From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 13 Aug 2025 08:00:28 +0000 (+0200)
Subject: 6.15-stable patches
X-Git-Tag: v6.1.148~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=55daf510d004ceed2d403aff95b2370a7057ea1f;p=thirdparty%2Fkernel%2Fstable-queue.git

6.15-stable patches

added patches:
	smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
---

diff --git a/queue-6.15/series b/queue-6.15/series
index 43adcaf5b0..27d9302459 100644
--- a/queue-6.15/series
+++ b/queue-6.15/series
@@ -478,3 +478,4 @@ hid-core-harden-s32ton-against-conversion-to-0-bits.patch
 hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch
 usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
 mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped.patch
+smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
diff --git a/queue-6.15/smb-client-don-t-wait-for-info-send_pending-0-on-error.patch b/queue-6.15/smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
new file mode 100644
index 0000000000..43a256a330
--- /dev/null
+++ b/queue-6.15/smb-client-don-t-wait-for-info-send_pending-0-on-error.patch
@@ -0,0 +1,54 @@
+From 8b2b8a6a5827848250c0caf075b23256bab4ac88 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 12 Aug 2025 18:45:06 +0200
+Subject: smb: client: don't wait for info->send_pending == 0 on error
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit 8b2b8a6a5827848250c0caf075b23256bab4ac88 upstream.
+
+We already called ib_drain_qp() before and that makes sure
+send_done() was called with IB_WC_WR_FLUSH_ERR, but
+didn't called atomic_dec_and_test(&sc->send_io.pending.count)
+
+So we may never reach the info->send_pending == 0 condition.
+
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: Long Li <longli@microsoft.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Fixes: 5349ae5e05fa ("smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()")
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smbdirect.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/client/smbdirect.c
++++ b/fs/smb/client/smbdirect.c
+@@ -1316,10 +1316,6 @@ void smbd_destroy(struct TCP_Server_Info
+ 	log_rdma_event(INFO, "cancelling idle timer\n");
+ 	cancel_delayed_work_sync(&info->idle_timer_work);
+ 
+-	log_rdma_event(INFO, "wait for all send posted to IB to finish\n");
+-	wait_event(info->wait_send_pending,
+-		atomic_read(&info->send_pending) == 0);
+-
+ 	/* It's not possible for upper layer to get to reassembly */
+ 	log_rdma_event(INFO, "drain the reassembly queue\n");
+ 	do {
+@@ -1965,7 +1961,11 @@ int smbd_send(struct TCP_Server_Info *se
+ 	 */
+ 
+ 	wait_event(info->wait_send_pending,
+-		atomic_read(&info->send_pending) == 0);
++		atomic_read(&info->send_pending) == 0 ||
++		sc->status != SMBDIRECT_SOCKET_CONNECTED);
++
++	if (sc->status != SMBDIRECT_SOCKET_CONNECTED && rc == 0)
++		rc = -EAGAIN;
+ 
+ 	return rc;
+ }