From: Namjae Jeon namjae.jeon@samsung.com
mainline inclusion from mainline-5.15-rc1 commit 6c4e675ad3594526d6604a7d30f1defdd08a42e4 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/6c4e675ad359
-------------------------------
BUG_ON trap is coming when running xfstests generic/591 and smb2 leases = yes in smb.conf.
[ 597.224978] list_add double add: new=ffff9110d292bb20, prev=ffff9110d292bb20, next=ffff9110d6c389e8. [ 597.225073] ------------[ cut here ]------------ [ 597.225077] kernel BUG at lib/list_debug.c:31! [ 597.225090] invalid opcode: 0000 [#1] SMP PTI [ 597.225095] CPU: 2 PID: 501 Comm: kworker/2:3 Tainted: G OE 5.13.0-rc1+ #2 [ 597.225099] Hardware name: SAMSUNG ELECTRONICS CO., LTD. Samsung DeskTop System/SAMSUNG_DT1234567890, BIOS P04KBM.022.121023.SK 10/23/2012 [ 597.225102] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 597.225125] RIP: 0010:__list_add_valid+0x66/0x70 [ 597.225132] Code: 0b 48 89 c1 4c 89 c6 48 c7 c7 c8 08 c0 95 e8 fd 54 66 00 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 20 09 c0 95 e8 e6 54 66 00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 8b 07 48 b9 00 01 00 00 00 00 [ 597.225136] RSP: 0018:ffffb9c9408dbac0 EFLAGS: 00010282 [ 597.225139] RAX: 0000000000000058 RBX: ffff9110d292ba40 RCX: 0000000000000000 [ 597.225142] RDX: 0000000000000000 RSI: ffff9111da328c30 RDI: ffff9111da328c30 [ 597.225144] RBP: ffffb9c9408dbac0 R08: 0000000000000001 R09: 0000000000000001 [ 597.225147] R10: 0000000003dd35ed R11: ffffb9c9408db888 R12: ffff9110d6c38998 [ 597.225149] R13: ffff9110d6c38800 R14: ffff9110d292bb20 R15: ffff9110d292bb20 [ 597.225152] FS: 0000000000000000(0000) GS:ffff9111da300000(0000) knlGS:0000000000000000 [ 597.225155] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 597.225157] CR2: 00007fd1629f84d0 CR3: 00000000c9a12006 CR4: 00000000001706e0 [ 597.225160] Call Trace: [ 597.225163] setup_async_work+0xa2/0x120 [ksmbd] [ 597.225191] oplock_break+0x396/0x5d0 [ksmbd] [ 597.225206] smb_grant_oplock+0x7a1/0x900 [ksmbd] [ 597.225218] ? smb_grant_oplock+0x7a1/0x900 [ksmbd] [ 597.225231] smb2_open+0xbbb/0x2960 [ksmbd] [ 597.225243] ? smb2_open+0xbbb/0x2960 [ksmbd] [ 597.225257] ? find_held_lock+0x35/0xa0 [ 597.225261] ? xa_load+0xaf/0x160 [ 597.225268] handle_ksmbd_work+0x2e0/0x420 [ksmbd] [ 597.225280] ? handle_ksmbd_work+0x2e0/0x420 [ksmbd] [ 597.225292] process_one_work+0x25a/0x5d0 [ 597.225298] worker_thread+0x3f/0x3a0 [ 597.225302] ? __kthread_parkme+0x6f/0xa0 [ 597.225306] ? process_one_work+0x5d0/0x5d0 [ 597.225309] kthread+0x142/0x160 [ 597.225313] ? kthread_park+0x90/0x90 [ 597.225316] ret_from_fork+0x22/0x30
same work struct can be add to list in smb_break_all_write_oplock() and smb_grant_oplock(). If client send invalid lease break ack to server, This issue can occur by calling both functions.
Signed-off-by: Namjae Jeon namjae.jeon@samsung.com Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- fs/cifsd/smb2pdu.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c index 3e112fbdc2d9..5b92e00881bb 100644 --- a/fs/cifsd/smb2pdu.c +++ b/fs/cifsd/smb2pdu.c @@ -690,9 +690,11 @@ int setup_async_work(struct ksmbd_work *work, void (*fn)(void **), void **arg) work->cancel_fn = fn; work->cancel_argv = arg;
- spin_lock(&conn->request_lock); - list_add_tail(&work->async_request_entry, &conn->async_requests); - spin_unlock(&conn->request_lock); + if (list_empty(&work->async_request_entry)) { + spin_lock(&conn->request_lock); + list_add_tail(&work->async_request_entry, &conn->async_requests); + spin_unlock(&conn->request_lock); + }
return 0; }