linux/fs/cifs
Steve French 0a55cf74ff SMB3: EBADF/EIO errors in rename/open caused by race condition in smb2_compound_op
There is  a race condition in smb2_compound_op:

after_close:
	num_rqst++;

	if (cfile) {
		cifsFileInfo_put(cfile); // sends SMB2_CLOSE to the server
		cfile = NULL;

This is triggered by smb2_query_path_info operation that happens during
revalidate_dentry. In smb2_query_path_info, get_readable_path is called to
load the cfile, increasing the reference counter. If in the meantime, this
reference becomes the very last, this call to cifsFileInfo_put(cfile) will
trigger a SMB2_CLOSE request sent to the server just before sending this compound
request – and so then the compound request fails either with EBADF/EIO depending
on the timing at the server, because the handle is already closed.

In the first scenario, the race seems to be happening between smb2_query_path_info
triggered by the rename operation, and between “cleanup” of asynchronous writes – while
fsync(fd) likely waits for the asynchronous writes to complete, releasing the writeback
structures can happen after the close(fd) call. So the EBADF/EIO errors will pop up if
the timing is such that:
1) There are still outstanding references after close(fd) in the writeback structures
2) smb2_query_path_info successfully fetches the cfile, increasing the refcounter by 1
3) All writeback structures release the same cfile, reducing refcounter to 1
4) smb2_compound_op is called with that cfile

In the second scenario, the race seems to be similar – here open triggers the
smb2_query_path_info operation, and if all other threads in the meantime decrease the
refcounter to 1 similarly to the first scenario, again SMB2_CLOSE will be sent to the
server just before issuing the compound request. This case is harder to reproduce.

See https://bugzilla.samba.org/show_bug.cgi?id=15051

Cc: stable@vger.kernel.org
Fixes: 8de9e86c67 ("cifs: create a helper to find a writeable handle by path name")
Signed-off-by: Ondrej Hubsch <ohubsch@purestorage.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
2022-05-17 13:47:27 -05:00
..
asn1.c cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cifs_debug.c smb3: cleanup and clarify status of tree connections 2022-03-28 17:07:30 -05:00
cifs_debug.h cifs: use SPDX-Licence-Identifier 2021-06-20 21:28:17 -05:00
cifs_dfs_ref.c cifs: support nested dfs links over reconnect 2021-11-10 16:30:13 -06:00
cifs_fs_sb.h cifs: support nested dfs links over reconnect 2021-11-10 16:30:13 -06:00
cifs_ioctl.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifs_spnego_negtokeninit.asn1 cifs: decoding negTokenInit with generic ASN1 decoder 2021-06-20 21:28:17 -05:00
cifs_spnego.c cifs: use the chans_need_reconnect bitmap for reconnect status 2022-01-02 20:38:46 -06:00
cifs_spnego.h cifs: use the chans_need_reconnect bitmap for reconnect status 2022-01-02 20:38:46 -06:00
cifs_swn.c cifs: use a different reconnect helper for non-cifsd threads 2022-03-18 23:12:03 -05:00
cifs_swn.h cifs: simplify SWN code with dummy funcs instead of ifdefs 2021-04-25 16:28:22 -05:00
cifs_unicode.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c cifs: modefromsids must add an ACE for authenticated users 2022-02-14 09:55:51 -06:00
cifsacl.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
cifsencrypt.c cifs: take cifs_tcp_ses_lock for status checks 2022-01-07 20:07:07 -06:00
cifsfs.c cifs: verify that tcon is valid before dereference in cifs_kill_sb 2022-04-14 00:07:36 -05:00
cifsfs.h cifs: update internal module number 2022-04-04 22:40:14 -05:00
cifsglob.h 14 fixes to cifs client and to smbfs_common code 2022-04-01 14:31:57 -07:00
cifspdu.h smb3: move defines for query info and query fsinfo to smbfs_common 2022-03-26 23:09:51 -05:00
cifsproto.h cifs: use a different reconnect helper for non-cifsd threads 2022-03-18 23:12:03 -05:00
cifsroot.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifssmb.c 14 fixes to cifs client and to smbfs_common code 2022-04-01 14:31:57 -07:00
connect.c cifs: use correct lock type in cifs_reconnect() 2022-04-20 22:54:39 -05:00
dfs_cache.c cifs: fix NULL ptr dereference in refresh_mounts() 2022-04-20 22:54:17 -05:00
dfs_cache.h cifs: support share failover when remounting 2021-07-22 11:43:23 -05:00
dir.c cifs: Support fscache indexing rewrite 2022-01-19 11:21:08 -06:00
dns_resolve.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
dns_resolve.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
export.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
file.c 14 fixes to cifs client and to smbfs_common code 2022-04-01 14:31:57 -07:00
fs_context.c smb3: fix snapshot mount option 2022-02-13 14:56:16 -06:00
fs_context.h cifs: send workstation name during ntlmssp session setup 2021-11-08 13:07:56 -06:00
fscache.c netfs: Add a netfs inode context 2022-03-18 09:29:05 +00:00
fscache.h netfs: Add a netfs inode context 2022-03-18 09:29:05 +00:00
inode.c fs: Remove ->readpages address space operation 2022-04-01 13:45:33 -04:00
ioctl.c cifs: fix incorrect kernel doc comments 2021-09-13 18:29:46 -05:00
Kconfig cifs: Support fscache indexing rewrite 2022-01-19 11:21:08 -06:00
link.c cifs: potential buffer overflow in handling symlinks 2022-04-13 12:00:49 -05:00
Makefile cifs: Support fscache indexing rewrite 2022-01-19 11:21:08 -06:00
misc.c smb3: cleanup and clarify status of tree connections 2022-03-28 17:07:30 -05:00
netlink.c cifs: Constify static struct genl_ops 2021-06-20 21:28:16 -05:00
netlink.h cifs: Register generic netlink family 2020-12-14 09:16:22 -06:00
netmisc.c cifs: fix potential race with cifsd thread 2022-04-04 12:01:22 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h treewide: Replace zero-length arrays with flexible-array members 2022-02-17 07:00:39 -06:00
readdir.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
rfc1002pdu.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
sess.c cifs: fix confusing unneeded warning message on smb2.1 and earlier 2022-02-16 17:16:49 -06:00
smb1ops.c cifs: use a different reconnect helper for non-cifsd threads 2022-03-18 23:12:03 -05:00
smb2file.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
smb2glob.h smb3: move defines for ioctl protocol header and SMB2 sizes to smbfs_common 2022-03-26 23:09:20 -05:00
smb2inode.c SMB3: EBADF/EIO errors in rename/open caused by race condition in smb2_compound_op 2022-05-17 13:47:27 -05:00
smb2maperror.c cifs: Create a new shared file holding smb2 pdu definitions 2021-11-05 09:50:57 -05:00
smb2misc.c cifs: remove check of list iterator against head past the loop body 2022-04-04 12:01:22 -05:00
smb2ops.c cifs: destage any unwritten data to the server before calling copychunk_write 2022-04-20 22:54:54 -05:00
smb2pdu.c smb3: cleanup and clarify status of tree connections 2022-03-28 17:07:30 -05:00
smb2pdu.h smb3: fix ksmbd bigendian bug in oplock break, and move its struct to smbfs_common 2022-03-31 09:38:53 -05:00
smb2proto.h cifs: convert the path to utf16 in smb2_query_info_compound 2022-03-23 15:17:22 -05:00
smb2status.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
smb2transport.c cifs: protect all accesses to chan_* with chan_lock 2022-01-19 11:10:54 -06:00
smbdirect.c smbdirect: missing rc checks while waiting for rdma events 2021-06-22 12:08:32 -05:00
smbdirect.h cifs: smbd: Do not schedule work to send immediate packet on every receive 2020-04-07 12:41:16 -05:00
smbencrypt.c cifs: rename cifs_common to smbfs_common 2021-09-08 23:59:26 -05:00
smberr.h cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h cifs: Split the smb3_add_credits tracepoint 2022-04-08 21:25:38 -05:00
transport.c cifs: Use kzalloc instead of kmalloc/memset 2022-04-18 10:22:57 -05:00
unc.c cifs: don't cargo-cult strndup() 2021-04-25 16:28:23 -05:00
winucase.c cifs: remove pathname for file from SPDX header 2021-09-13 14:51:10 -05:00
xattr.c cifs: fix set of group SID via NTSD xattrs 2022-02-13 14:56:34 -06:00