btrfs: fix possible leak in btrfs_ioctl_balance()

Commit 8eb934591f8b ("btrfs: check unsupported filters in balance
arguments") adds a jump to exit label out_bargs in case the argument
check fails. At this point in addition to the bargs memory, the
memory for struct btrfs_balance_control has already been allocated.
Ownership of bctl is passed to btrfs_balance() in the good case,
thus the memory is not freed due to the introduced jump. Make sure
that the memory gets freed in any case as necessary. Detected by
Coverity CID 1328378.

Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
(cherry picked from commit 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 0daaf290fa71847838aa344df847f79dc90dbd42..de6739cc5ac0d6c010addb3bc77a922b19e596ea 100644 (file)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4725,7 +4725,7 @@ locked:
 
        if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) {
                ret = -EINVAL;
-               goto out_bargs;
+               goto out_bctl;
        }
 
 do_balance:
@@ -4739,12 +4739,15 @@ do_balance:
        need_unlock = false;
 
        ret = btrfs_balance(bctl, bargs);
+       bctl = NULL;
 
        if (arg) {
                if (copy_to_user(arg, bargs, sizeof(*bargs)))
                        ret = -EFAULT;
        }
 
+out_bctl:
+       kfree(bctl);
 out_bargs:
        kfree(bargs);
 out_unlock: