smb/server: Fix another refcount leak in smb2_open()

groeck · smfrench · commit c15e7c62feb3 · 2026-03-08T21:28:38.000-05:00
If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work, fp) will not be called. However, dh_info.fp was already inserted into the session file table by ksmbd_reopen_durable_fd(), so it will leak in the session file table until the session is closed. Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the problem. Found by an experimental AI code review agent at Google. Fixes: c8efcc7 ("ksmbd: add support for durable handles v1/v2") Signed-off-by: Guenter Roeck <linux@roeck-us.net> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
@@ -3012,13 +3012,14 @@ int smb2_open(struct ksmbd_work *work)
 				goto err_out2;
 			}
 
+			fp = dh_info.fp;
+
 			if (ksmbd_override_fsids(work)) {
 				rc = -ENOMEM;
 				ksmbd_put_durable_fd(dh_info.fp);
 				goto err_out2;
 			}
 
-			fp = dh_info.fp;
 			file_info = FILE_OPENED;
 
 			rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);

Original file line number	Diff line number	Diff line change
`@@ -3012,13 +3012,14 @@ int smb2_open(struct ksmbd_work *work)`
`3012`	`3012`	`goto err_out2;`
`3013`	`3013`	`}`
`3014`	`3014`
	`3015`	`+ fp = dh_info.fp;`
	`3016`	`+`
`3015`	`3017`	`if (ksmbd_override_fsids(work)) {`
`3016`	`3018`	`rc = -ENOMEM;`
`3017`	`3019`	`ksmbd_put_durable_fd(dh_info.fp);`
`3018`	`3020`	`goto err_out2;`
`3019`	`3021`	`}`
`3020`	`3022`
`3021`		`- fp = dh_info.fp;`
`3022`	`3023`	`file_info = FILE_OPENED;`
`3023`	`3024`
`3024`	`3025`	`rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);`