ksmbd: destroy async_ida in ksmbd_conn_free()
authorDaeMyung Kang <charsyam@gmail.com>
Sun, 19 Apr 2026 11:02:55 +0000 (20:02 +0900)
committerSteve French <stfrench@microsoft.com>
Wed, 22 Apr 2026 13:11:23 +0000 (08:11 -0500)
When per-connection async_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from the connection teardown path but no matching
ida_destroy() was added.  The connection is therefore freed with the
IDA's backing xarray still intact.

The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
connection is freed.

No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.

Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/connection.c

index b5e077f272cffc920b0b0442299377b8bba89eab..fbbc0529743f8b264c9d2123f0dfaf50356c0219 100644 (file)
@@ -98,6 +98,15 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
        kfree(conn->preauth_info);
        kfree(conn->mechToken);
        if (atomic_dec_and_test(&conn->refcnt)) {
+               /*
+                * async_ida is embedded in struct ksmbd_conn, so pair
+                * ida_destroy() with the final kfree() rather than with
+                * the unconditional field teardown above.  This keeps
+                * the IDA valid for the entire lifetime of the struct,
+                * even while other refcount holders (oplock / vfs
+                * durable handles) still reference the connection.
+                */
+               ida_destroy(&conn->async_ida);
                conn->transport->ops->free_transport(conn->transport);
                kfree(conn);
        }
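Review bot: `ida_destroy(&conn->async_ida)` runs only when ksmbd_conn_free() itself drops the last reference, so if one of the other holders named in the new comment (oplock / vfs durable handles) releases the final reference through a different path, the connection would presumably still be freed with the IDA not destroyed. Those release paths are not visible in this hunk, so confirm they reach the same teardown; a single release helper that performs ida_destroy(), free_transport() and kfree() would keep the pairing in one place. Separately, the unconditional `kfree(conn->preauth_info);` and `kfree(conn->mechToken);` above the refcount test leave dangling pointers in a struct that can outlive this call, so following them with `conn->preauth_info = NULL;` and `conn->mechToken = NULL;` would guard against a later use-after-free or double free. The body of ksmbd_conn_free() starts and ends outside the hunk.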