CVE-2026-31477

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix memory leaks and NULL deref in smb2_lock()

smb2lock() has three error handling issues after listdel() detaches smblock from locklist at nocheckcl:

1) If vfslockfile() returns an unexpected error in the non-UNLOCK path, goto out leaks smblock and its flock because the out: handler only iterates locklist and rollbacklist, neither of which contains the detached smblock.

2) If vfslockfile() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale.

3) In the rollback path, smbflockinit() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown.

Fix cases 1 and 2 by hoisting the locksfreelock()/kfree() to before the if(!rc) check in the UNLOCK branch so all exit paths share one free site, and by freeing smblock and flock before goto out in the non-UNLOCK branch. Propagate the correct error code in both cases. Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding a NULL check for locksfree_lock(rlock) in the shared cleanup.

Found via call-graph analysis using sqry.