[PATCH] fs: Fix lock leak in replace_fd()

Next message: Krzysztof Kozlowski: "Re: [PATCH v3 1/8] dt-bindings: soc: starfive: Add StarFive JHB100 syscon modules"
Previous message: Thierry Reding: "Re: [PATCH 3/4] mfd: max77620: override PSCI poweroff handler on Pixel C"
Next in thread: Mateusz Guzik: "Re: [PATCH] fs: Fix lock leak in replace_fd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hongling Zeng

Date: Thu May 21 2026 - 03:54:21 EST

In replace_fd(), the function acquires files->file_lock but then has
two return paths that don't release the lock:
- When do_dup2() fails (returns negative error)
- When do_dup2() succeeds (returns 0)

Both of these paths return directly without unlocking files->file_lock,
causing a lock leak and potential deadlock.

Fix this by making both error and success paths go through the
out_unlock label to ensure the lock is always released.

Fixes: 708c04a5c2b7 ("fs: always return zero on success from replace_fd()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
---
fs/file.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/file.c b/fs/file.c
index 2c81c0b162d0..d0f019fb0568 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -1361,8 +1361,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
goto out_unlock;
err = do_dup2(files, file, fd, flags);
if (err < 0)
- return err;
- return 0;
+ goto out_unlock;

out_unlock:
spin_unlock(&files->file_lock);
--
2.25.1