6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Fedor Pchelkin <pchelkin@xxxxxxxxx> commit 8cf9bedfc3c47d24bb0de386f808f925dc52863e upstream. The ppace array is not freed if one of the init_acl_state() calls inside parse_dacl() fails. At the moment the function may fail only due to the memory allocation errors so it's highly unlikely in this case but nevertheless a fix is needed. Move ppace allocation after the init_acl_state() calls with proper error handling. Found by Linux Verification Center (linuxtesting.org). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx> Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/smb/server/smbacl.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -401,10 +401,6 @@ static void parse_dacl(struct user_names if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) return; - ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL); - if (!ppace) - return; - ret = init_acl_state(&acl_state, num_aces); if (ret) return; @@ -413,6 +409,13 @@ static void parse_dacl(struct user_names free_acl_state(&acl_state); return; } + + ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL); + if (!ppace) { + free_acl_state(&default_acl_state); + free_acl_state(&acl_state); + return; + } /* * reset rwx permissions for user/group/other.