Btrfs: fix use after free when close_ctree frees the orphan_rsv
Near the end of close_ctree, we're calling btrfs_free_block_rsv to free up the orphan rsv. The problem is this call updates the space_info, which has already been freed. This adds a new __ function that directly calls kfree instead of trying to update the space infos. Signed-off-by: Chris Mason <clm@fb.com>
This commit is contained in:
parent
1bbc621ef2
commit
cdfb080e18
@ -3470,6 +3470,7 @@ struct btrfs_block_rsv *btrfs_alloc_block_rsv(struct btrfs_root *root,
|
|||
unsigned short type);
|
||||
void btrfs_free_block_rsv(struct btrfs_root *root,
|
||||
struct btrfs_block_rsv *rsv);
|
||||
void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv);
|
||||
int btrfs_block_rsv_add(struct btrfs_root *root,
|
||||
struct btrfs_block_rsv *block_rsv, u64 num_bytes,
|
||||
enum btrfs_reserve_flush_enum flush);
|
||||
|
|
|
@ -3766,7 +3766,7 @@ void close_ctree(struct btrfs_root *root)
|
|||
|
||||
btrfs_free_stripe_hash_table(fs_info);
|
||||
|
||||
btrfs_free_block_rsv(root, root->orphan_block_rsv);
|
||||
__btrfs_free_block_rsv(root->orphan_block_rsv);
|
||||
root->orphan_block_rsv = NULL;
|
||||
|
||||
lock_chunks(root);
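Review bot: The switch to `__btrfs_free_block_rsv(root->orphan_block_rsv);` works around the ordering problem rather than fixing it: by this point in close_ctree the space_info has already been freed, so the orphan reservation is dropped without its remaining bytes ever being returned to the accounting. If the orphan rsv is expected to be empty here, that expectation is worth stating next to the call, e.g. `/* space_info is already gone; rsv must hold no reserved bytes */`, so the next reader does not "fix" it back to the accounting variant. An alternative worth weighing is moving the original `btrfs_free_block_rsv(root, root->orphan_block_rsv);` ahead of the space_info teardown so the normal release path applies and nothing is lost silently. close_ctree continues outside the hunk.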
|
||||
|
|
|
@ -4918,6 +4918,11 @@ void btrfs_free_block_rsv(struct btrfs_root *root,
|
|||
kfree(rsv);
|
||||
}
|
||||
|
||||
void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv)
|
||||
{
|
||||
kfree(rsv);
|
||||
}
|
||||
|
||||
int btrfs_block_rsv_add(struct btrfs_root *root,
|
||||
struct btrfs_block_rsv *block_rsv, u64 num_bytes,
|
||||
enum btrfs_reserve_flush_enum flush)
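Review bot: `__btrfs_free_block_rsv` has no comment stating why it exists beside `btrfs_free_block_rsv`, and the name alone does not tell a caller that it skips the space_info accounting entirely. Suggest a comment above the definition such as `/* Free the rsv without touching space_info: only for teardown paths where the space infos are already freed and the rsv holds no reserved bytes. */`; the prototype in the header hunk above would benefit from the same line. Because the function intentionally discards any outstanding reservation, a `WARN_ON(rsv && rsv->reserved);` before the `kfree(rsv);` would make a caller that reaches it with bytes still accounted visible in testing instead of leaking space quietly.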
|
||||
|
|