authorLinus Torvalds <torvalds@linux-foundation.org>2023-07-09 19:45:32 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2023-07-09 19:45:32 +0300
commit4770353b660abc8b1a5d2afc233b6061d48e7d80 (patch)
treec46cf317f03f0ce71ddd5dbc4969ed021b01e85c
parentcff068739688791cf7a8f427b7ca6230d798914a (diff)
parentd14de8067e3f9653cdef5a094176d00f3260ab20 (diff)
downloadlinux-4770353b660abc8b1a5d2afc233b6061d48e7d80.tar.xz
Merge tag '6.5-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6
Pull more smb client updates from Steve French: - fix potential use after free in unmount - minor cleanup - add worker to cleanup stale directory leases * tag '6.5-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6: cifs: Add a laundromat thread for cached directories smb: client: remove redundant pointer 'server' cifs: fix session state transition to avoid use-after-free issue
-rw-r--r--fs/smb/client/cached_dir.c67
-rw-r--r--fs/smb/client/cached_dir.h1
-rw-r--r--fs/smb/client/connect.c7
-rw-r--r--fs/smb/client/dfs.c2
4 files changed, 72 insertions, 5 deletions
diff --git a/fs/smb/client/cached_dir.c b/fs/smb/client/cached_dir.c
index bfc964b36c72..fe483f163dbc 100644
--- a/fs/smb/client/cached_dir.c
+++ b/fs/smb/client/cached_dir.c
@@ -568,6 +568,53 @@ static void free_cached_dir(struct cached_fid *cfid)
kfree(cfid);
}
+static int
+cifs_cfids_laundromat_thread(void *p)
+{
+ struct cached_fids *cfids = p;
+ struct cached_fid *cfid, *q;
+ struct list_head entry;
+
+ while (!kthread_should_stop()) {
+ ssleep(1);
+ INIT_LIST_HEAD(&entry);
+ if (kthread_should_stop())
+ return 0;
+ spin_lock(&cfids->cfid_list_lock);
+ list_for_each_entry_safe(cfid, q, &cfids->entries, entry) {
+ if (time_after(jiffies, cfid->time + HZ * 30)) {
+ list_del(&cfid->entry);
+ list_add(&cfid->entry, &entry);
+ cfids->num_entries--;
+ }
+ }
+ spin_unlock(&cfids->cfid_list_lock);
+
+ list_for_each_entry_safe(cfid, q, &entry, entry) {
+ cfid->on_list = false;
+ list_del(&cfid->entry);
+ /*
+ * Cancel, and wait for the work to finish in
+ * case we are racing with it.
+ */
+ cancel_work_sync(&cfid->lease_break);
+ if (cfid->has_lease) {
+ /*
+ * We lease has not yet been cancelled from
+ * the server so we need to drop the reference.
+ */
+ spin_lock(&cfids->cfid_list_lock);
+ cfid->has_lease = false;
+ spin_unlock(&cfids->cfid_list_lock);
+ kref_put(&cfid->refcount, smb2_close_cached_fid);
+ }
+ }
+ }
+
+ return 0;
+}
+
+
struct cached_fids *init_cached_dirs(void)
{
struct cached_fids *cfids;
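Review bot: In `cifs_cfids_laundromat_thread()`, `cfid->on_list = false;` is written in the second loop, after `cfids->cfid_list_lock` has been dropped, although the entry was already moved to the private list under that lock. `free_cached_dirs()` in the same file clears the flag inside its locked walk, so any path that tests `on_list` under the lock (not visible in this hunk) could still see `true` in that window and unlink or re-account an entry the laundromat now owns, the kind of list and refcount confusion that ends in a use-after-free. Moving the assignment next to `list_del(&cfid->entry);` in the first, locked loop would close the window. The `if (cfid->has_lease)` test is likewise made before the lock is taken; reading and clearing the flag in one critical section and calling `kref_put()` only if it was set would keep a concurrent lease break from dropping the same reference. The block comment also has a typo: "We lease" should read "The lease".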
@@ -577,6 +624,20 @@ struct cached_fids *init_cached_dirs(void)
return NULL;
spin_lock_init(&cfids->cfid_list_lock);
INIT_LIST_HEAD(&cfids->entries);
+
+ /*
+ * since we're in a cifs function already, we know that
+ * this will succeed. No need for try_module_get().
+ */
+ __module_get(THIS_MODULE);
+ cfids->laundromat = kthread_run(cifs_cfids_laundromat_thread,
+ cfids, "cifsd-cfid-laundromat");
+ if (IS_ERR(cfids->laundromat)) {
+ cifs_dbg(VFS, "Failed to start cfids laundromat thread.\n");
+ kfree(cfids);
+ module_put(THIS_MODULE);
+ return NULL;
+ }
return cfids;
}
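Review bot: The failure branch after `kthread_run()` logs a fixed string and discards the error code carried in `cfids->laundromat`, so the log does not say why the thread could not be started. `cifs_dbg(VFS, "Failed to start cfids laundromat thread: %ld\n", PTR_ERR(cfids->laundromat));` would keep it. The function returns NULL for this case as well as for the allocation failure, so the caller cannot tell the two apart either. `init_cached_dirs()` begins before this hunk, so the allocation itself is not visible here.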
@@ -589,6 +650,12 @@ void free_cached_dirs(struct cached_fids *cfids)
struct cached_fid *cfid, *q;
LIST_HEAD(entry);
+ if (cfids->laundromat) {
+ kthread_stop(cfids->laundromat);
+ cfids->laundromat = NULL;
+ module_put(THIS_MODULE);
+ }
+
spin_lock(&cfids->cfid_list_lock);
list_for_each_entry_safe(cfid, q, &cfids->entries, entry) {
cfid->on_list = false;
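Review bot: `kthread_stop()` at the top of `free_cached_dirs()` blocks until the laundromat thread returns, and that thread sits in `ssleep(1)`, an uninterruptible sleep that the wake-up from `kthread_stop()` does not cut short. Each teardown of a `cached_fids` can therefore stall for up to a second, plus whatever `cancel_work_sync()` is waiting on inside the thread. An interruptible wait in the thread loop, for example `schedule_timeout_interruptible(HZ);` in place of `ssleep(1);`, would let the stop request take effect promptly in the common case. The rest of `free_cached_dirs()` lies outside this hunk.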
diff --git a/fs/smb/client/cached_dir.h b/fs/smb/client/cached_dir.h
index 2f4e764c9ca9..facc9b154d00 100644
--- a/fs/smb/client/cached_dir.h
+++ b/fs/smb/client/cached_dir.h
@@ -57,6 +57,7 @@ struct cached_fids {
spinlock_t cfid_list_lock;
int num_entries;
struct list_head entries;
+ struct task_struct *laundromat;
};
extern struct cached_fids *init_cached_dirs(void);
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index dab7bc876507..85dd1b373974 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1967,15 +1967,16 @@ void __cifs_put_smb_ses(struct cifs_ses *ses)
spin_unlock(&cifs_tcp_ses_lock);
return;
}
+ spin_lock(&ses->ses_lock);
+ if (ses->ses_status == SES_GOOD)
+ ses->ses_status = SES_EXITING;
+ spin_unlock(&ses->ses_lock);
spin_unlock(&cifs_tcp_ses_lock);
/* ses_count can never go negative */
WARN_ON(ses->ses_count < 0);
spin_lock(&ses->ses_lock);
- if (ses->ses_status == SES_GOOD)
- ses->ses_status = SES_EXITING;
-
if (ses->ses_status == SES_EXITING && server->ops->logoff) {
spin_unlock(&ses->ses_lock);
cifs_free_ipc(ses);
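Review bot: The added block takes `ses->ses_lock` while `cifs_tcp_ses_lock` is still held, and nothing at that site says why the change from `SES_GOOD` to `SES_EXITING` has to happen before the outer lock is released. A short comment would stop a later cleanup from moving it back, e.g. `/* Flip to SES_EXITING before dropping cifs_tcp_ses_lock so no lookup under that lock sees a SES_GOOD session that is already being torn down. */`; that rationale is inferred from the commit title and should be confirmed by the author. It is also worth checking that this nesting (`cifs_tcp_ses_lock` outside `ses_lock`) matches the lock order the module documents. `__cifs_put_smb_ses()` starts and ends outside the hunk.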
diff --git a/fs/smb/client/dfs.c b/fs/smb/client/dfs.c
index 26d14dd0482e..1403a2d1ab17 100644
--- a/fs/smb/client/dfs.c
+++ b/fs/smb/client/dfs.c
@@ -143,7 +143,6 @@ static int __dfs_mount_share(struct cifs_mount_ctx *mnt_ctx)
struct smb3_fs_context *ctx = mnt_ctx->fs_ctx;
char *ref_path = NULL, *full_path = NULL;
struct dfs_cache_tgt_iterator *tit;
- struct TCP_Server_Info *server;
struct cifs_tcon *tcon;
char *origin_fullpath = NULL;
char sep = CIFS_DIR_SEP(cifs_sb);
@@ -214,7 +213,6 @@ static int __dfs_mount_share(struct cifs_mount_ctx *mnt_ctx)
} while (rc == -EREMOTE);
if (!rc) {
- server = mnt_ctx->server;
tcon = mnt_ctx->tcon;
spin_lock(&tcon->tc_lock);