Message ID | 3d46bd74955e2087332e492a96f6da78ca4ed533.1667898218.git.anand.jain@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Series | btrfs: drop path before copying subvol info to userspace |

On Tue, Nov 08, 2022 at 07:23:19PM +0530, Anand Jain wrote:
> Similar to the commit
> btrfs: drop path before copying root refs to userspace
>
> btrfs_ioctl_get_subvol_info() frees the search path after the userspace
> copy from the temp buffer %subvol_info. Fix this by freeing the path
> before we copy to userspace.

Seems that there are a few more ioctls that need to be fixed:
btrfs_ioctl_logical_to_ino, btrfs_ioctl_ino_to_path,
btrfs_ioctl_get_subvol_rootref.

On 11/8/22 22:37, David Sterba wrote:
> On Tue, Nov 08, 2022 at 07:23:19PM +0530, Anand Jain wrote:
>> Similar to the commit
>> btrfs: drop path before copying root refs to userspace
>>
>> btrfs_ioctl_get_subvol_info() frees the search path after the userspace
>> copy from the temp buffer %subvol_info. Fix this by freeing the path
>> before we copy to userspace.
>
> Seems that there are a few more ioctls that need to be fixed:
> btrfs_ioctl_logical_to_ino,
> btrfs_ioctl_ino_to_path,
> btrfs_ioctl_get_subvol_rootref.

Right, I missed them when I glanced. I am sending the fixes.

Thanks.

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index a64a71d882dc..4742dedd8fd5 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2214,13 +2214,15 @@ static int btrfs_ioctl_get_subvol_info(struct inode *inode, void __user *argp) } } - if (copy_to_user(argp, subvol_info, sizeof(*subvol_info))) - ret = -EFAULT; - out: btrfs_put_root(root); out_free: btrfs_free_path(path); + + if (!ret) + if (copy_to_user(argp, subvol_info, sizeof(*subvol_info))) + ret = -EFAULT; + kfree(subvol_info); return ret; }
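
Review bot: The block added after btrfs_free_path(path) nests two unbraced ifs (`if (!ret)` directly followed by `if (copy_to_user(...))`); folding them into one condition, `if (!ret && copy_to_user(argp, subvol_info, sizeof(*subvol_info)))`, reads more clearly and avoids the dangling-if shape. Because the copy now sits below the `out` and `out_free` labels, the `!ret` guard is the only thing keeping a partially filled subvol_info from reaching userspace on the error paths, so it is worth a short comment there. The commit message also says that the path is freed before the copy but not why holding it across copy_to_user() is a problem; one sentence giving the reason would help anyone reading the log without the referenced commit at hand.
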
Similar to the commit
  btrfs: drop path before copying root refs to userspace

btrfs_ioctl_get_subvol_info() frees the search path after the userspace
copy from the temp buffer %subvol_info. Fix this by freeing the path
before we copy to userspace.

Signed-off-by: Anand Jain <anand.jain@oracle.com>

---
 fs/btrfs/ioctl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)