ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()

Al Viro · smfrench · commit 277627b431a0 · 2025-07-08T11:25:44.000-05:00
If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path references and return an error. We need to drop the write access we just got on parent_path->mnt before we drop the mount reference - callers assume that ksmbd_vfs_kern_path_locked() returns with mount write access grabbed if and only if it has returned 0. Fixes: 864fb5d ("ksmbd: fix possible deadlock in smb2_open") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
@@ -1282,6 +1282,7 @@ int ksmbd_vfs_kern_path_locked(struct ksmbd_work *work, char *name,
 
 		err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
 		if (err) {
+			mnt_drop_write(parent_path->mnt);
 			path_put(path);
 			path_put(parent_path);
 		}

Original file line number	Diff line number	Diff line change
`@@ -1282,6 +1282,7 @@ int ksmbd_vfs_kern_path_locked(struct ksmbd_work work, char name,`
`1282`	`1282`
`1283`	`1283`	`err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);`
`1284`	`1284`	`if (err) {`
	`1285`	`+ mnt_drop_write(parent_path->mnt);`
`1285`	`1286`	`path_put(path);`
`1286`	`1287`	`path_put(parent_path);`
`1287`	`1288`	`}`