Message ID | 20221123143945.2666-1-void0red@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | btrfs: avoid use-after-free when return the error code |
On Wed, Nov 23, 2022 at 10:39:45PM +0800, void0red wrote:
> free_extent_map(em) will free em->map_lookup, so it is
> wrong to use it when return.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=216721
> Signed-off-by: void0red <void0red@gmail.com>
> Reported-by: eriri <1527030098@qq.com>

Added to misc-next with updated changelog, thanks.
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 635f45f1a2ef..dba087ad40ea 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -7241,8 +7241,9 @@ static int read_one_chunk(struct btrfs_key *key, struct extent_buffer *leaf, map->stripes[i].dev = handle_missing_device(fs_info, devid, uuid); if (IS_ERR(map->stripes[i].dev)) { + ret = PTR_ERR(map->stripes[i].dev); free_extent_map(em); - return PTR_ERR(map->stripes[i].dev); + return ret; } }
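Review bot: In the IS_ERR() branch of read_one_chunk(), the added `ret = PTR_ERR(map->stripes[i].dev);` assigns to a `ret` whose declaration is not in the visible context, so please confirm it is an existing `int` in scope at this point in the stripe loop and not a variable that still needs declaring. Reading the error value before `free_extent_map(em);` is the right order, but the changelog only says that free_extent_map(em) frees em->map_lookup and never states how `map` relates to it; one sentence making that link explicit would show why the old `return PTR_ERR(map->stripes[i].dev);` touched freed memory. A Fixes: tag naming the commit that introduced that return would also help with stable backports.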
free_extent_map(em) will free em->map_lookup, so it is
wrong to use it when return.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216721
Signed-off-by: void0red <void0red@gmail.com>
Reported-by: eriri <1527030098@qq.com>
---
 fs/btrfs/volumes.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)