[ Sasha's backport helper bot ]
Hi,
Summary of potential issues: ⚠️ Found matching upstream commit but patch is missing proper reference to it
Found matching upstream commit: a9685b409a03b73d2980bbfa53eb47555802d0a9
WARNING: Author mismatch between patch and found commit: Backport author: Cliff Liu <donghua.liu@windriver.com> Commit author: Paul Aurich <paul@darkrain42.org>
Status in newer kernel trees: 6.13.y | Present (exact SHA1) 6.12.y | Present (different SHA1: 47655a12c6b1) 6.6.y | Present (different SHA1: 791f83305357)
Note: The patch differs from the upstream commit: --- 1: a9685b409a03b ! 1: 94e68b9a81ffa smb: prevent use-after-free due to open_cached_dir error paths @@ Commit message Cc: stable@vger.kernel.org Signed-off-by: Paul Aurich paul@darkrain42.org Signed-off-by: Steve French stfrench@microsoft.com + [ Do not apply the change for cfids_laundromat_worker() since there is no + this function and related feature on 6.1.y. Update open_cached_dir() + according to method of upstream patch. ] + Signed-off-by: Cliff Liu donghua.liu@windriver.com + Signed-off-by: He Zhe Zhe.He@windriver.com
## fs/smb/client/cached_dir.c ## @@ fs/smb/client/cached_dir.c: int open_cached_dir(unsigned int xid, struct cifs_tcon *tcon, - SMB2_query_info_free(&rqst[1]); - free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base); - free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); -+out: + /* + * We are guaranteed to have two references at this point. + * One for the caller and one for a potential lease. +- * Release the Lease-ref so that the directory will be closed +- * when the caller closes the cached handle. ++ * Release one here, and the second below. + */ + kref_put(&cfid->refcount, smb2_close_cached_fid); + } if (rc) { - spin_lock(&cfids->cfid_list_lock); - if (cfid->on_list) { -@@ fs/smb/client/cached_dir.c: int open_cached_dir(unsigned int xid, struct cifs_tcon *tcon, - /* - * We are guaranteed to have two references at this - * point. One for the caller and one for a potential -- * lease. Release the Lease-ref so that the directory -- * will be closed when the caller closes the cached -- * handle. -+ * lease. Release one here, and the second below. 
- */ - cfid->has_lease = false; -- spin_unlock(&cfids->cfid_list_lock); - kref_put(&cfid->refcount, smb2_close_cached_fid); -- goto out; - } - spin_unlock(&cfids->cfid_list_lock); -- } --out: -- if (rc) { - if (cfid->is_open) - SMB2_close(0, cfid->tcon, cfid->fid.persistent_fid, - cfid->fid.volatile_fid); - free_cached_dir(cfid); -+ +- cfid = NULL; ++ cfid->has_lease = false; + kref_put(&cfid->refcount, smb2_close_cached_fid); - } else { - *ret_cfid = cfid; - atomic_inc(&tcon->num_remote_opens); + } + + if (rc == 0) { @@ fs/smb/client/cached_dir.c: void invalidate_all_cached_dirs(struct cifs_tcon *tcon) cfids->num_entries--; cfid->is_open = false; @@ fs/smb/client/cached_dir.c: int cached_dir_lease_break(struct cifs_tcon *tcon, _ cfid->time = 0; /* * We found a lease remove it from the list -@@ fs/smb/client/cached_dir.c: static void cfids_laundromat_worker(struct work_struct *work) - cfid->on_list = false; - list_move(&cfid->entry, &entry); - cfids->num_entries--; -- /* To prevent race with smb2_cached_lease_break() */ -- kref_get(&cfid->refcount); -+ if (cfid->has_lease) { -+ /* -+ * Our lease has not yet been cancelled from the -+ * server. Steal that reference. -+ */ -+ cfid->has_lease = false; -+ } else -+ kref_get(&cfid->refcount); - } - } - spin_unlock(&cfids->cfid_list_lock); -@@ fs/smb/client/cached_dir.c: static void cfids_laundromat_worker(struct work_struct *work) - * with it. - */ - cancel_work_sync(&cfid->lease_break); -- if (cfid->has_lease) { -- /* -- * Our lease has not yet been cancelled from the server -- * so we need to drop the reference. -- */ -- spin_lock(&cfids->cfid_list_lock); -- cfid->has_lease = false; -- spin_unlock(&cfids->cfid_list_lock); -- kref_put(&cfid->refcount, smb2_close_cached_fid); -- } -- /* Drop the extra reference opened above */ -+ /* -+ * Drop the ref-count from above, either the lease-ref (if there -+ * was one) or the extra one acquired. 
-+ */ - kref_put(&cfid->refcount, smb2_close_cached_fid); - } - queue_delayed_work(cifsiod_wq, &cfids->laundromat_work, ---
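Review bot: In the backported open_cached_dir() error path, the added `cfid->has_lease = false;` ahead of `kref_put(&cfid->refcount, smb2_close_cached_fid);` has no `cfids->cfid_list_lock` visible around it, whereas the upstream lines on the left side of this range-diff clear has_lease between spin_lock() and spin_unlock() of that lock. If 6.1.y writes has_lease under the lock elsewhere, the store should follow the same rule: `spin_lock(&cfids->cfid_list_lock); cfid->has_lease = false; spin_unlock(&cfids->cfid_list_lock);`. The reworded comment "Release one here, and the second below" now sits on a block whose condition lies outside the hunk, so the backport should also confirm that this block and the `if (rc)` block together drop exactly the references held on every failure path, since a miscount there is the use-after-free the upstream commit fixes. The collapsed layout makes some line markers ambiguous, so this reading should be checked against the actual 6.1.y patch.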
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |