| author | Filipe Manana <[email protected]> | 2024-09-15 19:52:53 +0000 |
|---|---|---|
| committer | David Sterba <[email protected]> | 2024-09-17 15:35:53 +0000 |
| commit | 7f1b63f981b8284c6d8238cb49b5cb156d9a833e (patch) | |
| tree | ff84007af6f9af2157d407bf754196fb6d3506ed /rust/helpers/mutex.c | |
| parent | btrfs: tree-checker: fix the wrong output of data backref objectid (diff) | |
| download | kernel-7f1b63f981b8284c6d8238cb49b5cb156d9a833e.tar.gz kernel-7f1b63f981b8284c6d8238cb49b5cb156d9a833e.zip | |
btrfs: fix use-after-free on rbtree that tracks inodes for auto defrag
When cleaning up defrag inodes at btrfs_cleanup_defrag_inodes(), called
during remount and unmount, we are freeing every node from the rbtree
that tracks inodes for auto defrag using
rbtree_postorder_for_each_entry_safe(), which doesn't modify the tree
itself. So once we unlock the lock that protects the rbtree, we have a
tree pointing to a root that was freed (and a root pointing to freed
nodes, and their children pointing to other freed nodes, and so on).
This makes further access to the tree result in a use-after-free with
unpredictable results.
Fix this by initializing the rbtree to an empty root after the call to
rbtree_postorder_for_each_entry_safe() and before unlocking.
Fixes: 276940915f23 ("btrfs: clear defragmented inodes using postorder in btrfs_cleanup_defrag_inodes()")
Reported-by: [email protected]
Link: https://lore.kernel.org/linux-btrfs/[email protected]/
Reviewed-by: Qu Wenruo <[email protected]>
Signed-off-by: Filipe Manana <[email protected]>
Reviewed-by: David Sterba <[email protected]>
Signed-off-by: David Sterba <[email protected]>
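The failure mode described in the commit message (a postorder "free every entry" walk that never writes to the tree, leaving the root pointing at freed memory) and the shape of the fix (reset the root to empty before anyone can see the tree again) can be reproduced outside the kernel. The following is an added example, not the kernel's rbtree code or the btrfs patch: it uses a hypothetical plain binary search tree with parent pointers as a stand-in for `rb_root`/`rb_node`, a postorder walk that follows the same next-node rule the kernel uses for `rb_next_postorder()`, and a constructed set of keys. `cleanup_buggy()` and `cleanup_fixed()` differ only in the one assignment the patch adds.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for rb_node/rb_root: a plain BST with parent
 * pointers, enough to reproduce a postorder walk. Not the kernel's code. */
struct node { struct node *parent, *left, *right; long key; };
struct root { struct node *node; };
#define ROOT_INIT { NULL }   /* stand-in for RB_ROOT */

static size_t freed_count;   /* nodes released by the last cleanup */

static void insert(struct root *root, long key)
{
    struct node **link = &root->node, *parent = NULL;
    struct node *n = calloc(1, sizeof(*n));
    assert(n);
    while (*link) {
        parent = *link;
        link = key < parent->key ? &parent->left : &parent->right;
    }
    n->key = key;
    n->parent = parent;
    *link = n;
}

/* Leftmost-deepest descendant: the first node visited in postorder. */
static struct node *leftmost_deepest(struct node *n)
{
    for (;;) {
        if (n->left) n = n->left;
        else if (n->right) n = n->right;
        else return n;
    }
}

static struct node *first_postorder(struct root *root)
{
    return root->node ? leftmost_deepest(root->node) : NULL;
}

/* After finishing a left subtree, descend into the right sibling's
 * subtree; otherwise go up to the parent (visited after its children). */
static struct node *next_postorder(struct node *n)
{
    struct node *parent = n->parent;
    if (parent && n == parent->left && parent->right)
        return leftmost_deepest(parent->right);
    return parent;
}

/* Frees every node while iterating. The next node is read before the
 * current one is freed, and the walk never writes to the tree, so
 * root->node still holds the address of the freed root afterwards. */
static void cleanup_nodes(struct root *root)
{
    struct node *n, *next;
    for (n = first_postorder(root); n; n = next) {
        next = next_postorder(n);   /* must be read before free(n) */
        free(n);
        freed_count++;
    }
}

/* Buggy shape: nodes are gone, root is left dangling. */
static void cleanup_buggy(struct root *root) { cleanup_nodes(root); }

/* Fixed shape, mirroring the patch: reset the root to empty right after
 * the postorder walk, before the lock protecting it would be dropped. */
static void cleanup_fixed(struct root *root)
{
    cleanup_nodes(root);
    root->node = NULL;   /* equivalent of assigning RB_ROOT */
}

/* 1 when a later lookup would see an empty tree, 0 when the root still
 * refers to freed memory (only the pointer value is inspected). */
static int root_is_safe(const struct root *root) { return root->node == NULL; }

/* Builds a small tree from constructed keys, runs one cleanup variant,
 * and reports how many nodes were released and whether the root is safe. */
static int run_scenario(int fixed, size_t *released)
{
    struct root root = ROOT_INIT;
    long keys[] = { 50, 30, 70, 20, 40, 60, 80 };   /* constructed sample */
    size_t i;
    freed_count = 0;
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        insert(&root, keys[i]);
    if (fixed) cleanup_fixed(&root); else cleanup_buggy(&root);
    *released = freed_count;
    return root_is_safe(&root);
}

int main(void)
{
    size_t n;
    printf("buggy: root safe=%d, freed=%zu\n", run_scenario(0, &n), n);
    printf("fixed: root safe=%d, freed=%zu\n", run_scenario(1, &n), n);
    return 0;
}
```

Both variants release all seven nodes; only the fixed one leaves a root that a subsequent insert or lookup can use. In the kernel the reset has to happen before the lock is released, which is why the patch places it between the `rbtree_postorder_for_each_entry_safe()` loop and the unlock.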
Diffstat (limited to 'rust/helpers/mutex.c')
0 files changed, 0 insertions, 0 deletions
