On Mon, Jan 19, 2026 at 10:46:17AM +0100, Sascha Hauer wrote:
> tmpfile_create() assigns the parentpath->mnt to the new file's path
> without mntget() it, so we'll get unbalanced reference count when
> the tmpfile is closed. Add the missing mntget().
git blame points to:
e5591127b7 ("fs: allocate inodes for O_TMPFILE-created files")
I am not really sure though if the issue was there before the patch.
Sascha
>
> Signed-off-by: Sascha Hauer <[email protected]>
> ---
> fs/fs.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/fs.c b/fs/fs.c
> index 75fd3a3ef9..43840c3a7a 100644
> --- a/fs/fs.c
> +++ b/fs/fs.c
> @@ -2675,6 +2675,7 @@ static struct file *tmpfile_create(const struct path
> *parentpath,
> if (!f)
> return ERR_PTR(-EMFILE);
>
> + mntget(parentpath->mnt);
> f->f_path.mnt = parentpath->mnt;
> f->f_path.dentry = d_alloc_anon(&fsdev->sb);
> f->f_flags = flags;
> --
> 2.47.3
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
