Btrfs: avoid possible use-after-free in clear_extent_bit() - linux

diff options

author	Li Zefan <lizf@cn.fujitsu.com>	2012-03-12 09:39:48 +0100
committer	David Sterba <dsterba@suse.cz>	2012-04-18 19:22:18 +0200
commit	cdc6a3952558f00b1bc3b6401e1cf98797632fe2 (patch)
tree	b97cf714429b439c6887b2fe0acf9065e1d09f1f /fs/btrfs/backref.c
parent	Btrfs: retrurn void from clear_state_bit (diff)
download	linux-cdc6a3952558f00b1bc3b6401e1cf98797632fe2.tar.xz linux-cdc6a3952558f00b1bc3b6401e1cf98797632fe2.zip

Btrfs: avoid possible use-after-free in clear_extent_bit()

clear_extent_bit() { next_node = rb_next(&state->rb_node); ... clear_state_bit(state); <-- this may free next_node if (next_node) { state = rb_entry(next_node); ... } } clear_state_bit() calls merge_state() which may free the next node of the passing extent_state, so clear_extent_bit() may end up referencing freed memory. Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>

Diffstat (limited to '')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: