{"id":2222211,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222211/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/8fcbca55c57c7cadefd6cef79e73b199e8c039c4.1775838249.git.metze@samba.org/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/1.1/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<8fcbca55c57c7cadefd6cef79e73b199e8c039c4.1775838249.git.metze@samba.org>","date":"2026-04-10T20:11:01","name":"[2/2] smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"627c15d2e86d0539d6a5370cc48d50ce78d52893","submitter":{"id":8149,"url":"http://patchwork.ozlabs.org/api/1.1/people/8149/?format=json","name":"Stefan Metzmacher","email":"metze@samba.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/8fcbca55c57c7cadefd6cef79e73b199e8c039c4.1775838249.git.metze@samba.org/mbox/","series":[{"id":499503,"url":"http://patchwork.ozlabs.org/api/1.1/series/499503/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=499503","date":"2026-04-10T20:11:00","name":"SMB Direct: double-free of send_io on ib_post_send failure in batch flush path","version":1,"mbox":"http://patchwork.ozlabs.org/series/499503/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222211/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222211/checks/","tags":{},"headers":{"Return-Path":"\n <linux-cifs+bounces-10752-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (3072-bit key;\n 
secure) header.d=samba.org header.i=@samba.org header.a=rsa-sha256\n header.s=42 header.b=Z+uKM9SX;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10752-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (3072-bit key) header.d=samba.org header.i=@samba.org\n header.b=\"Z+uKM9SX\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=144.76.82.148","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=samba.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=samba.org"],"From":"Stefan Metzmacher <metze@samba.org>","To":"linux-cifs@vger.kernel.org,\n\tsamba-technical@lists.samba.org","Cc":"metze@samba.org,\n\tRuikai Peng <ruikai@pwno.io>,\n\tstable@kernel.org,\n\tNamjae Jeon 
<linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>,\n\tTom Talpey <tom@talpey.com>,\n\tSergey Senozhatsky <senozhatsky@chromium.org>,\n\tPaulo Alcantara <pc@manguebit.org>,\n\tsecurity@kernel.org","Subject":"[PATCH 2/2] smb: server: avoid double-free in smb_direct_free_sendmsg\n after smb_direct_flush_send_list()","Date":"Fri, 10 Apr 2026 22:11:01 +0200","Message-ID":"\n <8fcbca55c57c7cadefd6cef79e73b199e8c039c4.1775838249.git.metze@samba.org>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1775838249.git.metze@samba.org>","References":"<cover.1775838249.git.metze@samba.org>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),\nso we should not call it again after post_sendmsg()\nmoved it to the batch list.\n\nReported-by: Ruikai Peng <ruikai@pwno.io>\nCloses: https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/\nFixes: 34abd408c8ba (\"smb: server: make use of smbdirect_socket.send_io.bcredits\")\nCc: stable@kernel.org\nCc: Namjae Jeon <linkinjeon@kernel.org>\nCc: Steve French <smfrench@gmail.com>\nCc: Tom Talpey <tom@talpey.com>\nCc: Ruikai Peng <ruikai@pwno.io>\nCc: Sergey Senozhatsky <senozhatsky@chromium.org>\nCc: Paulo Alcantara <pc@manguebit.org>\nCc: linux-cifs@vger.kernel.org\nCc: samba-technical@lists.samba.org\nCc: security@kernel.org\nSigned-off-by: Stefan Metzmacher <metze@samba.org>\nTested-by: Ruikai Peng <ruikai@pwno.io>\n---\n fs/smb/server/transport_rdma.c | 8 +++++++-\n 1 file changed, 7 insertions(+), 1 deletion(-)","diff":"diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c\nindex 188572491d53..dbc8dedb85dc 100644\n--- 
a/fs/smb/server/transport_rdma.c\n+++ b/fs/smb/server/transport_rdma.c\n@@ -1588,15 +1588,21 @@ static int smb_direct_post_send_data(struct smbdirect_socket *sc,\n \tif (ret)\n \t\tgoto err;\n \n+\t/*\n+\t * From here msg is moved to send_ctx\n+\t * and we should not free it explicitly.\n+\t */\n+\n \tif (send_ctx == &_send_ctx) {\n \t\tret = smb_direct_flush_send_list(sc, send_ctx, true);\n \t\tif (ret)\n-\t\t\tgoto err;\n+\t\t\tgoto flush_failed;\n \t}\n \n \treturn 0;\n err:\n \tsmb_direct_free_sendmsg(sc, msg);\n+flush_failed:\n header_failed:\n \tatomic_inc(&sc->send_io.credits.count);\n credit_failed:\n","prefixes":["2/2"]}
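Review bot: In the error-label block of smb_direct_post_send_data(), `flush_failed:` falls through to `atomic_inc(&sc->send_io.credits.count)`, so the flush-failure path still hands back a send credit even though, per the commit message, smb_direct_flush_send_list() has already called smb_direct_free_sendmsg() on msg. The hunk does not show whether the flush error path restores that credit itself; if it does, the count is incremented twice, so please state in the commit message or the new comment which side owns the credit after a failed flush. The new label also sits directly above `header_failed:` with no explanation; a short comment at `flush_failed:` saying that msg was already freed by the flush would keep the ownership rule visible at the point where the free is skipped, rather than only in the comment placed before the `if (send_ctx == &_send_ctx)` block. Finally, the unchanged `if (ret) goto err;` above the new comment still frees msg; the call that sets `ret` is outside the hunk, so it is worth confirming that it can never fail after msg has been linked onto send_ctx, otherwise the same double-free remains on that path.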