Forwarded: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()

syzbot posted 1 patch 1 week, 6 days ago
fs/ntfs3/index.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Two memory leak paths exist in the NTFS3 index
allocation code:

1. When indx_create_allocate() fails internally,
   run_deallocate() frees disk clusters but never
   frees the run.runs memory allocated by
   attr_allocate_clusters() via run_add_entry().
   Fix by adding run_close(&run) at the out: label.

2. When indx_create_allocate() succeeds but a
   subsequent operation fails (indx_get_root()
   returning NULL, indx_new() failing), the run
   list copied into indx->alloc_run is never freed.
   Fix by adding an out_free_alloc label that calls
   run_close(&indx->alloc_run).

Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/ntfs3/index.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 97f06c26fe1a..6ec351681ddc 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
 	run_deallocate(sbi, &run, false);
 
 out:
+	run_close(&run);
 	return err;
 }
 
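Review bot: run_close(&run) at the out: label is only correct if the success path returns before reaching out:, because the commit message says the run list is copied into indx->alloc_run on success and a run_close() on that path would free the runs array that indx->alloc_run now points to; the hunk context does not show the success return, so please confirm it in the message, or hang the run_close() off a dedicated error label (directly after run_deallocate(sbi, &run, false)) so the ownership hand-off cannot be broken by a later edit to the tail of the function. It is also worth stating that run_close() on the still-empty run left behind by an attr_allocate_clusters() failure is a safe no-op, since that path reaches out: as well.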
@@ -1711,7 +1712,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
 		/* Bug? */
 		ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
 		err = -EINVAL;
-		goto out_free_re;
+		goto out_free_alloc;
 	}
 
 	if (err) {
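Review bot: retargeting this goto to out_free_alloc matches the commit message, which says indx_create_allocate() has already copied the run list into indx->alloc_run by the time indx_get_root() returns NULL here. Since indx->alloc_run lives in the long-lived struct ntfs_index rather than in a local, please confirm that run_close() re-initialises the runs_tree instead of leaving a freed pointer in it, so that a later use of the index, or a second close on teardown, cannot turn into a use-after-free or double free.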
@@ -1722,7 +1723,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
 			/* Bug? */
 			ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
 		}
-		goto out_free_re;
+		goto out_free_alloc;
 	}
 
 	e = (struct NTFS_DE *)(root + 1);
@@ -1733,7 +1734,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
 	n = indx_new(indx, ni, new_vbn, sub_vbn);
 	if (IS_ERR(n)) {
 		err = PTR_ERR(n);
-		goto out_free_re;
+		goto out_free_alloc;
 	}
 
 	hdr = &n->index->ihdr;
@@ -1781,6 +1782,8 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
 
 out_put_n:
 	put_indx_node(n);
+out_free_alloc:
+	run_close(&indx->alloc_run);
 out_free_re:
 	kfree(re);
 out_free_root:
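Review bot: placing out_free_alloc between out_put_n and out_free_re means every error that reaches out_put_n (failures after indx_new() succeeded) now also runs run_close(&indx->alloc_run), which is broader than the two cases the commit message lists (indx_get_root() returning NULL, indx_new() failing); if that is intended, say so in the message, and if any of those later paths can leave the new block reachable from the index, this fall-through would free the run list it depends on. Separately, the message notes that run_deallocate() frees disk clusters, whereas run_close() only frees the in-memory run list, so after a successful indx_create_allocate() the allocated clusters and the inserted attributes stay on disk on these error paths; a sentence stating that only the memory leak is addressed here would stop readers from assuming the on-disk state is rolled back.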
-- 
2.43.0