added cc:stable and merged into cifs-2.6.git for-next

On Sat, Jun 13, 2020 at 7:36 AM Xiyu Yang <xiyuyang19@xxxxxxxxxxxx> wrote:
>
> open_shroot() invokes kref_get(), which increases the refcount of the
> "tcon->crfid" object. When open_shroot() returns non-zero, it means the
> open operation failed and close_shroot() will not be called to decrement
> the refcount of the "tcon->crfid".
>
> The reference counting issue happens in one normal path of
> open_shroot(). When the cached root has been opened successfully in a
> concurrent process, the function increases the refcount and jumps to
> "oshr_free" to return. However, the current return value "rc" may not
> equal 0, thus the increased refcount will not be balanced outside the
> function, causing a refcnt leak.
>
> Fix this issue by setting the value of "rc" to 0 before jumping to the
> "oshr_free" label.
>
> Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
> Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
> ---
> fs/cifs/smb2ops.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index 736d86b8a910..28553d45604e 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -763,6 +763,7 @@ int open_shroot(unsigned int xid, struct cifs_tcon *tcon,
> /* close extra handle outside of crit sec */
> SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
> }
> + rc = 0;
> goto oshr_free;
> }
>
> --
> 2.7.4
>

--
Thanks,

Steve
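Review bot: the added `rc = 0;` before `goto oshr_free;` is the right place to restore the refcount balance, since the kref_get on the concurrent-open path has already happened by then and the caller only calls close_shroot() on a zero return, but the line deserves a one-line comment saying that an earlier failure is deliberately discarded because a concurrent process already opened the cached root; without it the next reader is likely to "restore" the original rc. It is also worth confirming that the cleanup at the oshr_free label does not rely on rc to tell a failed compound request apart from a successful one, because after this change that information is gone by the time control reaches it.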