]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
ksmbd: track the connection owning a byte-range lock
authorNamjae Jeon <linkinjeon@kernel.org>
Mon, 15 Jun 2026 01:00:00 +0000 (10:00 +0900)
committerSteve French <stfrench@microsoft.com>
Tue, 23 Jun 2026 01:15:03 +0000 (20:15 -0500)
SMB2_LOCK adds each granted byte-range lock to both the file lock list
and the lock list of the connection which handled the request.  The
final close and durable handle paths, however, remove the connection
list entry while holding fp->conn->llist_lock.

With SMB3 multichannel, the connection handling the LOCK request can be
different from the connection which opened the file.  The entry can
therefore be removed under a different spinlock from the one protecting
the list it belongs to.  A concurrent traversal can then access freed
struct ksmbd_lock and struct file_lock objects.

Record the connection owning each lock's clist entry and hold a
reference to it while the entry is linked.  Use that connection and its
llist_lock for unlock, rollback, close, and durable preserve.  Durable
reconnect assigns the new connection as the owner when publishing the
locks again.

Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Cc: stable@vger.kernel.org
Reported-by: Musaab Khan <musaab.khan@protonmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c
fs/smb/server/vfs_cache.c
fs/smb/server/vfs_cache.h

index c1c6c1a64f600e393bda4ae95bb483576197dbaf..ba24040d05eba4fbf92af0b6fbe20432795cabcd 100644 (file)
@@ -7774,9 +7774,11 @@ int smb2_lock(struct ksmbd_work *work)
                                                nolock = 0;
                                                list_del(&cmp_lock->flist);
                                                list_del(&cmp_lock->clist);
+                                               cmp_lock->conn = NULL;
                                                spin_unlock(&conn->llist_lock);
                                                up_read(&conn_list_lock);
 
+                                               ksmbd_conn_put(conn);
                                                locks_free_lock(cmp_lock->fl);
                                                kfree(cmp_lock);
                                                goto out_check_cl;
@@ -7911,6 +7913,7 @@ skip:
                                goto out2;
                        } else if (!rc) {
                                list_add(&smb_lock->llist, &rollback_list);
+                               smb_lock->conn = ksmbd_conn_get(work->conn);
                                spin_lock(&work->conn->llist_lock);
                                list_add_tail(&smb_lock->clist,
                                              &work->conn->lock_list);
@@ -7965,11 +7968,14 @@ out:
                }
 
                list_del(&smb_lock->llist);
-               spin_lock(&work->conn->llist_lock);
+               conn = smb_lock->conn;
+               spin_lock(&conn->llist_lock);
                if (!list_empty(&smb_lock->flist))
                        list_del(&smb_lock->flist);
                list_del(&smb_lock->clist);
-               spin_unlock(&work->conn->llist_lock);
+               smb_lock->conn = NULL;
+               spin_unlock(&conn->llist_lock);
+               ksmbd_conn_put(conn);
 
                locks_free_lock(smb_lock->fl);
                if (rlock)
index 8c556e46cc102e85055bad8b7f8c33558c76800e..39c56942ae440b21100fec49860a6f5ef96258fe 100644 (file)
@@ -484,10 +484,14 @@ static void __ksmbd_close_fd(struct ksmbd_file_table *ft, struct ksmbd_file *fp)
         * there are not accesses to fp->lock_list.
         */
        list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
-               if (!list_empty(&smb_lock->clist) && fp->conn) {
-                       spin_lock(&fp->conn->llist_lock);
-                       list_del(&smb_lock->clist);
-                       spin_unlock(&fp->conn->llist_lock);
+               struct ksmbd_conn *conn = smb_lock->conn;
+
+               if (conn) {
+                       spin_lock(&conn->llist_lock);
+                       list_del_init(&smb_lock->clist);
+                       smb_lock->conn = NULL;
+                       spin_unlock(&conn->llist_lock);
+                       ksmbd_conn_put(conn);
                }
 
                list_del(&smb_lock->flist);
@@ -1303,9 +1307,15 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
        up_write(&ci->m_lock);
 
        list_for_each_entry_safe(smb_lock, tmp_lock, &fp->lock_list, flist) {
-               spin_lock(&conn->llist_lock);
+               struct ksmbd_conn *lock_conn = smb_lock->conn;
+
+               if (!lock_conn)
+                       continue;
+               spin_lock(&lock_conn->llist_lock);
                list_del_init(&smb_lock->clist);
-               spin_unlock(&conn->llist_lock);
+               smb_lock->conn = NULL;
+               spin_unlock(&lock_conn->llist_lock);
+               ksmbd_conn_put(lock_conn);
        }
 
        fp->conn = NULL;
@@ -1435,6 +1445,7 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
        }
 
        list_for_each_entry(smb_lock, &fp->lock_list, flist) {
+               smb_lock->conn = ksmbd_conn_get(conn);
                spin_lock(&conn->llist_lock);
                list_add_tail(&smb_lock->clist, &conn->lock_list);
                spin_unlock(&conn->llist_lock);
index 7d547e1a74f7f25b6a7c0aa9474510af15385e34..a3a9fda6de91774cbc36cd640d8fee16ca0a3578 100644 (file)
@@ -32,6 +32,7 @@ struct ksmbd_session;
 
 struct ksmbd_lock {
        struct file_lock *fl;
+       struct ksmbd_conn *conn;
        struct list_head clist;
        struct list_head flist;
        struct list_head llist;