From: Fredric Cover
To: sfrench@samba.org
Cc: ronniesahlberg@gmail.com, sprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com, linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, Fredric Cover
Subject: [PATCH RFC] smb: client: fix races in cifsd thread creation
Date: Mon, 1 Jun 2026 17:55:10 -0700
Message-ID: <20260602005512.126883-1-FredTheDude@proton.me>

From: Fredric Cover

The cifsd demultiplex thread can run and access tcp_ses before the parent thread has finished populating tcp_ses, which the worker thread accesses locklessly. Also, the kthread_run macro may start the thread before returning the thread pointer. Because the pointer is part of the structure that the thread can access, if the kernel is preempted after the thread is spawned, but before the thread pointer is populated and the thread attempts to exit, it will sleep, waiting for a SIGKILL signal.

Fix this by moving creation of the thread to after all of tcp_ses's fields are populated, and spawning the thread last, using a split kthread_create/wake_up_process logic.

Signed-off-by: Fredric Cover
---
Please note that I am fairly new to kernel development, and this patch may have major flaws that I overlooked. Also, although I wrote the code, Google's Gemini found the bug in the first place.
---
 fs/smb/client/connect.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index dcde25da468d..3452e54c9a18 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -1871,14 +1871,6 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, * this will succeed. No need for try_module_get(). */ __module_get(THIS_MODULE); - tcp_ses->tsk =3D kthread_run(cifs_demultiplex_thread, - tcp_ses, "cifsd"); - if (IS_ERR(tcp_ses->tsk)) { - rc =3D PTR_ERR(tcp_ses->tsk); - cifs_dbg(VFS, "error %d create cifsd thread\n", rc); - module_put(THIS_MODULE); - goto out_err_crypto_release; - } tcp_ses->min_offload =3D ctx->min_offload; tcp_ses->retrans =3D ctx->retrans; /* @@ -1886,9 +1878,7 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, * to the struct since the kernel thread not created yet * no need to spinlock this update of tcpStatus */ - spin_lock(&tcp_ses->srv_lock); tcp_ses->tcpStatus =3D CifsNeedNegotiate; - spin_unlock(&tcp_ses->srv_lock); =20 if ((ctx->max_credits < 20) || (ctx->max_credits > 60000)) tcp_ses->max_credits =3D SMB2_MAX_CREDITS_AVAILABLE; @@ -1897,7 +1887,16 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, =20 tcp_ses->nr_targets =3D 1; tcp_ses->ignore_signature =3D ctx->ignore_signature; - /* thread spawned, put it on the list */ + + tcp_ses->tsk =3D kthread_create(cifs_demultiplex_thread, + tcp_ses, "cifsd"); + if (IS_ERR(tcp_ses->tsk)) { + rc =3D PTR_ERR(tcp_ses->tsk); + cifs_dbg(VFS, "error %d create cifsd thread\n", rc); + module_put(THIS_MODULE); + goto out_err_crypto_release; + } + /* thread created, put it on the list */ spin_lock(&cifs_tcp_ses_lock); list_add(&tcp_ses->tcp_ses_list, &cifs_tcp_ses_list); spin_unlock(&cifs_tcp_ses_lock); 
@@ -1905,6 +1904,12 @@ cifs_get_tcp_session(struct smb3_fs_context *ctx, /* queue echo request delayed work */ queue_delayed_work(cifsiod_wq, &tcp_ses->echo, tcp_ses->echo_interval); =20 + /* + * Use split create/wake logic to ensure that tcp_ses is fully populated + * and tcp_ses->tsk is valid + */ + wake_up_process(tcp_ses->tsk); + return tcp_ses; =20 out_err_crypto_release: --=20 2.53.0
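Review bot: the second hunk drops the `spin_lock(&tcp_ses->srv_lock);` / `spin_unlock(&tcp_ses->srv_lock);` pair around `tcp_ses->tcpStatus = CifsNeedNegotiate;`, but the commit message does not mention it. The existing comment above that line already states that the kernel thread is not created yet, so with creation deferred the lock is genuinely redundant here, and the write is ordered before any other path can find tcp_ses because list_add happens under cifs_tcp_ses_lock in the following hunk; please either say so in the commit message or split the lock removal into its own cleanup patch.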
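Review bot: in the third hunk the failure path after `kthread_create()` (`module_put(THIS_MODULE); goto out_err_crypto_release;`) is still correct only because nothing has been published yet at that point; the list_add below it and the queue_delayed_work in the last hunk now sit between thread creation and wake_up_process(). A short comment noting that any future failure point added in that window must kthread_stop() the created-but-not-yet-woken thread rather than jump to out_err_crypto_release would keep the next editor from reintroducing a leak.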
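Review bot: the comment added before `wake_up_process(tcp_ses->tsk);` in the last hunk explains what the split does but not why the wake is placed after `queue_delayed_work(cifsiod_wq, &tcp_ses->echo, ...)` rather than directly after the list_add in the previous hunk. Either state that the echo work is intentionally queued before the demultiplex thread starts and that nothing in that window can fail, or move wake_up_process() up to immediately after the list_add so the created-but-sleeping window stays as small as possible.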
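A userspace analogue of the race and of the split create/wake fix the commit message describes, added here as an example and not part of the patch: `struct session`, `worker` and `spawn_gated_worker` are hypothetical names, and a mutex/condvar gate stands in for kthread_create()/wake_up_process(), since pthread_create() likewise stores the new thread's handle only after the thread may already be running.

```c
#include <pthread.h>
#include <stdbool.h>

/* Hypothetical userspace stand-in for tcp_ses. */
struct session {
    pthread_mutex_t lock;
    pthread_cond_t  ready_cv;
    bool            ready;          /* creator sets once tsk/status are stored */
    pthread_t       tsk;            /* analogue of tcp_ses->tsk */
    int             status;         /* analogue of tcpStatus, set before wake */
    bool            saw_valid_tsk;  /* what the worker observed */
};

/* Worker: blocks until released (like a thread from kthread_create() waiting
 * for wake_up_process()), then checks that the stored handle is its own and
 * that status was populated. A kthread_run()-style variant that skipped the
 * wait could read tsk before pthread_create() had stored it. */
static void *worker(void *arg)
{
    struct session *s = arg;
    pthread_mutex_lock(&s->lock);
    while (!s->ready)
        pthread_cond_wait(&s->ready_cv, &s->lock);
    s->saw_valid_tsk = pthread_equal(s->tsk, pthread_self()) && s->status == 1;
    pthread_mutex_unlock(&s->lock);
    return NULL;
}

/* Split create/release: spawn the gated worker, finish populating the session
 * (including its own handle), then release it. Returns 1 when the worker saw
 * a fully populated session, 0 if it did not, -1 on create error. */
int spawn_gated_worker(void)
{
    struct session s = { .lock = PTHREAD_MUTEX_INITIALIZER,
                         .ready_cv = PTHREAD_COND_INITIALIZER };
    pthread_t tid;

    if (pthread_create(&tid, NULL, worker, &s) != 0)
        return -1;
    pthread_mutex_lock(&s.lock);
    s.status = 1;       /* like tcpStatus = CifsNeedNegotiate */
    s.tsk = tid;        /* handle stored before the worker may dereference it */
    s.ready = true;     /* like wake_up_process(tcp_ses->tsk) */
    pthread_cond_broadcast(&s.ready_cv);
    pthread_mutex_unlock(&s.lock);

    pthread_join(tid, NULL);
    return s.saw_valid_tsk ? 1 : 0;
}
```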