提交 22883ddc 编写于 作者: L Lu Fengqi 提交者: David Sterba

btrfs: fix invalid-free in btrfs_extent_same

If this condition ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
		   (BTRFS_I(dst)->flags & BTRFS_INODE_NODATASUM))
is hit, we will go to free the uninitialized cmp.src_pages and
cmp.dst_pages.

Fixes: 67b07bd4 ("Btrfs: reuse cmp workspace in EXTENT_SAME ioctl")
Signed-off-by: NLu Fengqi <lufq.fnst@cn.fujitsu.com>
Reviewed-by: NDavid Sterba <dsterba@suse.com>
Signed-off-by: NDavid Sterba <dsterba@suse.com>
上级 f0986318
...@@ -3577,7 +3577,7 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 olen, ...@@ -3577,7 +3577,7 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 olen,
ret = btrfs_extent_same_range(src, loff, BTRFS_MAX_DEDUPE_LEN, ret = btrfs_extent_same_range(src, loff, BTRFS_MAX_DEDUPE_LEN,
dst, dst_loff, &cmp); dst, dst_loff, &cmp);
if (ret) if (ret)
goto out_unlock; goto out_free;
loff += BTRFS_MAX_DEDUPE_LEN; loff += BTRFS_MAX_DEDUPE_LEN;
dst_loff += BTRFS_MAX_DEDUPE_LEN; dst_loff += BTRFS_MAX_DEDUPE_LEN;
...@@ -3587,16 +3587,16 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 olen, ...@@ -3587,16 +3587,16 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 olen,
ret = btrfs_extent_same_range(src, loff, tail_len, dst, ret = btrfs_extent_same_range(src, loff, tail_len, dst,
dst_loff, &cmp); dst_loff, &cmp);
out_free:
kvfree(cmp.src_pages);
kvfree(cmp.dst_pages);
out_unlock: out_unlock:
if (same_inode) if (same_inode)
inode_unlock(src); inode_unlock(src);
else else
btrfs_double_inode_unlock(src, dst); btrfs_double_inode_unlock(src, dst);
out_free:
kvfree(cmp.src_pages);
kvfree(cmp.dst_pages);
return ret; return ret;
} }
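Review bot: The new label order is only correct under an invariant the hunk leaves undocumented: every `goto out_unlock` must now be taken before cmp.src_pages/cmp.dst_pages are allocated, and every jump after the allocation must use `out_free`, otherwise the pages leak silently on that path. A one-line comment above the label would protect later edits, e.g. `/* out_free: reached only after cmp.src_pages/cmp.dst_pages are allocated */`. An alternative that removes the ordering hazard altogether is to zero-initialise `cmp` at its declaration so kvfree(NULL) is a harmless no-op and a single cleanup label can serve every error path; that declaration and the NODATASUM check described in the commit message are outside this hunk, as is the start of btrfs_extent_same.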