[PATCH V2 0/2] smb: client: Fix use-after-free in readdir

Wang Zhaolong posted 2 patches 7 months, 1 week ago
fs/smb/client/readdir.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
[PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 7 months, 1 week ago
V2:
  - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
  - The titles of patches follow the same style.

This patch series addresses a use-after-free vulnerability in the SMB/CIFS
client readdir implementation that can be triggered during concurrent
directory reads when a signal interrupts directory enumeration.

The root cause is in the operation sequence in find_cifs_entry():
1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
2. The code continues to access last_entry pointer before checking the return code
3. This can access freed memory since the buffer may have been released

The race condition can be triggered by processes accessing the same directory
with concurrent readdir operations, especially when signals are involved.

The fix is straightforward:
1. First patch ensures we check the return code before using any pointers
2. Second patch improves defensiveness by resetting all related buffer pointers
   when freeing the network buffer

Wang Zhaolong (2):
  smb: client: Fix use-after-free in cifs_fill_dirent
  smb: client: Reset all search buffer pointers when releasing buffer

 fs/smb/client/readdir.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.39.2
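Added illustration, not part of this series and not the kernel's readdir code: a small user-space model of the ordering problem the cover letter describes, with both fixes beside it. The names load_page, entry_peek, release_buf, find_entry_old, find_entry_fixed and the struct fields are assumptions chosen to mirror the functions the cover letter mentions (find_cifs_entry(), query_dir_next(), last_entry); nothing from fs/smb/client/readdir.c is reproduced. The "old" lookup uses last_entry before checking the return code of query_dir_next(), the "fixed" one checks the return code first, and release_buf() with reset_all set resets every alias of the freed buffer, as the second patch does. Reads through a released buffer are counted instead of performed, standing in for what KASAN would report.

```c
#include <stdlib.h>
#include <string.h>

#define ERESTARTSYS 512 /* kernel-internal errno, absent from user-space errno.h */

/* Simplified search state: one network buffer and the pointers into it. */
struct search {
    char *ntwrk_buf_start;    /* the page of directory entries */
    char *srch_entries_start; /* first entry inside that page */
    char *last_entry;         /* entry the previous read stopped at */
    int released;             /* model of "the buffer has been freed" */
};

static int stale_reads; /* reads attempted through a released buffer */

static void load_page(struct search *s, const char *data)
{
    s->ntwrk_buf_start = strcpy(malloc(strlen(data) + 1), data);
    s->srch_entries_start = s->last_entry = s->ntwrk_buf_start;
    s->released = 0;
}

/* Like a sanitizer: a read through a released buffer or NULL is counted, not done. */
static char entry_peek(const struct search *s, const char *p)
{
    if (p == NULL || s->released) {
        stale_reads++;
        return 0;
    }
    return *p;
}

/* Old code cleared only ntwrk_buf_start; reset_all models the second patch. */
static void release_buf(struct search *s, int reset_all)
{
    free(s->ntwrk_buf_start);
    s->ntwrk_buf_start = NULL;
    if (reset_all)
        s->srch_entries_start = s->last_entry = NULL;
    s->released = 1;
}

/* Fetch the next page; on interruption the old page is already gone and -ERESTARTSYS is returned. */
static int query_dir_next(struct search *s, int interrupted, int reset_all)
{
    release_buf(s, reset_all);
    if (interrupted)
        return -ERESTARTSYS;
    load_page(s, "next");
    return 0;
}

/* Ordering bug: last_entry is used before rc is checked. */
static int find_entry_old(struct search *s, int interrupted, char *out)
{
    int rc = query_dir_next(s, interrupted, 0);
    *out = entry_peek(s, s->last_entry); /* stale pointer on the error path */
    return rc;
}

/* First patch: check rc before touching any pointer into the buffer. */
static int find_entry_fixed(struct search *s, int interrupted, char *out)
{
    int rc = query_dir_next(s, interrupted, 1);
    if (rc)
        return rc;
    *out = entry_peek(s, s->last_entry);
    return 0;
}

/* Run one lookup on a fresh state; returns the number of stale reads made. */
static int run(int (*fn)(struct search *, int, char *), int interrupted,
               int *rc, char *ch)
{
    struct search s;
    stale_reads = 0;
    load_page(&s, "first");
    *rc = fn(&s, interrupted, ch);
    if (!s.released)
        release_buf(&s, 1);
    return stale_reads;
}

int old_stale_reads_on_interrupt(void)   { int rc; char c = 0; return run(find_entry_old, 1, &rc, &c); }
int fixed_stale_reads_on_interrupt(void) { int rc; char c = 0; return run(find_entry_fixed, 1, &rc, &c); }
int fixed_rc_on_interrupt(void)          { int rc; char c = 0; run(find_entry_fixed, 1, &rc, &c); return rc; }
int fixed_byte_on_success(void)          { int rc; char c = 0; run(find_entry_fixed, 0, &rc, &c); return c; }

int fixed_release_clears_all_pointers(void)
{
    struct search s;
    load_page(&s, "page");
    release_buf(&s, 1);
    return !s.ntwrk_buf_start && !s.srch_entries_start && !s.last_entry;
}
```

On the interrupted path the old ordering makes exactly one read through the freed page and the fixed ordering makes none while still propagating -ERESTARTSYS; on the success path the fixed lookup reads the first byte of the new page. The reset in release_buf() turns any remaining stale use into a NULL dereference, which is loud and easy to see in a trace, rather than a silent read of recycled slab memory.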
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Paulo Alcantara 7 months, 1 week ago
Wang Zhaolong <wangzhaolong1@huawei.com> writes:

> V2:
>   - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
>   - The titles of patches follow the same style.
>
> This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> client readdir implementation that can be triggered during concurrent
> directory reads when a signal interrupts directory enumeration.
>
> The root cause is in the operation sequence in find_cifs_entry():
> 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> 2. The code continues to access last_entry pointer before checking the return code
> 3. This can access freed memory since the buffer may have been released
>
> The race condition can be triggered by processes accessing the same directory
> with concurrent readdir operations, especially when signals are involved.
>
> The fix is straightforward:
> 1. First patch ensures we check the return code before using any pointers
> 2. Second patch improves defensiveness by resetting all related buffer pointers
>    when freeing the network buffer
>
> Wang Zhaolong (2):
>   smb: client: Fix use-after-free in cifs_fill_dirent
>   smb: client: Reset all search buffer pointers when releasing buffer
>
>  fs/smb/client/readdir.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Steve French 7 months ago
Merged into cifs-2.6.git for-next

I was only able to reproduce the rmmod problem once though (without
the patch), so it has been tricky to test.  What server were you testing
against (I tried current Samba and ksmbd)?

On Fri, May 16, 2025 at 8:50 AM Paulo Alcantara <pc@manguebit.com> wrote:
>
> Wang Zhaolong <wangzhaolong1@huawei.com> writes:
>
> > V2:
> >   - Correct spelling mistakes in the commit message, such as 'lopp' -> 'loop'.
> >   - The titles of patches follow the same style.
> >
> > This patch series addresses a use-after-free vulnerability in the SMB/CIFS
> > client readdir implementation that can be triggered during concurrent
> > directory reads when a signal interrupts directory enumeration.
> >
> > The root cause is in the operation sequence in find_cifs_entry():
> > 1. When query_dir_next() fails due to signal interruption (ERESTARTSYS)
> > 2. The code continues to access last_entry pointer before checking the return code
> > 3. This can access freed memory since the buffer may have been released
> >
> > The race condition can be triggered by processes accessing the same directory
> > with concurrent readdir operations, especially when signals are involved.
> >
> > The fix is straightforward:
> > 1. First patch ensures we check the return code before using any pointers
> > 2. Second patch improves defensiveness by resetting all related buffer pointers
> >    when freeing the network buffer
> >
> > Wang Zhaolong (2):
> >   smb: client: Fix use-after-free in cifs_fill_dirent
> >   smb: client: Reset all search buffer pointers when releasing buffer
> >
> >  fs/smb/client/readdir.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
>
> Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
>


-- 
Thanks,

Steve
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 7 months ago



> Merged into cifs-2.6.git for-next
> 
> I was only able to reproduce the rmmod problem once though (without
> the patch), so it has been tricky to test.  What server were you testing
> against (I tried current Samba and ksmbd)?
> 

I initialized the Samba server using the `samba` package provided by the
Debian Trixie distribution.

Best regards,
Wang Zhaolong
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Steve French 7 months ago
I was able to reproduce it by running the reproducer poc much longer

[189335.643181] Key type cifs.idmap unregistered
[189335.643203] Key type cifs.spnego unregistered
[189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
[189335.656316]
=============================================================================
[189335.656320] BUG cifs_small_rq (Tainted: G    B   W  OE      ):
Objects remaining on __kmem_cache_shutdown()
[189335.656322]
-----------------------------------------------------------------------------

[189335.656324] Object 0x000000001a39cfef @offset=15232
[189335.656326] Slab 0x00000000479475fe objects=36 used=1
fp=0x0000000090941d36
flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
[189335.656334] ------------[ cut here ]------------
[189335.656335] WARNING: CPU: 1 PID: 84118 at mm/slub.c:1135
__slab_err+0x1d/0x30
....
[189335.656512]  [last unloaded: cifs(OE)]
[189335.656516] CPU: 1 UID: 0 PID: 84118 Comm: rmmod Tainted: G    B
W  OE       6.15.0-061500rc4-generic #202504272253 PREEMPT(voluntary)
[189335.656520] Tainted: [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE,
[E]=UNSIGNED_MODULE
[189335.656521] Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS
N2CET70W (1.53 ) 03/11/2024
[189335.656522] RIP: 0010:__slab_err+0x1d/0x30
[189335.656525] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44
00 00 55 48 89 e5 e8 72 ff ff ff be 01 00 00 00 bf 05 00 00 00 e8 33
b2 1c 00 <0f> 0b 5d 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90
90 90
[189335.656527] RSP: 0018:ffffcf3041b33a18 EFLAGS: 00010046
[189335.656529] RAX: 0000000000000000 RBX: ffffcf3041b33a60 RCX:
0000000000000000
[189335.656530] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[189335.656531] RBP: ffffcf3041b33a18 R08: 0000000000000000 R09:
0000000000000000
[189335.656533] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff8c1b49eb7600
[189335.656534] R13: ffff8c1b4ccd9580 R14: dead000000000122 R15:
ffff8c1b4ccd9580
[189335.656535] FS:  00007d912677e080(0000) GS:ffff8c2312b1b000(0000)
knlGS:0000000000000000
[189335.656537] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[189335.656538] CR2: 000061c8bedf4778 CR3: 00000003f2b4a001 CR4:
00000000003726f0
[189335.656540] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[189335.656541] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[189335.656542] Call Trace:
[189335.656543]  <TASK>
[189335.656546]  free_partial.cold+0x137/0x191
[189335.656550]  __kmem_cache_shutdown+0x46/0xa0
[189335.656553]  kmem_cache_destroy+0x3e/0x1c0
[189335.656558]  cifs_destroy_request_bufs+0x5c/0x70 [cifs]
[189335.656618]  exit_cifs+0x3a/0xef0 [cifs]
[189335.656666]  __do_sys_delete_module.isra.0+0x19d/0x2e0
[189335.656671]  __x64_sys_delete_module+0x12/0x20
[189335.656674]  x64_sys_call+0x1765/0x2320
[189335.656677]  do_syscall_64+0x7e/0x210
[189335.656679]  ? __fput+0x1a2/0x2d0
[189335.656681]  ? kmem_cache_free+0x408/0x470
[189335.656684]  ? __fput+0x1a2/0x2d0
[189335.656686]  ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[189335.656689]  ? syscall_exit_to_user_mode+0x38/0x1d0
[189335.656692]  ? do_syscall_64+0x8a/0x210
[189335.656695]  ? do_read_fault+0xfb/0x230
[189335.656698]  ? do_fault+0x15d/0x220
[189335.656699]  ? handle_pte_fault+0x140/0x210
[189335.656702]  ? __handle_mm_fault+0x3cd/0x790
[189335.656705]  ? __count_memcg_events+0xd3/0x1a0
[189335.656708]  ? count_memcg_events.constprop.0+0x2a/0x50
[189335.656710]  ? handle_mm_fault+0x1ca/0x2e0
[189335.656713]  ? do_user_addr_fault+0x2f8/0x830
[189335.656716]  ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[189335.656719]  ? irqentry_exit_to_user_mode+0x2d/0x1d0
[189335.656722]  ? irqentry_exit+0x43/0x50
[189335.656724]  ? exc_page_fault+0x96/0x1e0
[189335.656727]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[189335.656729] RIP: 0033:0x7d9125f2ac9b
[189335.656731] Code: 73 01 c3 48 8b 0d 7d 81 0d 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4d 81 0d 00 f7 d8 64 89
01 48
[189335.656732] RSP: 002b:00007ffe9b9656f8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[189335.656735] RAX: ffffffffffffffda RBX: 00005eb63e457720 RCX:
00007d9125f2ac9b
[189335.656736] RDX: 0000000000000000 RSI: 0000000000000800 RDI:
00005eb63e457788
[189335.656737] RBP: 00007ffe9b965720 R08: 1999999999999999 R09:
0000000000000000
[189335.656738] R10: 00007d9125fb1fc0 R11: 0000000000000206 R12:
0000000000000000
[189335.656740] R13: 00007ffe9b965970 R14: 00005eb63e457720 R15:
0000000000000000
[189335.656743]  </TASK>
[189335.656744] ---[ end trace 0000000000000000 ]---
[189335.656803] ------------[ cut here ]------------
[189335.656804] kmem_cache_destroy cifs_small_rq: Slab cache still has
objects when called from cifs_destroy_request_bufs+0x5c/0x70 [cifs]
[189335.656861] WARNING: CPU: 1 PID: 84118 at mm/slab_common.c:525
kmem_cache_destroy+0x152/0x1c0

....

On Sun, May 18, 2025 at 9:56 PM Wang Zhaolong <wangzhaolong1@huawei.com> wrote:
>
>
>
>
>
> > Merged into cifs-2.6.git for-next
> >
> > I was only able to reproduce the rmmod problem once though (without
> > the patch), so it has been tricky to test.  What server were you testing
> > against (I tried current Samba and ksmbd)?
> >
>
> I initialized the Samba server using the `samba` package provided by the
> Debian Trixie distribution.
>
> Best regards,
> Wang Zhaolong



-- 
Thanks,

Steve
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 7 months ago



> I was able to reproduce it by running the reproducer poc much longer
> 
> [189335.643181] Key type cifs.idmap unregistered
> [189335.643203] Key type cifs.spnego unregistered
> [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
> [189335.656316]
> =============================================================================
> [189335.656320] BUG cifs_small_rq (Tainted: G    B   W  OE      ):
> Objects remaining on __kmem_cache_shutdown()
> [189335.656322]
> -----------------------------------------------------------------------------
> 
> [189335.656324] Object 0x000000001a39cfef @offset=15232
> [189335.656326] Slab 0x00000000479475fe objects=36 used=1
> fp=0x0000000090941d36
> flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
> [189335.656334] ------------[ cut here ]------------

After disabling KASAN, I encountered two memory leak issues after
running the POC for half an hour:

Phenomenon 1:

[ 2175.037198] ------------[ cut here ]------------
[ 2175.038447] WARNING: CPU: 2 PID: 425 at fs/smb/client/smb2ops.c:104 smb2_add_credits+0x2ac/0x6c0 [cifs]
[ 2175.041927] Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4
[ 2175.043736] CPU: 2 UID: 0 PID: 425 Comm: cifsd Not tainted 6.15.0-rc6+ #241 PREEMPT(full)
[ 2175.046082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
[ 2175.048680] RIP: 0010:smb2_add_credits+0x2ac/0x6c0 [cifs]
[ 2175.050432] Code: ff ff 4c 89 e7 e8 d4 8e ff ff 41 89 c5 e9 99 fe ff ff c7
43 08 02 00 00 00 45 8b 8c 24 d8 01 00 00 45 85 c9 0f 85 48 fe ff ff <0f> 0b 80 3d
41 6a eb ff 00 0f 84 dc 03 00 00 0f 1f 44 00 00 f
[ 2175.054563] RSP: 0018:ffffa9a94043fca8 EFLAGS: 00010246
[ 2175.055716] RAX: 0000000000001ffe RBX: ffffa9a94043fcf0 RCX: 0000000000000000
[ 2175.057236] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff90b807432a34
[ 2175.058760] RBP: 0000000000000000 R08: ffff90b80ce60188 R09: 0000000000000000
[ 2175.060268] R10: 0000000000000000 R11: 0000000000000001 R12: ffff90b807432800
[ 2175.061730] R13: 0000000000000000 R14: 0000000000000001 R15: ffff90b8074329d0
[ 2175.063210] FS:  0000000000000000(0000) GS:ffff90b8a9e84000(0000) knlGS:0000000000000000
[ 2175.064422] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2175.065455] CR2: 00005643543896f8 CR3: 000000000192c000 CR4: 00000000000006f0
[ 2175.066519] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2175.067561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2175.068658] Call Trace:
[ 2175.069068]  <TASK>
[ 2175.069402]  cifs_compound_callback+0x77/0xb0 [cifs]
[ 2175.070214]  cifs_cancelled_callback+0x12/0x40 [cifs]
[ 2175.071058]  clean_demultiplex_info+0x206/0x420 [cifs]
[ 2175.071935]  cifs_demultiplex_thread+0x1a6/0xcb0 [cifs]
[ 2175.072815]  ? dl_server_update_idle_time+0x60/0xa0
[ 2175.073579]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
[ 2175.074550]  kthread+0x10d/0x200
[ 2175.075051]  ? __pfx_kthread+0x10/0x10
[ 2175.075631]  ret_from_fork+0x34/0x50
[ 2175.076197]  ? __pfx_kthread+0x10/0x10
[ 2175.076683]  ret_from_fork_asm+0x1a/0x30
[ 2175.077143]  </TASK>
[ 2175.077398] ---[ end trace 0000000000000000 ]---
[ 2175.077919] CIFS: rreq R=00000000[0] Zero in_flight
[ 2175.285771] ------------[ cut here ]------------


Phenomenon 2

[ 2175.287049] kmem_cache_destroy cifs_request: Slab cache still has objects when called from exit_cifs+0x43/0x560 [cifs]
[ 2175.287205] WARNING: CPU: 0 PID: 3207738 at mm/slab_common.c:525 kmem_cache_destroy+0xfd/0x160
[ 2175.292071] Modules linked in: cifs(-) cifs_arc4 nls_ucs2_utils cifs_md4
[ 2175.293796] CPU: 0 UID: 0 PID: 3207738 Comm: modprobe Tainted: G        W           6.15.0-rc6+ #241 PREEMPT(full)
[ 2175.296519] Tainted: [W]=WARN
[ 2175.297339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
[ 2175.299559] RIP: 0010:kmem_cache_destroy+0xfd/0x160
[ 2175.300836] Code: de 5b e9 86 bf 05 00 e8 b1 db e4 ff eb b2 48 8b 53 60 48 8b
4c 24 08 48 c7 c6 a0 be a2 93 48 c7 c7 10 2e fb 93 e8 a3 9d da ff <0f> 0b 48 8b 53 68
48 8b 43 70 48 c7 c7 80 8a 37 94 48 89 42 8
[ 2175.304313] RSP: 0018:ffffa9a94328beb8 EFLAGS: 00010286
[ 2175.305261] RAX: 0000000000000000 RBX: ffff90b801c63a00 RCX: 0000000000000000
[ 2175.306544] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 00000000ffffffff
[ 2175.307815] RBP: 0000000000000800 R08: 0000000000004ffb R09: 00000000ffffefff
[ 2175.309077] R10: 00000000ffffefff R11: ffffffff94265060 R12: 0000000000000000
[ 2175.310353] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 2175.311632] FS:  00007fa76803b440(0000) GS:ffff90b8a9d84000(0000) knlGS:0000000000000000
[ 2175.313063] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2175.314098] CR2: 0000560b6ad2e850 CR3: 000000000deac000 CR4: 00000000000006f0
[ 2175.315221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2175.316137] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2175.317091] Call Trace:
[ 2175.317433]  <TASK>
[ 2175.317734]  exit_cifs+0x43/0x560 [cifs]
[ 2175.318316]  __x64_sys_delete_module+0x1ad/0x2a0
[ 2175.318958]  ? fpregs_assert_state_consistent+0x25/0x50
[ 2175.319656]  do_syscall_64+0x4b/0x110
[ 2175.320184]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 2175.320856] RIP: 0033:0x7fa767927977
[ 2175.321359] Code: 73 01 c3 48 8b 0d a9 94 0c 00 f7 d8 64 89 01 48 83 c8 ff c3
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d 79 94 0c 00 f7 d8 64 89 8
[ 2175.323766] RSP: 002b:00007ffd9f24c6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 2175.324766] RAX: ffffffffffffffda RBX: 000056460f617e30 RCX: 00007fa767927977
[ 2175.325721] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056460f617e98
[ 2175.326580] RBP: 0000000000000000 R08: 1999999999999999 R09: 0000000000000000
[ 2175.327329] R10: 00007fa767999ac0 R11: 0000000000000206 R12: 0000000000000000
[ 2175.328086] R13: 0000000000000000 R14: 00007ffd9f24c730 R15: 00007ffd9f24dbe8
[ 2175.328832]  </TASK>
[ 2175.329090] ---[ end trace 0000000000000000 ]---


These should be new issues. I'll get to the bottom of them as soon as I can.

Best regards,
Wang Zhaolong
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 4 months, 2 weeks ago
> 
>> I was able to reproduce it by running the reproducer poc much longer
>>
>> [189335.643181] Key type cifs.idmap unregistered
>> [189335.643203] Key type cifs.spnego unregistered
>> [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
>> [189335.656316]
>> =============================================================================
>> [189335.656320] BUG cifs_small_rq (Tainted: G    B   W  OE      ):
>> Objects remaining on __kmem_cache_shutdown()
>> [189335.656322]
>> -----------------------------------------------------------------------------
>>
>> [189335.656324] Object 0x000000001a39cfef @offset=15232
>> [189335.656326] Slab 0x00000000479475fe objects=36 used=1
>> fp=0x0000000090941d36
>> flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
>> [189335.656334] ------------[ cut here ]------------
> 
> After disabling KASAN, I encountered two memory leak issues after
> running the POC for half an hour:
> 
> Phenomenon 1:
> 
> [ 2175.037198] ------------[ cut here ]------------
> [ 2175.038447] WARNING: CPU: 2 PID: 425 at fs/smb/client/smb2ops.c:104 smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.041927] Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.043736] CPU: 2 UID: 0 PID: 425 Comm: cifsd Not tainted 6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.046082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.048680] RIP: 0010:smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.050432] Code: ff ff 4c 89 e7 e8 d4 8e ff ff 41 89 c5 e9 99 fe ff ff c7
> 43 08 02 00 00 00 45 8b 8c 24 d8 01 00 00 45 85 c9 0f 85 48 fe ff ff <0f> 0b 80 3d
> 41 6a eb ff 00 0f 84 dc 03 00 00 0f 1f 44 00 00 f
> [ 2175.054563] RSP: 0018:ffffa9a94043fca8 EFLAGS: 00010246
> [ 2175.055716] RAX: 0000000000001ffe RBX: ffffa9a94043fcf0 RCX: 0000000000000000
> [ 2175.057236] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff90b807432a34
> [ 2175.058760] RBP: 0000000000000000 R08: ffff90b80ce60188 R09: 0000000000000000
> [ 2175.060268] R10: 0000000000000000 R11: 0000000000000001 R12: ffff90b807432800
> [ 2175.061730] R13: 0000000000000000 R14: 0000000000000001 R15: ffff90b8074329d0
> [ 2175.063210] FS:  0000000000000000(0000) GS:ffff90b8a9e84000(0000) knlGS:0000000000000000
> [ 2175.064422] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.065455] CR2: 00005643543896f8 CR3: 000000000192c000 CR4: 00000000000006f0
> [ 2175.066519] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.067561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.068658] Call Trace:
> [ 2175.069068]  <TASK>
> [ 2175.069402]  cifs_compound_callback+0x77/0xb0 [cifs]
> [ 2175.070214]  cifs_cancelled_callback+0x12/0x40 [cifs]
> [ 2175.071058]  clean_demultiplex_info+0x206/0x420 [cifs]
> [ 2175.071935]  cifs_demultiplex_thread+0x1a6/0xcb0 [cifs]
> [ 2175.072815]  ? dl_server_update_idle_time+0x60/0xa0
> [ 2175.073579]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
> [ 2175.074550]  kthread+0x10d/0x200
> [ 2175.075051]  ? __pfx_kthread+0x10/0x10
> [ 2175.075631]  ret_from_fork+0x34/0x50
> [ 2175.076197]  ? __pfx_kthread+0x10/0x10
> [ 2175.076683]  ret_from_fork_asm+0x1a/0x30
> [ 2175.077143]  </TASK>
> [ 2175.077398] ---[ end trace 0000000000000000 ]---
> [ 2175.077919] CIFS: rreq R=00000000[0] Zero in_flight
> [ 2175.285771] ------------[ cut here ]------------
> 
> 
> Phenomenon 2
> 
> [ 2175.287049] kmem_cache_destroy cifs_request: Slab cache still has objects when called from exit_cifs+0x43/0x560 [cifs]
> [ 2175.287205] WARNING: CPU: 0 PID: 3207738 at mm/slab_common.c:525 kmem_cache_destroy+0xfd/0x160
> [ 2175.292071] Modules linked in: cifs(-) cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.293796] CPU: 0 UID: 0 PID: 3207738 Comm: modprobe Tainted: G        W           6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.296519] Tainted: [W]=WARN
> [ 2175.297339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.299559] RIP: 0010:kmem_cache_destroy+0xfd/0x160
> [ 2175.300836] Code: de 5b e9 86 bf 05 00 e8 b1 db e4 ff eb b2 48 8b 53 60 48 8b
> 4c 24 08 48 c7 c6 a0 be a2 93 48 c7 c7 10 2e fb 93 e8 a3 9d da ff <0f> 0b 48 8b 53 68
> 48 8b 43 70 48 c7 c7 80 8a 37 94 48 89 42 8
> [ 2175.304313] RSP: 0018:ffffa9a94328beb8 EFLAGS: 00010286
> [ 2175.305261] RAX: 0000000000000000 RBX: ffff90b801c63a00 RCX: 0000000000000000
> [ 2175.306544] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 00000000ffffffff
> [ 2175.307815] RBP: 0000000000000800 R08: 0000000000004ffb R09: 00000000ffffefff
> [ 2175.309077] R10: 00000000ffffefff R11: ffffffff94265060 R12: 0000000000000000
> [ 2175.310353] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [ 2175.311632] FS:  00007fa76803b440(0000) GS:ffff90b8a9d84000(0000) knlGS:0000000000000000
> [ 2175.313063] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.314098] CR2: 0000560b6ad2e850 CR3: 000000000deac000 CR4: 00000000000006f0
> [ 2175.315221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.316137] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.317091] Call Trace:
> [ 2175.317433]  <TASK>
> [ 2175.317734]  exit_cifs+0x43/0x560 [cifs]
> [ 2175.318316]  __x64_sys_delete_module+0x1ad/0x2a0
> [ 2175.318958]  ? fpregs_assert_state_consistent+0x25/0x50
> [ 2175.319656]  do_syscall_64+0x4b/0x110
> [ 2175.320184]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 2175.320856] RIP: 0033:0x7fa767927977
> [ 2175.321359] Code: 73 01 c3 48 8b 0d a9 94 0c 00 f7 d8 64 89 01 48 83 c8 ff c3
> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d 79 94 0c 00 f7 d8 64 89 8
> [ 2175.323766] RSP: 002b:00007ffd9f24c6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
> [ 2175.324766] RAX: ffffffffffffffda RBX: 000056460f617e30 RCX: 00007fa767927977
> [ 2175.325721] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056460f617e98
> [ 2175.326580] RBP: 0000000000000000 R08: 1999999999999999 R09: 0000000000000000
> [ 2175.327329] R10: 00007fa767999ac0 R11: 0000000000000206 R12: 0000000000000000
> [ 2175.328086] R13: 0000000000000000 R14: 00007ffd9f24c730 R15: 00007ffd9f24dbe8
> [ 2175.328832]  </TASK>
> [ 2175.329090] ---[ end trace 0000000000000000 ]---
> 
> 
> These should be new issues. I'll get to the bottom of them as soon as I can.
> 
> Best regards,
> Wang Zhaolong
> 

I have identified the issue mentioned above. Below is my proposed fix:

https://lore.kernel.org/all/20250804134006.3609555-1-wangzhaolong@huaweicloud.com/

I'd like to kindly invite feedback and discussion from the community on this
issue, particularly regarding the root cause and the correctness of the
proposed solution. Any suggestions, concerns, or alternative approaches are
highly welcome.

Best regards,
Wang Zhaolong
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Steve French 7 months ago
Since your patches both clearly fix problems and look non-controversial
(and reviewed by multiple people), I plan to send them upstream today;
let me know if there are any objections.

On Thu, May 22, 2025 at 9:00 AM Wang Zhaolong <wangzhaolong1@huawei.com> wrote:
>
>
>
>
>
> > I was able to reproduce it by running the reproducer poc much longer
> >
> > [189335.643181] Key type cifs.idmap unregistered
> > [189335.643203] Key type cifs.spnego unregistered
> > [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
> > [189335.656316]
> > =============================================================================
> > [189335.656320] BUG cifs_small_rq (Tainted: G    B   W  OE      ):
> > Objects remaining on __kmem_cache_shutdown()
> > [189335.656322]
> > -----------------------------------------------------------------------------
> >
> > [189335.656324] Object 0x000000001a39cfef @offset=15232
> > [189335.656326] Slab 0x00000000479475fe objects=36 used=1
> > fp=0x0000000090941d36
> > flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
> > [189335.656334] ------------[ cut here ]------------
>
> After disabling KASAN, I encountered two memory leak issues after
> running the POC for half an hour:
>
> Phenomenon 1:
>
> [ 2175.037198] ------------[ cut here ]------------
> [ 2175.038447] WARNING: CPU: 2 PID: 425 at fs/smb/client/smb2ops.c:104 smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.041927] Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.043736] CPU: 2 UID: 0 PID: 425 Comm: cifsd Not tainted 6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.046082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.048680] RIP: 0010:smb2_add_credits+0x2ac/0x6c0 [cifs]
> [ 2175.050432] Code: ff ff 4c 89 e7 e8 d4 8e ff ff 41 89 c5 e9 99 fe ff ff c7
> 43 08 02 00 00 00 45 8b 8c 24 d8 01 00 00 45 85 c9 0f 85 48 fe ff ff <0f> 0b 80 3d
> 41 6a eb ff 00 0f 84 dc 03 00 00 0f 1f 44 00 00 f
> [ 2175.054563] RSP: 0018:ffffa9a94043fca8 EFLAGS: 00010246
> [ 2175.055716] RAX: 0000000000001ffe RBX: ffffa9a94043fcf0 RCX: 0000000000000000
> [ 2175.057236] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff90b807432a34
> [ 2175.058760] RBP: 0000000000000000 R08: ffff90b80ce60188 R09: 0000000000000000
> [ 2175.060268] R10: 0000000000000000 R11: 0000000000000001 R12: ffff90b807432800
> [ 2175.061730] R13: 0000000000000000 R14: 0000000000000001 R15: ffff90b8074329d0
> [ 2175.063210] FS:  0000000000000000(0000) GS:ffff90b8a9e84000(0000) knlGS:0000000000000000
> [ 2175.064422] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.065455] CR2: 00005643543896f8 CR3: 000000000192c000 CR4: 00000000000006f0
> [ 2175.066519] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.067561] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.068658] Call Trace:
> [ 2175.069068]  <TASK>
> [ 2175.069402]  cifs_compound_callback+0x77/0xb0 [cifs]
> [ 2175.070214]  cifs_cancelled_callback+0x12/0x40 [cifs]
> [ 2175.071058]  clean_demultiplex_info+0x206/0x420 [cifs]
> [ 2175.071935]  cifs_demultiplex_thread+0x1a6/0xcb0 [cifs]
> [ 2175.072815]  ? dl_server_update_idle_time+0x60/0xa0
> [ 2175.073579]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
> [ 2175.074550]  kthread+0x10d/0x200
> [ 2175.075051]  ? __pfx_kthread+0x10/0x10
> [ 2175.075631]  ret_from_fork+0x34/0x50
> [ 2175.076197]  ? __pfx_kthread+0x10/0x10
> [ 2175.076683]  ret_from_fork_asm+0x1a/0x30
> [ 2175.077143]  </TASK>
> [ 2175.077398] ---[ end trace 0000000000000000 ]---
> [ 2175.077919] CIFS: rreq R=00000000[0] Zero in_flight
> [ 2175.285771] ------------[ cut here ]------------
>
>
> Phenomenon 2
>
> [ 2175.287049] kmem_cache_destroy cifs_request: Slab cache still has objects when called from exit_cifs+0x43/0x560 [cifs]
> [ 2175.287205] WARNING: CPU: 0 PID: 3207738 at mm/slab_common.c:525 kmem_cache_destroy+0xfd/0x160
> [ 2175.292071] Modules linked in: cifs(-) cifs_arc4 nls_ucs2_utils cifs_md4
> [ 2175.293796] CPU: 0 UID: 0 PID: 3207738 Comm: modprobe Tainted: G        W           6.15.0-rc6+ #241 PREEMPT(full)
> [ 2175.296519] Tainted: [W]=WARN
> [ 2175.297339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
> [ 2175.299559] RIP: 0010:kmem_cache_destroy+0xfd/0x160
> [ 2175.300836] Code: de 5b e9 86 bf 05 00 e8 b1 db e4 ff eb b2 48 8b 53 60 48 8b
> 4c 24 08 48 c7 c6 a0 be a2 93 48 c7 c7 10 2e fb 93 e8 a3 9d da ff <0f> 0b 48 8b 53 68
> 48 8b 43 70 48 c7 c7 80 8a 37 94 48 89 42 8
> [ 2175.304313] RSP: 0018:ffffa9a94328beb8 EFLAGS: 00010286
> [ 2175.305261] RAX: 0000000000000000 RBX: ffff90b801c63a00 RCX: 0000000000000000
> [ 2175.306544] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 00000000ffffffff
> [ 2175.307815] RBP: 0000000000000800 R08: 0000000000004ffb R09: 00000000ffffefff
> [ 2175.309077] R10: 00000000ffffefff R11: ffffffff94265060 R12: 0000000000000000
> [ 2175.310353] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [ 2175.311632] FS:  00007fa76803b440(0000) GS:ffff90b8a9d84000(0000) knlGS:0000000000000000
> [ 2175.313063] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2175.314098] CR2: 0000560b6ad2e850 CR3: 000000000deac000 CR4: 00000000000006f0
> [ 2175.315221] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 2175.316137] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 2175.317091] Call Trace:
> [ 2175.317433]  <TASK>
> [ 2175.317734]  exit_cifs+0x43/0x560 [cifs]
> [ 2175.318316]  __x64_sys_delete_module+0x1ad/0x2a0
> [ 2175.318958]  ? fpregs_assert_state_consistent+0x25/0x50
> [ 2175.319656]  do_syscall_64+0x4b/0x110
> [ 2175.320184]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 2175.320856] RIP: 0033:0x7fa767927977
> [ 2175.321359] Code: 73 01 c3 48 8b 0d a9 94 0c 00 f7 d8 64 89 01 48 83 c8 ff c3
> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d 79 94 0c 00 f7 d8 64 89 8
> [ 2175.323766] RSP: 002b:00007ffd9f24c6f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
> [ 2175.324766] RAX: ffffffffffffffda RBX: 000056460f617e30 RCX: 00007fa767927977
> [ 2175.325721] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056460f617e98
> [ 2175.326580] RBP: 0000000000000000 R08: 1999999999999999 R09: 0000000000000000
> [ 2175.327329] R10: 00007fa767999ac0 R11: 0000000000000206 R12: 0000000000000000
> [ 2175.328086] R13: 0000000000000000 R14: 00007ffd9f24c730 R15: 00007ffd9f24dbe8
> [ 2175.328832]  </TASK>
> [ 2175.329090] ---[ end trace 0000000000000000 ]---
>
>
> These should be new issues. I'll get to the bottom of them as soon as I can.
>
> Best regards,
> Wang Zhaolong
>


-- 
Thanks,

Steve
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 7 months ago
> Since your patches both clearly fix problems, and look
> non-controversial (and reviewed by multiple people).  I plan to send
> them upstream today, let me know if any objections.
> 

Thank you for your confirmation and for sending the patches upstream.

Much appreciated!

Best regards,
Wang Zhaolong
Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir
Posted by Wang Zhaolong 7 months ago



> I was able to reproduce it by running the reproducer poc much longer


I was able to reproduce the issue described in the patch within 1-3 minutes by
running the POC on a virtual machine with 4 CPU cores with CONFIG_KASAN=y.

> 
> [189335.643181] Key type cifs.idmap unregistered
> [189335.643203] Key type cifs.spnego unregistered
> [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep
> [189335.656316]
> =============================================================================
> [189335.656320] BUG cifs_small_rq (Tainted: G    B   W  OE      ):
> Objects remaining on __kmem_cache_shutdown()
> [189335.656322]
> -----------------------------------------------------------------------------
> 
> [189335.656324] Object 0x000000001a39cfef @offset=15232
> [189335.656326] Slab 0x00000000479475fe objects=36 used=1
> fp=0x0000000090941d36
> flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
> [189335.656334] ------------[ cut here ]------------
> [189335.656335] WARNING: CPU: 1 PID: 84118 at mm/slub.c:1135
> __slab_err+0x1d/0x30
> ....
> [189335.656512]  [last unloaded: cifs(OE)]
> [189335.656516] CPU: 1 UID: 0 PID: 84118 Comm: rmmod Tainted: G    B
> W  OE       6.15.0-061500rc4-generic #202504272253 PREEMPT(voluntary)
> [189335.656520] Tainted: [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE,
> [E]=UNSIGNED_MODULE
> [189335.656521] Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS
> N2CET70W (1.53 ) 03/11/2024
> [189335.656522] RIP: 0010:__slab_err+0x1d/0x30
> [189335.656525] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44
> 00 00 55 48 89 e5 e8 72 ff ff ff be 01 00 00 00 bf 05 00 00 00 e8 33
> b2 1c 00 <0f> 0b 5d 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90
> 90 90
> [189335.656527] RSP: 0018:ffffcf3041b33a18 EFLAGS: 00010046
> [189335.656529] RAX: 0000000000000000 RBX: ffffcf3041b33a60 RCX:
> 0000000000000000
> [189335.656530] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000000000000
> [189335.656531] RBP: ffffcf3041b33a18 R08: 0000000000000000 R09:
> 0000000000000000
> [189335.656533] R10: 0000000000000000 R11: 0000000000000000 R12:
> ffff8c1b49eb7600
> [189335.656534] R13: ffff8c1b4ccd9580 R14: dead000000000122 R15:
> ffff8c1b4ccd9580
> [189335.656535] FS:  00007d912677e080(0000) GS:ffff8c2312b1b000(0000)
> knlGS:0000000000000000
> [189335.656537] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [189335.656538] CR2: 000061c8bedf4778 CR3: 00000003f2b4a001 CR4:
> 00000000003726f0
> [189335.656540] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [189335.656541] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [189335.656542] Call Trace:
> [189335.656543]  <TASK>
> [189335.656546]  free_partial.cold+0x137/0x191
> [189335.656550]  __kmem_cache_shutdown+0x46/0xa0
> [189335.656553]  kmem_cache_destroy+0x3e/0x1c0
> [189335.656558]  cifs_destroy_request_bufs+0x5c/0x70 [cifs]
> [189335.656618]  exit_cifs+0x3a/0xef0 [cifs]
> [189335.656666]  __do_sys_delete_module.isra.0+0x19d/0x2e0
> [189335.656671]  __x64_sys_delete_module+0x12/0x20
> [189335.656674]  x64_sys_call+0x1765/0x2320
> [189335.656677]  do_syscall_64+0x7e/0x210
> [189335.656679]  ? __fput+0x1a2/0x2d0
> [189335.656681]  ? kmem_cache_free+0x408/0x470
> [189335.656684]  ? __fput+0x1a2/0x2d0
> [189335.656686]  ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
> [189335.656689]  ? syscall_exit_to_user_mode+0x38/0x1d0
> [189335.656692]  ? do_syscall_64+0x8a/0x210
> [189335.656695]  ? do_read_fault+0xfb/0x230
> [189335.656698]  ? do_fault+0x15d/0x220
> [189335.656699]  ? handle_pte_fault+0x140/0x210
> [189335.656702]  ? __handle_mm_fault+0x3cd/0x790
> [189335.656705]  ? __count_memcg_events+0xd3/0x1a0
> [189335.656708]  ? count_memcg_events.constprop.0+0x2a/0x50
> [189335.656710]  ? handle_mm_fault+0x1ca/0x2e0
> [189335.656713]  ? do_user_addr_fault+0x2f8/0x830
> [189335.656716]  ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
> [189335.656719]  ? irqentry_exit_to_user_mode+0x2d/0x1d0
> [189335.656722]  ? irqentry_exit+0x43/0x50
> [189335.656724]  ? exc_page_fault+0x96/0x1e0
> [189335.656727]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [189335.656729] RIP: 0033:0x7d9125f2ac9b

This call trace looks like a memory leak or a reference-counting
management issue. Can it still be reproduced even after my patch is
applied?

Best regards,
Wang Zhaolong