* [PATCH V2 1/2] smb: client: Fix use-after-free in cifs_fill_dirent
2025-05-16 9:12 [PATCH V2 0/2] smb: client: Fix use-after-free in readdir Wang Zhaolong
@ 2025-05-16 9:12 ` Wang Zhaolong
2025-05-16 9:12 ` [PATCH V2 2/2] smb: client: Reset all search buffer pointers when releasing buffer Wang Zhaolong
2025-05-16 13:49 ` [PATCH V2 0/2] smb: client: Fix use-after-free in readdir Paulo Alcantara
2 siblings, 0 replies; 12+ messages in thread
From: Wang Zhaolong @ 2025-05-16 9:12 UTC (permalink / raw)
To: sfrench, sfrench
Cc: linux-cifs, samba-technical, linux-kernel, chengzhihao1,
wangzhaolong1, yi.zhang, yangerkun
There is a race condition in the readdir concurrency process, which may
access the rsp buffer after it has been released, triggering the
following KASAN warning.
==================================================================
BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
Read of size 4 at addr ffff8880099b819c by task a.out/342975
CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xce/0x640
kasan_report+0xb8/0xf0
cifs_fill_dirent+0xb03/0xb60 [cifs]
cifs_readdir+0x12cb/0x3190 [cifs]
iterate_dir+0x1a1/0x520
__x64_sys_getdents+0x134/0x220
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f996f64b9f9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8
RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
</TASK>
Allocated by task 408:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x6e/0x70
kmem_cache_alloc_noprof+0x117/0x3d0
mempool_alloc_noprof+0xf2/0x2c0
cifs_buf_get+0x36/0x80 [cifs]
allocate_buffers+0x1d2/0x330 [cifs]
cifs_demultiplex_thread+0x22b/0x2690 [cifs]
kthread+0x394/0x720
ret_from_fork+0x34/0x70
ret_from_fork_asm+0x1a/0x30
Freed by task 342979:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kmem_cache_free+0x2b8/0x500
cifs_buf_release+0x3c/0x70 [cifs]
cifs_readdir+0x1c97/0x3190 [cifs]
iterate_dir+0x1a1/0x520
__x64_sys_getdents64+0x134/0x220
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The buggy address belongs to the object at ffff8880099b8000
which belongs to the cache cifs_request of size 16588
The buggy address is located 412 bytes inside of
freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
POC is available in the link [1].
The problem triggering process is as follows:
Process 1                                        Process 2
-----------------------------------------------------------------
cifs_readdir
  /* file->private_data == NULL */
  initiate_cifs_search
    cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
    smb2_query_dir_first ->query_dir_first()
      SMB2_query_directory
        SMB2_query_directory_init
        cifs_send_recv
        smb2_parse_query_directory
          srch_inf->ntwrk_buf_start = (char *)rsp;
          srch_inf->srch_entries_start = (char *)rsp + ...
          srch_inf->last_entry = (char *)rsp + ...
          srch_inf->smallBuf = true;
  find_cifs_entry
    /* if (cfile->srch_inf.ntwrk_buf_start) */
    cifs_small_buf_release(cfile->srch_inf // free
                                                 cifs_readdir ->iterate_shared()
                                                   /* file->private_data != NULL */
                                                   find_cifs_entry
                                                     /* in while (...) loop */
                                                     smb2_query_dir_next ->query_dir_next()
                                                       SMB2_query_directory
                                                         SMB2_query_directory_init
                                                         cifs_send_recv
                                                           compound_send_recv
                                                             smb_send_rqst
                                                               __smb_send_rqst
                                                                 rc = -ERESTARTSYS;
                                                                 /* if (fatal_signal_pending()) */
                                                                 goto out;
                                                         return rc
                                                     /* if (cfile->srch_inf.last_entry) */
                                                     cifs_save_resume_key()
                                                       cifs_fill_dirent // UAF
                                                     /* if (rc) */
                                                     return -ENOENT;
Fix this by ensuring the return code is checked before using pointers
from the srch_inf.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1]
Fixes: a364bc0b37f1 ("[CIFS] fix saving of resume key before CIFSFindNext")
Cc: stable@vger.kernel.org
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
---
fs/smb/client/readdir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c
index 50f96259d9ad..67d7dd64b5e2 100644
--- a/fs/smb/client/readdir.c
+++ b/fs/smb/client/readdir.c
@@ -754,15 +754,15 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
(rc == 0) && !cfile->srch_inf.endOfSearch) {
cifs_dbg(FYI, "calling findnext2\n");
rc = server->ops->query_dir_next(xid, tcon, &cfile->fid,
search_flags,
&cfile->srch_inf);
+ if (rc)
+ return -ENOENT;
/* FindFirst/Next set last_entry to NULL on malformed reply */
if (cfile->srch_inf.last_entry)
cifs_save_resume_key(cfile->srch_inf.last_entry, cfile);
- if (rc)
- return -ENOENT;
}
if (index_to_find < cfile->srch_inf.index_of_last_entry) {
/* we found the buffer that contains the entry */
/* scan and find it */
int i;
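Review bot: with `if (rc) return -ENOENT;` now placed directly after the query_dir_next() call, every failure, including the -ERESTARTSYS from a pending fatal signal described in the commit message, is still reported as -ENOENT, which preserves the old return value but also means the resume key from that round is deliberately not saved; a one-line comment above the new check stating that srch_inf.last_entry must not be read when rc != 0 because the reply buffer may already have been released would keep a future cleanup from moving the check back below cifs_save_resume_key(). The existing comment `/* FindFirst/Next set last_entry to NULL on malformed reply */` now only describes the rc == 0 path, which is fine but worth saying.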
--
2.39.2
* [PATCH V2 2/2] smb: client: Reset all search buffer pointers when releasing buffer
From: Wang Zhaolong @ 2025-05-16 9:12 UTC (permalink / raw)
To: sfrench, sfrench
Cc: linux-cifs, samba-technical, linux-kernel, chengzhihao1,
wangzhaolong1, yi.zhang, yangerkun
Multiple pointers in struct cifs_search_info (ntwrk_buf_start,
srch_entries_start, and last_entry) point to the same allocated buffer.
However, when freeing this buffer, only ntwrk_buf_start was set to NULL,
while the other pointers remained pointing to freed memory.
This is defensive programming to prevent potential issues with stale
pointers. While the active UAF vulnerability is fixed by the previous
patch, this change ensures consistent pointer state and more robust error
handling.
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
---
fs/smb/client/readdir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c
index 67d7dd64b5e2..787d6bcb5d1d 100644
--- a/fs/smb/client/readdir.c
+++ b/fs/smb/client/readdir.c
@@ -731,11 +731,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
cifs_small_buf_release(cfile->srch_inf.
ntwrk_buf_start);
else
cifs_buf_release(cfile->srch_inf.
ntwrk_buf_start);
+ /* Reset all pointers to the network buffer to prevent stale references */
cfile->srch_inf.ntwrk_buf_start = NULL;
+ cfile->srch_inf.srch_entries_start = NULL;
+ cfile->srch_inf.last_entry = NULL;
}
rc = initiate_cifs_search(xid, file, full_path);
if (rc) {
cifs_dbg(FYI, "error %d reinitiating a search on rewind\n",
rc);
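Review bot: clearing srch_entries_start and last_entry together with ntwrk_buf_start closes the aliasing gap the commit message describes, but the hunk leaves the counters the search code compares against untouched, for example index_of_last_entry in `if (index_to_find < cfile->srch_inf.index_of_last_entry)` from the first patch's context; since initiate_cifs_search() on the following line can fail, as the `if (rc)` branch shows, it is worth confirming that those counters are also reinitialised on that error path so a later pass through find_cifs_entry() does not assume entries that are no longer there. The added comment `/* Reset all pointers to the network buffer to prevent stale references */` reads well.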
--
2.39.2
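As an added illustration of both patches (my own userspace model, not code from the patches or from fs/smb/client), the C program below replays the interleaving from the first commit message with the three aliasing pointers of struct cifs_search_info and shows how patch 1's reordering and patch 2's pointer reset each stop the stale read; the struct layout, the 0xfb poison with its bookkeeping flag, and the outcome codes are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model (not kernel code) of struct cifs_search_info: three pointers
 * into one reply buffer; only ntwrk_buf_start owns it. buf_released is
 * model-only bookkeeping that stands in for KASAN's freed-slab tracking. */
struct search_info {
	char *ntwrk_buf_start;
	char *srch_entries_start;
	char *last_entry;
	bool buf_released;
};

#define ENTRY_SZ 32
#define NENTRIES 4
#define BUF_SZ (ENTRY_SZ * NENTRIES)
#define ERESTARTSYS 512 /* Linux errno value; the kernel returns -ERESTARTSYS */

enum outcome { OUT_OK = 0, OUT_ENOENT = 1, OUT_STALE_READ = 2 };

/* Stands in for smb2_parse_query_directory(): all three fields point at rsp. */
static void parse_reply(struct search_info *si, char *rsp)
{
	memset(rsp, 0, BUF_SZ);
	si->ntwrk_buf_start = rsp;
	si->srch_entries_start = rsp;
	si->last_entry = rsp + (NENTRIES - 1) * ENTRY_SZ;
	si->buf_released = false;
}

/* Release before patch 2: poison the buffer (0xfb is what KASAN prints for
 * freed slab memory) and clear only the owner; the aliases keep dangling. */
static void release_old(struct search_info *si)
{
	memset(si->ntwrk_buf_start, 0xfb, BUF_SZ);
	si->buf_released = true;
	si->ntwrk_buf_start = NULL;
}

/* Release after patch 2: every alias is cleared together with the owner. */
static void release_new(struct search_info *si)
{
	release_old(si);
	si->srch_entries_start = NULL;
	si->last_entry = NULL;
}

/* Stands in for cifs_save_resume_key(), which reads the entry header through
 * last_entry; the model reports a stale read instead of dereferencing it. */
static enum outcome save_resume_key(const struct search_info *si, uint32_t *key)
{
	if (si->buf_released)
		return OUT_STALE_READ;
	memcpy(key, si->last_entry, sizeof(*key));
	return OUT_OK;
}

/* find_cifs_entry() before patch 1: last_entry is used, then rc is checked. */
static enum outcome find_entry_old(struct search_info *si, int rc, uint32_t *key)
{
	enum outcome out = OUT_OK;
	if (si->last_entry)
		out = save_resume_key(si, key);
	if (rc)
		return out == OUT_STALE_READ ? OUT_STALE_READ : OUT_ENOENT;
	return out;
}

/* After patch 1: a failed query_dir_next() returns before any pointer is used. */
static enum outcome find_entry_new(struct search_info *si, int rc, uint32_t *key)
{
	if (rc)
		return OUT_ENOENT;
	if (si->last_entry)
		return save_resume_key(si, key);
	return OUT_OK;
}

/* The interleaving from the commit message: another reader rewound the search
 * and released the buffer, then this reader's query_dir_next() fails. */
static enum outcome race_outcome(bool patch1, bool patch2)
{
	char rsp[BUF_SZ];
	struct search_info si;
	uint32_t key = 0;

	parse_reply(&si, rsp);
	(patch2 ? release_new : release_old)(&si);
	return patch1 ? find_entry_new(&si, -ERESTARTSYS, &key)
		      : find_entry_old(&si, -ERESTARTSYS, &key);
}

int main(void)
{
	printf("unpatched=%d patch1=%d patch2=%d both=%d\n",
	       race_outcome(false, false), race_outcome(true, false),
	       race_outcome(false, true), race_outcome(true, true));
	return 0;
}
```

Only the unpatched combination reaches the stale read; either patch alone turns the same interleaving into a plain -ENOENT return.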
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Paulo Alcantara @ 2025-05-16 13:49 UTC (permalink / raw)
To: Wang Zhaolong, sfrench, sfrench
Cc: linux-cifs, samba-technical, linux-kernel, chengzhihao1,
wangzhaolong1, yi.zhang, yangerkun
Wang Zhaolong <wangzhaolong1@huawei.com> writes:
> V2:
> - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
> - The titles of patches follow the same style.
>
> This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> client readdir implementation that can be triggered during concurrent
> directory reads when a signal interrupts directory enumeration.
>
> The root cause is in the operation sequence in find_cifs_entry():
> 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> 2. The code continues to access last_entry pointer before checking the return code
> 3. This can access freed memory since the buffer may have been released
>
> The race condition can be triggered by processes accessing the same directory
> with concurrent readdir operations, especially when signals are involved.
>
> The fix is straightforward:
> 1. First patch ensures we check the return code before using any pointers
> 2. Second patch improves defensiveness by resetting all related buffer pointers
> when freeing the network buffer
>
> Wang Zhaolong (2):
> smb: client: Fix use-after-free in cifs_fill_dirent
> smb: client: Reset all search buffer pointers when releasing buffer
>
> fs/smb/client/readdir.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Steve French @ 2025-05-17 20:18 UTC (permalink / raw)
To: Paulo Alcantara
Cc: Wang Zhaolong, sfrench, linux-cifs, samba-technical, linux-kernel,
chengzhihao1, yi.zhang, yangerkun
Merged into cifs-2.6.git for-next
I was only able to reproduce the rmmod problem once though (without
the patch), so it has been tricky to test. What server were you testing
against (I tried current Samba and ksmbd)?
On Fri, May 16, 2025 at 8:50 AM Paulo Alcantara <pc@manguebit.com> wrote:
>
> Wang Zhaolong <wangzhaolong1@huawei.com> writes:
>
> > V2:
> > - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
> > - The titles of patches follow the same style.
> >
> > This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> > client readdir implementation that can be triggered during concurrent
> > directory reads when a signal interrupts directory enumeration.
> >
> > The root cause is in the operation sequence in find_cifs_entry():
> > 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> > 2. The code continues to access last_entry pointer before checking the return code
> > 3. This can access freed memory since the buffer may have been released
> >
> > The race condition can be triggered by processes accessing the same directory
> > with concurrent readdir operations, especially when signals are involved.
> >
> > The fix is straightforward:
> > 1. First patch ensures we check the return code before using any pointers
> > 2. Second patch improves defensiveness by resetting all related buffer pointers
> > when freeing the network buffer
> >
> > Wang Zhaolong (2):
> > smb: client: Fix use-after-free in cifs_fill_dirent
> > smb: client: Reset all search buffer pointers when releasing buffer
> >
> > fs/smb/client/readdir.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
>
> Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
>
--
Thanks,
Steve
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Wang Zhaolong @ 2025-05-19 2:56 UTC (permalink / raw)
To: Steve French, Paulo Alcantara
Cc: sfrench, linux-cifs, samba-technical, linux-kernel, chengzhihao1,
yi.zhang, yangerkun
> Merged into cifs-2.6.git for-next
>
> I was only able to reproduce the rmmod problem once though (without
> the patch) so been tricky to test. What server were you testing
> against (I tried current Samba and ksmbd)?
>
I initialized the Samba server using the `samba` package provided by the
Debian Trixie distribution.
Best regards,
Wang Zhaolong
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Steve French @ 2025-05-19 15:41 UTC (permalink / raw)
To: Wang Zhaolong
Cc: Paulo Alcantara, sfrench, linux-cifs, samba-technical,
linux-kernel, chengzhihao1, yi.zhang, yangerkun
I was able to reproduce it by running the reproducer poc much longer
[189335.643181] Key type cifs.idmap unregistered
[189335.643203] Key type cifs.spnego unregistered
[189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
[189335.656316]
=============================================================================
[189335.656320] BUG cifs_small_rq (Tainted: G B W OE ):
Objects remaining on __kmem_cache_shutdown()
[189335.656322]
-----------------------------------------------------------------------------
[189335.656324] Object 0x000000001a39cfef @offset=15232
[189335.656326] Slab 0x00000000479475fe objects=36 used=1
fp=0x0000000090941d36
flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
[189335.656334] ------------[ cut here ]------------
[189335.656335] WARNING: CPU: 1 PID: 84118 at mm/slub.c:1135
__slab_err+0x1d/0x30
....
[189335.656512] [last unloaded: cifs(OE)]
[189335.656516] CPU: 1 UID: 0 PID: 84118 Comm: rmmod Tainted: G B
W OE 6.15.0-061500rc4-generic #202504272253 PREEMPT(voluntary)
[189335.656520] Tainted: [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE,
[E]=UNSIGNED_MODULE
[189335.656521] Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS
N2CET70W (1.53 ) 03/11/2024
[189335.656522] RIP: 0010:__slab_err+0x1d/0x30
[189335.656525] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44
00 00 55 48 89 e5 e8 72 ff ff ff be 01 00 00 00 bf 05 00 00 00 e8 33
b2 1c 00 <0f> 0b 5d 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90
90 90
[189335.656527] RSP: 0018:ffffcf3041b33a18 EFLAGS: 00010046
[189335.656529] RAX: 0000000000000000 RBX: ffffcf3041b33a60 RCX:
0000000000000000
[189335.656530] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[189335.656531] RBP: ffffcf3041b33a18 R08: 0000000000000000 R09:
0000000000000000
[189335.656533] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff8c1b49eb7600
[189335.656534] R13: ffff8c1b4ccd9580 R14: dead000000000122 R15:
ffff8c1b4ccd9580
[189335.656535] FS: 00007d912677e080(0000) GS:ffff8c2312b1b000(0000)
knlGS:0000000000000000
[189335.656537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[189335.656538] CR2: 000061c8bedf4778 CR3: 00000003f2b4a001 CR4:
00000000003726f0
[189335.656540] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[189335.656541] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[189335.656542] Call Trace:
[189335.656543] <TASK>
[189335.656546] free_partial.cold+0x137/0x191
[189335.656550] __kmem_cache_shutdown+0x46/0xa0
[189335.656553] kmem_cache_destroy+0x3e/0x1c0
[189335.656558] cifs_destroy_request_bufs+0x5c/0x70 [cifs]
[189335.656618] exit_cifs+0x3a/0xef0 [cifs]
[189335.656666] __do_sys_delete_module.isra.0+0x19d/0x2e0
[189335.656671] __x64_sys_delete_module+0x12/0x20
[189335.656674] x64_sys_call+0x1765/0x2320
[189335.656677] do_syscall_64+0x7e/0x210
[189335.656679] ? __fput+0x1a2/0x2d0
[189335.656681] ? kmem_cache_free+0x408/0x470
[189335.656684] ? __fput+0x1a2/0x2d0
[189335.656686] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[189335.656689] ? syscall_exit_to_user_mode+0x38/0x1d0
[189335.656692] ? do_syscall_64+0x8a/0x210
[189335.656695] ? do_read_fault+0xfb/0x230
[189335.656698] ? do_fault+0x15d/0x220
[189335.656699] ? handle_pte_fault+0x140/0x210
[189335.656702] ? __handle_mm_fault+0x3cd/0x790
[189335.656705] ? __count_memcg_events+0xd3/0x1a0
[189335.656708] ? count_memcg_events.constprop.0+0x2a/0x50
[189335.656710] ? handle_mm_fault+0x1ca/0x2e0
[189335.656713] ? do_user_addr_fault+0x2f8/0x830
[189335.656716] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[189335.656719] ? irqentry_exit_to_user_mode+0x2d/0x1d0
[189335.656722] ? irqentry_exit+0x43/0x50
[189335.656724] ? exc_page_fault+0x96/0x1e0
[189335.656727] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[189335.656729] RIP: 0033:0x7d9125f2ac9b
[189335.656731] Code: 73 01 c3 48 8b 0d 7d 81 0d 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4d 81 0d 00 f7 d8 64 89
01 48
[189335.656732] RSP: 002b:00007ffe9b9656f8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[189335.656735] RAX: ffffffffffffffda RBX: 00005eb63e457720 RCX:
00007d9125f2ac9b
[189335.656736] RDX: 0000000000000000 RSI: 0000000000000800 RDI:
00005eb63e457788
[189335.656737] RBP: 00007ffe9b965720 R08: 1999999999999999 R09:
0000000000000000
[189335.656738] R10: 00007d9125fb1fc0 R11: 0000000000000206 R12:
0000000000000000
[189335.656740] R13: 00007ffe9b965970 R14: 00005eb63e457720 R15:
0000000000000000
[189335.656743] </TASK>
[189335.656744] ---[ end trace 0000000000000000 ]---
[189335.656803] ------------[ cut here ]------------
[189335.656804] kmem_cache_destroy cifs_small_rq: Slab cache still has
objects when called from cifs_destroy_request_bufs+0x5c/0x70 [cifs]
[189335.656861] WARNING: CPU: 1 PID: 84118 at mm/slab_common.c:525
kmem_cache_destroy+0x152/0x1c0
....
On Sun, May 18, 2025 at 9:56 PM Wang Zhaolong <wangzhaolong1@huawei.com> wrote:
>
>
>
>
>
> > Merged into cifs-2.6.git for-next
> >
> > I was only able to reproduce the rmmod problem once though (without
> > the patch) so been tricky to test. What server were you testing
> > against (I tried current Samba and ksmbd)?
> >
>
> I initialized the Samba server using the `samba` package provided by the
> Debian Trixie distribution.
>
> Best regards,
> Wang Zhaolong
--
Thanks,
Steve
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Wang Zhaolong @ 2025-05-22 12:53 UTC (permalink / raw)
To: Steve French
Cc: Paulo Alcantara, sfrench, linux-cifs, samba-technical,
linux-kernel, chengzhihao1, yi.zhang, yangerkun
> I was able to reproduce it by running the reproducer poc much longer
I was able to reproduce the issue described in the patch within 1-3 minutes by
running the POC on a virtual machine with 4 CPU cores with CONFIG_KASAN=y.
>
> [189335.643181] Key type cifs.idmap unregistered
> [189335.643203] Key type cifs.spnego unregistered
> [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
> [189335.656316]
> =============================================================================
> [189335.656320] BUG cifs_small_rq (Tainted: G B W OE ):
> Objects remaining on __kmem_cache_shutdown()
> [189335.656322]
> -----------------------------------------------------------------------------
>
> [189335.656324] Object 0x000000001a39cfef @offset=15232
> [189335.656326] Slab 0x00000000479475fe objects=36 used=1
> fp=0x0000000090941d36
> flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
> [189335.656334] ------------[ cut here ]------------
> [189335.656335] WARNING: CPU: 1 PID: 84118 at mm/slub.c:1135
> __slab_err+0x1d/0x30
> ....
> [189335.656512] [last unloaded: cifs(OE)]
> [189335.656516] CPU: 1 UID: 0 PID: 84118 Comm: rmmod Tainted: G B
> W OE 6.15.0-061500rc4-generic #202504272253 PREEMPT(voluntary)
> [189335.656520] Tainted: [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE,
> [E]=UNSIGNED_MODULE
> [189335.656521] Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS
> N2CET70W (1.53 ) 03/11/2024
> [189335.656522] RIP: 0010:__slab_err+0x1d/0x30
> [189335.656525] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44
> 00 00 55 48 89 e5 e8 72 ff ff ff be 01 00 00 00 bf 05 00 00 00 e8 33
> b2 1c 00 <0f> 0b 5d 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90
> 90 90
> [189335.656527] RSP: 0018:ffffcf3041b33a18 EFLAGS: 00010046
> [189335.656529] RAX: 0000000000000000 RBX: ffffcf3041b33a60 RCX:
> 0000000000000000
> [189335.656530] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000000000000
> [189335.656531] RBP: ffffcf3041b33a18 R08: 0000000000000000 R09:
> 0000000000000000
> [189335.656533] R10: 0000000000000000 R11: 0000000000000000 R12:
> ffff8c1b49eb7600
> [189335.656534] R13: ffff8c1b4ccd9580 R14: dead000000000122 R15:
> ffff8c1b4ccd9580
> [189335.656535] FS: 00007d912677e080(0000) GS:ffff8c2312b1b000(0000)
> knlGS:0000000000000000
> [189335.656537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [189335.656538] CR2: 000061c8bedf4778 CR3: 00000003f2b4a001 CR4:
> 00000000003726f0
> [189335.656540] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [189335.656541] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [189335.656542] Call Trace:
> [189335.656543] <TASK>
> [189335.656546] free_partial.cold+0x137/0x191
> [189335.656550] __kmem_cache_shutdown+0x46/0xa0
> [189335.656553] kmem_cache_destroy+0x3e/0x1c0
> [189335.656558] cifs_destroy_request_bufs+0x5c/0x70 [cifs]
> [189335.656618] exit_cifs+0x3a/0xef0 [cifs]
> [189335.656666] __do_sys_delete_module.isra.0+0x19d/0x2e0
> [189335.656671] __x64_sys_delete_module+0x12/0x20
> [189335.656674] x64_sys_call+0x1765/0x2320
> [189335.656677] do_syscall_64+0x7e/0x210
> [189335.656679] ? __fput+0x1a2/0x2d0
> [189335.656681] ? kmem_cache_free+0x408/0x470
> [189335.656684] ? __fput+0x1a2/0x2d0
> [189335.656686] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
> [189335.656689] ? syscall_exit_to_user_mode+0x38/0x1d0
> [189335.656692] ? do_syscall_64+0x8a/0x210
> [189335.656695] ? do_read_fault+0xfb/0x230
> [189335.656698] ? do_fault+0x15d/0x220
> [189335.656699] ? handle_pte_fault+0x140/0x210
> [189335.656702] ? __handle_mm_fault+0x3cd/0x790
> [189335.656705] ? __count_memcg_events+0xd3/0x1a0
> [189335.656708] ? count_memcg_events.constprop.0+0x2a/0x50
> [189335.656710] ? handle_mm_fault+0x1ca/0x2e0
> [189335.656713] ? do_user_addr_fault+0x2f8/0x830
> [189335.656716] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
> [189335.656719] ? irqentry_exit_to_user_mode+0x2d/0x1d0
> [189335.656722] ? irqentry_exit+0x43/0x50
> [189335.656724] ? exc_page_fault+0x96/0x1e0
> [189335.656727] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [189335.656729] RIP: 0033:0x7d9125f2ac9b
This call trace seems to look like a memory leak or a reference
counting management issue. Can it still be reproduced even after my
patch is applied?
Best regards,
Wang Zhaolong
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Wang Zhaolong @ 2025-05-22 14:00 UTC (permalink / raw)
To: Steve French
Cc: Paulo Alcantara, sfrench, linux-cifs, samba-technical,
linux-kernel, chengzhihao1, yi.zhang, yangerkun
> I was able to reproduce it by running the reproducer poc much longer
>
> [189335.643181] Key type cifs.idmap unregistered
> [189335.643203] Key type cifs.spnego unregistered
> [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
> [189335.656316]
> =============================================================================
> [189335.656320] BUG cifs_small_rq (Tainted: G B W OE ):
> Objects remaining on __kmem_cache_shutdown()
> [189335.656322]
> -----------------------------------------------------------------------------
>
> [189335.656324] Object 0x000000001a39cfef @offset=15232
> [189335.656326] Slab 0x00000000479475fe objects=36 used=1
> fp=0x0000000090941d36
> flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
> [189335.656334] ------------[ cut here ]------------
After disabling KASAN, I encountered two memory leak issues after
running the POC for half an hour:
Phenomenon 1:
[ 2175.037198] ------------[ cut here ]------------
[ 2175.038447] WARNING: CPU: 2 PID: 425 at fs/smb/client/smb2ops.c:104 smb2_add_credits+0x2ac/0x6c0 [cifs]
[ 2175.041927] Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4
[ 2175.043736] CPU: 2 UID: 0 PID: 425 Comm: cifsd Not tainted 6.15.0-rc6+ #241 PREEMPT(full)
[ 2175.046082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
[ 2175.048680] RIP: 0010:smb2_add_credits+0x2ac/0x6c0 [cifs]
[ 2175.050432] Code: ff ff 4c 89 e7 e8 d4 8e ff ff 41 89 c5 e9 99 fe ff ff c7
43 08 02 00 00 00 45 8b 8c 24 d8 01 00 00 45 85 c9 0f 85 48 fe ff ff <0f> 0b 80 3d
41 6a eb ff 00 0f 84 dc 03 00 00 0f 1f 44 00 00 f
[ 2175.054563] RSP: 0018:ffffa9a94043fca8 EFLAGS: 00010246
[ 2175.055716] RAX: 0000000000001ffe RBX: ffffa9a94043fcf0 RCX: 0000000000000000
[ 2175.057236] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff90b807432a34
[ 2175.058760] RBP: 0000000000000000 R08: ffff90b80ce60188 R09: 0000000000000000
[ 2175.060268] R10: 0000000000000000 R11: 0000000000000001 R12: ffff90b807432800
[ 2175.061730] R13: 0000000000000000 R14: 0000000000000001 R15: ffff90b8074329d0
[ 2175.063210] FS: 0000000000000000(0000) GS:ffff90b8a9e84000(0000) knlGS:0000000000000000
[ 2175.064422] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2175.065455] CR2: 00005643543896f8 CR3: 000000000192c000 CR4: 00000000000006f0
[ 2175.066519] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2175.067561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2175.068658] Call Trace:
[ 2175.069068] <TASK>
[ 2175.069402] cifs_compound_callback+0x77/0xb0 [cifs]
[ 2175.070214] cifs_cancelled_callback+0x12/0x40 [cifs]
[ 2175.071058] clean_demultiplex_info+0x206/0x420 [cifs]
[ 2175.071935] cifs_demultiplex_thread+0x1a6/0xcb0 [cifs]
[ 2175.072815] ? dl_server_update_idle_time+0x60/0xa0
[ 2175.073579] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
[ 2175.074550] kthread+0x10d/0x200
[ 2175.075051] ? __pfx_kthread+0x10/0x10
[ 2175.075631] ret_from_fork+0x34/0x50
[ 2175.076197] ? __pfx_kthread+0x10/0x10
[ 2175.076683] ret_from_fork_asm+0x1a/0x30
[ 2175.077143] </TASK>
[ 2175.077398] ---[ end trace 0000000000000000 ]---
[ 2175.077919] CIFS: rreq R=00000000[0] Zero in_flight
[ 2175.285771] ------------[ cut here ]------------
Phenomenon 2
[ 2175.287049] kmem_cache_destroy cifs_request: Slab cache still has objects when called from exit_cifs+0x43/0x560 [cifs]
[ 2175.287205] WARNING: CPU: 0 PID: 3207738 at mm/slab_common.c:525 kmem_cache_destroy+0xfd/0x160
[ 2175.292071] Modules linked in: cifs(-) cifs_arc4 nls_ucs2_utils cifs_md4
[ 2175.293796] CPU: 0 UID: 0 PID: 3207738 Comm: modprobe Tainted: G W 6.15.0-rc6+ #241 PREEMPT(full)
[ 2175.296519] Tainted: [W]=WARN
[ 2175.297339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
[ 2175.299559] RIP: 0010:kmem_cache_destroy+0xfd/0x160
[ 2175.300836] Code: de 5b e9 86 bf 05 00 e8 b1 db e4 ff eb b2 48 8b 53 60 48 8b
4c 24 08 48 c7 c6 a0 be a2 93 48 c7 c7 10 2e fb 93 e8 a3 9d da ff <0f> 0b 48 8b 53 68
48 8b 43 70 48 c7 c7 80 8a 37 94 48 89 42 8
[ 2175.304313] RSP: 0018:ffffa9a94328beb8 EFLAGS: 00010286
[ 2175.305261] RAX: 0000000000000000 RBX: ffff90b801c63a00 RCX: 0000000000000000
[ 2175.306544] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 00000000ffffffff
[ 2175.307815] RBP: 0000000000000800 R08: 0000000000004ffb R09: 00000000ffffefff
[ 2175.309077] R10: 00000000ffffefff R11: ffffffff94265060 R12: 0000000000000000
[ 2175.310353] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 2175.311632] FS: 00007fa76803b440(0000) GS:ffff90b8a9d84000(0000) knlGS:0000000000000000
[ 2175.313063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2175.314098] CR2: 0000560b6ad2e850 CR3: 000000000deac000 CR4: 00000000000006f0
[ 2175.315221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2175.316137] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2175.317091] Call Trace:
[ 2175.317433] <TASK>
[ 2175.317734] exit_cifs+0x43/0x560 [cifs]
[ 2175.318316] __x64_sys_delete_module+0x1ad/0x2a0
[ 2175.318958] ? fpregs_assert_state_consistent+0x25/0x50
[ 2175.319656] do_syscall_64+0x4b/0x110
[ 2175.320184] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 2175.320856] RIP: 0033:0x7fa767927977
[ 2175.321359] Code: 73 01 c3 48 8b 0d a9 94 0c 00 f7 d8 64 89 01 48 83 c8 ff c3
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d 79 94 0c 00 f7 d8 64 89 8
[ 2175.323766] RSP: 002b:00007ffd9f24c6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 2175.324766] RAX: ffffffffffffffda RBX: 000056460f617e30 RCX: 00007fa767927977
[ 2175.325721] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056460f617e98
[ 2175.326580] RBP: 0000000000000000 R08: 1999999999999999 R09: 0000000000000000
[ 2175.327329] R10: 00007fa767999ac0 R11: 0000000000000206 R12: 0000000000000000
[ 2175.328086] R13: 0000000000000000 R14: 00007ffd9f24c730 R15: 00007ffd9f24dbe8
[ 2175.328832] </TASK>
[ 2175.329090] ---[ end trace 0000000000000000 ]---
These should be new issues. I'll get to the bottom of them as soon as I can.
Best regards,
Wang Zhaolong
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
From: Steve French @ 2025-05-22 15:39 UTC (permalink / raw)
To: Wang Zhaolong
Cc: Paulo Alcantara, linux-cifs, samba-technical, linux-kernel,
chengzhihao1, yi.zhang, yangerkun
Since your patches both clearly fix problems and look
non-controversial (and were reviewed by multiple people), I plan to send
them upstream today; let me know if there are any objections.
On Thu, May 22, 2025 at 9:00 AM Wang Zhaolong <wangzhaolong1@huawei.com> wrote:
>
>
>
>
>
> > I was able to reproduce it by running the reproducer poc much longer
> >
> > [189335.643181] Key type cifs.idmap unregistered
> > [189335.643203] Key type cifs.spnego unregistered
> > [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
> > [189335.656316]
> > =============================================================================
> > [189335.656320] BUG cifs_small_rq (Tainted: G B W OE ):
> > Objects remaining on __kmem_cache_shutdown()
> > [189335.656322]
> > -----------------------------------------------------------------------------
> >
> > [189335.656324] Object 0x000000001a39cfef @offset=15232
> > [189335.656326] Slab 0x00000000479475fe objects=36 used=1
> > fp=0x0000000090941d36
> > flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
> > [189335.656334] ------------[ cut here ]------------
>
> After disabling KASAN, I encountered two memory leak issues after
> running the POC for half an hour:
>
> Phenomenon 1:
>
> [ 2175.037198] ------------[ cut here ]------------
> [ 2175.038447] WARNING: CPU: 2 PID: 425 at fs/smb/client/smb2ops.c:104 smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.041927] Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.043736] CPU: 2 UID: 0 PID: 425 Comm: cifsd Not tainted 6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.046082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.048680] RIP: 0010:smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.050432] Code: ff ff 4c 89 e7 e8 d4 8e ff ff 41 89 c5 e9 99 fe ff ff c7
> 43 08 02 00 00 00 45 8b 8c 24 d8 01 00 00 45 85 c9 0f 85 48 fe ff ff <0f> 0b 80 3d
> 41 6a eb ff 00 0f 84 dc 03 00 00 0f 1f 44 00 00 f
> [ 2175.054563] RSP: 0018:ffffa9a94043fca8 EFLAGS: 00010246
> [ 2175.055716] RAX: 0000000000001ffe RBX: ffffa9a94043fcf0 RCX: 0000000000000000
> [ 2175.057236] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff90b807432a34
> [ 2175.058760] RBP: 0000000000000000 R08: ffff90b80ce60188 R09: 0000000000000000
> [ 2175.060268] R10: 0000000000000000 R11: 0000000000000001 R12: ffff90b807432800
> [ 2175.061730] R13: 0000000000000000 R14: 0000000000000001 R15: ffff90b8074329d0
> [ 2175.063210] FS: 0000000000000000(0000) GS:ffff90b8a9e84000(0000) knlGS:0000000000000000
> [ 2175.064422] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.065455] CR2: 00005643543896f8 CR3: 000000000192c000 CR4: 00000000000006f0
> [ 2175.066519] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.067561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.068658] Call Trace:
> [ 2175.069068] <TASK>
> [ 2175.069402] cifs_compound_callback+0x77/0xb0 [cifs]
> [ 2175.070214] cifs_cancelled_callback+0x12/0x40 [cifs]
> [ 2175.071058] clean_demultiplex_info+0x206/0x420 [cifs]
> [ 2175.071935] cifs_demultiplex_thread+0x1a6/0xcb0 [cifs]
> [ 2175.072815] ? dl_server_update_idle_time+0x60/0xa0
> [ 2175.073579] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
> [ 2175.074550] kthread+0x10d/0x200
> [ 2175.075051] ? __pfx_kthread+0x10/0x10
> [ 2175.075631] ret_from_fork+0x34/0x50
> [ 2175.076197] ? __pfx_kthread+0x10/0x10
> [ 2175.076683] ret_from_fork_asm+0x1a/0x30
> [ 2175.077143] </TASK>
> [ 2175.077398] ---[ end trace 0000000000000000 ]---
> [ 2175.077919] CIFS: rreq R=00000000[0] Zero in_flight
> [ 2175.285771] ------------[ cut here ]------------
>
>
> Phenomenon 2:
>
> [ 2175.287049] kmem_cache_destroy cifs_request: Slab cache still has objects when called from exit_cifs+0x43/0x560 [cifs]
> [ 2175.287205] WARNING: CPU: 0 PID: 3207738 at mm/slab_common.c:525 kmem_cache_destroy+0xfd/0x160
> [ 2175.292071] Modules linked in: cifs(-) cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.293796] CPU: 0 UID: 0 PID: 3207738 Comm: modprobe Tainted: G W 6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.296519] Tainted: [W]=WARN
> [ 2175.297339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.299559] RIP: 0010:kmem_cache_destroy+0xfd/0x160
> [ 2175.300836] Code: de 5b e9 86 bf 05 00 e8 b1 db e4 ff eb b2 48 8b 53 60 48 8b
> 4c 24 08 48 c7 c6 a0 be a2 93 48 c7 c7 10 2e fb 93 e8 a3 9d da ff <0f> 0b 48 8b 53 68
> 48 8b 43 70 48 c7 c7 80 8a 37 94 48 89 42 8
> [ 2175.304313] RSP: 0018:ffffa9a94328beb8 EFLAGS: 00010286
> [ 2175.305261] RAX: 0000000000000000 RBX: ffff90b801c63a00 RCX: 0000000000000000
> [ 2175.306544] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 00000000ffffffff
> [ 2175.307815] RBP: 0000000000000800 R08: 0000000000004ffb R09: 00000000ffffefff
> [ 2175.309077] R10: 00000000ffffefff R11: ffffffff94265060 R12: 0000000000000000
> [ 2175.310353] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [ 2175.311632] FS: 00007fa76803b440(0000) GS:ffff90b8a9d84000(0000) knlGS:0000000000000000
> [ 2175.313063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.314098] CR2: 0000560b6ad2e850 CR3: 000000000deac000 CR4: 00000000000006f0
> [ 2175.315221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.316137] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.317091] Call Trace:
> [ 2175.317433] <TASK>
> [ 2175.317734] exit_cifs+0x43/0x560 [cifs]
> [ 2175.318316] __x64_sys_delete_module+0x1ad/0x2a0
> [ 2175.318958] ? fpregs_assert_state_consistent+0x25/0x50
> [ 2175.319656] do_syscall_64+0x4b/0x110
> [ 2175.320184] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 2175.320856] RIP: 0033:0x7fa767927977
> [ 2175.321359] Code: 73 01 c3 48 8b 0d a9 94 0c 00 f7 d8 64 89 01 48 83 c8 ff c3
> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d 79 94 0c 00 f7 d8 64 89 8
> [ 2175.323766] RSP: 002b:00007ffd9f24c6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
> [ 2175.324766] RAX: ffffffffffffffda RBX: 000056460f617e30 RCX: 00007fa767927977
> [ 2175.325721] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056460f617e98
> [ 2175.326580] RBP: 0000000000000000 R08: 1999999999999999 R09: 0000000000000000
> [ 2175.327329] R10: 00007fa767999ac0 R11: 0000000000000206 R12: 0000000000000000
> [ 2175.328086] R13: 0000000000000000 R14: 00007ffd9f24c730 R15: 00007ffd9f24dbe8
> [ 2175.328832] </TASK>
> [ 2175.329090] ---[ end trace 0000000000000000 ]---
>
>
> These should be new issues. I'll get to the bottom of them as soon as I can.
>
> Best regards,
> Wang Zhaolong
>
--
Thanks,
Steve
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
2025-05-22 15:39 ` Steve French
@ 2025-05-23 2:33 ` Wang Zhaolong
0 siblings, 0 replies; 12+ messages in thread
From: Wang Zhaolong @ 2025-05-23 2:33 UTC (permalink / raw)
To: Steve French
Cc: Paulo Alcantara, linux-cifs, samba-technical, linux-kernel,
chengzhihao1, yi.zhang, yangerkun
> Since your patches both clearly fix problems, and look
> non-controversial (and reviewed by multiple people). I plan to send
> them upstream today, let me know if any objections.
>
Thank you for your confirmation and for sending the patches upstream.
Much appreciated!
Best regards,
Wang Zhaolong
* Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
2025-05-22 14:00 ` Wang Zhaolong
2025-05-22 15:39 ` Steve French
@ 2025-08-05 2:38 ` Wang Zhaolong
1 sibling, 0 replies; 12+ messages in thread
From: Wang Zhaolong @ 2025-08-05 2:38 UTC (permalink / raw)
To: Steve French
Cc: Paulo Alcantara, sfrench, linux-cifs, samba-technical,
linux-kernel, chengzhihao1, yi.zhang, yangerkun
>
>> I was able to reproduce it by running the reproducer poc much longer
>>
>> [189335.643181] Key type cifs.idmap unregistered
>> [189335.643203] Key type cifs.spnego unregistered
>> [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
>> [189335.656316]
>> =============================================================================
>> [189335.656320] BUG cifs_small_rq (Tainted: G B W OE ):
>> Objects remaining on __kmem_cache_shutdown()
>> [189335.656322]
>> -----------------------------------------------------------------------------
>>
>> [189335.656324] Object 0x000000001a39cfef @offset=15232
>> [189335.656326] Slab 0x00000000479475fe objects=36 used=1
>> fp=0x0000000090941d36
>> flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
>> [189335.656334] ------------[ cut here ]------------
>
> After disabling KASAN, I encountered two memory leak issues after
> running the POC for half an hour:
>
> Phenomenon 1:
>
> [ 2175.037198] ------------[ cut here ]------------
> [ 2175.038447] WARNING: CPU: 2 PID: 425 at fs/smb/client/smb2ops.c:104 smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.041927] Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.043736] CPU: 2 UID: 0 PID: 425 Comm: cifsd Not tainted 6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.046082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.048680] RIP: 0010:smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.050432] Code: ff ff 4c 89 e7 e8 d4 8e ff ff 41 89 c5 e9 99 fe ff ff c7
> 43 08 02 00 00 00 45 8b 8c 24 d8 01 00 00 45 85 c9 0f 85 48 fe ff ff <0f> 0b 80 3d
> 41 6a eb ff 00 0f 84 dc 03 00 00 0f 1f 44 00 00 f
> [ 2175.054563] RSP: 0018:ffffa9a94043fca8 EFLAGS: 00010246
> [ 2175.055716] RAX: 0000000000001ffe RBX: ffffa9a94043fcf0 RCX: 0000000000000000
> [ 2175.057236] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff90b807432a34
> [ 2175.058760] RBP: 0000000000000000 R08: ffff90b80ce60188 R09: 0000000000000000
> [ 2175.060268] R10: 0000000000000000 R11: 0000000000000001 R12: ffff90b807432800
> [ 2175.061730] R13: 0000000000000000 R14: 0000000000000001 R15: ffff90b8074329d0
> [ 2175.063210] FS: 0000000000000000(0000) GS:ffff90b8a9e84000(0000) knlGS:0000000000000000
> [ 2175.064422] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.065455] CR2: 00005643543896f8 CR3: 000000000192c000 CR4: 00000000000006f0
> [ 2175.066519] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.067561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.068658] Call Trace:
> [ 2175.069068] <TASK>
> [ 2175.069402] cifs_compound_callback+0x77/0xb0 [cifs]
> [ 2175.070214] cifs_cancelled_callback+0x12/0x40 [cifs]
> [ 2175.071058] clean_demultiplex_info+0x206/0x420 [cifs]
> [ 2175.071935] cifs_demultiplex_thread+0x1a6/0xcb0 [cifs]
> [ 2175.072815] ? dl_server_update_idle_time+0x60/0xa0
> [ 2175.073579] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
> [ 2175.074550] kthread+0x10d/0x200
> [ 2175.075051] ? __pfx_kthread+0x10/0x10
> [ 2175.075631] ret_from_fork+0x34/0x50
> [ 2175.076197] ? __pfx_kthread+0x10/0x10
> [ 2175.076683] ret_from_fork_asm+0x1a/0x30
> [ 2175.077143] </TASK>
> [ 2175.077398] ---[ end trace 0000000000000000 ]---
> [ 2175.077919] CIFS: rreq R=00000000[0] Zero in_flight
> [ 2175.285771] ------------[ cut here ]------------
>
>
> Phenomenon 2:
>
> [ 2175.287049] kmem_cache_destroy cifs_request: Slab cache still has objects when called from exit_cifs+0x43/0x560 [cifs]
> [ 2175.287205] WARNING: CPU: 0 PID: 3207738 at mm/slab_common.c:525 kmem_cache_destroy+0xfd/0x160
> [ 2175.292071] Modules linked in: cifs(-) cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.293796] CPU: 0 UID: 0 PID: 3207738 Comm: modprobe Tainted: G W 6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.296519] Tainted: [W]=WARN
> [ 2175.297339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.299559] RIP: 0010:kmem_cache_destroy+0xfd/0x160
> [ 2175.300836] Code: de 5b e9 86 bf 05 00 e8 b1 db e4 ff eb b2 48 8b 53 60 48 8b
> 4c 24 08 48 c7 c6 a0 be a2 93 48 c7 c7 10 2e fb 93 e8 a3 9d da ff <0f> 0b 48 8b 53 68
> 48 8b 43 70 48 c7 c7 80 8a 37 94 48 89 42 8
> [ 2175.304313] RSP: 0018:ffffa9a94328beb8 EFLAGS: 00010286
> [ 2175.305261] RAX: 0000000000000000 RBX: ffff90b801c63a00 RCX: 0000000000000000
> [ 2175.306544] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 00000000ffffffff
> [ 2175.307815] RBP: 0000000000000800 R08: 0000000000004ffb R09: 00000000ffffefff
> [ 2175.309077] R10: 00000000ffffefff R11: ffffffff94265060 R12: 0000000000000000
> [ 2175.310353] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [ 2175.311632] FS: 00007fa76803b440(0000) GS:ffff90b8a9d84000(0000) knlGS:0000000000000000
> [ 2175.313063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.314098] CR2: 0000560b6ad2e850 CR3: 000000000deac000 CR4: 00000000000006f0
> [ 2175.315221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.316137] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.317091] Call Trace:
> [ 2175.317433] <TASK>
> [ 2175.317734] exit_cifs+0x43/0x560 [cifs]
> [ 2175.318316] __x64_sys_delete_module+0x1ad/0x2a0
> [ 2175.318958] ? fpregs_assert_state_consistent+0x25/0x50
> [ 2175.319656] do_syscall_64+0x4b/0x110
> [ 2175.320184] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 2175.320856] RIP: 0033:0x7fa767927977
> [ 2175.321359] Code: 73 01 c3 48 8b 0d a9 94 0c 00 f7 d8 64 89 01 48 83 c8 ff c3
> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d 79 94 0c 00 f7 d8 64 89 8
> [ 2175.323766] RSP: 002b:00007ffd9f24c6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
> [ 2175.324766] RAX: ffffffffffffffda RBX: 000056460f617e30 RCX: 00007fa767927977
> [ 2175.325721] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056460f617e98
> [ 2175.326580] RBP: 0000000000000000 R08: 1999999999999999 R09: 0000000000000000
> [ 2175.327329] R10: 00007fa767999ac0 R11: 0000000000000206 R12: 0000000000000000
> [ 2175.328086] R13: 0000000000000000 R14: 00007ffd9f24c730 R15: 00007ffd9f24dbe8
> [ 2175.328832] </TASK>
> [ 2175.329090] ---[ end trace 0000000000000000 ]---
>
>
> These should be new issues. I'll get to the bottom of them as soon as I can.
>
> Best regards,
> Wang Zhaolong
>
I have identified the issue mentioned above. Below is my proposed fix:
https://lore.kernel.org/all/20250804134006.3609555-1-wangzhaolong@huaweicloud.com/
I'd like to kindly invite feedback and discussion from the community on this
issue, particularly regarding the root cause and the correctness of the
proposed solution. Any suggestions, concerns, or alternative approaches are
highly welcome.
Best regards,
Wang Zhaolong