CVE-2024-53176

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/12/2024
Last modified: 08/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: During unmount, ensure all cached dir instances drop their dentry

The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs:

    BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]
    VFS: Busy inodes after unmount of cifs (cifs)
    ------------[ cut here ]------------
    kernel BUG at fs/super.c:661!

This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including:

- Receiving a lease break from the server
- Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list
- The laundromat thread decides to expire an old cfid.

To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal.

The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations.

Both of these queued works expect to be invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing.

While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.6.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding) |
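
A triage helper for this record, added here as an example and not part of the advisory or the kernel project: it checks a `uname -r` string against the version ranges listed above and scans kernel log lines for the BUG messages quoted in the description. The function names and the sample log are constructed for illustration, and the `fs/super.c` line number is assumed to vary between kernel versions.

```python
import re

# Upstream ranges from the table above: (first affected, first fixed) per branch.
AFFECTED = [((6, 1, 0), (6, 6, 64)), ((6, 7, 0), (6, 11, 11)), ((6, 12, 0), (6, 12, 2))]

# Signatures from the quoted kernel messages; any fs/super.c line number matches (assumption).
SIGNATURES = {
    "dentry_in_use": re.compile(
        r"BUG: Dentry [0-9a-f]+\{i=[0-9a-f]+,n=(?P<name>[^}]*)\}\s+"
        r"still in use \((?P<refs>\d+)\) \[unmount of cifs \S+\]"),
    "busy_inodes": re.compile(r"VFS: Busy inodes after unmount of cifs\b"),
    "super_bug": re.compile(r"kernel BUG at fs/super\.c:\d+!"),
}

def parse_release(release):
    """Turn a `uname -r` string such as '6.6.58-1-default' into (6, 6, 58)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(release):
    """True if the upstream version is in a listed range. Distribution kernels
    may carry a backported fix, so treat True as a prompt to check the changelog."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def scan(lines):
    """Return (line_number, signature_name, detail) for each matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in SIGNATURES.items():
            m = rx.search(line)
            if m:
                hits.append((n, name, m.groupdict()))
    return hits

# Constructed sample log (timestamps and the first line are made up).
SAMPLE_LOG = """\
[  812.101] usb 1-1: constructed unrelated line
[  812.204] BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]
[  812.205] VFS: Busy inodes after unmount of cifs (cifs)
[  812.206] ------------[ cut here ]------------
[  812.207] kernel BUG at fs/super.c:661!
""".splitlines()

if __name__ == "__main__":
    print("6.6.58-1-default in affected range:", in_affected_range("6.6.58-1-default"))
    print(*scan(SAMPLE_LOG), sep="\n")
```
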