Commit b32c8db4 authored by DaeMyung Kang, committed by Steve French

ksmbd: destroy async_ida in ksmbd_conn_free()



When per-connection async_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from the connection teardown path but no matching
ida_destroy() was added.  The connection is therefore freed with the
IDA's backing xarray still intact.

The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
connection is freed.

No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.

Fixes: d40012a8 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent c049ee14
+9 −0
@@ -98,6 +98,15 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
	kfree(conn->preauth_info);
	kfree(conn->mechToken);
	if (atomic_dec_and_test(&conn->refcnt)) {
		/*
		 * async_ida is embedded in struct ksmbd_conn, so pair
		 * ida_destroy() with the final kfree() rather than with
		 * the unconditional field teardown above.  This keeps
		 * the IDA valid for the entire lifetime of the struct,
		 * even while other refcount holders (oplock / vfs
		 * durable handles) still reference the connection.
		 */
		ida_destroy(&conn->async_ida);
		conn->transport->ops->free_transport(conn->transport);
		kfree(conn);
	}
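Review bot: ida_destroy(&conn->async_ida) in the final-put branch runs with no check that every async ID was released, so an ID that was allocated and never freed would be discarded here without any trace. Consider adding WARN_ON_ONCE(!ida_is_empty(&conn->async_ida)) just before the call so an unbalanced allocation shows up in testing. Since the new comment contrasts this call with the unconditional kfree(conn->preauth_info) and kfree(conn->mechToken) above, it would also help to say in one line why those two frees are safe while other refcount holders still reference the connection.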