* [PATCH 1/2] smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()
2026-04-10 20:10 [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path Stefan Metzmacher
@ 2026-04-10 20:11 ` Stefan Metzmacher
2026-04-10 20:11 ` [PATCH 2/2] smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() Stefan Metzmacher
From: Stefan Metzmacher @ 2026-04-10 20:11 UTC (permalink / raw)
To: linux-cifs, samba-technical
Cc: metze, Ruikai Peng, stable, Steve French, Tom Talpey, Long Li,
Namjae Jeon, Sergey Senozhatsky, Paulo Alcantara, security
smbd_send_batch_flush() already calls smbd_free_send_io(),
so we should not call it again after smbd_post_send()
moved it to the batch list.
Reported-by: Ruikai Peng <ruikai@pwno.io>
Closes: https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
Fixes: 21538121efe6 ("smb: client: make use of smbdirect_socket.send_io.bcredits")
Cc: stable@kernel.org
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Long Li <longli@microsoft.com>
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Ruikai Peng <ruikai@pwno.io>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Paulo Alcantara <pc@manguebit.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: security@kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Tested-by: Ruikai Peng <ruikai@pwno.io>
---
fs/smb/client/smbdirect.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
index c79304012b08..461658105013 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -1551,17 +1551,25 @@ static int smbd_post_send_iter(struct smbdirect_socket *sc,
rc = smbd_post_send(sc, batch, request);
if (!rc) {
+ /*
+ * From here request is moved to batch
+ * and we should not free it explicitly.
+ */
+
if (batch != &_batch)
return 0;
rc = smbd_send_batch_flush(sc, batch, true);
if (!rc)
return 0;
+
+ goto err_flush;
}
err_dma:
smbd_free_send_io(request);
+err_flush:
err_alloc:
atomic_inc(&sc->send_io.credits.count);
wake_up(&sc->send_io.credits.wait_queue);
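Review bot: with the new `goto err_flush` the failed-flush path still executes `atomic_inc(&sc->send_io.credits.count)` and the `wake_up()` below it; that is only correct if smbd_send_batch_flush() does not itself hand the credit back when it frees the entries it owns, so please confirm it does not, otherwise this path returns the same credit twice, which is the same kind of duplicated cleanup the patch is removing. Minor: the added comment block is followed by a lone blank `+` line before `if (batch != &_batch)`, which can go so the comment stays attached to the check it explains, and the wording reads better as "From here on the batch owns request; do not free it here."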
--
2.43.0
* [PATCH 2/2] smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
2026-04-10 20:10 [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path Stefan Metzmacher
2026-04-10 20:11 ` [PATCH 1/2] smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush() Stefan Metzmacher
@ 2026-04-10 20:11 ` Stefan Metzmacher
2026-04-10 20:30 ` [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path Paulo Alcantara
2026-04-11 0:51 ` Namjae Jeon
From: Stefan Metzmacher @ 2026-04-10 20:11 UTC (permalink / raw)
To: linux-cifs, samba-technical
Cc: metze, Ruikai Peng, stable, Namjae Jeon, Steve French, Tom Talpey,
Sergey Senozhatsky, Paulo Alcantara, security
smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),
so we should not call it again after post_sendmsg()
moved it to the batch list.
Reported-by: Ruikai Peng <ruikai@pwno.io>
Closes: https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
Fixes: 34abd408c8ba ("smb: server: make use of smbdirect_socket.send_io.bcredits")
Cc: stable@kernel.org
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Ruikai Peng <ruikai@pwno.io>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Paulo Alcantara <pc@manguebit.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: security@kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Tested-by: Ruikai Peng <ruikai@pwno.io>
---
fs/smb/server/transport_rdma.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
index 188572491d53..dbc8dedb85dc 100644
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -1588,15 +1588,21 @@ static int smb_direct_post_send_data(struct smbdirect_socket *sc,
if (ret)
goto err;
+ /*
+ * From here msg is moved to send_ctx
+ * and we should not free it explicitly.
+ */
+
if (send_ctx == &_send_ctx) {
ret = smb_direct_flush_send_list(sc, send_ctx, true);
if (ret)
- goto err;
+ goto flush_failed;
}
return 0;
err:
smb_direct_free_sendmsg(sc, msg);
+flush_failed:
header_failed:
atomic_inc(&sc->send_io.credits.count);
credit_failed:
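Review bot: `flush_failed:` lands directly above `header_failed:`, so a failed smb_direct_flush_send_list() still runs `atomic_inc(&sc->send_io.credits.count)`; that is right only if the flush does not already return the credit when it calls smb_direct_free_sendmsg() on the entries in send_ctx, which is worth double-checking in the flush routine since this hunk cannot show it. Minor: the added comment ends in a lone blank `+` line before `if (send_ctx == &_send_ctx)`, which can be dropped.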
--
2.43.0
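Both commit messages above describe the same hand-off: once the post routine has moved the request onto the batch (client: smbd_post_send() into `batch`; server: post_sendmsg() into `send_ctx`), the flush routine owns it and frees it when the post to the wire fails, so the caller's own free on that error path becomes a second free. The following is an added example, not the kernel's code, that models the two control flows for both patches with an instrumented free counter instead of a real allocator. All names in it (send_io, send_batch, post_send, batch_flush, complete_sends, send_buggy, send_fixed, frees_for) are invented for illustration and do not correspond to the kernel functions.

```c
/*
 * Constructed model of the send_io ownership hand-off in the SMB Direct
 * batch path.  Added example, not kernel code: every identifier here is
 * invented.  free_send_io() only counts calls, so a second free is
 * reported instead of corrupting the heap.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct send_io {
    struct send_io *next;
    int free_count;          /* instrumentation: times free_send_io() ran */
};

struct send_batch {
    struct send_io *head;    /* entries the batch currently owns */
};

static void free_send_io(struct send_io *io)
{
    io->free_count++;        /* a real kfree() would corrupt the heap on call 2 */
}

/* Hand io to the batch.  On success the batch owns it from here on. */
static int post_send(struct send_batch *b, struct send_io *io, bool fail)
{
    if (fail)
        return -ENOMEM;      /* nothing handed over: caller still owns io */
    io->next = b->head;
    b->head = io;
    return 0;
}

/*
 * Push the batch to the wire.  Models an ib_post_send() failure: the
 * batch releases every entry it owns and reports the error.  On success
 * the entries stay in flight until complete_sends() runs.
 */
static int batch_flush(struct send_batch *b, bool fail)
{
    if (!fail)
        return 0;
    while (b->head) {
        struct send_io *io = b->head;
        b->head = io->next;
        free_send_io(io);
    }
    return -EIO;
}

/* Completion path: frees what was successfully posted. */
static void complete_sends(struct send_batch *b)
{
    while (b->head) {
        struct send_io *io = b->head;
        b->head = io->next;
        free_send_io(io);
    }
}

/* Pre-fix control flow: every error path falls into free_send_io(). */
static int send_buggy(struct send_batch *b, struct send_io *io,
                      bool post_fails, bool flush_fails)
{
    int rc = post_send(b, io, post_fails);
    if (!rc) {
        rc = batch_flush(b, flush_fails);
        if (!rc)
            return 0;
    }
    free_send_io(io);        /* double free: batch_flush() already freed it */
    return rc;
}

/* Fixed control flow: after a successful post_send() skip the free. */
static int send_fixed(struct send_batch *b, struct send_io *io,
                      bool post_fails, bool flush_fails)
{
    int rc = post_send(b, io, post_fails);
    if (!rc) {
        rc = batch_flush(b, flush_fails);
        if (!rc)
            return 0;
        goto err_flush;      /* io belongs to the batch now */
    }
    free_send_io(io);        /* only reached when post_send() failed */
err_flush:
    return rc;
}

/* Run one scenario; returns how often the single send_io was freed. */
static int frees_for(bool fixed, bool post_fails, bool flush_fails)
{
    struct send_batch b = { NULL };
    struct send_io io = { NULL, 0 };
    int rc;

    rc = fixed ? send_fixed(&b, &io, post_fails, flush_fails)
               : send_buggy(&b, &io, post_fails, flush_fails);
    if (rc == 0)
        complete_sends(&b); /* successful send: completion frees it */
    return io.free_count;    /* 1 is correct, 2 is a double free */
}
```

Only the flush-failure scenario distinguishes the two flows: `frees_for(false, false, true)` reports two frees for the buggy path while `frees_for(true, false, true)` reports one, and the post-failure and success scenarios free exactly once in both. The instrumented counter is the same check one would get from KASAN's double-free report on the real code path, without needing an RDMA device that fails ib_post_send().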
* Re: [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path
2026-04-10 20:10 [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path Stefan Metzmacher
2026-04-10 20:11 ` [PATCH 1/2] smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush() Stefan Metzmacher
2026-04-10 20:11 ` [PATCH 2/2] smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() Stefan Metzmacher
@ 2026-04-10 20:30 ` Paulo Alcantara
2026-04-11 0:51 ` Namjae Jeon
From: Paulo Alcantara @ 2026-04-10 20:30 UTC (permalink / raw)
To: Stefan Metzmacher, linux-cifs, samba-technical
Cc: metze, Namjae Jeon, Steve French, Tom Talpey, Ruikai Peng,
Sergey Senozhatsky, security
Stefan Metzmacher <metze@samba.org> writes:
> here are the real patches for the changes already tested by
> Ruikai Peng for the double-free problem reported, see:
> https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
>
> I prepared a branch that can replace ksmbd-for-next.
> The 2 changes are rebased below the smbdirect.ko changes,
> I resolved the conflicts and made sure the problem is also solved in
> the new common code. This is in for-7.1/smbdirect-ko-20260410-v12
> at commit: 274b415378bbd0cf6fde1a719e264cee2eefc06f
> git fetch https://git.samba.org/metze/linux/wip.git for-7.1/smbdirect-ko-20260410-v12
> https://git.samba.org/?p=metze/linux/wip.git;a=shortlog;h=refs/heads/for-7.1/smbdirect-ko-20260410-v12
> I made sure each commit compiles fine...
>
>
> Stefan Metzmacher (2):
> smb: client: avoid double-free in smbd_free_send_io() after
> smbd_send_batch_flush()
> smb: server: avoid double-free in smb_direct_free_sendmsg after
> smb_direct_flush_send_list()
>
> fs/smb/client/smbdirect.c | 8 ++++++++
> fs/smb/server/transport_rdma.c | 8 +++++++-
> 2 files changed, 15 insertions(+), 1 deletion(-)
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
* Re: [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path
2026-04-10 20:10 [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path Stefan Metzmacher
2026-04-10 20:30 ` [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path Paulo Alcantara
@ 2026-04-11 0:51 ` Namjae Jeon
2026-04-11 1:31 ` Steve French
From: Namjae Jeon @ 2026-04-11 0:51 UTC (permalink / raw)
To: Stefan Metzmacher
Cc: linux-cifs, samba-technical, Steve French, Tom Talpey,
Ruikai Peng, Sergey Senozhatsky, Paulo Alcantara, security
On Sat, Apr 11, 2026 at 5:11 AM Stefan Metzmacher <metze@samba.org> wrote:
>
> Hi Steve,
>
> here are the real patches for the changes already tested by
> Ruikai Peng for the double-free problem reported, see:
> https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
>
> I prepared a branch that can replace ksmbd-for-next.
> The 2 changes are rebased below the smbdirect.ko changes,
> I resolved the conflicts and made sure the problem is also solved in
> the new common code. This is in for-7.1/smbdirect-ko-20260410-v12
> at commit: 274b415378bbd0cf6fde1a719e264cee2eefc06f
> git fetch https://git.samba.org/metze/linux/wip.git for-7.1/smbdirect-ko-20260410-v12
> https://git.samba.org/?p=metze/linux/wip.git;a=shortlog;h=refs/heads/for-7.1/smbdirect-ko-20260410-v12
> I made sure each commit compiles fine...
>
>
> Stefan Metzmacher (2):
> smb: client: avoid double-free in smbd_free_send_io() after
> smbd_send_batch_flush()
> smb: server: avoid double-free in smb_direct_free_sendmsg after
> smb_direct_flush_send_list()
>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Thanks!
* Re: [PATCH 0/2] SMB Direct: double-free of send_io on ib_post_send failure in batch flush path
2026-04-11 0:51 ` Namjae Jeon
@ 2026-04-11 1:31 ` Steve French
From: Steve French @ 2026-04-11 1:31 UTC (permalink / raw)
To: Namjae Jeon
Cc: Stefan Metzmacher, linux-cifs, samba-technical, Tom Talpey,
Ruikai Peng, Sergey Senozhatsky, Paulo Alcantara, security
Added the acked-by and updated ksmbd-for-next
On Fri, Apr 10, 2026 at 7:51 PM Namjae Jeon <linkinjeon@kernel.org> wrote:
>
> On Sat, Apr 11, 2026 at 5:11 AM Stefan Metzmacher <metze@samba.org> wrote:
> >
> > Hi Steve,
> >
> > here are the real patches for the changes already tested by
> > Ruikai Peng for the double-free problem reported, see:
> > https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
> >
> > I prepared a branch that can replace ksmbd-for-next.
> > The 2 changes are rebased below the smbdirect.ko changes,
> > I resolved the conflicts and made sure the problem is also solved in
> > the new common code. This is in for-7.1/smbdirect-ko-20260410-v12
> > at commit: 274b415378bbd0cf6fde1a719e264cee2eefc06f
> > git fetch https://git.samba.org/metze/linux/wip.git for-7.1/smbdirect-ko-20260410-v12
> > https://git.samba.org/?p=metze/linux/wip.git;a=shortlog;h=refs/heads/for-7.1/smbdirect-ko-20260410-v12
> > I made sure each commit compiles fine...
> >
> >
> > Stefan Metzmacher (2):
> > smb: client: avoid double-free in smbd_free_send_io() after
> > smbd_send_batch_flush()
> > smb: server: avoid double-free in smb_direct_free_sendmsg after
> > smb_direct_flush_send_list()
> >
> Acked-by: Namjae Jeon <linkinjeon@kernel.org>
> Thanks!
--
Thanks,
Steve