{"id":2230533,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2230533/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260429205236.456099-2-henrique.carvalho@suse.com/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/1.1/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260429205236.456099-2-henrique.carvalho@suse.com>","date":"2026-04-29T20:52:35","name":"[2/3] smb: client: fix race in multichannel rescaling during mount","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"2ca9e13446b183ab80433237936003a21205ef1a","submitter":{"id":89563,"url":"http://patchwork.ozlabs.org/api/1.1/people/89563/?format=json","name":"Henrique Carvalho","email":"henrique.carvalho@suse.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260429205236.456099-2-henrique.carvalho@suse.com/mbox/","series":[{"id":502149,"url":"http://patchwork.ozlabs.org/api/1.1/series/502149/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=502149","date":"2026-04-29T20:52:34","name":"[1/3] smb: client: fix conflicting option validation for new mount API","version":1,"mbox":"http://patchwork.ozlabs.org/series/502149/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230533/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230533/checks/","tags":{},"headers":{"Return-Path":"\n <linux-cifs+bounces-11299-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=suse.com header.i=@suse.com header.a=rsa-sha256\n header.s=google 
header.b=E8yzMhy4;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11299-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com\n header.b=\"E8yzMhy4\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.128.49","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=suse.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.com"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5TzL5Tz4z1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 06:53:18 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 6045C3009397\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 20:53:15 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id B06672FE58C;\n\tWed, 29 Apr 2026 20:53:12 +0000 (UTC)","from mail-wm1-f49.google.com (mail-wm1-f49.google.com\n [209.85.128.49])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 035AA394462\n\tfor <linux-cifs@vger.kernel.org>; Wed, 29 Apr 2026 20:53:09 +0000 (UTC)","by mail-wm1-f49.google.com with SMTP id\n 5b1f17b1804b1-48a7fe4f40bso2081405e9.0\n        for <linux-cifs@vger.kernel.org>;\n Wed, 29 Apr 2026 13:53:09 -0700 (PDT)","from precision ([2a01:4b00:c007:bb00:be9d:a3c4:18b1:4a25])\n        by 
smtp.gmail.com with ESMTPSA id\n a92af1059eb24-12de3269b41sm3925240c88.13.2026.04.29.13.53.02\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Wed, 29 Apr 2026 13:53:07 -0700 (PDT)"],"X-Received":"by 2002:a05:600c:c058:b0:487:4eb:d125 with SMTP id\n 5b1f17b1804b1-48a83d6f154mr2397105e9.9.1777495988358;\n        Wed, 29 Apr 2026 13:53:08 -0700 (PDT)","From":"Henrique Carvalho 
<henrique.carvalho@suse.com>","To":"sfrench@samba.org","Cc":"metze@samba.org,\n\tpc@manguebit.org,\n\tronniesahlberg@gmail.com,\n\tsprasad@microsoft.com,\n\ttom@talpey.com,\n\tbharathsm@microsoft.com,\n\tematsumiya@suse.de,\n\tlinux-cifs@vger.kernel.org,\n\tstable@vger.kernel.org","Subject":"[PATCH 2/3] smb: client: fix race in multichannel rescaling during\n mount","Date":"Wed, 29 Apr 2026 17:52:35 -0300","Message-ID":"<20260429205236.456099-2-henrique.carvalho@suse.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260429205236.456099-1-henrique.carvalho@suse.com>","References":"<20260429205236.456099-1-henrique.carvalho@suse.com>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"mchan_mount_* introduced async channel rescaling during mount. 
That can\nlead to a race with other mount/remount attempts that use the same session,\nwhen these are scaling down the channels, potentially leading to UAF, as\ndescribed in\nhttps://lore.kernel.org/linux-cifs/rw7ptbx22cntes5eag5r3kvg5mzfvvzdhj4v2kw6mnunmsewev@f2iyrmmitkl3/\n\nFix this by using the same serialization used in other rescaling paths\nand if in a race, rescheduling the channel scaling work.\n\nCc: stable@vger.kernel.org\nFixes: 556bb341f9f2 (\"smb: client: introduce multichannel async work during mount\")\nSigned-off-by: Henrique Carvalho <henrique.carvalho@suse.com>\n---\n fs/smb/client/cifsglob.h |  2 +-\n fs/smb/client/connect.c  | 32 +++++++++++++++++++++++++-------\n fs/smb/client/sess.c     |  1 -\n 3 files changed, 26 insertions(+), 9 deletions(-)","diff":"diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h\nindex 82e0adc1dabd..ef63a1c3249c 100644\n--- a/fs/smb/client/cifsglob.h\n+++ b/fs/smb/client/cifsglob.h\n@@ -1817,7 +1817,7 @@ struct cifs_mount_ctx {\n };\n \n struct mchan_mount {\n-\tstruct work_struct work;\n+\tstruct delayed_work dwork;\n \tstruct cifs_ses *ses;\n };\n \ndiff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c\nindex dcde25da468d..2ea93f0b78c9 100644\n--- a/fs/smb/client/connect.c\n+++ b/fs/smb/client/connect.c\n@@ -3813,7 +3813,7 @@ mchan_mount_alloc(struct cifs_ses *ses)\n \tif (!mchan_mount)\n \t\treturn ERR_PTR(-ENOMEM);\n \n-\tINIT_WORK(&mchan_mount->work, mchan_mount_work_fn);\n+\tINIT_DELAYED_WORK(&mchan_mount->dwork, mchan_mount_work_fn);\n \n \tspin_lock(&cifs_tcp_ses_lock);\n \tcifs_smb_ses_inc_refcount(ses);\n@@ -3833,13 +3833,32 @@ mchan_mount_free(struct mchan_mount *mchan_mount)\n static void\n mchan_mount_work_fn(struct work_struct *work)\n {\n-\tstruct mchan_mount *mchan_mount = container_of(work, struct mchan_mount, work);\n+\tstruct mchan_mount *mchan_mount = container_of(work, struct mchan_mount, dwork.work);\n+\tstruct cifs_ses *ses = mchan_mount->ses;\n 
\n-\tsmb3_update_ses_channels(mchan_mount->ses,\n-\t\t\t\t mchan_mount->ses->server,\n+\t/*\n+\t * mchan_mount_work_fn could race with smb3_update_ses_channel called\n+\t * for the same session on remount, other mounts or\n+\t * smb3_update_ses_channel\n+\t */\n+\tspin_lock(&ses->ses_lock);\n+\tif (ses->flags & CIFS_SES_FLAG_SCALE_CHANNELS) {\n+\t\tspin_unlock(&ses->ses_lock);\n+\t\tqueue_delayed_work(cifsiod_wq, &mchan_mount->dwork, 2 * HZ);\n+\t\treturn;\n+\t}\n+\tses->flags |= CIFS_SES_FLAG_SCALE_CHANNELS;\n+\tspin_unlock(&ses->ses_lock);\n+\n+\tsmb3_update_ses_channels(ses,\n+\t\t\t\t ses->server,\n \t\t\t\t false /* from_reconnect */,\n \t\t\t\t false /* disable_mchan */);\n \n+\tspin_lock(&ses->ses_lock);\n+\tses->flags &= ~CIFS_SES_FLAG_SCALE_CHANNELS;\n+\tspin_unlock(&ses->ses_lock);\n+\n \tmchan_mount_free(mchan_mount);\n }\n \n@@ -3885,7 +3904,7 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb3_fs_context *ctx)\n \t\tgoto error;\n \n \tif (ctx->multichannel)\n-\t\tqueue_work(cifsiod_wq, &mchan_mount->work);\n+\t\tqueue_work(cifsiod_wq, &mchan_mount->dwork.work);\n \n \tfree_xid(mnt_ctx.xid);\n \treturn rc;\n@@ -3942,8 +3961,7 @@ int cifs_mount(struct cifs_sb_info *cifs_sb, struct smb3_fs_context *ctx)\n \t\tgoto error;\n \n \tif (ctx->multichannel)\n-\t\tqueue_work(cifsiod_wq, &mchan_mount->work);\n-\n+\t\tqueue_work(cifsiod_wq, &mchan_mount->dwork.work);\n \tfree_xid(mnt_ctx.xid);\n \treturn rc;\n \ndiff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c\nindex de2012cc9cf3..24d5206e5c44 100644\n--- a/fs/smb/client/sess.c\n+++ b/fs/smb/client/sess.c\n@@ -627,7 +627,6 @@ cifs_ses_add_channel(struct cifs_ses *ses,\n \treturn rc;\n }\n \n-\n int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,\n \t\t\t\t    struct cifs_ses *ses)\n {\n","prefixes":["2/3"]}
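Review bot: in the mchan_mount_work_fn hunk of fs/smb/client/connect.c, the branch taken when CIFS_SES_FLAG_SCALE_CHANNELS is already set requeues the work every 2 * HZ with no retry limit, so the mchan_mount allocation, and with it the session reference taken by cifs_smb_ses_inc_refcount() in mchan_mount_alloc() (which mchan_mount_free() presumably drops), lives on for as long as another path holds the flag. Please either bound the retries or state in the comment why the flag is always cleared promptly, and say where a still-pending delayed work is cancelled or flushed when the session goes away. The new comment also names smb3_update_ses_channel twice while the function called just below is smb3_update_ses_channels; list the actual racing callers instead.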
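Review bot: in the cifs_mount hunk at @@ -3885 the delayed work is started with queue_work(cifsiod_wq, &mchan_mount->dwork.work), which queues the embedded work_struct directly, while the retry path in mchan_mount_work_fn drives the same item through queue_delayed_work(). Prefer queue_delayed_work(cifsiod_wq, &mchan_mount->dwork, 0) so the item is only ever handled through the delayed_work API; the same call is repeated in the second cifs_mount path further down.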
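Review bot: the fs/smb/client/sess.c hunk only deletes a blank line before decode_ntlmssp_challenge(), which is unrelated to the race described in the commit message; the blank line dropped between the queue_work() call and free_xid() in the cifs_mount hunk at @@ -3942 is the same kind of change. Since the patch is tagged Cc: stable, leave both whitespace changes out so the backport touches only the lines the fix needs and sess.c falls out of the diffstat.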