Prior to commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of this when it was backported to kernel < 5.15.
Add a kfree on the error path for stable kernels that lack commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack").
This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.
Fixes: 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args") CC: stable@vger.kernel.org Signed-off-by: Maximilian Heyne mheyne@amazon.de --- fs/btrfs/ioctl.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 049b837934e5..adc6c4f2b53c 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3195,6 +3195,7 @@ static int btrfs_ioctl_defrag(struct file *file, void __user *argp) } if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) { ret = -EOPNOTSUPP; + kfree(range); goto out; } /* compression requires us to start the IO */
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opti...
Rule: The upstream commit ID must be specified with a separate line above the commit text. Subject: [PATCH 4.19 5.4 5.15] btrfs: defrag: fix memory leak in btrfs_ioctl_defrag Link: https://lore.kernel.org/stable/20240319170055.17942-1-mheyne%40amazon.de
Please ignore this mail if the patch is not relevant for upstream.
On Tue, Mar 19, 2024 at 05:00:55PM +0000, Maximilian Heyne wrote:
Prior to commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of this when it was backported to kernel < 5.15.
Add a kfree on the error path for stable kernels that lack commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack").
This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.
Good catch, thanks.
The affected versions are as you say 4.19, 5.4, 5.15, the fixup is sufficient and minimal fix, c853a5783ebe is reasonably safe for backport too.
On Tue, Mar 19, 2024 at 07:57:11PM +0100, David Sterba wrote:
On Tue, Mar 19, 2024 at 05:00:55PM +0000, Maximilian Heyne wrote:
Prior to commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of this when it was backported to kernel < 5.15.
Add a kfree on the error path for stable kernels that lack commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack").
This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.
Good catch, thanks.
The affected versions are as you say 4.19, 5.4, 5.15, the fixup is
I had a typo. Should go to 5.10 because c853a5783ebe is already in 5.15.
sufficient and minimal fix, c853a5783ebe is reasonably safe for backport too.
I think you're right. To avoid divergence it might be better to simply backport c853a5783ebe. Let me send this out.
Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879
linux-stable-mirror@lists.linaro.org
-
David Sterba -
kernel test robot -
Maximilian Heyne