[PATCH] fs/smb/server: fix refcount leak in oplock_break()
From: WenTao Liang
Date: Thu Jun 11 2026 - 11:56:47 EST
In oplock_break(), when handling a lease oplock, the breaking_cnt
refcount is incremented with atomic_inc() before calling
oplock_break_pending(). If oplock_break_pending() returns a non-zero
error (1 when another break is already pending, or -ENOENT when the
oplock is closing), the function returns immediately without
decrementing the refcount, leaking a reference. The leak can
eventually lead to resource exhaustion, though in practice it may be
masked by a timeout in wait_lease_breaking().
Fix this by adding an atomic_dec() on the error path before returning
early, restoring the refcount.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
fs/smb/server/oplock.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index b193dde4810d..cae756efa8cf 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -898,8 +898,10 @@ static int oplock_break(struct oplock_info *brk_opinfo, int req_op_level,
atomic_inc(&brk_opinfo->breaking_cnt);
err = oplock_break_pending(brk_opinfo, req_op_level);
- if (err)
+ if (err) {
+ atomic_dec(&brk_opinfo->breaking_cnt);
return err < 0 ? err : 0;
+ }
if (brk_opinfo->open_trunc) {
/*
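Review bot: the bare atomic_dec() in the error path may not be the right balance if the other decrements of breaking_cnt in this file are paired with a wake-up of the waiters that wait_lease_breaking() puts to sleep; the commit message itself notes the leak is currently masked by that timeout, so a decrement that does not wake anyone could leave a waiter sleeping until the timeout fires even after the count reaches zero. Please check how the existing decrement sites are written and, if they use the atomic_dec_and_test() plus wake-up pattern, use the same pattern here. It would also help the stable backport to state in the changelog whether the leak was observed or found by inspection, since the description says it "may be masked" rather than how it manifested.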
--
2.50.1 (Apple Git-155)