From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Wang Zhaolong <wangzhaolong@huaweicloud.com>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 43/81] smb: client: fix race condition in negotiate timeout by using more precise timing
Date: Tue, 8 Jul 2025 18:23:35 +0200 [thread overview]
Message-ID: <20250708162226.377390027@linuxfoundation.org> (raw)
In-Reply-To: <20250708162224.795155912@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
[ Upstream commit 266b5d02e14f3a0e07414e11f239397de0577a1d ]
When the SMB server reboots and the client immediately accesses the mount
point, a race condition can occur that causes operations to fail with
"Host is down" error.
Reproduction steps:
# Mount SMB share
mount -t cifs //192.168.245.109/TEST /mnt/ -o xxxx
ls /mnt
# Reboot server
ssh root@192.168.245.109 reboot
ssh root@192.168.245.109 /path/to/cifs_server_setup.sh
ssh root@192.168.245.109 systemctl stop firewalld
# Immediate access fails
ls /mnt
ls: cannot access '/mnt': Host is down
# But works if there is a delay
The issue is caused by a race condition between negotiate and reconnect.
The 20-second negotiate timeout mechanism can interfere with the normal
recovery process when both are triggered simultaneously.
ls cifsd
---------------------------------------------------
cifs_getattr
cifs_revalidate_dentry
cifs_get_inode_info
cifs_get_fattr
smb2_query_path_info
smb2_compound_op
SMB2_open_init
smb2_reconnect
cifs_negotiate_protocol
smb2_negotiate
cifs_send_recv
smb_send_rqst
wait_for_response
cifs_demultiplex_thread
cifs_read_from_socket
cifs_readv_from_socket
server_unresponsive
cifs_reconnect
__cifs_reconnect
cifs_abort_connection
mid->mid_state = MID_RETRY_NEEDED
cifs_wake_up_task
cifs_sync_mid_result
// case MID_RETRY_NEEDED
rc = -EAGAIN;
// In smb2_negotiate()
rc = -EHOSTDOWN;
The server_unresponsive() timeout triggers cifs_reconnect(), which aborts
ongoing mid requests and causes the ls command to receive -EAGAIN, leading
to -EHOSTDOWN.
Fix this by introducing a dedicated `neg_start` field to
precisely tracks when the negotiate process begins. The timeout check
now uses this accurate timestamp instead of `lstrp`, ensuring that:
1. Timeout is only triggered after negotiate has actually run for 20s
2. The mechanism doesn't interfere with concurrent recovery processes
3. Uninitialized timestamps (value 0) don't trigger false timeouts
Fixes: 7ccc1465465d ("smb: client: fix hang in wait_for_response() for negproto")
Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/cifsglob.h | 1 +
fs/smb/client/connect.c | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
index 9c5aa646b8cc8..6df50ff6d9184 100644
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -678,6 +678,7 @@ struct TCP_Server_Info {
__le32 session_key_id; /* retrieved from negotiate response and send in session setup request */
struct session_key session_key;
unsigned long lstrp; /* when we got last response from this server */
+ unsigned long neg_start; /* when negotiate started (jiffies) */
struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
#define CIFS_NEGFLAVOR_UNENCAP 1 /* wct == 17, but no ext_sec */
#define CIFS_NEGFLAVOR_EXTENDED 2 /* wct == 17, ext_sec bit set */
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index 6486e514686f0..c3480e84f5c62 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -689,12 +689,12 @@ server_unresponsive(struct TCP_Server_Info *server)
/*
* If we're in the process of mounting a share or reconnecting a session
* and the server abruptly shut down (e.g. socket wasn't closed, packet
- * had been ACK'ed but no SMB response), don't wait longer than 20s to
- * negotiate protocol.
+ * had been ACK'ed but no SMB response), don't wait longer than 20s from
+ * when negotiate actually started.
*/
spin_lock(&server->srv_lock);
if (server->tcpStatus == CifsInNegotiate &&
- time_after(jiffies, server->lstrp + 20 * HZ)) {
+ time_after(jiffies, server->neg_start + 20 * HZ)) {
spin_unlock(&server->srv_lock);
cifs_reconnect(server, false);
return true;
@@ -4219,6 +4219,7 @@ cifs_negotiate_protocol(const unsigned int xid, struct cifs_ses *ses,
server->lstrp = jiffies;
server->tcpStatus = CifsInNegotiate;
+ server->neg_start = jiffies;
spin_unlock(&server->srv_lock);
rc = server->ops->negotiate(xid, ses, server);
--
2.39.5
next prev parent reply other threads:[~2025-07-08 16:27 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-08 16:22 [PATCH 6.1 00/81] 6.1.144-rc1 review Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 01/81] rtc: cmos: use spin_lock_irqsave in cmos_interrupt Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 02/81] s390/pci: Do not try re-enabling load/store if device is disabled Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 03/81] vsock/vmci: Clear the vmci transport packet properly when initializing it Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 04/81] mmc: sdhci: Add a helper function for dump register in dynamic debug mode Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 05/81] Revert "mmc: sdhci: Disable SD card clock before changing parameters" Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 06/81] mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier Greg Kroah-Hartman
2025-07-08 16:22 ` [PATCH 6.1 07/81] Bluetooth: hci_sync: revert some mesh modifications Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 08/81] Bluetooth: MGMT: set_mesh: update LE scan interval and window Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 09/81] Bluetooth: MGMT: mesh_send: check instances prior disabling advertising Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 10/81] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 11/81] usb: typec: altmodes/displayport: do not index invalid pin_assignments Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 12/81] mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 13/81] mtk-sd: Prevent memory corruption from DMA map failure Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 14/81] mtk-sd: reset host->mrq on prepare_data() error Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 15/81] arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 16/81] platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 17/81] RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 18/81] nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 19/81] NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 20/81] scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 21/81] scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 22/81] scsi: ufs: core: Fix spelling of a sysfs attribute name Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 23/81] RDMA/mlx5: Fix CC counters query for MPV Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 24/81] platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 25/81] Bluetooth: Prevent unintended pause by checking if advertising is active Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 26/81] btrfs: fix missing error handling when searching for inode refs during log replay Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 27/81] btrfs: fix iteration of extrefs " Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 28/81] ethernet: atl1: Add missing DMA mapping error checks and count errors Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 29/81] drm/exynos: fimd: Guard display clock control with runtime PM calls Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 30/81] spi: spi-fsl-dspi: Clear completion counter before initiating transfer Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 31/81] drm/i915/selftests: Change mock_request() to return error pointers Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 32/81] platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 33/81] platform/mellanox: mlxreg-lc: Fix logic error in power state check Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 34/81] drm/i915/gt: Fix timeline left held on VMA alloc error Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 35/81] drm/i915/gsc: mei interrupt top half should be in irq disabled context Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 36/81] igc: disable L1.2 PCI-E link substate to avoid performance issue Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 37/81] lib: test_objagg: Set error message in check_expect_hints_stats() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 38/81] amd-xgbe: align CL37 AN sequence as per databook Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 39/81] enic: fix incorrect MTU comparison in enic_change_mtu() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 40/81] rose: fix dangling neighbour pointers in rose_rt_device_down() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 41/81] nui: Fix dma_mapping_error() check Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 42/81] net/sched: Always pass notifications when child class becomes empty Greg Kroah-Hartman
2025-07-08 16:23 ` Greg Kroah-Hartman [this message]
2025-07-08 16:23 ` [PATCH 6.1 44/81] drm/msm: Fix a fence leak in submit error path Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 45/81] drm/msm: Fix another leak in the " Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 46/81] ALSA: sb: Dont allow changing the DMA mode during operations Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 47/81] ALSA: sb: Force to disable DMAs once when DMA mode is changed Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 48/81] ata: libata-acpi: Do not assume 40 wire cable if no devices are enabled Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 49/81] ata: pata_cs5536: fix build on 32-bit UML Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 50/81] powerpc: Fix struct termio related ioctl macros Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 51/81] ASoC: amd: yc: update quirk data for HP Victus Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 52/81] scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 53/81] aoe: defer rexmit timer downdev work to workqueue Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 54/81] wifi: mac80211: drop invalid source address OCB frames Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 55/81] wifi: ath6kl: remove WARN on bad firmware input Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 56/81] ACPICA: Refuse to evaluate a method if arguments are missing Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 57/81] mtd: spinand: fix memory leak of ECC engine conf Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 58/81] rcu: Return early if callback is not specified Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 59/81] virtio-net: ensure the received length does not exceed allocated size Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 60/81] s390/pci: Fix stale function handles in error handling Greg Kroah-Hartman
2025-07-10 8:14 ` Niklas Schnelle
2025-07-10 13:16 ` Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 61/81] drm/v3d: Disable interrupts before resetting the GPU Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 62/81] NFSv4/flexfiles: Fix handling of NFS level errors in I/O Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 63/81] btrfs: use btrfs_record_snapshot_destroy() during rmdir Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 64/81] dpaa2-eth: fix xdp_rxq_info leak Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 65/81] platform/x86: think-lmi: Fix class device unregistration Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 66/81] platform/x86: dell-wmi-sysman: " Greg Kroah-Hartman
2025-07-08 16:23 ` [PATCH 6.1 67/81] net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 68/81] xhci: dbctty: disable ECHO flag by default Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 69/81] xhci: dbc: Flush queued requests before stopping dbc Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 70/81] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 71/81] usb: cdnsp: do not disable slot for disabled slot Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 72/81] dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 73/81] i2c/designware: Fix an initialization issue Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 74/81] Logitech C-270 even more broken Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 75/81] platform/x86: think-lmi: Create ksets consecutively Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 76/81] platform/x86: think-lmi: Fix kobject cleanup Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 77/81] usb: typec: displayport: Fix potential deadlock Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 78/81] x86/bugs: Rename MDS machinery to something more generic Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 79/81] x86/bugs: Add a Transient Scheduler Attacks mitigation Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 80/81] KVM: SVM: Advertise TSA CPUID bits to guests Greg Kroah-Hartman
2025-07-08 16:24 ` [PATCH 6.1 81/81] x86/process: Move the buffer clearing before MONITOR Greg Kroah-Hartman
2025-07-08 16:35 ` Andrew Cooper
2025-07-08 16:48 ` Greg Kroah-Hartman
2025-07-08 16:49 ` Borislav Petkov
2025-07-08 16:52 ` Andrew Cooper
2025-07-09 22:06 ` [PATCH 6.1 00/81] 6.1.144-rc1 review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250708162226.377390027@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=wangzhaolong@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.