[PATCH 2/3] ksmbd: fix acl.sd_buf memory leak in ksmbd_vfs_get_sd_xattr

From: liuqiangneo

Date: Mon Jun 22 2026 - 22:14:01 EST


From: Qiang Liu <liuqiang@xxxxxxxxxx>

Zero-initialize xattr_ntacl struct and reorder error cleanup labels
to ensure acl.sd_buf is released on all error paths.

Signed-off-by: Qiang Liu <liuqiang@xxxxxxxxxx>
---
fs/smb/server/vfs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/smb/server/vfs.c b/fs/smb/server/vfs.c
index febe9f7b54c3..60b4210d5ab8 100644
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -1496,7 +1496,7 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn,
struct ndr n;
struct inode *inode = d_inode(dentry);
struct ndr acl_ndr = {0};
- struct xattr_ntacl acl;
+ struct xattr_ntacl acl = {0};
struct xattr_smb_acl *smb_acl = NULL, *def_smb_acl = NULL;
__u8 cmp_hash[XATTR_SD_HASH_SIZE] = {0};

@@ -1533,6 +1533,7 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn,
*pntsd = acl.sd_buf;
if (acl.sd_size < sizeof(struct smb_ntsd)) {
pr_err("sd size is invalid\n");
+ rc = -EINVAL;
goto out_free;
}
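Review bot: The added `rc = -EINVAL;` does more than plug a leak, and the commit description should say so. Before this line, `goto out_free` was taken with whatever `rc` the preceding call left behind (that code is outside the hunk, but presumably a success value), so the `if (rc < 0)` cleanup would be skipped and the caller would get back a `*pntsd` pointing at a buffer smaller than `struct smb_ntsd`. That is an out-of-bounds read hazard for whoever parses the header next, so it is worth a sentence in the changelog for backport triage. Separately, `*pntsd = acl.sd_buf;` is still assigned before the size check; moving it below the `if (acl.sd_size < sizeof(struct smb_ntsd))` block would mean the out-parameter is only written once the buffer has been accepted, instead of relying on the cleanup block to reset it.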

@@ -1548,12 +1549,12 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn,
kfree(acl_ndr.data);
kfree(smb_acl);
kfree(def_smb_acl);
+
+free_n_data:
if (rc < 0) {
kfree(acl.sd_buf);
*pntsd = NULL;
}
-
-free_n_data:
kfree(n.data);
return rc;
}
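Review bot: With `free_n_data:` moved above the `if (rc < 0)` block, any early `goto free_n_data` (the jump sites are outside this hunk) now reaches `kfree(acl.sd_buf)`. That is safe only because of the `= {0}` initializer added in the first hunk, and only if the routine that fills `acl` never frees `sd_buf` on its own failure path without clearing the pointer. That helper is not visible here, so please confirm it to rule out a double free. The dependency is easy to break in a later refactor, so I would document it at the label, e.g. `/* acl is zero-initialized: sd_buf is NULL unless the decoder allocated it */`. The label name is also misleading now that it releases `sd_buf` and resets `*pntsd` as well as freeing `n.data`. Since `out_free` simply falls through into it, a single renamed label or a short comment on the fall-through would make the cleanup order clearer.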
--
2.43.0