Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cdfb080e authored Apr 06, 2015 by Chris Mason

Btrfs: fix use after free when close_ctree frees the orphan_rsv



Near the end of close_ctree, we're calling btrfs_free_block_rsv
to free up the orphan rsv.  The problem is this call updates the
space_info, which has already been freed.

This adds a new __ function that directly calls kfree instead of trying
to update the space infos.

Signed-off-by: Chris Mason <clm@fb.com>

parent 1bbc621e

fs/btrfs/ctree.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -3470,6 +3470,7 @@ struct btrfs_block_rsv btrfs_alloc_block_rsv(struct btrfs_root root,
		unsigned short type);
		void btrfs_free_block_rsv(struct btrfs_root *root,
		struct btrfs_block_rsv *rsv);
		void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv);
		int btrfs_block_rsv_add(struct btrfs_root *root,
		struct btrfs_block_rsv *block_rsv, u64 num_bytes,
		enum btrfs_reserve_flush_enum flush);

fs/btrfs/disk-io.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3766,7 +3766,7 @@ void close_ctree(struct btrfs_root *root)

		btrfs_free_stripe_hash_table(fs_info);

		btrfs_free_block_rsv(root, root->orphan_block_rsv);
		__btrfs_free_block_rsv(root->orphan_block_rsv);
		root->orphan_block_rsv = NULL;

		lock_chunks(root);

fs/btrfs/extent-tree.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -4918,6 +4918,11 @@ void btrfs_free_block_rsv(struct btrfs_root *root,
		kfree(rsv);
		}

		void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv)
		{
		kfree(rsv);
		}

		int btrfs_block_rsv_add(struct btrfs_root *root,
		struct btrfs_block_rsv *block_rsv, u64 num_bytes,
		enum btrfs_reserve_flush_enum flush)