From patchwork Wed May 26 15:40:02 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Mahoney <jeffm@suse.com>
X-Patchwork-Id: 102423
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter.kernel.org (8.14.3/8.14.3) with ESMTP id o4QFdsnJ008288
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Wed, 26 May 2010 15:39:54 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755239Ab0EZPjw (ORCPT
	<rfc822;patchwork-linux-btrfs@patchwork.kernel.org>);
	Wed, 26 May 2010 11:39:52 -0400
Received: from cantor.suse.de ([195.135.220.2]:47608 "EHLO mx1.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753981Ab0EZPjv (ORCPT <rfc822;linux-btrfs@vger.kernel.org>);
	Wed, 26 May 2010 11:39:51 -0400
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.221.2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.suse.de (Postfix) with ESMTP id 5B8BC93987
	for <linux-btrfs@vger.kernel.org>;
	Wed, 26 May 2010 17:39:50 +0200 (CEST)
Message-ID: <4BFD40D2.9090800@suse.com>
Date: Wed, 26 May 2010 11:40:02 -0400
From: Jeff Mahoney <jeffm@suse.com>
Organization: SUSE Labs, Novell, Inc
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1.9) Gecko/20100317 SUSE/3.0.4-1.20 Thunderbird/3.0.4
MIME-Version: 1.0
To: linux-btrfs@vger.kernel.org
Subject: [PATCH] btrfsprogs: Fix use after free in close_ctree
X-Enigmail-Version: 1.0.1
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-btrfs.vger.kernel.org>
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]);
	Wed, 26 May 2010 15:39:54 +0000 (UTC)


--- a/disk-io.c
+++ b/disk-io.c
@@ -971,13 +971,13 @@ int close_ctree(struct btrfs_root *root)
 	if (fs_info->csum_root->node)
 		free_extent_buffer(fs_info->csum_root->node);
 
-	if (root->fs_info->log_root_tree) {
-		if (root->fs_info->log_root_tree->node)
-			free_extent_buffer(root->fs_info->log_root_tree->node);
-		free(root->fs_info->log_root_tree);
+	if (fs_info->log_root_tree) {
+		if (fs_info->log_root_tree->node)
+			free_extent_buffer(fs_info->log_root_tree->node);
+		free(fs_info->log_root_tree);
 	}
 
-	close_all_devices(root->fs_info);
+	close_all_devices(fs_info);
 	extent_io_tree_cleanup(&fs_info->extent_cache);
 	extent_io_tree_cleanup(&fs_info->free_space_cache);
 	extent_io_tree_cleanup(&fs_info->block_group_cache);