| Message ID | 20220429081121.1640-1-xiongx18@fudan.edu.cn (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ksmbd: fix reference count leak in smb_check_perm_dacl() | expand |
2022-04-29 17:11 GMT+09:00, Xin Xiong <xiongx18@fudan.edu.cn>: > The issue happens in a specific path in smb_check_perm_dacl(). When > "id" and "uid" have the same value, the function simply jumps out of > the loop without decrementing the reference count of the object > "posix_acls", which is increased by get_acl() earlier. This may > result in memory leaks. > > Fix it by decreasing the reference count of "posix_acls" before > jumping to label "check_access_bits". > > Fixes: 777cad1604d6 ("ksmbd: remove select FS_POSIX_ACL in Kconfig") > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Thanks!
diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c index 6ecf55ea1fed..38f23bf981ac 100644 --- a/fs/ksmbd/smbacl.c +++ b/fs/ksmbd/smbacl.c @@ -1261,6 +1261,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, if (!access_bits) access_bits = SET_MINIMUM_RIGHTS; + posix_acl_release(posix_acls); goto check_access_bits; } }
The issue happens in a specific path in smb_check_perm_dacl(). When "id" and "uid" have the same value, the function simply jumps out of the loop without decrementing the reference count of the object "posix_acls", which is increased by get_acl() earlier. This may result in memory leaks. Fix it by decreasing the reference count of "posix_acls" before jumping to label "check_access_bits". Fixes: 777cad1604d6 ("ksmbd: remove select FS_POSIX_ACL in Kconfig") Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> --- fs/ksmbd/smbacl.c | 1 + 1 file changed, 1 insertion(+)