From: Stefan Metzmacher metze@samba.org

[ Upstream commit daac51c7032036a0ca5f1aa419ad1b0471d1c6e0 ]

During tests of another unrelated patch I was able to trigger this error: Objects remaining on __kmem_cache_shutdown()

Cc: Steve French smfrench@gmail.com Cc: Tom Talpey tom@talpey.com Cc: Long Li longli@microsoft.com Cc: Namjae Jeon linkinjeon@kernel.org Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") Signed-off-by: Stefan Metzmacher metze@samba.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Sasha Levin sashal@kernel.org [Andrey Troshin: backport fix from fs/cifs/smbdirect.c to fs/smb/client/smbdirect.c] Signed-off-by: Andrey Troshin drtrosh@yandex-team.ru --- Backport fix for CVE-2025-39929 Link: https://nvd.nist.gov/vuln/detail/CVE-2025-39929 --- fs/cifs/smbdirect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c index ae332f3771f6..e273f3b9efcb 100644 --- a/fs/cifs/smbdirect.c +++ b/fs/cifs/smbdirect.c @@ -1083,8 +1083,10 @@ static int smbd_negotiate(struct smbd_connection *info) log_rdma_event(INFO, "smbd_post_recv rc=%d iov.addr=%llx iov.length=%x iov.lkey=%x\n", rc, response->sge.addr, response->sge.length, response->sge.lkey); - if (rc) + if (rc) { + put_receive_buffer(info, response); return rc; + }

init_completion(&info->negotiate_completion); info->negotiate_done = false;