Commit 4cb68296 authored Dec 08, 2020 by David Howells Committed by Linus Torvalds Dec 08, 2020

afs: Fix memory leak when mounting with multiple source parameters



There's a memory leak in afs_parse_source() whereby multiple source=
parameters overwrite fc->source in the fs_context struct without freeing
the previously recorded source.

Fix this by only permitting a single source parameter and rejecting with
an error all subsequent ones.

This was caught by syzbot with the kernel memory leak detector, showing
something like the following trace:

  unreferenced object 0xffff888114375440 (size 32):
    comm "repro", pid 5168, jiffies 4294923723 (age 569.948s)
    backtrace:
      slab_post_alloc_hook+0x42/0x79
      __kmalloc_track_caller+0x125/0x16a
      kmemdup_nul+0x24/0x3c
      vfs_parse_fs_string+0x5a/0xa1
      generic_parse_monolithic+0x9d/0xc5
      do_new_mount+0x10d/0x15a
      do_mount+0x5f/0x8e
      __do_sys_mount+0xff/0x127
      do_syscall_64+0x2d/0x3a
      entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 13fcc683 ("afs: Add fs_context support")
Reported-by:  <syzbot+86dc6632faaca40133ab@syzkaller.appspotmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent c6f7e151

fs/afs/super.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -230,6 +230,9 @@ static int afs_parse_source(struct fs_context fc, struct fs_parameter param)

		_enter(",%s", name);

		if (fc->source)
		return invalf(fc, "kAFS: Multiple sources not supported");

		if (!name) {
		printk(KERN_ERR "kAFS: no volume name specified\n");
		return -EINVAL;

Admin message