If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is
NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work,
fp) will not be called. However, dh_info.fp was already inserted into the
session file table by ksmbd_reopen_durable_fd(), so it will leak in the
session file table until the session is closed.

Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the
problem.

Found by an experimental AI code review agent at Google.

Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: ChenXiaoSong <chenxiaosong@chenxiaosong.com>
Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---
fs/smb/server/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 95901a78951c..8b680c96ee44 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3011,13 +3011,14 @@ int smb2_open(struct ksmbd_work *work)
goto err_out2;
}
+ fp = dh_info.fp;
+
if (ksmbd_override_fsids(work)) {
rc = -ENOMEM;
ksmbd_put_durable_fd(dh_info.fp);
goto err_out2;
}
- fp = dh_info.fp;
file_info = FILE_OPENED;
rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
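Review bot: With fp set before the ksmbd_override_fsids() check, the failure branch now releases the same object twice on its way out: once through the retained `ksmbd_put_durable_fd(dh_info.fp);` and once through the ksmbd_fd_put(work, fp) at err_out2 that the commit message depends on. The commit message accounts for the session file table entry added by ksmbd_reopen_durable_fd() but does not say which reference ksmbd_put_durable_fd() pairs with, so a reader cannot confirm from the patch that the two puts balance and that the second one never touches an fp the first one already released. Please add a sentence stating the reference each put drops, or remove the ksmbd_put_durable_fd() call from this branch if the err_out2 cleanup already covers it.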
--
2.45.2
On Fri, Feb 27, 2026 at 2:54 PM Guenter Roeck <linux@roeck-us.net> wrote:
>
> If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is
> NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work,
> fp) will not be called. However, dh_info.fp was already inserted into the
> session file table by ksmbd_reopen_durable_fd(), so it will leak in the
> session file table until the session is closed.
>
> Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the
> problem.
>
> Found by an experimental AI code review agent at Google.
>
> Cc: Namjae Jeon <linkinjeon@kernel.org>
> Cc: ChenXiaoSong <chenxiaosong@chenxiaosong.com>
> Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2")
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Applied it with ChenXiaoSong's reviewed-by tag to #ksmbd-for-next-next.
Thanks!
Looks good. Feel free to add:
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
On 2026/2/27 13:54, Guenter Roeck wrote:
> If ksmbd_override_fsids() fails, we jump to err_out2. At that point, fp is
> NULL because it hasn't been assigned dh_info.fp yet, so ksmbd_fd_put(work,
> fp) will not be called. However, dh_info.fp was already inserted into the
> session file table by ksmbd_reopen_durable_fd(), so it will leak in the
> session file table until the session is closed.
>
> Move fp = dh_info.fp; ahead of the ksmbd_override_fsids() check to fix the
> problem.
>
> Found by an experimental AI code review agent at Google.
>
> Cc: Namjae Jeon <linkinjeon@kernel.org>
> Cc: ChenXiaoSong <chenxiaosong@chenxiaosong.com>
> Fixes: c8efcc786146a ("ksmbd: add support for durable handles v1/v2")
> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
> ---
> fs/smb/server/smb2pdu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
> index 95901a78951c..8b680c96ee44 100644
> --- a/fs/smb/server/smb2pdu.c
> +++ b/fs/smb/server/smb2pdu.c
> @@ -3011,13 +3011,14 @@ int smb2_open(struct ksmbd_work *work)
> goto err_out2;
> }
>
> + fp = dh_info.fp;
> +
> if (ksmbd_override_fsids(work)) {
> rc = -ENOMEM;
> ksmbd_put_durable_fd(dh_info.fp);
> goto err_out2;
> }
>
> - fp = dh_info.fp;
> file_info = FILE_OPENED;
>
> rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
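Review bot: The moved `fp = dh_info.fp;` line has no comment, yet its position ahead of the ksmbd_override_fsids() check is now what makes the err_out2 cleanup release the handle. A one-line comment above it, saying that fp must be set before any goto err_out2 once ksmbd_reopen_durable_fd() has put dh_info.fp into the session file table, would keep a later tidy-up from moving the assignment back next to `file_info = FILE_OPENED;` and reintroducing the leak.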