From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 177C7C43381 for ; Wed, 20 Mar 2019 11:12:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E16E42184E for ; Wed, 20 Mar 2019 11:12:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727392AbfCTLMZ convert rfc822-to-8bit (ORCPT ); Wed, 20 Mar 2019 07:12:25 -0400 Received: from mx2.suse.de ([195.135.220.15]:54390 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727366AbfCTLMZ (ORCPT ); Wed, 20 Mar 2019 07:12:25 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 293C4AE14; Wed, 20 Mar 2019 11:12:24 +0000 (UTC) From: =?utf-8?Q?Aur=C3=A9lien?= Aptel To: Dominik Brodowski Cc: sfrench@samba.org, linux-cifs@vger.kernel.org Subject: Re: v5.1-rc1 cifs bug: underflow; use-after-free. In-Reply-To: <20190319162645.GA3498@light.dominikbrodowski.net> References: <20190319162645.GA3498@light.dominikbrodowski.net> Date: Wed, 20 Mar 2019 12:12:21 +0100 Message-ID: <871s316bqi.fsf@suse.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Dominik Brodowski writes: > Thanks for taking a look at this issue. Fortunately, it is easily > reproducable (at least for me). Which server are you doing this against? I couldn't reproduce against Windows Server 2016. >> If you enable verbose debugging [1], if my theory is correct you should >> see a lease break messsage followed by "clear cached root file handle" >> message before the warning. > > Hm, no. Ok well I'm not sure what is happening then. But the final points still stand: - since we don't free anything in the release function, there is no use-after-free. - the access to the kref is already protected by crfid.fid_mutex so we could replace it with a regular int and avoid the warning generated by kref_put() that you see. -- Aurélien Aptel / SUSE Labs Samba Team GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3 SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)