{"id":2224794,"url":"http://patchwork.ozlabs.org/api/patches/2224794/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260418172844.1333378-3-charsyam@gmail.com/","project":{"id":12,"url":"http://patchwork.ozlabs.org/api/projects/12/?format=json","name":"Linux CIFS Client","link_name":"linux-cifs-client","list_id":"linux-cifs.vger.kernel.org","list_email":"linux-cifs@vger.kernel.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260418172844.1333378-3-charsyam@gmail.com>","list_archive_url":null,"date":"2026-04-18T17:28:44","name":"[2/2] ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"91aaee645ef55251e82cc9cc208143ff8b6f2702","submitter":{"id":93166,"url":"http://patchwork.ozlabs.org/api/people/93166/?format=json","name":"DaeMyung Kang","email":"charsyam@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260418172844.1333378-3-charsyam@gmail.com/mbox/","series":[{"id":500457,"url":"http://patchwork.ozlabs.org/api/series/500457/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500457","date":"2026-04-18T17:28:42","name":"ksmbd: connection accounting and session teardown fixes","version":1,"mbox":"http://patchwork.ozlabs.org/series/500457/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224794/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224794/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linux-cifs+bounces-10901-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com 
header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=QurXQ/H5;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10901-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"QurXQ/H5\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.216.50","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fyf0w5BVbz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 19 Apr 2026 03:30:56 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 5DAA6300D561\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 17:30:46 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id ED53C28B7DB;\n\tSat, 18 Apr 2026 17:30:41 +0000 (UTC)","from mail-pj1-f50.google.com (mail-pj1-f50.google.com\n [209.85.216.50])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id AD2B930E0E9\n\tfor <linux-cifs@vger.kernel.org>; Sat, 18 Apr 2026 17:30:40 +0000 (UTC)","by mail-pj1-f50.google.com with SMTP id\n 98e67ed59e1d1-35e57611113so378489a91.0\n        for <linux-cifs@vger.kernel.org>;\n Sat, 18 
Apr 2026 10:30:40 -0700 (PDT)","from ser8.. ([221.156.231.192])\n        by smtp.gmail.com with ESMTPSA id\n d9443c01a7336-2b5fa9ff3bfsm69694965ad.7.2026.04.18.10.30.37\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Sat, 18 Apr 2026 10:30:39 -0700 (PDT)"],"X-Received":"by 2002:a17:902:c40a:b0:2b2:ac6f:f6a with SMTP id\n d9443c01a7336-2b5f9d679e8mr42742655ad.0.1776533440022;\n        Sat, 18 Apr 2026 10:30:40 -0700 (PDT)","From":"DaeMyung Kang 
<charsyam@gmail.com>","To":"linkinjeon@kernel.org,\n\tsmfrench@gmail.com","Cc":"senozhatsky@chromium.org,\n\ttom@talpey.com,\n\tlinux-cifs@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org,\n\tHenrique Carvalho <henrique.carvalho@suse.com>,\n\tDaeMyung Kang <charsyam@gmail.com>","Subject":"[PATCH 2/2] ksmbd: reset rcount per connection in\n ksmbd_conn_wait_idle_sess_id()","Date":"Sun, 19 Apr 2026 02:28:44 +0900","Message-ID":"<20260418172844.1333378-3-charsyam@gmail.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260418172844.1333378-1-charsyam@gmail.com>","References":"<20260418172844.1333378-1-charsyam@gmail.com>","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"rcount is intended to be connection-specific: 2 for curr_conn, 1 for\nevery other connection sharing the same session.  However, it is\ninitialised only once before the hash iteration and is never reset.\nAfter the loop visits curr_conn, later sibling connections are also\nchecked against rcount == 2, so a sibling with req_running == 1 is\nincorrectly treated as idle.  This makes the outcome depend on the\nhash iteration order: whether a given sibling is checked against the\nloose (< 2) or the strict (< 1) threshold is decided by whether it\nhappens to be visited before or after curr_conn.\n\nThe function's contract is \"wait until every connection sharing this\nsession is idle\" so that destroy_previous_session() can safely tear\nthe session down.  
The latched rcount violates that contract and\nreopens the teardown race window the wait logic was meant to close:\ndestroy_previous_session() may proceed before sibling channels have\nactually quiesced, overlapping session teardown with in-flight work\non those connections.\n\nRecompute rcount inside the loop so each connection is compared\nagainst its own threshold regardless of iteration order.\n\nThis is a code-inspection fix for an iteration-order-dependent logic\nerror; a targeted reproducer would require SMB3 multichannel with\nin-flight work on a sibling channel landing after curr_conn in hash\norder, which is not something that can be triggered reliably.\n\nFixes: 76e98a158b20 (\"ksmbd: fix race condition between destroy_previous_session() and smb2 operations()\")\nCc: stable@vger.kernel.org\nSigned-off-by: DaeMyung Kang <charsyam@gmail.com>\n---\n fs/smb/server/connection.c | 5 ++---\n 1 file changed, 2 insertions(+), 3 deletions(-)","diff":"diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c\nindex a26899d12df1..b5e077f272cf 100644\n--- a/fs/smb/server/connection.c\n+++ b/fs/smb/server/connection.c\n@@ -237,7 +237,7 @@ int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id)\n {\n \tstruct ksmbd_conn *conn;\n \tint rc, retry_count = 0, max_timeout = 120;\n-\tint rcount = 1, bkt;\n+\tint rcount, bkt;\n \n retry_idle:\n \tif (retry_count >= max_timeout)\n@@ -246,8 +246,7 @@ int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id)\n \tdown_read(&conn_list_lock);\n \thash_for_each(conn_list, bkt, conn, hlist) {\n \t\tif (conn->binding || xa_load(&conn->sessions, sess_id)) {\n-\t\t\tif (conn == curr_conn)\n-\t\t\t\trcount = 2;\n+\t\t\trcount = (conn == curr_conn) ? 2 : 1;\n \t\t\tif (atomic_read(&conn->req_running) >= rcount) {\n \t\t\t\trc = wait_event_timeout(conn->req_running_q,\n \t\t\t\t\tatomic_read(&conn->req_running) < rcount,\n","prefixes":["2/2"]}
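Review bot: in the first hunk, `int rcount, bkt;` leaves rcount uninitialised at function scope even though the value is now only meaningful for one connection at a time. Declaring it inside the `if (conn->binding || xa_load(&conn->sessions, sess_id))` block would make the per-iteration scope explicit and make it harder for a later change to latch the value across iterations or across `retry_idle` passes again, which is the defect the commit message describes.

Review bot: in the second hunk, `rcount = (conn == curr_conn) ? 2 : 1;` introduces two bare thresholds with no comment. The commit message states the intent (2 for curr_conn, 1 for every other connection sharing the session), but nothing in the code records it or says why curr_conn is allowed one more running request. A one-line comment above the assignment would keep that contract next to both places that depend on it, the `atomic_read(&conn->req_running) >= rcount` check and the `< rcount` condition passed to `wait_event_timeout()`.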