From: ZhangGuoDong zhangguodong@kylinos.cn
[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ]
When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().
Signed-off-by: ZhangGuoDong zhangguodong@kylinos.cn
Signed-off-by: ChenXiaoSong chenxiaosong@kylinos.cn
Acked-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
### 3. CLASSIFICATION
**Bug Type:** Resource leak

- This is clearly a **bug fix**, not a feature addition
- When `ksmbd_iov_pin_rsp()` fails after `ksmbd_session_rpc_open()` succeeds, the RPC session is never closed
- Resources leaked include:
  - The `ksmbd_session_rpc` structure memory
  - The IPC ID allocated via `ksmbd_ipc_id_alloc()`
  - The entry left behind in the session's `rpc_handle_list` xarray
### 4. SCOPE AND RISK ASSESSMENT
**Size:** Very small

- 4 lines of actual code change
- Line 1: `int id;` → `int id = -1;` (initialization to enable the cleanup check)
- Lines 2-3: Added `if (id >= 0) ksmbd_session_rpc_close(work->sess, id);` in the error path

**Risk:** Very low

- Only affects the error path when `ksmbd_iov_pin_rsp()` fails
- Standard cleanup pattern already used elsewhere in the codebase
- Cannot affect normal (successful) operation

**Subsystem:** ksmbd (kernel SMB server)

- Mature component, in mainline since Linux 5.15
- Has an active maintainer (Namjae Jeon)
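As an added illustration, not ksmbd code: a small C model of the error path before and after the fix. `rpc_open()`, `rpc_close()` and `iov_pin_rsp()` are hypothetical stand-ins for `ksmbd_session_rpc_open()`, `ksmbd_session_rpc_close()` and `ksmbd_iov_pin_rsp()` that count live handles and let the pin step be forced to fail, so the leak can be measured directly under fault injection.

```c
/* Added example, not ksmbd code: a stand-in model of create_smb2_pipe()'s
 * error path.  The three helpers below are hypothetical stubs that track how
 * many RPC handles are open and allow the pin step to fail on demand. */
#include <errno.h>
#include <stdio.h>

static int live_handles;   /* handles opened but not yet closed */
static int next_id;        /* next handle id handed out by rpc_open() */
static int fail_pin;       /* fault injection: 1 => iov_pin_rsp() fails */

static int rpc_open(void)        { live_handles++; return next_id++; }
static void rpc_close(int id)    { (void)id; live_handles--; }
static int iov_pin_rsp(void)     { return fail_pin ? -ENOMEM : 0; }

/* Before the fix: nothing closes the RPC handle when pinning the response
 * fails, so every failure leaves one handle open. */
static int create_pipe_leaky(void)
{
    int id;
    int err;

    id = rpc_open();
    if (id < 0)
        return id;

    err = iov_pin_rsp();
    if (err)
        goto out;          /* leak: handle `id` is still open */
    return 0;
out:
    return err;
}

/* After the fix: `id` starts at -1 so the shared error label can tell whether
 * rpc_open() ever succeeded and closes the handle only in that case.  A
 * negative error code stored in `id` by a failed open also skips the close. */
static int create_pipe_fixed(void)
{
    int id = -1;
    int err;

    id = rpc_open();
    if (id < 0) {
        err = id;
        goto out;
    }

    err = iov_pin_rsp();
    if (err)
        goto out;
    return 0;
out:
    if (id >= 0)
        rpc_close(id);
    return err;
}

/* Run one variant `iterations` times with pin failures injected and return
 * how many handles are still open afterwards. */
static int leaked_after(int (*fn)(void), int iterations)
{
    int i;

    live_handles = 0;
    fail_pin = 1;
    for (i = 0; i < iterations; i++)
        (void)fn();
    fail_pin = 0;
    return live_handles;
}

int main(void)
{
    printf("leaky: %d handles left open\n", leaked_after(create_pipe_leaky, 100));
    printf("fixed: %d handles left open\n", leaked_after(create_pipe_fixed, 100));
    return 0;
}
```

The leaky variant leaves one handle open per injected failure, which is the accumulation the explanation describes; the fixed variant returns the handle count to zero no matter how many times the pin step fails.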
### 5. USER IMPACT
- **Who is affected:** Users running ksmbd as their SMB server
- **Trigger condition:** Any time `ksmbd_iov_pin_rsp()` fails after opening an RPC pipe
- **Severity:** Medium; resource leaks accumulate over time and can lead to system degradation or resource exhaustion under sustained error conditions
- **Real-world likelihood:** Moderate; `ksmbd_iov_pin_rsp()` can fail with -ENOMEM under memory pressure
### 6. STABILITY INDICATORS
- **Acked-by:** Namjae Jeon (ksmbd maintainer)
- **Signed-off-by:** Steve French (SMB/CIFS maintainer)
- The fix follows the existing pattern in the codebase (similar cleanup is done for `name` in the same error path)
### 7. DEPENDENCY CHECK
- No dependencies on other commits
- Uses `ksmbd_session_rpc_close()`, which exists in all kernel versions with ksmbd (5.15+)
- The affected code (`create_smb2_pipe()` and `ksmbd_iov_pin_rsp()`) exists in stable trees
---
## Conclusion
This commit fixes a clear resource leak in the ksmbd SMB server. When the final step of creating an SMB pipe (`ksmbd_iov_pin_rsp()`) fails, the previously opened RPC session was never cleaned up, causing memory and ID leaks.
**Why it should be backported:**

1. **Fixes a real bug**: resource leaks are a well-known category of bugs that accumulate over time
2. **Obviously correct**: standard error path cleanup pattern, mirrors how `name` is freed in the same path
3. **Small and surgical**: only 4 lines changed, localized to one function
4. **Low risk**: only affects the error path, cannot break normal operation
5. **Maintainer acknowledgment**: acked by the ksmbd maintainer
6. **Affects stable trees**: ksmbd has been in-kernel since 5.15, so stable users can hit this bug

**Concerns:** None significant. The fix is trivial and follows established patterns.
**YES**
fs/smb/server/smb2pdu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 6a94cda0927d..e052dcb9a14c 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2291,7 +2291,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) { struct smb2_create_rsp *rsp; struct smb2_create_req *req; - int id; + int id = -1; int err; char *name;
@@ -2348,6 +2348,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) break; }
+ if (id >= 0) + ksmbd_session_rpc_close(work->sess, id); + if (!IS_ERR(name)) kfree(name);
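Review bot: The new `if (id >= 0)` guard before `kfree(name)` runs on every path that reaches this cleanup, not only the `ksmbd_iov_pin_rsp()` failure, so its correctness rests on two things the context lines do not show: that `id` is only ever assigned a non-negative value by a successful `ksmbd_session_rpc_open()` (a negative error code stored in `id` correctly skips the close, but a path that assigns `id` from something else would not), and that the success path has already returned before this label, since closing here after the response was pinned would tear down a pipe the client has just been handed. Please confirm both. The commit message also carries no `Fixes:` tag; a stable backport of a leak fix normally names the commit that introduced the leak so the right trees get picked.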