On Mon, Aug 20, 2018 at 11:25:33AM +0300, Dan Carpenter wrote:
> The issue here is that btrfs_commit_transaction() frees "trans" on both
> the error and the success path. So the problem would be if
> btrfs_commit_transaction() succeeds, and then qgroup_rescan_init()
> fails. That means that "ret" is non-zero and "trans" is non-NULL and it
> leads to a use after free inside the btrfs_end_transaction() macro.
>
> Fixes: 340f1aa27f36 ("btrfs: qgroups: Move transaction management inside btrfs_quota_enable/disable")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Applied, thanks.
