From nobody Tue Dec 2 02:43:45 2025 Received: from mail-pf1-f194.google.com (mail-pf1-f194.google.com [209.85.210.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 87806354AF2 for ; Tue, 18 Nov 2025 15:03:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.194 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763478196; cv=none; b=On3i094prm0Lhl5tE04njy8WY/iwOhPIlpl2tcdZT5TFAS8MLIGiuuGanBfolhBLjksmjrgfCtg5xfB5eB97GxFNV2PWfJuKvLYw+v6fceViKxYy2NX2JtyYnb+dyZKSCEBIMtbZOXxfJNCAFdY/qacHzQLuin88XRF1iwSLEH0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763478196; c=relaxed/simple; bh=ja/LkSN1dbpDQVhNZhk44Tv9iiJnHW6JXYkdYusMa/E=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=mKaQaFkTFV0ybRMXlQOQ4DGAtr2iuPgthMfq7OKaY0YZKz8pkD+yckGHAgLbEhSLgxnJ3ZM0ZtJBZJk3bajecziR2DpyBDGrfnI6+sc2Oluc5MQw3A3zf4a+vTiP5sz3xYWlruJSlcaD7AyFSXMV4Tp8zWvbE6QUft66N8mJVyM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ee.vjti.ac.in; spf=none smtp.mailfrom=ee.vjti.ac.in; dkim=pass (1024-bit key) header.d=vjti.ac.in header.i=@vjti.ac.in header.b=LK5IWqIP; arc=none smtp.client-ip=209.85.210.194 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ee.vjti.ac.in Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=ee.vjti.ac.in Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=vjti.ac.in header.i=@vjti.ac.in header.b="LK5IWqIP" Received: by mail-pf1-f194.google.com with SMTP id d2e1a72fcca58-7b6dd81e2d4so5058874b3a.0 for ; Tue, 18 Nov 2025 07:03:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vjti.ac.in; s=google; t=1763478194; x=1764082994; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=QQlkNWnVWNMGqknsz6LYkGe/xvDLcv9mS0GeDyFf+Uw=; b=LK5IWqIPyXbCgWb3/EpGxipq6TQvE74lwYszL5IIdAzOmnfpXLr2KcsNnC39B6SGXK hbXaJfpQ7IMvp3EBZ8qI4JWSTJBhrXiJ4B/x2oPYelgXomTIPXh47sVa8AV1GJB5f1nJ VAm1aUdqS44v02I4um4OaBPy74RugT21e+9nM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763478194; x=1764082994; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=QQlkNWnVWNMGqknsz6LYkGe/xvDLcv9mS0GeDyFf+Uw=; b=kFyjjWRyOmXH9hkTP7+UfXzc6VkUWuVQXHp4RP7DlPlItiHWP8Q+9EB21RY6mkz7Og QLFJB0YxI0OAylyNAQ1lofgOoVPHsYKaBzWaDP5MxACGqQFtF/8I6BV7SaRj4XyyySTq SiU5+WGg9JYychHE5MQllzDj6U2L6f1NKXkPfXo3DIV71FvOvlTkfEiNWx4Jo7xmeFgL XYtWoxBeuZdA8P3+mHsB0x7vS6YQ5nFqjw55nwM4l89VdE52Z6l2F+KttRQsGI9qzv1C KvubJYE/wlo2Reysi7P0EqhCUqM4jgMYuxbwfrjxp6smAJi1vZwVGorj9G/L8DyR49Yv FLNQ== X-Forwarded-Encrypted: i=1; AJvYcCUzuGv6potRmtwPLcR0u1d/NivDRswo+ruqaIOJ/pNGESCCzKlOgQkvSOklQCZzw8RQs0fcQay9Lv4Tg+s=@vger.kernel.org X-Gm-Message-State: AOJu0YzJminygbwh+ht6N+GMtM60ViwBr1GsTDudL9tnqbVfrrqCeIzx yhjDfLu1+ZvdJjVLZ1vtMbZez6JMStUAOaoHcjpa3sn061GHivaJT2RFiGIvviHVRKQ= X-Gm-Gg: ASbGncvEnAq+oK4tk4uj9y8pwHzrCUI8szQ5Sc6QXocRZJt4lAErrgkK/hYbmUResy4 9Sw8yyVX1lyQksBbUbZ7RDMmtxkaZvS/F08jUt7L7BkZ8lXczdAjC+c0Vy3BKTiSwDzyEo/Bynh o0YGpw3gw8cEBA2diwHFJ2B7GP8wHkYtrg5Be1WU2RJgKoiFZaNtLeTRvopFxPl2RhUkkQZDLW6 m+Ai6ClJMlSSK3axiIdAYFXPGqvVEZSXzsa9dKNwAWGndVc6gsUiFeDrG54sH/BCd/wt/MF3Xrj KYVSpA+BhckhXBoPagWyGpBPUpD7QUmP3wBzO8dKQk55Rs0+I54QOdm2dttrErV9wKK1m4KY9Gb u/I2y1tA1XwjXHzhgHTBiH9VVPfqkSjpPDzbwdIun4zI/OkUH/gHjbvKNlncVv/PuUtzb4PnRvd WwnOI4gakeo8ZSLh7cvmzcttMWey6WGKtYTDPicIhaQ6PukBDIJNFDu8qD X-Google-Smtp-Source: AGHT+IHFIIwmUCgaGWygfpulmoTV8AMhwsMJO4oc5YwSM+A51tW7KkpVK+NA+2DZsJUMTDiHbm2Feg== X-Received: by 2002:a05:6a20:7352:b0:253:1e04:4e8 with SMTP id adf61e73a8af0-35ba209f362mr17860446637.56.1763478193712; Tue, 18 Nov 2025 07:03:13 -0800 (PST) Received: from ranegod-HP-ENVY-x360-Convertible-13-bd0xxx.. ([2405:201:31:d016:3cef:9de1:d6ad:21b8]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-bc36db21e8esm15297990a12.5.2025.11.18.07.03.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Nov 2025 07:03:13 -0800 (PST) From: ssrane_b23@ee.vjti.ac.in X-Google-Original-From: ssranevjti@gmail.com To: sfrench@samba.org Cc: pc@manguebit.org, ronniesahlberg@gmail.com, sprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev, david.hunter.linux@gmail.com, khalid@kernel.org, Shaurya Rane , syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com Subject: [PATCH] cifs: fix memory leak in smb3_fs_context_parse_param error path Date: Tue, 18 Nov 2025 20:32:57 +0530 Message-Id: <20251118150257.35455-1-ssranevjti@gmail.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Shaurya Rane Add proper cleanup of ctx->source and fc->source to the cifs_parse_mount_err error handler. This ensures that memory allocated for the source strings is correctly freed on all error paths, matching the cleanup already performed in the success path by smb3_cleanup_fs_context_contents(). Pointers are also set to NULL after freeing to prevent potential double-free issues. This change fixes a memory leak originally detected by syzbot. The leak occurred when processing Opt_source mount options if an error happened after ctx->source and fc->source were successfully allocated but before the function completed. The specific leak sequence was: 1. ctx->source =3D smb3_fs_context_fullpath(ctx, '/') allocates memory 2. fc->source =3D kstrdup(ctx->source, GFP_KERNEL) allocates more memory 3. A subsequent error jumps to cifs_parse_mount_err 4. The old error handler freed passwords but not the source strings, causing the memory to leak. This issue was not addressed by commit e8c73eb7db0a ("cifs: client: fix memory leak in smb3_fs_context_parse_param"), which only fixed leaks from repeated fsconfig() calls but not this error path. Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D87be6809ed9bf6d718e3 Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") Signed-off-by: Shaurya Rane Reviewed-by: Paulo Alcantara (Red Hat) --- fs/smb/client/fs_context.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c index 0f894d09157b..975f1fa153fd 100644 --- a/fs/smb/client/fs_context.c +++ b/fs/smb/client/fs_context.c @@ -1834,6 +1834,12 @@ static int smb3_fs_context_parse_param(struct fs_con= text *fc, ctx->password =3D NULL; kfree_sensitive(ctx->password2); ctx->password2 =3D NULL; + kfree(ctx->source); + ctx->source =3D NULL; + if (fc) { + kfree(fc->source); + fc->source =3D NULL; + } return -EINVAL; } =20 --=20 2.34.1