
Linux Kernel: cifs: release auth_key.response for reconnect

CIFS Session Reconnection Memory Leak Fix

This Linux kernel change addresses a memory leak in the CIFS client code where auth_key.response was not being freed during session reconnection. The fix ensures that any existing authentication key response is released before setting up a new session, preventing memory exhaustion over repeated reconnect cycles.

The Problem

When a CIFS mount encounters a connection error and triggers a reconnection attempt, there’s a race condition that can leave allocated memory unreleased:

  1. cifs_mount initiates connection setup
  2. cifs_get_tcp_session starts the read thread (cifs_demultiplex_thread)
  3. Socket read fails with -ECONNABORTED, triggering smb2_reconnect_server
  4. Meanwhile, cifs_setup_session has already allocated memory for auth_key.response
  5. During reconnect, cifs_setup_session runs again without freeing the previous allocation
  6. The old auth_key.response is never released until the session is destroyed

This pattern repeats on every reconnection, leading to incremental memory leaks visible in production systems with unstable network connections.

The Solution

The fix adds a cleanup check at the beginning of cifs_setup_session to detect and free any existing auth_key.response before allocating a new one:

if (ses->auth_key.response) {
    cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
         ses->auth_key.response);
    kfree(ses->auth_key.response);
    ses->auth_key.response = NULL;
    ses->auth_key.len = 0;
}

This executes immediately after security mode checks and before invoking the session setup operations (server->ops->sess_setup).
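The leak and its fix, as an added user-space model that is not kernel code: cifs_ses, setup_ntlmv2_rsp and the live_allocs counter are stand-ins for the kernel structures the article names, and leaked_after_reconnects reports how many response buffers survive a session teardown after n reconnect cycles.

```c
/* Added example, not kernel code: a user-space model of the cifs_setup_session leak.
 * Names mirror the article; malloc/free stand in for kmalloc/kfree. */
#include <stdlib.h>

struct cifs_ses { struct { unsigned char *response; unsigned int len; } auth_key; };

/* Number of auth_key.response buffers allocated and not yet freed. */
static int live_allocs;

/* Stand-in for setup_ntlmv2_rsp(): allocate a fresh NTLMv2 response blob. */
static int setup_ntlmv2_rsp(struct cifs_ses *ses)
{
    ses->auth_key.response = calloc(1, 64);
    if (!ses->auth_key.response)
        return -1;
    ses->auth_key.len = 64;
    live_allocs++;
    return 0;
}

/* Pre-fix behaviour: every (re)connect allocates without freeing the old blob. */
static int setup_session_leaky(struct cifs_ses *ses)
{
    return setup_ntlmv2_rsp(ses);
}

/* Fixed behaviour: release any previous response before the new handshake. */
static int setup_session_fixed(struct cifs_ses *ses)
{
    if (ses->auth_key.response) {
        free(ses->auth_key.response);
        live_allocs--;
        ses->auth_key.response = NULL;
        ses->auth_key.len = 0;
    }
    return setup_ntlmv2_rsp(ses);
}

/* Run n connect/reconnect cycles, tear the session down, and return how many
 * blobs are still live; a correct implementation returns 0, the leaky one n-1. */
static int leaked_after_reconnects(int (*setup)(struct cifs_ses *), int n)
{
    struct cifs_ses ses = {0};
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        if (setup(&ses))
            return -1;
    /* Session teardown frees only the current pointer, as the kernel does. */
    free(ses.auth_key.response);
    live_allocs--;
    return live_allocs;
}
```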

Where auth_key.response Gets Allocated

The auth_key.response buffer is allocated deep in the authentication flow:

  • cifs_setup_session → SMB2_sess_setup → SMB2_sess_auth_rawntlmssp_authenticate → build_ntlmssp_auth_blob → setup_ntlmv2_rsp

The allocation happens as part of NTLMv2 response generation during the authentication handshake. Without the cleanup fix, reconnections would accumulate these allocations.

Key Details

The fix clears both the pointer and the length field (ses->auth_key.len = 0), ensuring the session state is clean. The debug message logs the freed address for diagnostic purposes.

This patch was marked for stable kernels given its impact on production systems, particularly those with:

  • Unstable network connections requiring frequent reconnects
  • Long-running CIFS mounts that may experience transient connection failures
  • Memory-constrained systems where leaks accumulate visibly

The change is minimal and safe — it only adds cleanup before reallocation, following standard kernel resource management patterns. Systems without reconnection events are unaffected.
