From: DaeMyung Kang Date: Sun, 19 Apr 2026 11:02:55 +0000 (+0900) Subject: ksmbd: destroy async_ida in ksmbd_conn_free() X-Git-Tag: v7.1-rc1~34^2~6 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=b32c8db48212a34998c36d0bbc05b29d5c407ef5;p=thirdparty%2Fkernel%2Flinux.git ksmbd: destroy async_ida in ksmbd_conn_free() When per-connection async_ida was converted from a dynamically allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was removed from the connection teardown path but no matching ida_destroy() was added. The connection is therefore freed with the IDA's backing xarray still intact. The kernel IDA API expects ida_init() and ida_destroy() to be paired over an object's lifetime, so add the missing cleanup before the connection is freed. No leak has been observed in testing; this is a pairing fix to match the IDA lifetime rules, not a response to a reproduced regression. Fixes: d40012a83f87 ("cifsd: declare ida statically") Signed-off-by: DaeMyung Kang Acked-by: Namjae Jeon Signed-off-by: Steve French --- diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index b5e077f272cf..fbbc0529743f 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -98,6 +98,15 @@ void ksmbd_conn_free(struct ksmbd_conn *conn) kfree(conn->preauth_info); kfree(conn->mechToken); if (atomic_dec_and_test(&conn->refcnt)) { + /* + * async_ida is embedded in struct ksmbd_conn, so pair + * ida_destroy() with the final kfree() rather than with + * the unconditional field teardown above. This keeps + * the IDA valid for the entire lifetime of the struct, + * even while other refcount holders (oplock / vfs + * durable handles) still reference the connection. + */ + ida_destroy(&conn->async_ida); conn->transport->ops->free_transport(conn->transport); kfree(conn); }