Commit 418ffb9e authored by Anand Jain's avatar Anand Jain Committed by David Sterba

btrfs: free btrfs_path before copying inodes to userspace

btrfs_ioctl_logical_to_ino() frees the search path after the userspace
copy from the temp buffer @inodes, which can potentially lead to a lock
splat.

Fix this by freeing the path before we copy @inodes to userspace.

CC: stable@vger.kernel.org # 4.19+
Signed-off-by: default avatarAnand Jain <anand.jain@oracle.com>
Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
parent b740d806
...@@ -4282,21 +4282,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, ...@@ -4282,21 +4282,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
size = min_t(u32, loi->size, SZ_16M); size = min_t(u32, loi->size, SZ_16M);
} }
path = btrfs_alloc_path();
if (!path) {
ret = -ENOMEM;
goto out;
}
inodes = init_data_container(size); inodes = init_data_container(size);
if (IS_ERR(inodes)) { if (IS_ERR(inodes)) {
ret = PTR_ERR(inodes); ret = PTR_ERR(inodes);
inodes = NULL; goto out_loi;
goto out;
} }
path = btrfs_alloc_path();
if (!path) {
ret = -ENOMEM;
goto out;
}
ret = iterate_inodes_from_logical(loi->logical, fs_info, path, ret = iterate_inodes_from_logical(loi->logical, fs_info, path,
inodes, ignore_offset); inodes, ignore_offset);
btrfs_free_path(path);
if (ret == -EINVAL) if (ret == -EINVAL)
ret = -ENOENT; ret = -ENOENT;
if (ret < 0) if (ret < 0)
...@@ -4308,7 +4307,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, ...@@ -4308,7 +4307,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
ret = -EFAULT; ret = -EFAULT;
out: out:
btrfs_free_path(path);
kvfree(inodes); kvfree(inodes);
out_loi: out_loi:
kfree(loi); kfree(loi);
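Review bot: The new `btrfs_free_path(path);` placed right after the iterate_inodes_from_logical() call carries an ordering requirement that nothing in the code states. Per the commit message the path must be released before @inodes is copied to userspace, yet a later edit could move the free back under `out:` with no hint that the position matters. A one-line comment above the call would pin it, e.g. `/* Free the path before copying @inodes to userspace; holding it across the copy can cause a lock splat. */`. The copy itself sits in the lines elided between the two hunks, and `path` is left dangling after the free now that `out:` no longer releases it, so it is worth confirming that nothing between the free and the copy still touches `path`. The function body starts and ends outside the hunks shown.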