[PATCH] ntfs3: fix memory leak in indx_create_allocate()

Deepanshu Kartikey posted 1 patch 1 week, 4 days ago
fs/ntfs3/index.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] ntfs3: fix memory leak in indx_create_allocate()
Posted by Deepanshu Kartikey 1 week, 4 days ago
When indx_create_allocate() fails after
attr_allocate_clusters() succeeds, run_deallocate()
frees the disk clusters but never frees the memory
allocated by run_add_entry() via kvmalloc() for the
runs_tree structure.

Fix this by adding run_close() at the out: label to
free the run.runs memory on all error paths. The
success path is unaffected as it returns 0 directly
without going through out:, transferring ownership
of the run memory to indx->alloc_run via memcpy().

Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/ntfs3/index.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 97f06c26fe1a..11f59d7b9ea4 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
 	run_deallocate(sbi, &run, false);
 
 out:
+	run_close(&run);
 	return err;
 }
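Review bot: At `out:`, `run_close(&run)` now runs for every `goto out`, including any taken before `run` holds memory, and the lines shown do not include where `run` is initialised; please confirm it is initialised before the first `goto out`, since the call is only safe on an initialised or empty run. The success path must also keep returning before `out:`, because after the memcpy() the buffer belongs to indx->alloc_run; a short comment at the label saying so would guard against a later refactor that falls through and frees it. The commit message carries no Fixes: tag, which would help stable backports.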
 
-- 
2.43.0
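
The ownership rule the commit message describes, as an added userspace model (not kernel code and not part of the posted patch): a late failure leaks the run buffer unless the error label closes it, while the success path hands the buffer to the owner and must skip the label. All names here (`run_model`, `model_*`, `leaked_after`) are hypothetical stand-ins, and the scratch run is caller-provided only so the demo can reclaim it.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified userspace stand-in for struct runs_tree (assumption). */
struct run_model { int *runs; };
static int live_bufs; /* run buffers currently allocated */

static int model_add_entry(struct run_model *r)
{
	r->runs = calloc(1, sizeof(*r->runs));
	if (!r->runs)
		return -12;
	live_bufs++;
	return 0;
}

static void model_close(struct run_model *r)
{
	live_bufs -= r->runs != NULL;
	free(r->runs);
	memset(r, 0, sizeof(*r));
}

/* run is caller-provided only so the demo can reclaim a leaked buffer. */
static int model_create(struct run_model *owner, struct run_model *run, int fail_late, int fix)
{
	int err = model_add_entry(run);
	if (!err && fail_late)
		err = -5; /* failure after the run already holds memory */
	if (err)
		goto out;
	memcpy(owner, run, sizeof(*run)); /* ownership moves to owner */
	return 0;                         /* deliberately skips out: */
out:
	if (fix)
		model_close(run);         /* the one-line fix */
	return err;
}

/* Buffers still allocated after one call plus the owner's cleanup. */
static int leaked_after(int fail_late, int fix)
{
	struct run_model owner = { 0 }, run = { 0 };
	model_create(&owner, &run, fail_late, fix);
	model_close(&owner);
	if (!live_bufs)
		return 0;
	model_close(&run); /* reclaim what the unfixed path leaked */
	return 1;
}
```
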
Re: [PATCH] ntfs3: fix memory leak in indx_create_allocate()
Posted by Deepanshu Kartikey 3 days, 12 hours ago
On Mon, Mar 23, 2026 at 10:51 AM Deepanshu Kartikey
<kartikey406@gmail.com> wrote:
>
> When indx_create_allocate() fails after
> attr_allocate_clusters() succeeds, run_deallocate()
> frees the disk clusters but never frees the memory
> allocated by run_add_entry() via kvmalloc() for the
> runs_tree structure.
>
> Fix this by adding run_close() at the out: label to
> free the run.runs memory on all error paths. The
> success path is unaffected as it returns 0 directly
> without going through out:, transferring ownership
> of the run memory to indx->alloc_run via memcpy().
>
> Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
> Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
> ---
>  fs/ntfs3/index.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
> index 97f06c26fe1a..11f59d7b9ea4 100644
> --- a/fs/ntfs3/index.c
> +++ b/fs/ntfs3/index.c
> @@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
>         run_deallocate(sbi, &run, false);
>
>  out:
> +       run_close(&run);
>         return err;
>  }
>
> --
> 2.43.0
>

Hi Almaz,

Gentle ping on this patch. I submitted this patch on 23 March
2026 and this patch has been tested by syzbot.

Please let me know if anything else is required.

Thanks
Re: [PATCH] ntfs3: fix memory leak in indx_create_allocate()
Posted by Konstantin Komarov 1 day, 2 hours ago
On 3/31/26 10:49, Deepanshu Kartikey wrote:

> On Mon, Mar 23, 2026 at 10:51 AM Deepanshu Kartikey
> <kartikey406@gmail.com> wrote:
>> When indx_create_allocate() fails after
>> attr_allocate_clusters() succeeds, run_deallocate()
>> frees the disk clusters but never frees the memory
>> allocated by run_add_entry() via kvmalloc() for the
>> runs_tree structure.
>>
>> Fix this by adding run_close() at the out: label to
>> free the run.runs memory on all error paths. The
>> success path is unaffected as it returns 0 directly
>> without going through out:, transferring ownership
>> of the run memory to indx->alloc_run via memcpy().
>>
>> Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
>> Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
>> ---
>>   fs/ntfs3/index.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
>> index 97f06c26fe1a..11f59d7b9ea4 100644
>> --- a/fs/ntfs3/index.c
>> +++ b/fs/ntfs3/index.c
>> @@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
>>          run_deallocate(sbi, &run, false);
>>
>>   out:
>> +       run_close(&run);
>>          return err;
>>   }
>>
>> --
>> 2.43.0
>>
> Hi Almaz,
>
> Gentle ping on this patch. I submitted this patch on 23 March
> 2026 and this patch has been tested by syzbot.
>
> Please let me know if anything else is required.
>
> Thanks

Hello,

Your patch is applied, thanks for your work.

Regards,
Konstantin

Re: [PATCH] ntfs3: fix memory leak in indx_create_allocate()
Posted by Konstantin Komarov 2 days, 2 hours ago
On 3/31/26 10:49, Deepanshu Kartikey wrote:

> On Mon, Mar 23, 2026 at 10:51 AM Deepanshu Kartikey
> <kartikey406@gmail.com> wrote:
>> When indx_create_allocate() fails after
>> attr_allocate_clusters() succeeds, run_deallocate()
>> frees the disk clusters but never frees the memory
>> allocated by run_add_entry() via kvmalloc() for the
>> runs_tree structure.
>>
>> Fix this by adding run_close() at the out: label to
>> free the run.runs memory on all error paths. The
>> success path is unaffected as it returns 0 directly
>> without going through out:, transferring ownership
>> of the run memory to indx->alloc_run via memcpy().
>>
>> Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
>> Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
>> ---
>>   fs/ntfs3/index.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
>> index 97f06c26fe1a..11f59d7b9ea4 100644
>> --- a/fs/ntfs3/index.c
>> +++ b/fs/ntfs3/index.c
>> @@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
>>          run_deallocate(sbi, &run, false);
>>
>>   out:
>> +       run_close(&run);
>>          return err;
>>   }
>>
>> --
>> 2.43.0
>>
> Hi Almaz,
>
> Gentle ping on this patch. I submitted this patch on 23 March
> 2026 and this patch has been tested by syzbot.
>
> Please let me know if anything else is required.
>
> Thanks

Hello,

Your patch is being tested internally. I’ll follow up with
feedback in the next few days.

Regards,
Konstantin