btrfs: fix use-after-free on rbtree that tracks inodes for auto defrag - blaster4385/linux-IllusionX - Linux kernel with personal config changes for arch linux

diff options

author	Filipe Manana <[email protected]>	2024-09-15 20:52:53 +0100
committer	David Sterba <[email protected]>	2024-09-17 17:35:53 +0200
commit	7f1b63f981b8284c6d8238cb49b5cb156d9a833e (patch)
tree	ff84007af6f9af2157d407bf754196fb6d3506ed /drivers/pci/controller/dwc
parent	b0b595e61d97de61c15b379b754b2caa90e83e5c (diff)

btrfs: fix use-after-free on rbtree that tracks inodes for auto defrag

When cleaning up defrag inodes at btrfs_cleanup_defrag_inodes(), called during remount and unmount, we are freeing every node from the rbtree that tracks inodes for auto defrag using rbtree_postorder_for_each_entry_safe(), which doesn't modify the tree itself. So once we unlock the lock that protects the rbtree, we have a tree pointing to a root that was freed (and a root pointing to freed nodes, and their children pointing to other freed nodes, and so on). This makes further access to the tree result in a use-after-free with unpredictable results. Fix this by initializing the rbtree to an empty root after the call to rbtree_postorder_for_each_entry_safe() and before unlocking. Fixes: 276940915f23 ("btrfs: clear defragmented inodes using postorder in btrfs_cleanup_defrag_inodes()") Reported-by: [email protected] Link: https://lore.kernel.org/linux-btrfs/[email protected]/ Reviewed-by: Qu Wenruo <[email protected]> Signed-off-by: Filipe Manana <[email protected]> Reviewed-by: David Sterba <[email protected]> Signed-off-by: David Sterba <[email protected]>

Diffstat (limited to 'drivers/pci/controller/dwc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: