From: Greg Kroah-Hartman
Date: Fri, 29 Mar 2024 12:16:43 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v6.7.12~166
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=294458e2976c1edb3653ddb80c3de02f07f8a2d6;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
---
diff --git a/queue-4.19/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch b/queue-4.19/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
new file mode 100644
index 00000000000..566ef936824
--- /dev/null
+++ b/queue-4.19/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
@@ -0,0 +1,88 @@
+From c853a5783ebe123847886d432354931874367292 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues
+Date: Tue, 27 Jul 2021 16:17:30 -0500
+Subject: btrfs: allocate btrfs_ioctl_defrag_range_args on stack
+
+From: Goldwyn Rodrigues
+
+commit c853a5783ebe123847886d432354931874367292 upstream.
+
+Instead of using kmalloc() to allocate btrfs_ioctl_defrag_range_args,
+allocate btrfs_ioctl_defrag_range_args on stack, the size is reasonably
+small and ioctls are called in process context.
+
+sizeof(btrfs_ioctl_defrag_range_args) = 48
+
+Reviewed-by: Anand Jain
+Signed-off-by: Goldwyn Rodrigues
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+[ This patch is needed to fix a memory leak of "range" that was
+introduced when commit 173431b274a9 ("btrfs: defrag: reject unknown
+flags of btrfs_ioctl_defrag_range_args") was backported to kernels
+lacking this patch. Now with these two patches applied in reverse order,
+range->flags needed to change back to range.flags.
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.]
+Signed-off-by: Maximilian Heyne
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ioctl.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2992,7 +2992,7 @@ static int btrfs_ioctl_defrag(struct fil
+ {
+ struct inode *inode = file_inode(file);
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+- struct btrfs_ioctl_defrag_range_args *range;
++ struct btrfs_ioctl_defrag_range_args range = {0};
+ int ret;
+
+ ret = mnt_want_write_file(file);
+@@ -3024,37 +3024,28 @@ static int btrfs_ioctl_defrag(struct fil
+ goto out;
+ }
+
+- range = kzalloc(sizeof(*range), GFP_KERNEL);
+- if (!range) {
+- ret = -ENOMEM;
+- goto out;
+- }
+-
+ if (argp) {
+- if (copy_from_user(range, argp,
+- sizeof(*range))) {
++ if (copy_from_user(&range, argp, sizeof(range))) {
+ ret = -EFAULT;
+- kfree(range);
+ goto out;
+ }
+- if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
++ if (range.flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+ /* compression requires us to start the IO */
+- if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
+- range->flags |= BTRFS_DEFRAG_RANGE_START_IO;
+- range->extent_thresh = (u32)-1;
++ if ((range.flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
++ range.flags |= BTRFS_DEFRAG_RANGE_START_IO;
++ range.extent_thresh = (u32)-1;
+ }
+ } else {
+ /* the rest are all set to zero by kzalloc */
+- range->len = (u64)-1;
++ range.len = (u64)-1;
+ }
+ ret = btrfs_defrag_file(file_inode(file), file,
+- range, BTRFS_OLDEST_GENERATION, 0);
++ &range, BTRFS_OLDEST_GENERATION, 0);
+ if (ret > 0)
+ ret = 0;
+- kfree(range);
+ break;
+ default:
+ ret = -EINVAL;
diff --git a/queue-4.19/series b/queue-4.19/series
index dd25641bed7..7d06cce918a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
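Review bot: The context comment in the `else` branch of the second fs/btrfs/ioctl.c hunk, `/* the rest are all set to zero by kzalloc */`, is stale once this patch is applied: the kzalloc() is removed and the zeroing now comes from the `= {0}` initializer on the declaration of `range`. A wording such as `/* the rest are all set to zero by the = {0} initializer */` would stop a later reader from looking for a heap allocation and a matching kfree() that no longer exist. That is relevant here because the leak described in the backport note appears to be the `-EOPNOTSUPP` exit, which on the removed side reaches `goto out` without a `kfree(range)`; with the stack copy no exit path has anything to free. btrfs_ioctl_defrag begins and ends outside both hunks, so the `out:` label is not visible for confirmation.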
@@ -78,3 +78,4 @@ tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch
 vt-fix-unicode-buffer-corruption-when-deleting-characters.patch
 fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch
 printk-update-console_may_schedule-in-console_tryloc.patch
+btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch