| Message ID | 20211116115025.GC11936@kili (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2() | expand |
On Tue, Nov 16, 2021 at 02:50:25PM +0300, Dan Carpenter wrote: > If memdup_user() fails the error handing will crash when it tries > to kfree() an error pointer. Just return directly because there is > no cleanup required. > > Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Thanks, Josef
On Tue, Nov 16, 2021 at 02:50:25PM +0300, Dan Carpenter wrote: > If memdup_user() fails the error handing will crash when it tries > to kfree() an error pointer. Just return directly because there is > no cleanup required. > > Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Added to misc-next, thanks.
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index fb8cc9642ac4..32df384b40c8 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3187,10 +3187,8 @@ static long btrfs_ioctl_rm_dev_v2(struct file *file, void __user *arg) return -EPERM; vol_args = memdup_user(arg, sizeof(*vol_args)); - if (IS_ERR(vol_args)) { - ret = PTR_ERR(vol_args); - goto out; - } + if (IS_ERR(vol_args)) + return PTR_ERR(vol_args); if (vol_args->flags & ~BTRFS_DEVICE_REMOVE_ARGS_MASK) { ret = -EOPNOTSUPP;
If memdup_user() fails the error handing will crash when it tries to kfree() an error pointer. Just return directly because there is no cleanup required. Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- fs/btrfs/ioctl.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)