ntsync: fix a file reference leak in drivers/misc/ntsync.c

	struct ntsync_obj contains a reference to struct file
and that reference contributes to refcount - ntsync_alloc_obj()
grabs it.  Normally the object is destroyed (and reference
to obj->file dropped) in ntsync_obj_release().  However, in
case of ntsync_obj_get_fd() failure the object is destroyed
directly by its creator.

	That case should also drop obj->file; plain kfree(obj)
is not enough there - it ends up leaking struct file * reference.

	Take that logics into a helper (ntsync_free_obj()) and
use it in both codepaths that destroy ntsync_obj instances.

Fixes: b46271e "ntsync: Introduce NTSYNC_IOC_CREATE_SEM"
Signed-off-by: Al Viro <[email protected]>
Reviewed-by: Elizabeth Figura <[email protected]>
Link: https://lore.kernel.org/r/20250115025002.GA1977892@ZenIV
Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Al Viro

drivers/misc/ntsync.c

@@ -651,13 +651,15 @@ static int ntsync_event_read(struct ntsync_obj *event, void __user *argp)
 	return 0;
 }
 
-static int ntsync_obj_release(struct inode *inode, struct file *file)
+static void ntsync_free_obj(struct ntsync_obj *obj)
 {
-	struct ntsync_obj *obj = file->private_data;
-
 	fput(obj->dev->file);
 	kfree(obj);
+}
 
+static int ntsync_obj_release(struct inode *inode, struct file *file)
+{
+	ntsync_free_obj(file->private_data);
 	return 0;
 }
 
@@ -755,7 +757,7 @@ static int ntsync_create_sem(struct ntsync_device *dev, void __user *argp)
 	sem->u.sem.max = args.max;
 	fd = ntsync_obj_get_fd(sem);
 	if (fd < 0)
-		kfree(sem);
+		ntsync_free_obj(sem);
 
 	return fd;
 }