Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2229607/?format=api
{ "id": 2229607, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229607/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260428140856.941847-4-charsyam@gmail.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260428140856.941847-4-charsyam@gmail.com>", "date": "2026-04-28T14:08:56", "name": "[v2,3/3] ksmbd: close durable scavenger races against m_fp_list lookups", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "2c200b91feb1653f0f5d5ec211655dcf5d98a7c9", "submitter": { "id": 93166, "url": "http://patchwork.ozlabs.org/api/1.1/people/93166/?format=api", "name": "DaeMyung Kang", "email": "charsyam@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260428140856.941847-4-charsyam@gmail.com/mbox/", "series": [ { "id": 501865, "url": "http://patchwork.ozlabs.org/api/1.1/series/501865/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=501865", "date": "2026-04-28T14:08:55", "name": "ksmbd: fix connection and durable handle teardown races", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/501865/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229607/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229607/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-cifs+bounces-11219-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=A+mQ76Ep;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11219-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"A+mQ76Ep\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.216.44", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4j6p5glwz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 00:12:02 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 47550303AEC5\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 14:09:38 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0A107441044;\n\tTue, 28 Apr 2026 14:09:14 +0000 (UTC)", "from mail-pj1-f44.google.com (mail-pj1-f44.google.com\n [209.85.216.44])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 67D0644A711\n\tfor <linux-cifs@vger.kernel.org>; Tue, 28 Apr 2026 14:09:12 +0000 (UTC)", "by mail-pj1-f44.google.com with SMTP id\n 98e67ed59e1d1-35d99c906d5so1772409a91.1\n for <linux-cifs@vger.kernel.org>;\n Tue, 28 Apr 2026 07:09:12 -0700 (PDT)", "from ser8.. ([221.156.231.192])\n by smtp.gmail.com with ESMTPSA id\n 41be03b00d2f7-c7fcade0f56sm2190526a12.21.2026.04.28.07.09.09\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 07:09:11 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777385353; cv=none;\n b=XHn/bMTbWaXVlRslw67vIloV86XfAjWoNgYHWOistfL6U2Kh37j8MU9PlTple+sqeSCTV+tgovzBPWQggcXkD9Lvx3Bn3+j3T+ptlZdEuu5TInfCoPUlDp3+CHPCp07tTRLvEhzSkfNRooY2KoHBDeTMq3t6WLoJju1i0BiuMwM=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777385353; c=relaxed/simple;\n\tbh=4wj41cHrtYbOpRGT0t7PtOWHzkpMgKUVap56UoFLJIQ=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=T/ICu6zIQAtMIX9fjO2nvsX9dXBMnN1LeV3Mdl97IYA4Tn9eCOXn1CPphOR3IhCzex8IU3tz8nVGagzOKdjbSujn+RPKkflr2LvzM77A1TPK9rxv/xvdBLYvJ7jW1rN8a+wgZAhttrcgcc3hsiHwKH+Qt349ypGqQmKUwMdC6mY=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=A+mQ76Ep; arc=none smtp.client-ip=209.85.216.44", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777385352; x=1777990152;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=tkJ08U6yZCRDKix+9y0PgVL7KcnbudlGjXHmuDGf9BQ=;\n b=A+mQ76EpoWEDPhZKKZtmBBKkp7SYakv6ALWIRj7PjT47LMCg8HAUXlsI0GS4lMswP1\n GwthRNhxoxBJY2qo1dBdKh+QjHBp9gZ4Idp2G7lPur2S+XiUWENRogy/AiIOhI2JBcIi\n ERC08CX9acZ0XJ2n8yMJPhtOSI2/coKfsyJfTWJjPz84Xro5HxcIkljdaftpOni3UdcG\n 4omAK4542NKx/uYnj/p9Kkoll7OsRk0xEJzsLi/A/kPSATu1/kx2nu2WZ7dGhdt6CBhs\n 3uuwvwyCIr1lfPo217VOmi1E3NB6/kf9tMEnRcziVqPkVxH8FvRIZClhH6GhblYgjWnY\n oJeA==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777385352; x=1777990152;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=tkJ08U6yZCRDKix+9y0PgVL7KcnbudlGjXHmuDGf9BQ=;\n b=USbF5/i1agroOcug7DKqkHmfKhvdNdOKt94DKs2ZhgejnIMVfaUIDTIiJbQ7JqLMO2\n TJSm+QlwV5S7Kk9y6SokZ5nyso/1d9CNqggBa9u940fbp+Oopw0kUiErVjC1j4uHj2bv\n rquo9ulIFiWE2XqVcFErclyklGIaxAknAu5Y2Qot7JumWjYtwjVFT/1xEFxACuvlLi0B\n yIaDSyH4kSqMIsTyiVbYZKFH1IfkA3o6rp2W8NNM5jJsSOtMgy1joSYXnWvl/aVyd/Mz\n ru0TW/d9d7omxOWRnb9LP03TlgXbuHrK75oqAjdwrofLt96xC+MJdZgzaJtftL2SzjNd\n 4FCA==", "X-Forwarded-Encrypted": "i=1;\n AFNElJ9EqLRglXbdlwRplR8Gj5SvvxqXZLcmrbUdjF04DBhk2I5O6hwiiUK/sYVqEbYrYXoN10Dj1bPZC5+l@vger.kernel.org", "X-Gm-Message-State": "AOJu0YwpAydHZIyJc7AFmmgSoK98abs3BjA0NUAJ8WqPYD9sXwUZurdB\n\tdOgV122CjJM0Tuo1aJfnmGOEHPqAPZ0BQMNxcNmxHEBOLOcFW3KeMTxQ", "X-Gm-Gg": "AeBDietc7UOvtS7cTVkLa54nnvr7rTEnzxjSuH1BJTCwjjAUb+umEr+xPOMlK0OSqhb\n\taPIGcuGjQcTuwRNlGV2w2UOx2NWQ4niCLcAf7VI54RF2vt+EYFo+fTWBAp/RNOyEI5IJMGuMXfB\n\tvVr84BzIDCKms5cUYP5cDh5D702uScB0cX92PfeLGYMKoc8q/jwXqDJb0NU30YGZxGNLpoDq01g\n\t5GQlPDH1MRY+mNL15pYmQkk+5NWF6MMPKcLEUzqnmVsCFRNKiPlePdGrnbUckC6b5mzbWC5gpUa\n\tFfanjWmiZyw4FeKmcDa+gxu8CxkRowy9nwp/g0+DaoMuN8j6a2itQ7m1vT3tO7ZfOZ/u1oAmn2r\n\tbZLWH3oVbMp9JxO92V6aU+jq/OuNB8K31zEgN/odykISdPTaMxy9cHJ1CY815OoLj/8AATu1ZUa\n\t3wr2c0E3nmWNnN7lo48ZaEMUBMcvk=", "X-Received": "by 2002:a05:6a21:104:b0:3a2:d3c3:39a9 with SMTP id\n adf61e73a8af0-3a39889bc54mr2419585637.0.1777385351601;\n Tue, 28 Apr 2026 07:09:11 -0700 (PDT)", "From": "DaeMyung Kang <charsyam@gmail.com>", "To": "Namjae Jeon <linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>", "Cc": "Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>,\n\tHyunchul Lee <hyc.lee@gmail.com>,\n\tRonnie Sahlberg <lsahlber@redhat.com>,\n\tlinux-cifs@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tDaeMyung Kang <charsyam@gmail.com>", "Subject": "[PATCH v2 3/3] ksmbd: close durable scavenger races against m_fp_list\n lookups", "Date": "Tue, 28 Apr 2026 23:08:56 +0900", "Message-ID": "<20260428140856.941847-4-charsyam@gmail.com>", "X-Mailer": "git-send-email 2.43.0", "In-Reply-To": "<20260428140856.941847-1-charsyam@gmail.com>", "References": "<20260428140856.941847-1-charsyam@gmail.com>", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "ksmbd_durable_scavenger() has two related races against any walker\nthat iterates f_ci->m_fp_list, including ksmbd_lookup_fd_inode()\n(used by ksmbd_vfs_rename) and the share-mode checks in\nfs/smb/server/smb_common.c.\n\n(1) fp->node list-head reuse. Durable-preserved handles can remain\nlinked on f_ci->m_fp_list after session teardown so share-mode checks\nstill see them while the handle is reconnectable. The scavenger\ncollected expired handles by adding fp->node to a local\nscavenger_list after removing them from the global durable idr.\nBecause fp->node is the same list_head used by m_fp_list,\nlist_add(&fp->node, &scavenger_list) overwrites the m_fp_list links\nand corrupts both lists. CONFIG_DEBUG_LIST can report this on the\nshare-mode walk path.\n\n(2) Refcount race against m_fp_list walkers. The scavenger qualifies\nan expired durable handle with atomic_read(&fp->refcount) > 1 and\nfp->conn under global_ft.lock, removes fp from global_ft, then drops\nglobal_ft.lock before unlinking fp from m_fp_list and freeing it.\nDuring that gap fp is still linked on m_fp_list with f_state ==\nFP_INITED. ksmbd_lookup_fd_inode() under m_lock read calls\nksmbd_fp_get() (atomic_inc_not_zero on refcount that is still 1) and\ntakes a live reference; the scavenger then unlinks and frees fp\nwhile the holder owns a reference, leading to UAF on the holder's\nsubsequent ksmbd_fd_put() and on any field reads performed by a\nconcurrent share-mode walker that iterates m_fp_list without taking\nksmbd_fp_get() (smb_check_perm_dleases-like paths).\n\nFix both:\n\n * Stop reusing fp->node as a scavenger-private list node. Remove\n one expired handle from global_ft under global_ft.lock, take an\n explicit transient reference, drop the lock, unlink fp->node\n from m_fp_list under f_ci->m_lock, then drop both the durable\n lifetime and transient references with atomic_sub_and_test(2,\n &fp->refcount). If the scavenger is the last putter the close\n runs there; otherwise an in-flight holder that already raced\n through the m_fp_list lookup owns the final close via its\n ksmbd_fd_put() path. The one-at-a-time disposal can rescan the\n durable idr when multiple handles expire in the same pass, but\n durable scavenging is a background expiration path and the final\n full scan recomputes min_timeout before the next wait.\n\n * Clear fp->persistent_id inside __ksmbd_remove_durable_fd() right\n after idr_remove(), so a delayed final close from a holder that\n snatched fp does not re-issue idr_remove() on a persistent id\n that idr_alloc_cyclic() in ksmbd_open_durable_fd() may have\n already handed out to a brand-new durable handle.\n\n * Bypass the per-conn open_files_count decrement in\n __put_fd_final() when fp is detached from any session table\n (fp->conn cleared by session_fd_check() at durable preserve --\n paired with the volatile_id clear at unpublish, so checking\n fp->conn alone is sufficient). The walker that owns the final\n close runs from an unrelated work->conn whose\n stats.open_files_count never tracked this durable fp; without\n this guard the holder would underflow that unrelated counter.\n\nThe two races are folded into one patch because patch (1) alone\ncleans up the corrupted list but leaves a deterministic UAF window\nfor m_fp_list walkers that the transient-reference and\npersistent_id discipline in (2) close; bisecting onto an\nintermediate state would land on a UAF that pre-patch chaos merely\nmade less reproducible.\n\nValidation:\n * CONFIG_DEBUG_LIST coverage for the list_head reuse path.\n * KASAN-enabled direct SMB2 durable-handle coverage that exercised\n ksmbd_durable_scavenger() and non-NULL ksmbd_lookup_fd_inode()\n returns while durable handles expired under concurrent rename\n lookups, with no KASAN, UAF, list-corruption, ODEBUG, or WARNING\n reports.\n * checkpatch --strict\n * make -j$(nproc) M=fs/smb/server\n\nFixes: d484d621d40f (\"ksmbd: add durable scavenger timer\")\nSigned-off-by: DaeMyung Kang <charsyam@gmail.com>\n---\n fs/smb/server/vfs_cache.c | 102 ++++++++++++++++++++++++++++----------\n 1 file changed, 76 insertions(+), 26 deletions(-)", "diff": "diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c\nindex dc4037ef1834..354c4d8a1cfb 100644\n--- a/fs/smb/server/vfs_cache.c\n+++ b/fs/smb/server/vfs_cache.c\n@@ -418,6 +418,14 @@ static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)\n \t\treturn;\n \n \tidr_remove(global_ft.idr, fp->persistent_id);\n+\t/*\n+\t * Clear persistent_id so a later __ksmbd_close_fd() that runs from a\n+\t * delayed putter (e.g. when a concurrent ksmbd_lookup_fd_inode()\n+\t * walker held the final reference) does not re-issue idr_remove() on\n+\t * an id that idr_alloc_cyclic() may have already handed out to a new\n+\t * durable handle.\n+\t */\n+\tfp->persistent_id = KSMBD_NO_FID;\n }\n \n static void ksmbd_remove_durable_fd(struct ksmbd_file *fp)\n@@ -521,6 +529,20 @@ static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,\n \n static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)\n {\n+\t/*\n+\t * Detached durable fp -- session_fd_check() cleared fp->conn at\n+\t * preserve, so this fp is no longer tracked by any conn's\n+\t * stats.open_files_count. This happens when\n+\t * ksmbd_scavenger_dispose_dh() hands the final close off to an\n+\t * m_fp_list walker (e.g. ksmbd_lookup_fd_inode()) whose work->conn\n+\t * is unrelated to the conn that originally opened the handle; close\n+\t * via the NULL-ft path so we do not underflow that unrelated\n+\t * counter.\n+\t */\n+\tif (!fp->conn) {\n+\t\t__ksmbd_close_fd(NULL, fp);\n+\t\treturn;\n+\t}\n \t__ksmbd_close_fd(&work->sess->file_table, fp);\n \tatomic_dec(&work->conn->stats.open_files_count);\n }\n@@ -1033,24 +1055,37 @@ static bool ksmbd_durable_scavenger_alive(void)\n \treturn true;\n }\n \n-static void ksmbd_scavenger_dispose_dh(struct list_head *head)\n+static void ksmbd_scavenger_dispose_dh(struct ksmbd_file *fp)\n {\n-\twhile (!list_empty(head)) {\n-\t\tstruct ksmbd_file *fp;\n+\t/*\n+\t * Durable-preserved fp can remain linked on f_ci->m_fp_list for\n+\t * share-mode checks. Unlink it before final close; fp->node is not\n+\t * available as a scavenger-private list node because re-adding it to\n+\t * another list corrupts m_fp_list.\n+\t */\n+\tdown_write(&fp->f_ci->m_lock);\n+\tlist_del_init(&fp->node);\n+\tup_write(&fp->f_ci->m_lock);\n \n-\t\tfp = list_first_entry(head, struct ksmbd_file, node);\n-\t\tlist_del_init(&fp->node);\n+\t/*\n+\t * Drop both the durable lifetime reference and the transient reference\n+\t * taken by the scavenger under global_ft.lock. If a concurrent\n+\t * ksmbd_lookup_fd_inode() (or any other m_fp_list walker) snatched fp\n+\t * before the unlink above, that holder owns the final close via\n+\t * ksmbd_fd_put() -> __ksmbd_close_fd(). Otherwise the scavenger is\n+\t * the last putter and finalises fp here.\n+\t */\n+\tif (atomic_sub_and_test(2, &fp->refcount))\n \t\t__ksmbd_close_fd(NULL, fp);\n-\t}\n }\n \n static int ksmbd_durable_scavenger(void *dummy)\n {\n \tstruct ksmbd_file *fp = NULL;\n+\tstruct ksmbd_file *expired_fp;\n \tunsigned int id;\n \tunsigned int min_timeout = 1;\n \tbool found_fp_timeout;\n-\tLIST_HEAD(scavenger_list);\n \tunsigned long remaining_jiffies;\n \n \t__module_get(THIS_MODULE);\n@@ -1060,8 +1095,6 @@ static int ksmbd_durable_scavenger(void *dummy)\n \t\tif (try_to_freeze())\n \t\t\tcontinue;\n \n-\t\tfound_fp_timeout = false;\n-\n \t\tremaining_jiffies = wait_event_timeout(dh_wq,\n \t\t\t\t ksmbd_durable_scavenger_alive() == false,\n \t\t\t\t __msecs_to_jiffies(min_timeout));\n@@ -1070,23 +1103,39 @@ static int ksmbd_durable_scavenger(void *dummy)\n \t\telse\n \t\t\tmin_timeout = DURABLE_HANDLE_MAX_TIMEOUT;\n \n-\t\twrite_lock(&global_ft.lock);\n-\t\tidr_for_each_entry(global_ft.idr, fp, id) {\n-\t\t\tif (!fp->durable_timeout)\n-\t\t\t\tcontinue;\n+\t\tdo {\n+\t\t\texpired_fp = NULL;\n+\t\t\tfound_fp_timeout = false;\n \n-\t\t\tif (atomic_read(&fp->refcount) > 1 ||\n-\t\t\t fp->conn)\n-\t\t\t\tcontinue;\n-\n-\t\t\tfound_fp_timeout = true;\n-\t\t\tif (fp->durable_scavenger_timeout <=\n-\t\t\t jiffies_to_msecs(jiffies)) {\n-\t\t\t\t__ksmbd_remove_durable_fd(fp);\n-\t\t\t\tlist_add(&fp->node, &scavenger_list);\n-\t\t\t} else {\n+\t\t\twrite_lock(&global_ft.lock);\n+\t\t\tidr_for_each_entry(global_ft.idr, fp, id) {\n \t\t\t\tunsigned long durable_timeout;\n \n+\t\t\t\tif (!fp->durable_timeout)\n+\t\t\t\t\tcontinue;\n+\n+\t\t\t\tif (atomic_read(&fp->refcount) > 1 ||\n+\t\t\t\t fp->conn)\n+\t\t\t\t\tcontinue;\n+\n+\t\t\t\tfound_fp_timeout = true;\n+\t\t\t\tif (fp->durable_scavenger_timeout <=\n+\t\t\t\t jiffies_to_msecs(jiffies)) {\n+\t\t\t\t\t__ksmbd_remove_durable_fd(fp);\n+\t\t\t\t\t/*\n+\t\t\t\t\t * Take a transient reference so fp\n+\t\t\t\t\t * cannot be freed by an in-flight\n+\t\t\t\t\t * ksmbd_lookup_fd_inode() that found\n+\t\t\t\t\t * it through f_ci->m_fp_list while we\n+\t\t\t\t\t * drop global_ft.lock and reach the\n+\t\t\t\t\t * m_fp_list unlink in\n+\t\t\t\t\t * ksmbd_scavenger_dispose_dh().\n+\t\t\t\t\t */\n+\t\t\t\t\tatomic_inc(&fp->refcount);\n+\t\t\t\t\texpired_fp = fp;\n+\t\t\t\t\tbreak;\n+\t\t\t\t}\n+\n \t\t\t\tdurable_timeout =\n \t\t\t\t\tfp->durable_scavenger_timeout -\n \t\t\t\t\t\tjiffies_to_msecs(jiffies);\n@@ -1094,10 +1143,11 @@ static int ksmbd_durable_scavenger(void *dummy)\n \t\t\t\tif (min_timeout > durable_timeout)\n \t\t\t\t\tmin_timeout = durable_timeout;\n \t\t\t}\n-\t\t}\n-\t\twrite_unlock(&global_ft.lock);\n+\t\t\twrite_unlock(&global_ft.lock);\n \n-\t\tksmbd_scavenger_dispose_dh(&scavenger_list);\n+\t\t\tif (expired_fp)\n+\t\t\t\tksmbd_scavenger_dispose_dh(expired_fp);\n+\t\t} while (expired_fp);\n \n \t\tif (found_fp_timeout == false)\n \t\t\tbreak;\n", "prefixes": [ "v2", "3/3" ] }