Commit 37f32f52 authored by Amir Goldstein's avatar Amir Goldstein

ovl: fix memory leak in ovl_parse_param()

On failure to parse parameters in ovl_parse_param_lowerdir(), it is
necessary to update ctx->nr with the correct nr before using
ovl_reset_lowerdirs() to release l->name.

Reported-and-tested-by: syzbot+26eedf3631650972f17c@syzkaller.appspotmail.com
Fixes: c835110b ("ovl: remove unused code in lowerdir param parsing")
Co-authored-by: default avatarEdward Adam Davis <eadavis@qq.com>
Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
parent b28060db
...@@ -430,7 +430,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc) ...@@ -430,7 +430,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
struct ovl_fs_context *ctx = fc->fs_private; struct ovl_fs_context *ctx = fc->fs_private;
struct ovl_fs_context_layer *l; struct ovl_fs_context_layer *l;
char *dup = NULL, *iter; char *dup = NULL, *iter;
ssize_t nr_lower = 0, nr = 0, nr_data = 0; ssize_t nr_lower, nr;
bool data_layer = false; bool data_layer = false;
/* /*
...@@ -482,6 +482,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc) ...@@ -482,6 +482,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
iter = dup; iter = dup;
l = ctx->lower; l = ctx->lower;
for (nr = 0; nr < nr_lower; nr++, l++) { for (nr = 0; nr < nr_lower; nr++, l++) {
ctx->nr++;
memset(l, 0, sizeof(*l)); memset(l, 0, sizeof(*l));
err = ovl_mount_dir(iter, &l->path); err = ovl_mount_dir(iter, &l->path);
...@@ -498,10 +499,10 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc) ...@@ -498,10 +499,10 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
goto out_put; goto out_put;
if (data_layer) if (data_layer)
nr_data++; ctx->nr_data++;
/* Calling strchr() again would overrun. */ /* Calling strchr() again would overrun. */
if ((nr + 1) == nr_lower) if (ctx->nr == nr_lower)
break; break;
err = -EINVAL; err = -EINVAL;
...@@ -511,7 +512,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc) ...@@ -511,7 +512,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
* This is a regular layer so we require that * This is a regular layer so we require that
* there are no data layers. * there are no data layers.
*/ */
if ((ctx->nr_data + nr_data) > 0) { if (ctx->nr_data > 0) {
pr_err("regular lower layers cannot follow data lower layers"); pr_err("regular lower layers cannot follow data lower layers");
goto out_put; goto out_put;
} }
...@@ -524,8 +525,6 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc) ...@@ -524,8 +525,6 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
data_layer = true; data_layer = true;
iter++; iter++;
} }
ctx->nr = nr_lower;
ctx->nr_data += nr_data;
kfree(dup); kfree(dup);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment