[PATCH] cifs: fix race condition in smb2_compound_op

Ondrej Hubsch ohubsch at purestorage.com
Tue Apr 26 12:31:52 UTC 2022

When cfile->count becomes 1 after it is passed to smb2_compound_op (aka
cfile becomes the last reference to the file handle), the call to
cifsFileInfo_put will cause an SMB2_CLOSE to be sent to the server
immediately -- just before the compound request. The compound request then
contains an incorrect (already closed) handle, resulting in EBADF/EIO.

This can happen for instance when:

1) close(fd) was called, but there are still references held in
wdata->cfile in cifs_writedata's -- these are cleaned up asynchronously in
2) smb2_query_path_info is called and successfully fetches cfile through
3) asynchronous cleanup of all wdata->cfiles completes

Then the cfile->count can be 1, triggering this bug.

This patch addresses this situation by removing the call to
cifsFileInfo_put as it is also called in the finished section right after

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15051
Signed-off-by: Ondrej Hubsch <ohubsch at purestorage.com>
 fs/cifs/smb2inode.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c
index fe5bfa245fa7..d82bd244ecab 100644
--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -361,14 +361,12 @@ smb2_compound_op(const unsigned int xid, struct
cifs_tcon *tcon,

-       if (cfile) {
-               cifsFileInfo_put(cfile);
-               cfile = NULL;
+       if (cfile)
                rc = compound_send_recv(xid, ses, server,
                                        flags, num_rqst - 2,
                                        &rqst[1], &resp_buftype[1],
-       } else
+       else
                rc = compound_send_recv(xid, ses, server,
                                        flags, num_rqst,
                                        rqst, resp_buftype,

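Review bot: the hunk drops the early cifsFileInfo_put()/cfile = NULL pair in the if (cfile) branch and relies on the release in the "finished" section, which lies outside the visible context; please confirm that every return path after this point (including error returns from compound_send_recv) reaches that release, otherwise the reference that used to be dropped here is now leaked. Since cfile is no longer cleared to NULL, the later release will see the still-held reference, which is the intended behaviour, so a short comment above `if (cfile)` stating that the handle must stay open until the compound request has been sent would keep the next reader from reintroducing the early put.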