CVE-2024-53176
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: During unmount, ensure all cached dir instances drop their dentry
The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs:
BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ————[ cut here ]———— kernel BUG at fs/super.c:661!
This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including:
- Receiving a lease break from the server
- Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list
- The laundromat thread decides to expire an old cfid.
To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal.
The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations.
Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing.
While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ebe98f1447bbccf8228335c62d86af02a0ed23f7 < 73934e535cffbda1490fa97d82690a0f9aa73e94 | affected |
| Linux | Linux | ebe98f1447bbccf8228335c62d86af02a0ed23f7 < ff4528bbc82d0d90073751f7b49e7b9e9c7e5638 | affected |
| Linux | Linux | ebe98f1447bbccf8228335c62d86af02a0ed23f7 < 548812afd96982a76a93ba76c0582ea670c40d9e | affected |
| Linux | Linux | ebe98f1447bbccf8228335c62d86af02a0ed23f7 < 3fa640d035e5ae526769615c35cb9ed4be6e3662 | affected |
| Linux | Linux | 6.1 | affected |
| Linux | Linux | 0 < 6.1 | unaffected |
| Linux | Linux | 6.6.64 <= 6.6.* | unaffected |
| Linux | Linux | 6.11.11 <= 6.11.* | unaffected |
| Linux | Linux | 6.12.2 <= 6.12.* | unaffected |
| Linux | Linux | 6.13 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/73934e535cffbda1490fa97d82690a0f9aa73e94
- https://git.kernel.org/stable/c/ff4528bbc82d0d90073751f7b49e7b9e9c7e5638
- https://git.kernel.org/stable/c/548812afd96982a76a93ba76c0582ea670c40d9e
- https://git.kernel.org/stable/c/3fa640d035e5ae526769615c35cb9ed4be6e3662
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.