From: Henrique Carvalho <henrique.carvalho@suse.com>
To: Steve French <smfrench@gmail.com>
Cc: pc@manguebit.org, ronniesahlberg@gmail.com,
sprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com,
ematsumiya@suse.de, jaeshin@redhat.com,
linux-cifs@vger.kernel.org
Subject: Re: [PATCH v4] smb: client: fix potential UAF in smb2_close_cached_fid()
Date: Wed, 5 Nov 2025 10:30:23 -0300 [thread overview]
Message-ID: <d8aa9dc3-2a94-484b-addb-2ceb18318c54@suse.com> (raw)
In-Reply-To: <CAH2r5mtSmg-FwgPzEyPF2CFfP1zuc-Qh5CVuBjbEkA8eTA2Mtg@mail.gmail.com>
Hi Steve,
On 11/4/25 7:42 PM, Steve French wrote:
> One minor comment that AI had on this was on the change to
> fs/smb/client/cached_dir.c (line 447). See below.
>
> -spin_lock(&cfid->cfids->cfid_list_lock);
> +lockdep_assert_held(&cfid->cfids->cfid_list_lock);
>
>
> The lockdep_assert_held validates that the lock is held on entry, but
> the function signature __releases(&cfid->cfids->cfid_list_lock)
> indicates the lock is released inside. Consider adding a corresponding
> __acquires annotation to the call sites that call this function via
> kref_put_lock, or document why callers must hold the lock before
> calling kref_put_lock.
But we don't actually acquire the lock every time in close_cached_dir.
Only when (a) refcount is 1; and (b) refcount did not increase after we
acquired the lock. So where should __acquires annotation go?
One option would be adding documentation to smb2_close_cached_fid,
though since it's a release function that shouldn't be called elsewhere,
I'm not sure that adds much value. Do you have thoughts?
>
> On Mon, Nov 3, 2025 at 5:00 PM Henrique Carvalho
> <henrique.carvalho@suse.com> wrote:
>>
>> find_or_create_cached_dir() could grab a new reference after kref_put()
>> had seen the refcount drop to zero but before cfid_list_lock is acquired
>> in smb2_close_cached_fid(), leading to use-after-free.
>>
>> Switch to kref_put_lock() so cfid_release() is called with
>> cfid_list_lock held, closing that gap.
>>
>> Fixes: ebe98f1447bb ("cifs: enable caching of directories for which a lease is held")
>> Cc: stable@vger.kernel.org
>> Reported-by: Jay Shin <jaeshin@redhat.com>
>> Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
>> Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
>> ---
>> V3 -> V4: rebase, added Reviewed-by and Reported-by, add
>> lockdep_assert_held in smb2_close_cached_fid, change commit subject (was
>> "smb: client: fix race in smb2_close_cached_fid()") to clearly state the
>> bug class (UAF)
>> V2 -> V3: rebase, remove unneeded comments, modify commit subject
>> V1 -> V2: kept the original function names and added __releases annotation
>> to silence sparse warning
>> ---
>> fs/smb/client/cached_dir.c | 16 +++++++++-------
>> 1 file changed, 9 insertions(+), 7 deletions(-)
>>
>> diff --git a/fs/smb/client/cached_dir.c b/fs/smb/client/cached_dir.c
>> index b8ac7b7faf61..018055fd2cdb 100644
>> --- a/fs/smb/client/cached_dir.c
>> +++ b/fs/smb/client/cached_dir.c
>> @@ -388,11 +388,11 @@ int open_cached_dir(unsigned int xid, struct cifs_tcon *tcon,
>> * lease. Release one here, and the second below.
>> */
>> cfid->has_lease = false;
>> - kref_put(&cfid->refcount, smb2_close_cached_fid);
>> + close_cached_dir(cfid);
>> }
>> spin_unlock(&cfids->cfid_list_lock);
>>
>> - kref_put(&cfid->refcount, smb2_close_cached_fid);
>> + close_cached_dir(cfid);
>> } else {
>> *ret_cfid = cfid;
>> atomic_inc(&tcon->num_remote_opens);
>> @@ -438,12 +438,14 @@ int open_cached_dir_by_dentry(struct cifs_tcon *tcon,
>>
>> static void
>> smb2_close_cached_fid(struct kref *ref)
>> +__releases(&cfid->cfids->cfid_list_lock)
>> {
>> struct cached_fid *cfid = container_of(ref, struct cached_fid,
>> refcount);
>> int rc;
>>
>> - spin_lock(&cfid->cfids->cfid_list_lock);
>> + lockdep_assert_held(&cfid->cfids->cfid_list_lock);
>> +
>> if (cfid->on_list) {
>> list_del(&cfid->entry);
>> cfid->on_list = false;
>> @@ -478,7 +480,7 @@ void drop_cached_dir_by_name(const unsigned int xid, struct cifs_tcon *tcon,
>> spin_lock(&cfid->cfids->cfid_list_lock);
>> if (cfid->has_lease) {
>> cfid->has_lease = false;
>> - kref_put(&cfid->refcount, smb2_close_cached_fid);
>> + close_cached_dir(cfid);
>> }
>> spin_unlock(&cfid->cfids->cfid_list_lock);
>> close_cached_dir(cfid);
>> @@ -487,7 +489,7 @@ void drop_cached_dir_by_name(const unsigned int xid, struct cifs_tcon *tcon,
>>
>> void close_cached_dir(struct cached_fid *cfid)
>> {
>> - kref_put(&cfid->refcount, smb2_close_cached_fid);
>> + kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock);
>> }
>>
>> /*
>> @@ -596,7 +598,7 @@ cached_dir_offload_close(struct work_struct *work)
>>
>> WARN_ON(cfid->on_list);
>>
>> - kref_put(&cfid->refcount, smb2_close_cached_fid);
>> + close_cached_dir(cfid);
>> cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cached_close);
>> }
>>
>> @@ -762,7 +764,7 @@ static void cfids_laundromat_worker(struct work_struct *work)
>> * Drop the ref-count from above, either the lease-ref (if there
>> * was one) or the extra one acquired.
>> */
>> - kref_put(&cfid->refcount, smb2_close_cached_fid);
>> + close_cached_dir(cfid);
>> }
>> queue_delayed_work(cfid_put_wq, &cfids->laundromat_work,
>> dir_cache_timeout * HZ);
>> --
>> 2.50.1
>>
>>
>
>
--
Henrique
SUSE Labs
next prev parent reply other threads:[~2025-11-05 13:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-03 22:52 [PATCH v4] smb: client: fix potential UAF in smb2_close_cached_fid() Henrique Carvalho
2025-11-04 14:58 ` Steve French
2025-11-04 22:42 ` Steve French
2025-11-05 13:30 ` Henrique Carvalho [this message]
2025-11-05 16:16 ` Henrique Carvalho
[not found] ` <CAH2r5mvkefptGUvjarOmOW=hQA7_ZRFLwOk_jptOSAyzuMUGuw@mail.gmail.com>
2025-11-05 21:16 ` Henrique Carvalho
[not found] <baf7ee5f-aa34-41f3-a00c-8e3b7686d566@suse.com>
2025-11-08 13:44 ` Henrique Carvalho
2025-11-08 18:25 ` Paulo Alcantara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d8aa9dc3-2a94-484b-addb-2ceb18318c54@suse.com \
--to=henrique.carvalho@suse.com \
--cc=bharathsm@microsoft.com \
--cc=ematsumiya@suse.de \
--cc=jaeshin@redhat.com \
--cc=linux-cifs@vger.kernel.org \
--cc=pc@manguebit.org \
--cc=ronniesahlberg@gmail.com \
--cc=smfrench@gmail.com \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox