From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06EAF3101D5; Tue, 2 Sep 2025 13:40:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756820454; cv=none; b=fAZVnWpNU4dL4xOKt68Argk2qC0AgnvVVdstynNQfODxA0xbhSWrC2sllj3eU8Tl4dk0elnr1DxQMK0o1/8n4N1HCjnTwvQ1JuxNhPl4WNzDyfpEeiH0jfjK7T8WPULahO7YaO4gDu9ImAVq4Wh9XGtDmQCPRytByyPF630J6n8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756820454; c=relaxed/simple; bh=A37fS3R1j1h4sdBR6Iz7acBbXaDPmdjX+Dxj/eBrMHg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZsfUy8meF5Pu/vDXPzrw53iaWAA+zdITGRxkbEf1M4jfgp+i3Un0U19/2CUWu9I2TJzRvNHN2TNb1+k1upjWsK4Y7rYbd5L9Mzohhhb4k1vA+IT1pODALA0elZ8qYTUE9IduFBrDHRB4gu+C0VqQUX4gUnzmpUfZpaKK0915LOA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Wx/hwEYp; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Wx/hwEYp" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 82F49C4CEED; Tue, 2 Sep 2025 13:40:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1756820453; bh=A37fS3R1j1h4sdBR6Iz7acBbXaDPmdjX+Dxj/eBrMHg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Wx/hwEYpoSQ2wAlvM4xaqYPxzoZFta2VIabPSZELEx5VmD4w/0DJXRKyfMZWyjJG8 OUeFm/WSw/Wo9q0qN9vnxodiV0+KfcQx6nwXhMrLp6cvkreWf6C6TFnrNUmLhbmUOo PVqJVv41pKUNQVlkvL9ma0eRl5dFQUDdjCbVB15U= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Jay Shin , "Paulo Alcantara (Red Hat)" , David Howells , Al Viro , linux-cifs@vger.kernel.org, Steve French , Sasha Levin Subject: [PATCH 6.1 06/50] smb: client: fix race with concurrent opens in unlink(2) Date: Tue, 2 Sep 2025 15:20:57 +0200 Message-ID: <20250902131930.765189186@linuxfoundation.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20250902131930.509077918@linuxfoundation.org> References: <20250902131930.509077918@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Paulo Alcantara [ Upstream commit 0af1561b2d60bab2a2b00720a5c7b292ecc549ec ] According to some logs reported by customers, CIFS client might end up reporting unlinked files as existing in stat(2) due to concurrent opens racing with unlink(2). Besides sending the removal request to the server, the unlink process could involve closing any deferred close as well as marking all existing open handles as deleted to prevent them from deferring closes, which increases the race window for potential concurrent opens. Fix this by unhashing the dentry in cifs_unlink() to prevent any subsequent opens. Any open attempts, while we're still unlinking, will block on parent's i_rwsem. Reported-by: Jay Shin Signed-off-by: Paulo Alcantara (Red Hat) Reviewed-by: David Howells Cc: Al Viro Cc: linux-cifs@vger.kernel.org Signed-off-by: Steve French Signed-off-by: Sasha Levin --- fs/smb/client/inode.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c index 634f28f0d331e..ffc05ebc92f43 100644 --- a/fs/smb/client/inode.c +++ b/fs/smb/client/inode.c @@ -1649,15 +1649,24 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) struct cifs_sb_info *cifs_sb = CIFS_SB(sb); struct tcon_link *tlink; struct cifs_tcon *tcon; + __u32 dosattr = 0, origattr = 0; struct TCP_Server_Info *server; struct iattr *attrs = NULL; - __u32 dosattr = 0, origattr = 0; + bool rehash = false; cifs_dbg(FYI, "cifs_unlink, dir=0x%p, dentry=0x%p\n", dir, dentry); if (unlikely(cifs_forced_shutdown(cifs_sb))) return -EIO; + /* Unhash dentry in advance to prevent any concurrent opens */ + spin_lock(&dentry->d_lock); + if (!d_unhashed(dentry)) { + __d_drop(dentry); + rehash = true; + } + spin_unlock(&dentry->d_lock); + tlink = cifs_sb_tlink(cifs_sb); if (IS_ERR(tlink)) return PTR_ERR(tlink); @@ -1706,7 +1715,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) if (inode) cifs_drop_nlink(inode); } else if (rc == -ENOENT) { - d_drop(dentry); + if (simple_positive(dentry)) + d_delete(dentry); } else if (rc == -EBUSY) { if (server->ops->rename_pending_delete) { rc = server->ops->rename_pending_delete(full_path, @@ -1757,6 +1767,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) kfree(attrs); free_xid(xid); cifs_put_tlink(tlink); + if (rehash) + d_rehash(dentry); return rc; } -- 2.50.1