Date: Fri, 20 Mar 2026 20:58:49 -0700
In-Reply-To: <69bdd09b.050a0220.3bf4de.0032.GAE@google.com>
Message-ID: <69be1779.050a0220.3bf4de.003b.GAE@google.com>
Subject: Forwarded: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()
From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ntfs3: fix memory leak in indx_insert_into_root() Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master Two memory leak paths exist in the NTFS3 index allocation code: 1. When indx_create_allocate() fails internally, run_deallocate() frees disk clusters but never frees the run.runs memory allocated by attr_allocate_clusters() via run_add_entry(). Fix by adding run_close(&run) at the out: label. 2. When indx_create_allocate() succeeds but a subsequent operation fails (indx_get_root() returning NULL, indx_new() failing), the run list copied into indx->alloc_run is never freed. Fix by adding out_free_alloc label that calls run_close(&indx->alloc_run). Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D7adcddaeeb860e5d3f2f Signed-off-by: Deepanshu Kartikey --- fs/ntfs3/index.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c index 97f06c26fe1a..6ec351681ddc 100644 --- a/fs/ntfs3/index.c +++ b/fs/ntfs3/index.c @@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *in= dx, struct ntfs_inode *ni, run_deallocate(sbi, &run, false); =20 out: + run_close(&run); return err; } =20 @@ -1711,7 +1712,7 @@ static int indx_insert_into_root(struct ntfs_index *i= ndx, struct ntfs_inode *ni, /* Bug? */ ntfs_set_state(sbi, NTFS_DIRTY_ERROR); err =3D -EINVAL; - goto out_free_re; + goto out_free_alloc; } =20 if (err) { 
@@ -1722,7 +1723,7 @@ static int indx_insert_into_root(struct ntfs_index *i= ndx, struct ntfs_inode *ni, /* Bug? */ ntfs_set_state(sbi, NTFS_DIRTY_ERROR); } - goto out_free_re; + goto out_free_alloc; } =20 e =3D (struct NTFS_DE *)(root + 1); @@ -1733,7 +1734,7 @@ static int indx_insert_into_root(struct ntfs_index *i= ndx, struct ntfs_inode *ni, n =3D indx_new(indx, ni, new_vbn, sub_vbn); if (IS_ERR(n)) { err =3D PTR_ERR(n); - goto out_free_re; + goto out_free_alloc; } =20 hdr =3D &n->index->ihdr; @@ -1781,6 +1782,8 @@ static int indx_insert_into_root(struct ntfs_index *i= ndx, struct ntfs_inode *ni, =20 out_put_n: put_indx_node(n); +out_free_alloc: + run_close(&indx->alloc_run); out_free_re: kfree(re); out_free_root: --=20 2.43.0
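Review bot: the `run_close(&run)` added under `out:` in indx_create_allocate() (first hunk) is only correct if the success path never reaches that label. The commit message says a successful call leaves the run list copied into indx->alloc_run, so a success return that fell through `out:` would free the buffer indx->alloc_run still points at. The hunk context does not show the success return. Please confirm it returns before the error labels, and say so in the commit message, since who owns run.runs on each exit is the whole point of the change.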
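Review bot: the `goto out_free_alloc` inside the `if (err)` branch (hunk at -1722) is not one of the failure points the commit message lists for case 2, which names only indx_get_root() returning NULL and indx_new() failing. If `err` at that point is the allocation step's own failure, that is case 1, which the first hunk already covers with `run_close(&run)`, and indx->alloc_run was not populated by this call. Either leave this branch on `out_free_re`, or explain in the commit message why indx->alloc_run needs closing there.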
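Review bot: `out_free_alloc:` is inserted between `out_put_n:` and `out_free_re:` (last hunk), so every path that reaches `out_put_n` now falls through into `run_close(&indx->alloc_run)`, not only the three gotos this patch retargets. If the function's success path also exits through this label chain, the run list of the allocation that was just created is dropped on success. The lines above `out_put_n:` are not in the hunk, so please check. If that is the case, guard the call on the error case (for example `if (err) run_close(&indx->alloc_run);`) or move the cleanup out of the fall-through chain.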