From aaa1d4f0196c6f86ace26f2ebd7bc94c69ca9594 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 29 Mar 2024 13:17:17 +0100
Subject: [PATCH] 5.10-stable patches
added patches:
btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
---
...rfs_ioctl_defrag_range_args-on-stack.patch | 88 +++++++++++++++++++
queue-5.10/series | 1 +
2 files changed, 89 insertions(+)
create mode 100644 queue-5.10/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
diff --git a/queue-5.10/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch b/queue-5.10/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
new file mode 100644
index 00000000000..cd2df4fca98
--- /dev/null
+++ b/queue-5.10/btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
@@ -0,0 +1,88 @@
+From c853a5783ebe123847886d432354931874367292 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues
+Date: Tue, 27 Jul 2021 16:17:30 -0500
+Subject: btrfs: allocate btrfs_ioctl_defrag_range_args on stack
+
+From: Goldwyn Rodrigues
+
+commit c853a5783ebe123847886d432354931874367292 upstream.
+
+Instead of using kmalloc() to allocate btrfs_ioctl_defrag_range_args,
+allocate btrfs_ioctl_defrag_range_args on stack, the size is reasonably
+small and ioctls are called in process context.
+
+sizeof(btrfs_ioctl_defrag_range_args) = 48
+
+Reviewed-by: Anand Jain
+Signed-off-by: Goldwyn Rodrigues
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+[ This patch is needed to fix a memory leak of "range" that was
+introduced when commit 173431b274a9 ("btrfs: defrag: reject unknown
+flags of btrfs_ioctl_defrag_range_args") was backported to kernels
+lacking this patch. Now with these two patches applied in reverse order,
+range->flags needed to change back to range.flags.
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.]
+Signed-off-by: Maximilian Heyne
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ioctl.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3148,7 +3148,7 @@ static int btrfs_ioctl_defrag(struct fil
+ {
+ struct inode *inode = file_inode(file);
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+- struct btrfs_ioctl_defrag_range_args *range;
++ struct btrfs_ioctl_defrag_range_args range = {0};
+ int ret;
+
+ ret = mnt_want_write_file(file);
+@@ -3180,37 +3180,28 @@ static int btrfs_ioctl_defrag(struct fil
+ goto out;
+ }
+
+- range = kzalloc(sizeof(*range), GFP_KERNEL);
+- if (!range) {
+- ret = -ENOMEM;
+- goto out;
+- }
+-
+ if (argp) {
+- if (copy_from_user(range, argp,
+- sizeof(*range))) {
++ if (copy_from_user(&range, argp, sizeof(range))) {
+ ret = -EFAULT;
+- kfree(range);
+ goto out;
+ }
+- if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
++ if (range.flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+ /* compression requires us to start the IO */
+- if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
+- range->flags |= BTRFS_DEFRAG_RANGE_START_IO;
+- range->extent_thresh = (u32)-1;
++ if ((range.flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {
++ range.flags |= BTRFS_DEFRAG_RANGE_START_IO;
++ range.extent_thresh = (u32)-1;
+ }
+ } else {
+ /* the rest are all set to zero by kzalloc */
+- range->len = (u64)-1;
++ range.len = (u64)-1;
+ }
+ ret = btrfs_defrag_file(file_inode(file), file,
+- range, BTRFS_OLDEST_GENERATION, 0);
++ &range, BTRFS_OLDEST_GENERATION, 0);
+ if (ret > 0)
+ ret = 0;
+- kfree(range);
+ break;
+ default:
+ ret = -EINVAL;
diff --git a/queue-5.10/series b/queue-5.10/series
index 1d91d5ecdd0..18c19042219 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
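Review bot: The context line `/* the rest are all set to zero by kzalloc */` in the else branch of the second inner hunk is left inaccurate by this change, since the kzalloc() it refers to is removed and the zeroing now comes from the `range = {0}` initializer in the first inner hunk; suggest `/* the rest are all zero from the {0} initializer */` so a reader does not go looking for an allocation that no longer exists. The check of `range.flags` against BTRFS_DEFRAG_RANGE_FLAGS_SUPP still runs on the copied-in struct before any field is used, and with `range` on the stack the `goto out` from that check and from the copy_from_user failure no longer skips a kfree, which is the leak the backport note describes. btrfs_ioctl_defrag begins and ends outside the hunk, so it cannot be confirmed here that no other path in the function still expects a heap-allocated `range`.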
@@ -134,3 +134,4 @@ fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch
 tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch
 xen-events-close-evtchn-after-mapping-cleanup.patch
 printk-update-console_may_schedule-in-console_tryloc.patch
+btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
--
2.47.2