lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250915151950.1017597-1-f.ebner@proxmox.com>
Date: Mon, 15 Sep 2025 17:19:38 +0200
From: Fiona Ebner <f.ebner@...xmox.com>
To: linux-kernel@...r.kernel.org
Cc: samba-technical@...ts.samba.org,
	linux-cifs@...r.kernel.org,
	bharathsm@...rosoft.com,
	tom@...pey.com,
	sprasad@...rosoft.com,
	ronniesahlberg@...il.com,
	pc@...guebit.org,
	sfrench@...ba.org
Subject: [PATCH 0/2] smb: client: transport: avoid reconnects triggered by pending task work

When io_uring is used in the same task as CIFS, there might be
unnecessary reconnects, causing issues in user-space applications
like QEMU with a log like:

> CIFS: VFS: \\10.10.100.81 Error -512 sending data on socket to server

Certain io_uring completions might be added to task_work with
notify_method being TWA_SIGNAL and thus TIF_NOTIFY_SIGNAL is set for
the task.

In __smb_send_rqst(), signals are masked before calling
smb_send_kvec(), but the masking does not apply to TIF_NOTIFY_SIGNAL.

If sk_stream_wait_memory() is reached via sock_sendmsg() while
TIF_NOTIFY_SIGNAL is set, signal_pending(current) will evaluate to
true there, and -EINTR will be propagated all the way from
sk_stream_wait_memory() to sock_sendmsg() in smb_send_kvec().
Afterwards, __smb_send_rqst() will see that not everything was written
and reconnect.


A reproducer exposing the issue using QEMU:
#!/bin/bash
target=$1
dd if=/dev/urandom of=/tmp/disk.raw bs=1M count=100
qemu-img create -f raw $target 100M
./qemu-system-x86_64 --qmp stdio \
--blockdev raw,node-name=node0,file.driver=file,file.filename=/tmp/disk.raw,file.aio=io_uring \
--blockdev raw,node-name=node1,file.driver=file,file.filename=$target,file.aio=native,file.cache.direct=on \
<<EOF
{"execute": "qmp_capabilities"}
{"execute": "blockdev-mirror", "arguments": { "job-id": "mirror0", "device": "node0", "target": "node1", "sync": "full" } }
EOF

Another reproducer is having a QEMU virtual machine with one disk
using io_uring and one disk on CIFS and doing IO to both disks at the
same time.

I also got a reproducer based on liburing's examples/io_uring-cp.c
which I can send along if you are interested in it.


Fiona Ebner (2):
  smb: client: transport: avoid reconnects triggered by pending task
    work
  smb: client: transport: minor indentation style fix

 fs/smb/client/transport.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

-- 
2.47.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ