Commit 97b19170 authored by Naohiro Aota, committed by David Sterba

btrfs: fix use-after-free of cmp workspace pages

btrfs_cmp_data_free() puts cmp's src_pages and dst_pages, but leaves
their page address intact. Now, if you hit "goto again" in
btrfs_extent_same_range() and hit some error in
btrfs_cmp_data_prepare(), you'll try to unlock/put already put pages.

This is a simple fix to reset the address to avoid use-after-free.

Fixes: 67b07bd4 ("Btrfs: reuse cmp workspace in EXTENT_SAME ioctl")
Signed-off-by: Naohiro Aota <naota@elisp.net>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
parent 20c5bbc6
...@@ -3327,11 +3327,13 @@ static void btrfs_cmp_data_free(struct cmp_pages *cmp) ...@@ -3327,11 +3327,13 @@ static void btrfs_cmp_data_free(struct cmp_pages *cmp)
if (pg) { if (pg) {
unlock_page(pg); unlock_page(pg);
put_page(pg); put_page(pg);
cmp->src_pages[i] = NULL;
} }
pg = cmp->dst_pages[i]; pg = cmp->dst_pages[i];
if (pg) { if (pg) {
unlock_page(pg); unlock_page(pg);
put_page(pg); put_page(pg);
cmp->dst_pages[i] = NULL;
} }
} }
} }
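Review bot: the two added lines `cmp->src_pages[i] = NULL;` and `cmp->dst_pages[i] = NULL;` sit correctly inside the `if (pg)` branches, so a second call to btrfs_cmp_data_free() on the same workspace (the "goto again" retry path described in the commit message) now skips entries that were already unlocked and put instead of touching freed pages; a one-line comment above the loop stating that the workspace is reused across retries and must therefore be left with NULL entries would make this invariant visible to the next reader, since the `if (pg)` checks alone do not explain why stale pointers would be dangerous here. The diff rendering on this page is side-by-side, so every unchanged context line appears twice; the only real changes in the hunk are the two NULL assignments.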