Re: [PATCH] fix a mount write count leak in ksmbd_vfs_kern_path_locked() (was Re: [RFC] MNT_WRITE_HOLD mess)

Namjae Jeon <linkinjeon@xxxxxxxxxx> · Sun, 6 Jul 2025 12:49:21 +0900



On Sun, Jul 6, 2025 at 10:26 AM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path
> references and return an error.  We need to drop the write access we
> just got on parent_path->mnt before we drop the mount reference - callers
> assume that ksmbd_vfs_kern_path_locked() returns with mount write
> access grabbed if and only if it has returned 0.
>
> Fixes: 864fb5d37163 "ksmbd: fix possible deadlock in smb2_open"
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Applied it to #ksmbd-for-next-next.
Thank you for the patch!
> ---
> diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
> index 0f3aad12e495..d3437f6644e3 100644
> --- a/fs/smb/server/vfs.c
> +++ b/fs/smb/server/vfs.c
> @@ -1282,6 +1282,7 @@ int ksmbd_vfs_kern_path_locked(struct ksmbd_work *work, char *name,
>
>                 err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
>                 if (err) {
> +                       mnt_drop_write(parent_path->mnt);
>                         path_put(path);
>                         path_put(parent_path);
>                 }