From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Marios Makassikis <mmakassikis@freebox.fr>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>,
Li hongliang <1468888505@139.com>
Subject: [PATCH 6.6 67/72] ksmbd: fix recursive locking in RPC handle list access
Date: Wed, 4 Feb 2026 15:41:10 +0100 [thread overview]
Message-ID: <20260204143848.069797467@linuxfoundation.org> (raw)
In-Reply-To: <20260204143845.603454952@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marios Makassikis <mmakassikis@freebox.fr>
[ Upstream commit 88f170814fea74911ceab798a43cbd7c5599bed4 ]
Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list
access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.
This causes hung connections / tasks when a client attempts to open
a named pipe. Using Samba's rpcclient tool:
$ rpcclient //192.168.1.254 -U user%password
$ rpcclient $> srvinfo
<connection hung here>
Kernel side:
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000
Workqueue: ksmbd-io handle_ksmbd_work
Call trace:
__schedule from schedule+0x3c/0x58
schedule from schedule_preempt_disabled+0xc/0x10
schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8
rwsem_down_read_slowpath from down_read+0x28/0x30
down_read from ksmbd_session_rpc_method+0x18/0x3c
ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68
ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228
ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8
create_smb2_pipe from smb2_open+0x10c/0x27ac
smb2_open from handle_ksmbd_work+0x238/0x3dc
handle_ksmbd_work from process_scheduled_works+0x160/0x25c
process_scheduled_works from worker_thread+0x16c/0x1e8
worker_thread from kthread+0xa8/0xb8
kthread from ret_from_fork+0x14/0x38
Exception stack(0x8529ffb0 to 0x8529fff8)
The task deadlocks because the lock is already held:
ksmbd_session_rpc_open
down_write(&sess->rpc_lock)
ksmbd_rpc_open
ksmbd_session_rpc_method
down_read(&sess->rpc_lock) <-- deadlock
Adjust ksmbd_session_rpc_method() callers to take the lock when necessary.
Fixes: 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access")
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/mgmt/user_session.c | 7 ++-----
fs/smb/server/smb2pdu.c | 9 ++++++++-
fs/smb/server/transport_ipc.c | 12 ++++++++++++
3 files changed, 22 insertions(+), 6 deletions(-)
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -147,14 +147,11 @@ void ksmbd_session_rpc_close(struct ksmb
int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
{
struct ksmbd_session_rpc *entry;
- int method;
- down_read(&sess->rpc_lock);
+ lockdep_assert_held(&sess->rpc_lock);
entry = xa_load(&sess->rpc_handle_list, id);
- method = entry ? entry->method : 0;
- up_read(&sess->rpc_lock);
- return method;
+ return entry ? entry->method : 0;
}
void ksmbd_session_destroy(struct ksmbd_session *sess)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4614,8 +4614,15 @@ static int smb2_get_info_file_pipe(struc
* pipe without opening it, checking error condition here
*/
id = req->VolatileFileId;
- if (!ksmbd_session_rpc_method(sess, id))
+
+ lockdep_assert_not_held(&sess->rpc_lock);
+
+ down_read(&sess->rpc_lock);
+ if (!ksmbd_session_rpc_method(sess, id)) {
+ up_read(&sess->rpc_lock);
return -ENOENT;
+ }
+ up_read(&sess->rpc_lock);
ksmbd_debug(SMB, "FileInfoClass %u, FileId 0x%llx\n",
req->FileInfoClass, req->VolatileFileId);
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -778,6 +778,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ
if (!msg)
return NULL;
+ lockdep_assert_not_held(&sess->rpc_lock);
+
+ down_read(&sess->rpc_lock);
msg->type = KSMBD_EVENT_RPC_REQUEST;
req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
@@ -786,6 +789,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ
req->flags |= KSMBD_RPC_WRITE_METHOD;
req->payload_sz = payload_sz;
memcpy(req->payload, payload, payload_sz);
+ up_read(&sess->rpc_lock);
resp = ipc_msg_send_request(msg, req->handle);
ipc_msg_free(msg);
@@ -802,6 +806,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_read
if (!msg)
return NULL;
+ lockdep_assert_not_held(&sess->rpc_lock);
+
+ down_read(&sess->rpc_lock);
msg->type = KSMBD_EVENT_RPC_REQUEST;
req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
@@ -809,6 +816,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_read
req->flags |= rpc_context_flags(sess);
req->flags |= KSMBD_RPC_READ_METHOD;
req->payload_sz = 0;
+ up_read(&sess->rpc_lock);
resp = ipc_msg_send_request(msg, req->handle);
ipc_msg_free(msg);
@@ -829,6 +837,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct
if (!msg)
return NULL;
+ lockdep_assert_not_held(&sess->rpc_lock);
+
+ down_read(&sess->rpc_lock);
msg->type = KSMBD_EVENT_RPC_REQUEST;
req = (struct ksmbd_rpc_command *)msg->payload;
req->handle = handle;
@@ -837,6 +848,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct
req->flags |= KSMBD_RPC_IOCTL_METHOD;
req->payload_sz = payload_sz;
memcpy(req->payload, payload, payload_sz);
+ up_read(&sess->rpc_lock);
resp = ipc_msg_send_request(msg, req->handle);
ipc_msg_free(msg);
next prev parent reply other threads:[~2026-02-04 15:22 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 14:40 [PATCH 6.6 00/72] 6.6.123-rc1 review Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 01/72] Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 02/72] net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 03/72] can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 04/72] net: bcmasp: fix early exit leak with fixed phy Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 05/72] octeon_ep: Fix memory leak in octep_device_setup() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 06/72] bonding: annotate data-races around slave->last_rx Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 07/72] net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 08/72] ipv6: use the right ifindex when replying to icmpv6 from localhost Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 09/72] net: wwan: t7xx: fix potential skb->frags overflow in RX path Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 10/72] rocker: fix memory leak in rocker_world_port_post_fini() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 11/72] nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame() Greg Kroah-Hartman
2026-02-04 14:40 ` [Intel-wired-lan] [PATCH 6.6 12/72] ice: stop counting UDP csum mismatch as rx_errors Greg Kroah-Hartman
2026-02-04 14:40 ` Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 13/72] net/mlx5e: TC, delete flows only for existing peers Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 14/72] net/mlx5e: Report rx_discards_phy via rx_dropped Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 15/72] net/mlx5e: Account for netdev stats in ndo_get_stats64 Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 16/72] nfc: nci: Fix race between rfkill and nci_unregister_device() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 17/72] net: bridge: fix static key check Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 18/72] net/mlx5e: Skip ESN replay window setup for IPsec crypto offload Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 19/72] scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 20/72] ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 21/72] gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 22/72] dma/pool: distinguish between missing and exhausted atomic pools Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 23/72] pinctrl: meson: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 24/72] riscv: compat: fix COMPAT_UTS_MACHINE definition Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 25/72] rust: kbuild: give `--config-path` to `rustfmt` in `.rsi` target Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 26/72] ASoC: fsl: imx-card: Do not force slot width to sample width Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 27/72] scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 28/72] ASoC: amd: yc: Add DMI quirk for Acer TravelMate P216-41-TCO Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 29/72] gpio: pca953x: mask interrupts in irq shutdown Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 30/72] scsi: qla2xxx: edif: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 31/72] efivarfs: fix error propagation in efivar_entry_get() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 32/72] mptcp: only reset subflow errors when propagated Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 33/72] selftests: mptcp: check no dup close events after error Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 34/72] selftests: mptcp: check subflow errors in close events Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 35/72] selftests: mptcp: join: fix local endp not being tracked Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 36/72] flex_proportions: make fprop_new_period() hardirq safe Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 37/72] scripts: generate_rust_analyzer: Add compiler_builtins -> core dep Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 38/72] drm/imx/tve: fix probe device leak Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 39/72] drm/amdgpu/soc21: fix xclk for APUs Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 40/72] drm/amdgpu/gfx10: fix wptr reset in KGQ init Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 41/72] drm/amdgpu/gfx11: " Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 42/72] gpio: rockchip: Stop calling pinctrl for set_direction Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 43/72] mm/kfence: randomize the freelist on initialization Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 44/72] arm64/fpsimd: signal: Mandate SVE payload for streaming-mode state Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 45/72] arm64/fpsimd: signal: Consistently read FPSIMD context Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 46/72] arm64/fpsimd: signal: Fix restoration of SVE context Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 47/72] mei: trace: treat reg parameter as string Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 48/72] ksmbd: smbd: fix dma_unmap_sg() nents Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 49/72] drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 50/72] ksmbd: Fix race condition in RPC handle list access Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 51/72] wifi: mac80211: move TDLS work to wiphy work Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 52/72] wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 53/72] team: Move team device type change at the end of team_port_add Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 54/72] drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 55/72] btrfs: prevent use-after-free on page private data in btrfs_subpage_clear_uptodate() Greg Kroah-Hartman
2026-02-04 14:40 ` [PATCH 6.6 56/72] net/sched: act_ife: convert comma to semicolon Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 57/72] ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 58/72] pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 59/72] drm/msm/a6xx: fix bogus hwcg register updates Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 60/72] perf: sched: Fix perf crash with new is_user_task() helper Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 61/72] writeback: fix 100% CPU usage when dirtytime_expire_interval is 0 Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 62/72] mptcp: avoid dup SUB_CLOSED events after disconnect Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 63/72] pinctrl: qcom: sm8350-lpass-lpi: Merge with SC7280 to fix I2S2 and SWR TX pins Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 64/72] drm/amdkfd: Dont use sw fault filter if retry cam enabled Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 65/72] drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 66/72] xsk: Fix race condition in AF_XDP generic RX path Greg Kroah-Hartman
2026-02-04 14:41 ` Greg Kroah-Hartman [this message]
2026-02-04 14:41 ` [PATCH 6.6 68/72] ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 69/72] drm/amd/display: use udelay rather than fsleep Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 70/72] Revert "net: Allow to use SMP threads for backlog NAPI." Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 71/72] Revert "net: Remove conditional threaded-NAPI wakeup based on task state." Greg Kroah-Hartman
2026-02-04 14:41 ` [PATCH 6.6 72/72] bpf/selftests: test_select_reuseport_kern: Remove unused header Greg Kroah-Hartman
2026-02-04 19:52 ` [PATCH 6.6 00/72] 6.6.123-rc1 review Brett A C Sheffield
2026-02-04 20:01 ` Florian Fainelli
2026-02-04 20:27 ` Jon Hunter
2026-02-04 22:49 ` Peter Schneider
2026-02-05 7:46 ` Ron Economos
2026-02-05 8:28 ` Francesco Dolcini
2026-02-05 11:39 ` Mark Brown
2026-02-06 5:54 ` Shung-Hsi Yu
2026-02-06 9:25 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260204143848.069797467@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=1468888505@139.com \
--cc=linkinjeon@kernel.org \
--cc=mmakassikis@freebox.fr \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.