ntfs3: fix memory leak in indx_create_allocate()

deepanshu406 · aalexandrovich · commit 87ac077d6ea8 · 2026-04-02T20:23:23.000+02:00
When indx_create_allocate() fails after attr_allocate_clusters() succeeds, run_deallocate() frees the disk clusters but never frees the memory allocated by run_add_entry() via kvmalloc() for the runs_tree structure. Fix this by adding run_close() at the out: label to free the run.runs memory on all error paths. The success path is unaffected as it returns 0 directly without going through out:, transferring ownership of the run memory to indx->alloc_run via memcpy(). Reported-by: syzbot+7adcddaeeb860e5d3f2f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7adcddaeeb860e5d3f2f Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
@@ -1482,6 +1482,7 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni,
 	run_deallocate(sbi, &run, false);
 
 out:
+	run_close(&run);
 	return err;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1482,6 +1482,7 @@ static int indx_create_allocate(struct ntfs_index indx, struct ntfs_inode ni,`
`1482`	`1482`	`run_deallocate(sbi, &run, false);`
`1483`	`1483`
`1484`	`1484`	`out:`
	`1485`	`+ run_close(&run);`
`1485`	`1486`	`return err;`
`1486`	`1487`	`}`
`1487`	`1488`