ACK: [PATCH 1/1] xfs: fix two memory leaks in xfs_attr_list.c error paths

Colin Ian King colin.king at canonical.com
Mon Jan 2 12:58:33 UTC 2017 

On 02/01/17 11:33, Luis Henriques wrote:
> From: Mateusz Guzik <mguzik at redhat.com>
> 
> commit 2e83b79b2d6c78bf1b4aa227938a214dcbddc83f upstream.
> 
> This plugs 2 trivial leaks in xfs_attr_shortform_list and
> xfs_attr3_leaf_list_int.
> 
> Signed-off-by: Mateusz Guzik <mguzik at redhat.com>
> Reviewed-by: Eric Sandeen <sandeen at redhat.com>
> Signed-off-by: Dave Chinner <david at fromorbit.com>
> [bwh: Backported to 3.2: adjust filename]
> Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
> CVE-2016-9685
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  fs/xfs/xfs_attr_leaf.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/fs/xfs/xfs_attr_leaf.c b/fs/xfs/xfs_attr_leaf.c
> index c1b55e596551..e050022f7140 100644
> --- a/fs/xfs/xfs_attr_leaf.c
> +++ b/fs/xfs/xfs_attr_leaf.c
> @@ -721,8 +721,10 @@ xfs_attr_shortform_list(xfs_attr_list_context_t *context)
>  					sbp->namelen,
>  					sbp->valuelen,
>  					&sbp->name[sbp->namelen]);
> -		if (error).  
> +		if (error) {
> +			kmem_free(sbuf);
>  			return error;
> +		}
>  		if (context->seen_enough)
>  			break;
>  		cursor->offset++;
> @@ -2404,14 +2406,13 @@ xfs_attr_leaf_list_int(xfs_dabuf_t *bp, xfs_attr_list_context_t *context)
>  				args.rmtblkno = be32_to_cpu(name_rmt->valueblk);
>  				args.rmtblkcnt = XFS_B_TO_FSB(args.dp->i_mount, valuelen);
>  				retval = xfs_attr_rmtval_get(&args);
> -				if (retval)
> -					return retval;
> -				retval = context->put_listent(context,
> -						entry->flags,
> -						name_rmt->name,
> -						(int)name_rmt->namelen,
> -						valuelen,
> -						args.value);
> +				if (!retval)
> +					retval = context->put_listent(context,
> +							entry->flags,
> +							name_rmt->name,
> +							(int)name_rmt->namelen,
> +							valuelen,
> +							args.value);
>  				kmem_free(args.value);
>  			} else {
>  				retval = context->put_listent(context,
> 
Looks good to me.

Acked-by: Colin Ian King <colin.king at canonical.com>

More information about the kernel-team mailing list