* [PATCH v2 0/2] smb/client: fix memory leaks
@ 2026-02-02 8:24 chenxiaosong.chenxiaosong
2026-02-02 8:24 ` [PATCH v2 1/2] smb/client: fix memory leak in SendReceive() chenxiaosong.chenxiaosong
2026-02-02 8:24 ` [PATCH v2 2/2] smb/client: fix memory leak in smb2_open_file() chenxiaosong.chenxiaosong
0 siblings, 2 replies; 5+ messages in thread
From: chenxiaosong.chenxiaosong @ 2026-02-02 8:24 UTC
To: smfrench, linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
senozhatsky, dhowells, nspmangalore, henrique.carvalho,
meetakshisetiyaoss, ematsumiya, pali
Cc: linux-cifs, ChenXiaoSong
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
v1->v2:
- Add "Reported-by: Paulo Alcantara <pc@manguebit.org>"
- Patch #02
- Add "Reviewed-by: Pali Rohár <pali@kernel.org>"
- Update the commit message description
Steve, the patch #02 has already been merged into cifs-2.6.git for-next.
Please replace it with the updated version.
For detailed information, please see the link: https://chenxiaosong.com/en/smb-buildbot.html (I will ensure this link is always accessible).
v1:
- smb/client: fix memory leak in SendReceive(): https://lore.kernel.org/linux-cifs/20260202064928.1879323-1-chenxiaosong.chenxiaosong@linux.dev/
- smb/client: fix memory leak in smb2_open_file(): https://lore.kernel.org/linux-cifs/20260201081017.998628-1-chenxiaosong.chenxiaosong@linux.dev/
ChenXiaoSong (2):
smb/client: fix memory leak in SendReceive()
smb/client: fix memory leak in smb2_open_file()
fs/smb/client/smb1transport.c | 4 +++-
fs/smb/client/smb2file.c | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
--
2.52.0
* [PATCH v2 1/2] smb/client: fix memory leak in SendReceive()
2026-02-02 8:24 [PATCH v2 0/2] smb/client: fix memory leaks chenxiaosong.chenxiaosong
@ 2026-02-02 8:24 ` chenxiaosong.chenxiaosong
2026-02-02 8:50 ` Steve French
2026-02-02 8:24 ` [PATCH v2 2/2] smb/client: fix memory leak in smb2_open_file() chenxiaosong.chenxiaosong
1 sibling, 1 reply; 5+ messages in thread
From: chenxiaosong.chenxiaosong @ 2026-02-02 8:24 UTC
To: smfrench, linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
senozhatsky, dhowells, nspmangalore, henrique.carvalho,
meetakshisetiyaoss, ematsumiya, pali
Cc: linux-cifs, ChenXiaoSong
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
Reproducer:
1. server: supports SMB1, directories are exported read-only
2. client: mount -t cifs -o vers=1.0 //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
=============================================================================
BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000d34491e6 @offset=896
Object 0x00000000bde9fab3 @offset=4480
Object 0x00000000104a1f70 @offset=6272
Object 0x0000000092a51bb5 @offset=7616
Object 0x000000006714a7db @offset=13440
...
WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x379/0x3f0, CPU#7: modprobe/712
...
Call Trace:
<TASK>
kmem_cache_destroy+0x69/0x160
cifs_destroy_request_bufs+0x39/0x40 [cifs]
cleanup_module+0x43/0xfc0 [cifs]
__se_sys_delete_module+0x1d5/0x300
__x64_sys_delete_module+0x1a/0x30
x64_sys_call+0x2299/0x2ff0
do_syscall_64+0x6e/0x270
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x39/0x40 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x142/0x160, CPU#7: modprobe/712
Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6
Fixes: 6be09580df5c ("cifs: Make smb1's SendReceive() wrap cifs_send_recv()")
Reported-by: Paulo Alcantara <pc@manguebit.org>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
---
fs/smb/client/smb1transport.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/smb1transport.c b/fs/smb/client/smb1transport.c
index 0528c1919961..0b8b852cfc0d 100644
--- a/fs/smb/client/smb1transport.c
+++ b/fs/smb/client/smb1transport.c
@@ -252,13 +252,15 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
rc = cifs_send_recv(xid, ses, ses->server,
&rqst, &resp_buf_type, flags, &resp_iov);
if (rc < 0)
- return rc;
+ goto out;
if (out_buf) {
*pbytes_returned = resp_iov.iov_len;
if (resp_iov.iov_len)
memcpy(out_buf, resp_iov.iov_base, resp_iov.iov_len);
}
+
+out:
free_rsp_buf(resp_buf_type, resp_iov.iov_base);
return rc;
}
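Review bot: With the new `goto out` on the `rc < 0` path, `free_rsp_buf(resp_buf_type, resp_iov.iov_base)` now also runs when `cifs_send_recv()` fails before any response arrives, and the hunk does not show where `resp_buf_type` and `resp_iov` are initialised. Please confirm both start in a no-buffer state (`CIFS_NO_BUFFER` and a zeroed kvec) at declaration, or add the initialisers in this patch, so the early-failure case cannot hand uninitialised stack values to the free helper. A sentence in the commit message naming the failure that returns a response buffer together with a negative `rc` would also help, since the log only shows the leftover `cifs_small_rq` objects.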
--
2.52.0
* [PATCH v2 2/2] smb/client: fix memory leak in smb2_open_file()
2026-02-02 8:24 [PATCH v2 0/2] smb/client: fix memory leaks chenxiaosong.chenxiaosong
2026-02-02 8:24 ` [PATCH v2 1/2] smb/client: fix memory leak in SendReceive() chenxiaosong.chenxiaosong
@ 2026-02-02 8:24 ` chenxiaosong.chenxiaosong
1 sibling, 0 replies; 5+ messages in thread
From: chenxiaosong.chenxiaosong @ 2026-02-02 8:24 UTC
To: smfrench, linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
senozhatsky, dhowells, nspmangalore, henrique.carvalho,
meetakshisetiyaoss, ematsumiya, pali
Cc: linux-cifs, ChenXiaoSong
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
=============================================================================
BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000d47521be @offset=14336
...
WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577
...
Call Trace:
<TASK>
kmem_cache_destroy+0x94/0x190
cifs_destroy_request_bufs+0x3e/0x50 [cifs]
cleanup_module+0x4e/0x540 [cifs]
__se_sys_delete_module+0x278/0x400
__x64_sys_delete_module+0x5f/0x70
x64_sys_call+0x2299/0x2ff0
do_syscall_64+0x89/0x350
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6
Fixes: e255612b5ed9 ("cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES")
Reported-by: Paulo Alcantara <pc@manguebit.org>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Reviewed-by: Pali Rohár <pali@kernel.org>
---
fs/smb/client/smb2file.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index 0f0514be29cd..9ab0df01b774 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -178,6 +178,7 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov,
&err_buftype);
if (rc == -EACCES && retry_without_read_attributes) {
+ free_rsp_buf(err_buftype, err_iov.iov_base);
oparms->desired_access &= ~FILE_READ_ATTRIBUTES;
rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov,
&err_buftype);
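Review bot: After the added `free_rsp_buf(err_buftype, err_iov.iov_base)`, `err_iov.iov_base` and `err_buftype` still hold the freed buffer's values when they are passed to the second `SMB2_open()`. If that call can return without rewriting both, any later cleanup of `err_iov` in this function would free the same buffer twice. Resetting them right after the free (`err_iov.iov_base = NULL; err_buftype = CIFS_NO_BUFFER;`) keeps the retry path safe regardless of what the callee does.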
--
2.52.0
* Re: [PATCH v2 1/2] smb/client: fix memory leak in SendReceive()
2026-02-02 8:24 ` [PATCH v2 1/2] smb/client: fix memory leak in SendReceive() chenxiaosong.chenxiaosong
@ 2026-02-02 8:50 ` Steve French
2026-02-02 9:11 ` ChenXiaoSong
0 siblings, 1 reply; 5+ messages in thread
From: Steve French @ 2026-02-02 8:50 UTC
To: chenxiaosong.chenxiaosong
Cc: linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
senozhatsky, dhowells, nspmangalore, henrique.carvalho,
meetakshisetiyaoss, ematsumiya, pali, linux-cifs, ChenXiaoSong
merged both into cifs-2.6.git for-next but this smb1 patch has
dependencies on other patches for next merge window so might have been
better to rebase on mainline so we could send sooner (although that
would also require changing at least one other patch in for-next).
On Mon, Feb 2, 2026 at 2:25 AM <chenxiaosong.chenxiaosong@linux.dev> wrote:
>
> From: ChenXiaoSong <chenxiaosong@kylinos.cn>
>
> Reproducer:
>
> 1. server: supports SMB1, directories are exported read-only
> 2. client: mount -t cifs -o vers=1.0 //${server_ip}/export /mnt
> 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
> 4. client: umount /mnt
> 5. client: sleep 1
> 6. client: modprobe -r cifs
>
> The error message is as follows:
>
> =============================================================================
> BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
> -----------------------------------------------------------------------------
>
> Object 0x00000000d34491e6 @offset=896
> Object 0x00000000bde9fab3 @offset=4480
> Object 0x00000000104a1f70 @offset=6272
> Object 0x0000000092a51bb5 @offset=7616
> Object 0x000000006714a7db @offset=13440
> ...
> WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x379/0x3f0, CPU#7: modprobe/712
> ...
> Call Trace:
> <TASK>
> kmem_cache_destroy+0x69/0x160
> cifs_destroy_request_bufs+0x39/0x40 [cifs]
> cleanup_module+0x43/0xfc0 [cifs]
> __se_sys_delete_module+0x1d5/0x300
> __x64_sys_delete_module+0x1a/0x30
> x64_sys_call+0x2299/0x2ff0
> do_syscall_64+0x6e/0x270
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> ...
> kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x39/0x40 [cifs]
> WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x142/0x160, CPU#7: modprobe/712
>
> Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6
> Fixes: 6be09580df5c ("cifs: Make smb1's SendReceive() wrap cifs_send_recv()")
> Reported-by: Paulo Alcantara <pc@manguebit.org>
> Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
> ---
> fs/smb/client/smb1transport.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/smb1transport.c b/fs/smb/client/smb1transport.c
> index 0528c1919961..0b8b852cfc0d 100644
> --- a/fs/smb/client/smb1transport.c
> +++ b/fs/smb/client/smb1transport.c
> @@ -252,13 +252,15 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
> rc = cifs_send_recv(xid, ses, ses->server,
> &rqst, &resp_buf_type, flags, &resp_iov);
> if (rc < 0)
> - return rc;
> + goto out;
>
> if (out_buf) {
> *pbytes_returned = resp_iov.iov_len;
> if (resp_iov.iov_len)
> memcpy(out_buf, resp_iov.iov_base, resp_iov.iov_len);
> }
> +
> +out:
> free_rsp_buf(resp_buf_type, resp_iov.iov_base);
> return rc;
> }
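Review bot: Not introduced by this change, but the `memcpy(out_buf, resp_iov.iov_base, resp_iov.iov_len)` kept as context in this hunk copies a length taken from the response, with no bound visible here. Since the function is being touched anyway, it is worth checking that `resp_iov.iov_len` is validated against the size of `out_buf` before this point, or adding that check in a follow-up patch.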
> --
> 2.52.0
>
--
Thanks,
Steve
* Re: [PATCH v2 1/2] smb/client: fix memory leak in SendReceive()
2026-02-02 8:50 ` Steve French
@ 2026-02-02 9:11 ` ChenXiaoSong
0 siblings, 0 replies; 5+ messages in thread
From: ChenXiaoSong @ 2026-02-02 9:11 UTC
To: Steve French
Cc: linkinjeon, pc, ronniesahlberg, sprasad, tom, bharathsm,
senozhatsky, dhowells, nspmangalore, henrique.carvalho,
meetakshisetiyaoss, ematsumiya, pali, linux-cifs, ChenXiaoSong
Should I send a new version rebased on mainline? In that case, some of
David's patches for the next merge window need further changes.
Thanks,
ChenXiaoSong <chenxiaosong@kylinos.cn>
On 2/2/26 4:50 PM, Steve French wrote:
> merged both into cifs-2.6.git for-next but this smb1 patch has
> dependencies on other patches for next merge window so might have been
> better to rebase on mainline so we could send sooner (although that
> would also require changing at least one other patch in for-next).