From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Steve French <smfrench@gmail.com>,
Tom Talpey <tom@talpey.com>, Long Li <longli@microsoft.com>,
Namjae Jeon <linkinjeon@kernel.org>,
linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
Stefan Metzmacher <metze@samba.org>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.16 133/149] smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
Date: Mon, 22 Sep 2025 21:30:33 +0200 [thread overview]
Message-ID: <20250922192416.223784333@linuxfoundation.org> (raw)
In-Reply-To: <20250922192412.885919229@linuxfoundation.org>
6.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit d9dcbbcf9145b68aa85c40947311a6907277e097 ]
In smbd_destroy() we may destroy the memory so we better
wait until post_send_credits_work is no longer pending
and will never be started again.
I actually just hit the case using rxe:
WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]
...
[ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs]
[ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30
[ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs]
[ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60
[ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs]
[ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs]
[ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]
[ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10
[ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0
[ 5305.687889] [ T138] process_one_work+0x629/0xf80
[ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30
[ 5305.687933] [ T138] worker_thread+0x87f/0x1570
...
It means rxe_post_recv was called after rdma_destroy_qp().
This happened because put_receive_buffer() was triggered
by ib_drain_qp() and called:
queue_work(info->workqueue, &info->post_send_credits_work);
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Long Li <longli@microsoft.com>
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smbdirect.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
index 8c6e766078e14..8b920410cd2fe 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -1335,6 +1335,9 @@ void smbd_destroy(struct TCP_Server_Info *server)
sc->status == SMBDIRECT_SOCKET_DISCONNECTED);
}
+ log_rdma_event(INFO, "cancelling post_send_credits_work\n");
+ disable_work_sync(&info->post_send_credits_work);
+
log_rdma_event(INFO, "destroying qp\n");
ib_drain_qp(sc->ib.qp);
rdma_destroy_qp(sc->rdma.cm_id);
--
2.51.0
next prev parent reply other threads:[~2025-09-22 19:47 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250922192412.885919229@linuxfoundation.org>
2025-09-22 19:28 ` [PATCH 6.16 012/149] smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES Greg Kroah-Hartman
2025-09-22 19:29 ` [PATCH 6.16 048/149] ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 126/149] smb: smbdirect: introduce smbdirect_socket.recv_io.expected Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 127/149] smb: client: make use of smbdirect_socket->recv_io.expected Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 128/149] smb: smbdirect: introduce struct smbdirect_recv_io Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 129/149] smb: client: make use of " Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 130/149] smb: client: let recv_done verify data_offset, data_length and remaining_data_length Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 131/149] smb: client: fix filename matching of deferred files Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 132/149] smb: client: use disable[_delayed]_work_sync in smbdirect.c Greg Kroah-Hartman
2025-09-22 19:30 ` Greg Kroah-Hartman [this message]
2025-09-22 19:30 ` [PATCH 6.16 136/149] smb: client: fix file open check in __cifs_unlink() Greg Kroah-Hartman
2025-09-22 19:30 ` [PATCH 6.16 137/149] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250922192416.223784333@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=longli@microsoft.com \
--cc=metze@samba.org \
--cc=patches@lists.linux.dev \
--cc=samba-technical@lists.samba.org \
--cc=sashal@kernel.org \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox