From: Scott Mayhew Date: Tue, 25 Feb 2020 16:05:22 +0000 (-0500) Subject: NFS: Fix leak of ctx->nfs_server.hostname X-Git-Tag: v5.10.7~3072^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=75a9b9176157f3095d3099adf512b5a233addbc7;p=platform%2Fkernel%2Flinux-rpi.git NFS: Fix leak of ctx->nfs_server.hostname If userspace passes an nfs_mount_data struct in the data argument of mount(2), then nfs23_parse_monolithic() or nfs4_parse_monolithic() will allocate memory for ctx->nfs_server.hostname. This needs to be freed in nfs_parse_source(), which also allocates memory for ctx->nfs_server.hostname, otherwise a leak will occur. Reported-by: syzbot+193c375dcddb4f345091@syzkaller.appspotmail.com Fixes: f2aedb713c28 ("NFS: Add fs_context support.") Signed-off-by: Scott Mayhew Signed-off-by: Anna Schumaker --- diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c index b616263..e113fcb 100644 --- a/fs/nfs/fs_context.c +++ b/fs/nfs/fs_context.c @@ -832,6 +832,8 @@ static int nfs_parse_source(struct fs_context *fc, if (len > maxnamlen) goto out_hostname; + kfree(ctx->nfs_server.hostname); + /* N.B. caller will free nfs_server.hostname in all cases */ ctx->nfs_server.hostname = kmemdup_nul(dev_name, len, GFP_KERNEL); if (!ctx->nfs_server.hostname)
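Review bot: the added kfree(ctx->nfs_server.hostname) in nfs_parse_source() carries no comment explaining why the field can already be populated at this point, and the existing "N.B. caller will free nfs_server.hostname in all cases" comment directly below it now reads as if it contradicts the new free. A short comment on the kfree line, noting that nfs23_parse_monolithic() or nfs4_parse_monolithic() may already have allocated a hostname when userspace passed an nfs_mount_data struct, would keep a later cleanup from removing it as redundant. The placement itself looks right. The pointer is overwritten by the kmemdup_nul() result in the next statement, so no stale pointer is left for the caller to free a second time, even when the allocation fails and the field becomes NULL. The free also sits after the len > maxnamlen check, so the out_hostname path leaves the earlier allocation in place for the caller to release. kfree() accepts NULL, so no guard is needed for the case where the monolithic parsers did not run.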