[PATCH] nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg()

Next message: Tuo Li: "Re: [PATCH] misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()"
Previous message: Ricky Ringler: "[PATCH] xtensa: mmu: validate user access in fast_load_store with MMU"
Next in thread: Chuck Lever: "Re: [PATCH] nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jeff Layton

Date: Fri Dec 12 2025 - 21:53:35 EST

Claude pointed out that there is nfs4_file refcount leak in
nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released
before returning.

Cc: Chris Mason <clm@xxxxxxxx>
Fixes: 8b99f6a8c116 ("nfsd: wire up GET_DIR_DELEGATION handling")
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/nfsd/nfs4state.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 808c24fb5c9a0b432d3271c051b409fcb75970cd..90d355af1a21e6cab14fc1178f249c9716aef441 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -9456,8 +9456,10 @@ nfsd_get_dir_deleg(struct nfsd4_compound_state *cstate,
spin_unlock(&clp->cl_lock);
spin_unlock(&state_lock);

- if (!status)
+ if (!status) {
+ put_nfs4_file(fp);
return dp;
+ }

/* Something failed. Drop the lease and clean up the stid */
kernel_setlease(fp->fi_deleg_file->nf_file, F_UNLCK, NULL, (void **)&dp);
@@ -9465,5 +9467,6 @@ nfsd_get_dir_deleg(struct nfsd4_compound_state *cstate,
nfs4_put_stid(&dp->dl_stid);
out_delegees:
put_deleg_file(fp);
+ put_nfs4_file(fp);
return ERR_PTR(status);
}

---
base-commit: 187d0801404f415f22c0b31531982c7ea97fa341
change-id: 20251213-nfsd-6-19-ba98c52c77da

Best regards,
--
Jeff Layton <jlayton@xxxxxxxxxx>