Re: [PATCH] btrfs: fix use-after-free of cmp workspace pages

On Fri, Jul 13, 2018 at 11:07:20PM +0900, Naohiro Aota wrote:
> btrfs_cmp_data_free() puts cmp's src_pages and dst_pages, but leaves
> their page address intact. Now, if you hit "goto again" in
> btrfs_extent_same_range() and hit some error in
> btrfs_cmp_data_prepare(), you'll try to unlock/put already put pages.
> 
> This is a simple fix to reset the address to avoid use-after-free.
> 
> Fixes: 67b07bd4bec5 ("Btrfs: reuse cmp workspace in EXTENT_SAME ioctl")
> Signed-off-by: Naohiro Aota <naota@xxxxxxxxx>

Thanks for catching it.

Reviewed-by: David Sterba <dsterba@xxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
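
A user-space model of the failure described in the commit message above, added here as an illustration; it is not the btrfs code or the patch. The names `cmp_ws`, `ws_prepare`, `ws_free` and `retry_bad_puts` are hypothetical, and the model assumes the failed retry is cleaned up through the same free routine.

```c
#include <stdio.h>
#define NPAGES 4
struct page { int refcount; };                  /* stand-in for a refcounted page */
struct cmp_ws { struct page *pages[NPAGES]; };  /* stand-in for the cmp workspace */
static int bad_puts;  /* puts on a page whose reference was already dropped */

/* Put every page the workspace points at; reset_slots models the fix. */
static void ws_free(struct cmp_ws *ws, int reset_slots)
{
    for (int i = 0; i < NPAGES; i++) {
        struct page *p = ws->pages[i];
        if (p && p->refcount > 0)
            p->refcount--;
        else if (p)
            bad_puts++;   /* in the kernel: unlock/put of an already put page */
        if (reset_slots)
            ws->pages[i] = NULL;
    }
}

/* Take one reference per slot; fail before slot fail_at (-1 = never fail). */
static int ws_prepare(struct cmp_ws *ws, struct page *pool, int fail_at)
{
    for (int i = 0; i < NPAGES; i++) {
        if (i == fail_at)
            return -1;
        pool[i].refcount++;
        ws->pages[i] = &pool[i];
    }
    return 0;
}

/* Pass 1 succeeds and is freed; the retry fails at slot 1 and is cleaned up. */
int retry_bad_puts(int reset_slots)
{
    struct page pool[NPAGES] = { { 0 } };  /* outlives ws, so the model is memory-safe */
    struct cmp_ws ws = { { NULL } };
    bad_puts = 0;
    ws_prepare(&ws, pool, -1);
    ws_free(&ws, reset_slots);
    if (ws_prepare(&ws, pool, 1) < 0)      /* the "goto again" pass */
        ws_free(&ws, reset_slots);
    return bad_puts;
}

int main(void)
{
    printf("stale: %d bad puts, reset: %d bad puts\n", retry_bad_puts(0), retry_bad_puts(1));
    return 0;
}
```

With stale slots the cleanup of the failed retry puts the three pages that were never re-acquired; with the slots reset it touches only the page the retry actually took.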


