mirrors/scoutfs
1
0
Fork 0
mirror of https://github.com/versity/scoutfs.git synced 2026-05-12 15:41:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix use-after-free in scoutfs_btree_free_blocks()

Browse Source 
bt = bl->data, but we just marked bl to be freed with scoutfs_block_put(),
so save the blkno. Very hypothetical.

Signed-off-by: Auke Kok <auke.kok@versity.com>
This commit is contained in:
Auke Kok
2026-03-16 14:36:42 -07:00
parent 13149b121f
commit a5e746d185
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
kmod/src/btree.c
View File

@@ -2533,6 +2533,7 @@ int scoutfs_btree_free_blocks(struct super_block *sb,
struct scoutfs_avl_node *node;
struct scoutfs_avl_node *next;
struct scoutfs_key par_next;
u64 par_blkno;
int nr_freed = 0;
int nr_par;
int level;
@@ -2641,12 +2642,11 @@ int scoutfs_btree_free_blocks(struct super_block *sb,
}
/* free the last parent block whose leaves were all freed */
trace_scoutfs_btree_free_blocks_parent(sb, root,
le64_to_cpu(bt->hdr.blkno));
par_blkno = le64_to_cpu(bt->hdr.blkno);
trace_scoutfs_btree_free_blocks_parent(sb, root, par_blkno);
scoutfs_block_put(sb, bl);
bl = NULL;
ret = scoutfs_free_meta(sb, alloc, wri,
le64_to_cpu(bt->hdr.blkno));
ret = scoutfs_free_meta(sb, alloc, wri, par_blkno);
BUG_ON(ret); /* checked meta low, freed should fit */
nr_freed++;