Forwarded: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()
From: syzbot
Date: Fri Mar 20 2026 - 23:58:59 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] ntfs3: fix memory leak in indx_insert_into_root()
Author: kartikey406@xxxxxxxxx
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Two memory leak paths exist in the NTFS3 index allocation code:

1. When indx_create_allocate() fails internally, run_deallocate() frees
   disk clusters but never frees the run.runs memory allocated by
   attr_allocate_clusters() via run_add_entry(). Fix by adding
   run_close(&run) at the out: label.

2. When indx_create_allocate() succeeds but a subsequent operation fails
   (indx_get_root() returning NULL, indx_new() failing), the run list
   copied into indx->alloc_run is never freed. Fix by adding
   out_free_alloc label that calls run_close(&indx->alloc_run).

Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Reported-by: syzbot+7adcddaeeb860e5d3f2f@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f
Signed-off-by: Deepanshu Kartikey <Kartikey406@xxxxxxxxx>
---
fs/ntfs3/index.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 97f06c26fe1a..6ec351681ddc 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1481,6 +1481,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
run_deallocate(sbi, &run, false);
out:
+ run_close(&run);
return err;
}
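Review bot: the new `run_close(&run)` sits under `out:`, and the visible context does not show whether the success path returns before that label. The commit message says the run list is copied into indx->alloc_run on success; if the success path can ever reach `out:`, this call would free memory that indx->alloc_run still refers to. Please say in the commit message that success returns before `out:`, and confirm that run_close() is safe on a run that never received an entry, in case `out:` is reachable before anything was allocated.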
@@ -1711,7 +1712,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
/* Bug? */
ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
err = -EINVAL;
- goto out_free_re;
+ goto out_free_alloc;
}
if (err) {
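Review bot: this `goto out_free_alloc` is taken before the `if (err)` check that follows it, and the branch overwrites err with -EINVAL, so it runs whether the preceding allocation step succeeded or failed. That means `run_close(&indx->alloc_run)` can execute here when nothing was copied into alloc_run by this call. Please confirm that is harmless (an empty list, or a list that is safe to drop), or only jump to out_free_alloc when the allocation actually succeeded.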
@@ -1722,7 +1723,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
/* Bug? */
ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
}
- goto out_free_re;
+ goto out_free_alloc;
}
e = (struct NTFS_DE *)(root + 1);
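Review bot: the `goto out_free_alloc` at the end of the `if (err)` block does not match case 2 of the commit message, which describes a leak when indx_create_allocate() succeeds. This block is entered with err already set, and case 1 already frees the local run inside indx_create_allocate(). As far as the visible lines show, run_close(&indx->alloc_run) here acts on whatever the index held before this call rather than on anything this call leaked. Either keep `goto out_free_re` on this path or explain in the commit message which allocation is being released.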
@@ -1733,7 +1734,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
n = indx_new(indx, ni, new_vbn, sub_vbn);
if (IS_ERR(n)) {
err = PTR_ERR(n);
- goto out_free_re;
+ goto out_free_alloc;
}
hdr = &n->index->ihdr;
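Review bot: on the indx_new() failure path the new label only calls run_close(), which releases the in-memory run list; the only run_deallocate() visible in this patch is inside indx_create_allocate()'s own error path. Unlike the two branches above, this one also does not set NTFS_DIRTY_ERROR. Please document whether the clusters described by indx->alloc_run are meant to stay allocated after this failure, and whether later index operations on the same ntfs_index expect alloc_run to still be populated.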
@@ -1781,6 +1782,8 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
out_put_n:
put_indx_node(n);
+out_free_alloc:
+ run_close(&indx->alloc_run);
out_free_re:
kfree(re);
out_free_root:
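Review bot: `out_free_alloc:` is placed directly below `out_put_n:`, so every path that reaches `out_put_n` now falls through into `run_close(&indx->alloc_run)`, not only the three gotos changed above. If the normal completion of the function also runs through `out_put_n` (the hunk does not show it), the index's run list would be released after a successful insert. Consider making the cleanup reachable only on failure, for example by guarding it with `if (err)`, or explain in the commit message why closing alloc_run is correct for every path through this label chain.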
--
2.43.0