ext4: fix memory leak in xattr

Dave Jones · tytso · commit 6e4ea8e33b20 · 2013-10-12T14:39:49.000-04:00
If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
potentionally return from the function without having freed these
allocations.  If we don't do the return, we over-write the previous
allocation pointers, so we leak either way.

Spotted with Coverity.

[ Fixed by tytso to set is and bs to NULL after freeing these
  pointers, in case in the retry loop we later end up triggering an
  error causing a jump to cleanup, at which point we could have a double
  free bug. -- Ted ]

Signed-off-by: Dave Jones &lt;davej@fedoraproject.org&gt;
Signed-off-by: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
Reviewed-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Cc: stable@vger.kernel.org
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
@@ -1350,6 +1350,8 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,
 				    s_min_extra_isize) {
 					tried_min_extra_isize++;
 					new_extra_isize = s_min_extra_isize;
+					kfree(is); is = NULL;
+					kfree(bs); bs = NULL;
 					goto retry;
 				}
 				error = -1;

Original file line number	Diff line number	Diff line change
`@@ -1350,6 +1350,8 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,`
`1350`	`1350`	`s_min_extra_isize) {`
`1351`	`1351`	`tried_min_extra_isize++;`
`1352`	`1352`	`new_extra_isize = s_min_extra_isize;`
	`1353`	`+ kfree(is); is = NULL;`
	`1354`	`+ kfree(bs); bs = NULL;`
`1353`	`1355`	`goto retry;`
`1354`	`1356`	`}`
`1355`	`1357`	`error = -1;`