提交 2afdcdd3 编写于 作者: A Anand Jain 提交者: sanglipeng

btrfs: free btrfs_path before copying fspath to userspace

stable inclusion
from stable-v5.10.157
commit 0bdb8f7ef87d534b507142185cd03e02f5e4f0e8
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7MU59

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0bdb8f7ef87d534b507142185cd03e02f5e4f0e8

--------------------------------

commit 8cf96b40 upstream.

btrfs_ioctl_ino_to_path() frees the search path after the userspace copy
from the temp buffer @ipath->fspath. Which potentially can lead to a lock
splat warning.

Fix this by freeing the path before we copy it to userspace.

CC: stable@vger.kernel.org # 4.19+
Signed-off-by: NAnand Jain <anand.jain@oracle.com>
Reviewed-by: NDavid Sterba <dsterba@suse.com>
Signed-off-by: NDavid Sterba <dsterba@suse.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
上级 0a3a8e02
...@@ -3879,6 +3879,8 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg) ...@@ -3879,6 +3879,8 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg)
ipath->fspath->val[i] = rel_ptr; ipath->fspath->val[i] = rel_ptr;
} }
btrfs_free_path(path);
path = NULL;
ret = copy_to_user((void __user *)(unsigned long)ipa->fspath, ret = copy_to_user((void __user *)(unsigned long)ipa->fspath,
ipath->fspath, size); ipath->fspath, size);
if (ret) { if (ret) {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册