WSL2-Linux-Kernel/fs/cifs
Aurelien Aptel bc31d0cdcf CIFS: fix POSIX lock leak and invalid ptr deref
We have a customer reporting crashes in lock_get_status() with many
"Leaked POSIX lock" messages preceding the crash.

 Leaked POSIX lock on dev=0x0:0x56 ...
 Leaked POSIX lock on dev=0x0:0x56 ...
 Leaked POSIX lock on dev=0x0:0x56 ...
 Leaked POSIX lock on dev=0x0:0x53 ...
 Leaked POSIX lock on dev=0x0:0x53 ...
 Leaked POSIX lock on dev=0x0:0x53 ...
 Leaked POSIX lock on dev=0x0:0x53 ...
 POSIX: fl_owner=ffff8900e7b79380 fl_flags=0x1 fl_type=0x1 fl_pid=20709
 Leaked POSIX lock on dev=0x0:0x4b ino...
 Leaked locks on dev=0x0:0x4b ino=0xf911400000029:
 POSIX: fl_owner=ffff89f41c870e00 fl_flags=0x1 fl_type=0x1 fl_pid=19592
 stack segment: 0000 [#1] SMP
 Modules linked in: binfmt_misc msr tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag rpcsec_gss_krb5 arc4 ecb auth_rpcgss nfsv4 md4 nfs nls_utf8 lockd grace cifs sunrpc ccm dns_resolver fscache af_packet iscsi_ibft iscsi_boot_sysfs vmw_vsock_vmci_transport vsock xfs libcrc32c sb_edac edac_core crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drbg ansi_cprng vmw_balloon aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd joydev pcspkr vmxnet3 i2c_piix4 vmw_vmci shpchp fjes processor button ac btrfs xor raid6_pq sr_mod cdrom ata_generic sd_mod ata_piix vmwgfx crc32c_intel drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm serio_raw ahci libahci drm libata vmw_pvscsi sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4

 Supported: Yes
 CPU: 6 PID: 28250 Comm: lsof Not tainted 4.4.156-94.64-default #1
 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
 task: ffff88a345f28740 ti: ffff88c74005c000 task.ti: ffff88c74005c000
 RIP: 0010:[<ffffffff8125dcab>]  [<ffffffff8125dcab>] lock_get_status+0x9b/0x3b0
 RSP: 0018:ffff88c74005fd90  EFLAGS: 00010202
 RAX: ffff89bde83e20ae RBX: ffff89e870003d18 RCX: 0000000049534f50
 RDX: ffffffff81a3541f RSI: ffffffff81a3544e RDI: ffff89bde83e20ae
 RBP: 0026252423222120 R08: 0000000020584953 R09: 000000000000ffff
 R10: 0000000000000000 R11: ffff88c74005fc70 R12: ffff89e5ca7b1340
 R13: 00000000000050e5 R14: ffff89e870003d30 R15: ffff89e5ca7b1340
 FS:  00007fafd64be800(0000) GS:ffff89f41fd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000001c80018 CR3: 000000a522048000 CR4: 0000000000360670
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Stack:
  0000000000000208 ffffffff81a3d6b6 ffff89e870003d30 ffff89e870003d18
  ffff89e5ca7b1340 ffff89f41738d7c0 ffff89e870003d30 ffff89e5ca7b1340
  ffffffff8125e08f 0000000000000000 ffff89bc22b67d00 ffff88c74005ff28
 Call Trace:
  [<ffffffff8125e08f>] locks_show+0x2f/0x70
  [<ffffffff81230ad1>] seq_read+0x251/0x3a0
  [<ffffffff81275bbc>] proc_reg_read+0x3c/0x70
  [<ffffffff8120e456>] __vfs_read+0x26/0x140
  [<ffffffff8120e9da>] vfs_read+0x7a/0x120
  [<ffffffff8120faf2>] SyS_read+0x42/0xa0
  [<ffffffff8161cbc3>] entry_SYSCALL_64_fastpath+0x1e/0xb7

When Linux closes a FD (close(), close-on-exec, dup2(), ...) it calls
filp_close() which also removes all posix locks.

The lock struct is initialized like so in filp_close() and passed
down to cifs

        ...
        lock.fl_type = F_UNLCK;
        lock.fl_flags = FL_POSIX | FL_CLOSE;
        lock.fl_start = 0;
        lock.fl_end = OFFSET_MAX;
        ...

Note the FL_CLOSE flag, which hints the VFS code that this unlocking
is done for closing the fd.

filp_close()
  locks_remove_posix(filp, id);
    vfs_lock_file(filp, F_SETLK, &lock, NULL);
      return filp->f_op->lock(filp, cmd, fl) => cifs_lock()
        rc = cifs_setlk(file, flock, type, wait_flag, posix_lck, lock, unlock, xid);
          rc = server->ops->mand_unlock_range(cfile, flock, xid);
          if (flock->fl_flags & FL_POSIX && !rc)
                  rc = locks_lock_file_wait(file, flock)

Notice how we don't call locks_lock_file_wait() which does the
generic VFS lock/unlock/wait work on the inode if rc != 0.

If we are closing the handle, the SMB server is supposed to remove any
locks associated with it. Similarly, cifs.ko frees and wakes up any
lock and lock waiter when closing the file:

cifs_close()
  cifsFileInfo_put(file->private_data)
	/*
	 * Delete any outstanding lock records. We'll lose them when the file
	 * is closed anyway.
	 */
	down_write(&cifsi->lock_sem);
	list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) {
		list_del(&li->llist);
		cifs_del_lock_waiters(li);
		kfree(li);
	}
	list_del(&cifs_file->llist->llist);
	kfree(cifs_file->llist);
	up_write(&cifsi->lock_sem);

So we can safely ignore unlocking failures in cifs_lock() if they
happen with the FL_CLOSE flag hint set as both the server and the
client take care of it during the actual closing.

This is not a proper fix for the unlocking failure but it's safe and
it seems to prevent the lock leakages and crashes the customer
experiences.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
2019-03-14 19:32:36 -05:00
Kconfig fs: cifs: Kconfig: pedantic formatting 2019-03-06 21:55:12 -06:00
Makefile cifs: Add DFS cache routines 2018-12-28 10:05:58 -06:00
asn1.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
cifs_debug.c smb3: display volume serial number for shares in /proc/fs/cifs/DebugData 2019-03-14 19:32:35 -05:00
cifs_debug.h cifs: minor clarification in comments 2018-10-23 21:16:05 -05:00
cifs_dfs_ref.c cifs: use correct format characters 2019-03-05 18:10:28 -06:00
cifs_fs_sb.h smb3: make default i/o size for smb3 mounts larger 2019-03-04 20:05:35 -06:00
cifs_ioctl.h SMB3: passthru query info doesn't check for SMB3 FSCTL passthru 2019-03-14 19:32:36 -05:00
cifs_spnego.c smb3: on kerberos mount if server doesn't specify auth type use krb5 2018-11-02 14:09:41 -05:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c fs/cifs: don't translate SFM_SLASH (U+F026) to backslash 2018-09-02 23:21:42 -05:00
cifs_unicode.h [SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred 2017-07-08 18:57:07 -05:00
cifs_uniupr.h cifs: correction of unicode header files 2010-08-20 00:46:42 +00:00
cifsacl.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cifsacl.h cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class 2018-06-04 19:19:24 -05:00
cifsencrypt.c cifs: remove coverity warning in calc_lanman_hash 2018-12-23 22:41:26 -06:00
cifsfs.c smb3: for kerberos mounts display the credential uid used 2019-03-05 18:10:48 -06:00
cifsfs.h cifs: update internal module version number 2019-03-05 18:10:04 -06:00
cifsglob.h CIFS: make mknod() an smb_version_op 2019-03-14 19:32:36 -05:00
cifspdu.h smb3: missing defines and structs for reparse point handling 2018-11-02 14:09:41 -05:00
cifsproto.h CIFS: Return error code when getting file handle for writeback 2019-03-05 18:10:04 -06:00
cifssmb.c CIFS: Return error code when getting file handle for writeback 2019-03-05 18:10:04 -06:00
connect.c cifs: remove unused value pointed out by Coverity 2019-03-14 19:32:36 -05:00
dfs_cache.c cifs: Fix a tiny potential memory leak 2019-01-10 14:32:30 -06:00
dfs_cache.h cifs: Add DFS cache routines 2018-12-28 10:05:58 -06:00
dir.c CIFS: make mknod() an smb_version_op 2019-03-14 19:32:36 -05:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h DNS: Separate out CIFS DNS Resolver code 2010-08-05 17:17:51 +00:00
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c CIFS: fix POSIX lock leak and invalid ptr deref 2019-03-14 19:32:36 -05:00
fscache.c cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
fscache.h cifs: use 64-bit timestamps for fscache 2018-08-07 14:15:41 -05:00
inode.c smb3: make default i/o size for smb3 mounts larger 2019-03-04 20:05:35 -06:00
ioctl.c cifs: add support for ioctl on directories 2018-10-23 21:16:05 -05:00
link.c cifs: replace snprintf with scnprintf 2019-03-04 20:05:34 -06:00
misc.c cifs: Add support for failover in smb2_reconnect() 2018-12-28 10:13:11 -06:00
netmisc.c cifs: use timespec64 internally 2018-08-07 14:15:41 -05:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c cifs: check ntwrk_buf_start for NULL before dereferencing it 2018-12-23 22:41:31 -06:00
rfc1002pdu.h [CIFS] whitespace cleanup 2007-06-05 18:30:44 +00:00
sess.c cifs: remove set but not used variable 'smb_buf' 2018-12-23 22:41:20 -06:00
smb1ops.c CIFS: make mknod() an smb_version_op 2019-03-14 19:32:36 -05:00
smb2file.c cifs: Fix potential OOB access of lock element array 2019-01-11 07:14:40 -06:00
smb2glob.h cifs: change SMB2_OP_RENAME and SMB2_OP_HARDLINK to use compounding 2018-10-23 21:16:04 -05:00
smb2inode.c smb3: Add dynamic trace points for various compounded smb3 ops 2019-03-14 19:32:35 -05:00
smb2maperror.c CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem 2018-12-23 22:42:56 -06:00
smb2misc.c CIFS: Do not reset lease state to NONE on lease break 2019-03-04 20:05:35 -06:00
smb2ops.c SMB3: Allow SMB3 FSCTL queries to be sent to server from tools 2019-03-14 19:32:36 -05:00
smb2pdu.c cifs: fix smb3_zero_range so it can expand the file-size when required 2019-03-14 19:32:35 -05:00
smb2pdu.h cifs: fix smb3_zero_range so it can expand the file-size when required 2019-03-14 19:32:35 -05:00
smb2proto.h cifs: add SMB2_ioctl_init/free helpers to be used with compounding 2019-03-14 19:32:35 -05:00
smb2status.h smb2: fix typo in definition of a few error flags 2019-03-14 19:32:36 -05:00
smb2transport.c CIFS: Only send SMB2_NEGOTIATE command on new TCP connections 2019-03-05 18:14:27 -06:00
smbdirect.c cifs: replace snprintf with scnprintf 2019-03-04 20:05:34 -06:00
smbdirect.h cifs: fix SMB1 breakage 2018-07-05 13:48:24 -05:00
smbencrypt.c CIFS: refactor crypto shash/sdesc allocation&free 2018-04-01 20:24:39 -05:00
smberr.h cifs: map NT_STATUS_ERROR_WRITE_PROTECTED to -EROFS 2010-08-02 12:40:40 +00:00
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h smb3: add dynamic tracepoints for simple fallocate and zero range 2019-03-14 19:32:35 -05:00
transport.c cifs: simplify how we handle credits in compound_send_recv() 2019-03-14 19:32:35 -05:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c smb3: create smb3 equivalent alias for cifs pseudo-xattrs 2018-08-10 18:46:58 -05:00