When ntsync_obj_get_fd() fails, we free the ntsync object but forget to drop the
"file" member.

This was fixed for semaphores in 0e7d523b5f7a23b1dc6ceceb04e31a60e9e3321d, but
that commit did not fix the similar leak for events and mutexes, since they were
part of patches not yet in the mainline kernel. Fix those cases.

Fixes: 5bc2479a3585b "ntsync: Introduce NTSYNC_IOC_CREATE_MUTEX."
Fixes: 4c7404b9c2b57 "ntsync: Introduce NTSYNC_IOC_CREATE_EVENT."
Signed-off-by: Elizabeth Figura <zfigura@codeweavers.com>
Link: https://lore.kernel.org/r/20250116190717.8923-1-zfigura@codeweavers.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mutex->u.mutex.owner = args.owner;
fd = ntsync_obj_get_fd(mutex);
if (fd < 0)
- kfree(mutex);
+ ntsync_free_obj(mutex);
return fd;
}
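Review bot: In the `if (fd < 0)` branch of the mutex path, the fix is only correct if ntsync_free_obj() both drops the "file" reference and frees the object, and its body is not part of this diff. Please confirm that the helper ends with the kfree() that was removed here and that it is safe to call on an object for which ntsync_obj_get_fd() never installed a descriptor. A one-line comment at this error path saying that the object holds a reference which a bare kfree() would leak would help keep a later cleanup from reverting to kfree(mutex).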
event->u.event.signaled = args.signaled;
fd = ntsync_obj_get_fd(event);
if (fd < 0)
- kfree(event);
+ ntsync_free_obj(event);
return fd;
}
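Review bot: The event error path is now a line-for-line copy of the mutex one (`fd = ntsync_obj_get_fd(...)`, `if (fd < 0)`, `ntsync_free_obj(...)`), and the commit message says the semaphore path needed the same fix earlier, so the same cleanup has been written by hand three times. Consider moving the failure cleanup into ntsync_obj_get_fd() itself or into a small wrapper that the create functions share, so a future object type cannot reintroduce the leak by using kfree(). Since this branch only runs when ntsync_obj_get_fd() fails, a test that forces that failure would be the way to show that the reference is actually released.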