ntfs: free volume-wide resources on fill_super failure

ntfs_fill_super()'s err_out_now path frees only the volume struct via
kfree(vol), leaving several vol-owned allocations behind on every mount
failure:

  - vol->nls_map, loaded by ntfs_init_fs_context() via
    load_nls_default() (or replaced by an explicit nls= option in
    ntfs_parse_param()), is never unload_nls()'d.

  - vol->volume_label, allocated by load_system_files() through
    ntfs_ucstonls() once the $Volume name attribute has been parsed, is
    not released by load_system_files()'s own error labels nor by the
    fill_super() inline cleanup that only runs on d_make_root()
    failure.  Any later failure inside load_system_files() leaks it.

  - vol->lcn_empty_bits_per_page was kvfree()'d in
    unl_upcase_iput_tmp_ino_err_out_now without clearing the pointer,
    so it could not be folded into a single common cleanup.

Because the failure paths never call ntfs_volume_free() and never reach
the d_make_root() inline cleanup block (it sits above the label and is
jumped over by the load_system_files() / kvmalloc failure gotos), these
resources accumulate per failed mount attempt with no chance of
recovery short of unloading the module.  This is a silent leak: the
inodes loaded prior to failure remain hashed but generic_shutdown_super()
skips evict_inodes() when sb->s_root is unset, so no CHECK_DATA_CORRUPTION
warning is emitted either.

Move the per-volume frees down to err_out_now and drop the
lcn_empty_bits_per_page kvfree() from the upper label so the cleanup is
performed exactly once on every failure path.  Using unconditional
kvfree() / kfree() / unload_nls() is safe because they all accept NULL
and the upper labels that previously freed nls_map (the d_make_root()
inline cleanup) already clear the pointer.

Cc: stable@vger.kernel.org # v7.1
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
index 9e321cc2febe7d6ccdbce34c4817655b968e2195..7e3561265b47e159341e26ff96ed683c1c5aa66b 100644 (file)
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -2530,8 +2530,6 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
        }
        /* Error exit code path. */
 unl_upcase_iput_tmp_ino_err_out_now:
-       if (vol->lcn_empty_bits_per_page)
-               kvfree(vol->lcn_empty_bits_per_page);
        /*
         * Decrease the number of upcase users and destroy the global default
         * upcase table if necessary.
@@ -2551,6 +2549,9 @@ iput_tmp_ino_err_out_now:
        /* Errors at this stage are irrelevant. */
 err_out_now:
        sb->s_fs_info = NULL;
+       kvfree(vol->lcn_empty_bits_per_page);
+       kfree(vol->volume_label);
+       unload_nls(vol->nls_map);
        kfree(vol);
        ntfs_debug("Failed, returning -EINVAL.");
        lockdep_on();