commit | cdc6a3952558f00b1bc3b6401e1cf98797632fe2 | |
---|---|---|
author | Li Zefan <lizf@cn.fujitsu.com> | Mon Mar 12 16:39:48 2012 +0800 |
committer | David Sterba <dsterba@suse.cz> | Wed Apr 18 19:22:18 2012 +0200 |
tree | b97cf714429b439c6887b2fe0acf9065e1d09f1f | |
parent | 8e52acf70459020d7e9e9fda25066be4da520943 | |

Btrfs: avoid possible use-after-free in clear_extent_bit()

    clear_extent_bit()
    {
        next_node = rb_next(&state->rb_node);
        ...
        clear_state_bit(state);  <-- this may free next_node
        if (next_node) {
            state = rb_entry(next_node);
            ...
        }
    }

clear_state_bit() calls merge_state() which may free the next node
of the passing extent_state, so clear_extent_bit() may end up
referencing freed memory.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
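
The ordering hazard described in the commit message, as an added example that is not part of the commit or of the btrfs sources. It assumes a toy singly linked list in place of the rb-tree, and `struct ext`, `merge_next()`, `clear_bits()` and `run_clear()` are hypothetical names; staleness is detected by comparing node ids, so the freed node is never dereferenced.

```c
#include <stdlib.h>

/* Constructed toy model: a sorted list of extent ranges (not btrfs code). */
struct ext { int id; unsigned long start, end; unsigned bits; struct ext *next; };

static int last_freed_id = -1;  /* recorded by merge_next() so staleness can be checked safely */

static struct ext *mk(int id, unsigned long s, unsigned long e, unsigned bits, struct ext *next)
{
    struct ext *x = malloc(sizeof(*x));
    if (!x) abort();
    x->id = id; x->start = s; x->end = e; x->bits = bits; x->next = next;
    return x;
}

/* Stand-in for merge_state(): absorb an adjacent successor with equal bits and free it. */
static void merge_next(struct ext *st)
{
    struct ext *n = st->next;
    if (n && n->start == st->end + 1 && n->bits == st->bits) {
        st->end = n->end;
        st->next = n->next;
        last_freed_id = n->id;
        free(n);
    }
}

/* Stand-in for clear_state_bit(): clearing bits can make the node mergeable. */
static void clear_bits(struct ext *st, unsigned bits)
{
    st->bits &= ~bits;
    merge_next(st);
}

/* Clears a bit on the first node of a 3-node list. Reports whether a successor
 * cached before the call was freed by it, and the start of the successor that
 * is looked up after the call. Returns the end of the merged first node. */
int run_clear(int *cached_was_freed, unsigned long *next_start_after)
{
    struct ext *c = mk(3, 20, 29, 0x4, NULL);
    struct ext *b = mk(2, 10, 19, 0x1, c);
    struct ext *a = mk(1, 0, 9, 0x3, b);
    int cached_id = a->next->id;      /* the early rb_next() from the commit message */

    last_freed_id = -1;
    clear_bits(a, 0x2);               /* a: 0x3 -> 0x1, equal to b, so b is merged and freed */
    *cached_was_freed = (cached_id == last_freed_id);
    *next_start_after = a->next ? a->next->start : 0;  /* re-read after the call: node c */
    int merged_end = (int)a->end;
    free(a->next); free(a);
    return merged_end;
}
```

In this model the first node survives the merge, so reading its successor after `clear_bits()` is safe; a successor pointer saved before the call would refer to the freed node `b`.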