Forwarded: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()
From: syzbot
Date: Fri Mar 20 2026 - 22:09:52 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()
Author: kartikey406@xxxxxxxxx
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When indx_create_allocate() succeeds but a subsequent
operation fails (indx_get_root() returning NULL,
indx_new() failing, or the allocation itself failing),
the run list allocated in run_add_entry() via
attr_allocate_clusters() is never freed, causing a
memory leak.

Fix this by adding a new out_free_alloc label that
calls run_close() on indx->alloc_run before the
existing cleanup labels, and redirecting the affected
error paths to use it.

Reported-by: syzbot+7adcddaeeb860e5d3f2f@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
Signed-off-by: Deepanshu Kartikey <Kartikey406@xxxxxxxxx>
---
fs/ntfs3/index.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 97f06c26fe1a..16479b6ce845 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1711,7 +1711,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
/* Bug? */
ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
err = -EINVAL;
- goto out_free_re;
+ goto out_free_alloc;
}
if (err) {
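Review bot: the new `goto out_free_alloc` in the `/* Bug? */` branch is taken before the allocation result is examined: `err` is overwritten with `-EINVAL` here, and the `if (err)` check only follows this block. run_close(&indx->alloc_run) therefore runs on this path whether the allocation succeeded or failed. Please say in the commit message that this is intended and that run_close() is safe on a run list the failed call never populated, or keep the original error in a local so the cleanup can tell the two cases apart.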
@@ -1722,7 +1722,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
/* Bug? */
ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
}
- goto out_free_re;
+ goto out_free_alloc;
}
e = (struct NTFS_DE *)(root + 1);
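Review bot: the `goto out_free_alloc` that ends the `if (err)` block releases all of indx->alloc_run, not only what the failed call added. The commit message lists "the allocation itself failing" among the cases, so this is deliberate, but if alloc_run can already hold entries when this branch is reached, those are dropped too. Either confirm that the run list is always empty before the allocation on this path, or leave this branch on `goto out_free_re` and apply run_close() only where the allocation succeeded.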
@@ -1733,7 +1733,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
n = indx_new(indx, ni, new_vbn, sub_vbn);
if (IS_ERR(n)) {
err = PTR_ERR(n);
- goto out_free_re;
+ goto out_free_alloc;
}
hdr = &n->index->ihdr;
@@ -1781,6 +1781,8 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
out_put_n:
put_indx_node(n);
+out_free_alloc:
+ run_close(&indx->alloc_run);
out_free_re:
kfree(re);
out_free_root:
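Review bot: `out_free_alloc:` sits directly below `out_put_n:`, so every path that reaches `out_put_n` now falls through into run_close(&indx->alloc_run) as well. If the success path of the function leaves through `out_put_n` (not visible in this hunk), the run list is released after a successful insert too, which goes beyond the three error paths the commit message names. Consider guarding the call with `if (err)`, or arranging the labels so that only the redirected gotos reach it. A one-line comment at the label saying which allocation it undoes would also help the next reader.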
--
2.43.0