{"id":2222210,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222210/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/63d48102cf16da1bae51f8e37419dd7a5223462c.1775838249.git.metze@samba.org/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/1.1/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<63d48102cf16da1bae51f8e37419dd7a5223462c.1775838249.git.metze@samba.org>","date":"2026-04-10T20:11:00","name":"[1/2] smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a67bd048c8b89ee9c8374323873298edc0016baa","submitter":{"id":8149,"url":"http://patchwork.ozlabs.org/api/1.1/people/8149/?format=json","name":"Stefan Metzmacher","email":"metze@samba.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/63d48102cf16da1bae51f8e37419dd7a5223462c.1775838249.git.metze@samba.org/mbox/","series":[{"id":499503,"url":"http://patchwork.ozlabs.org/api/1.1/series/499503/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=499503","date":"2026-04-10T20:11:00","name":"SMB Direct: double-free of send_io on ib_post_send failure in batch flush path","version":1,"mbox":"http://patchwork.ozlabs.org/series/499503/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222210/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222210/checks/","tags":{},"headers":{"Return-Path":"\n <linux-cifs+bounces-10751-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (3072-bit key;\n secure) 
header.d=samba.org header.i=@samba.org header.a=rsa-sha256\n header.s=42 header.b=qZ6P/3Bf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10751-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (3072-bit key) header.d=samba.org header.i=@samba.org\n header.b=\"qZ6P/3Bf\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=144.76.82.148","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=samba.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=samba.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fsp0X1bj1z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 11 Apr 2026 06:13:48 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 0DCB6301B861\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 10 Apr 2026 20:11:38 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 10BED38E5E1;\n\tFri, 10 Apr 2026 20:11:35 +0000 (UTC)","from hr2.samba.org (hr2.samba.org [144.76.82.148])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D7D033E377\n\tfor <linux-cifs@vger.kernel.org>; Fri, 10 Apr 2026 20:11:33 +0000 (UTC)","from [127.0.0.2] (localhost [127.0.0.1])\n\tby hr2.samba.org with esmtpsa\n (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256)\n\t(Exim)\n\tid 
1wBICL-00000000IJD-2D0g;\n\tFri, 10 Apr 2026 20:11:25 +0000"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775851895; cv=none;\n b=EHVUldJ4klRcNe2a2Gv4hG5YWrFwKpi2lXVG9ZmzzR/BJZFmpqFe//+3BlF23NStbUZvtLUz/df1MUCt7RYtH1tiqvz+dtoNBbQVNZsR12qkKdrdTm9um5EYFTUCCAmO5XMigY3UD8xq2AA1uYj6jdGKFvos8W/UpfAX3O9bfsM=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775851895; c=relaxed/simple;\n\tbh=7V2deim1shwDSds3+C73OGkq6RqsGtKoF6QwJLSFylo=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=mTd6dAruDYBHoTMX7WZEdUUgzOYtPWoQOKs6J9kS2wkn9M/0GCju1iLYyoaVRzEIXuc0220fdz2YLHxQZcMO8bB50mtVLu4DvIzdEs9NemkUN2/79xjL+lApc1gvCuw+GmaPAiSFgeQAqi5soVRGosNLkiB3+2eOiAn7/zy7lqg=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=samba.org;\n spf=pass smtp.mailfrom=samba.org;\n dkim=pass (3072-bit key) header.d=samba.org header.i=@samba.org\n header.b=qZ6P/3Bf; arc=none smtp.client-ip=144.76.82.148","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org;\n\ts=42; h=Message-ID:Date:Cc:To:From;\n\tbh=0/gbFaWlJTvuMgwmQatvgm0QB9NiBlBeSMyg5NxSF+Y=; b=qZ6P/3BfeI+JIVxI1ruB6CcRsh\n\t6p/FxHlGxHJNA1ahXmCvToC5xm7RnqIHBidfPDewsN5fwBJqU0fbfjf/MRNbHDgshJQXmNWbJZbKj\n\ty6uQnJpYnqBjYteFj4CMHKpI/EW0r29A6mCAH/ba3FYZXIMPzT8QS/WkhDRSPZK3OQBrEWON4ouO2\n\t7+AlsVcT1R5t7HBTfyex9KDL7PS1fgGnFUN7YDFL9HEZdJY5Vk2VaWjlbrKHtrwQV2kiaI8ihnQxA\n\teXngrKEpozDYrPqIUrUOfrczaKsbFmZC6lUjDZ8EbPSd5KtkThnYeREXgKnj6B2XGvOWH0d0z7yrx\n\t5MIF/XJCRHHTYa1n4WI7cv+ZMjaNqMm3khdoUrfiwTd9KHHJ3o1IkZrwxOEYyjUoMAeA1dCCf79Rz\n\tvjbE7dP0IIOHgcCDsfmW99J+EhIFpKm7wPhwDmhwr7Yt4+oQ/t21sKZ2xOEvqqRReyPrRnMxHEmwi\n\ts142Ir0AYDL74vNI9wRH/+Lw;","From":"Stefan Metzmacher <metze@samba.org>","To":"linux-cifs@vger.kernel.org,\n\tsamba-technical@lists.samba.org","Cc":"metze@samba.org,\n\tRuikai Peng <ruikai@pwno.io>,\n\tstable@kernel.org,\n\tSteve French 
<smfrench@gmail.com>,\n\tTom Talpey <tom@talpey.com>,\n\tLong Li <longli@microsoft.com>,\n\tNamjae Jeon <linkinjeon@kernel.org>,\n\tSergey Senozhatsky <senozhatsky@chromium.org>,\n\tPaulo Alcantara <pc@manguebit.org>,\n\tsecurity@kernel.org","Subject":"[PATCH 1/2] smb: client: avoid double-free in smbd_free_send_io()\n after smbd_send_batch_flush()","Date":"Fri, 10 Apr 2026 22:11:00 +0200","Message-ID":"\n <63d48102cf16da1bae51f8e37419dd7a5223462c.1775838249.git.metze@samba.org>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1775838249.git.metze@samba.org>","References":"<cover.1775838249.git.metze@samba.org>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"smbd_send_batch_flush() already calls smbd_free_send_io(),\nso we should not call it again after smbd_post_send()\nmoved it to the batch list.\n\nReported-by: Ruikai Peng <ruikai@pwno.io>\nCloses: https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/\nFixes: 21538121efe6 (\"smb: client: make use of smbdirect_socket.send_io.bcredits\")\nCc: stable@kernel.org\nCc: Steve French <smfrench@gmail.com>\nCc: Tom Talpey <tom@talpey.com>\nCc: Long Li <longli@microsoft.com>\nCc: Namjae Jeon <linkinjeon@kernel.org>\nCc: Ruikai Peng <ruikai@pwno.io>\nCc: Sergey Senozhatsky <senozhatsky@chromium.org>\nCc: Paulo Alcantara <pc@manguebit.org>\nCc: linux-cifs@vger.kernel.org\nCc: samba-technical@lists.samba.org\nCc: security@kernel.org\nSigned-off-by: Stefan Metzmacher <metze@samba.org>\nTested-by: Ruikai Peng <ruikai@pwno.io>\n---\n fs/smb/client/smbdirect.c | 8 ++++++++\n 1 file changed, 8 insertions(+)","diff":"diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c\nindex c79304012b08..461658105013 
100644\n--- a/fs/smb/client/smbdirect.c\n+++ b/fs/smb/client/smbdirect.c\n@@ -1551,17 +1551,25 @@ static int smbd_post_send_iter(struct smbdirect_socket *sc,\n \n \trc = smbd_post_send(sc, batch, request);\n \tif (!rc) {\n+\t\t/*\n+\t\t * From here request is moved to batch\n+\t\t * and we should not free it explicitly.\n+\t\t */\n+\n \t\tif (batch != &_batch)\n \t\t\treturn 0;\n \n \t\trc = smbd_send_batch_flush(sc, batch, true);\n \t\tif (!rc)\n \t\t\treturn 0;\n+\n+\t\tgoto err_flush;\n \t}\n \n err_dma:\n \tsmbd_free_send_io(request);\n \n+err_flush:\n err_alloc:\n \tatomic_inc(&sc->send_io.credits.count);\n \twake_up(&sc->send_io.credits.wait_queue);\n","prefixes":["1/2"]}
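Review bot: on the new `goto err_flush` path in smbd_post_send_iter(), control still falls through to `atomic_inc(&sc->send_io.credits.count)` and the `wake_up()`, so the send credit is handed back even though the request is now owned by the batch. The commit message only states that smbd_send_batch_flush() already calls smbd_free_send_io(); it would help to say, in the message or in the new comment, whether that failure path leaves the credit for the caller to return. If the flush error path also returns it, the count is incremented twice. As a style point, `err_flush:` is stacked directly on `err_alloc:` with no statement between them, so both labels name the same target. Either jump to `err_alloc` from the flush failure, or keep the separate label with a one-line comment that it exists to skip smbd_free_send_io(request). The blank line after the new "From here request is moved to batch" comment also separates it from the `if (batch != &_batch)` check it describes and can be dropped.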