Re: [PATCH] ksmbd: fix memory leaks and NULL deref in smb2_lock()

From: ChenXiaoSong

Date: Tue Mar 17 2026 - 05:04:43 EST


Hi Werner,

It might be better to move `locks_free_lock()` and `kfree()` to before the `if (!rc)` statement.

```
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7579,14 +7579,15 @@ int smb2_lock(struct ksmbd_work *work)
rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
skip:
if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) {
+ locks_free_lock(flock);
+ kfree(smb_lock);
if (!rc) {
ksmbd_debug(SMB, "File unlocked\n");
} else if (rc == -ENOENT) {
rsp->hdr.Status = STATUS_NOT_LOCKED;
+ err = rc;
goto out;
}
- locks_free_lock(flock);
- kfree(smb_lock);
} else {
if (rc == FILE_LOCK_DEFERRED) {
void **argv;
```
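Review bot: hoisting `locks_free_lock(flock)` and `kfree(smb_lock)` above the `if (!rc)` check removes the duplicated cleanup, but it also means both objects are already freed when `goto out` is taken on `-ENOENT`; the `out:` label is not in this hunk, so please confirm nothing there (or in the non-unlock path that shares it) still touches `flock` or `smb_lock`, otherwise this trades the leak for a use-after-free. Using `err = rc;` rather than a hard-coded `-ENOENT` is the better choice here, since it stays correct if the status mapping above it ever covers another error code. One pre-existing gap worth a comment in the changelog: when `rc` is any error other than `-ENOENT`, the unlock path frees and falls through without setting `rsp->hdr.Status` or `err`, so the client is not told the unlock failed.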

Thanks,
ChenXiaoSong <chenxiaosong@xxxxxxxxxx>

On 3/17/26 16:08, Werner Kasselman wrote:
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7583,6 +7583,9 @@ int smb2_lock(struct ksmbd_work *work)
ksmbd_debug(SMB, "File unlocked\n");
} else if (rc == -ENOENT) {
rsp->hdr.Status = STATUS_NOT_LOCKED;
+ locks_free_lock(flock);
+ kfree(smb_lock);
+ err = -ENOENT;
goto out;
}
locks_free_lock(flock);
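Review bot: the `-ENOENT` branch now frees `flock` and `smb_lock` before `goto out`, while the unchanged `locks_free_lock(flock);` that follows the `if/else` frees the same objects on the success path, so the cleanup is duplicated in two places within a few lines; moving the two free calls ahead of the `if (!rc)` check covers both outcomes once, as long as the code at `out:` (not shown in the hunk) does not dereference either pointer afterwards. `err = -ENOENT;` duplicates the value already in `rc`; `err = rc;` keeps the error and the status mapping in one place. The hunk header `@@ -7583,6 +7583,9 @@` promises nine new lines but the quoted hunk ends early, so the trailing context is missing from what was reviewed here.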