{"id":2228103,"url":"http://patchwork.ozlabs.org/api/covers/2228103/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/cover/20260425093829.4004785-1-charsyam@gmail.com/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260425093829.4004785-1-charsyam@gmail.com>","list_archive_url":null,"date":"2026-04-25T09:38:27","name":"[0/2] ksmbd: fix stop_sessions() iteration and centralize ksmbd_conn release","submitter":{"id":93166,"url":"http://patchwork.ozlabs.org/api/people/93166/?format=json","name":"DaeMyung Kang","email":"charsyam@gmail.com"},"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/cover/20260425093829.4004785-1-charsyam@gmail.com/mbox/","series":[{"id":501429,"url":"http://patchwork.ozlabs.org/api/series/501429/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=501429","date":"2026-04-25T09:38:27","name":"ksmbd: fix stop_sessions() iteration and centralize ksmbd_conn release","version":1,"mbox":"http://patchwork.ozlabs.org/series/501429/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2228103/comments/","headers":{"Return-Path":"\n <linux-cifs+bounces-11106-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=n+Rpb6eW;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; 
helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11106-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"n+Rpb6eW\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.214.175","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2lC63k8rz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 25 Apr 2026 19:38:58 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 5FA403014555\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 25 Apr 2026 09:38:40 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 9ED58392C20;\n\tSat, 25 Apr 2026 09:38:38 +0000 (UTC)","from mail-pl1-f175.google.com (mail-pl1-f175.google.com\n [209.85.214.175])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2E36B383C63\n\tfor <linux-cifs@vger.kernel.org>; Sat, 25 Apr 2026 09:38:36 +0000 (UTC)","by mail-pl1-f175.google.com with SMTP id\n d9443c01a7336-2b240d753ceso15609295ad.3\n        for <linux-cifs@vger.kernel.org>;\n Sat, 25 Apr 2026 02:38:36 -0700 (PDT)","from ser8.. 
([221.156.231.192])\n        by smtp.gmail.com with ESMTPSA id\n d9443c01a7336-2b606ce9891sm206791725ad.83.2026.04.25.02.38.33\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Sat, 25 Apr 2026 02:38:35 -0700 (PDT)"],"X-Received":"by 2002:a17:903:1b26:b0:2b2:49b9:c063 with SMTP id\n d9443c01a7336-2b5f9ff619cmr194963735ad.6.1777109915446;\n        Sat, 25 Apr 2026 02:38:35 -0700 (PDT)","From":"DaeMyung Kang <charsyam@gmail.com>","To":"Namjae Jeon <linkinjeon@kernel.org>,\n\tSteve French <smfrench@gmail.com>","Cc":"Sergey Senozhatsky <senozhatsky@chromium.org>,\n\tTom Talpey <tom@talpey.com>,\n\tHyunchul Lee <hyc.lee@gmail.com>,\n\tRonnie Sahlberg 
<lsahlber@redhat.com>,\n\tlinux-cifs@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org,\n\tDaeMyung Kang <charsyam@gmail.com>","Subject":"[PATCH 0/2] ksmbd: fix stop_sessions() iteration and centralize\n ksmbd_conn release","Date":"Sat, 25 Apr 2026 18:38:27 +0900","Message-ID":"<20260425093829.4004785-1-charsyam@gmail.com>","X-Mailer":"git-send-email 2.43.0","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"Two independent fixes around ksmbd connection teardown.\n\nPatch 1 (\"ksmbd: rewrite stop_sessions() with restartable iteration\")\nfixes a stale-iterator bug in stop_sessions().  The current loop drops\nconn_list_lock around transport->shutdown() and re-acquires it to\ncontinue the same hash_for_each() walk; a concurrent ksmbd_conn_free()\nin the unlocked window can make the iterator revisit or skip\nconnections.  The rewrite pins one connection at a time, marks it via\na new conn->stop_called flag, runs shutdown outside the lock, and\nrestarts from the top.  The \"is the hash drained?\" check is moved\ninto the locked walk so it no longer races hash_del() from a handler\nthread.  Patch 1 carries Cc: stable@vger.kernel.org.\n\n  Teardown wall time, ksmbd.control --shutdown + rmmod ksmbd with\n  N concurrent nosharesock cifs connections (3-run mean):\n\n      N        before        after\n      10       4.93s         5.34s\n      30       7.34s         7.03s\n      50       7.25s         7.04s\n      100      6.98s         6.78s\n      200      6.77s         6.89s\n\n  Performance is unchanged; teardown is dominated by the msleep(100)\n  outer retry, not by the iteration.  
The number of ->shutdown()\n  calls equals the number of live connections on both paths when the\n  race is not artificially widened.\n\nPatch 2 (\"ksmbd: centralize ksmbd_conn final release to plug transport\nleak\") routes the three bare-kfree final-put sites\n(ksmbd_conn_r_count_dec, __free_opinfo, session_fd_check) through a\nnew ksmbd_conn_put() that defers the once-per-struct cleanup\n(ida_destroy, free_transport, kfree) onto a dedicated workqueue.\nThose sites previously skipped transport cleanup whenever they\nhappened to be the last putter, leaking struct tcp_transport and the\niov kvec (TCP) and the embedded async_ida.  The workqueue bounce is\nneeded because the centralized release reaches lock_sock_nested()\nthrough tcp_close(), which sleeps; __free_opinfo() can be a final\nputter from an RCU softirq callback (free_opinfo_rcu).\n\n  A/B leak validation, QEMU/virtme guest with ksmbd server and CIFS\n  client in the same guest, debug kernel (CONFIG_DEBUG_KMEMLEAK +\n  CONFIG_PROVE_LOCKING + CONFIG_DEBUG_ATOMIC_SLEEP +\n  CONFIG_DEBUG_OBJECTS + CONFIG_FAILSLAB):\n\n  Reproducer per iteration: hold 8 fds open via sleep processes,\n  force-close TCP with `ss -K sport = :445`, kill holders,\n  lazy-umount; 10 iterations, then ksmbd shutdown + kmemleak scan.\n  Pre-patch is HEAD with only patch 1 of this series applied:\n\n      state         conn_alloc  conn_free  tcp_free  opi_rcu  kmemleak\n      ----------    ----------  ---------  --------  -------  --------\n      pre-patch         20          20        10       160        7\n      with patch        20          20        20       160        0\n\n  Pre-patch conn_free=20 with tcp_free=10 directly demonstrates the\n  bare-kfree paths skipping transport cleanup; kmemleak reports 7\n  unreferenced struct tcp_transport / t->iov objects.  With patch 2\n  tcp_free matches conn_free at 20/20 and kmemleak is clean across\n  two independent post-patch runs.  
opi_rcu=160 confirms the RCU\n  opinfo release path that motivates the fix is exercised.\n\nPatch 2 also addresses two adjacent issues exposed by the new\ndebugging context:\n\n  * __close_file_table_ids() refactor.  session_fd_check() already\n    sleeps in kstrdup(GFP_KERNEL) and down_write(m_lock) before this\n    patch, but the existing code calls it under write_lock(&ft->lock)\n    (an rwlock_t).  Refactor so skip() runs outside ft->lock with a\n    transient reference on fp; idr_remove(), fp->volatile_id clear\n    and the m_fp_list unlink happen unconditionally so a deferred\n    final putter (atomic_sub_and_test(2) returning false) cannot be\n    left to do them via __ksmbd_remove_fd() with a stale\n    volatile_id.\n\n    Validated on an additional debug kernel built with\n    CONFIG_DEBUG_LIST + CONFIG_DEBUG_OBJECTS_WORK using a\n    same-session two-tcon storm: one tcon drives an open/write\n    storm while the other tcon repeats 50 tree disconnects on the\n    same session.  Trace counts: 52 __close_file_table_ids\n    invocations, 4793 __ksmbd_close_fd, 30337 __put_fd_final, 9578\n    ksmbd_conn_put, 1 __ksmbd_conn_release_work.  No\n    list-corruption, work_struct ODEBUG, sleep-in-atomic, lockdep\n    or kmemleak reports observed.  This stress validates the\n    file-table/id/list rewrite under DEBUG_LIST/DEBUG_OBJECTS_WORK,\n    not the transport leak (which the A/B above already covered).\n\n  * fp owns a strong reference on fp->conn.  fp used to hold a\n    borrowed pointer to its connection, leaving a window where the\n    conn could be freed while a still-live fp held a stale\n    fp->conn.  Make fp own a refcount on fp->conn from\n    ksmbd_open_fd() / ksmbd_reopen_durable_fd() until __ksmbd_close_fd()\n    or session_fd_check().  
ksmbd_reopen_durable_fd() is also\n    reordered so fp->conn / fp->tcon are set before __open_id()\n    publishes fp into the session's file table, so a concurrent\n    teardown cannot observe a valid volatile_id with fp->conn ==\n    NULL.\n\nThe two patches are independent.  Either can be reviewed, applied,\nor reverted without pulling the other.  Patch 2 references patch 1\nonly to explain why stop_sessions() is left on its open-coded local\ncleanup and not converted to ksmbd_conn_put() in this series; if\npatch 2 is applied alone, stop_sessions() retains its bare-kfree\nleak that patch 1 separately addresses.\n\nBased on ksmbd-for-next-next.\n\nDaeMyung Kang (2):\n  ksmbd: rewrite stop_sessions() with restartable iteration\n  ksmbd: centralize ksmbd_conn final release to plug transport leak\n\n fs/smb/server/connection.c | 120 ++++++++++++++++++-----\n fs/smb/server/connection.h |   6 ++\n fs/smb/server/oplock.c     |   4 +-\n fs/smb/server/server.c     |  12 +++\n fs/smb/server/vfs_cache.c  | 189 ++++++++++++++++++++++++++++++++-----\n 5 files changed, 285 insertions(+), 46 deletions(-)\n\n--\n2.43.0"}