19f7dbb20d
Copy from filesystems/btrfsprogs based on submit request 41263 from user dirkmueller OBS-URL: https://build.opensuse.org/request/show/41263 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/btrfsprogs?expand=0&rev=12
From: Jeff Mahoney <jeffm@suse.com>
|
|
Subject: btrfsprogs: Fix use after free in close_ctree
|
|
References: bnc#603620
|
|
|
|
After the roots are closed, root is freed. Yet close_ctree continues
|
|
to use it. It works generally because no new memory is allocated in
|
|
the interim, but with glibc malloc perturbing enabled, it crashes
|
|
every time. This is because root->fs_info points to garbage.
|
|
|
|
This patch uses the already-cached fs_info variable for the rest of
|
|
the accesses and fixes the crash.
|
|
|
|
|
|
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
---
|
|
disk-io.c | 10 +++++-----
|
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
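--- a/disk-io.c
+++ b/disk-io.c
@@ -971,13 +971,13 @@ int close_ctree(struct btrfs_root *root)
 if (fs_info->csum_root->node)
 free_extent_buffer(fs_info->csum_root->node);
 
- if (root->fs_info->log_root_tree) {
- if (root->fs_info->log_root_tree->node)
- free_extent_buffer(root->fs_info->log_root_tree->node);
- free(root->fs_info->log_root_tree);
+ if (fs_info->log_root_tree) {
+ if (fs_info->log_root_tree->node)
+ free_extent_buffer(fs_info->log_root_tree->node);
+ free(fs_info->log_root_tree);
 }
 
- close_all_devices(root->fs_info);
+ close_all_devices(fs_info);
 extent_io_tree_cleanup(&fs_info->extent_cache);
 extent_io_tree_cleanup(&fs_info->free_space_cache);
 extent_io_tree_cleanup(&fs_info->block_group_cache);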
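Review bot: Nothing in the new code keeps a later edit from dereferencing `root` again after it has been freed; the `log_root_tree` block and `close_all_devices(fs_info)` are now correct only by convention. The commit message says `root` is freed once the roots are closed, which happens above this hunk, so the exact spot is not visible here. Assigning `root = NULL;` right after that point would make any future stale access fault immediately, instead of only when malloc perturbing is enabled. A comment above the `log_root_tree` block such as `/* root is freed above; use only the cached fs_info from here on */` would record the invariant. Separately, `free(fs_info->log_root_tree);` leaves that field dangling; this is harmless if `fs_info` is released shortly afterwards, but that part of `close_ctree` is also outside the hunk and worth confirming.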