[PATCH 0/2] ksmbd: pair ida_init() with ida_destroy() in cleanup paths

From: DaeMyung Kang

Date: Sun Apr 19 2026 - 07:03:11 EST


Two small IDA cleanup fixes. Both instances share the same history:
when the per-object IDA was converted from a dynamically allocated
ksmbd_ida (which had ksmbd_ida_free() called at destruction) to an
embedded struct ida initialised with ida_init(), the matching
ida_destroy() was not added to the teardown path. The enclosing
object is freed with the IDA's backing xarray still intact.

1/2 ksmbd_session_destroy() frees the session without destroying
sess->tree_conn_ida. This patch also moves ida_init() to
right after the session allocation so that the init/destroy
pairing holds on the early error paths of __session_create()
as well.

2/2 ksmbd_conn_free() frees the connection without destroying
conn->async_ida. ksmbd_conn_alloc() has no failure path
after ida_init(), so no init-site move is required. The
destroy is placed inside the final refcount branch (next to
kfree(conn)) rather than with the unconditional field teardown
because async_ida is embedded in struct ksmbd_conn and its
storage must stay valid while other refcount holders
(oplock / vfs durable handles) still reference the struct.

No leak has been observed in testing; both are pairing fixes to match
IDA lifetime rules, not responses to reproduced regressions. Cc: stable
is intentionally omitted for the same reason.

Tested on top of current linux-next inside virtme-ng with
CONFIG_PROVE_LOCKING, CONFIG_DEBUG_OBJECTS, CONFIG_DEBUG_KMEMLEAK,
CONFIG_DEBUG_ATOMIC_SLEEP and CONFIG_FAILSLAB enabled. Exercises:

* 25x mount / umount via loopback cifs client with 3% failslab
injection to cover ksmbd_init_file_table() and
__init_smb2_session() failures on the __session_create() error
path (which now reaches ksmbd_session_destroy() with an
already-initialised tree_conn_ida).
* Concurrent 32 MiB SMB2 reads followed by ksmbd.control
--shutdown to drive async request teardown.
* rmmod ksmbd afterwards.

No splats (BUG:, WARNING:, UBSAN, ODEBUG, task hung, inconsistent
lock, suspicious RCU) and no kmemleak unreferenced objects.

DaeMyung Kang (2):
ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
ksmbd: destroy async_ida in ksmbd_conn_free()

 fs/smb/server/connection.c        | 9 +++++++++
 fs/smb/server/mgmt/user_session.c | 5 +++--
 2 files changed, 12 insertions(+), 2 deletions(-)

--
2.43.0
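As an added illustration (not code from this series or from ksmbd), a userspace model of the init/destroy pairing that patch 1/2 restores: the kernel IDA is mocked by a live counter, the names session_create, session_destroy and leaked_idas_after_round_trip are assumed stand-ins for the ksmbd functions the cover letter names, and the round-trip check confirms no IDA outlives its session on either the success path or the injected early-failure path.

```c
/* Added illustration (not ksmbd code): userspace model of the
 * ida_init()/ida_destroy() pairing; the kernel IDA is mocked. */
#include <stdlib.h>
#include <stdbool.h>
static int live_idas;                    /* mock: IDAs initialised, not yet destroyed */
struct ida { bool live; };
static void ida_init(struct ida *ida)    { ida->live = true;  live_idas++; }
static void ida_destroy(struct ida *ida) { ida->live = false; live_idas--; }

struct session {
    struct ida tree_conn_ida;            /* embedded, as sess->tree_conn_ida is */
    void *file_table;                    /* stands in for the file table */
};

/* The one teardown path: it must be safe on any session whose IDA
 * was initialised, so ida_destroy() is paired here. */
static void session_destroy(struct session *sess)
{
    free(sess->file_table);              /* free(NULL) is fine on early failure */
    ida_destroy(&sess->tree_conn_ida);
    free(sess);
}

/* Model of __session_create(): ida_init() sits right after the
 * allocation, so every later error path reaches session_destroy()
 * with an initialised IDA.  fail_file_table injects the failure. */
static struct session *session_create(bool fail_file_table)
{
    struct session *sess = calloc(1, sizeof(*sess));
    if (!sess)
        return NULL;
    ida_init(&sess->tree_conn_ida);
    sess->file_table = fail_file_table ? NULL : malloc(64);
    if (!sess->file_table) {             /* ksmbd_init_file_table() failed */
        session_destroy(sess);
        return NULL;
    }
    return sess;
}

/* IDAs still live after a create/destroy round trip: a balanced
 * pairing returns 0 on both the success and the failure path. */
int leaked_idas_after_round_trip(bool fail_file_table)
{
    struct session *sess = session_create(fail_file_table);
    if (sess)
        session_destroy(sess);
    return live_idas;
}
```

Moving ida_init() above the first failure point is what makes the single destroy path correct; with ida_init() placed later, the failure branch would call ida_destroy() on an uninitialised IDA.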