> This adds ioctl BTRFS_IOC_GET_FSIDS which reads the fs
> info through the btrfs-control

Why not use sysfs?

> + sz_fslist_arg = sizeof(*fslist_arg);
> + fslist_arg = memdup_user(arg, sz_fslist_arg);

Doesn't check allocation failure.

> +
> + sz_fslist = sizeof(*fslist) * fslist_arg->count;
> + kfree(fslist_arg);

That allocation and copy and free gets a single u64. Use
copy_from_user() for the u64.

> + fslist_arg = memdup_user(arg, sz_fslist_arg + sz_fslist);

Allocates an arbitrarily huge size that depends only on user input.
Doesn't check failure again. And I bet you can scribble on kernel
memory if you wrap the size.

> + if (copy_to_user(arg, fslist_arg, sz_fslist_arg + sz_fslist))
> + ret = -EFAULT;

And there's no reason to buffer all this in the kernel to begin with.
Just copy_to_user() as you iterate over each fs_devices.

> + fslist = (struct btrfs_ioctl_fslist *) fslist +
> + sizeof(*fslist);

AKA fslist++.

- z
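Review bot: the multiplication in "sz_fslist = sizeof(*fslist) * fslist_arg->count" is unchecked and uses a count read straight from the user buffer, and its result sizes the second memdup_user(arg, sz_fslist_arg + sz_fslist). Bound count against a fixed maximum and compute the size with check_mul_overflow() or array_size() before allocating. Both memdup_user() calls also need an IS_ERR() test, because memdup_user() reports failure as an ERR_PTR value rather than NULL. Since the second memdup_user() reads the header from user memory again, any later loop should use the count saved from the first read, not the re-fetched fslist_arg->count, which user space can change between the two reads.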
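Review bot: in "fslist = (struct btrfs_ioctl_fslist *) fslist + sizeof(*fslist);" the cast applies before the addition, so pointer arithmetic moves fslist forward by sizeof(*fslist) entries per iteration instead of one. That steps over entries and can run past the end of a buffer sized as sizeof(*fslist) * count. Use fslist++ for a one-entry advance.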
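Added example, not part of the original message or the patch: a userspace C model of the size wrap and the "copy as you iterate" alternative raised in the reply. The struct layouts, the 32-bit size model and the FSLIST_MAX_COUNT cap are assumptions made for illustration; in the kernel the checks would be check_mul_overflow()/array_size() and the per-entry copy would be copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins: the patch's real struct layouts are not shown. */
struct fs_entry    { uint8_t fsid[16]; uint64_t num_devices; }; /* 24 bytes */
struct fs_list_hdr { uint64_t count; };                          /*  8 bytes */

#define FSLIST_MAX_COUNT 1024u /* assumed policy cap, not from the patch */

/* Unchecked pattern: header + entry size * count, truncated to a 32-bit
 * size as it would be where size_t is 32 bits wide. */
static uint32_t size_unchecked(uint64_t count)
{
    return (uint32_t)(sizeof(struct fs_list_hdr) +
                      sizeof(struct fs_entry) * count);
}

/* Checked pattern: returns 0 and sets *out, or -1 when count exceeds the
 * cap or the arithmetic overflows. */
static int size_checked(uint64_t count, size_t *out)
{
    size_t body;

    if (count > FSLIST_MAX_COUNT)
        return -1;
    if (__builtin_mul_overflow(sizeof(struct fs_entry), (size_t)count, &body))
        return -1;
    if (__builtin_add_overflow(body, sizeof(struct fs_list_hdr), out))
        return -1;
    return 0;
}

/* Models copying one entry at a time into the caller's buffer, bounded by
 * the caller's capacity, with no staging allocation. Returns entries written. */
static size_t fill_entries(struct fs_entry *dst, size_t dst_cap,
                           const struct fs_entry *src, size_t src_n)
{
    size_t i;

    for (i = 0; i < src_n && i < dst_cap; i++)
        memcpy(&dst[i], &src[i], sizeof(*dst)); /* copy_to_user() in-kernel */
    return i;
}

int main(void)
{
    uint64_t count = 0x0AAAAAABull; /* constructed value: 24 * count wraps */
    size_t n = 0;

    printf("unchecked size: %u bytes\n", size_unchecked(count));
    printf("checked result: %d\n", size_checked(count, &n));
    return 0;
}
```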
