diff options
| author | Anand Jain <anand.jain@oracle.com> | 2022-11-10 11:36:29 +0530 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-12-08 11:18:31 +0100 |
| commit | 9f9980fa8bea0042aa9539b011daf47754f25936 (patch) | |
| tree | 16b88c42a56b0cd7a4de43b2027187b469bc8dd3 /fs/btrfs | |
| parent | cf1789192c5b9824ab6b52ed5ddea85da85ceecf (diff) | |
| download | linux-stable-9f9980fa8bea0042aa9539b011daf47754f25936.tar.gz linux-stable-9f9980fa8bea0042aa9539b011daf47754f25936.tar.bz2 linux-stable-9f9980fa8bea0042aa9539b011daf47754f25936.zip | |
btrfs: free btrfs_path before copying fspath to userspace
commit 8cf96b409d9b3946ece58ced13f92d0f775b0442 upstream.
btrfs_ioctl_ino_to_path() frees the search path after the userspace copy
from the temp buffer @ipath->fspath. Which potentially can lead to a lock
splat warning.
Fix this by freeing the path before we copy it to userspace.
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/btrfs')
| -rw-r--r-- | fs/btrfs/ioctl.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index df648f5493b5..7c17f3582b3b 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -4887,6 +4887,8 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg) ipath->fspath->val[i] = rel_ptr; } + btrfs_free_path(path); + path = NULL; ret = copy_to_user((void __user *)(unsigned long)ipa->fspath, ipath->fspath, size); if (ret) { |