From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: ZhangGuoDong <zhangguodong@kylinos.cn>,
ChenXiaoSong <chenxiaosong@kylinos.cn>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>,
smfrench@gmail.com, linux-cifs@vger.kernel.org
Subject: [PATCH AUTOSEL 6.18-5.15] smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
Date: Wed, 7 Jan 2026 10:53:03 -0500 [thread overview]
Message-ID: <20260107155329.4063936-1-sashal@kernel.org> (raw)
From: ZhangGuoDong <zhangguodong@kylinos.cn>
[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ]
When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().
Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
### 3. CLASSIFICATION
**Bug Type:** Resource leak
- This is clearly a **bug fix**, not a feature addition
- When `ksmbd_iov_pin_rsp()` fails after `ksmbd_session_rpc_open()`
succeeds, the RPC session is never closed
- Resources leaked include:
- The `ksmbd_session_rpc` structure memory
- The IPC ID allocated via `ksmbd_ipc_id_alloc()`
- Entry remains in the session's `rpc_handle_list` xarray
### 4. SCOPE AND RISK ASSESSMENT
**Size:** Very small - 4 lines of actual code change
- Line 1: `int id;` → `int id = -1;` (initialization to enable cleanup
check)
- Lines 2-3: Added `if (id >= 0) ksmbd_session_rpc_close(work->sess,
id);` in error path
**Risk:** Very low
- Only affects the error path when `ksmbd_iov_pin_rsp()` fails
- Standard cleanup pattern already used elsewhere in the codebase
- Cannot affect normal (successful) operation
**Subsystem:** ksmbd (kernel SMB server)
- Mature component, been in mainline since Linux 5.15
- Has an active maintainer (Namjae Jeon)
### 5. USER IMPACT
- **Who is affected:** Users running ksmbd as their SMB server
- **Trigger condition:** Any time `ksmbd_iov_pin_rsp()` fails after
opening an RPC pipe
- **Severity:** Medium - resource leaks accumulate over time, can lead
to system degradation or resource exhaustion under sustained error
conditions
- **Real-world likelihood:** Moderate - `ksmbd_iov_pin_rsp()` can fail
with -ENOMEM under memory pressure
### 6. STABILITY INDICATORS
- **Acked-by:** Namjae Jeon (ksmbd maintainer)
- **Signed-off-by:** Steve French (SMB/CIFS maintainer)
- The fix follows the existing pattern in the codebase (similar cleanup
is done for `name` in the same error path)
### 7. DEPENDENCY CHECK
- No dependencies on other commits
- Uses `ksmbd_session_rpc_close()` which exists in all kernel versions
with ksmbd (5.15+)
- The affected code (`create_smb2_pipe()` and `ksmbd_iov_pin_rsp()`)
exists in stable trees
---
## Conclusion
This commit fixes a clear resource leak in the ksmbd SMB server. When
the final step of creating an SMB pipe (`ksmbd_iov_pin_rsp()`) fails,
the previously opened RPC session was never cleaned up, causing memory
and ID leaks.
**Why it should be backported:**
1. **Fixes a real bug** - Resource leaks are a well-known category of
bugs that accumulate over time
2. **Obviously correct** - Standard error path cleanup pattern, mirrors
how `name` is freed in the same path
3. **Small and surgical** - Only 4 lines changed, localized to one
function
4. **Low risk** - Only affects error path, cannot break normal operation
5. **Maintainer acknowledgment** - Acked by ksmbd maintainer
6. **Affects stable trees** - ksmbd has been in-kernel since 5.15,
stable users can hit this bug
**Concerns:** None significant. The fix is trivial and follows
established patterns.
**YES**
fs/smb/server/smb2pdu.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 6a94cda0927d..e052dcb9a14c 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2291,7 +2291,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
{
struct smb2_create_rsp *rsp;
struct smb2_create_req *req;
- int id;
+ int id = -1;
int err;
char *name;
@@ -2348,6 +2348,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
break;
}
+ if (id >= 0)
+ ksmbd_session_rpc_close(work->sess, id);
+
if (!IS_ERR(name))
kfree(name);
--
2.51.0
next reply other threads:[~2026-01-07 15:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-07 15:53 Sasha Levin [this message]
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18] io_uring: use GFP_NOWAIT for overflow CQEs on legacy rings Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-6.6] smb/server: fix refcount leak in smb2_open() Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18] wifi: mac80211: don't WARN for connections on invalid channels Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-5.10] net: usb: sr9700: support devices with virtual driver CD Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-5.10] wifi: mac80211: ocb: skip rx_no_sta when interface is not joined Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-5.10] block,bfq: fix aux stat accumulation destination Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18] platform/x86: dell-lis3lv02d: Add Latitude 5400 Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-5.10] wifi: wlcore: ensure skb headroom before skb_push Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-6.6] smb/server: fix refcount leak in parse_durable_handle_context() Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18] wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-6.1] LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-6.1] LoongArch: Enable exception fixup for specific ADE subcode Sasha Levin
2026-01-07 15:53 ` [PATCH AUTOSEL 6.18-6.12] md: suspend array while updating raid_disks via sysfs Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260107155329.4063936-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=chenxiaosong@kylinos.cn \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=zhangguodong@kylinos.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox