btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl

On 'btrfs_ioctl_qgroup_assign' we first duplicate the argument as provided by the user, which is kfree'd in the end. But this was not the case when allocating memory for 'prealloc'. In this case, if it somehow failed, then the previous code would go directly into calling 'mnt_drop_write_file', without freeing the string duplicated from the user space. Fixes: 4addc1ffd67a ("btrfs: qgroup: preallocate memory before adding a relation") CC: stable@vger.kernel.org # 6.12+ Reviewed-by: Boris Burkov <boris@bur.io> Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: Miquel Sabaté Solà <mssola@mssola.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
author: Miquel Sabaté Solà <mssola@mssola.com> 2025-09-25 20:41:39 +0200
committer: David Sterba <dsterba@suse.com> 2025-10-13 22:29:27 +0200
commit: 53a4acbfc1de85fa637521ffab4f4e2ee03cbeeb (patch)
tree: ad6198240ac0a00735a7381a7ec96fdcd3a45409
parent: 7e5a5983edda664e8e4bb20af17b80f5135c655c (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index a454b5ba2097..938286bee6a8 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3740,7 +3740,7 @@ static long btrfs_ioctl_qgroup_assign(struct file *file, void __user *arg)
 		prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);
 		if (!prealloc) {
 			ret = -ENOMEM;
-			goto drop_write;
+			goto out;
 		}
 	}
author	Miquel Sabaté Solà <mssola@mssola.com>	2025-09-25 20:41:39 +0200
committer	David Sterba <dsterba@suse.com>	2025-10-13 22:29:27 +0200
commit	53a4acbfc1de85fa637521ffab4f4e2ee03cbeeb (patch)
tree	ad6198240ac0a00735a7381a7ec96fdcd3a45409
parent	7e5a5983edda664e8e4bb20af17b80f5135c655c (diff)