From: ZhangGuoDong zhangguodong@kylinos.cn
[ Upstream commit 3296c3012a9d9a27e81e34910384e55a6ff3cff0 ]
When the command is a replay operation and -ENOEXEC is returned, the refcount of ksmbd_file must be released.
Signed-off-by: ZhangGuoDong zhangguodong@kylinos.cn
Signed-off-by: ChenXiaoSong chenxiaosong@kylinos.cn
Acked-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
### 3. CLASSIFICATION
- **Type**: Bug fix (refcount/memory leak)
- **Pattern**: Classic missed put() in error path
- **Severity**: Medium - causes memory leak affecting long-running servers
- **Not applicable**: No new features, no device IDs, no API changes
### 4. SCOPE AND RISK ASSESSMENT
| Aspect | Assessment |
|--------|------------|
| Lines changed | 1 (single line addition) |
| Files touched | 1 (fs/smb/server/smb2pdu.c) |
| Complexity | Very low - standard refcount balance fix |
| Risk of regression | Very low - only affects specific error path |
| Subsystem maturity | ksmbd is relatively mature with active maintenance |
### 5. USER IMPACT
- **Affected users**: Users of ksmbd (in-kernel SMB server)
- **Bug trigger**: When an SMB durable v2 open request is NOT a replay operation
- **Consequence**: Memory leak - `ksmbd_file` structures are not freed
- **Long-term impact**: Memory exhaustion on busy SMB servers over time
### 6. STABILITY INDICATORS
- **Acked-by**: Namjae Jeon (ksmbd maintainer) - authoritative
- **Fix pattern**: Textbook refcount leak fix - very well understood
- **Code path**: Clear and deterministic - when -ENOEXEC is returned, the reference must be released
### 7. DEPENDENCY CHECK
- **Self-contained**: Yes - no dependencies on other commits
- **Affected versions**: Introduced in v6.9-rc1 via commit c8efcc786146a
- **Applies to stable trees**: 6.9.y, 6.10.y, 6.11.y, 6.12.y, etc.
- **Clean backport**: Should apply cleanly to any tree containing c8efcc786146a
### Technical Analysis
The bug mechanism is straightforward:
1. `ksmbd_lookup_fd_cguid()` looks up a file by GUID and returns it with an incremented refcount via `ksmbd_fp_get()`
2. The caller at line 2816 stores this in `dh_info->fp`
3. In the error path (lines 2820-2822), when NOT a replay operation, the code returns -ENOEXEC
4. **The bug**: The `goto out` statement jumps to a label that simply returns, without releasing the reference
5. **The fix**: Add `ksmbd_put_durable_fd(dh_info->fp)` before `goto out` to properly decrement the refcount
This is a standard kernel refcount bug pattern: lookup functions return referenced objects, and callers must ensure all exit paths release the reference.
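A constructed C model of the pattern the analysis describes, added here and not ksmbd code: the lookup hands back a referenced object, the non-replay error path returns -ENOEXEC, and the `fixed` flag toggles between the leaking and the balanced exit. The types and function names are simplified stand-ins that echo the page, not the kernel's.

```c
/* Constructed model of the refcount pattern described above, not kernel
 * code; the names echo the page but the types are simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>

struct model_file { int refcount; };     /* atomic in the real kernel */
struct durable_info { struct model_file *fp; };

/* Lookup hands the object back with one extra reference for the caller. */
static struct model_file *lookup_fd_cguid(struct model_file *f)
{
    f->refcount++;
    return f;
}

/* Releases the reference the caller was handed. */
static void put_durable_fd(struct model_file *fp)
{
    fp->refcount--;
}

/* The error path under discussion: a non-replay request is rejected with
 * -ENOEXEC. With fixed == true the lookup's reference is dropped before
 * the early exit; fixed == false reproduces the leak. */
static int parse_durable_handle_context(struct model_file *f,
                                        struct durable_info *dh,
                                        bool replay_operation, bool fixed)
{
    int err = 0;
    dh->fp = lookup_fd_cguid(f);
    if (!replay_operation) {
        err = -ENOEXEC;
        if (fixed)
            put_durable_fd(dh->fp);      /* the one added line */
        goto out;
    }
    /* success: dh->fp keeps its reference for the caller to use and release */
out:
    return err;
}

/* Refcount left behind after a non-replay request is rejected; a balanced
 * error path returns it to the starting value of 1. */
static int refcount_after_reject(bool fixed)
{
    struct model_file f = { .refcount = 1 };
    struct durable_info dh = { 0 };
    if (parse_durable_handle_context(&f, &dh, false, fixed) != -ENOEXEC)
        return -1;
    return f.refcount;
}
```

Calling `refcount_after_reject(false)` leaves the count one higher than it started, which is exactly the leaked reference the patch removes.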
### Conclusion
This commit is an excellent candidate for stable backporting:
- **Obviously correct**: Standard refcount leak fix pattern used throughout the kernel
- **Fixes a real bug**: Memory leak that can affect production servers
- **Small and surgical**: Single line addition with zero risk of breaking unrelated code
- **No new features**: Pure bug fix
- **Well-tested**: Acked by the subsystem maintainer
- **Clear scope**: Only affects the specific -ENOEXEC error path in durable handle parsing
The fix is minimal, addresses a genuine resource leak, and follows established kernel patterns. The risk of regression is essentially zero since the fix only adds a missing cleanup call in a specific error path.
**YES**
fs/smb/server/smb2pdu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 3795fb90e161..e4ac9d72faa0 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2822,6 +2822,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work, SMB2_CLIENT_GUID_SIZE)) { if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATION)) { err = -ENOEXEC; + ksmbd_put_durable_fd(dh_info->fp); goto out; }
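Review bot: the commit message says the reference is released "when the command is a replay operation", but the hunk adds `ksmbd_put_durable_fd(dh_info->fp);` inside `if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATION))`, i.e. the path taken when the request is not a replay; please align the description with the condition so the stable changelog does not misstate the trigger. The placement itself is right: the put sits between `err = -ENOEXEC;` and `goto out;`, so the reference taken by the lookup is dropped on every exit through that branch.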