CVE-2024-53176

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53176
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53176.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53176
Downstream
Related
Published
2024-12-27T14:15:24Z
Modified
2025-08-09T20:01:25Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: During unmount, ensure all cached dir instances drop their dentry

The unmount process (cifskillsb() calling closeallcached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs:

BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661!

This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including:

  • Receiving a lease break from the server
  • Server reconnection triggers invalidateallcached_dirs(), which removes all the cfids from the list
  • The laundromat thread decides to expire an old cfid.

To solve these problems, dropping the dentry is done in queued work done in a newly-added cfidputwq workqueue, and closeallcached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal.

The final cleanup work for cleaning up a cfid is performed via work queued in the serverclosewq workqueue; this is done separate from dropping the dentries so that closeallcacheddirs() doesn't block on any server operations.

Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing.

While we're here, add proper locking to closeallcached_dirs(), and locking around the freeing of cfid->dentry.

References

Affected packages