Btrfs: avoid possible use-after-free in clear_extent_bit()
author Li Zefan <lizf@cn.fujitsu.com>
Mon, 12 Mar 2012 08:39:48 +0000 (16:39 +0800)
committer Varun Wadekar <vwadekar@nvidia.com>
Mon, 30 Apr 2012 12:36:25 +0000 (17:36 +0530)
commit 823b4a1b3d670cadcd88b30b7044f80291393584
tree 4d7448edfcf99bbf0d4a2de22cd0e177fdb43eae
parent 14ac85b792efb27d889faba4efc395348c4d7c2b
Btrfs: avoid possible use-after-free in clear_extent_bit()

clear_extent_bit()
{
    next_node = rb_next(&state->rb_node);
    ...
    clear_state_bit(state);  <-- this may free next_node
    if (next_node) {
        state = rb_entry(next_node);
        ...
    }
}

clear_state_bit() calls merge_state() which may free the next node
of the passing extent_state, so clear_extent_bit() may end up
referencing freed memory.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
fs/btrfs/extent_io.c
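The hazard the commit message describes, and the safe iteration order, as an added C illustration that is not the kernel's code: a singly linked list stands in for the rb-tree, merge_state() frees the successor, and clear_extent_bit() reads the next node only after clear_state_bit() has run instead of caching it beforehand. Function names mirror the commit message; the list layout, the bit value and the sample ranges are constructed.

```c
#include <stdlib.h>

/* Constructed stand-in for btrfs extent_state: a sorted, singly linked
 * list of byte ranges, each carrying a bitmask of state flags. */
struct state { unsigned long start, end, bits; struct state *next; };

/* Merge s with an adjacent successor carrying the same bits; that
 * successor is unlinked and freed (the hazard the commit describes). */
static void merge_state(struct state *s)
{
    struct state *n = s->next;
    if (n && n->bits == s->bits && s->end + 1 == n->start) {
        s->end = n->end; s->next = n->next; free(n);
    }
}

static void clear_state_bit(struct state *s, unsigned long bits)
{
    s->bits &= ~bits;
    merge_state(s);            /* may free the node that followed s */
}

/* Clear bits on every range overlapping [start, end]. The successor is read only
 * after clear_state_bit() returns (the for-loop increment runs after the body),
 * so a node freed by merge_state() is never touched. Returns ranges left. */
size_t clear_extent_bit(struct state *head, unsigned long start,
                        unsigned long end, unsigned long bits)
{
    struct state *s; size_t count = 0;
    for (s = head; s && s->start <= end; s = s->next)
        if (s->end >= start)
            clear_state_bit(s, bits);
    for (s = head; s; s = s->next)
        count++;
    return count;
}

/* Constructed sample: three 4 KiB ranges. Clearing bit 1 on the first two makes
 * the second merge with and free the third. Returns 2 if the merge reached 12287. */
size_t run_sample(void)
{
    struct state *c = malloc(sizeof *c), *b = malloc(sizeof *b), *a = malloc(sizeof *a);
    *c = (struct state){ 8192, 12287, 0, NULL };
    *b = (struct state){ 4096, 8191, 1, c };
    *a = (struct state){ 0, 4095, 1, b };
    size_t left = clear_extent_bit(a, 0, 8191, 1);
    if (!a->next || a->next->end != 12287) left = 0;
    while (a) { struct state *n = a->next; free(a); a = n; }
    return left;
}
```

Had the loop stored `next = s->next` before calling clear_state_bit(), the second iteration would hold a pointer to the node merge_state() just freed, which is exactly the dangling-reference pattern the commit removes.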