--- /dev/null
+From c853a5783ebe123847886d432354931874367292 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Date: Tue, 27 Jul 2021 16:17:30 -0500
+Subject: btrfs: allocate btrfs_ioctl_defrag_range_args on stack
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+commit c853a5783ebe123847886d432354931874367292 upstream.
+
+Instead of using kmalloc() to allocate btrfs_ioctl_defrag_range_args,
+allocate btrfs_ioctl_defrag_range_args on stack, the size is reasonably
+small and ioctls are called in process context.
+
+sizeof(btrfs_ioctl_defrag_range_args) = 48
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ This patch is needed to fix a memory leak of "range" that was
+introduced when commit 173431b274a9 ("btrfs: defrag: reject unknown
+flags of btrfs_ioctl_defrag_range_args") was backported to kernels
+lacking this patch. Now with these two patches applied in reverse order,
+range->flags needed to change back to range.flags.
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.]
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2992,7 +2992,7 @@ static int btrfs_ioctl_defrag(struct fil
+ {
+ struct inode *inode = file_inode(file);
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+- struct btrfs_ioctl_defrag_range_args *range;
++ struct btrfs_ioctl_defrag_range_args range = {0};
+ int ret;
+
+ ret = mnt_want_write_file(file);
+@@ -3024,37 +3024,28 @@ static int btrfs_ioctl_defrag(struct fil
+ goto out;
+ }
+
+- range = kzalloc(sizeof(*range), GFP_KERNEL);
+- if (!range) {
+- ret = -ENOMEM;
+- goto out;
+- }
+-
+ if (argp) {
+- if (copy_from_user(range, argp,
+- sizeof(*range))) {
++ if (copy_from_user(&range, argp, sizeof(range))) {
+ ret = -EFAULT;
+- kfree(range);
+ goto out;
+ }
+- if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
++ if (range.flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+ /* compression requires us to start the IO */
+- if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
+- range->flags |= BTRFS_DEFRAG_RANGE_START_IO;
+- range->extent_thresh = (u32)-1;
++ if ((range.flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
++ range.flags |= BTRFS_DEFRAG_RANGE_START_IO;
++ range.extent_thresh = (u32)-1;
+ }
+ } else {
+ /* the rest are all set to zero by kzalloc */
+- range->len = (u64)-1;
++ range.len = (u64)-1;
+ }
+ ret = btrfs_defrag_file(file_inode(file), file,
+- range, BTRFS_OLDEST_GENERATION, 0);
++ &range, BTRFS_OLDEST_GENERATION, 0);
+ if (ret > 0)
+ ret = 0;
+- kfree(range);
+ break;
+ default:
+ ret = -EINVAL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
