From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBF362D77EE for ; Sat, 25 Apr 2026 09:07:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777108046; cv=none; b=SBQljwcTT1+N3XDHQPHE0KmezRGB5OzU11O7PgfV/IgNrQ5O774zSOOHmdU+fB9hgSAsGg3UhIgmj4WQn2Y+hljTUNRCoNr7+36yzTBUs5TPRixAsB2RSOznRXNl1edyEMbSV79t6sKdR3rx0OSJBKWK3vTh2QuBaiczPooyffo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777108046; c=relaxed/simple; bh=pjxUWJSisHevQFNfnHkNhvW7n7l3+kLO7LGktgYnJKc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ftCFmfEJtCURMfoBduSpVDRESu5dRc95eNFXz0oxUnWBMB2YuH5YNXSQJ68XabgWchKtNd8OgvWO/GPvEO3aWl91U03Z8uhBNz6ylAZ0L44yxmo3WIm+q1OLF8KrXMi+I0ws8Rrdn8OSTwOU5WuuMt3nE+H2bMSY/iJN4Zi4bkI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=qyjeNliL; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="qyjeNliL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1BF1AC2BCB5; Sat, 25 Apr 2026 09:07:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777108046; bh=pjxUWJSisHevQFNfnHkNhvW7n7l3+kLO7LGktgYnJKc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qyjeNliLBg5emUUZ/MmsRnPphf30/3GB9G7rGDt7jiEXCFeq34iM+iZAPamu8eXnd 0lFfCQAUaDFdyFsdY+Q8qNDMg2MhI8TcLUbVNwjrtZ0xhPS7++763SPDRMexHZ8HfU JEHZcium2I6kdPJGNZWBbFJ8Ij2mda2wr8I04Y57GQUA8roDYUo1s2cPk6raFBkx6O mDQoMrRBd2fyq6c0eb359cmNzivubxbAGR4Hm0MT4FnYlG01Rf3J93ivPRj5ubMpza klS3O0fy0VtlSzZSNEdzXSPxSmUXKdbmedPcMsffPDYAaNaSvwVg9pE5rvqJdA6d+o cOEd6YD1hB/Sw== From: Sasha Levin To: stable@vger.kernel.org Cc: DaeMyung Kang , Namjae Jeon , Steve French , Sasha Levin Subject: [PATCH 6.12.y 3/3] ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() Date: Sat, 25 Apr 2026 05:07:22 -0400 Message-ID: <20260425090722.3316820-3-sashal@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260425090722.3316820-1-sashal@kernel.org> References: <2026042410-cinch-frostbite-b760@gregkh> <20260425090722.3316820-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: DaeMyung Kang [ Upstream commit def036ef87f8641c1c525d5ae17438d7a1006491 ] rcount is intended to be connection-specific: 2 for curr_conn, 1 for every other connection sharing the same session. However, it is initialised only once before the hash iteration and is never reset. After the loop visits curr_conn, later sibling connections are also checked against rcount == 2, so a sibling with req_running == 1 is incorrectly treated as idle. This makes the outcome depend on the hash iteration order: whether a given sibling is checked against the loose (< 2) or the strict (< 1) threshold is decided by whether it happens to be visited before or after curr_conn. The function's contract is "wait until every connection sharing this session is idle" so that destroy_previous_session() can safely tear the session down. The latched rcount violates that contract and reopens the teardown race window the wait logic was meant to close: destroy_previous_session() may proceed before sibling channels have actually quiesced, overlapping session teardown with in-flight work on those connections. Recompute rcount inside the loop so each connection is compared against its own threshold regardless of iteration order. This is a code-inspection fix for an iteration-order-dependent logic error; a targeted reproducer would require SMB3 multichannel with in-flight work on a sibling channel landing after curr_conn in hash order, which is not something that can be triggered reliably. Fixes: 76e98a158b20 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()") Cc: stable@vger.kernel.org Signed-off-by: DaeMyung Kang Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Sasha Levin --- fs/smb/server/connection.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index 076f704b37a7b..d38d9c0272c29 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -180,7 +180,7 @@ int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id) { struct ksmbd_conn *conn; int rc, retry_count = 0, max_timeout = 120; - int rcount = 1, bkt; + int rcount, bkt; retry_idle: if (retry_count >= max_timeout) @@ -189,8 +189,7 @@ int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id) down_read(&conn_list_lock); hash_for_each(conn_list, bkt, conn, hlist) { if (conn->binding || xa_load(&conn->sessions, sess_id)) { - if (conn == curr_conn) - rcount = 2; + rcount = (conn == curr_conn) ? 2 : 1; if (atomic_read(&conn->req_running) >= rcount) { rc = wait_event_timeout(conn->req_running_q, atomic_read(&conn->req_running) < rcount, -- 2.53.0