fs/smb/client/smb2inode.c | 2 ++ 1 file changed, 2 insertions(+)
Fix refcount leak in `smb2_set_path_attr` when path conversion fails.
Function `cifs_get_writable_path` returns `cfile` with its reference
counter `cfile->count` increased on success. Function `smb2_compound_op`
would decrease the reference counter for `cfile`, as stated in its
comment. By calling `smb2_rename_path`, the reference counter of `cfile`
would leak if `cifs_convert_path_to_utf16` fails in `smb2_set_path_attr`.
Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
---
fs/smb/client/smb2inode.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index 09e3fc81d..69cb81fa0 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -1294,6 +1294,8 @@ static int smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
smb2_to_name = cifs_convert_path_to_utf16(to_name, cifs_sb);
if (smb2_to_name == NULL) {
rc = -ENOMEM;
+ if (cfile)
+ cifsFileInfo_put(cfile);
goto smb2_rename_path;
}
in_iov.iov_base = smb2_to_name;
--
2.39.5 (Apple Git-154)There are multiple callers - are there callers that don't call
"set_writeable_path()" ? And so could cause the reverse refcount
issue?
On Tue, Nov 4, 2025 at 9:21 AM Shuhao Fu <sfual@cse.ust.hk> wrote:
>
> Fix refcount leak in `smb2_set_path_attr` when path conversion fails.
>
> Function `cifs_get_writable_path` returns `cfile` with its reference
> counter `cfile->count` increased on success. Function `smb2_compound_op`
> would decrease the reference counter for `cfile`, as stated in its
> comment. By calling `smb2_rename_path`, the reference counter of `cfile`
> would leak if `cifs_convert_path_to_utf16` fails in `smb2_set_path_attr`.
>
> Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
> Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
> ---
> fs/smb/client/smb2inode.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
> index 09e3fc81d..69cb81fa0 100644
> --- a/fs/smb/client/smb2inode.c
> +++ b/fs/smb/client/smb2inode.c
> @@ -1294,6 +1294,8 @@ static int smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
> smb2_to_name = cifs_convert_path_to_utf16(to_name, cifs_sb);
> if (smb2_to_name == NULL) {
> rc = -ENOMEM;
> + if (cfile)
> + cifsFileInfo_put(cfile);
> goto smb2_rename_path;
> }
> in_iov.iov_base = smb2_to_name;
> --
> 2.39.5 (Apple Git-154)
>
>
--
Thanks,
Steve
On Tue, Nov 04, 2025 at 10:12:13AM -0600, Steve French wrote:
> There are multiple callers - are there callers that don't call
> "set_writeable_path()" ? And so could cause the reverse refcount
> issue?
I found three calls to `smb2_set_path_attr`. Two in `smb2_rename_path`
and one in `smb2_create_hardlink`. The one in `smb2_create_hardlink`
passes NULL for cfile. Therefore, it would not cause reverse refcount
issue here.
Thanks,
Shuhao
>
> On Tue, Nov 4, 2025 at 9:21 AM Shuhao Fu <sfual@cse.ust.hk> wrote:
> >
> > Fix refcount leak in `smb2_set_path_attr` when path conversion fails.
> >
> > Function `cifs_get_writable_path` returns `cfile` with its reference
> > counter `cfile->count` increased on success. Function `smb2_compound_op`
> > would decrease the reference counter for `cfile`, as stated in its
> > comment. By calling `smb2_rename_path`, the reference counter of `cfile`
> > would leak if `cifs_convert_path_to_utf16` fails in `smb2_set_path_attr`.
> >
> > Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
> > Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
> > ---
> > fs/smb/client/smb2inode.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
> > index 09e3fc81d..69cb81fa0 100644
> > --- a/fs/smb/client/smb2inode.c
> > +++ b/fs/smb/client/smb2inode.c
> > @@ -1294,6 +1294,8 @@ static int smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
> > smb2_to_name = cifs_convert_path_to_utf16(to_name, cifs_sb);
> > if (smb2_to_name == NULL) {
> > rc = -ENOMEM;
> > + if (cfile)
> > + cifsFileInfo_put(cfile);
> > goto smb2_rename_path;
> > }
> > in_iov.iov_base = smb2_to_name;
> > --
> > 2.39.5 (Apple Git-154)
> >
> >
>
>
> --
> Thanks,
>
> Steve
On 11/4/25 1:12 PM, Steve French via samba-technical wrote:
> There are multiple callers - are there callers that don't call
> "set_writeable_path()" ? And so could cause the reverse refcount
> issue?
Yes... Even if it does not cause an issue today, that fix looks like it
belongs inside smb2_rename_path?
>
> On Tue, Nov 4, 2025 at 9:21 AM Shuhao Fu <sfual@cse.ust.hk> wrote:
>>
>> Fix refcount leak in `smb2_set_path_attr` when path conversion fails.
>>
>> Function `cifs_get_writable_path` returns `cfile` with its reference
>> counter `cfile->count` increased on success. Function `smb2_compound_op`
>> would decrease the reference counter for `cfile`, as stated in its
>> comment. By calling `smb2_rename_path`, the reference counter of `cfile`
>> would leak if `cifs_convert_path_to_utf16` fails in `smb2_set_path_attr`.
>>
>> Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
>> Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
>> ---
>> fs/smb/client/smb2inode.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
>> index 09e3fc81d..69cb81fa0 100644
>> --- a/fs/smb/client/smb2inode.c
>> +++ b/fs/smb/client/smb2inode.c
>> @@ -1294,6 +1294,8 @@ static int smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
>> smb2_to_name = cifs_convert_path_to_utf16(to_name, cifs_sb);
>> if (smb2_to_name == NULL) {
>> rc = -ENOMEM;
>> + if (cfile)
>> + cifsFileInfo_put(cfile);
>> goto smb2_rename_path;
>> }
>> in_iov.iov_base = smb2_to_name;
>> --
>> 2.39.5 (Apple Git-154)
>>
>>
>
>
--
Henrique
SUSE Labs
On Tue, Nov 04, 2025 at 01:23:33PM -0300, Henrique Carvalho wrote:
>
>
> On 11/4/25 1:12 PM, Steve French via samba-technical wrote:
> > There are multiple callers - are there callers that don't call
> > "set_writeable_path()" ? And so could cause the reverse refcount
> > issue?
>
> Yes... Even if it does not cause an issue today, that fix looks like it
> belongs inside smb2_rename_path?
I placed decrement in `smb2_set_path_attr` since it seems like a wrapper
of `smb2_compound_op`. I figured that this wrapper should handle the
failure cases the same way as `smb2_compound_op`.
Thanks,
Shuhao
>
> >
> > On Tue, Nov 4, 2025 at 9:21 AM Shuhao Fu <sfual@cse.ust.hk> wrote:
> >>
> >> Fix refcount leak in `smb2_set_path_attr` when path conversion fails.
> >>
> >> Function `cifs_get_writable_path` returns `cfile` with its reference
> >> counter `cfile->count` increased on success. Function `smb2_compound_op`
> >> would decrease the reference counter for `cfile`, as stated in its
> >> comment. By calling `smb2_rename_path`, the reference counter of `cfile`
> >> would leak if `cifs_convert_path_to_utf16` fails in `smb2_set_path_attr`.
> >>
> >> Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
> >> Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
> >> ---
> >> fs/smb/client/smb2inode.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
> >> index 09e3fc81d..69cb81fa0 100644
> >> --- a/fs/smb/client/smb2inode.c
> >> +++ b/fs/smb/client/smb2inode.c
> >> @@ -1294,6 +1294,8 @@ static int smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
> >> smb2_to_name = cifs_convert_path_to_utf16(to_name, cifs_sb);
> >> if (smb2_to_name == NULL) {
> >> rc = -ENOMEM;
> >> + if (cfile)
> >> + cifsFileInfo_put(cfile);
> >> goto smb2_rename_path;
> >> }
> >> in_iov.iov_base = smb2_to_name;
> >> --
> >> 2.39.5 (Apple Git-154)
> >>
> >>
> >
> >
>
> --
> Henrique
> SUSE Labs
On 11/4/25 1:56 PM, Shuhao Fu wrote:
> On Tue, Nov 04, 2025 at 01:23:33PM -0300, Henrique Carvalho wrote:
>>
>>
>> On 11/4/25 1:12 PM, Steve French via samba-technical wrote:
>>> There are multiple callers - are there callers that don't call
>>> "set_writeable_path()" ? And so could cause the reverse refcount
>>> issue?
>>
>> Yes... Even if it does not cause an issue today, that fix looks like it
>> belongs inside smb2_rename_path?
>
> I placed decrement in `smb2_set_path_attr` since it seems like a wrapper
> of `smb2_compound_op`. I figured that this wrapper should handle the
> failure cases the same way as `smb2_compound_op`.
Makes sense.
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
>
> Thanks,
> Shuhao
>>
>>>
>>> On Tue, Nov 4, 2025 at 9:21 AM Shuhao Fu <sfual@cse.ust.hk> wrote:
>>>>
>>>> Fix refcount leak in `smb2_set_path_attr` when path conversion fails.
>>>>
>>>> Function `cifs_get_writable_path` returns `cfile` with its reference
>>>> counter `cfile->count` increased on success. Function `smb2_compound_op`
>>>> would decrease the reference counter for `cfile`, as stated in its
>>>> comment. By calling `smb2_rename_path`, the reference counter of `cfile`
>>>> would leak if `cifs_convert_path_to_utf16` fails in `smb2_set_path_attr`.
>>>>
>>>> Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
>>>> Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
>>>> ---
>>>> fs/smb/client/smb2inode.c | 2 ++
>>>> 1 file changed, 2 insertions(+)
>>>>
>>>> diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
>>>> index 09e3fc81d..69cb81fa0 100644
>>>> --- a/fs/smb/client/smb2inode.c
>>>> +++ b/fs/smb/client/smb2inode.c
>>>> @@ -1294,6 +1294,8 @@ static int smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
>>>> smb2_to_name = cifs_convert_path_to_utf16(to_name, cifs_sb);
>>>> if (smb2_to_name == NULL) {
>>>> rc = -ENOMEM;
>>>> + if (cfile)
>>>> + cifsFileInfo_put(cfile);
>>>> goto smb2_rename_path;
>>>> }
>>>> in_iov.iov_base = smb2_to_name;
>>>> --
>>>> 2.39.5 (Apple Git-154)
>>>>
>>>>
>>>
>>>
>>
>> --
>> Henrique
>> SUSE Labs
--
Henrique
SUSE Labs
© 2016 - 2026 Red Hat, Inc.