From: Anand Jain <anand.jain@oracle.com>
Date: Thu, 10 Nov 2022 06:06:29 +0000 (+0530)
Subject: btrfs: free btrfs_path before copying fspath to userspace
X-Git-Tag: v6.1~73^2~7
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=8cf96b409d9b3946ece58ced13f92d0f775b0442;p=platform%2Fkernel%2Flinux-starfive.git

btrfs: free btrfs_path before copying fspath to userspace

btrfs_ioctl_ino_to_path() frees the search path after the userspace copy
from the temp buffer @ipath->fspath. Which potentially can lead to a lock
splat warning.

Fix this by freeing the path before we copy it to userspace.

CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
---

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index b595f2c..df5b893 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4232,6 +4232,8 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg)
 		ipath->fspath->val[i] = rel_ptr;
 	}
 
+	btrfs_free_path(path);
+	path = NULL;
 	ret = copy_to_user((void __user *)(unsigned long)ipa->fspath,
 			   ipath->fspath, size);
 	if (ret) {