ACK: [SRU][N][PATCH 0/1] cifs: Fix memory leak of a folio every call to cifs_writepages_begin()
Edoardo Canepa
edoardo.canepa at canonical.com
Tue Nov 18 09:11:15 UTC 2025
Acked-by: Edoardo Canepa <edoardo.canepa at canonical.com>
On 11/18/25 04:48, Matthew Ruffell wrote:
> BugLink: https://bugs.launchpad.net/bugs/2131213
>
> [Impact]
>
> The fix for CVE-2024-27036 introduced a slow memory leak to the cifs subsystem:
>
> commit f3dc1bdb6b0b0693562c7c54a6c28bafa608ba3c
> Author: David Howells <dhowells at redhat.com>
> Date: Thu Feb 22 11:20:26 2024 +0000
> Subject: cifs: Fix writeback data corruption
> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f3dc1bdb6b0b0693562c7c54a6c28bafa608ba3c
>
> The changes made to folios caused folios used in cifs_writepages_begin() to never
> folio_put() the references, leading to a leak of a folio per call to
> cifs_writepages_begin(). This presents itself as a slow leak, slowly leaking
> memory on each cifs operation until the system is exhausted of memory and hangs,
> which can be from several hours to several days.
>
> This greatly impacts system stability, and increases the risk of outages and
> data corruption when the system eventually runs out of memory.
>
> There are no workarounds.
>
> [Fix]
>
> This bug does not actually affect mainline Linux, due to the cifs subsystem
> undergoing a major refactor in 6.10 to switch to using netfslib to manage folios.
>
> This makes this bug only present in stable trees. It was fixed in 6.6.107 by:
>
> commit 5de7b4141af107c184f4f86594ea0763aecd764e
> From: Yang Erkun <yangerkun at huawei.com>
> Date: Fri, 12 Sep 2025 09:41:50 +0800
> Subject: cifs: fix pagecache leak when do writepages
> Link: https://github.com/gregkh/linux/commit/5de7b4141af107c184f4f86594ea0763aecd764e
>
> This has already been applied to -azure since 6.8.0-1040.46, but this is needed
> in -generic.
>
> [Testcase]
>
> 1) Create a fresh VM for the server, using noble.
> 2) sudo apt update
> 3) sudo apt upgrade
> 4) sudo hostnamectl set-hostname samba-dc
> 5) sudo vim /etc/hosts
> Add an entry with its IP address, e.g.:
> 192.168.122.124 samba-dc samba-dc.example.com
> 6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
> Note: skip config of kerberos KDC.
> 7) sudo rm /etc/krb5.conf
> 8) sudo rm /etc/samba/smb.conf
> 9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
> 10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
> 11) sudo systemctl mask smbd nmbd winbind
> 12) sudo systemctl disable smbd nmbd winbind
> 13) sudo systemctl stop smbd nmbd winbind
> 14) sudo systemctl unmask samba-ad-dc
> 15) sudo systemctl start samba-ad-dc
> 16) sudo systemctl enable samba-ad-dc
> 17) sudo reboot
> 18) sudo systemctl stop systemd-resolved
> 19) sudo systemctl disable systemd-resolved
> 20) cat << EOF >> /etc/resolv.conf
> nameserver 192.168.122.124
> search SAMBA
> EOF
> sudo vim /etc/samba/smb.conf
> Change forwarder to 8.8.8.8
> 21) sudo reboot
> 22) host -t SRV _ldap._tcp.samba-dc.example.com
> _ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
> 23) $ smbclient -L localhost -N
> Anonymous login successful
>
> Sharename Type Comment
> --------- ---- -------
> sysvol Disk
> netlogon Disk
> IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
> SMB1 disabled -- no workgroup available
> 24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
> Enter SAMBA\Administrator's password:
> . D 0 Mon Feb 28 04:23:22 2022
> .. D 0 Mon Feb 28 04:23:27 2022
>
> 9983232 blocks of size 1024. 7995324 blocks available
> 25) kinit administrator
> Password for administrator@SAMBA-DC.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
> 26) klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator@SAMBA-DC.EXAMPLE.COM
>
> Valid starting Expires Service principal
> 04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
> renew until 04/10/25 02:53:22
> 27) Create a share:
> 28) sudo mkdir -p /srv/samba/Demo/
> 29) sudo vim /etc/samba/smb.conf
> [Demo]
> path = /srv/samba/Demo/
> read only = no
> 30) sudo chmod 0770 /srv/samba/Demo/
> 31) smbclient -U Administrator //samba-dc.example.com/demo
> Password for [SAMBA\Administrator]:
> Try "help" to get a list of possible commands.
> smb: \>
> 32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
> Try "help" to get a list of possible commands.
> smb: \>
>
> Make a fresh VM for the client:
>
> $ sudo vim /etc/hosts
> Add an entry with its IP address, e.g.:
> 192.168.122.124 samba-dc samba-dc.example.com
> $ sudo apt install cifs-utils
> $ sudo -s
> # kinit Administrator@SAMBA-DC.EXAMPLE.COM
> Password for Administrator@SAMBA-DC.EXAMPLE.COM:
> Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SAMBA-DC.EXAMPLE.COM
>
> Valid starting Expires Service principal
> 04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
> renew until 04/10/25 03:26:06
> # mkdir /mnt/testshare1
> # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
> Create some small files, 6 should be enough.
> # fallocate -l 1k d1.data
> # fallocate -l 1k d2.data
> # fallocate -l 1k d3.data
> # fallocate -l 1k d4.data
> # fallocate -l 1k d5.data
> # fallocate -l 1k d6.data
> Check the free memory:
> root@noble-client:/home/ubuntu# free -m
> total used free shared buff/cache available
> Mem: 3915 393 3519 1 224 3521
> Swap: 0 0 0
> Open up six terminals, and run this in each:
> # while true ; do zstd --force d1.data ; done
> # while true ; do zstd --force d2.data ; done
> # while true ; do zstd --force d3.data ; done
> # while true ; do zstd --force d4.data ; done
> # while true ; do zstd --force d5.data ; done
> # while true ; do zstd --force d6.data ; done
> Watch free memory slowly decrease in the "free" column.
> root@noble-client:/home/ubuntu# free -m
> total used free shared buff/cache available
> Mem: 3915 529 2783 1 393 3385
> Swap: 0 0 0
> root@noble-client:/home/ubuntu# free -m
> total used free shared buff/cache available
> Mem: 3915 534 1590 1 483 3278
> Swap: 0 0 0
>
> This may take several hours.
>
> There is a test kernel in the following ppa:
>
> https://launchpad.net/~mruffell/+archive/ubuntu/lp2131213-test
>
> If you enable the ppa and install the test kernel, the memory leak will no longer
> occur.
>
> [Where problems can occur]
>
> We are changing how folios are managed and freed. This could lead to additional
> memory leaks or data corruption if a regression were to occur.
>
> Since this affects core writeback operations, if a regression were to occur, it
> would likely impact all cifs users, and there likely would not be any workarounds.
>
> [Other info]
>
> Reported in the following discourse posts:
> https://discourse.ubuntu.com/t/ubuntu-24-04-file-operations-on-top-of-a-cifs-mount-leak-memory/56439
> https://discourse.ubuntu.com/t/ubuntu-24-04-file-operations-on-top-of-a-cifs-mount-leak-memory/62985
>
> Fixed recently in -azure 6.8.0-1040.46:
> https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/2122719
>
> Upstream mailing list discussions:
> V3:
> https://lore.kernel.org/all/20250911030120.1076413-1-yangerkun@huawei.com/
> V4:
> https://lore.kernel.org/linux-cifs/20250912014150.3057545-1-yangerkun@huawei.com/
>
> Yang Erkun (1):
> cifs: fix pagecache leak when do writepages
>
> fs/smb/client/file.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
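The test case above relies on re-running `free -m` by hand over several hours. The following is an added example, not part of the original message or of the kernel patch, that records the trend from `/proc/meminfo` instead. The function names, the one-hour sample spacing and the "both fields fall at every sample" heuristic are assumptions; the constructed samples are the three `free -m` readings from the message converted to kB.

```shell
#!/bin/sh
# Added example: log MemFree/MemAvailable while the zstd loops run and
# estimate the loss rate. Typical use on the client VM (assumed workflow):
#   while sleep 600; do sample_meminfo; done >> samples.log
#   leak_trend < samples.log

# Print one sample line: "<epoch seconds> <MemFree kB> <MemAvailable kB>".
# $1 is a meminfo-format file and defaults to /proc/meminfo.
sample_meminfo() {
    awk -v now="$(date +%s)" '
        $1 == "MemFree:"      { free = $2 }
        $1 == "MemAvailable:" { avail = $2 }
        END { print now, free, avail }' "${1:-/proc/meminfo}"
}

# Read sample lines on stdin and print
# "<MemFree kB/hour> <MemAvailable kB/hour> <verdict>".
# Heuristic (assumption): "declining" only when both fields fell at every
# sample. A falling MemFree alone can be ordinary page-cache growth, which
# MemAvailable discounts because that cache is reclaimable.
leak_trend() {
    awk '
        NR == 1 { t0 = $1; f0 = $2 + 0; a0 = $3 + 0; pf = f0; pa = a0; mono = 1; next }
        {
            if ($2 + 0 >= pf || $3 + 0 >= pa) mono = 0
            pf = $2 + 0; pa = $3 + 0; t1 = $1; f1 = pf; a1 = pa
        }
        END {
            if (NR < 2 || t1 <= t0) { print "0 0 insufficient"; exit }
            hours = (t1 - t0) / 3600
            printf "%d %d %s\n", (f1 - f0) / hours, (a1 - a0) / hours,
                   (mono ? "declining" : "stable")
        }'
}

# Constructed samples: the "free" and "available" columns of the three
# free -m outputs in the message (MiB * 1024). The timestamps are invented
# at one-hour spacing; the message does not give the real intervals.
constructed_samples() {
    cat <<'EOF'
0 3603456 3605504
3600 2849792 3466240
7200 1628160 3356672
EOF
}
```

On a kernel carrying the fix, the same loop is expected to report `stable`, since the message states the leak no longer occurs with the test kernel.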