ksmbd: free ppace array on error in parse_dacl

[ Upstream commit 8cf9bedfc3c47d24bb0de386f808f925dc52863e ]

The ppace array is not freed if one of the init_acl_state() calls inside
parse_dacl() fails. At the moment the function may fail only due to the
memory allocation errors so it's highly unlikely in this case but
nevertheless a fix is needed.

Move ppace allocation after the init_acl_state() calls with proper error
handling.

Found by Linux Verification Center (linuxtesting.org).

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
index 9ace5027684d91d4c107185fabb51078d8da6a82..3a6c0abdb0352726712e03c2ac21323dfd1d68dd 100644 (file)
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -399,10 +399,6 @@ static void parse_dacl(struct user_namespace *user_ns,
        if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
                return;
 
-       ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
-       if (!ppace)
-               return;
-
        ret = init_acl_state(&acl_state, num_aces);
        if (ret)
                return;
@@ -412,6 +408,13 @@ static void parse_dacl(struct user_namespace *user_ns,
                return;
        }
 
+       ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL);
+       if (!ppace) {
+               free_acl_state(&default_acl_state);
+               free_acl_state(&acl_state);
+               return;
+       }
+
        /*
         * reset rwx permissions for user/group/other.
         * Also, if num_aces is 0 i.e. DACL has no ACEs,