btrfs: free btrfs_path before copying fspath to userspace

asj · kdave · commit 8cf96b409d9b · 2022-11-15T17:15:44.000+01:00
btrfs_ioctl_ino_to_path() frees the search path after the userspace copy
from the temp buffer @ipath-&gt;fspath. Which potentially can lead to a lock
splat warning.

Fix this by freeing the path before we copy it to userspace.

CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Anand Jain &lt;anand.jain@oracle.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
@@ -4232,6 +4232,8 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg)
 		ipath->fspath->val[i] = rel_ptr;
 	}
 
+	btrfs_free_path(path);
+	path = NULL;
 	ret = copy_to_user((void __user *)(unsigned long)ipa->fspath,
 			   ipath->fspath, size);
 	if (ret) {

Original file line number	Diff line number	Diff line change
`@@ -4232,6 +4232,8 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root root, void __user arg)`
`4232`	`4232`	`ipath->fspath->val[i] = rel_ptr;`
`4233`	`4233`	`}`
`4234`	`4234`
	`4235`	`+ btrfs_free_path(path);`
	`4236`	`+ path = NULL;`
`4235`	`4237`	`ret = copy_to_user((void __user *)(unsigned long)ipa->fspath,`
`4236`	`4238`	`ipath->fspath, size);`
`4237`	`4239`	`if (ret) {`