From: Christian Engelmayer
To: dsterba@suse.com
Cc: clm@fb.com, jbacik@fb.com, linux-btrfs@vger.kernel.org, Christian Engelmayer
Subject: [PATCH] btrfs: fix possible leak in btrfs_ioctl_balance()
Date: Wed, 21 Oct 2015 00:50:06 +0200
Message-Id: <1445381406-13475-1-git-send-email-cengelma@gmx.at>

Commit 8eb934591f8b ("btrfs: check unsupported filters in balance arguments") adds a jump to exit label out_bargs in case the argument check fails.
At this point in addition to the bargs memory, the memory for struct btrfs_balance_control has already been allocated. Ownership of bctl is passed to btrfs_balance() in the good case, thus the memory is not freed due to the introduced jump. Make sure that the memory gets freed in any case as necessary. Detected by Coverity CID 1328378. Signed-off-by: Christian Engelmayer Reviewed-by: David Sterba --- The proposed patch is only test compiled. --- fs/btrfs/ioctl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 3e3e6130637f..8d20f3b1cab0 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -4641,7 +4641,7 @@ locked: if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) { ret = -EINVAL; - goto out_bargs; + goto out_bctl; } do_balance: @@ -4655,12 +4655,15 @@ do_balance: need_unlock = false; ret = btrfs_balance(bctl, bargs); + bctl = NULL; if (arg) { if (copy_to_user(arg, bargs, sizeof(*bargs))) ret = -EFAULT; } +out_bctl: + kfree(bctl); out_bargs: kfree(bargs); out_unlock:
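Review bot: In the first hunk (the flags check under `locked:`), only this one `goto out_bargs` is retargeted to `out_bctl`. The commit message says bctl is already allocated at this point, so any other `goto out_bargs` between the allocation and `do_balance:` that lies outside the shown context would leak in the same way; please confirm there is none. Since the message names the commit that introduced the jump, a `Fixes: 8eb934591f8b` tag would also help the fix follow that commit into backports.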
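Review bot: In the second hunk, `bctl = NULL;` directly after `ret = btrfs_balance(bctl, bargs);` assumes that btrfs_balance() consumes bctl on every return, including error returns, while the commit message only states that ownership is passed "in the good case". If an error return can leave bctl unfreed, the leak is still present on that path; if it always frees, a one-line comment at the assignment should say that it exists to keep the fall-through into `out_bctl:` from calling `kfree(bctl)` on memory that btrfs_balance() already released. The new label is safe on the fall-through path because kfree(NULL) is a no-op. As the patch is noted as only test compiled, running the -EINVAL path with an unsupported flag under kmemleak would confirm both the fix and the absence of a double free.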