Btrfs: avoid possible use-after-free in clear_extent_bit() - linux

diff options

author	Li Zefan <lizf@cn.fujitsu.com>	2012-03-12 16:39:48 +0800
committer	David Sterba <dsterba@suse.cz>	2012-04-18 19:22:18 +0200
commit	cdc6a3952558f00b1bc3b6401e1cf98797632fe2 (patch)
tree	b97cf714429b439c6887b2fe0acf9065e1d09f1f /lib/mpi/mpi-gcd.c
parent	8e52acf70459020d7e9e9fda25066be4da520943 (diff)

Btrfs: avoid possible use-after-free in clear_extent_bit()

clear_extent_bit() { next_node = rb_next(&state->rb_node); ... clear_state_bit(state); <-- this may free next_node if (next_node) { state = rb_entry(next_node); ... } } clear_state_bit() calls merge_state() which may free the next node of the passing extent_state, so clear_extent_bit() may end up referencing freed memory. Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>

Diffstat (limited to 'lib/mpi/mpi-gcd.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: