From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun, 6 Jul 2025 01:26:45 +0000 (+0100)
Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()
X-Git-Tag: v6.6.99~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c4f931676b6b85623f69e40fae8ed607405f8ea;p=thirdparty%2Fkernel%2Fstable.git

ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()

commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream.

If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path
references and return an error.  We need to drop the write access we
just got on parent_path->mnt before we drop the mount reference - callers
assume that ksmbd_vfs_kern_path_locked() returns with mount write
access grabbed if and only if it has returned 0.

Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
index 3bbf238270605..de813700f3d4f 100644
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1293,6 +1293,7 @@ out1:
 
 		err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
 		if (err) {
+			mnt_drop_write(parent_path->mnt);
 			path_put(path);
 			path_put(parent_path);
 		}