Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp280501pxk; Wed, 23 Sep 2020 03:05:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWghaGiOqjjZ4truJy/bABi0Etwj3wZVN2IZOvkh01cmQC7U1QCZpHFSiEC9lIfYDnammp X-Received: by 2002:a50:bb26:: with SMTP id y35mr9253645ede.234.1600855542636; Wed, 23 Sep 2020 03:05:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600855542; cv=none; d=google.com; s=arc-20160816; b=A/6P2OaHco5wD+WeiyeScAmDxzjYxqibPGQIEzDC+CnAy+GtxaBXxALBV49m5j1bto fYqfQxwxF3Xp9SizeC9kt596KmG7IupdVGAgJynENu6NoBGbQWASoqQT3ntfiQ/Dnan4 YbkhM13dgbSycUuuo6nafG1Ule2CEZ8GgiYMIxwjsRALQuFQcqjjwJW/stHkLK5T8RTK /+FIpyXVAlJfzCr9rJ9xXLJ3rkpBLoczU4zh3dti+JOHXRh/jD3pb1Dx4jK2c1ekRSKO FNp+O8ENzejRR6fdEQmVbPK/hSGCBV55N4+fxtNuWdxJAMwm7eZjqZbWWfkMQrv6SThb y0ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=kmJ/D5/9c2UvK/peKOgGV2T1md/I8rdSORcPBcBMU4Q=; b=IMi3FgVaUBNTnnecPBPWrKYkTuUjumgbG/sk/vXyKdC4q93ZhOzNEV/8G0CA6FSibO 8F9Nh1QAChUezwxbAhzkjOcx2QJ/cjpQTk/T2bJnjvETz5Hrtm5azIVrgS3/ndAtROuI uzapsqP21uo4gbtdlNYUS1jMELUAvSER++rdQixVUhHKFrnwVNfHuBOLq8thehNbXV0/ diLKjRx2wKd9aUB+0chA8YuU9CX25YZNoHMGA11Ry7wnquu1M4FkJWhxjKVbxNxuGVlO Tur9ZyTNO+9zlkAUp4dCEnMPHKSgLsPkZXbhpvpefHse2J8J/Y0+9ODyXfN4sbAK7V17 M+cw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c6si13334064edq.397.2020.09.23.03.05.18; Wed, 23 Sep 2020 03:05:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726338AbgIWKEH (ORCPT + 99 others); Wed, 23 Sep 2020 06:04:07 -0400 Received: from mx2.suse.de ([195.135.220.15]:56774 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726130AbgIWKEH (ORCPT ); Wed, 23 Sep 2020 06:04:07 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id C3226B207; Wed, 23 Sep 2020 10:04:42 +0000 (UTC) Received: by quack2.suse.cz (Postfix, from userid 1000) id 3BB141E12E3; Wed, 23 Sep 2020 12:04:05 +0200 (CEST) Date: Wed, 23 Sep 2020 12:04:05 +0200 From: Jan Kara To: Peilin Ye Cc: Jan Kara , Greg Kroah-Hartman , linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org Subject: Re: [Linux-kernel-mentees] [PATCH] udf: Fix memory leak in udf_process_sequence() Message-ID: <20200923100405.GD6719@quack2.suse.cz> References: <0000000000004c1f4d05afcff2f4@google.com> <20200922154531.153922-1-yepeilin.cs@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200922154531.153922-1-yepeilin.cs@gmail.com> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue 22-09-20 11:45:31, Peilin Ye wrote: > udf_process_sequence() is leaking memory. Free `data.part_descs_loc` > before returning. > > Cc: stable@vger.kernel.org > Fixes: 7b78fd02fb19 ("udf: Fix handling of Partition Descriptors") > Reported-and-tested-by: syzbot+128f4dd6e796c98b3760@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?id=c5ec4e6f5d818f3c4afd4d59342468eec08a38da > Signed-off-by: Peilin Ye Thanks for the patch but I've just yesterday written exactly the same patch and merged it to my tree... Honza > --- > fs/udf/super.c | 20 +++++++++++++------- > 1 file changed, 13 insertions(+), 7 deletions(-) > > diff --git a/fs/udf/super.c b/fs/udf/super.c > index 1c42f544096d..b0d862ab3024 100644 > --- a/fs/udf/super.c > +++ b/fs/udf/super.c > @@ -1698,7 +1698,8 @@ static noinline int udf_process_sequence( > "Pointers (max %u supported)\n", > UDF_MAX_TD_NESTING); > brelse(bh); > - return -EIO; > + ret = -EIO; > + goto out; > } > > vdp = (struct volDescPtr *)bh->b_data; > @@ -1718,7 +1719,8 @@ static noinline int udf_process_sequence( > curr = get_volume_descriptor_record(ident, bh, &data); > if (IS_ERR(curr)) { > brelse(bh); > - return PTR_ERR(curr); > + ret = PTR_ERR(curr); > + goto out; > } > /* Descriptor we don't care about? */ > if (!curr) > @@ -1740,28 +1742,32 @@ static noinline int udf_process_sequence( > */ > if (!data.vds[VDS_POS_PRIMARY_VOL_DESC].block) { > udf_err(sb, "Primary Volume Descriptor not found!\n"); > - return -EAGAIN; > + ret = -EAGAIN; > + goto out; > } > ret = udf_load_pvoldesc(sb, data.vds[VDS_POS_PRIMARY_VOL_DESC].block); > if (ret < 0) > - return ret; > + goto out; > > if (data.vds[VDS_POS_LOGICAL_VOL_DESC].block) { > ret = udf_load_logicalvol(sb, > data.vds[VDS_POS_LOGICAL_VOL_DESC].block, > fileset); > if (ret < 0) > - return ret; > + goto out; > } > > /* Now handle prevailing Partition Descriptors */ > for (i = 0; i < data.num_part_descs; i++) { > ret = udf_load_partdesc(sb, data.part_descs_loc[i].rec.block); > if (ret < 0) > - return ret; > + goto out; > } > > - return 0; > + ret = 0; > +out: > + kfree(data.part_descs_loc); > + return ret; > } > > /* > -- > 2.25.1 > -- Jan Kara SUSE Labs, CR