diff options
-rw-r--r-- | fs/btrfs/ioctl.c | 49 | ||||
-rw-r--r-- | fs/btrfs/super.c | 13 |
2 files changed, 16 insertions, 46 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 7594bec1be10..9f135e878507 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c | |||
@@ -461,15 +461,9 @@ static int btrfs_ioctl_resize(struct btrfs_root *root, void __user *arg) | |||
461 | if (!capable(CAP_SYS_ADMIN)) | 461 | if (!capable(CAP_SYS_ADMIN)) |
462 | return -EPERM; | 462 | return -EPERM; |
463 | 463 | ||
464 | vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); | 464 | vol_args = memdup_user(arg, sizeof(*vol_args)); |
465 | 465 | if (IS_ERR(vol_args)) | |
466 | if (!vol_args) | 466 | return PTR_ERR(vol_args); |
467 | return -ENOMEM; | ||
468 | |||
469 | if (copy_from_user(vol_args, arg, sizeof(*vol_args))) { | ||
470 | ret = -EFAULT; | ||
471 | goto out; | ||
472 | } | ||
473 | 467 | ||
474 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; | 468 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; |
475 | namelen = strlen(vol_args->name); | 469 | namelen = strlen(vol_args->name); |
@@ -545,7 +539,6 @@ static int btrfs_ioctl_resize(struct btrfs_root *root, void __user *arg) | |||
545 | 539 | ||
546 | out_unlock: | 540 | out_unlock: |
547 | mutex_unlock(&root->fs_info->volume_mutex); | 541 | mutex_unlock(&root->fs_info->volume_mutex); |
548 | out: | ||
549 | kfree(vol_args); | 542 | kfree(vol_args); |
550 | return ret; | 543 | return ret; |
551 | } | 544 | } |
@@ -565,15 +558,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file, | |||
565 | if (root->fs_info->sb->s_flags & MS_RDONLY) | 558 | if (root->fs_info->sb->s_flags & MS_RDONLY) |
566 | return -EROFS; | 559 | return -EROFS; |
567 | 560 | ||
568 | vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); | 561 | vol_args = memdup_user(arg, sizeof(*vol_args)); |
569 | 562 | if (IS_ERR(vol_args)) | |
570 | if (!vol_args) | 563 | return PTR_ERR(vol_args); |
571 | return -ENOMEM; | ||
572 | |||
573 | if (copy_from_user(vol_args, arg, sizeof(*vol_args))) { | ||
574 | ret = -EFAULT; | ||
575 | goto out; | ||
576 | } | ||
577 | 564 | ||
578 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; | 565 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; |
579 | namelen = strlen(vol_args->name); | 566 | namelen = strlen(vol_args->name); |
@@ -675,19 +662,13 @@ static long btrfs_ioctl_add_dev(struct btrfs_root *root, void __user *arg) | |||
675 | if (!capable(CAP_SYS_ADMIN)) | 662 | if (!capable(CAP_SYS_ADMIN)) |
676 | return -EPERM; | 663 | return -EPERM; |
677 | 664 | ||
678 | vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); | 665 | vol_args = memdup_user(arg, sizeof(*vol_args)); |
666 | if (IS_ERR(vol_args)) | ||
667 | return PTR_ERR(vol_args); | ||
679 | 668 | ||
680 | if (!vol_args) | ||
681 | return -ENOMEM; | ||
682 | |||
683 | if (copy_from_user(vol_args, arg, sizeof(*vol_args))) { | ||
684 | ret = -EFAULT; | ||
685 | goto out; | ||
686 | } | ||
687 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; | 669 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; |
688 | ret = btrfs_init_new_device(root, vol_args->name); | 670 | ret = btrfs_init_new_device(root, vol_args->name); |
689 | 671 | ||
690 | out: | ||
691 | kfree(vol_args); | 672 | kfree(vol_args); |
692 | return ret; | 673 | return ret; |
693 | } | 674 | } |
@@ -703,19 +684,13 @@ static long btrfs_ioctl_rm_dev(struct btrfs_root *root, void __user *arg) | |||
703 | if (root->fs_info->sb->s_flags & MS_RDONLY) | 684 | if (root->fs_info->sb->s_flags & MS_RDONLY) |
704 | return -EROFS; | 685 | return -EROFS; |
705 | 686 | ||
706 | vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); | 687 | vol_args = memdup_user(arg, sizeof(*vol_args)); |
688 | if (IS_ERR(vol_args)) | ||
689 | return PTR_ERR(vol_args); | ||
707 | 690 | ||
708 | if (!vol_args) | ||
709 | return -ENOMEM; | ||
710 | |||
711 | if (copy_from_user(vol_args, arg, sizeof(*vol_args))) { | ||
712 | ret = -EFAULT; | ||
713 | goto out; | ||
714 | } | ||
715 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; | 691 | vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; |
716 | ret = btrfs_rm_device(root, vol_args->name); | 692 | ret = btrfs_rm_device(root, vol_args->name); |
717 | 693 | ||
718 | out: | ||
719 | kfree(vol_args); | 694 | kfree(vol_args); |
720 | return ret; | 695 | return ret; |
721 | } | 696 | } |
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c index 9744af9d71e9..a7acfe639a44 100644 --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c | |||
@@ -635,14 +635,9 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd, | |||
635 | if (!capable(CAP_SYS_ADMIN)) | 635 | if (!capable(CAP_SYS_ADMIN)) |
636 | return -EPERM; | 636 | return -EPERM; |
637 | 637 | ||
638 | vol = kmalloc(sizeof(*vol), GFP_KERNEL); | 638 | vol = memdup_user((void __user *)arg, sizeof(*vol)); |
639 | if (!vol) | 639 | if (IS_ERR(vol)) |
640 | return -ENOMEM; | 640 | return PTR_ERR(vol); |
641 | |||
642 | if (copy_from_user(vol, (void __user *)arg, sizeof(*vol))) { | ||
643 | ret = -EFAULT; | ||
644 | goto out; | ||
645 | } | ||
646 | 641 | ||
647 | switch (cmd) { | 642 | switch (cmd) { |
648 | case BTRFS_IOC_SCAN_DEV: | 643 | case BTRFS_IOC_SCAN_DEV: |
@@ -650,7 +645,7 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd, | |||
650 | &btrfs_fs_type, &fs_devices); | 645 | &btrfs_fs_type, &fs_devices); |
651 | break; | 646 | break; |
652 | } | 647 | } |
653 | out: | 648 | |
654 | kfree(vol); | 649 | kfree(vol); |
655 | return ret; | 650 | return ret; |
656 | } | 651 | } |