[PATCH 6.19 693/844] nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg()

From: Sasha Levin

Date: Sat Feb 28 2026 - 14:36:06 EST


From: Jeff Layton <jlayton@xxxxxxxxxx>

[ Upstream commit 789477b849394afdb60507924d65f7ef18f078ce ]

Claude pointed out that there is a nfs4_file refcount leak in
nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released
before returning.

Fixes: 8b99f6a8c116 ("nfsd: wire up GET_DIR_DELEGATION handling")
Cc: stable@xxxxxxxxxxxxxxx
Cc: Chris Mason <clm@xxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
fs/nfsd/nfs4state.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index d5e0f3a52d4f0..45d486466cdc3 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -9520,8 +9520,10 @@ nfsd_get_dir_deleg(struct nfsd4_compound_state *cstate,
spin_unlock(&clp->cl_lock);
spin_unlock(&state_lock);

- if (!status)
+ if (!status) {
+ put_nfs4_file(fp);
return dp;
+ }

/* Something failed. Drop the lease and clean up the stid */
kernel_setlease(fp->fi_deleg_file->nf_file, F_UNLCK, NULL, (void **)&dp);
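Review bot: in the `if (!status)` success branch, the new put_nfs4_file(fp) carries no comment saying which reference it drops. Because dp is returned to the caller on the very next line, a one-line comment stating that this releases the function's own reference to fp, and that dp stays valid without it if that is the case, would make the pairing clear to the next reader. The failure path right below still dereferences fp in kernel_setlease(fp->fi_deleg_file->nf_file, ...), so the put needs to stay inside this branch and should not be hoisted above the `if`.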
@@ -9529,5 +9531,6 @@ nfsd_get_dir_deleg(struct nfsd4_compound_state *cstate,
nfs4_put_stid(&dp->dl_stid);
out_delegees:
put_deleg_file(fp);
+ put_nfs4_file(fp);
return ERR_PTR(status);
}
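Review bot: at out_delegees, the added put_nfs4_file(fp) only covers error exits that pass through this label. The hunk does not show where fp is acquired or whether any other error return is reachable with the reference held, so it is worth confirming, and saying in the commit message, that every failure after the reference is taken ends up here. The placement after put_deleg_file(fp) is right, since that call still uses fp. With the same put now present in both the success and the error exit, consider a single release point so that a future exit path cannot miss it.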
--
2.51.0