| field | value | date |
|---|---|---|
| author | Chuck Lever <chuck.lever@oracle.com> | 2026-05-14 23:56:06 +0300 |
| committer | Chuck Lever <cel@kernel.org> | 2026-06-09 23:32:59 +0300 |
| commit | 70a38f87bed7f0694fd07988b47b2db1e10d8df3 (patch) | |
| tree | 3a2c5a4ade607a6b674e582adde8c235d3d6ad72 /include/linux | |
| parent | f16a1513452edb532fec81e591c64c320866719c (diff) | |
lockd: Plug nlm_file refcount leak on cached nlm_do_fopen() failure

The cached-file path in nlm_lookup_file() reaches the found: label
unconditionally, even when nlm_do_fopen() fails. At that label
*result and file->f_count are updated before the error is returned.
The wrappers nlm3svc_lookup_file() and nlm4svc_lookup_file() then
bail out of their switch without copying *result back to their
caller, so the proc handler's local nlm_file pointer remains NULL
and the cleanup path skips nlm_release_file(). The f_count
increment is never released, and nlm_traverse_files() can no
longer reap the file because its refcount never returns to zero
between requests.

Short-circuit the cached path so neither *result nor f_count is
touched when nlm_do_fopen() fails on a hashed nlm_file.

Fixes: 7f024fcd5c97 ("Keep read and write fds with each nlm_file")
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
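
The leak pattern described in the commit message, as a simplified userspace C model added here for illustration: it is not the kernel's lockd code and not part of this commit. Every name in it (`model_file`, `model_open`, `lookup_leaky`, `lookup_fixed`, `wrapper`, `handle_request`) is hypothetical, and the refcount is a plain int rather than a kernel counter.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a cached (hashed) file entry. */
struct model_file { int refcount; int open_fails; };
static struct model_file cached;

static int model_open(struct model_file *f) { return f->open_fails ? -1 : 0; }

/* Leaky shape: the found-path bookkeeping runs even when the open failed. */
static int lookup_leaky(struct model_file **result)
{
    int err = model_open(&cached);
    *result = &cached;
    cached.refcount++;
    return err;
}

/* Short-circuited shape: on failure neither *result nor the count is touched. */
static int lookup_fixed(struct model_file **result)
{
    int err = model_open(&cached);
    if (err)
        return err;
    *result = &cached;
    cached.refcount++;
    return 0;
}

/* Wrapper: on error it returns without copying the pointer back to its caller. */
static int wrapper(int (*lookup)(struct model_file **), struct model_file **out)
{
    struct model_file *f = NULL;
    int err = lookup(&f);
    if (err)
        return err;
    *out = f;
    return 0;
}

/* Handler: can only release what it holds a pointer to.
 * Returns the refcount left on the cached entry after one request. */
static int handle_request(int (*lookup)(struct model_file **), int open_fails)
{
    struct model_file *file = NULL;
    cached.refcount = 0;
    cached.open_fails = open_fails;
    wrapper(lookup, &file);
    if (file)
        file->refcount--;   /* cleanup path, skipped when file is NULL */
    return cached.refcount;
}

int main(void)
{
    printf("leaky, open fails: refcount left at %d\n", handle_request(lookup_leaky, 1));
    printf("fixed, open fails: refcount left at %d\n", handle_request(lookup_fixed, 1));
    return 0;
}
```

A reference taken on an error path that the caller cannot see is the thing to look for when auditing similar lookup-plus-wrapper code: the count must balance on every return, not only on success.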
