This is a note to let you know that I've just added the patch titled btrfs: free btrfs_path before copying fspath to userspace to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 8cf96b409d9b3946ece58ced13f92d0f775b0442 Mon Sep 17 00:00:00 2001 From: Anand Jain <anand.jain@xxxxxxxxxx> Date: Thu, 10 Nov 2022 11:36:29 +0530 Subject: btrfs: free btrfs_path before copying fspath to userspace From: Anand Jain <anand.jain@xxxxxxxxxx> commit 8cf96b409d9b3946ece58ced13f92d0f775b0442 upstream. btrfs_ioctl_ino_to_path() frees the search path after the userspace copy from the temp buffer @ipath->fspath. Which potentially can lead to a lock splat warning. Fix this by freeing the path before we copy it to userspace. CC: stable@xxxxxxxxxxxxxxx # 4.19+ Signed-off-by: Anand Jain <anand.jain@xxxxxxxxxx> Reviewed-by: David Sterba <dsterba@xxxxxxxx> Signed-off-by: David Sterba <dsterba@xxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/btrfs/ioctl.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3879,6 +3879,8 @@ static long btrfs_ioctl_ino_to_path(stru ipath->fspath->val[i] = rel_ptr; } + btrfs_free_path(path); + path = NULL; ret = copy_to_user((void __user *)(unsigned long)ipa->fspath, ipath->fspath, size); if (ret) { Patches currently in stable-queue which might be from anand.jain@xxxxxxxxxx are queue-5.10/btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch queue-5.10/btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch queue-5.10/btrfs-free-btrfs_path-before-copying-root-refs-to-userspace.patch