Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ksmbd: destroy async_ida in ksmbd_conn_free()

When per-connection async_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from the connection teardown path but no matching
ida_destroy() was added. The connection is therefore freed with the
IDA's backing xarray still intact.

The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
connection is freed.

No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.

Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

Authored by DaeMyung Kang and committed by Steve French
b32c8db4 c049ee14

+9
+9
fs/smb/server/connection.c
··· 98 98 kfree(conn->preauth_info); 99 99 kfree(conn->mechToken); 100 100 if (atomic_dec_and_test(&conn->refcnt)) { 101 + /* 102 + * async_ida is embedded in struct ksmbd_conn, so pair 103 + * ida_destroy() with the final kfree() rather than with 104 + * the unconditional field teardown above. This keeps 105 + * the IDA valid for the entire lifetime of the struct, 106 + * even while other refcount holders (oplock / vfs 107 + * durable handles) still reference the connection. 108 + */ 109 + ida_destroy(&conn->async_ida); 101 110 conn->transport->ops->free_transport(conn->transport); 102 111 kfree(conn); 103 112 }
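Review bot: ida_destroy(&conn->async_ida) in the atomic_dec_and_test(&conn->refcnt) branch releases the IDA's backing storage without checking whether any async id is still allocated, so an id that was never released at the last reference drop is discarded silently. Consider putting WARN_ON_ONCE(!ida_is_empty(&conn->async_ida)) immediately before it so that such a case shows up in testing. Separately, the eight-line comment names other refcount holders (oplock / vfs durable handles) that are not visible in this hunk and can go stale as the code changes; two lines stating that async_ida is embedded in struct ksmbd_conn and is therefore destroyed together with the final kfree(conn) would carry the same information.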