aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fs/btrfs/ioctl.c49
-rw-r--r--fs/btrfs/super.c13
2 files changed, 16 insertions, 46 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 7594bec1be10..9f135e878507 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -461,15 +461,9 @@ static int btrfs_ioctl_resize(struct btrfs_root *root, void __user *arg)
461 if (!capable(CAP_SYS_ADMIN)) 461 if (!capable(CAP_SYS_ADMIN))
462 return -EPERM; 462 return -EPERM;
463 463
464 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 464 vol_args = memdup_user(arg, sizeof(*vol_args));
465 465 if (IS_ERR(vol_args))
466 if (!vol_args) 466 return PTR_ERR(vol_args);
467 return -ENOMEM;
468
469 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
470 ret = -EFAULT;
471 goto out;
472 }
473 467
474 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 468 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
475 namelen = strlen(vol_args->name); 469 namelen = strlen(vol_args->name);
@@ -545,7 +539,6 @@ static int btrfs_ioctl_resize(struct btrfs_root *root, void __user *arg)
545 539
546out_unlock: 540out_unlock:
547 mutex_unlock(&root->fs_info->volume_mutex); 541 mutex_unlock(&root->fs_info->volume_mutex);
548out:
549 kfree(vol_args); 542 kfree(vol_args);
550 return ret; 543 return ret;
551} 544}
@@ -565,15 +558,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file,
565 if (root->fs_info->sb->s_flags & MS_RDONLY) 558 if (root->fs_info->sb->s_flags & MS_RDONLY)
566 return -EROFS; 559 return -EROFS;
567 560
568 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 561 vol_args = memdup_user(arg, sizeof(*vol_args));
569 562 if (IS_ERR(vol_args))
570 if (!vol_args) 563 return PTR_ERR(vol_args);
571 return -ENOMEM;
572
573 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
574 ret = -EFAULT;
575 goto out;
576 }
577 564
578 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 565 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
579 namelen = strlen(vol_args->name); 566 namelen = strlen(vol_args->name);
@@ -675,19 +662,13 @@ static long btrfs_ioctl_add_dev(struct btrfs_root *root, void __user *arg)
675 if (!capable(CAP_SYS_ADMIN)) 662 if (!capable(CAP_SYS_ADMIN))
676 return -EPERM; 663 return -EPERM;
677 664
678 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 665 vol_args = memdup_user(arg, sizeof(*vol_args));
666 if (IS_ERR(vol_args))
667 return PTR_ERR(vol_args);
679 668
680 if (!vol_args)
681 return -ENOMEM;
682
683 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
684 ret = -EFAULT;
685 goto out;
686 }
687 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 669 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
688 ret = btrfs_init_new_device(root, vol_args->name); 670 ret = btrfs_init_new_device(root, vol_args->name);
689 671
690out:
691 kfree(vol_args); 672 kfree(vol_args);
692 return ret; 673 return ret;
693} 674}
@@ -703,19 +684,13 @@ static long btrfs_ioctl_rm_dev(struct btrfs_root *root, void __user *arg)
703 if (root->fs_info->sb->s_flags & MS_RDONLY) 684 if (root->fs_info->sb->s_flags & MS_RDONLY)
704 return -EROFS; 685 return -EROFS;
705 686
706 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 687 vol_args = memdup_user(arg, sizeof(*vol_args));
688 if (IS_ERR(vol_args))
689 return PTR_ERR(vol_args);
707 690
708 if (!vol_args)
709 return -ENOMEM;
710
711 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
712 ret = -EFAULT;
713 goto out;
714 }
715 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 691 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
716 ret = btrfs_rm_device(root, vol_args->name); 692 ret = btrfs_rm_device(root, vol_args->name);
717 693
718out:
719 kfree(vol_args); 694 kfree(vol_args);
720 return ret; 695 return ret;
721} 696}
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 9744af9d71e9..a7acfe639a44 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -635,14 +635,9 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
635 if (!capable(CAP_SYS_ADMIN)) 635 if (!capable(CAP_SYS_ADMIN))
636 return -EPERM; 636 return -EPERM;
637 637
638 vol = kmalloc(sizeof(*vol), GFP_KERNEL); 638 vol = memdup_user((void __user *)arg, sizeof(*vol));
639 if (!vol) 639 if (IS_ERR(vol))
640 return -ENOMEM; 640 return PTR_ERR(vol);
641
642 if (copy_from_user(vol, (void __user *)arg, sizeof(*vol))) {
643 ret = -EFAULT;
644 goto out;
645 }
646 641
647 switch (cmd) { 642 switch (cmd) {
648 case BTRFS_IOC_SCAN_DEV: 643 case BTRFS_IOC_SCAN_DEV:
@@ -650,7 +645,7 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
650 &btrfs_fs_type, &fs_devices); 645 &btrfs_fs_type, &fs_devices);
651 break; 646 break;
652 } 647 }
653out: 648
654 kfree(vol); 649 kfree(vol);
655 return ret; 650 return ret;
656} 651}