
Commit 83aae320 authored by Anand Jain's avatar Anand Jain Committed by Greg Kroah-Hartman

btrfs: free btrfs_path before copying inodes to userspace



[ Upstream commit 418ffb9e3cf6c4e2574d3a732b724916684bd133 ]

btrfs_ioctl_logical_to_ino() frees the search path after the userspace
copy from the temp buffer @inodes, which can potentially lead to a lock
splat.

Fix this by freeing the path before we copy @inodes to userspace.

CC: stable@vger.kernel.org # 4.19+
Signed-off-by: default avatarAnand Jain <anand.jain@oracle.com>
Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 9fd11e2d
+7 −9
@@ -4590,21 +4590,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
		size = min_t(u32, loi->size, SZ_16M);
		size = min_t(u32, loi->size, SZ_16M);
	}
	}


	path = btrfs_alloc_path();
	if (!path) {
		ret = -ENOMEM;
		goto out;
	}

	inodes = init_data_container(size);
	inodes = init_data_container(size);
	if (IS_ERR(inodes)) {
	if (IS_ERR(inodes)) {
		ret = PTR_ERR(inodes);
		ret = PTR_ERR(inodes);
		inodes = NULL;
		goto out_loi;
		goto out;
	}
	}


	path = btrfs_alloc_path();
	if (!path) {
		ret = -ENOMEM;
		goto out;
	}
	ret = iterate_inodes_from_logical(loi->logical, fs_info, path,
	ret = iterate_inodes_from_logical(loi->logical, fs_info, path,
					  build_ino_list, inodes, ignore_offset);
					  build_ino_list, inodes, ignore_offset);
	btrfs_free_path(path);
	if (ret == -EINVAL)
	if (ret == -EINVAL)
		ret = -ENOENT;
		ret = -ENOENT;
	if (ret < 0)
	if (ret < 0)
@@ -4616,7 +4615,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
		ret = -EFAULT;
		ret = -EFAULT;


out:
out:
	btrfs_free_path(path);
	kvfree(inodes);
	kvfree(inodes);
out_loi:
out_loi:
	kfree(loi);
	kfree(loi);
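Review bot: The `btrfs_free_path(path);` placed directly after `iterate_inodes_from_logical()` in the first hunk carries no comment saying why it has to precede the copy to userspace, so a later cleanup could fold it back under `out:` and reintroduce the lock splat the commit message describes. I would add above it `/* Free the path before copying @inodes to userspace; the user copy must not run with the search path still held. */`. The page has lost its +/- markers, so this reads the new side as the one that allocates the path after `init_data_container()` and drops the free under `out:`, which is what the hunk headers and the +7 −9 count suggest. On that reading the `!path` branch still reaches `out:` with a valid `inodes`, and the `IS_ERR(inodes)` branch skips `kvfree()` through `out_loi`, so the error paths look consistent. The body of btrfs_ioctl_logical_to_ino() starts and ends outside both hunks, so the copy itself and the final return are not visible here.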