Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ntfs3: fix double free of sbi->options->nls and clarify ownership of fc->fs_private

commit 02f312754c87 ("ntfs3: fix use-after-free of sbi->options in cmp_fnames") introduced a use-after-free bug
due to improper handling of sbi->options in error paths. This resulted in crashes when superblock cleanup
is performed in ntfs_put_super.

This patch ensures that the options structure and its subfields are properly freed, preventing the memory
corruption and use-after-free errors.

Fixes: 02f312754c87 ("ntfs3: fix use-after-free of sbi->options in cmp_fnames")
Reported-by: syzbot+cc433e4cd6d54736bf80@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cc433e4cd6d54736bf80
Signed-off-by: YangWen <anmuxixixi@gmail.com>
[almaz.alexandrovich@paragon-software.com: added fixes and closes tags]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

Authored by YangWen and committed by Konstantin Komarov
aee4d5a5 a8a3ca23

+3 -2
fs/ntfs3/super.c
··· 705 705 706 706 if (sbi->options) { 707 707 unload_nls(sbi->options->nls); 708 - kfree(sbi->options->nls); 708 + kfree(sbi->options->nls_name); 709 709 kfree(sbi->options); 710 710 sbi->options = NULL; 711 711 } ··· 1251 1251 } 1252 1252 } 1253 1253 sbi->options = options; 1254 + fc->fs_private = NULL; 1254 1255 sb->s_flags |= SB_NODIRATIME; 1255 1256 sb->s_magic = 0x7366746e; // "ntfs" 1256 1257 sb->s_op = &ntfs_sops; ··· 1677 1676 out: 1678 1677 if (sbi && sbi->options) { 1679 1678 unload_nls(sbi->options->nls); 1680 - kfree(sbi->options->nls); 1679 + kfree(sbi->options->nls_name); 1681 1680 kfree(sbi->options); 1682 1681 sbi->options = NULL; 1683 1682 }
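Review bot: In the ntfs_put_super hunk (old line 708), replacing `kfree(sbi->options->nls)` with `kfree(sbi->options->nls_name)` is the right correction, but the reason deserves a comment next to the call: `nls` is a table owned by the NLS subsystem and is released only through `unload_nls()`, so passing it to `kfree()` afterwards frees memory the filesystem never allocated, whereas `nls_name` is the mount-option string the filesystem does own. The same three-line sequence (`unload_nls`, `kfree` of `nls_name`, `kfree` of `options`) now appears again at the `out:` label in ntfs_fill_super; one static helper taking the options pointer would keep both copies in sync when a field is added to the options structure later.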
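Review bot: The new `fc->fs_private = NULL;` directly after `sbi->options = options;` is the ownership handoff the subject line refers to, and it needs a one-line comment at that spot saying that from here on the superblock owns the options and the fs_context free callback must not release them; without it the assignment reads as a stray line. It is also worth confirming in the same change that the fs_context `.free` operation tolerates a NULL `fs_private`, and that every failure path between this line and `out:` frees through `sbi->options` rather than through the context.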
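Review bot: The `out:` hunk in ntfs_fill_super (old line 1680) makes the same `kfree(sbi->options->nls)` to `kfree(sbi->options->nls_name)` correction as ntfs_put_super, which is correct but leaves two hand-written copies of the cleanup. This path only frees the options when `sbi->options` was set at line 1253, that is after `fc->fs_private` was cleared, so an error before that point still leaves the options with the fs_context; a short comment at `out:` stating which owner frees them in each case would make that split explicit.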