[PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Kuniyuki Iwashima]

Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
rmmod") was not only a bogus fix for the LOCKDEP issue but also
introduced a real TCP socket leak.

I'm working on the LOCKDEP fix on the networking side, so let's
revert the commit and its followup fix.

For details, please see each commit.


Kuniyuki Iwashima (2):
  Revert "smb: client: Fix netns refcount imbalance causing leaks and
    use-after-free"
  Revert "smb: client: fix TCP timers deadlock after rmmod"

 fs/smb/client/connect.c | 34 +++++++++-------------------------
 1 file changed, 9 insertions(+), 25 deletions(-)

-- 
2.48.1

[PATCH 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

[Kuniyuki Iwashima]

This reverts commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef.

The commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also
introduces a real issue, TCP sockets leak, which will be explained in
detail in the next revert.

Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0]

Thus, we are reverting the commit and its follow-up commit 4e7f1644f2ac
("smb: client: Fix netns refcount imbalance causing leaks and
use-after-free").

Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0]
Fixes: 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 fs/smb/client/connect.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index 10a7c28d2d44..137a611c5ab0 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -300,7 +300,6 @@ cifs_abort_connection(struct TCP_Server_Info *server)
 			 server->ssocket->flags);
 		sock_release(server->ssocket);
 		server->ssocket = NULL;
-		put_net(cifs_net_ns(server));
 	}
 	server->sequence_number = 0;
 	server->session_estab = false;
@@ -3367,12 +3366,8 @@ generic_ip_connect(struct TCP_Server_Info *server)
 		/*
 		 * Grab netns reference for the socket.
 		 *
-		 * This reference will be released in several situations:
-		 * - In the failure path before the cifsd thread is started.
-		 * - In the all place where server->socket is released, it is
-		 *   also set to NULL.
-		 * - Ultimately in clean_demultiplex_info(), during the final
-		 *   teardown.
+		 * It'll be released here, on error, or in clean_demultiplex_info() upon server
+		 * teardown.
 		 */
 		get_net(net);
 
@@ -3388,8 +3383,10 @@ generic_ip_connect(struct TCP_Server_Info *server)
 	}
 
 	rc = bind_socket(server);
-	if (rc < 0)
+	if (rc < 0) {
+		put_net(cifs_net_ns(server));
 		return rc;
+	}
 
 	/*
 	 * Eventually check for other socket options to change from
@@ -3444,6 +3441,9 @@ generic_ip_connect(struct TCP_Server_Info *server)
 	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
 		rc = ip_rfc1001_connect(server);
 
+	if (rc < 0)
+		put_net(cifs_net_ns(server));
+
 	return rc;
 }
 
-- 
2.48.1

Re: [PATCH 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

[Wang Zhaolong]

Acked-by: Wang Zhaolong <wangzhaolong1@huawei.com>

> This reverts commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef.
> 
> The commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
> rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also
> introduces a real issue, TCP sockets leak, which will be explained in
> detail in the next revert.
> 
> Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0]
> 
> Thus, we are reverting the commit and its follow-up commit 4e7f1644f2ac
> ("smb: client: Fix netns refcount imbalance causing leaks and
> use-after-free").
> 
> Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0]
> Fixes: 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> ---
>   fs/smb/client/connect.c | 16 ++++++++--------
>   1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
> index 10a7c28d2d44..137a611c5ab0 100644
> --- a/fs/smb/client/connect.c
> +++ b/fs/smb/client/connect.c
> @@ -300,7 +300,6 @@ cifs_abort_connection(struct TCP_Server_Info *server)
>   			 server->ssocket->flags);
>   		sock_release(server->ssocket);
>   		server->ssocket = NULL;
> -		put_net(cifs_net_ns(server));
>   	}
>   	server->sequence_number = 0;
>   	server->session_estab = false;
> @@ -3367,12 +3366,8 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   		/*
>   		 * Grab netns reference for the socket.
>   		 *
> -		 * This reference will be released in several situations:
> -		 * - In the failure path before the cifsd thread is started.
> -		 * - In the all place where server->socket is released, it is
> -		 *   also set to NULL.
> -		 * - Ultimately in clean_demultiplex_info(), during the final
> -		 *   teardown.
> +		 * It'll be released here, on error, or in clean_demultiplex_info() upon server
> +		 * teardown.
>   		 */
>   		get_net(net);
>   
> @@ -3388,8 +3383,10 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	}
>   
>   	rc = bind_socket(server);
> -	if (rc < 0)
> +	if (rc < 0) {
> +		put_net(cifs_net_ns(server));
>   		return rc;
> +	}
>   
>   	/*
>   	 * Eventually check for other socket options to change from
> @@ -3444,6 +3441,9 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
>   		rc = ip_rfc1001_connect(server);
>   
> +	if (rc < 0)
> +		put_net(cifs_net_ns(server));
> +
>   	return rc;
>   }
>   

Re: [PATCH 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

[Wang Zhaolong]

Hi Kuniyuki,

When testing this patch on the latest mainline, I found that the following
snippet has a conflict:


> @@ -3444,6 +3441,9 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
>   		rc = ip_rfc1001_connect(server);
>   
> +	if (rc < 0)
> +		put_net(cifs_net_ns(server));
> +
>   	return rc;
>   }
>   

Specifically, it is this line:

>   	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))

In my code, it corresponds to the following snippet:

```
@@ -3333,10 +3330,13 @@ generic_ip_connect(struct TCP_Server_Info *server)
  	}
  	trace_smb3_connect_done(server->hostname, server->conn_id, &server->dstaddr);
  	if (sport == htons(RFC1001_PORT))
  		rc = ip_rfc1001_connect(server);
  
+	if (rc < 0)
+		put_net(cifs_net_ns(server));
+
  	return rc;
  }
```

Looks like V3 needs to be sent?

Best regards,
Wang Zhaolong

Re: [PATCH 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

[Kuniyuki Iwashima]

From: Wang Zhaolong <wangzhaolong1@huawei.com>
Date: Thu, 3 Apr 2025 17:59:20 +0800
> Hi Kuniyuki,
> 
> When testing this patch on the latest mainline, I found that the following
> snippet has a conflict:

I guess it's because I used for-next branch of the cifs.git.

Steve:

What branch should be used to send reverts for -rcX ?


> 
> 
> > @@ -3444,6 +3441,9 @@ generic_ip_connect(struct TCP_Server_Info *server)
> >   	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
> >   		rc = ip_rfc1001_connect(server);
> >   
> > +	if (rc < 0)
> > +		put_net(cifs_net_ns(server));
> > +
> >   	return rc;
> >   }
> >   
> 
> Specifically, it is this line:
> 
> >   	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
> 
> In my code, it corresponds to the following snippet:
> 
> ```
> @@ -3333,10 +3330,13 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	}
>   	trace_smb3_connect_done(server->hostname, server->conn_id, &server->dstaddr);
>   	if (sport == htons(RFC1001_PORT))
>   		rc = ip_rfc1001_connect(server);
>   
> +	if (rc < 0)
> +		put_net(cifs_net_ns(server));
> +
>   	return rc;
>   }
> ```
> 
> Looks like V3 needs to be sent?
> 
> Best regards,
> Wang Zhaolong

Re: [PATCH 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

[Steve French]

> What branch should be used to send reverts for -rcX ?

cifs-2.6.git for-next

But probably won't be an issue in a few days (since mainline then will
likely include the conflicting patch - which fortunately is unrelated
to this discussion, just fixes an RFC1001 bug)

On Thu, Apr 3, 2025 at 12:27 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> From: Wang Zhaolong <wangzhaolong1@huawei.com>
> Date: Thu, 3 Apr 2025 17:59:20 +0800
> > Hi Kuniyuki,
> >
> > When testing this patch on the latest mainline, I found that the following
> > snippet has a conflict:
>
> I guess it's because I used for-next branch of the cifs.git.
>
> Steve:
>
> What branch should be used to send reverts for -rcX ?
>
>
> >
> >
> > > @@ -3444,6 +3441,9 @@ generic_ip_connect(struct TCP_Server_Info *server)
> > >         (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
> > >             rc = ip_rfc1001_connect(server);
> > >
> > > +   if (rc < 0)
> > > +           put_net(cifs_net_ns(server));
> > > +
> > >     return rc;
> > >   }
> > >
> >
> > Specifically, it is this line:
> >
> > >         (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
> >
> > In my code, it corresponds to the following snippet:
> >
> > ```
> > @@ -3333,10 +3330,13 @@ generic_ip_connect(struct TCP_Server_Info *server)
> >       }
> >       trace_smb3_connect_done(server->hostname, server->conn_id, &server->dstaddr);
> >       if (sport == htons(RFC1001_PORT))
> >               rc = ip_rfc1001_connect(server);
> >
> > +     if (rc < 0)
> > +             put_net(cifs_net_ns(server));
> > +
> >       return rc;
> >   }
> > ```
> >
> > Looks like V3 needs to be sent?
> >
> > Best regards,
> > Wang Zhaolong
>


-- 
Thanks,

Steve

Re: [PATCH 1/2] Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"

[Kuniyuki Iwashima]

From: Steve French <smfrench@gmail.com>
Date: Thu, 3 Apr 2025 12:32:35 -0500
> > What branch should be used to send reverts for -rcX ?
> 
> cifs-2.6.git for-next
> 
> But probably won't be an issue in a few days (since mainline then will
> likely include the conflicting patch - which fortunately is unrelated
> to this discussion, just fixes an RFC1001 bug)

Thanks, then I'd leave v2 as is for now.

[PATCH 2/2] Revert "smb: client: fix TCP timers deadlock after rmmod"

[Kuniyuki Iwashima]

This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801.

Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is
mentioned as CVE-2024-54680, but is actually did not fix anything;
The issue can be reproduced on top of it. [0]

Also, it reverted the change by commit ef7134c7fc48 ("smb: client:
Fix use-after-free of network namespace.") and introduced a real
issue by reviving the kernel TCP socket.

When a reconnect happens for a CIFS connection, the socket state
transitions to FIN_WAIT_1.  Then, inet_csk_clear_xmit_timers_sync()
in tcp_close() stops all timers for the socket.

If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1
forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans.

Usually, FIN can be retransmitted by the peer, but if the peer aborts
the connection, the issue comes into reality.

I warned about this privately by pointing out the exact report [1],
but the bogus fix was finally merged.

So, we should not stop the timers to finally kill the connection on
our side in that case, meaning we must not use a kernel socket for
TCP whose sk->sk_net_refcnt is 0.

The kernel socket does not have a reference to its netns to make it
possible to tear down netns without cleaning up every resource in it.

For example, tunnel devices use a UDP socket internally, but we can
destroy netns without removing such devices and let it complete
during exit.  Otherwise, netns would be leaked when the last application
died.

However, this is problematic for TCP sockets because TCP has timers to
close the connection gracefully even after the socket is close()d.  The
lifetime of the socket and its netns is different from the lifetime of
the underlying connection.

If the socket user does not maintain the netns lifetime, the timer could
be fired after the socket is close()d and its netns is freed up, resulting
in use-after-free.

Actually, we have seen so many similar issues and converted such sockets
to have a reference to netns.

That's why I converted the CIFS client socket to have a reference to
netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope
of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right
fix**.

Regarding the LOCKDEP issue, we can prevent the module unload by
bumping the module refcount when switching the LOCKDDEP key in
sock_lock_init_class_and_name(). [2]

For a while, let's revert the bogus fix.

Note that now we can use sk_net_refcnt_upgrade() for the socket
conversion, but I'll do so later separately to make backport easy.

Link: https://lore.kernel.org/all/20250402020807.28583-1-kuniyu@amazon.com/ #[0]
Link: https://lore.kernel.org/netdev/c08bd5378da647a2a4c16698125d180a@huawei.com/ #[1]
Link: https://lore.kernel.org/lkml/20250402005841.19846-1-kuniyu@amazon.com/ #[2]
Fixes: e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 fs/smb/client/connect.c | 36 ++++++++++--------------------------
 1 file changed, 10 insertions(+), 26 deletions(-)

diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index 137a611c5ab0..989d8808260b 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1073,13 +1073,9 @@ clean_demultiplex_info(struct TCP_Server_Info *server)
 	msleep(125);
 	if (cifs_rdma_enabled(server))
 		smbd_destroy(server);
-
 	if (server->ssocket) {
 		sock_release(server->ssocket);
 		server->ssocket = NULL;
-
-		/* Release netns reference for the socket. */
-		put_net(cifs_net_ns(server));
 	}
 
 	if (!list_empty(&server->pending_mid_q)) {
@@ -1127,7 +1123,6 @@ clean_demultiplex_info(struct TCP_Server_Info *server)
 		 */
 	}
 
-	/* Release netns reference for this server. */
 	put_net(cifs_net_ns(server));
 	kfree(server->leaf_fullpath);
 	kfree(server->hostname);
@@ -1773,8 +1768,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx,
 
 	tcp_ses->ops = ctx->ops;
 	tcp_ses->vals = ctx->vals;
-
-	/* Grab netns reference for this server. */
 	cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
 
 	tcp_ses->sign = ctx->sign;
@@ -1902,7 +1895,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx,
 out_err_crypto_release:
 	cifs_crypto_secmech_release(tcp_ses);
 
-	/* Release netns reference for this server. */
 	put_net(cifs_net_ns(tcp_ses));
 
 out_err:
@@ -1911,10 +1903,8 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx,
 			cifs_put_tcp_session(tcp_ses->primary_server, false);
 		kfree(tcp_ses->hostname);
 		kfree(tcp_ses->leaf_fullpath);
-		if (tcp_ses->ssocket) {
+		if (tcp_ses->ssocket)
 			sock_release(tcp_ses->ssocket);
-			put_net(cifs_net_ns(tcp_ses));
-		}
 		kfree(tcp_ses);
 	}
 	return ERR_PTR(rc);
@@ -3356,20 +3346,20 @@ generic_ip_connect(struct TCP_Server_Info *server)
 		socket = server->ssocket;
 	} else {
 		struct net *net = cifs_net_ns(server);
+		struct sock *sk;
 
-		rc = sock_create_kern(net, sfamily, SOCK_STREAM, IPPROTO_TCP, &server->ssocket);
+		rc = __sock_create(net, sfamily, SOCK_STREAM,
+				   IPPROTO_TCP, &server->ssocket, 1);
 		if (rc < 0) {
 			cifs_server_dbg(VFS, "Error %d creating socket\n", rc);
 			return rc;
 		}
 
-		/*
-		 * Grab netns reference for the socket.
-		 *
-		 * It'll be released here, on error, or in clean_demultiplex_info() upon server
-		 * teardown.
-		 */
-		get_net(net);
+		sk = server->ssocket->sk;
+		__netns_tracker_free(net, &sk->ns_tracker, false);
+		sk->sk_net_refcnt = 1;
+		get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
+		sock_inuse_add(net, 1);
 
 		/* BB other socket options to set KEEPALIVE, NODELAY? */
 		cifs_dbg(FYI, "Socket created\n");
@@ -3383,10 +3373,8 @@ generic_ip_connect(struct TCP_Server_Info *server)
 	}
 
 	rc = bind_socket(server);
-	if (rc < 0) {
-		put_net(cifs_net_ns(server));
+	if (rc < 0)
 		return rc;
-	}
 
 	/*
 	 * Eventually check for other socket options to change from
@@ -3423,7 +3411,6 @@ generic_ip_connect(struct TCP_Server_Info *server)
 	if (rc < 0) {
 		cifs_dbg(FYI, "Error %d connecting to server\n", rc);
 		trace_smb3_connect_err(server->hostname, server->conn_id, &server->dstaddr, rc);
-		put_net(cifs_net_ns(server));
 		sock_release(socket);
 		server->ssocket = NULL;
 		return rc;
@@ -3441,9 +3428,6 @@ generic_ip_connect(struct TCP_Server_Info *server)
 	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
 		rc = ip_rfc1001_connect(server);
 
-	if (rc < 0)
-		put_net(cifs_net_ns(server));
-
 	return rc;
 }
 
-- 
2.48.1

Re: [PATCH 2/2] Revert "smb: client: fix TCP timers deadlock after rmmod"

[Wang Zhaolong]

Thanks Kuniyuki for the thorough explanation and fix. Your analysis of
the TCP socket lifecycle and reference counting is excellent!

This reversion is definitely the right approach.

Acked-by: Wang Zhaolong <wangzhaolong1@huawei.com>

> This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801.
> 
> Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
> rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is
> mentioned as CVE-2024-54680, but is actually did not fix anything;
> The issue can be reproduced on top of it. [0]
> 
> Also, it reverted the change by commit ef7134c7fc48 ("smb: client:
> Fix use-after-free of network namespace.") and introduced a real
> issue by reviving the kernel TCP socket.
> 
> When a reconnect happens for a CIFS connection, the socket state
> transitions to FIN_WAIT_1.  Then, inet_csk_clear_xmit_timers_sync()
> in tcp_close() stops all timers for the socket.
> 
> If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1
> forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans.
> 
> Usually, FIN can be retransmitted by the peer, but if the peer aborts
> the connection, the issue comes into reality.
> 
> I warned about this privately by pointing out the exact report [1],
> but the bogus fix was finally merged.
> 
> So, we should not stop the timers to finally kill the connection on
> our side in that case, meaning we must not use a kernel socket for
> TCP whose sk->sk_net_refcnt is 0.
> 
> The kernel socket does not have a reference to its netns to make it
> possible to tear down netns without cleaning up every resource in it.
> 
> For example, tunnel devices use a UDP socket internally, but we can
> destroy netns without removing such devices and let it complete
> during exit.  Otherwise, netns would be leaked when the last application
> died.
> 
> However, this is problematic for TCP sockets because TCP has timers to
> close the connection gracefully even after the socket is close()d.  The
> lifetime of the socket and its netns is different from the lifetime of
> the underlying connection.
> 
> If the socket user does not maintain the netns lifetime, the timer could
> be fired after the socket is close()d and its netns is freed up, resulting
> in use-after-free.
> 
> Actually, we have seen so many similar issues and converted such sockets
> to have a reference to netns.
> 
> That's why I converted the CIFS client socket to have a reference to
> netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope
> of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right
> fix**.
> 
> Regarding the LOCKDEP issue, we can prevent the module unload by
> bumping the module refcount when switching the LOCKDDEP key in
> sock_lock_init_class_and_name(). [2]
> 
> For a while, let's revert the bogus fix.
> 
> Note that now we can use sk_net_refcnt_upgrade() for the socket
> conversion, but I'll do so later separately to make backport easy.
> 
> Link: https://lore.kernel.org/all/20250402020807.28583-1-kuniyu@amazon.com/ #[0]
> Link: https://lore.kernel.org/netdev/c08bd5378da647a2a4c16698125d180a@huawei.com/ #[1]
> Link: https://lore.kernel.org/lkml/20250402005841.19846-1-kuniyu@amazon.com/ #[2]
> Fixes: e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> ---
>   fs/smb/client/connect.c | 36 ++++++++++--------------------------
>   1 file changed, 10 insertions(+), 26 deletions(-)
> 
> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
> index 137a611c5ab0..989d8808260b 100644
> --- a/fs/smb/client/connect.c
> +++ b/fs/smb/client/connect.c
> @@ -1073,13 +1073,9 @@ clean_demultiplex_info(struct TCP_Server_Info *server)
>   	msleep(125);
>   	if (cifs_rdma_enabled(server))
>   		smbd_destroy(server);
> -
>   	if (server->ssocket) {
>   		sock_release(server->ssocket);
>   		server->ssocket = NULL;
> -
> -		/* Release netns reference for the socket. */
> -		put_net(cifs_net_ns(server));
>   	}
>   
>   	if (!list_empty(&server->pending_mid_q)) {
> @@ -1127,7 +1123,6 @@ clean_demultiplex_info(struct TCP_Server_Info *server)
>   		 */
>   	}
>   
> -	/* Release netns reference for this server. */
>   	put_net(cifs_net_ns(server));
>   	kfree(server->leaf_fullpath);
>   	kfree(server->hostname);
> @@ -1773,8 +1768,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx,
>   
>   	tcp_ses->ops = ctx->ops;
>   	tcp_ses->vals = ctx->vals;
> -
> -	/* Grab netns reference for this server. */
>   	cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
>   
>   	tcp_ses->sign = ctx->sign;
> @@ -1902,7 +1895,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx,
>   out_err_crypto_release:
>   	cifs_crypto_secmech_release(tcp_ses);
>   
> -	/* Release netns reference for this server. */
>   	put_net(cifs_net_ns(tcp_ses));
>   
>   out_err:
> @@ -1911,10 +1903,8 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx,
>   			cifs_put_tcp_session(tcp_ses->primary_server, false);
>   		kfree(tcp_ses->hostname);
>   		kfree(tcp_ses->leaf_fullpath);
> -		if (tcp_ses->ssocket) {
> +		if (tcp_ses->ssocket)
>   			sock_release(tcp_ses->ssocket);
> -			put_net(cifs_net_ns(tcp_ses));
> -		}
>   		kfree(tcp_ses);
>   	}
>   	return ERR_PTR(rc);
> @@ -3356,20 +3346,20 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   		socket = server->ssocket;
>   	} else {
>   		struct net *net = cifs_net_ns(server);
> +		struct sock *sk;
>   
> -		rc = sock_create_kern(net, sfamily, SOCK_STREAM, IPPROTO_TCP, &server->ssocket);
> +		rc = __sock_create(net, sfamily, SOCK_STREAM,
> +				   IPPROTO_TCP, &server->ssocket, 1);
>   		if (rc < 0) {
>   			cifs_server_dbg(VFS, "Error %d creating socket\n", rc);
>   			return rc;
>   		}
>   
> -		/*
> -		 * Grab netns reference for the socket.
> -		 *
> -		 * It'll be released here, on error, or in clean_demultiplex_info() upon server
> -		 * teardown.
> -		 */
> -		get_net(net);
> +		sk = server->ssocket->sk;
> +		__netns_tracker_free(net, &sk->ns_tracker, false);
> +		sk->sk_net_refcnt = 1;
> +		get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
> +		sock_inuse_add(net, 1);
>   
>   		/* BB other socket options to set KEEPALIVE, NODELAY? */
>   		cifs_dbg(FYI, "Socket created\n");
> @@ -3383,10 +3373,8 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	}
>   
>   	rc = bind_socket(server);
> -	if (rc < 0) {
> -		put_net(cifs_net_ns(server));
> +	if (rc < 0)
>   		return rc;
> -	}
>   
>   	/*
>   	 * Eventually check for other socket options to change from
> @@ -3423,7 +3411,6 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	if (rc < 0) {
>   		cifs_dbg(FYI, "Error %d connecting to server\n", rc);
>   		trace_smb3_connect_err(server->hostname, server->conn_id, &server->dstaddr, rc);
> -		put_net(cifs_net_ns(server));
>   		sock_release(socket);
>   		server->ssocket = NULL;
>   		return rc;
> @@ -3441,9 +3428,6 @@ generic_ip_connect(struct TCP_Server_Info *server)
>   	    (server->rfc1001_sessinit == -1 && sport == htons(RFC1001_PORT)))
>   		rc = ip_rfc1001_connect(server);
>   
> -	if (rc < 0)
> -		put_net(cifs_net_ns(server));
> -
>   	return rc;
>   }
>   

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Steve French]

might be helpful if there were eBPF tracepoints for some of this that
would be able to log warnings optionally if refcount issue on
sock_release and/or rmmod


On Wed, Apr 2, 2025 at 3:03 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
> rmmod") was not only a bogus fix for the LOCKDEP issue but also
> introduced a real TCP socket leak.
>
> I'm working on the LOCKDEP fix on the networking side, so let's
> revert the commit and its followup fix.
>
> For details, please see each commit.
>
>
> Kuniyuki Iwashima (2):
>   Revert "smb: client: Fix netns refcount imbalance causing leaks and
>     use-after-free"
>   Revert "smb: client: fix TCP timers deadlock after rmmod"
>
>  fs/smb/client/connect.c | 34 +++++++++-------------------------
>  1 file changed, 9 insertions(+), 25 deletions(-)
>
> --
> 2.48.1
>
>


-- 
Thanks,

Steve

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Kuniyuki Iwashima]

From: Steve French <smfrench@gmail.com>
Date: Wed, 2 Apr 2025 20:14:03 -0500
> might be helpful if there were eBPF tracepoints for some of this that
> would be able to log warnings optionally if refcount issue on
> sock_release and/or rmmod

I just posted a fix and there explained that the socket and module
refcnt discrepancy is totally fine without LOCKDEP.

https://lore.kernel.org/netdev/20250403020837.51664-1-kuniyu@amazon.com/

So, in this case, the helpful warning is one logged by hlock_class().

As it returns NULL and triggers null-ptr-derf, it means something went
wrong, and I guess it was acceptable because LOCKDEP is not enabled in
production.

Btw, I posted v2 with Cc: stable tags as requested by Greg, so please
drop this v1.

https://lore.kernel.org/linux-cifs/20250402202714.6799-1-kuniyu@amazon.com/

Thanks!

> 
> 
> On Wed, Apr 2, 2025 at 3:03 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> >
> > Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
> > rmmod") was not only a bogus fix for the LOCKDEP issue but also
> > introduced a real TCP socket leak.
> >
> > I'm working on the LOCKDEP fix on the networking side, so let's
> > revert the commit and its followup fix.
> >
> > For details, please see each commit.
> >
> >
> > Kuniyuki Iwashima (2):
> >   Revert "smb: client: Fix netns refcount imbalance causing leaks and
> >     use-after-free"
> >   Revert "smb: client: fix TCP timers deadlock after rmmod"
> >
> >  fs/smb/client/connect.c | 34 +++++++++-------------------------
> >  1 file changed, 9 insertions(+), 25 deletions(-)
> >
> > --
> > 2.48.1

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Steve French]

I can run some regression tests with these two patches, but it would
be very helpful if the original patch authors could comment (Wang and
Enzo), and since this apparently relies on a fix to the network stack
(the LOCKDEP fix) it would be helpful if any opinions from the network
devs.

For a complex issue like this it is important to have at least some
Tested-by or Reviewed-by for these two, because I was having trouble
reproducing the various reported problems on Ubuntu (or our Fedora
test VMs), and the refcount issues are more complicated they seem.
Let me know if anyone has reviewed these two patches or tested them.


On Wed, Apr 2, 2025 at 9:19 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> From: Steve French <smfrench@gmail.com>
> Date: Wed, 2 Apr 2025 20:14:03 -0500
> > might be helpful if there were eBPF tracepoints for some of this that
> > would be able to log warnings optionally if refcount issue on
> > sock_release and/or rmmod
>
> I just posted a fix and there explained that the socket and module
> refcnt discrepancy is totally fine without LOCKDEP.
>
> https://lore.kernel.org/netdev/20250403020837.51664-1-kuniyu@amazon.com/
>
> So, in this case, the helpful warning is one logged by hlock_class().
>
> As it returns NULL and triggers null-ptr-derf, it means something went
> wrong, and I guess it was acceptable because LOCKDEP is not enabled in
> production.
>
> Btw, I posted v2 with Cc: stable tags as requested by Greg, so please
> drop this v1.
>
> https://lore.kernel.org/linux-cifs/20250402202714.6799-1-kuniyu@amazon.com/
>
> Thanks!
>
> >
> >
> > On Wed, Apr 2, 2025 at 3:03 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> > >
> > > Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
> > > rmmod") was not only a bogus fix for the LOCKDEP issue but also
> > > introduced a real TCP socket leak.
> > >
> > > I'm working on the LOCKDEP fix on the networking side, so let's
> > > revert the commit and its followup fix.
> > >
> > > For details, please see each commit.
> > >
> > >
> > > Kuniyuki Iwashima (2):
> > >   Revert "smb: client: Fix netns refcount imbalance causing leaks and
> > >     use-after-free"
> > >   Revert "smb: client: fix TCP timers deadlock after rmmod"
> > >
> > >  fs/smb/client/connect.c | 34 +++++++++-------------------------
> > >  1 file changed, 9 insertions(+), 25 deletions(-)
> > >
> > > --
> > > 2.48.1



-- 
Thanks,

Steve

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Wang Zhaolong]

> For a complex issue like this it is important to have at least some
> Tested-by or Reviewed-by for these two, because I was having trouble
> reproducing the various reported problems on Ubuntu (or our Fedora
> test VMs), and the refcount issues are more complicated they seem.
> Let me know if anyone has reviewed these two patches or tested them.
> 

Hi Steve,

I can confirm these issues on my test environment. I'm currently using
Debian Testing (Trixie) for my development work. I've also observed the
unexpected phenomenon on Ubuntu 16.04 LTS when running the test cases.

I suspect the difficulty in reproducing might be related to rootfs image
versions - particularly with older distros like Ubuntu 16.04, as the
test case involves numerous dependent packages.

The issue of net_ns reference count leakage is not fully resolved yet.
Based on that use case, the net_ns count leakage problem can still be
constructed by adding various network faults.

I'm currently modernizing my development environment and working on
automating it. In the future, I will try to provide more comprehensive
reproduction steps when reporting problems, including detailed
instructions for setting up the environment.

Best regards,
Wang Zhaolong

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Kuniyuki Iwashima]

From: Steve French <smfrench@gmail.com>
Date: Wed, 2 Apr 2025 22:19:36 -0500
> I can run some regression tests with these two patches, but it would
> be very helpful if the original patch authors could comment (Wang and
> Enzo), and since this apparently relies on a fix to the network stack
> (the LOCKDEP fix) it would be helpful if any opinions from the network
> devs.
> 
> For a complex issue like this it is important to have at least some
> Tested-by or Reviewed-by for these two, because I was having trouble
> reproducing the various reported problems on Ubuntu (or our Fedora
> test VMs), and the refcount issues are more complicated they seem.
> Let me know if anyone has reviewed these two patches or tested them.

Hi Steve,

The lockdep fix was merged on the networking side and will be sent to
the mainline this week.
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=0bb2f7a1ad1f

As you mentioned Fedora, I tried ksmbd and created a repro script that
works on a single host.

On my Fedora VM, I ran the prep & reproducer scripts and successfully
triggered the issue on cifs-2.6.git/for-next with/without reverts.

I hope this helps you reproduce the issue and verify the patch on your
Fedora test VM.

Please let me know if there's anything I can help.

Thanks!


Prerequisite:

1. On VM, the user is expected to be root
2. ffa1e7ada456 needs to be reverted (as it stopped lockdep during
   boot on my VM)
3. .config is created based on x86_64_defconfig

---8<---
make defconfig
./scripts/config -m CONFIG_CIFS -m CONFIG_SMB_SERVER -e CONFIG_PROVE_LOCKING
make olddefconfig
make -j $(nproc)
---8<---


Prep:

This script builds ksmbd-tools and installs it and cifs-utils,
iproute (for ss), and iptables-legacy (for iptables).

---8<---
#!/bin/bash

#
# Build and install ksmbd-tools
# See https://github.com/cifsd-team/ksmbd-tools?tab=readme-ov-file#building-and-installing
#
dnf install -y git gcc pkgconf autoconf automake libtool make meson ninja-build gawk libnl3-devel glib2-devel
git clone https://github.com/cifsd-team/ksmbd-tools.git
cd ksmbd-tools
./autogen.sh
./configure --with-rundir=/run
make
make install
cd ~/


#
# CIFS client
#
dnf install -y cifs-utils


#
# Networking utilities
#
dnf install -y iproute iptables-legacy
---8<---


Reproducer:

---8<----
#!/bin/bash

function show_sk_mod_ref()
{
    ss -tan | grep 445
    lsmod | grep cifs
}

set -x


#
# Share /root/server
#
mkdir server
touch server/a.txt
ksmbd.addshare --add --option "path = /root/server" --option 'read only = no' server
ksmbd.adduser --password test root
modprobe ksmbd
ksmbd.mountd


#
# Mount /root/server as /root/client
#
mkdir client
mount -t cifs -o vers=3.0,echo_interval=1,user=root,password=test //127.0.0.1/server /root/client


#
# Drop FIN packet from CIFS client
#
iptables -A OUTPUT -p tcp --dport 445 -j DROP


show_sk_mod_ref


#
# Unmount /root/client
#
until umount client; do
    sleep 1
done

show_sk_mod_ref


#
# Unload module, and then lockdep will complain.
#
until rmmod cifs; do
    show_sk_mod_ref
    sleep 3
done


show_sk_mod_ref
---8<---


FWIW, here's output of the repro including console output.

---8<---
Fedora Linux 41 (Container Image)
Kernel 6.15.0-rc1-00011-gf78f3365efed on an x86_64 (console)

fedora login: root
Last login: Fri Apr 11 06:20:39 on console
[root@fedora ~]# ./repro.sh 
+ mkdir server
+ touch server/a.txt
+ ksmbd.addshare --add --option 'path = /root/server' --option 'read only = no' server
[ksmbd.addshare/831]: INFO: No user database
[ksmbd.addshare/831]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbd.conf'
[ksmbd.addshare/831]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbd.conf'
[ksmbd.addshare/831]: INFO: Added share `server'
[ksmbd.addshare/831]: INFO: Ignored lock file
+ ksmbd.adduser --password test root
[ksmbd.adduser/832]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbdpwd.db'
[ksmbd.adduser/832]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbdpwd.db'
[ksmbd.adduser/832]: INFO: Added user `root'
[ksmbd.adduser/832]: INFO: Ignored lock file
+ modprobe ksmbd
+ ksmbd.mountd
[ksmbd.mountd/835]: INFO: Started manager
+ mkdir client
+ mount -t cifs -o vers=3.0,echo_interval=1,user=root,password=test //127.0.0.1/server /root/client
[  113.929225] Key type cifs.idmap registered
[  113.930423] CIFS: Attempting to mount //127.0.0.1/server
[  113.993548] mount.cifs (843) used greatest stack depth: 11208 bytes left
+ iptables -A OUTPUT -p tcp --dport 445 -j DROP
+ show_sk_mod_ref
+ ss -tan
+ grep 445
ESTAB  0      0               127.0.0.1:34814          127.0.0.1:445  
LISTEN 0      0                       *:445                    *:*    
LISTEN 0      0                       *:445                    *:*    
ESTAB  0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
+ lsmod
+ grep cifs
cifs                 1175552  2
cifs_md4               12288  1 cifs
cifs_arc4              12288  2 cifs,ksmbd
nls_ucs2_utils          8192  2 cifs,ksmbd
+ umount client
[  121.064583] CIFS: VFS: \\127.0.0.1 has not responded in 3 seconds. Reconnecting...
+ show_sk_mod_ref
+ ss -tan
+ grep 445
FIN-WAIT-1 0      145             127.0.0.1:34814          127.0.0.1:445  
LISTEN     0      0                       *:445                    *:*    
LISTEN     0      0                       *:445                    *:*    
ESTAB      0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
+ lsmod
+ grep cifs
cifs                 1175552  1
cifs_md4               12288  1 cifs
cifs_arc4              12288  2 cifs,ksmbd
nls_ucs2_utils          8192  2 cifs,ksmbd
+ rmmod cifs
rmmod: ERROR: Module cifs is in use
+ show_sk_mod_ref
+ ss -tan
+ grep 445
FIN-WAIT-1 0      145             127.0.0.1:34814          127.0.0.1:445  
LISTEN     0      0                       *:445                    *:*    
LISTEN     0      0                       *:445                    *:*    
ESTAB      0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
+ lsmod
+ grep cifs
cifs                 1175552  1
cifs_md4               12288  1 cifs
cifs_arc4              12288  2 cifs,ksmbd
nls_ucs2_utils          8192  2 cifs,ksmbd
+ sleep 3
+ rmmod cifs
[  127.142558] Key type cifs.idmap unregistered
+ show_sk_mod_ref
+ ss -tan
+ grep 445
FIN-WAIT-1 0      145             127.0.0.1:34814          127.0.0.1:445  
LISTEN     0      0                       *:445                    *:*    
LISTEN     0      0                       *:445                    *:*    
ESTAB      0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
+ lsmod
+ grep cifs
cifs_md4               12288  0
cifs_arc4              12288  1 ksmbd
[root@fedora ~]# [  127.414391] ------------[ cut here ]------------
[  127.414940] DEBUG_LOCKS_WARN_ON(1)
[  127.414950] WARNING: CPU: 62 PID: 0 at kernel/locking/lockdep.c:237 hlock_class+0x5f/0x70
[  127.416185] Modules linked in: cifs_md4 ksmbd cifs_arc4 nls_ucs2_utils [last unloaded: cifs]
[  127.417066] CPU: 62 UID: 0 PID: 0 Comm: swapper/62 Not tainted 6.15.0-rc1-00011-gf78f3365efed #3 PREEMPT(voluntary) 
[  127.418158] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[  127.419312] RIP: 0010:hlock_class+0x5f/0x70
[  127.419745] Code: ef 90 e8 c4 8f 4d 00 85 c0 74 23 8b 05 ba 8c bf 01 85 c0 75 19 90 48 c7 c6 13 fb a1 82 48 c7 c7 cc 76 a0 82 e8 92 b4 f7 ff 90 <0f> 0b 90 90 90 31 c0 c3 cc cc cc cc 0f 1f 44 00 00 90 90 90 90 90
[  127.421622] RSP: 0018:ffa0000000d60c20 EFLAGS: 00010086
[  127.422146] RAX: 0000000000000000 RBX: ff11000100b12b38 RCX: 0000000000000027
[  127.422890] RDX: ff1100081fd97c08 RSI: 0000000000000001 RDI: ff1100081fd97c00
[  127.423624] RBP: ff11000100b12100 R08: ff1100083fe6e0e8 R09: 00000000ffffbfff
[  127.424365] R10: ff1100081eca0000 R11: ff1100083fe10cf8 R12: ff11000100b12b60
[  127.425099] R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424ac
[  127.425827] FS:  0000000000000000(0000) GS:ff1100089c5bb000(0000) knlGS:0000000000000000
[  127.426657] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.427259] CR2: 00007f714e3ab0d8 CR3: 0000000002c4c006 CR4: 0000000000771ef0
[  127.428004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  127.428738] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[  127.429465] PKRU: 55555554
[  127.429753] Call Trace:
[  127.430012]  <IRQ>
[  127.430231]  __lock_acquire+0x21d/0x1730
[  127.430631]  ? __lock_acquire+0xa4f/0x1730
[  127.431054]  lock_acquire+0xbd/0x2d0
[  127.431427]  ? tcp_write_timer+0x5a/0x120
[  127.431846]  ? lock_acquire+0xbd/0x2d0
[  127.432244]  ? call_timer_fn+0x71/0x260
[  127.432651]  ? __pfx_tcp_write_timer+0x10/0x10
[  127.433116]  _raw_spin_lock+0x2b/0x40
[  127.433506]  ? tcp_write_timer+0x5a/0x120
[  127.433915]  tcp_write_timer+0x5a/0x120
[  127.434317]  ? __pfx_tcp_write_timer+0x10/0x10
[  127.434776]  call_timer_fn+0x9d/0x260
[  127.435154]  __run_timers+0x1f9/0x300
[  127.435538]  ? find_held_lock+0x2b/0x80
[  127.435933]  ? tmigr_handle_remote_up+0x1a6/0x370
[  127.436422]  timer_expire_remote+0x36/0x50
[  127.436852]  tmigr_handle_remote_up+0x2a5/0x370
[  127.437327]  ? find_held_lock+0x2b/0x80
[  127.437726]  ? tmigr_handle_remote+0x88/0xd0
[  127.438157]  ? lock_release+0xc6/0x290
[  127.438530]  ? __pfx_tmigr_handle_remote_up+0x10/0x10
[  127.439037]  __walk_groups.isra.0+0x1a/0x70
[  127.439464]  tmigr_handle_remote+0xa0/0xd0
[  127.439892]  ? kvm_clock_get_cycles+0x18/0x30
[  127.440343]  handle_softirqs+0xbd/0x3b0
[  127.440738]  __irq_exit_rcu+0xa1/0xc0
[  127.441111]  irq_exit_rcu+0x9/0x20
[  127.441469]  sysvec_apic_timer_interrupt+0x6f/0x80
[  127.441968]  </IRQ>
[  127.442198]  <TASK>
[  127.442428]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[  127.442965] RIP: 0010:pv_native_safe_halt+0xf/0x20
[  127.443469] Code: 56 7a 00 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c5 af 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[  127.445348] RSP: 0018:ffa000000028fee0 EFLAGS: 00000206
[  127.445882] RAX: 0000000000004e63 RBX: ff11000100b12100 RCX: 0000000000000000
[  127.446619] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f81df
[  127.447348] RBP: 000000000000003e R08: 0000000000000001 R09: 0000000000000000
[  127.448077] R10: 0000000000000001 R11: 0000000000000080 R12: 0000000000000000
[  127.448805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  127.449541]  ? do_idle+0x1df/0x250
[  127.449905]  default_idle+0x9/0x10
[  127.450266]  default_idle_call+0x85/0x1e0
[  127.450687]  do_idle+0x1df/0x250
[  127.451032]  cpu_startup_entry+0x24/0x30
[  127.451441]  start_secondary+0xf8/0x100
[  127.451846]  common_startup_64+0x13e/0x148
[  127.452276]  </TASK>
[  127.452516] irq event stamp: 20078
[  127.452869] hardirqs last  enabled at (20078): [<ffffffff822ef523>] _raw_spin_unlock_irq+0x23/0x40
[  127.453787] hardirqs last disabled at (20077): [<ffffffff822ef262>] _raw_spin_lock_irq+0x42/0x50
[  127.454659] softirqs last  enabled at (20062): [<ffffffff8129b31e>] handle_softirqs+0x2ee/0x3b0
[  127.455536] softirqs last disabled at (20069): [<ffffffff8129b541>] __irq_exit_rcu+0xa1/0xc0
[  127.456394] ---[ end trace 0000000000000000 ]---
[  127.456858] BUG: kernel NULL pointer dereference, address: 00000000000000c4
[  127.457553] #PF: supervisor read access in kernel mode
[  127.458069] #PF: error_code(0x0000) - not-present page
[  127.458584] PGD 0 
[  127.458802] Oops: Oops: 0000 [#1] SMP NOPTI
[  127.459231] CPU: 62 UID: 0 PID: 0 Comm: swapper/62 Tainted: G        W           6.15.0-rc1-00011-gf78f3365efed #3 PREEMPT(voluntary) 
[  127.460448] Tainted: [W]=WARN
[  127.460754] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[  127.461924] RIP: 0010:__lock_acquire+0x220/0x1730
[  127.462393] Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 03 b9 ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 f3 b8 ff ff 0f b6 80 c5 00 00 00 88 44
[  127.464288] RSP: 0018:ffa0000000d60c28 EFLAGS: 00010046
[  127.464825] RAX: 0000000000000000 RBX: ff11000100b12b38 RCX: 0000000000000027
[  127.465538] RDX: ff1100081fd97c08 RSI: 0000000000000001 RDI: ff11000100b12b60
[  127.466245] RBP: ff11000100b12100 R08: ff1100083fe6e0e8 R09: 00000000ffffbfff
[  127.466964] R10: ff1100081eca0000 R11: ff1100083fe10cf8 R12: ff11000100b12b60
[  127.467689] R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424ac
[  127.468415] FS:  0000000000000000(0000) GS:ff1100089c5bb000(0000) knlGS:0000000000000000
[  127.469228] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.469810] CR2: 00000000000000c4 CR3: 0000000002c4c006 CR4: 0000000000771ef0
[  127.470530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  127.471249] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[  127.471968] PKRU: 55555554
[  127.472248] Call Trace:
[  127.472505]  <IRQ>
[  127.472723]  ? __lock_acquire+0xa4f/0x1730
[  127.473144]  lock_acquire+0xbd/0x2d0
[  127.473510]  ? tcp_write_timer+0x5a/0x120
[  127.473920]  ? lock_acquire+0xbd/0x2d0
[  127.474306]  ? call_timer_fn+0x71/0x260
[  127.474714]  ? __pfx_tcp_write_timer+0x10/0x10
[  127.475182]  _raw_spin_lock+0x2b/0x40
[  127.475568]  ? tcp_write_timer+0x5a/0x120
[  127.475987]  tcp_write_timer+0x5a/0x120
[  127.476391]  ? __pfx_tcp_write_timer+0x10/0x10
[  127.476850]  call_timer_fn+0x9d/0x260
[  127.477231]  __run_timers+0x1f9/0x300
[  127.477614]  ? find_held_lock+0x2b/0x80
[  127.478017]  ? tmigr_handle_remote_up+0x1a6/0x370
[  127.478511]  timer_expire_remote+0x36/0x50
[  127.478937]  tmigr_handle_remote_up+0x2a5/0x370
[  127.479406]  ? find_held_lock+0x2b/0x80
[  127.479795]  ? tmigr_handle_remote+0x88/0xd0
[  127.480238]  ? lock_release+0xc6/0x290
[  127.480628]  ? __pfx_tmigr_handle_remote_up+0x10/0x10
[  127.481146]  __walk_groups.isra.0+0x1a/0x70
[  127.481575]  tmigr_handle_remote+0xa0/0xd0
[  127.481994]  ? kvm_clock_get_cycles+0x18/0x30
[  127.482441]  handle_softirqs+0xbd/0x3b0
[  127.482837]  __irq_exit_rcu+0xa1/0xc0
[  127.483217]  irq_exit_rcu+0x9/0x20
[  127.483569]  sysvec_apic_timer_interrupt+0x6f/0x80
[  127.484054]  </IRQ>
[  127.484282]  <TASK>
[  127.484506]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[  127.485032] RIP: 0010:pv_native_safe_halt+0xf/0x20
[  127.485525] Code: 56 7a 00 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c5 af 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
[  127.487401] RSP: 0018:ffa000000028fee0 EFLAGS: 00000206
[  127.487939] RAX: 0000000000004e63 RBX: ff11000100b12100 RCX: 0000000000000000
[  127.488671] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f81df
[  127.489399] RBP: 000000000000003e R08: 0000000000000001 R09: 0000000000000000
[  127.490120] R10: 0000000000000001 R11: 0000000000000080 R12: 0000000000000000
[  127.490846] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  127.491570]  ? do_idle+0x1df/0x250
[  127.491926]  default_idle+0x9/0x10
[  127.492272]  default_idle_call+0x85/0x1e0
[  127.492687]  do_idle+0x1df/0x250
[  127.493028]  cpu_startup_entry+0x24/0x30
[  127.493437]  start_secondary+0xf8/0x100
[  127.493830]  common_startup_64+0x13e/0x148
[  127.494257]  </TASK>
[  127.494494] Modules linked in: cifs_md4 ksmbd cifs_arc4 nls_ucs2_utils [last unloaded: cifs]
[  127.495352] CR2: 00000000000000c4
[  127.495697] ---[ end trace 0000000000000000 ]---
[  127.496168] RIP: 0010:__lock_acquire+0x220/0x1730
[  127.496635] Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 03 b9 ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 f3 b8 ff ff 0f b6 80 c5 00 00 00 88 44
[  127.498505] RSP: 0018:ffa0000000d60c28 EFLAGS: 00010046
[  127.499036] RAX: 0000000000000000 RBX: ff11000100b12b38 RCX: 0000000000000027
[  127.499755] RDX: ff1100081fd97c08 RSI: 0000000000000001 RDI: ff11000100b12b60
[  127.500478] RBP: ff11000100b12100 R08: ff1100083fe6e0e8 R09: 00000000ffffbfff
[  127.501203] R10: ff1100081eca0000 R11: ff1100083fe10cf8 R12: ff11000100b12b60
[  127.501901] R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424ac
[  127.502617] FS:  0000000000000000(0000) GS:ff1100089c5bb000(0000) knlGS:0000000000000000
[  127.503433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.504012] CR2: 00000000000000c4 CR3: 0000000002c4c006 CR4: 0000000000771ef0
[  127.504741] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  127.505464] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[  127.506182] PKRU: 55555554
[  127.506467] Kernel panic - not syncing: Fatal exception in interrupt
[  127.508092] Kernel Offset: disabled
[  127.508527] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
---8<---

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Steve French]

I have tentatively merged the two revert patches into cifs-2.6.git
for-next but still hoping for any review comments for those more
expert in the network lockdep code.

Let me know when the fix to core/sock.c is upstream

On Fri, Apr 11, 2025 at 2:07 AM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> From: Steve French <smfrench@gmail.com>
> Date: Wed, 2 Apr 2025 22:19:36 -0500
> > I can run some regression tests with these two patches, but it would
> > be very helpful if the original patch authors could comment (Wang and
> > Enzo), and since this apparently relies on a fix to the network stack
> > (the LOCKDEP fix) it would be helpful if any opinions from the network
> > devs.
> >
> > For a complex issue like this it is important to have at least some
> > Tested-by or Reviewed-by for these two, because I was having trouble
> > reproducing the various reported problems on Ubuntu (or our Fedora
> > test VMs), and the refcount issues are more complicated they seem.
> > Let me know if anyone has reviewed these two patches or tested them.
>
> Hi Steve,
>
> The lockdep fix was merged on the networking side and will be sent to
> the mainline this week.
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=0bb2f7a1ad1f
>
> As you mentioned Fedora, I tried ksmbd and created a repro script that
> works on a single host.
>
> On my Fedora VM, I ran the prep & reproducer scripts and successfully
> triggered the issue on cifs-2.6.git/for-next with/without reverts.
>
> I hope this helps you reproduce the issue and verify the patch on your
> Fedora test VM.
>
> Please let me know if there's anything I can help.
>
> Thanks!
>
>
> Prerequisite:
>
> 1. On VM, the user is expected to be root
> 2. ffa1e7ada456 needs to be reverted (as it stopped lockdep during
>    boot on my VM)
> 3. .config is created based on x86_64_defconfig
>
> ---8<---
> make defconfig
> ./scripts/config -m CONFIG_CIFS -m CONFIG_SMB_SERVER -e CONFIG_PROVE_LOCKING
> make olddefconfig
> make -j $(nproc)
> ---8<---
>
>
> Prep:
>
> This script builds ksmbd-tools and installs it and cifs-utils,
> iproute (for ss), and iptables-legacy (for iptables).
>
> ---8<---
> #!/bin/bash
>
> #
> # Build and install ksmbd-tools
> # See https://github.com/cifsd-team/ksmbd-tools?tab=readme-ov-file#building-and-installing
> #
> dnf install -y git gcc pkgconf autoconf automake libtool make meson ninja-build gawk libnl3-devel glib2-devel
> git clone https://github.com/cifsd-team/ksmbd-tools.git
> cd ksmbd-tools
> ./autogen.sh
> ./configure --with-rundir=/run
> make
> make install
> cd ~/
>
>
> #
> # CIFS client
> #
> dnf install -y cifs-utils
>
>
> #
> # Networking utilities
> #
> dnf install -y iproute iptables-legacy
> ---8<---
>
>
> Reproducer:
>
> ---8<----
> #!/bin/bash
>
> function show_sk_mod_ref()
> {
>     ss -tan | grep 445
>     lsmod | grep cifs
> }
>
> set -x
>
>
> #
> # Share /root/server
> #
> mkdir server
> touch server/a.txt
> ksmbd.addshare --add --option "path = /root/server" --option 'read only = no' server
> ksmbd.adduser --password test root
> modprobe ksmbd
> ksmbd.mountd
>
>
> #
> # Mount /root/server as /root/client
> #
> mkdir client
> mount -t cifs -o vers=3.0,echo_interval=1,user=root,password=test //127.0.0.1/server /root/client
>
>
> #
> # Drop FIN packet from CIFS client
> #
> iptables -A OUTPUT -p tcp --dport 445 -j DROP
>
>
> show_sk_mod_ref
>
>
> #
> # Unmount /root/client
> #
> until umount client; do
>     sleep 1
> done
>
> show_sk_mod_ref
>
>
> #
> # Unload module, and then lockdep will complain.
> #
> until rmmod cifs; do
>     show_sk_mod_ref
>     sleep 3
> done
>
>
> show_sk_mod_ref
> ---8<---
>
>
> FWIW, here's output of the repro including console output.
>
> ---8<---
> Fedora Linux 41 (Container Image)
> Kernel 6.15.0-rc1-00011-gf78f3365efed on an x86_64 (console)
>
> fedora login: root
> Last login: Fri Apr 11 06:20:39 on console
> [root@fedora ~]# ./repro.sh
> + mkdir server
> + touch server/a.txt
> + ksmbd.addshare --add --option 'path = /root/server' --option 'read only = no' server
> [ksmbd.addshare/831]: INFO: No user database
> [ksmbd.addshare/831]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbd.conf'
> [ksmbd.addshare/831]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbd.conf'
> [ksmbd.addshare/831]: INFO: Added share `server'
> [ksmbd.addshare/831]: INFO: Ignored lock file
> + ksmbd.adduser --password test root
> [ksmbd.adduser/832]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbdpwd.db'
> [ksmbd.adduser/832]: INFO: Wrote `/usr/local/etc/ksmbd/ksmbdpwd.db'
> [ksmbd.adduser/832]: INFO: Added user `root'
> [ksmbd.adduser/832]: INFO: Ignored lock file
> + modprobe ksmbd
> + ksmbd.mountd
> [ksmbd.mountd/835]: INFO: Started manager
> + mkdir client
> + mount -t cifs -o vers=3.0,echo_interval=1,user=root,password=test //127.0.0.1/server /root/client
> [  113.929225] Key type cifs.idmap registered
> [  113.930423] CIFS: Attempting to mount //127.0.0.1/server
> [  113.993548] mount.cifs (843) used greatest stack depth: 11208 bytes left
> + iptables -A OUTPUT -p tcp --dport 445 -j DROP
> + show_sk_mod_ref
> + ss -tan
> + grep 445
> ESTAB  0      0               127.0.0.1:34814          127.0.0.1:445
> LISTEN 0      0                       *:445                    *:*
> LISTEN 0      0                       *:445                    *:*
> ESTAB  0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
> + lsmod
> + grep cifs
> cifs                 1175552  2
> cifs_md4               12288  1 cifs
> cifs_arc4              12288  2 cifs,ksmbd
> nls_ucs2_utils          8192  2 cifs,ksmbd
> + umount client
> [  121.064583] CIFS: VFS: \\127.0.0.1 has not responded in 3 seconds. Reconnecting...
> + show_sk_mod_ref
> + ss -tan
> + grep 445
> FIN-WAIT-1 0      145             127.0.0.1:34814          127.0.0.1:445
> LISTEN     0      0                       *:445                    *:*
> LISTEN     0      0                       *:445                    *:*
> ESTAB      0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
> + lsmod
> + grep cifs
> cifs                 1175552  1
> cifs_md4               12288  1 cifs
> cifs_arc4              12288  2 cifs,ksmbd
> nls_ucs2_utils          8192  2 cifs,ksmbd
> + rmmod cifs
> rmmod: ERROR: Module cifs is in use
> + show_sk_mod_ref
> + ss -tan
> + grep 445
> FIN-WAIT-1 0      145             127.0.0.1:34814          127.0.0.1:445
> LISTEN     0      0                       *:445                    *:*
> LISTEN     0      0                       *:445                    *:*
> ESTAB      0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
> + lsmod
> + grep cifs
> cifs                 1175552  1
> cifs_md4               12288  1 cifs
> cifs_arc4              12288  2 cifs,ksmbd
> nls_ucs2_utils          8192  2 cifs,ksmbd
> + sleep 3
> + rmmod cifs
> [  127.142558] Key type cifs.idmap unregistered
> + show_sk_mod_ref
> + ss -tan
> + grep 445
> FIN-WAIT-1 0      145             127.0.0.1:34814          127.0.0.1:445
> LISTEN     0      0                       *:445                    *:*
> LISTEN     0      0                       *:445                    *:*
> ESTAB      0      516    [::ffff:127.0.0.1]:445   [::ffff:127.0.0.1]:34814
> + lsmod
> + grep cifs
> cifs_md4               12288  0
> cifs_arc4              12288  1 ksmbd
> [root@fedora ~]# [  127.414391] ------------[ cut here ]------------
> [  127.414940] DEBUG_LOCKS_WARN_ON(1)
> [  127.414950] WARNING: CPU: 62 PID: 0 at kernel/locking/lockdep.c:237 hlock_class+0x5f/0x70
> [  127.416185] Modules linked in: cifs_md4 ksmbd cifs_arc4 nls_ucs2_utils [last unloaded: cifs]
> [  127.417066] CPU: 62 UID: 0 PID: 0 Comm: swapper/62 Not tainted 6.15.0-rc1-00011-gf78f3365efed #3 PREEMPT(voluntary)
> [  127.418158] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [  127.419312] RIP: 0010:hlock_class+0x5f/0x70
> [  127.419745] Code: ef 90 e8 c4 8f 4d 00 85 c0 74 23 8b 05 ba 8c bf 01 85 c0 75 19 90 48 c7 c6 13 fb a1 82 48 c7 c7 cc 76 a0 82 e8 92 b4 f7 ff 90 <0f> 0b 90 90 90 31 c0 c3 cc cc cc cc 0f 1f 44 00 00 90 90 90 90 90
> [  127.421622] RSP: 0018:ffa0000000d60c20 EFLAGS: 00010086
> [  127.422146] RAX: 0000000000000000 RBX: ff11000100b12b38 RCX: 0000000000000027
> [  127.422890] RDX: ff1100081fd97c08 RSI: 0000000000000001 RDI: ff1100081fd97c00
> [  127.423624] RBP: ff11000100b12100 R08: ff1100083fe6e0e8 R09: 00000000ffffbfff
> [  127.424365] R10: ff1100081eca0000 R11: ff1100083fe10cf8 R12: ff11000100b12b60
> [  127.425099] R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424ac
> [  127.425827] FS:  0000000000000000(0000) GS:ff1100089c5bb000(0000) knlGS:0000000000000000
> [  127.426657] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  127.427259] CR2: 00007f714e3ab0d8 CR3: 0000000002c4c006 CR4: 0000000000771ef0
> [  127.428004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [  127.428738] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> [  127.429465] PKRU: 55555554
> [  127.429753] Call Trace:
> [  127.430012]  <IRQ>
> [  127.430231]  __lock_acquire+0x21d/0x1730
> [  127.430631]  ? __lock_acquire+0xa4f/0x1730
> [  127.431054]  lock_acquire+0xbd/0x2d0
> [  127.431427]  ? tcp_write_timer+0x5a/0x120
> [  127.431846]  ? lock_acquire+0xbd/0x2d0
> [  127.432244]  ? call_timer_fn+0x71/0x260
> [  127.432651]  ? __pfx_tcp_write_timer+0x10/0x10
> [  127.433116]  _raw_spin_lock+0x2b/0x40
> [  127.433506]  ? tcp_write_timer+0x5a/0x120
> [  127.433915]  tcp_write_timer+0x5a/0x120
> [  127.434317]  ? __pfx_tcp_write_timer+0x10/0x10
> [  127.434776]  call_timer_fn+0x9d/0x260
> [  127.435154]  __run_timers+0x1f9/0x300
> [  127.435538]  ? find_held_lock+0x2b/0x80
> [  127.435933]  ? tmigr_handle_remote_up+0x1a6/0x370
> [  127.436422]  timer_expire_remote+0x36/0x50
> [  127.436852]  tmigr_handle_remote_up+0x2a5/0x370
> [  127.437327]  ? find_held_lock+0x2b/0x80
> [  127.437726]  ? tmigr_handle_remote+0x88/0xd0
> [  127.438157]  ? lock_release+0xc6/0x290
> [  127.438530]  ? __pfx_tmigr_handle_remote_up+0x10/0x10
> [  127.439037]  __walk_groups.isra.0+0x1a/0x70
> [  127.439464]  tmigr_handle_remote+0xa0/0xd0
> [  127.439892]  ? kvm_clock_get_cycles+0x18/0x30
> [  127.440343]  handle_softirqs+0xbd/0x3b0
> [  127.440738]  __irq_exit_rcu+0xa1/0xc0
> [  127.441111]  irq_exit_rcu+0x9/0x20
> [  127.441469]  sysvec_apic_timer_interrupt+0x6f/0x80
> [  127.441968]  </IRQ>
> [  127.442198]  <TASK>
> [  127.442428]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> [  127.442965] RIP: 0010:pv_native_safe_halt+0xf/0x20
> [  127.443469] Code: 56 7a 00 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c5 af 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
> [  127.445348] RSP: 0018:ffa000000028fee0 EFLAGS: 00000206
> [  127.445882] RAX: 0000000000004e63 RBX: ff11000100b12100 RCX: 0000000000000000
> [  127.446619] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f81df
> [  127.447348] RBP: 000000000000003e R08: 0000000000000001 R09: 0000000000000000
> [  127.448077] R10: 0000000000000001 R11: 0000000000000080 R12: 0000000000000000
> [  127.448805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  127.449541]  ? do_idle+0x1df/0x250
> [  127.449905]  default_idle+0x9/0x10
> [  127.450266]  default_idle_call+0x85/0x1e0
> [  127.450687]  do_idle+0x1df/0x250
> [  127.451032]  cpu_startup_entry+0x24/0x30
> [  127.451441]  start_secondary+0xf8/0x100
> [  127.451846]  common_startup_64+0x13e/0x148
> [  127.452276]  </TASK>
> [  127.452516] irq event stamp: 20078
> [  127.452869] hardirqs last  enabled at (20078): [<ffffffff822ef523>] _raw_spin_unlock_irq+0x23/0x40
> [  127.453787] hardirqs last disabled at (20077): [<ffffffff822ef262>] _raw_spin_lock_irq+0x42/0x50
> [  127.454659] softirqs last  enabled at (20062): [<ffffffff8129b31e>] handle_softirqs+0x2ee/0x3b0
> [  127.455536] softirqs last disabled at (20069): [<ffffffff8129b541>] __irq_exit_rcu+0xa1/0xc0
> [  127.456394] ---[ end trace 0000000000000000 ]---
> [  127.456858] BUG: kernel NULL pointer dereference, address: 00000000000000c4
> [  127.457553] #PF: supervisor read access in kernel mode
> [  127.458069] #PF: error_code(0x0000) - not-present page
> [  127.458584] PGD 0
> [  127.458802] Oops: Oops: 0000 [#1] SMP NOPTI
> [  127.459231] CPU: 62 UID: 0 PID: 0 Comm: swapper/62 Tainted: G        W           6.15.0-rc1-00011-gf78f3365efed #3 PREEMPT(voluntary)
> [  127.460448] Tainted: [W]=WARN
> [  127.460754] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [  127.461924] RIP: 0010:__lock_acquire+0x220/0x1730
> [  127.462393] Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 03 b9 ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 f3 b8 ff ff 0f b6 80 c5 00 00 00 88 44
> [  127.464288] RSP: 0018:ffa0000000d60c28 EFLAGS: 00010046
> [  127.464825] RAX: 0000000000000000 RBX: ff11000100b12b38 RCX: 0000000000000027
> [  127.465538] RDX: ff1100081fd97c08 RSI: 0000000000000001 RDI: ff11000100b12b60
> [  127.466245] RBP: ff11000100b12100 R08: ff1100083fe6e0e8 R09: 00000000ffffbfff
> [  127.466964] R10: ff1100081eca0000 R11: ff1100083fe10cf8 R12: ff11000100b12b60
> [  127.467689] R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424ac
> [  127.468415] FS:  0000000000000000(0000) GS:ff1100089c5bb000(0000) knlGS:0000000000000000
> [  127.469228] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  127.469810] CR2: 00000000000000c4 CR3: 0000000002c4c006 CR4: 0000000000771ef0
> [  127.470530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [  127.471249] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> [  127.471968] PKRU: 55555554
> [  127.472248] Call Trace:
> [  127.472505]  <IRQ>
> [  127.472723]  ? __lock_acquire+0xa4f/0x1730
> [  127.473144]  lock_acquire+0xbd/0x2d0
> [  127.473510]  ? tcp_write_timer+0x5a/0x120
> [  127.473920]  ? lock_acquire+0xbd/0x2d0
> [  127.474306]  ? call_timer_fn+0x71/0x260
> [  127.474714]  ? __pfx_tcp_write_timer+0x10/0x10
> [  127.475182]  _raw_spin_lock+0x2b/0x40
> [  127.475568]  ? tcp_write_timer+0x5a/0x120
> [  127.475987]  tcp_write_timer+0x5a/0x120
> [  127.476391]  ? __pfx_tcp_write_timer+0x10/0x10
> [  127.476850]  call_timer_fn+0x9d/0x260
> [  127.477231]  __run_timers+0x1f9/0x300
> [  127.477614]  ? find_held_lock+0x2b/0x80
> [  127.478017]  ? tmigr_handle_remote_up+0x1a6/0x370
> [  127.478511]  timer_expire_remote+0x36/0x50
> [  127.478937]  tmigr_handle_remote_up+0x2a5/0x370
> [  127.479406]  ? find_held_lock+0x2b/0x80
> [  127.479795]  ? tmigr_handle_remote+0x88/0xd0
> [  127.480238]  ? lock_release+0xc6/0x290
> [  127.480628]  ? __pfx_tmigr_handle_remote_up+0x10/0x10
> [  127.481146]  __walk_groups.isra.0+0x1a/0x70
> [  127.481575]  tmigr_handle_remote+0xa0/0xd0
> [  127.481994]  ? kvm_clock_get_cycles+0x18/0x30
> [  127.482441]  handle_softirqs+0xbd/0x3b0
> [  127.482837]  __irq_exit_rcu+0xa1/0xc0
> [  127.483217]  irq_exit_rcu+0x9/0x20
> [  127.483569]  sysvec_apic_timer_interrupt+0x6f/0x80
> [  127.484054]  </IRQ>
> [  127.484282]  <TASK>
> [  127.484506]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> [  127.485032] RIP: 0010:pv_native_safe_halt+0xf/0x20
> [  127.485525] Code: 56 7a 00 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c5 af 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
> [  127.487401] RSP: 0018:ffa000000028fee0 EFLAGS: 00000206
> [  127.487939] RAX: 0000000000004e63 RBX: ff11000100b12100 RCX: 0000000000000000
> [  127.488671] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f81df
> [  127.489399] RBP: 000000000000003e R08: 0000000000000001 R09: 0000000000000000
> [  127.490120] R10: 0000000000000001 R11: 0000000000000080 R12: 0000000000000000
> [  127.490846] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  127.491570]  ? do_idle+0x1df/0x250
> [  127.491926]  default_idle+0x9/0x10
> [  127.492272]  default_idle_call+0x85/0x1e0
> [  127.492687]  do_idle+0x1df/0x250
> [  127.493028]  cpu_startup_entry+0x24/0x30
> [  127.493437]  start_secondary+0xf8/0x100
> [  127.493830]  common_startup_64+0x13e/0x148
> [  127.494257]  </TASK>
> [  127.494494] Modules linked in: cifs_md4 ksmbd cifs_arc4 nls_ucs2_utils [last unloaded: cifs]
> [  127.495352] CR2: 00000000000000c4
> [  127.495697] ---[ end trace 0000000000000000 ]---
> [  127.496168] RIP: 0010:__lock_acquire+0x220/0x1730
> [  127.496635] Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 03 b9 ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 f3 b8 ff ff 0f b6 80 c5 00 00 00 88 44
> [  127.498505] RSP: 0018:ffa0000000d60c28 EFLAGS: 00010046
> [  127.499036] RAX: 0000000000000000 RBX: ff11000100b12b38 RCX: 0000000000000027
> [  127.499755] RDX: ff1100081fd97c08 RSI: 0000000000000001 RDI: ff11000100b12b60
> [  127.500478] RBP: ff11000100b12100 R08: ff1100083fe6e0e8 R09: 00000000ffffbfff
> [  127.501203] R10: ff1100081eca0000 R11: ff1100083fe10cf8 R12: ff11000100b12b60
> [  127.501901] R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424ac
> [  127.502617] FS:  0000000000000000(0000) GS:ff1100089c5bb000(0000) knlGS:0000000000000000
> [  127.503433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  127.504012] CR2: 00000000000000c4 CR3: 0000000002c4c006 CR4: 0000000000771ef0
> [  127.504741] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [  127.505464] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> [  127.506182] PKRU: 55555554
> [  127.506467] Kernel panic - not syncing: Fatal exception in interrupt
> [  127.508092] Kernel Offset: disabled
> [  127.508527] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
> ---8<---



-- 
Thanks,

Steve

Re: [PATCH 0/2] cifs: Revert bogus fix for CVE-2024-54680 and its followup commit.

[Kuniyuki Iwashima]

From: Steve French <smfrench@gmail.com>
Date: Sat, 12 Apr 2025 12:28:46 -0500
> I have tentatively merged the two revert patches into cifs-2.6.git
> for-next but still hoping for any review comments for those more
> expert in the network lockdep code.
> 
> Let me know when the fix to core/sock.c is upstream

Thanks, Steve.

It was pulled by Linus.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569
https://lore.kernel.org/netdev/174430107749.3733248.15022802028936610477.pr-tracker-bot@kernel.org/