3a0
  kthread+0x105/0x140
  ? process_one_work+0x370/0x370
  ? kthread_create_on_node+0x40/0x40
  ret_from_fork+0x35/0x40

Oops dereferencing garbage ->cifsd_kthread

 BUG: unable to handle page fault for address: 0000000000007970
 PF: supervisor write access in kernel mode
 PF: error_code(0x0002) - not-present page
 PGD 0 P4D 0
 Oops: 0002 [#1] SMP PTI
 RIP: 0010:kthread_stop+0x2c/0x120
 Call Trace:
  cifsd_tcp_destroy+0x7f/0xc0 [cifsd]
  cifsd_conn_transport_destroy+0x1d/0xa0 [cifsd]
  server_ctrl_handle_work+0x40/0x80 [cifsd]
  process_one_work+0x19e/0x370
  worker_thread+0x41/0x3a0
  kthread+0x105/0x140
  ? process_one_work+0x370/0x370
  ? kthread_create_on_node+0x40/0x40
  ret_from_fork+0x35/0x40

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
namjaejeon added a commit that referenced this pull request Jul 16, 2019
I found a racy issue between sock_release and kernel_accept.
We need to protect cifsd_socket using a mutex lock.

sh-3.2# killall cifsd
sending signal 15 to procs
[2-635.6220] send signal SIG : 15, killall(288)->cifsd(282) handler:0x155d0 __send_signal
[2-635.6221] send signal SIG : 15, cifsd(282)->cifsd(283) handler:0x15a60 __send_signal
[2-635.6221] send signal SIG : 15, killall(288)->cifsd(283) handler:0x15a60 __send_signal
[cifsd-worker/283]: ERROR: Child received signal: 15 (Terminated)
[cifsd-manager/282]: INFO: Exiting. Bye!
sh-3.2#
[1]+  Interrupt               ./cifsd -n
sh-3.2#
sh-3.2#
sh-3.2#
sh-3.2#
sh-3.2#
sh-3.2# [1-721.3681] kcifsd: cifsd_ipc_heartbeat:493: No IPC daemon response for 100s
[1-721.3694] Unable to handle kernel NULL pointer dereference at virtual address 00000141
[1-721.3773] pc : [<c0522704>]    lr : [<c02325e4>]    psr: 60000013
[1-721.3773] sp : e1a57ed0  ip : e1a57ef0  fp : e1a57eec
[1-721.3773] r10: c0a27800  r9 : e3a16a00  r8 : c0a35fb8
[1-721.3773] r7 : 00000800  r6 : e3a16a00  r5 : e3a16a00  r4 : e1a57f08
[1-721.3773] r3 : e1a57f08  r2 : 00000800  r1 : 00000142  r0 : 00000000
[1-721.3773] Code: e1a04001 e3001142 e1a07002 e1a03004 (e5d02141)
[1-721.3773] pgd = c0003000
[1-721.3773] [00000141] *pgd=80000040004003, *pmd=00000000
[1-721.3773]
[1-721.3773] Die cpu info :
[1-721.3773] Internal error: Oops: 206 [#1] PREEMPT SMP ARM
[1-721.3773] CPU: 1 PID: 284 Comm: kcifsd-eth0 Tainted: PO 4.1.10 #1 PPID: 2 PComm: kthreadd
[1-721.3773] SCHED_NORMAL (p:120, static_p:120, normal_p:120, rt_p:0)
[1-721.3773] Hardware name: Samsung SDP1601(Flattened Device Tree)
[1-721.3773] task: e3100600 ti: e1a56000 task.ti: e1a56000
[1-721.3773] PC is at kernel_accept+0x2c/0xa8
[1-721.3773] LR is at cifsd_kthread_fn+0xac/0x240
[1-721.3773] pc : [<c0522704>]    lr : [<c02325e4>]    psr: 60000013
[1-721.3773] sp : e1a57ed0  ip : e1a57ef0  fp : e1a57eec
[1-721.3773] r10: c0a27800  r9 : e3a16a00  r8 : c0a35fb8
[1-721.3773] r7 : 00000800  r6 : e3a16a00  r5 : e3a16a00  r4 : e1a57f08
[1-721.3774] r3 : e1a57f08  r2 : 00000800  r1 : 00000142  r0 : 00000000
[1-721.3774] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[1-721.3774] Control: 30c5383d  Table: 8c218f80  DAC: 55555555
[1-721.3774] Process kcifsd-eth0 (pid: 284, stack limit = 0xe1a56210)
[1-721.3774] Stack: (0xe1a57ed0 to 0xe1a58000)
[1-721.3774] 7ec0:                                     fffffff5 e197df80 e3a16a00 c0232538
[1-721.3774] 7ee0: e1a57f3c e1a57ef0 c02325e4 c05226e4 a0000013 c0232538 c0234fb0 c07d3c24
[1-721.3774] 7f00: c0901430 e3a16a00 00000000 00000000 00000000 00000000 e197df80 e3a16a00
[1-721.3774] 7f20: c0232538 00000000 00000000 00000000 e1a57fac e1a57f40 c00501a4 c0232544
[1-721.3774] 7f40: e1a57f64 00000002 e507b880 e3a16a00 00000000 00000000 dead4ead ffffffff

Signed-off-by: Namjae Jeon <linkinjeon@gmail.com>
sergey-senozhatsky added a commit that referenced this pull request Sep 6, 2019
We have no way to debug xfstest/smbtorture test failures, mainly because
travis-ci is configured to panic() the kernel whenever it encounters any
problems.

Add a simple script, which makes it possible to debug oops-es and so on.

The basic usage is quite simple. Just replace the direct test execution
command:

   sudo ./check generic/117

with

 ~/travis_cmd_wrapper.pl "sudo ./check generic/117" 180

180 is an optional timeout value (in seconds). If the test does not
finish on time, the script will print top, free and dmesg to stdout.

This is how we managed to figure out that generic/117 panics the kernel
in cifs client code:

[  692.974544] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[  693.008812] CIFS VFS: buffer length 0 smaller than minimum size 8
[  693.038229] general protection fault: 0000 [#1] SMP PTI
[  693.043767] Modules linked in: cmac md4 cifs ccm fscache cifsd(OE) ipt_MASQUERADE nf_nat_masquerade_ipv4 xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat br_netfilter bridge stp llc overlay aufs binfmt_misc nls_iso8859_1 kvm_intel kvm irqbypass input_leds pvpanic serio_raw sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse virtio_net
[  693.108816] CPU: 0 PID: 32470 Comm: cifsd Tainted: G           OE    4.15.0-1040-gcp #42-Ubuntu
[  693.117625] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  693.126963] RIP: 0010:prefetch_freepointer+0x15/0x30
[  693.132038] RSP: 0018:ffffc37a43d1bda0 EFLAGS: 00010286
[  693.137377] RAX: 0000000000000000 RBX: ee209060bb22d805 RCX: 000000000055e56e
[  693.144620] RDX: 000000000055e56d RSI: ee209060bb22d805 RDI: ffffa0fc16aeb980
[  693.151871] RBP: ffffc37a43d1bda0 R08: ffffa0fc1fc2b480 R09: 0000000000000000
[  693.159119] R10: afb504000afb5041 R11: 00000000000002f7 R12: 0000000001011200
[  693.166370] R13: ffffa0fc16aeb980 R14: ffffa0fa84eba700 R15: ffffa0fc16aeb980
[  693.173660] FS:  0000000000000000(0000) GS:ffffa0fc1fc00000(0000) knlGS:0000000000000000
[  693.181907] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  693.187758] CR2: 00007f57f53aebb0 CR3: 0000000145a0a006 CR4: 00000000001606f0
[  693.195040] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  693.202283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  693.209534] Call Trace:
[  693.212096]  kmem_cache_alloc+0xa2/0x1b0
[  693.216138]  ? mempool_alloc_slab+0x15/0x20
[  693.220453]  ? wait_woken+0x80/0x80
[  693.224056]  mempool_alloc_slab+0x15/0x20
[  693.228175]  mempool_alloc+0x71/0x190
[  693.231981]  cifs_small_buf_get+0x1a/0x30 [cifs]
[  693.236724]  cifs_demultiplex_thread+0x5c7/0xb30 [cifs]
[  693.242060]  ? __schedule+0x29e/0x8a0
[  693.245840]  kthread+0x121/0x140
[  693.249186]  ? cifs_handle_standard+0x190/0x190 [cifs]
[  693.254434]  ? kthread_create_worker_on_cpu+0x70/0x70
[  693.259604]  ret_from_fork+0x3a/0x50
[  693.263287] Code: eb bb 49 8b 74 24 60 48 c7 c7 80 65 ce a1 e8 93 89 ea ff eb 90 90 0f 1f 44 00 00 55 48 85 f6 48 89 e5 74 14 48 63 47 20 48 01 c6 <48> 33 36 48 33 b7 40 01 00 00 0f 18 0e 5d c3 66 90 66 2e 0f 1f
[  693.282278] RIP: prefetch_freepointer+0x15/0x30 RSP: ffffc37a43d1bda0
[  693.288896] ---[ end trace 44c8fa8f0f46542d ]---

There was no way for us to figure this out previously.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
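The commit above describes the wrapper's behaviour but the page does not carry the Perl script itself. The following is an added C equivalent written for this page, not the project's travis_cmd_wrapper.pl: it runs a shell command under a timeout and, when the timeout expires, prints the same three diagnostics the commit names (top, free, dmesg) before killing the command. The function name `run_with_timeout`, the exit codes and the polling interval are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Added example: a C equivalent of the wrapper described in the commit
 * message, not the project's travis_cmd_wrapper.pl. Semantics follow the
 * message: run a shell command; if it does not finish within timeout_s
 * seconds, print top, free and dmesg, kill it and report the timeout. */

/* The three commands the commit message names. A missing tool only makes
 * the shell print an error; it does not change the return value. */
static void dump_diagnostics(void)
{
    fflush(stdout);
    system("top -b -n 1 | head -n 25");
    system("free -m");
    system("dmesg | tail -n 100");
}

/* Returns the command's exit status (signals mapped to 128+sig),
 * -1 on timeout, -2 if the child could not be started or waited for. */
int run_with_timeout(const char *cmd, int timeout_s)
{
    const struct timespec poll = { 0, 200 * 1000 * 1000 }; /* 200 ms */
    pid_t pid = fork();

    if (pid < 0)
        return -2;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec failed */
    }

    time_t deadline = time(NULL) + timeout_s;
    for (;;) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);

        if (r == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status)
                                     : 128 + WTERMSIG(status);
        if (r < 0)
            return -2;
        if (time(NULL) >= deadline) {
            fprintf(stderr, "timeout after %d s: %s\n", timeout_s, cmd);
            dump_diagnostics();
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return -1;
        }
        nanosleep(&poll, NULL);
    }
}

/* Usage mirrors the commit: ./wrapper "sudo ./check generic/117" 180 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s \"command\" [timeout_s]\n", argv[0]);
        return 2;
    }
    int timeout_s = argc > 2 ? atoi(argv[2]) : 180;
    int rc = run_with_timeout(argv[1], timeout_s);

    return rc < 0 ? 124 : rc;
}
```

The wrapper polls rather than blocking in `waitpid()`, so a test that wedges the kernel's SMB threads still lets the diagnostics run on the host before the child is killed; exit code 124 on timeout follows the convention of coreutils `timeout`.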
namjaejeon added a commit that referenced this pull request Dec 12, 2019
sh-3.2# [0-176.3676] =============================================================================
[0-176.3677] BUG kmalloc-64 (Tainted: PO): Object already free
[0-176.3677] -----------------------------------------------------------------------------
[0-176.3677]
[0-176.3677] Disabling lock debugging due to kernel taint
[0-176.3677] INFO: Allocated in cifsd_vfs_getxattr+0x40/0x78 age=0 cpu=0 pid=46
[0-176.3677]    __kmalloc+0xfc/0x25c
[0-176.3677]    cifsd_vfs_getxattr+0x40/0x78
[0-176.3677]    smb2_open+0x1860/0x19f0
[0-176.3677]    handle_cifsd_work+0x234/0x418
[0-176.3677]    process_one_work+0x214/0x570
[0-176.3677]    worker_thread+0x60/0x580
[0-176.3677]    kthread+0xec/0x104
[0-176.3677]    ret_from_fork+0x14/0x3c
[0-176.3677] INFO: Freed in cifsd_free_response+0x58/0x60 age=0 cpu=0 pid=46
[0-176.3677]    kfree+0x224/0x2a4
[0-176.3677]    cifsd_free_response+0x58/0x60
[0-176.3677]    cifsd_free+0x18/0x20
[0-176.3678]    smb2_open+0x1880/0x19f0
[0-176.3678]    handle_cifsd_work+0x234/0x418
[0-176.3678]    process_one_work+0x214/0x570
[0-176.3678]    worker_thread+0x60/0x580
[0-176.3678]    kthread+0xec/0x104
[0-176.3678] INFO: Slab 0xe5ac3340 objects=32 used=29 fp=0xe2a1a300 flags=0x45800081
[0-176.3678] INFO: Object 0xe2a1a300 @offset=768 fp=0xe2a1a980
[0-176.3678]
[0-176.3678] Bytes b4 e2a1a2f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[0-176.3678] Object e2a1a300: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[0-176.3678] Object e2a1a310: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[0-176.3678] Object e2a1a320: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[0-176.3678] Object e2a1a330: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[0-176.3678] Redzone e2a1a340: bb bb bb bb                                      ....
[0-176.3678] Padding e2a1a368: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[0-176.3678] Padding e2a1a378: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[0-176.3678] CPU: 0 PID: 46 Comm: kworker/0:1 Tainted: PBO 4.1.10 #1 PPID: 2 PComm: kthreadd
[0-176.3678] SCHED_NORMAL (p:120, static_p:120, normal_p:120, rt_p:0)
[0-176.3678] Hardware name: Samsung SDP1601(Flattened Device Tree)
[0-176.3678] Workqueue: kcifsd-io handle_cifsd_work
[0-176.3679] Backtrace:
[0-176.3679] [<c0014af0>] (dump_backtrace) from [<c0015de0>] (show_stack+0x20/0x28)
[0-176.3679]  r7:c0951dfc r6:00000000 r5:60000093 r4:c0980058
[0-176.3679] [<c0015dc0>] (show_stack) from [<c0689168>] (dump_stack+0xf4/0x148)
[0-176.3679] [<c0689074>] (dump_stack) from [<c01872e4>] (print_trailer+0x128/0x1b8)
[0-176.3679]  r10:c02793fc r9:e35b6000 r8:e35b7cbc r7:e2a1a010 r6:e2a1a340 r5:e45010c0
[0-176.3679]  r4:e2a1a368
[0-176.3679] [<c01871bc>] (print_trailer) from [<c0187cd0>] (free_debug_processing+0x21c/0x344)
[0-176.3679]  r7:e2a1a300 r6:e4500f80 r5:e45010c0 r4:e5ac3340
[0-176.3679] [<c0187ab4>] (free_debug_processing) from [<c018aa94>] (__slab_free+0x348/0x4bc)
[0-176.3679]  r10:00000000 r9:e45010c0 r8:e35b7d30 r7:e45010c0 r6:c02793fc r5:00010d00
[0-176.3680]  r4:e5ac3340
[0-176.3680] [<c018a74c>] (__slab_free) from [<c018b2c0>] (kfree+0x224/0x2a4)
[0-176.3680]  r10:00000000 r9:e35b6000 r8:e35b7d30 r7:e45010c0 r6:c02793fc r5:e2a1a300
[0-176.3680]  r4:e5ac3340
[0-176.3680] [<c018b09c>] (kfree) from [<c02793fc>] (cifsd_free_response+0x58/0x60)
[0-176.3680]  r10:e273ac00 r9:00000000 r8:e1a19680 r7:00000000 r6:e198e400 r5:e1a05b80
[0-176.3680]  r4:e196e180
[0-176.3680] [<c02793a4>] (cifsd_free_response) from [<c027943c>] (cifsd_free+0x18/0x20)
[0-176.3680] [<c0279424>] (cifsd_free) from [<c0282b0c>] (smb2_open+0x18b0/0x19f0)
[0-176.3680] [<c028125c>] (smb2_open) from [<c027bd74>] (handle_cifsd_work+0x234/0x418)
[0-176.3680]  r10:c0979a68 r9:c06d48a4 r8:c0845b5c r7:e196e1d0 r6:00000005 r5:e196e180
[0-176.3680]  r4:e198d680
[0-176.3680] [<c027bb40>] (handle_cifsd_work) from [<c0049e90>] (process_one_work+0x214/0x570)
[0-176.3681]  r10:00000000 r9:e35b6000 r8:e5072b00 r7:00000000 r6:e506d440 r5:e357ea80
[0-176.3681]  r4:e196e1d0
[0-176.3681] [<c0049c7c>] (process_one_work) from [<c004a24c>] (worker_thread+0x60/0x580)
[0-176.3681]  r10:e506d440 r9:e35b6000 r8:e506d464 r7:00000008 r6:e506d440 r5:e357ea98
[0-176.3681]  r4:e357ea80
[0-176.3681] [<c004a1ec>] (worker_thread) from [<c00501a4>] (kthread+0xec/0x104)
[0-176.3681]  r10:00000000 r9:00000000 r8:00000000 r7:c004a1ec r6:e357ea80 r5:e3594180
[0-176.3681]  r4:00000000
[0-176.3681] [<c00500b8>] (kthread) from [<c00107d8>] (ret_from_fork+0x14/0x3c)
[0-176.3681]  r7:00000000 r6:00000000 r5:c00500b8 r4:e3594180
[0-176.3854] FIX kmalloc-64: Object at 0xe2a1a300 not freed
[0-183.8486] =============================================================================
[0-183.8487] BUG kmalloc-64 (Tainted: PBO): Object already free
[0-183.8487] -----------------------------------------------------------------------------
[0-183.8487]
[0-183.8487] INFO: Allocated in cifsd_vfs_getxattr+0x40/0x78 age=0 cpu=0 pid=46
[0-183.8487]    __kmalloc+0xfc/0x25c
[0-183.8487]    cifsd_vfs_getxattr+0x40/0x78
[0-183.8487]    smb2_open+0x1860/0x19f0
[0-183.8487]    handle_cifsd_work+0x234/0x418
[0-183.8487]    process_one_work+0x214/0x570
[0-183.8487]    worker_thread+0x60/0x580
[0-183.8487]    kthread+0xec/0x104
[0-183.8487]    ret_from_fork+0x14/0x3c
[0-183.8487] INFO: Freed in cifsd_free_response+0x58/0x60 age=0 cpu=0 pid=46
[0-183.8487]    kfree+0x224/0x2a4
[0-183.8487]    cifsd_free_response+0x58/0x60
[0-183.8487]    cifsd_free+0x18/0x20
[0-183.8487]    smb2_open+0x1880/0x19f0
[0-183.8488]    handle_cifsd_work+0x234/0x418
[0-183.8488]    process_one_work+0x214/0x570
[0-183.8488]    worker_thread+0x60/0x580
[0-183.8488]    kthread+0xec/0x104
[0-183.8488] INFO: Slab 0xe5ac1ba0 objects=32 used=30 fp=0xe295d800 flags=0x45800081
[0-183.8488] INFO: Object 0xe295d800 @offset=2048 fp=0xe295d880
[0-183.8488]
[0-183.8488] Bytes b4 e295d7f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[0-183.8488] Object e295d800: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[0-183.8488] Object e295d810: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[0-183.8488] Object e295d820: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[0-183.8488] Object e295d830: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[0-183.8488] Redzone e295d840: bb bb bb bb                                      ....
[0-183.8488] Padding e295d868: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[0-183.8488] Padding e295d878: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[0-183.8488] CPU: 0 PID: 46 Comm: kworker/0:1 Tainted: PBO 4.1.10 #1 PPID: 2 PComm: kthreadd
[0-183.8488] SCHED_NORMAL (p:120, static_p:120, normal_p:120, rt_p:0)
[0-183.8488] Hardware name: Samsung SDP1601(Flattened Device Tree)
[0-183.8488] Workqueue: kcifsd-io handle_cifsd_work
[0-183.8488] Backtrace:
[0-183.8488] [<c0014af0>] (dump_backtrace) from [<c0015de0>] (show_stack+0x20/0x28)
[0-183.8488]  r7:c0951dfc r6:00000000 r5:60000093 r4:c0980058
[0-183.8489] [<c0015dc0>] (show_stack) from [<c0689168>] (dump_stack+0xf4/0x148)
[0-183.8489] [<c0689074>] (dump_stack) from [<c01872e4>] (print_trailer+0x128/0x1b8)
[0-183.8489]  r10:c02793fc r9:e35b6000 r8:e35b7cbc r7:e295d010 r6:e295d840 r5:e45010c0
[0-183.8489]  r4:e295d868
[0-183.8489] [<c01871bc>] (print_trailer) from [<c0187cd0>] (free_debug_processing+0x21c/0x344)
[0-183.8489]  r7:e295d800 r6:e4500f80 r5:e45010c0 r4:e5ac1ba0
[0-183.8489] [<c0187ab4>] (free_debug_processing) from [<c018aa94>] (__slab_free+0x348/0x4bc)
[0-183.8489]  r10:00000000 r9:e45010c0 r8:e35b7d30 r7:e45010c0 r6:c02793fc r5:00010d00
[0-183.8489]  r4:e5ac1ba0
[0-183.8489] [<c018a74c>] (__slab_free) from [<c018b2c0>] (kfree+0x224/0x2a4)
[0-183.8489]  r10:00000000 r9:e35b6000 r8:e35b7d30 r7:e45010c0 r6:c02793fc r5:e295d800
[0-183.8489]  r4:e5ac1ba0
[0-183.8489] [<c018b09c>] (kfree) from [<c02793fc>] (cifsd_free_response+0x58/0x60)
[0-183.8489]  r10:e273ac00 r9:00000000 r8:e14e8500 r7:00000000 r6:e198e400 r5:e1943340
[0-183.8489]  r4:e196ecc0
[0-183.8489] [<c02793a4>] (cifsd_free_response) from [<c027943c>] (cifsd_free+0x18/0x20)
[0-183.8490] [<c0279424>] (cifsd_free) from [<c0282b0c>] (smb2_open+0x18b0/0x19f0)
[0-183.8490] [<c028125c>] (smb2_open) from [<c027bd74>] (handle_cifsd_work+0x234/0x418)
[0-183.8490]  r10:c0979a68 r9:c06d48a4 r8:c0845b5c r7:e196ed10 r6:00000005 r5:e196ecc0
[0-183.8490]  r4:e198d680
[0-183.8490] [<c027bb40>] (handle_cifsd_work) from [<c0049e90>] (process_one_work+0x214/0x570)
[0-183.8490]  r10:00000000 r9:e35b6000 r8:e5072b00 r7:00000000 r6:e506d440 r5:e357ea80
[0-183.8490]  r4:e196ed10
[0-183.8490] [<c0049c7c>] (process_one_work) from [<c004a24c>] (worker_thread+0x60/0x580)
[0-183.8490]  r10:e506d440 r9:e35b6000 r8:e506d464 r7:00000008 r6:e506d440 r5:e357ea98
[0-183.8490]  r4:e357ea80
[0-183.8490] [<c004a1ec>] (worker_thread) from [<c00501a4>] (kthread+0xec/0x104)
[0-183.8490]  r10:00000000 r9:00000000 r8:00000000 r7:c004a1ec r6:e357ea80 r5:e3594180
[0-183.8490]  r4:00000000
[0-183.8490] [<c00500b8>] (kthread) from [<c00107d8>] (ret_from_fork+0x14/0x3c)
[0-183.8490]  r7:00000000 r6:00000000 r5:c00500b8 r4:e3594180
[0-183.8491] FIX kmalloc-64: Object at 0xe295d800 not freed

Signed-off-by: Namjae Jeon <linkinjeon@gmail.com>
@mrkiko mrkiko mentioned this pull request Apr 22, 2020
namjaejeon added a commit that referenced this pull request Jul 2, 2021
A BUG_ON trap occurs when running xfstests generic/591 with
smb2 leases = yes in smb.conf.

[  597.224978] list_add double add: new=ffff9110d292bb20,
prev=ffff9110d292bb20, next=ffff9110d6c389e8.
[  597.225073] ------------[ cut here ]------------
[  597.225077] kernel BUG at lib/list_debug.c:31!
[  597.225090] invalid opcode: 0000 [#1] SMP PTI
[  597.225095] CPU: 2 PID: 501 Comm: kworker/2:3 Tainted: G           OE
5.13.0-rc1+ #2
[  597.225099] Hardware name: SAMSUNG ELECTRONICS CO., LTD. Samsung
DeskTop System/SAMSUNG_DT1234567890, BIOS P04KBM.022.121023.SK
10/23/2012
[  597.225102] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[  597.225125] RIP: 0010:__list_add_valid+0x66/0x70
[  597.225132] Code: 0b 48 89 c1 4c 89 c6 48 c7 c7 c8 08 c0 95 e8 fd 54
66 00 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 20 09 c0 95 e8 e6 54 66
00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 8b 07 48 b9 00 01 00 00 00 00
[  597.225136] RSP: 0018:ffffb9c9408dbac0 EFLAGS: 00010282
[  597.225139] RAX: 0000000000000058 RBX: ffff9110d292ba40 RCX:
0000000000000000
[  597.225142] RDX: 0000000000000000 RSI: ffff9111da328c30 RDI:
ffff9111da328c30
[  597.225144] RBP: ffffb9c9408dbac0 R08: 0000000000000001 R09:
0000000000000001
[  597.225147] R10: 0000000003dd35ed R11: ffffb9c9408db888 R12:
ffff9110d6c38998
[  597.225149] R13: ffff9110d6c38800 R14: ffff9110d292bb20 R15:
ffff9110d292bb20
[  597.225152] FS:  0000000000000000(0000) GS:ffff9111da300000(0000)
knlGS:0000000000000000
[  597.225155] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  597.225157] CR2: 00007fd1629f84d0 CR3: 00000000c9a12006 CR4:
00000000001706e0
[  597.225160] Call Trace:
[  597.225163]  setup_async_work+0xa2/0x120 [ksmbd]
[  597.225191]  oplock_break+0x396/0x5d0 [ksmbd]
[  597.225206]  smb_grant_oplock+0x7a1/0x900 [ksmbd]
[  597.225218]  ? smb_grant_oplock+0x7a1/0x900 [ksmbd]
[  597.225231]  smb2_open+0xbbb/0x2960 [ksmbd]
[  597.225243]  ? smb2_open+0xbbb/0x2960 [ksmbd]
[  597.225257]  ? find_held_lock+0x35/0xa0
[  597.225261]  ? xa_load+0xaf/0x160
[  597.225268]  handle_ksmbd_work+0x2e0/0x420 [ksmbd]
[  597.225280]  ? handle_ksmbd_work+0x2e0/0x420 [ksmbd]
[  597.225292]  process_one_work+0x25a/0x5d0
[  597.225298]  worker_thread+0x3f/0x3a0
[  597.225302]  ? __kthread_parkme+0x6f/0xa0
[  597.225306]  ? process_one_work+0x5d0/0x5d0
[  597.225309]  kthread+0x142/0x160
[  597.225313]  ? kthread_park+0x90/0x90
[  597.225316]  ret_from_fork+0x22/0x30

The same work struct can be added to the list in smb_break_all_write_oplock() and
smb_grant_oplock(). If a client sends an invalid lease break ack to the server,
this issue can occur by calling both functions.

Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
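The "list_add double add" message in the oops above is the kernel's list-debug check firing because the same work struct was linked twice. The following added example, not ksmbd code, reproduces that check on a minimal intrusive list and shows the defensive queue helper that makes a second queueing attempt from another path a clean error instead of a corrupted list. The list primitives, `struct async_work` and `queue_async_work()` are this example's own names, modelled on the kernel's list_head API.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not ksmbd code: a minimal intrusive doubly linked list in
 * the style of the kernel's list_head, the insertion check behind the
 * "list_add double add" message (entry == prev or entry == next), and a
 * queue helper that refuses to queue a work item already on a list. */

struct list_head {
    struct list_head *next, *prev;
};

static void INIT_LIST_HEAD(struct list_head *h)
{
    h->next = h;
    h->prev = h;
}

static int list_empty(const struct list_head *h)
{
    return h->next == h;
}

/* Returns 1 if inserting entry between prev and next keeps the list
 * consistent, 0 otherwise (the kernel's lib/list_debug.c BUG()s here). */
static int list_add_valid(const struct list_head *entry,
                          const struct list_head *prev,
                          const struct list_head *next)
{
    if (next->prev != prev || prev->next != next)
        return 0;                       /* neighbours already corrupt */
    if (entry == prev || entry == next)
        return 0;                       /* "list_add double add" */
    return 1;
}

/* Append at the tail; returns -1 instead of crashing on an invalid add. */
static int list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev, *next = head;

    if (!list_add_valid(entry, prev, next))
        return -1;
    next->prev = entry;
    entry->next = next;
    entry->prev = prev;
    prev->next = entry;
    return 0;
}

/* Unlink and reinitialise so list_empty() reports "not queued" again. */
static void list_del_init(struct list_head *entry)
{
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    INIT_LIST_HEAD(entry);
}

static size_t list_count(const struct list_head *head)
{
    size_t n = 0;

    for (const struct list_head *p = head->next; p != head; p = p->next)
        n++;
    return n;
}

struct async_work {
    int id;
    struct list_head list;   /* must be INIT_LIST_HEAD()ed at allocation */
};

/* Two call paths may both decide to queue the same work (the commit names
 * smb_break_all_write_oplock() and smb_grant_oplock()). Checking the node's
 * own links first turns the second attempt into an error, not corruption. */
int queue_async_work(struct async_work *w, struct list_head *pending)
{
    if (!list_empty(&w->list))
        return -EALREADY;
    return list_add_tail(&w->list, pending) == 0 ? 0 : -EINVAL;
}

int main(void)
{
    struct list_head pending;
    struct async_work w = { .id = 1 };

    INIT_LIST_HEAD(&pending);
    INIT_LIST_HEAD(&w.list);
    printf("first queue:  %d\n", queue_async_work(&w, &pending));
    printf("second queue: %d (EALREADY)\n", queue_async_work(&w, &pending));
    printf("raw double add rejected: %d\n", list_add_tail(&w.list, &pending));
    printf("pending items: %zu\n", list_count(&pending));
    return 0;
}
```

The guard only works if every removal goes through `list_del_init()`, which is why the kernel distinguishes it from plain `list_del()`: a node whose links still point into a list it has left would be refused forever, and a node whose links were never initialised would be accepted twice.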
namjaejeon pushed a commit that referenced this pull request Aug 10, 2021
Since the wait can be canceled by SMB2_CANCEL, SMB2_CLOSE,
SMB2_LOGOFF, disconnection or shutdown, we don't have
to use wait_event_interruptible.

And this removes the warning from Coverity:

CID 1502834 (#1 of 1): Unused value (UNUSED_VALUE)
returned_value: Assigning value from ksmbd_vfs_posix_lock_wait(flock)
to err here, but that stored value is overwritten before it can be used.

Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
namjaejeon added a commit that referenced this pull request Aug 10, 2021
CID 1502845 (#1 of 1): Unused value (UNUSED_VALUE)
value_overwrite: Overwriting previous write to err with value from
vfs_lock_file(filp, 0U, rlock, NULL).
6880                err = vfs_lock_file(filp, 0, rlock, NULL);
6881                if (err)
6882                        pr_err("rollback unlock fail : %d\n", err);

Reported-by: Coverity Scan <scan-admin@coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
namjaejeon pushed a commit that referenced this pull request Aug 10, 2021
To negotiate either the SMB2 protocol or SMB protocol, a client must
send a SMB_COM_NEGOTIATE message containing the list of dialects it
supports, to which the server will respond with either a
SMB_COM_NEGOTIATE or a SMB2_NEGOTIATE response.

The current implementation responds with the highest common dialect,
rather than looking explicitly for "SMB 2.???" and "SMB 2.002", as
indicated in [MS-SMB2]:

  [MS-SMB2] 3.3.5.3.1:
    If the server does not implement the SMB 2.1 or 3.x dialect family,
    processing MUST continue as specified in 3.3.5.3.2.

    Otherwise, the server MUST scan the dialects provided for the dialect
    string "SMB 2.???". If the string is not present, continue to section
    3.3.5.3.2. If the string is present, the server MUST respond with an
    SMB2 NEGOTIATE Response as specified in 2.2.4.

  [MS-SMB2] 3.3.5.3.2:
    The server MUST scan the dialects provided for the dialect string "SMB
    2.002". If the string is present, the client understands SMB2, and the
    server MUST respond with an SMB2 NEGOTIATE Response.

This is an issue if a client attempts to negotiate SMB3.1.1 using
a SMB_COM_NEGOTIATE, as it will trigger the following NULL pointer
dereference:

  8<--- cut here ---
  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  pgd = 1917455e
  [00000000] *pgd=00000000
  Internal error: Oops: 17 [#1] ARM
  CPU: 0 PID: 60 Comm: kworker/0:1 Not tainted 5.4.60-00027-g0518c02b5c5b #35
  Hardware name: Marvell Kirkwood (Flattened Device Tree)
  Workqueue: ksmbd-io handle_ksmbd_work
  PC is at ksmbd_gen_preauth_integrity_hash+0x24/0x190
  LR is at smb3_preauth_hash_rsp+0x50/0xa0
  pc : [<802b7044>] lr : [<802d6ac0>] psr: 40000013
  sp : bf199ed8 ip : 00000000 fp : 80d1edb0
  r10: 80a3471b r9 : 8091af16 r8 : 80d70640
  r7 : 00000072 r6 : be95e198 r5 : ca000000 r4 : b97fee00
  r3 : 00000000 r2 : 00000002 r1 : b97fea00 r0 : b97fee00
  Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
  Control: 0005317f Table: 3e7f4000 DAC: 00000055
  Process kworker/0:1 (pid: 60, stack limit = 0x3dd1fdb4)
  Stack: (0xbf199ed8 to 0xbf19a000)
  9ec0: b97fee00 00000000
  9ee0: be95e198 00000072 80d70640 802d6ac0 b3da2680 b97fea00 424d53ff be95e140
  9f00: b97fee00 802bd7b0 bf10fa58 80128a78 00000000 000001c8 b6220000 bf0b7720
  9f20: be95e198 80d0c410 bf7e2a00 00000000 00000000 be95e19c 80d0c370 80123b90
  9f40: bf0b7720 be95e198 bf0b7720 bf0b7734 80d0c410 bf198000 80d0c424 80d116e0
  9f60: bf10fa58 801240c0 00000000 bf10fa40 bf1463a0 bf198000 bf0b7720 80123ed0
  9f80: bf077ee4 bf10fa58 00000000 80127f80 bf1463a0 80127e88 00000000 00000000
  9fa0: 00000000 00000000 00000000 801010d0 00000000 00000000 00000000 00000000
  9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
  [<802b7044>] (ksmbd_gen_preauth_integrity_hash) from [<802d6ac0>] (smb3_preauth_hash_rsp+0x50/0xa0)
  [<802d6ac0>] (smb3_preauth_hash_rsp) from [<802bd7b0>] (handle_ksmbd_work+0x348/0x3f8)
  [<802bd7b0>] (handle_ksmbd_work) from [<80123b90>] (process_one_work+0x160/0x200)
  [<80123b90>] (process_one_work) from [<801240c0>] (worker_thread+0x1f0/0x2e4)
  [<801240c0>] (worker_thread) from [<80127f80>] (kthread+0xf8/0x10c)
  [<80127f80>] (kthread) from [<801010d0>] (ret_from_fork+0x14/0x24)
  Exception stack(0xbf199fb0 to 0xbf199ff8)
  9fa0: 00000000 00000000 00000000 00000000
  9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
  Code: e1855803 e5d13003 e1855c03 e5903094 (e1d330b0)
  ---[ end trace 8d03be3ed09e5699 ]---
  Kernel panic - not syncing: Fatal exception

smb3_preauth_hash_rsp() panics because conn->preauth_info is only allocated
when processing a SMB2 NEGOTIATE request.

Fix this by splitting the smb_protos array into two, each containing
only SMB1 and SMB2 dialects respectively.

While here, make ksmbd_negotiate_smb_dialect() static as it is not
called from anywhere else.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
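The two [MS-SMB2] sections quoted in the commit define exactly which strings in an SMB_COM_NEGOTIATE dialect list may switch the server onto the SMB2 response path. The following added example, not ksmbd code, implements that scan as a stand-alone function so the decision can be exercised against constructed dialect lists, including the case the commit describes (an SMB1 negotiate carrying an SMB 3.x string, which must stay on the SMB1 path because the SMB2 state such as preauth_info does not exist yet). The enum, the function name `negotiate_response` and the `server_has_smb21_or_3x` parameter are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ksmbd code: the dialect scan that [MS-SMB2] 3.3.5.3.1
 * and 3.3.5.3.2 require a server to perform on an SMB_COM_NEGOTIATE
 * request. Only the two strings the spec names can select an SMB2
 * NEGOTIATE response; any other string stays on the SMB1 path. */

enum negotiate_rsp {
    NEG_RSP_SMB1 = 1,  /* continue with SMB_COM_NEGOTIATE (SMB1) processing */
    NEG_RSP_SMB2 = 2,  /* reply with an SMB2 NEGOTIATE response */
};

/* dialects: the strings carried in the SMB_COM_NEGOTIATE request.
 * server_has_smb21_or_3x: whether the server implements the SMB 2.1 or
 * 3.x dialect family (the precondition in 3.3.5.3.1). */
enum negotiate_rsp negotiate_response(const char *const *dialects, size_t count,
                                      int server_has_smb21_or_3x)
{
    int saw_wildcard = 0, saw_2002 = 0;

    for (size_t i = 0; i < count; i++) {
        if (strcmp(dialects[i], "SMB 2.???") == 0)
            saw_wildcard = 1;
        else if (strcmp(dialects[i], "SMB 2.002") == 0)
            saw_2002 = 1;
    }

    /* 3.3.5.3.1: with the 2.1/3.x family implemented, "SMB 2.???" selects
     * an SMB2 NEGOTIATE response (the client then sends a real SMB2
     * NEGOTIATE); otherwise processing continues as in 3.3.5.3.2. */
    if (server_has_smb21_or_3x && saw_wildcard)
        return NEG_RSP_SMB2;

    /* 3.3.5.3.2: "SMB 2.002" means the client understands SMB2. */
    if (saw_2002)
        return NEG_RSP_SMB2;

    return NEG_RSP_SMB1;
}

int main(void)
{
    /* Constructed dialect lists for illustration. */
    const char *const modern[] = { "NT LM 0.12", "SMB 2.002", "SMB 2.???" };
    const char *const smb1_with_3x[] = { "NT LM 0.12", "SMB 3.1.1" };

    printf("modern client -> %d (2 = SMB2 response)\n",
           negotiate_response(modern, 3, 1));
    /* The crashing case from the commit: a 3.x string inside an SMB1
     * negotiate must not be treated as an SMB2 negotiation. */
    printf("SMB1 negotiate with 3.x string -> %d (1 = SMB1 response)\n",
           negotiate_response(smb1_with_3x, 2, 1));
    return 0;
}
```

Scanning for the two spec-defined strings rather than ranking every dialect in one shared table is what keeps a crafted or merely unusual SMB1 negotiate from reaching code that assumes SMB2 connection state has been set up.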
hcbwiz pushed a commit to hcbwiz/ksmbd that referenced this pull request Nov 25, 2021
A BUG_ON trap occurs when running xfstests generic/591 with
smb2 leases = yes in smb.conf.

[  597.224978] list_add double add: new=ffff9110d292bb20,
prev=ffff9110d292bb20, next=ffff9110d6c389e8.
[  597.225073] ------------[ cut here ]------------
[  597.225077] kernel BUG at lib/list_debug.c:31!
[  597.225090] invalid opcode: 0000 [cifsd-team#1] SMP PTI
[  597.225095] CPU: 2 PID: 501 Comm: kworker/2:3 Tainted: G           OE
5.13.0-rc1+ cifsd-team#2
[  597.225099] Hardware name: SAMSUNG ELECTRONICS CO., LTD. Samsung
DeskTop System/SAMSUNG_DT1234567890, BIOS P04KBM.022.121023.SK
10/23/2012
[  597.225102] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[  597.225125] RIP: 0010:__list_add_valid+0x66/0x70
[  597.225132] Code: 0b 48 89 c1 4c 89 c6 48 c7 c7 c8 08 c0 95 e8 fd 54
66 00 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 20 09 c0 95 e8 e6 54 66
00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 8b 07 48 b9 00 01 00 00 00 00
[  597.225136] RSP: 0018:ffffb9c9408dbac0 EFLAGS: 00010282
[  597.225139] RAX: 0000000000000058 RBX: ffff9110d292ba40 RCX:
0000000000000000
[  597.225142] RDX: 0000000000000000 RSI: ffff9111da328c30 RDI:
ffff9111da328c30
[  597.225144] RBP: ffffb9c9408dbac0 R08: 0000000000000001 R09:
0000000000000001
[  597.225147] R10: 0000000003dd35ed R11: ffffb9c9408db888 R12:
ffff9110d6c38998
[  597.225149] R13: ffff9110d6c38800 R14: ffff9110d292bb20 R15:
ffff9110d292bb20
[  597.225152] FS:  0000000000000000(0000) GS:ffff9111da300000(0000)
knlGS:0000000000000000
[  597.225155] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  597.225157] CR2: 00007fd1629f84d0 CR3: 00000000c9a12006 CR4:
00000000001706e0
[  597.225160] Call Trace:
[  597.225163]  setup_async_work+0xa2/0x120 [ksmbd]
[  597.225191]  oplock_break+0x396/0x5d0 [ksmbd]
[  597.225206]  smb_grant_oplock+0x7a1/0x900 [ksmbd]
[  597.225218]  ? smb_grant_oplock+0x7a1/0x900 [ksmbd]
[  597.225231]  smb2_open+0xbbb/0x2960 [ksmbd]
[  597.225243]  ? smb2_open+0xbbb/0x2960 [ksmbd]
[  597.225257]  ? find_held_lock+0x35/0xa0
[  597.225261]  ? xa_load+0xaf/0x160
[  597.225268]  handle_ksmbd_work+0x2e0/0x420 [ksmbd]
[  597.225280]  ? handle_ksmbd_work+0x2e0/0x420 [ksmbd]
[  597.225292]  process_one_work+0x25a/0x5d0
[  597.225298]  worker_thread+0x3f/0x3a0
[  597.225302]  ? __kthread_parkme+0x6f/0xa0
[  597.225306]  ? process_one_work+0x5d0/0x5d0
[  597.225309]  kthread+0x142/0x160
[  597.225313]  ? kthread_park+0x90/0x90
[  597.225316]  ret_from_fork+0x22/0x30

The same work struct can be added to the list in smb_break_all_write_oplock()
and smb_grant_oplock(). If the client sends an invalid lease break ack to the
server, this issue can occur by calling both functions.

Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
hcbwiz pushed a commit to hcbwiz/ksmbd that referenced this pull request Nov 25, 2021
The wait can be canceled by SMB2_CANCEL, SMB2_CLOSE,
SMB2_LOGOFF, disconnection or shutdown, so we don't have
to use wait_event_interruptible.

And this removes the warning from Coverity:

CID 1502834 (#1 of 1): Unused value (UNUSED_VALUE)
returned_value: Assigning value from ksmbd_vfs_posix_lock_wait(flock)
to err here, but that stored value is overwritten before it can be used.

Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
hcbwiz pushed a commit to hcbwiz/ksmbd that referenced this pull request Nov 25, 2021
CID 1502845 (#1 of 1): Unused value (UNUSED_VALUE)
value_overwrite: Overwriting previous write to err with value from
vfs_lock_file(filp, 0U, rlock, NULL).
6880                err = vfs_lock_file(filp, 0, rlock, NULL);
6881                if (err)
6882                        pr_err("rollback unlock fail : %d\n", err);

Reported-by: Coverity Scan <scan-admin@coverity.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
hcbwiz pushed a commit to hcbwiz/ksmbd that referenced this pull request Nov 25, 2021
To negotiate either the SMB2 protocol or SMB protocol, a client must
send a SMB_COM_NEGOTIATE message containing the list of dialects it
supports, to which the server will respond with either a
SMB_COM_NEGOTIATE or a SMB2_NEGOTIATE response.

The current implementation responds with the highest common dialect,
rather than looking explicitly for "SMB 2.???" and "SMB 2.002", as
indicated in [MS-SMB2]:

  [MS-SMB2] 3.3.5.3.1:
    If the server does not implement the SMB 2.1 or 3.x dialect family,
    processing MUST continue as specified in 3.3.5.3.2.

    Otherwise, the server MUST scan the dialects provided for the dialect
    string "SMB 2.???". If the string is not present, continue to section
    3.3.5.3.2. If the string is present, the server MUST respond with an
    SMB2 NEGOTIATE Response as specified in 2.2.4.

  [MS-SMB2] 3.3.5.3.2:
    The server MUST scan the dialects provided for the dialect string "SMB
    2.002". If the string is present, the client understands SMB2, and the
    server MUST respond with an SMB2 NEGOTIATE Response.

This is an issue if a client attempts to negotiate SMB3.1.1 using
a SMB_COM_NEGOTIATE, as it will trigger the following NULL pointer
dereference:

  8<--- cut here ---
  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  pgd = 1917455e
  [00000000] *pgd=00000000
  Internal error: Oops: 17 [#1] ARM
  CPU: 0 PID: 60 Comm: kworker/0:1 Not tainted 5.4.60-00027-g0518c02b5c5b #35
  Hardware name: Marvell Kirkwood (Flattened Device Tree)
  Workqueue: ksmbd-io handle_ksmbd_work
  PC is at ksmbd_gen_preauth_integrity_hash+0x24/0x190
  LR is at smb3_preauth_hash_rsp+0x50/0xa0
  pc : [<802b7044>] lr : [<802d6ac0>] psr: 40000013
  sp : bf199ed8 ip : 00000000 fp : 80d1edb0
  r10: 80a3471b r9 : 8091af16 r8 : 80d70640
  r7 : 00000072 r6 : be95e198 r5 : ca000000 r4 : b97fee00
  r3 : 00000000 r2 : 00000002 r1 : b97fea00 r0 : b97fee00
  Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
  Control: 0005317f Table: 3e7f4000 DAC: 00000055
  Process kworker/0:1 (pid: 60, stack limit = 0x3dd1fdb4)
  Stack: (0xbf199ed8 to 0xbf19a000)
  9ec0: b97fee00 00000000
  9ee0: be95e198 00000072 80d70640 802d6ac0 b3da2680 b97fea00 424d53ff be95e140
  9f00: b97fee00 802bd7b0 bf10fa58 80128a78 00000000 000001c8 b6220000 bf0b7720
  9f20: be95e198 80d0c410 bf7e2a00 00000000 00000000 be95e19c 80d0c370 80123b90
  9f40: bf0b7720 be95e198 bf0b7720 bf0b7734 80d0c410 bf198000 80d0c424 80d116e0
  9f60: bf10fa58 801240c0 00000000 bf10fa40 bf1463a0 bf198000 bf0b7720 80123ed0
  9f80: bf077ee4 bf10fa58 00000000 80127f80 bf1463a0 80127e88 00000000 00000000
  9fa0: 00000000 00000000 00000000 801010d0 00000000 00000000 00000000 00000000
  9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
  [<802b7044>] (ksmbd_gen_preauth_integrity_hash) from [<802d6ac0>] (smb3_preauth_hash_rsp+0x50/0xa0)
  [<802d6ac0>] (smb3_preauth_hash_rsp) from [<802bd7b0>] (handle_ksmbd_work+0x348/0x3f8)
  [<802bd7b0>] (handle_ksmbd_work) from [<80123b90>] (process_one_work+0x160/0x200)
  [<80123b90>] (process_one_work) from [<801240c0>] (worker_thread+0x1f0/0x2e4)
  [<801240c0>] (worker_thread) from [<80127f80>] (kthread+0xf8/0x10c)
  [<80127f80>] (kthread) from [<801010d0>] (ret_from_fork+0x14/0x24)
  Exception stack(0xbf199fb0 to 0xbf199ff8)
  9fa0: 00000000 00000000 00000000 00000000
  9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
  Code: e1855803 e5d13003 e1855c03 e5903094 (e1d330b0)
  ---[ end trace 8d03be3ed09e5699 ]---
  Kernel panic - not syncing: Fatal exception

smb3_preauth_hash_rsp() panics because conn->preauth_info is only allocated
when processing a SMB2 NEGOTIATE request.

Fix this by splitting the smb_protos array into two, each containing
only SMB1 and SMB2 dialects respectively.

While here, make ksmbd_negotiate_smb_dialect() static as it is not
called from anywhere else.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
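The dialect scan the message quotes from [MS-SMB2] 3.3.5.3.1 and 3.3.5.3.2, worked through in C as an added example; this is illustration written for this page, not ksmbd's negotiate code. It parses the SMB_COM_NEGOTIATE dialect list (each entry a 0x02 BufferFormat byte followed by a NUL-terminated string), looks for the two marker strings only, and maps them to the DialectRevision values 0x02FF and 0x02?? / 0x0202 from [MS-SMB2] 2.2.3. The boolean server-capability flag, the neg_* names and the constructed dialect lists are the example's own; "SMB 3.1.1" in the usage note below stands in for any non-marker string a highest-common-dialect match might pick and is not a real SMB1 dialect name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_DIALECT_2_0_2    0x0202  /* [MS-SMB2] 2.2.3 */
#define SMB2_DIALECT_WILDCARD 0x02FF  /* DialectRevision answered to "SMB 2.???" */

enum neg_reply {
	NEG_REPLY_SMB1,       /* neither marker present: answer with SMB_COM_NEGOTIATE */
	NEG_REPLY_SMB2,       /* answer with an SMB2 NEGOTIATE response */
	NEG_REPLY_MALFORMED,  /* dialect list did not parse: reject the request */
};

struct neg_result {
	enum neg_reply reply;
	uint16_t dialect;     /* DialectRevision when reply == NEG_REPLY_SMB2, else 0 */
};

/*
 * Scan an SMB_COM_NEGOTIATE dialect list: entries of one 0x02 BufferFormat
 * byte followed by a NUL-terminated ASCII string. Only the two marker strings
 * from [MS-SMB2] 3.3.5.3.1 / 3.3.5.3.2 choose the protocol; nothing else the
 * client lists is promoted to a "highest common dialect".
 */
static struct neg_result negotiate_from_smb1(const unsigned char *buf, size_t len,
					     bool server_has_smb21_or_3x)
{
	struct neg_result r = { NEG_REPLY_SMB1, 0 };
	bool saw_wildcard = false, saw_2002 = false;
	size_t pos = 0;

	if (len == 0) {
		r.reply = NEG_REPLY_MALFORMED;
		return r;
	}
	while (pos < len) {
		const char *str = (const char *)buf + pos + 1;
		const char *nul;

		if (buf[pos] != 0x02 || pos + 1 >= len ||
		    !(nul = memchr(str, '\0', len - pos - 1))) {
			r.reply = NEG_REPLY_MALFORMED;   /* bad marker byte or unterminated string */
			return r;
		}
		if (strcmp(str, "SMB 2.???") == 0)
			saw_wildcard = true;
		else if (strcmp(str, "SMB 2.002") == 0)
			saw_2002 = true;
		pos = (size_t)(nul - (const char *)buf) + 1;
	}
	/* 3.3.5.3.1: only a server implementing SMB 2.1/3.x honours the wildcard;
	 * the client then sends a real SMB2 NEGOTIATE to settle the dialect. */
	if (server_has_smb21_or_3x && saw_wildcard) {
		r.reply = NEG_REPLY_SMB2;
		r.dialect = SMB2_DIALECT_WILDCARD;
	} else if (saw_2002) {           /* 3.3.5.3.2: "SMB 2.002" selects 2.0.2 outright */
		r.reply = NEG_REPLY_SMB2;
		r.dialect = SMB2_DIALECT_2_0_2;
	}
	return r;
}

/* Encode dialect strings in wire form; returns bytes written, 0 on overflow. */
static size_t build_dialects(const char *const *names, size_t n,
			     unsigned char *out, size_t cap)
{
	size_t pos = 0;
	for (size_t i = 0; i < n; i++) {
		size_t l = strlen(names[i]) + 1;
		if (cap - pos < 1 + l)
			return 0;
		out[pos++] = 0x02;
		memcpy(out + pos, names[i], l);
		pos += l;
	}
	return pos;
}

/* Encode, then scan, a list given as C strings (an overflowed list scans as malformed). */
static struct neg_result negotiate_names(const char *const *names, size_t n,
					 bool server_has_smb21_or_3x)
{
	unsigned char wire[256];
	size_t len = build_dialects(names, n, wire, sizeof wire);
	return negotiate_from_smb1(wire, len, server_has_smb21_or_3x);
}

int main(void)
{
	static const char *const modern[] = { "NT LM 0.12", "SMB 2.002", "SMB 2.???" };
	struct neg_result r = negotiate_names(modern, 3, true);

	printf("reply %d, dialect 0x%04x\n", r.reply, (unsigned)r.dialect);  /* SMB2, 0x02ff */
	return 0;
}
```

Feeding {"NT LM 0.12", "SMB 2.002", "SMB 2.???"} to negotiate_names() yields the 0x02FF wildcard reply when server_has_smb21_or_3x is true and 0x0202 when it is false; a list with no marker string, such as {"NT LM 0.12", "SMB 3.1.1"}, yields an SMB1 reply, so SMB2-only connection state such as the preauth hash is never touched on this path, and a list whose last string lacks its NUL is rejected instead of being scanned past.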
namjaejeon added a commit that referenced this pull request Jul 29, 2022
The testcase uses the SMB2_SET_INFO_HE command to set a malformed file attribute
under the label `security.NTACL`. The SMB2_QUERY_INFO_HE command in the testcase
triggers the following overflow.

[ 4712.003781] ==================================================================
[ 4712.003790] BUG: KASAN: slab-out-of-bounds in build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.003807] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190

[ 4712.003813] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1
[ 4712.003850] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 4712.003867] Call Trace:
[ 4712.003870]  <TASK>
[ 4712.003873]  dump_stack_lvl+0x49/0x5f
[ 4712.003935]  print_report.cold+0x5e/0x5cf
[ 4712.003972]  ? ksmbd_vfs_get_sd_xattr+0x16d/0x500 [ksmbd]
[ 4712.003984]  ? cmp_map_id+0x200/0x200
[ 4712.003988]  ? build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.004000]  kasan_report+0xaa/0x120
[ 4712.004045]  ? build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.004056]  kasan_check_range+0x100/0x1e0
[ 4712.004060]  memcpy+0x3c/0x60
[ 4712.004064]  build_sec_desc+0x842/0x1dd0 [ksmbd]
[ 4712.004076]  ? parse_sec_desc+0x580/0x580 [ksmbd]
[ 4712.004088]  ? ksmbd_acls_fattr+0x281/0x410 [ksmbd]
[ 4712.004099]  smb2_query_info+0xa8f/0x6110 [ksmbd]
[ 4712.004111]  ? psi_group_change+0x856/0xd70
[ 4712.004148]  ? update_load_avg+0x1c3/0x1af0
[ 4712.004152]  ? asym_cpu_capacity_scan+0x5d0/0x5d0
[ 4712.004157]  ? xas_load+0x23/0x300
[ 4712.004162]  ? smb2_query_dir+0x1530/0x1530 [ksmbd]
[ 4712.004173]  ? _raw_spin_lock_bh+0xe0/0xe0
[ 4712.004179]  handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 4712.004192]  process_one_work+0x778/0x11c0
[ 4712.004227]  ? _raw_spin_lock_irq+0x8e/0xe0
[ 4712.004231]  worker_thread+0x544/0x1180
[ 4712.004234]  ? __cpuidle_text_end+0x4/0x4
[ 4712.004239]  kthread+0x282/0x320
[ 4712.004243]  ? process_one_work+0x11c0/0x11c0
[ 4712.004246]  ? kthread_complete_and_exit+0x30/0x30
[ 4712.004282]  ret_from_fork+0x1f/0x30

This patch adds buffer validation for the security descriptor that is
stored by a malformed SMB2_SET_INFO_HE command, and allocates a large
response buffer for the SMB2_O_INFO_SECURITY file info class.

Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
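A sketch in C of the two checks the message describes: validate a security descriptor read back from storage before any of it is copied, and refuse a reply buffer that cannot hold all of it. This is an added example for this page, not the ksmbd patch. The byte layout assumed is the self-relative SECURITY_DESCRIPTOR, ACL, ACE header and SID encodings from [MS-DTYP]; the sample descriptor is constructed (owner and group S-1-5-18, one ACCESS_ALLOWED_ACE), and the sd_* names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SD_HEADER_LEN  20  /* Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl */
#define ACL_HEADER_LEN 8   /* AclRevision, Sbz1, AclSize, AceCount, Sbz2 */
#define ACE_HEADER_LEN 4   /* AceType, AceFlags, AceSize */
#define SID_HEADER_LEN 8   /* Revision, SubAuthorityCount, IdentifierAuthority[6] */

enum sd_status { SD_OK = 0, SD_TOO_SHORT, SD_BAD_REVISION, SD_BAD_SID, SD_BAD_ACL };

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* A SID referenced by offset must lie entirely inside the len bytes we hold. */
static enum sd_status check_sid(const unsigned char *buf, size_t len, uint32_t off)
{
	if (off == 0)                                    /* 0 means "field absent" */
		return SD_OK;
	if (off > len || len - off < SID_HEADER_LEN || buf[off] != 1 ||   /* SID revision is 1 */
	    buf[off + 1] > 15 || len - off - SID_HEADER_LEN < (size_t)buf[off + 1] * 4)
		return SD_BAD_SID;                           /* header, revision or sub-authorities out of range */
	return SD_OK;
}

/* The ACL must fit, and every ACE must fit inside AclSize; the first that does not ends the walk. */
static enum sd_status check_acl(const unsigned char *buf, size_t len, uint32_t off)
{
	size_t acl_size, ace_count, pos, end, ace_size;

	if (off == 0)
		return SD_OK;
	if (off > len || len - off < ACL_HEADER_LEN)
		return SD_BAD_ACL;
	acl_size = le16(buf + off + 2);
	ace_count = le16(buf + off + 4);
	if (acl_size < ACL_HEADER_LEN || len - off < acl_size)
		return SD_BAD_ACL;
	pos = off + ACL_HEADER_LEN;
	end = off + acl_size;
	for (size_t i = 0; i < ace_count; i++) {
		if (end - pos < ACE_HEADER_LEN)
			return SD_BAD_ACL;
		ace_size = le16(buf + pos + 2);
		if (ace_size < ACE_HEADER_LEN || end - pos < ace_size)
			return SD_BAD_ACL;
		pos += ace_size;
	}
	return SD_OK;
}

/* Validate every offset in a self-relative SECURITY_DESCRIPTOR before anything dereferences it. */
static enum sd_status sd_validate(const unsigned char *buf, size_t len)
{
	enum sd_status st;
	if (len < SD_HEADER_LEN)
		return SD_TOO_SHORT;
	if (buf[0] != 1)                                 /* Revision is always 1 */
		return SD_BAD_REVISION;
	if ((st = check_sid(buf, len, le32(buf + 4))) != SD_OK ||    /* OffsetOwner */
	    (st = check_sid(buf, len, le32(buf + 8))) != SD_OK ||    /* OffsetGroup */
	    (st = check_acl(buf, len, le32(buf + 12))) != SD_OK)    /* OffsetSacl */
		return st;
	return check_acl(buf, len, le32(buf + 16));                  /* OffsetDacl */
}

/* Copy into a reply buffer only what validated and only if all of it fits; -1 otherwise, dst untouched. */
static long sd_copy_to_reply(unsigned char *dst, size_t dst_cap,
			     const unsigned char *src, size_t src_len)
{
	if (sd_validate(src, src_len) != SD_OK || src_len > dst_cap)
		return -1;
	memcpy(dst, src, src_len);
	return (long)src_len;
}

/* Constructed sample: owner and group S-1-5-18, no SACL, a DACL holding one ACCESS_ALLOWED_ACE. */
static const unsigned char sample_sd[72] = {
	0x01, 0x00, 0x04, 0x80,                          /* Revision 1, Sbz1, Control 0x8004 */
	0x14, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,  /* OffsetOwner 20, OffsetGroup 32 */
	0x00, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00,  /* OffsetSacl 0, OffsetDacl 44 */
	0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,  /* owner SID */
	0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,  /* group SID */
	0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00,  /* ACL: revision 2, AclSize 28, AceCount 1 */
	0x00, 0x00, 0x14, 0x00, 0xff, 0x01, 0x1f, 0x00,  /* ACE: type 0, AceSize 20, Mask 0x001f01ff */
	0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,  /* trustee SID */
};

/* Revalidate a copy of sample_sd with the two bytes at off overwritten: a corrupted stored descriptor. */
static enum sd_status sd_validate_patched(size_t off, unsigned char lo, unsigned char hi)
{
	unsigned char sd[sizeof sample_sd];
	memcpy(sd, sample_sd, sizeof sd);
	sd[off] = lo;
	sd[off + 1] = hi;
	return sd_validate(sd, sizeof sd);
}
```

sd_validate_patched() overwrites two bytes of the sample and revalidates: writing 0x0424 (1060, the size of the bad write in the KASAN report above) over AclSize, or pointing OffsetDacl 1024 bytes in, is rejected as SD_BAD_ACL before any copy happens, and sd_copy_to_reply() returns -1 for a 20-byte reply buffer rather than writing past it, while a 128-byte buffer receives all 72 bytes.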
namjaejeon added a commit that referenced this pull request Jul 29, 2022
namjaejeon added a commit that referenced this pull request Aug 1, 2022
namjaejeon added a commit that referenced this pull request Aug 1, 2022
mmakassikis pushed a commit to mmakassikis/ksmbd that referenced this pull request Oct 25, 2022
namjaejeon added a commit that referenced this pull request Sep 12, 2023
…2_ea_info

UBSAN complains about out-of-bounds array indexes on 1-element arrays in
struct smb2_ea_info.

UBSAN: array-index-out-of-bounds in fs/smb/server/smb2pdu.c:4335:15
index 1 is out of range for type 'char [1]'
CPU: 1 PID: 354 Comm: kworker/1:4 Not tainted 6.5.0-rc4 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 07/22/2020
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
Call Trace:
 <TASK>
 __dump_stack linux/lib/dump_stack.c:88
 dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
 dump_stack+0x10/0x20 linux/lib/dump_stack.c:113
 ubsan_epilogue linux/lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xc6/0x110 linux/lib/ubsan.c:348
 smb2_get_ea linux/fs/smb/server/smb2pdu.c:4335
 smb2_get_info_file linux/fs/smb/server/smb2pdu.c:4900
 smb2_query_info+0x63ae/0x6b20 linux/fs/smb/server/smb2pdu.c:5275
 __process_request linux/fs/smb/server/server.c:145
 __handle_ksmbd_work linux/fs/smb/server/server.c:213
 handle_ksmbd_work+0x348/0x10b0 linux/fs/smb/server/server.c:266
 process_one_work+0x85a/0x1500 linux/kernel/workqueue.c:2597
 worker_thread+0xf3/0x13a0 linux/kernel/workqueue.c:2748
 kthread+0x2b7/0x390 linux/kernel/kthread.c:389
 ret_from_fork+0x44/0x90 linux/arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x1b/0x30 linux/arch/x86/entry/entry_64.S:304
 </TASK>

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
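What the UBSAN report above turns on, as an added example in C written for this page (not ksmbd code): the FILE_FULL_EA_INFORMATION layout from [MS-FSCC] 2.4.15 declared with a flexible array member instead of a 1-element array, and a walker that checks every length and NextEntryOffset against the bytes actually present before it indexes name[]. It assumes a little-endian host and the GCC/Clang packed attribute; the 4-byte padding in the constructed list and the ea_* names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* FILE_FULL_EA_INFORMATION ([MS-FSCC] 2.4.15), little-endian on the wire. The name is
 * a flexible array member: with the older "char name[1]" idiom, name[i] for i > 0 is
 * an out-of-bounds index to the compiler and to UBSAN even when the bytes exist. */
struct ea_info {
	uint32_t next_entry_offset;  /* from the start of this entry; 0 on the last one */
	uint8_t  flags;
	uint8_t  name_len;           /* bytes of name, not counting the NUL after it */
	uint16_t value_len;
	char     name[];             /* name, one NUL, then value_len bytes of value */
} __attribute__((packed));

#define EA_HDR_LEN offsetof(struct ea_info, name)

struct ea_view { const char *name; size_t name_len; const unsigned char *value; size_t value_len; };

/* Walk an EA list of len bytes, calling fn() on each entry. Returns the entry count,
 * or -1 as soon as something does not fit: the header, the name + NUL + value, or a
 * NextEntryOffset that overlaps this entry or leaves the buffer. */
static int ea_list_walk(const unsigned char *buf, size_t len,
			void (*fn)(const struct ea_view *, void *), void *ctx)
{
	size_t pos = 0;
	int count = 0;

	for (;;) {
		const struct ea_info *ea;
		struct ea_view v;
		size_t body, remain = len - pos;

		if (remain < EA_HDR_LEN)
			return -1;
		ea = (const struct ea_info *)(buf + pos);
		body = (size_t)ea->name_len + 1 + ea->value_len;
		if (remain - EA_HDR_LEN < body)
			return -1;                             /* name/value run past the buffer */
		if (ea->name[ea->name_len] != '\0')
			return -1;                             /* terminator missing */
		v.name = ea->name;
		v.name_len = ea->name_len;
		v.value = (const unsigned char *)ea->name + ea->name_len + 1;
		v.value_len = ea->value_len;
		if (fn)
			fn(&v, ctx);
		count++;
		if (ea->next_entry_offset == 0)
			return count;
		if (ea->next_entry_offset < EA_HDR_LEN + body || ea->next_entry_offset > remain)
			return -1;                             /* overlaps this entry or leaves the buffer */
		pos += ea->next_entry_offset;
	}
}

/* Encode name/value pairs, each entry padded to a 4-byte boundary; returns bytes, 0 on overflow. */
static size_t ea_list_build(unsigned char *out, size_t cap, const char *const *names,
			    const char *const *values, size_t n)
{
	size_t pos = 0;
	for (size_t i = 0; i < n; i++) {
		size_t nl = strlen(names[i]), vl = strlen(values[i]);
		size_t entry = EA_HDR_LEN + nl + 1 + vl, padded = (entry + 3) & ~(size_t)3;
		struct ea_info hdr = { .next_entry_offset = i + 1 < n ? (uint32_t)padded : 0,
				       .name_len = (uint8_t)nl, .value_len = (uint16_t)vl };

		if (nl > 255 || vl > 65535 || cap - pos < padded)
			return 0;
		memset(out + pos, 0, padded);
		memcpy(out + pos, &hdr, EA_HDR_LEN);
		memcpy(out + pos + EA_HDR_LEN, names[i], nl + 1);
		memcpy(out + pos + EA_HDR_LEN + nl + 1, values[i], vl);
		pos += padded;
	}
	return pos;
}

static void sum_value_len(const struct ea_view *v, void *ctx) { *(size_t *)ctx += v->value_len; }

/* Constructed two-entry list: variant 0 intact, 1 with a wild NextEntryOffset, 2 truncated by 3 bytes. */
static int demo_walk(int variant)
{
	static const char *const names[] = { "user.a", "user.bb" }, *const values[] = { "1", "22" };
	unsigned char buf[64];
	size_t len = ea_list_build(buf, sizeof buf, names, values, 2), total = 0;

	if (variant == 1) {
		buf[0] = 0xe8;                                 /* NextEntryOffset = 1000 */
		buf[1] = 0x03;
	} else if (variant == 2) {
		len -= 3;                                      /* second value no longer fits */
	}
	return ea_list_walk(buf, len, sum_value_len, &total);
}
```

demo_walk(0) visits both entries and returns 2; the variant whose first NextEntryOffset points 1000 bytes out and the one truncated so the second value no longer fits both return -1 before any byte beyond the buffer is read. Because name[] is a flexible array member, the name[name_len] terminator check is an ordinary in-bounds access rather than something UBSAN has to flag.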
namjaejeon added a commit that referenced this pull request Sep 20, 2023
…alid

If the smb2 request from the client is invalid, the following kernel oops could
happen. The patch e2b76ab8b5c9: "ksmbd: add support for read compound"
leads to this issue. When the request is invalid, it doesn't set anything in
the response buffer. This patch adds the missing invalid parameter error
response.

[  673.085542] ksmbd: cli req too short, len 184 not 142. cmd:5 mid:109
[  673.085580] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  673.085591] #PF: supervisor read access in kernel mode
[  673.085600] #PF: error_code(0x0000) - not-present page
[  673.085608] PGD 0 P4D 0
[  673.085620] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  673.085631] CPU: 3 PID: 1039 Comm: kworker/3:0 Not tainted 6.6.0-rc2-tmt #16
[  673.085643] Hardware name: AZW U59/U59, BIOS JTKT001 05/05/2022
[  673.085651] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[  673.085719] RIP: 0010:ksmbd_conn_write+0x68/0xc0 [ksmbd]
[  673.085808] RAX: 0000000000000000 RBX: ffff88811ade4f00 RCX: 0000000000000000
[  673.085817] RDX: 0000000000000000 RSI: ffff88810c2a9780 RDI: ffff88810c2a9ac0
[  673.085826] RBP: ffffc900005e3e00 R08: 0000000000000000 R09: 0000000000000000
[  673.085834] R10: ffffffffa3168160 R11: 63203a64626d736b R12: ffff8881057c8800
[  673.085842] R13: ffff8881057c8820 R14: ffff8882781b2380 R15: ffff8881057c8800
[  673.085852] FS:  0000000000000000(0000) GS:ffff888278180000(0000) knlGS:0000000000000000
[  673.085864] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  673.085872] CR2: 0000000000000000 CR3: 000000015b63c000 CR4: 0000000000350ee0
[  673.085883] Call Trace:
[  673.085890]  <TASK>
[  673.085900]  ? show_regs+0x6a/0x80
[  673.085916]  ? __die+0x25/0x70
[  673.085926]  ? page_fault_oops+0x154/0x4b0
[  673.085938]  ? tick_nohz_tick_stopped+0x18/0x50
[  673.085954]  ? __irq_work_queue_local+0xba/0x140
[  673.085967]  ? do_user_addr_fault+0x30f/0x6c0
[  673.085979]  ? exc_page_fault+0x79/0x180
[  673.085992]  ? asm_exc_page_fault+0x27/0x30
[  673.086009]  ? ksmbd_conn_write+0x68/0xc0 [ksmbd]
[  673.086067]  ? ksmbd_conn_write+0x46/0xc0 [ksmbd]
[  673.086123]  handle_ksmbd_work+0x28d/0x4b0 [ksmbd]
[  673.086177]  process_one_work+0x178/0x350
[  673.086193]  ? __pfx_worker_thread+0x10/0x10
[  673.086202]  worker_thread+0x2f3/0x420
[  673.086210]  ? _raw_spin_unlock_irqrestore+0x27/0x50
[  673.086222]  ? __pfx_worker_thread+0x10/0x10
[  673.086230]  kthread+0x103/0x140
[  673.086242]  ? __pfx_kthread+0x10/0x10
[  673.086253]  ret_from_fork+0x39/0x60
[  673.086263]  ? __pfx_kthread+0x10/0x10
[  673.086274]  ret_from_fork_asm+0x1b/0x30

Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
Reported-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
mmakassikis pushed a commit to mmakassikis/ksmbd that referenced this pull request Oct 4, 2023
mmakassikis pushed a commit to mmakassikis/ksmbd that referenced this pull request Oct 4, 2023
namjaejeon pushed a commit that referenced this pull request Oct 14, 2023
Running smb2.rename test from Samba smbtorture suite against a kernel built
with lockdep triggers a "possible recursive locking detected" warning.

This is because mnt_want_write() is called twice with no mnt_drop_write()
in between:
  -> ksmbd_vfs_mkdir()
    -> ksmbd_vfs_kern_path_create()
       -> kern_path_create()
          -> filename_create()
            -> mnt_want_write()
       -> mnt_want_write()

Fix this by removing the mnt_want_write/mnt_drop_write calls from vfs
helpers that call kern_path_create().

Full lockdep trace below:

============================================
WARNING: possible recursive locking detected
6.6.0-rc5 #775 Not tainted
--------------------------------------------
kworker/1:1/32 is trying to acquire lock:
ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: ksmbd_vfs_mkdir+0xe1/0x410

but task is already holding lock:
ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(sb_writers#5);
  lock(sb_writers#5);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

4 locks held by kworker/1:1/32:
 #0: ffff8880064e4138 ((wq_completion)ksmbd-io){+.+.}-{0:0}, at: process_one_work+0x40e/0x980
 #1: ffff888005b0fdd0 ((work_completion)(&work->work)){+.+.}-{0:0}, at: process_one_work+0x40e/0x980
 #2: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260
 #3: ffff8880057ce760 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x123/0x260

Cc: stable@vger.kernel.org
Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions")
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
mmakassikis pushed a commit to mmakassikis/ksmbd that referenced this pull request Oct 19, 2023
@jobsidi jobsidi mentioned this pull request Nov 21, 2023
namjaejeon added a commit that referenced this pull request Dec 22, 2023
lockdep found a possible circular locking dependency like the following.

[ 8743.393379] ======================================================
[ 8743.393385] WARNING: possible circular locking dependency detected
[ 8743.393391] 6.4.0-rc1+ #11 Tainted: G           OE
[ 8743.393397] ------------------------------------------------------
[ 8743.393402] kworker/0:2/12921 is trying to acquire lock:
[ 8743.393408] ffff888127a14460 (sb_writers#8){.+.+}-{0:0}, at: ksmbd_vfs_setxattr+0x3d/0xd0 [ksmbd]
[ 8743.393510]
               but task is already holding lock:
[ 8743.393515] ffff8880360d97f0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: ksmbd_vfs_kern_path_locked+0x181/0x670 [ksmbd]
[ 8743.393618]
               which lock already depends on the new lock.

[ 8743.393623]
               the existing dependency chain (in reverse order) is:
[ 8743.393628]
               -> #1 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}:
[ 8743.393648]        down_write_nested+0x9a/0x1b0
[ 8743.393660]        filename_create+0x128/0x270
[ 8743.393670]        do_mkdirat+0xab/0x1f0
[ 8743.393680]        __x64_sys_mkdir+0x47/0x60
[ 8743.393690]        do_syscall_64+0x5d/0x90
[ 8743.393701]        entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 8743.393711]
               -> #0 (sb_writers#8){.+.+}-{0:0}:
[ 8743.393728]        __lock_acquire+0x2201/0x3b80
[ 8743.393737]        lock_acquire+0x18f/0x440
[ 8743.393746]        mnt_want_write+0x5f/0x240
[ 8743.393755]        ksmbd_vfs_setxattr+0x3d/0xd0 [ksmbd]
[ 8743.393839]        ksmbd_vfs_set_dos_attrib_xattr+0xcc/0x110 [ksmbd]
[ 8743.393924]        compat_ksmbd_vfs_set_dos_attrib_xattr+0x39/0x50 [ksmbd]
[ 8743.394010]        smb2_open+0x3432/0x3cc0 [ksmbd]
[ 8743.394099]        handle_ksmbd_work+0x2c9/0x7b0 [ksmbd]
[ 8743.394187]        process_one_work+0x65a/0xb30
[ 8743.394198]        worker_thread+0x2cf/0x700
[ 8743.394209]        kthread+0x1ad/0x1f0
[ 8743.394218]        ret_from_fork+0x29/0x50

This patch adds mnt_want_write() above the parent inode lock and removes the
nested mnt_want_write() calls in smb2_open().

Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions")
Reported-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
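The two commit messages above (the nested mnt_want_write() in ksmbd_vfs_mkdir(), and the sb_writers / i_mutex_dir ordering between a local mkdir(2) and smb2_open()) are both complaints from the kernel's lockdep. As an added illustration, and not ksmbd or kernel code, the following user-space model records "class A was held while taking class B" edges per task and raises the same two verdicts lockdep printed: a re-acquisition of a held class ("possible recursive locking") and an acquisition that would close a cycle in the recorded order ("possible circular locking dependency"). The lock-class names are the ones lockdep printed; the call-chain comments are taken from the traces in the messages, and the before/after sequences are my reading of those traces, not the project's code.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes from the two lockdep reports (names as lockdep printed them). */
enum lock_class { SB_WRITERS, I_MUTEX_DIR, NR_CLASSES };
static const char *const class_name[NR_CLASSES] = { "sb_writers", "i_mutex_dir_key" };

/* OK, or the kind of complaint lockdep would raise. */
enum verdict { OK = 0, RECURSIVE = 1, CIRCULAR = 2 };

/* before[a][b] != 0: some task held class a while acquiring class b. */
static int before[NR_CLASSES][NR_CLASSES];

struct task {
    int held[NR_CLASSES]; /* classes currently held; recursion is rejected, so no repeats */
    int nr_held;
};

static void reset_deps(void) { memset(before, 0, sizeof before); }

/* Depth-first search over before[][]: is there a recorded chain from -> ... -> to? */
static int reaches(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NR_CLASSES; n++)
        if (before[from][n] && !seen[n] && reaches(n, to, seen))
            return 1;
    return 0;
}

static enum verdict acquire(struct task *t, enum lock_class c)
{
    for (int i = 0; i < t->nr_held; i++) {
        int seen[NR_CLASSES] = { 0 };

        if (t->held[i] == c) {
            printf("possible recursive locking: %s taken while already held\n", class_name[c]);
            return RECURSIVE;
        }
        /* Taking c while holding held[i] records held[i] -> c. If c already
         * leads back to held[i], the two orders together form a cycle. */
        if (reaches(c, t->held[i], seen)) {
            printf("possible circular dependency: %s -> %s, but %s -> %s already recorded\n",
                   class_name[t->held[i]], class_name[c], class_name[c], class_name[t->held[i]]);
            return CIRCULAR;
        }
    }
    for (int i = 0; i < t->nr_held; i++)
        before[t->held[i]][c] = 1;
    t->held[t->nr_held++] = c;
    return OK;
}

static void release(struct task *t, enum lock_class c)
{
    for (int i = 0; i < t->nr_held; i++)
        if (t->held[i] == c) {
            t->held[i] = t->held[--t->nr_held];
            return;
        }
}

/* Report 1: ksmbd_vfs_mkdir(). kern_path_create() -> filename_create() already
 * took sb_writers (mnt_want_write) and the parent inode lock; before the fix
 * the ksmbd helper then called mnt_want_write() a second time. */
static enum verdict mkdir_path(int fixed)
{
    struct task t = { { 0 }, 0 };
    int v = OK;

    reset_deps();
    v |= acquire(&t, SB_WRITERS);     /* filename_create -> mnt_want_write() */
    v |= acquire(&t, I_MUTEX_DIR);    /* filename_create -> inode_lock_nested() */
    if (!fixed)
        v |= acquire(&t, SB_WRITERS); /* ksmbd_vfs_mkdir -> mnt_want_write() again */
    return v;
}

/* Report 2: two tasks taking the same pair in opposite orders. Task A is a
 * local mkdir(2); task B is ksmbd's smb2_open(). The fix moves
 * mnt_want_write() above the parent inode lock so that B agrees with A. */
static enum verdict smb2_open_order(int fixed)
{
    struct task a = { { 0 }, 0 }, b = { { 0 }, 0 };
    int v = OK;

    reset_deps();
    v |= acquire(&a, SB_WRITERS);     /* do_mkdirat -> filename_create */
    v |= acquire(&a, I_MUTEX_DIR);
    release(&a, I_MUTEX_DIR);
    release(&a, SB_WRITERS);

    if (fixed)
        v |= acquire(&b, SB_WRITERS); /* mnt_want_write() before the locked lookup */
    v |= acquire(&b, I_MUTEX_DIR);    /* ksmbd_vfs_kern_path_locked() */
    if (!fixed)
        v |= acquire(&b, SB_WRITERS); /* ksmbd_vfs_setxattr -> mnt_want_write() */
    return v;
}

int main(void)
{
    printf("mkdir: before fix %d, after fix %d\n", mkdir_path(0), mkdir_path(1));
    printf("smb2_open: before fix %d, after fix %d\n", smb2_open_order(0), smb2_open_order(1));
    return 0;
}
```

The model is deliberately order-only: it knows nothing about readers versus writers or about lockdep's nesting annotations (the `/1` subclass in the trace), which is why both reports reduce to "the same class was taken twice" and "two tasks disagree on the order of the same pair". That is also why the second fix works: taking mnt_want_write() before the parent inode lock makes ksmbd's order match the one filename_create() already establishes for every local caller.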
mmakassikis pushed a commit to mmakassikis/ksmbd that referenced this pull request Feb 22, 2024
namjaejeon added a commit that referenced this pull request Oct 20, 2024
Steve French reported a null pointer dereference error from the sha256 lib.
cifs.ko can send session setup requests on a reused connection.
If a reused connection is used for binding a session, conn->binding can
still remain true and generate_preauth_hash() will not set
sess->Preauth_HashValue, so it will be NULL.
It is used as material to create an encryption key in
ksmbd_gen_smb311_encryptionkey. The NULL ->Preauth_HashValue causes a null
pointer dereference error from crypto_shash_update().

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
<TASK>
? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>