The ioctl parameter block consists of two parts, a dm_ioctl struct followed by a data buffer. Don't free the parameter block when the data buffer is empty.
Fixes: 30c2a1f('dm ioctl: use kvfree() in free_params()')
Signed-off-by: Geliang Tang <geliangtang@xxxxxxx>
---
 drivers/md/dm-ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index dbb5588..3f93787 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1673,10 +1673,13 @@ static int check_version(unsigned int cmd, struct dm_ioctl __user *user)

 static void free_params(struct dm_ioctl *param, size_t param_size, int param_flags)
 {
+ const size_t minimum_data_size = sizeof(*param) - sizeof(param->data);
+
 if (param_flags & DM_WIPE_BUFFER)
 memset(param, 0, param_size);

- kvfree(param);
+ if (param_size > minimum_data_size)
+ kvfree(param);
 }

 static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
--
1.9.1
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
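Review bot: The new guard `if (param_size > minimum_data_size)` in free_params() infers from the block's size whether it was allocated, so the free decision depends on an allocation policy that lives outside this hunk (presumably in copy_params(), of which only the first signature line is visible). If any path allocates a block of exactly header size, this check leaks it, and if a caller-owned block ever arrives with a larger size it is handed to kvfree(). Both are memory-safety hazards on an ioctl path whose sizes come from user space. Recording ownership explicitly would be more robust: have the allocating path set a dedicated bit in param_flags and test it here, e.g. `if (param_flags & DM_PARAMS_MALLOC) kvfree(param);`, where DM_PARAMS_MALLOC would be a new flag defined alongside DM_WIPE_BUFFER. If the size test is kept, a comment above it should state the invariant it relies on, for instance `/* A header-only block was not allocated here, so it must not be freed. */`, assuming that is indeed the invariant.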