6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jul 2025 09:12:19 +0000 (11:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jul 2025 09:12:19 +0000 (11:12 +0200)
added patches:
ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
smb-server-make-use-of-rdma_destroy_qp.patch

queue-6.1/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/smb-server-make-use-of-rdma_destroy_qp.patch [new file with mode: 0644]

diff --git a/queue-6.1/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch b/queue-6.1/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
new file mode 100644 (file)
index 0000000..fd865bf
--- /dev/null
@@ -0,0 +1,34 @@
+From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 6 Jul 2025 02:26:45 +0100
+Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream.
+
+If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path
+references and return an error.  We need to drop the write access we
+just got on parent_path->mnt before we drop the mount reference - callers
+assume that ksmbd_vfs_kern_path_locked() returns with mount write
+access grabbed if and only if it has returned 0.
+
+Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -1283,6 +1283,7 @@ out1:
+               err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
+               if (err) {
++                      mnt_drop_write(parent_path->mnt);
+                       path_put(path);
+                       path_put(parent_path);
+               }
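Review bot: The added `mnt_drop_write(parent_path->mnt)` in the `out1:` error branch has no visible counterpart in this hunk, so the pairing is easy to break in a later edit; the acquisition it undoes (presumably a `mnt_want_write()` call) sits above the context lines. A short comment on the new line would pin the invariant the commit message states, for example `/* undo the write access taken above; callers hold it only when we return 0 */`. The order is right as written: the write count is released before `path_put(parent_path)` drops the mount reference. For the 6.1 queue it is worth confirming that the commit named in the Fixes: tag is present in the target tree, since the hunk does not show the acquisition. The enclosing function starts and ends outside the hunk.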
index 5bd88623f12fd71ae9d24b33f2a8c7d7c7e8ec86..4d1c347f177eb67839a93ff67fc13c9f93f86d45 100644 (file)
@@ -38,3 +38,5 @@ revert-acpi-battery-negate-current-when-discharging.patch
 kallsyms-fix-build-without-execinfo.patch
 maple_tree-fix-mt_destroy_walk-on-root-leaf-node.patch
 pwm-mediatek-ensure-to-disable-clocks-in-error-path.patch
+smb-server-make-use-of-rdma_destroy_qp.patch
+ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
diff --git a/queue-6.1/smb-server-make-use-of-rdma_destroy_qp.patch b/queue-6.1/smb-server-make-use-of-rdma_destroy_qp.patch
new file mode 100644 (file)
index 0000000..27d420c
--- /dev/null
@@ -0,0 +1,67 @@
+From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 2 Jul 2025 09:18:05 +0200
+Subject: smb: server: make use of rdma_destroy_qp()
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 upstream.
+
+The qp is created by rdma_create_qp() as t->cm_id->qp
+and t->qp is just a shortcut.
+
+rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally,
+but it is protected by a mutex, clears the cm_id and also calls
+trace_cm_qp_destroy().
+
+This should make the tracing more useful as both
+rdma_create_qp() and rdma_destroy_qp() are traces and it makes
+the code look more sane as functions from the same layer are used
+for the specific qp object.
+
+trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy
+shows this now while doing a mount and unmount from a client:
+
+  <...>-80   [002] 378.514182: cm_qp_create:  cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0
+  <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1
+
+Before we only saw the first line.
+
+Cc: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <stfrench@microsoft.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Hyunchul Lee <hyc.lee@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Tom Talpey <tom@talpey.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_rdma.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -426,7 +426,8 @@ static void free_transport(struct smb_di
+       if (t->qp) {
+               ib_drain_qp(t->qp);
+               ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs);
+-              ib_destroy_qp(t->qp);
++              t->qp = NULL;
++              rdma_destroy_qp(t->cm_id);
+       }
+       ksmbd_debug(RDMA, "drain the reassembly queue\n");
+@@ -1934,8 +1935,8 @@ static int smb_direct_create_qpair(struc
+       return 0;
+ err:
+       if (t->qp) {
+-              ib_destroy_qp(t->qp);
+               t->qp = NULL;
++              rdma_destroy_qp(t->cm_id);
+       }
+       if (t->recv_cq) {
+               ib_destroy_cq(t->recv_cq);
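Review bot: Both new `rdma_destroy_qp(t->cm_id)` calls are guarded only by `if (t->qp)`, although the function they call operates on the cm_id, so the code now relies on a non-NULL `t->qp` implying a live `t->cm_id`. The commit message states that relationship (t->qp is a shortcut for t->cm_id->qp) but the code does not. A one-line comment at the site in `free_transport()` would record it, for example `/* t->qp aliases t->cm_id->qp: clear the alias, then destroy through the cm_id */`, and the same applies to the `err:` path of `smb_direct_create_qpair()`. Clearing `t->qp` before the destroy is the right order, since it leaves no stale pointer for a later teardown step to act on. Both functions continue outside the hunks, so the page does not show whether `t->cm_id` is released only after these calls.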