smb-server-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-server-let-recv_done-consistently-call-put_recvm.patch
smb-server-let-recv_done-avoid-touching-data_transfe.patch
-smb-client-let-send_done-cleanup-before-calling-smbd.patch
smb-client-remove-separate-empty_packet_queue.patch
smb-client-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-client-let-recv_done-cleanup-before-notifying-th.patch
hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch
usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch
usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
-smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
+++ /dev/null
-From 8b2b8a6a5827848250c0caf075b23256bab4ac88 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 12 Aug 2025 18:45:06 +0200
-Subject: smb: client: don't wait for info->send_pending == 0 on error
-
-From: Stefan Metzmacher <metze@samba.org>
-
-commit 8b2b8a6a5827848250c0caf075b23256bab4ac88 upstream.
-
-We already called ib_drain_qp() before and that makes sure
-send_done() was called with IB_WC_WR_FLUSH_ERR, but
-didn't called atomic_dec_and_test(&sc->send_io.pending.count)
-
-So we may never reach the info->send_pending == 0 condition.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: 5349ae5e05fa ("smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/smb/client/smbdirect.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -1316,10 +1316,6 @@ void smbd_destroy(struct TCP_Server_Info
- log_rdma_event(INFO, "cancelling idle timer\n");
- cancel_delayed_work_sync(&info->idle_timer_work);
-
-- log_rdma_event(INFO, "wait for all send posted to IB to finish\n");
-- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
--
- /* It's not possible for upper layer to get to reassembly */
- log_rdma_event(INFO, "drain the reassembly queue\n");
- do {
-@@ -1965,7 +1961,11 @@ int smbd_send(struct TCP_Server_Info *se
- */
-
- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
-+ atomic_read(&info->send_pending) == 0 ||
-+ sc->status != SMBDIRECT_SOCKET_CONNECTED);
-+
-+ if (sc->status != SMBDIRECT_SOCKET_CONNECTED && rc == 0)
-+ rc = -EAGAIN;
-
- return rc;
- }
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 25 +++++++++++--------------
+ fs/smb/client/smbdirect.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index d26b8cef82d6..47f2a6cc1c0c 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -479,10 +479,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -477,10 +477,6 @@ static void recv_done(struct ib_cq *cq,
data_transfer = smbd_response_payload(response);
data_length = le32_to_cpu(data_transfer->data_length);
if (data_length) {
if (info->full_packet_received)
response->first_segment = true;
-@@ -491,16 +487,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -489,16 +485,7 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = false;
else
info->full_packet_received = true;
atomic_dec(&info->receive_credits);
info->receive_credit_target =
-@@ -528,6 +515,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -526,6 +513,16 @@ static void recv_done(struct ib_cq *cq,
info->keep_alive_requested = KEEP_ALIVE_PENDING;
}
return;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 14 ++++++++------
+ fs/smb/client/smbdirect.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 5690e8b3d101..d26b8cef82d6 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -454,7 +454,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -452,7 +452,6 @@ static void recv_done(struct ib_cq *cq,
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
log_rdma_recv(INFO, "wc->status=%d opcode=%d\n",
wc->status, wc->opcode);
goto error;
}
-@@ -471,8 +470,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -469,8 +468,9 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = true;
info->negotiate_done =
process_negotiation_response(response, wc->byte_len);
/* SMBD data transfer packet */
case SMBD_TRANSFER_DATA:
-@@ -529,14 +529,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -527,14 +527,16 @@ static void recv_done(struct ib_cq *cq,
}
return;
}
static struct rdma_cm_id *smbd_create_id(
---
-2.39.5
-
+++ /dev/null
-From fb6ca0a1de44a2bec67cc2a61503ab631b2103ec Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Aug 2025 14:10:12 +0200
-Subject: smb: client: let send_done() cleanup before calling
- smbd_disconnect_rdma_connection()
-
-From: Stefan Metzmacher <metze@samba.org>
-
-[ Upstream commit 5349ae5e05fa37409fd48a1eb483b199c32c889b ]
-
-We should call ib_dma_unmap_single() and mempool_free() before calling
-smbd_disconnect_rdma_connection().
-
-And smbd_disconnect_rdma_connection() needs to be the last function to
-call as all other state might already be gone after it returns.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/smb/client/smbdirect.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 754e94a0e07f..e99e783f1b0e 100644
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -281,18 +281,20 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
- log_rdma_send(INFO, "smbd_request 0x%p completed wc->status=%d\n",
- request, wc->status);
-
-- if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-- wc->status, wc->opcode);
-- smbd_disconnect_rdma_connection(request->info);
-- }
--
- for (i = 0; i < request->num_sge; i++)
- ib_dma_unmap_single(sc->ib.dev,
- request->sge[i].addr,
- request->sge[i].length,
- DMA_TO_DEVICE);
-
-+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-+ log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-+ wc->status, wc->opcode);
-+ mempool_free(request, info->request_mempool);
-+ smbd_disconnect_rdma_connection(info);
-+ return;
-+ }
-+
- if (atomic_dec_and_test(&request->info->send_pending))
- wake_up(&request->info->wait_send_pending);
-
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 11 +++++++++--
+ fs/smb/client/smbdirect.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 0ab490c0a9b0..5690e8b3d101 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1057,6 +1057,7 @@ static int smbd_post_recv(
+@@ -1055,6 +1055,7 @@ static int smbd_post_recv(
if (rc) {
ib_dma_unmap_single(sc->ib.dev, response->sge.addr,
response->sge.length, DMA_FROM_DEVICE);
smbd_disconnect_rdma_connection(info);
log_rdma_recv(ERR, "ib_post_recv failed rc=%d\n", rc);
}
-@@ -1186,8 +1187,13 @@ static void put_receive_buffer(
+@@ -1184,8 +1185,13 @@ static void put_receive_buffer(
struct smbdirect_socket *sc = &info->socket;
unsigned long flags;
spin_lock_irqsave(&info->receive_queue_lock, flags);
list_add_tail(&response->list, &info->receive_queue);
-@@ -1221,6 +1227,7 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1219,6 +1225,7 @@ static int allocate_receive_buffers(stru
goto allocate_failed;
response->info = info;
list_add_tail(&response->list, &info->receive_queue);
info->count_receive_queue++;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/cifs_debug.c | 6 ++--
- fs/smb/client/smbdirect.c | 62 +++-----------------------------------
- fs/smb/client/smbdirect.h | 4 ---
+ fs/smb/client/cifs_debug.c | 6 +---
+ fs/smb/client/smbdirect.c | 62 +++------------------------------------------
+ fs/smb/client/smbdirect.h | 4 --
3 files changed, 7 insertions(+), 65 deletions(-)
-diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
-index c0196be0e65f..9092051776fc 100644
--- a/fs/smb/client/cifs_debug.c
+++ b/fs/smb/client/cifs_debug.c
-@@ -432,10 +432,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
+@@ -432,10 +432,8 @@ static int cifs_debug_data_proc_show(str
server->smbd_conn->receive_credit_target);
seq_printf(m, "\nPending send_pending: %x ",
atomic_read(&server->smbd_conn->send_pending));
seq_printf(m, "\nMR responder_resources: %x "
"max_frmr_depth: %x mr_type: %x",
server->smbd_conn->responder_resources,
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index e99e783f1b0e..0ab490c0a9b0 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -13,8 +13,6 @@
static void enqueue_reassembly(
struct smbd_connection *info,
struct smbd_response *response, int data_length);
-@@ -393,7 +389,6 @@ static bool process_negotiation_response(
+@@ -391,7 +387,6 @@ static bool process_negotiation_response
static void smbd_post_send_credits(struct work_struct *work)
{
int ret = 0;
int rc;
struct smbd_response *response;
struct smbd_connection *info =
-@@ -409,18 +404,9 @@ static void smbd_post_send_credits(struct work_struct *work)
+@@ -407,18 +402,9 @@ static void smbd_post_send_credits(struc
if (info->receive_credit_target >
atomic_read(&info->receive_credits)) {
while (true) {
response->type = SMBD_TRANSFER_DATA;
response->first_segment = false;
-@@ -511,7 +497,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -509,7 +495,7 @@ static void recv_done(struct ib_cq *cq,
response,
data_length);
} else
if (data_length)
wake_up_interruptible(&info->wait_reassembly_queue);
-@@ -1115,17 +1101,6 @@ static int smbd_negotiate(struct smbd_connection *info)
+@@ -1113,17 +1099,6 @@ static int smbd_negotiate(struct smbd_co
return rc;
}
/*
* Implement Connection.FragmentReassemblyBuffer defined in [MS-SMBD] 3.1.1.1
* This is a queue for reassembling upper layer payload and present to upper
-@@ -1174,25 +1149,6 @@ static struct smbd_response *_get_first_reassembly(struct smbd_connection *info)
+@@ -1172,25 +1147,6 @@ static struct smbd_response *_get_first_
return ret;
}
/*
* Get a receive buffer
* For each remote send, we need to post a receive. The receive buffers are
-@@ -1257,10 +1213,6 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1255,10 +1211,6 @@ static int allocate_receive_buffers(stru
spin_lock_init(&info->receive_queue_lock);
info->count_receive_queue = 0;
init_waitqueue_head(&info->wait_receive_queues);
for (i = 0; i < num_buf; i++) {
-@@ -1294,9 +1246,6 @@ static void destroy_receive_buffers(struct smbd_connection *info)
+@@ -1292,9 +1244,6 @@ static void destroy_receive_buffers(stru
while ((response = get_receive_buffer(info)))
mempool_free(response, info->response_mempool);
}
/* Implement idle connection timer [MS-SMBD] 3.1.6.2 */
-@@ -1383,8 +1332,7 @@ void smbd_destroy(struct TCP_Server_Info *server)
+@@ -1381,8 +1330,7 @@ void smbd_destroy(struct TCP_Server_Info
log_rdma_event(INFO, "free receive buffers\n");
wait_event(info->wait_receive_queues,
destroy_receive_buffers(info);
/*
-diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h
-index 3d552ab27e0f..fb8db71735f3 100644
--- a/fs/smb/client/smbdirect.h
+++ b/fs/smb/client/smbdirect.h
@@ -110,10 +110,6 @@ struct smbd_connection {
wait_queue_head_t wait_receive_queues;
/* Reassembly queue */
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 6 ++++--
+ fs/smb/client/smbdirect.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 47f2a6cc1c0c..60b160219f0a 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1636,8 +1636,10 @@ static struct smbd_connection *_smbd_get_connection(
+@@ -1634,8 +1634,10 @@ static struct smbd_connection *_smbd_get
goto rdma_connect_failed;
}
if (sc->status != SMBDIRECT_SOCKET_CONNECTED) {
log_rdma_event(ERR, "rdma_connect failed port=%d\n", port);
---
-2.39.5
-
smb-server-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-server-let-recv_done-consistently-call-put_recvm.patch
smb-server-let-recv_done-avoid-touching-data_transfe.patch
-smb-client-let-send_done-cleanup-before-calling-smbd.patch
smb-client-remove-separate-empty_packet_queue.patch
smb-client-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-client-let-recv_done-cleanup-before-notifying-th.patch
hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch
usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped.patch
-smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
+++ /dev/null
-From 8b2b8a6a5827848250c0caf075b23256bab4ac88 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 12 Aug 2025 18:45:06 +0200
-Subject: smb: client: don't wait for info->send_pending == 0 on error
-
-From: Stefan Metzmacher <metze@samba.org>
-
-commit 8b2b8a6a5827848250c0caf075b23256bab4ac88 upstream.
-
-We already called ib_drain_qp() before and that makes sure
-send_done() was called with IB_WC_WR_FLUSH_ERR, but
-didn't called atomic_dec_and_test(&sc->send_io.pending.count)
-
-So we may never reach the info->send_pending == 0 condition.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: 5349ae5e05fa ("smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/smb/client/smbdirect.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -1316,10 +1316,6 @@ void smbd_destroy(struct TCP_Server_Info
- log_rdma_event(INFO, "cancelling idle timer\n");
- cancel_delayed_work_sync(&info->idle_timer_work);
-
-- log_rdma_event(INFO, "wait for all send posted to IB to finish\n");
-- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
--
- /* It's not possible for upper layer to get to reassembly */
- log_rdma_event(INFO, "drain the reassembly queue\n");
- do {
-@@ -1965,7 +1961,11 @@ int smbd_send(struct TCP_Server_Info *se
- */
-
- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
-+ atomic_read(&info->send_pending) == 0 ||
-+ sc->status != SMBDIRECT_SOCKET_CONNECTED);
-+
-+ if (sc->status != SMBDIRECT_SOCKET_CONNECTED && rc == 0)
-+ rc = -EAGAIN;
-
- return rc;
- }
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 25 +++++++++++--------------
+ fs/smb/client/smbdirect.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index d26b8cef82d6..47f2a6cc1c0c 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -479,10 +479,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -477,10 +477,6 @@ static void recv_done(struct ib_cq *cq,
data_transfer = smbd_response_payload(response);
data_length = le32_to_cpu(data_transfer->data_length);
if (data_length) {
if (info->full_packet_received)
response->first_segment = true;
-@@ -491,16 +487,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -489,16 +485,7 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = false;
else
info->full_packet_received = true;
atomic_dec(&info->receive_credits);
info->receive_credit_target =
-@@ -528,6 +515,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -526,6 +513,16 @@ static void recv_done(struct ib_cq *cq,
info->keep_alive_requested = KEEP_ALIVE_PENDING;
}
return;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 14 ++++++++------
+ fs/smb/client/smbdirect.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 5690e8b3d101..d26b8cef82d6 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -454,7 +454,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -452,7 +452,6 @@ static void recv_done(struct ib_cq *cq,
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
log_rdma_recv(INFO, "wc->status=%d opcode=%d\n",
wc->status, wc->opcode);
goto error;
}
-@@ -471,8 +470,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -469,8 +468,9 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = true;
info->negotiate_done =
process_negotiation_response(response, wc->byte_len);
/* SMBD data transfer packet */
case SMBD_TRANSFER_DATA:
-@@ -529,14 +529,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -527,14 +527,16 @@ static void recv_done(struct ib_cq *cq,
}
return;
}
static struct rdma_cm_id *smbd_create_id(
---
-2.39.5
-
+++ /dev/null
-From d94fdd7411d254719d506d2725d45887a0c1b6c5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Aug 2025 14:10:12 +0200
-Subject: smb: client: let send_done() cleanup before calling
- smbd_disconnect_rdma_connection()
-
-From: Stefan Metzmacher <metze@samba.org>
-
-[ Upstream commit 5349ae5e05fa37409fd48a1eb483b199c32c889b ]
-
-We should call ib_dma_unmap_single() and mempool_free() before calling
-smbd_disconnect_rdma_connection().
-
-And smbd_disconnect_rdma_connection() needs to be the last function to
-call as all other state might already be gone after it returns.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/smb/client/smbdirect.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 754e94a0e07f..e99e783f1b0e 100644
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -281,18 +281,20 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
- log_rdma_send(INFO, "smbd_request 0x%p completed wc->status=%d\n",
- request, wc->status);
-
-- if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-- wc->status, wc->opcode);
-- smbd_disconnect_rdma_connection(request->info);
-- }
--
- for (i = 0; i < request->num_sge; i++)
- ib_dma_unmap_single(sc->ib.dev,
- request->sge[i].addr,
- request->sge[i].length,
- DMA_TO_DEVICE);
-
-+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-+ log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-+ wc->status, wc->opcode);
-+ mempool_free(request, info->request_mempool);
-+ smbd_disconnect_rdma_connection(info);
-+ return;
-+ }
-+
- if (atomic_dec_and_test(&request->info->send_pending))
- wake_up(&request->info->wait_send_pending);
-
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 11 +++++++++--
+ fs/smb/client/smbdirect.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 0ab490c0a9b0..5690e8b3d101 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1057,6 +1057,7 @@ static int smbd_post_recv(
+@@ -1055,6 +1055,7 @@ static int smbd_post_recv(
if (rc) {
ib_dma_unmap_single(sc->ib.dev, response->sge.addr,
response->sge.length, DMA_FROM_DEVICE);
smbd_disconnect_rdma_connection(info);
log_rdma_recv(ERR, "ib_post_recv failed rc=%d\n", rc);
}
-@@ -1186,8 +1187,13 @@ static void put_receive_buffer(
+@@ -1184,8 +1185,13 @@ static void put_receive_buffer(
struct smbdirect_socket *sc = &info->socket;
unsigned long flags;
spin_lock_irqsave(&info->receive_queue_lock, flags);
list_add_tail(&response->list, &info->receive_queue);
-@@ -1221,6 +1227,7 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1219,6 +1225,7 @@ static int allocate_receive_buffers(stru
goto allocate_failed;
response->info = info;
list_add_tail(&response->list, &info->receive_queue);
info->count_receive_queue++;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/cifs_debug.c | 6 ++--
- fs/smb/client/smbdirect.c | 62 +++-----------------------------------
- fs/smb/client/smbdirect.h | 4 ---
+ fs/smb/client/cifs_debug.c | 6 +---
+ fs/smb/client/smbdirect.c | 62 +++------------------------------------------
+ fs/smb/client/smbdirect.h | 4 --
3 files changed, 7 insertions(+), 65 deletions(-)
-diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
-index c0196be0e65f..9092051776fc 100644
--- a/fs/smb/client/cifs_debug.c
+++ b/fs/smb/client/cifs_debug.c
-@@ -432,10 +432,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
+@@ -432,10 +432,8 @@ static int cifs_debug_data_proc_show(str
server->smbd_conn->receive_credit_target);
seq_printf(m, "\nPending send_pending: %x ",
atomic_read(&server->smbd_conn->send_pending));
seq_printf(m, "\nMR responder_resources: %x "
"max_frmr_depth: %x mr_type: %x",
server->smbd_conn->responder_resources,
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index e99e783f1b0e..0ab490c0a9b0 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -13,8 +13,6 @@
static void enqueue_reassembly(
struct smbd_connection *info,
struct smbd_response *response, int data_length);
-@@ -393,7 +389,6 @@ static bool process_negotiation_response(
+@@ -391,7 +387,6 @@ static bool process_negotiation_response
static void smbd_post_send_credits(struct work_struct *work)
{
int ret = 0;
int rc;
struct smbd_response *response;
struct smbd_connection *info =
-@@ -409,18 +404,9 @@ static void smbd_post_send_credits(struct work_struct *work)
+@@ -407,18 +402,9 @@ static void smbd_post_send_credits(struc
if (info->receive_credit_target >
atomic_read(&info->receive_credits)) {
while (true) {
response->type = SMBD_TRANSFER_DATA;
response->first_segment = false;
-@@ -511,7 +497,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -509,7 +495,7 @@ static void recv_done(struct ib_cq *cq,
response,
data_length);
} else
if (data_length)
wake_up_interruptible(&info->wait_reassembly_queue);
-@@ -1115,17 +1101,6 @@ static int smbd_negotiate(struct smbd_connection *info)
+@@ -1113,17 +1099,6 @@ static int smbd_negotiate(struct smbd_co
return rc;
}
/*
* Implement Connection.FragmentReassemblyBuffer defined in [MS-SMBD] 3.1.1.1
* This is a queue for reassembling upper layer payload and present to upper
-@@ -1174,25 +1149,6 @@ static struct smbd_response *_get_first_reassembly(struct smbd_connection *info)
+@@ -1172,25 +1147,6 @@ static struct smbd_response *_get_first_
return ret;
}
/*
* Get a receive buffer
* For each remote send, we need to post a receive. The receive buffers are
-@@ -1257,10 +1213,6 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1255,10 +1211,6 @@ static int allocate_receive_buffers(stru
spin_lock_init(&info->receive_queue_lock);
info->count_receive_queue = 0;
init_waitqueue_head(&info->wait_receive_queues);
for (i = 0; i < num_buf; i++) {
-@@ -1294,9 +1246,6 @@ static void destroy_receive_buffers(struct smbd_connection *info)
+@@ -1292,9 +1244,6 @@ static void destroy_receive_buffers(stru
while ((response = get_receive_buffer(info)))
mempool_free(response, info->response_mempool);
}
/* Implement idle connection timer [MS-SMBD] 3.1.6.2 */
-@@ -1383,8 +1332,7 @@ void smbd_destroy(struct TCP_Server_Info *server)
+@@ -1381,8 +1330,7 @@ void smbd_destroy(struct TCP_Server_Info
log_rdma_event(INFO, "free receive buffers\n");
wait_event(info->wait_receive_queues,
destroy_receive_buffers(info);
/*
-diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h
-index 3d552ab27e0f..fb8db71735f3 100644
--- a/fs/smb/client/smbdirect.h
+++ b/fs/smb/client/smbdirect.h
@@ -110,10 +110,6 @@ struct smbd_connection {
wait_queue_head_t wait_receive_queues;
/* Reassembly queue */
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 6 ++++--
+ fs/smb/client/smbdirect.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 47f2a6cc1c0c..60b160219f0a 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1636,8 +1636,10 @@ static struct smbd_connection *_smbd_get_connection(
+@@ -1634,8 +1634,10 @@ static struct smbd_connection *_smbd_get
goto rdma_connect_failed;
}
if (sc->status != SMBDIRECT_SOCKET_CONNECTED) {
log_rdma_event(ERR, "rdma_connect failed port=%d\n", port);
---
-2.39.5
-
smb-server-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-server-let-recv_done-consistently-call-put_recvm.patch
smb-server-let-recv_done-avoid-touching-data_transfe.patch
-smb-client-let-send_done-cleanup-before-calling-smbd.patch
smb-client-remove-separate-empty_packet_queue.patch
smb-client-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-client-let-recv_done-cleanup-before-notifying-th.patch
usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
wifi-ath12k-install-pairwise-key-first.patch
mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped.patch
-smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
+++ /dev/null
-From 8b2b8a6a5827848250c0caf075b23256bab4ac88 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 12 Aug 2025 18:45:06 +0200
-Subject: smb: client: don't wait for info->send_pending == 0 on error
-
-From: Stefan Metzmacher <metze@samba.org>
-
-commit 8b2b8a6a5827848250c0caf075b23256bab4ac88 upstream.
-
-We already called ib_drain_qp() before and that makes sure
-send_done() was called with IB_WC_WR_FLUSH_ERR, but
-didn't called atomic_dec_and_test(&sc->send_io.pending.count)
-
-So we may never reach the info->send_pending == 0 condition.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: 5349ae5e05fa ("smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/smb/client/smbdirect.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -1316,10 +1316,6 @@ void smbd_destroy(struct TCP_Server_Info
- log_rdma_event(INFO, "cancelling idle timer\n");
- cancel_delayed_work_sync(&info->idle_timer_work);
-
-- log_rdma_event(INFO, "wait for all send posted to IB to finish\n");
-- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
--
- /* It's not possible for upper layer to get to reassembly */
- log_rdma_event(INFO, "drain the reassembly queue\n");
- do {
-@@ -1965,7 +1961,11 @@ int smbd_send(struct TCP_Server_Info *se
- */
-
- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
-+ atomic_read(&info->send_pending) == 0 ||
-+ sc->status != SMBDIRECT_SOCKET_CONNECTED);
-+
-+ if (sc->status != SMBDIRECT_SOCKET_CONNECTED && rc == 0)
-+ rc = -EAGAIN;
-
- return rc;
- }
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 25 +++++++++++--------------
+ fs/smb/client/smbdirect.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index d26b8cef82d6..47f2a6cc1c0c 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -479,10 +479,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -477,10 +477,6 @@ static void recv_done(struct ib_cq *cq,
data_transfer = smbd_response_payload(response);
data_length = le32_to_cpu(data_transfer->data_length);
if (data_length) {
if (info->full_packet_received)
response->first_segment = true;
-@@ -491,16 +487,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -489,16 +485,7 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = false;
else
info->full_packet_received = true;
atomic_dec(&info->receive_credits);
info->receive_credit_target =
-@@ -528,6 +515,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -526,6 +513,16 @@ static void recv_done(struct ib_cq *cq,
info->keep_alive_requested = KEEP_ALIVE_PENDING;
}
return;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 14 ++++++++------
+ fs/smb/client/smbdirect.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 5690e8b3d101..d26b8cef82d6 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -454,7 +454,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -452,7 +452,6 @@ static void recv_done(struct ib_cq *cq,
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
log_rdma_recv(INFO, "wc->status=%d opcode=%d\n",
wc->status, wc->opcode);
goto error;
}
-@@ -471,8 +470,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -469,8 +468,9 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = true;
info->negotiate_done =
process_negotiation_response(response, wc->byte_len);
/* SMBD data transfer packet */
case SMBD_TRANSFER_DATA:
-@@ -529,14 +529,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -527,14 +527,16 @@ static void recv_done(struct ib_cq *cq,
}
return;
}
static struct rdma_cm_id *smbd_create_id(
---
-2.39.5
-
+++ /dev/null
-From e26f98680a660d6f6d9fd99187620c43e2c7007f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Aug 2025 14:10:12 +0200
-Subject: smb: client: let send_done() cleanup before calling
- smbd_disconnect_rdma_connection()
-
-From: Stefan Metzmacher <metze@samba.org>
-
-[ Upstream commit 5349ae5e05fa37409fd48a1eb483b199c32c889b ]
-
-We should call ib_dma_unmap_single() and mempool_free() before calling
-smbd_disconnect_rdma_connection().
-
-And smbd_disconnect_rdma_connection() needs to be the last function to
-call as all other state might already be gone after it returns.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/smb/client/smbdirect.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 754e94a0e07f..e99e783f1b0e 100644
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -281,18 +281,20 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
- log_rdma_send(INFO, "smbd_request 0x%p completed wc->status=%d\n",
- request, wc->status);
-
-- if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-- wc->status, wc->opcode);
-- smbd_disconnect_rdma_connection(request->info);
-- }
--
- for (i = 0; i < request->num_sge; i++)
- ib_dma_unmap_single(sc->ib.dev,
- request->sge[i].addr,
- request->sge[i].length,
- DMA_TO_DEVICE);
-
-+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-+ log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-+ wc->status, wc->opcode);
-+ mempool_free(request, info->request_mempool);
-+ smbd_disconnect_rdma_connection(info);
-+ return;
-+ }
-+
- if (atomic_dec_and_test(&request->info->send_pending))
- wake_up(&request->info->wait_send_pending);
-
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 11 +++++++++--
+ fs/smb/client/smbdirect.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 0ab490c0a9b0..5690e8b3d101 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1057,6 +1057,7 @@ static int smbd_post_recv(
+@@ -1055,6 +1055,7 @@ static int smbd_post_recv(
if (rc) {
ib_dma_unmap_single(sc->ib.dev, response->sge.addr,
response->sge.length, DMA_FROM_DEVICE);
smbd_disconnect_rdma_connection(info);
log_rdma_recv(ERR, "ib_post_recv failed rc=%d\n", rc);
}
-@@ -1186,8 +1187,13 @@ static void put_receive_buffer(
+@@ -1184,8 +1185,13 @@ static void put_receive_buffer(
struct smbdirect_socket *sc = &info->socket;
unsigned long flags;
spin_lock_irqsave(&info->receive_queue_lock, flags);
list_add_tail(&response->list, &info->receive_queue);
-@@ -1221,6 +1227,7 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1219,6 +1225,7 @@ static int allocate_receive_buffers(stru
goto allocate_failed;
response->info = info;
list_add_tail(&response->list, &info->receive_queue);
info->count_receive_queue++;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/cifs_debug.c | 6 ++--
- fs/smb/client/smbdirect.c | 62 +++-----------------------------------
- fs/smb/client/smbdirect.h | 4 ---
+ fs/smb/client/cifs_debug.c | 6 +---
+ fs/smb/client/smbdirect.c | 62 +++------------------------------------------
+ fs/smb/client/smbdirect.h | 4 --
3 files changed, 7 insertions(+), 65 deletions(-)
-diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c
-index 3fdf75737d43..d1acde844326 100644
--- a/fs/smb/client/cifs_debug.c
+++ b/fs/smb/client/cifs_debug.c
-@@ -432,10 +432,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v)
+@@ -432,10 +432,8 @@ static int cifs_debug_data_proc_show(str
server->smbd_conn->receive_credit_target);
seq_printf(m, "\nPending send_pending: %x ",
atomic_read(&server->smbd_conn->send_pending));
seq_printf(m, "\nMR responder_resources: %x "
"max_frmr_depth: %x mr_type: %x",
server->smbd_conn->responder_resources,
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index e99e783f1b0e..0ab490c0a9b0 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -13,8 +13,6 @@
static void enqueue_reassembly(
struct smbd_connection *info,
struct smbd_response *response, int data_length);
-@@ -393,7 +389,6 @@ static bool process_negotiation_response(
+@@ -391,7 +387,6 @@ static bool process_negotiation_response
static void smbd_post_send_credits(struct work_struct *work)
{
int ret = 0;
int rc;
struct smbd_response *response;
struct smbd_connection *info =
-@@ -409,18 +404,9 @@ static void smbd_post_send_credits(struct work_struct *work)
+@@ -407,18 +402,9 @@ static void smbd_post_send_credits(struc
if (info->receive_credit_target >
atomic_read(&info->receive_credits)) {
while (true) {
response->type = SMBD_TRANSFER_DATA;
response->first_segment = false;
-@@ -511,7 +497,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -509,7 +495,7 @@ static void recv_done(struct ib_cq *cq,
response,
data_length);
} else
if (data_length)
wake_up_interruptible(&info->wait_reassembly_queue);
-@@ -1115,17 +1101,6 @@ static int smbd_negotiate(struct smbd_connection *info)
+@@ -1113,17 +1099,6 @@ static int smbd_negotiate(struct smbd_co
return rc;
}
/*
* Implement Connection.FragmentReassemblyBuffer defined in [MS-SMBD] 3.1.1.1
* This is a queue for reassembling upper layer payload and present to upper
-@@ -1174,25 +1149,6 @@ static struct smbd_response *_get_first_reassembly(struct smbd_connection *info)
+@@ -1172,25 +1147,6 @@ static struct smbd_response *_get_first_
return ret;
}
/*
* Get a receive buffer
* For each remote send, we need to post a receive. The receive buffers are
-@@ -1257,10 +1213,6 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1255,10 +1211,6 @@ static int allocate_receive_buffers(stru
spin_lock_init(&info->receive_queue_lock);
info->count_receive_queue = 0;
init_waitqueue_head(&info->wait_receive_queues);
for (i = 0; i < num_buf; i++) {
-@@ -1294,9 +1246,6 @@ static void destroy_receive_buffers(struct smbd_connection *info)
+@@ -1292,9 +1244,6 @@ static void destroy_receive_buffers(stru
while ((response = get_receive_buffer(info)))
mempool_free(response, info->response_mempool);
}
/* Implement idle connection timer [MS-SMBD] 3.1.6.2 */
-@@ -1383,8 +1332,7 @@ void smbd_destroy(struct TCP_Server_Info *server)
+@@ -1381,8 +1330,7 @@ void smbd_destroy(struct TCP_Server_Info
log_rdma_event(INFO, "free receive buffers\n");
wait_event(info->wait_receive_queues,
destroy_receive_buffers(info);
/*
-diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h
-index 75b3f491c3ad..ea04ce8a9763 100644
--- a/fs/smb/client/smbdirect.h
+++ b/fs/smb/client/smbdirect.h
@@ -110,10 +110,6 @@ struct smbd_connection {
wait_queue_head_t wait_receive_queues;
/* Reassembly queue */
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 6 ++++--
+ fs/smb/client/smbdirect.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 47f2a6cc1c0c..60b160219f0a 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1636,8 +1636,10 @@ static struct smbd_connection *_smbd_get_connection(
+@@ -1634,8 +1634,10 @@ static struct smbd_connection *_smbd_get
goto rdma_connect_failed;
}
if (sc->status != SMBDIRECT_SOCKET_CONNECTED) {
log_rdma_event(ERR, "rdma_connect failed port=%d\n", port);
---
-2.39.5
-
smb-client-correct-typos-in-multiple-comments-across.patch
smb-smbdirect-add-smbdirect_socket.h.patch
smb-client-make-use-of-common-smbdirect_socket.patch
-smb-client-let-send_done-cleanup-before-calling-smbd.patch
smb-client-make-sure-we-call-ib_dma_unmap_single-onl.patch
smb-client-let-recv_done-cleanup-before-notifying-th.patch
pptp-fix-pptp_xmit-error-path.patch
mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
-smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
+++ /dev/null
-From 8b2b8a6a5827848250c0caf075b23256bab4ac88 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 12 Aug 2025 18:45:06 +0200
-Subject: smb: client: don't wait for info->send_pending == 0 on error
-
-From: Stefan Metzmacher <metze@samba.org>
-
-commit 8b2b8a6a5827848250c0caf075b23256bab4ac88 upstream.
-
-We already called ib_drain_qp() before and that makes sure
-send_done() was called with IB_WC_WR_FLUSH_ERR, but
-didn't called atomic_dec_and_test(&sc->send_io.pending.count)
-
-So we may never reach the info->send_pending == 0 condition.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: 5349ae5e05fa ("smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/smb/client/smbdirect.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -1338,10 +1338,6 @@ void smbd_destroy(struct TCP_Server_Info
- log_rdma_event(INFO, "cancelling idle timer\n");
- cancel_delayed_work_sync(&info->idle_timer_work);
-
-- log_rdma_event(INFO, "wait for all send posted to IB to finish\n");
-- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
--
- /* It's not possible for upper layer to get to reassembly */
- log_rdma_event(INFO, "drain the reassembly queue\n");
- do {
-@@ -2053,7 +2049,11 @@ int smbd_send(struct TCP_Server_Info *se
- */
-
- wait_event(info->wait_send_pending,
-- atomic_read(&info->send_pending) == 0);
-+ atomic_read(&info->send_pending) == 0 ||
-+ sc->status != SMBDIRECT_SOCKET_CONNECTED);
-+
-+ if (sc->status != SMBDIRECT_SOCKET_CONNECTED && rc == 0)
-+ rc = -EAGAIN;
-
- return rc;
- }
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 14 ++++++++------
+ fs/smb/client/smbdirect.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 49aafb58c7df..c7f4eb8c9a10 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -467,7 +467,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -465,7 +465,6 @@ static void recv_done(struct ib_cq *cq,
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
log_rdma_recv(INFO, "wc->status=%d opcode=%d\n",
wc->status, wc->opcode);
goto error;
}
-@@ -484,8 +483,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -482,8 +481,9 @@ static void recv_done(struct ib_cq *cq,
info->full_packet_received = true;
info->negotiate_done =
process_negotiation_response(response, wc->byte_len);
/* SMBD data transfer packet */
case SMBD_TRANSFER_DATA:
-@@ -542,14 +542,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+@@ -540,14 +540,16 @@ static void recv_done(struct ib_cq *cq,
}
return;
}
static struct rdma_cm_id *smbd_create_id(
---
-2.39.5
-
+++ /dev/null
-From 850451f27cf8795d3ac0df4540d82a062f8c0752 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Aug 2025 14:10:12 +0200
-Subject: smb: client: let send_done() cleanup before calling
- smbd_disconnect_rdma_connection()
-
-From: Stefan Metzmacher <metze@samba.org>
-
-[ Upstream commit 5349ae5e05fa37409fd48a1eb483b199c32c889b ]
-
-We should call ib_dma_unmap_single() and mempool_free() before calling
-smbd_disconnect_rdma_connection().
-
-And smbd_disconnect_rdma_connection() needs to be the last function to
-call as all other state might already be gone after it returns.
-
-Cc: Steve French <smfrench@gmail.com>
-Cc: Tom Talpey <tom@talpey.com>
-Cc: Long Li <longli@microsoft.com>
-Cc: linux-cifs@vger.kernel.org
-Cc: samba-technical@lists.samba.org
-Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/smb/client/smbdirect.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 8d215b207dcc..9aef85f3cf11 100644
---- a/fs/smb/client/smbdirect.c
-+++ b/fs/smb/client/smbdirect.c
-@@ -282,18 +282,20 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
- log_rdma_send(INFO, "smbd_request 0x%p completed wc->status=%d\n",
- request, wc->status);
-
-- if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-- wc->status, wc->opcode);
-- smbd_disconnect_rdma_connection(request->info);
-- }
--
- for (i = 0; i < request->num_sge; i++)
- ib_dma_unmap_single(sc->ib.dev,
- request->sge[i].addr,
- request->sge[i].length,
- DMA_TO_DEVICE);
-
-+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
-+ log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
-+ wc->status, wc->opcode);
-+ mempool_free(request, info->request_mempool);
-+ smbd_disconnect_rdma_connection(info);
-+ return;
-+ }
-+
- if (atomic_dec_and_test(&request->info->send_pending))
- wake_up(&request->info->wait_send_pending);
-
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 11 +++++++++--
+ fs/smb/client/smbdirect.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index 9aef85f3cf11..49aafb58c7df 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1043,6 +1043,7 @@ static int smbd_post_recv(
+@@ -1041,6 +1041,7 @@ static int smbd_post_recv(
if (rc) {
ib_dma_unmap_single(sc->ib.dev, response->sge.addr,
response->sge.length, DMA_FROM_DEVICE);
smbd_disconnect_rdma_connection(info);
log_rdma_recv(ERR, "ib_post_recv failed rc=%d\n", rc);
}
-@@ -1202,8 +1203,13 @@ static void put_receive_buffer(
+@@ -1200,8 +1201,13 @@ static void put_receive_buffer(
struct smbdirect_socket *sc = &info->socket;
unsigned long flags;
spin_lock_irqsave(&info->receive_queue_lock, flags);
list_add_tail(&response->list, &info->receive_queue);
-@@ -1241,6 +1247,7 @@ static int allocate_receive_buffers(struct smbd_connection *info, int num_buf)
+@@ -1239,6 +1245,7 @@ static int allocate_receive_buffers(stru
goto allocate_failed;
response->info = info;
list_add_tail(&response->list, &info->receive_queue);
info->count_receive_queue++;
}
---
-2.39.5
-
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/smb/client/smbdirect.c | 6 ++++--
+ fs/smb/client/smbdirect.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
-index c7f4eb8c9a10..71aef565db5f 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
-@@ -1647,8 +1647,10 @@ static struct smbd_connection *_smbd_get_connection(
+@@ -1645,8 +1645,10 @@ static struct smbd_connection *_smbd_get
goto rdma_connect_failed;
}
if (sc->status != SMBDIRECT_SOCKET_CONNECTED) {
log_rdma_event(ERR, "rdma_connect failed port=%d\n", port);
---
-2.39.5
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
