four smb3 server fixes

-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmlXPlwACgkQiiy9cAdy T1E9IQwAweeZ0DcWbOsCL7LCeelWHV8ULCebqZUR1jOfW7CBJ9QHuOu3A78MoRUs FglFgHCwQ8oCCVH3AuQNK2lRulUCBcFIOUuFQSqZF+NFZ1eTzuFHfvZJYe4OXTbz QogxMIP85PegR0M4oZ6PGz/3iDXatPC11NhdbTUnMGtsNWA/cIG1A030g2pDVeEu MtMB2Et+hs4d2toYgnTmwM044yi3b71/bBDo7uSykIX4G1/MdYgtVd+kacD9PhwA irHPb/C/Rvla3sS/Z5/Hh0CLU1GUgscR5iHMTZG84uGds5fsYbtMv1wiG1eZvim/ /bgEqBxM73ahlb4cYhIyxoAUGIlkkswFr1IhNgfJneKbotLnwm7Fmm1xyhvzUzVy vAzh+dh8cm28G3iuobSsaJkvE6Ah5DbQwYp9CzSjgUASGaOHKZfAd7nB4DfkAT3u KWYQV7B4t37B5KZdYhngFjgX0SUDpggbkHeGIC26TYdb08ajWF5ejV+md/Zl/IuF XUl2Iqte =W8mw -----END PGP SIGNATURE----- Merge tag 'v6.19-rc3-smb3-server-fixes' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - Fix memory leak - Fix two refcount leaks - Fix error path in create_smb2_pipe * tag 'v6.19-rc3-smb3-server-fixes' of git://git.samba.org/ksmbd: smb/server: fix refcount leak in smb2_open() smb/server: fix refcount leak in parse_durable_handle_context() smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() ksmbd: Fix memory leak in get_file_all_info()
2026-03-08 01:24:47 +01:00 · 2026-01-02 09:24:43 -08:00 · 2026-01-02 09:24:43 -08:00 · e3a97ab1bb
commit e3a97ab1bb
parent 047b4e783c f416c55699
1 changed files with 9 additions and 3 deletions
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@ -2281,7 +2281,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work)
 {
 	struct smb2_create_rsp *rsp;
 	struct smb2_create_req *req;
-	int id;
+	int id = -1;
 	int err;
 	char *name;

@ -2338,6 +2338,9 @@ out:
 		break;
 	}

+	if (id >= 0)
+		ksmbd_session_rpc_close(work->sess, id);
+
 	if (!IS_ERR(name))
 		kfree(name);

@ -2809,6 +2812,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
 					    SMB2_CLIENT_GUID_SIZE)) {
 					if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATION)) {
 						err = -ENOEXEC;
+						ksmbd_put_durable_fd(dh_info->fp);
 						goto out;
 					}

@ -3006,10 +3010,10 @@ int smb2_open(struct ksmbd_work *work)
 			file_info = FILE_OPENED;

 			rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
+			ksmbd_put_durable_fd(fp);
 			if (rc)
 				goto err_out2;

-			ksmbd_put_durable_fd(fp);
 			goto reconnected_fp;
 		}
 	} else if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
@ -4923,8 +4927,10 @@ static int get_file_all_info(struct ksmbd_work *work,

 	ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
 			  AT_STATX_SYNC_AS_STAT);
-	if (ret)
+	if (ret) {
+		kfree(filename);
 		return ret;
+	}

 	ksmbd_debug(SMB, "filename = %s\n", filename);
 	delete_pending = ksmbd_inode_pending_delete(fp);