Patch "btrfs: fix NULL pointer dereference from free_reloc_roots()" has been added to the 4.13-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 02 Oct 2017 14:30:04 +0200

This is a note to let you know that I've just added the patch titled

    btrfs: fix NULL pointer dereference from free_reloc_roots()

to the 4.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch
and it can be found in the queue-4.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From bb166d7207432d3c7d10c45dc052f12ba3a2121d Mon Sep 17 00:00:00 2001
From: Naohiro Aota <naohiro.aota@xxxxxxx>
Date: Fri, 25 Aug 2017 14:15:14 +0900
Subject: btrfs: fix NULL pointer dereference from free_reloc_roots()

From: Naohiro Aota <naohiro.aota@xxxxxxx>

commit bb166d7207432d3c7d10c45dc052f12ba3a2121d upstream.

__del_reloc_root should be called before freeing up reloc_root->node.
If not, calling __del_reloc_root() dereference reloc_root->node, causing
the system BUG.

Fixes: 6bdf131fac23 ("Btrfs: don't leak reloc root nodes on error")
Signed-off-by: Naohiro Aota <naohiro.aota@xxxxxxx>
Reviewed-by: Nikolay Borisov <nborisov@xxxxxxxx>
Reviewed-by: David Sterba <dsterba@xxxxxxxx>
Signed-off-by: David Sterba <dsterba@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/btrfs/relocation.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -2393,11 +2393,11 @@ void free_reloc_roots(struct list_head *
 	while (!list_empty(list)) {
 		reloc_root = list_entry(list->next, struct btrfs_root,
 					root_list);
+		__del_reloc_root(reloc_root);
 		free_extent_buffer(reloc_root->node);
 		free_extent_buffer(reloc_root->commit_root);
 		reloc_root->node = NULL;
 		reloc_root->commit_root = NULL;
-		__del_reloc_root(reloc_root);
 	}
 }
 


Patches currently in stable-queue which might be from naohiro.aota@xxxxxxx are

queue-4.13/btrfs-propagate-error-to-btrfs_cmp_data_prepare-caller.patch
queue-4.13/btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch
queue-4.13/btrfs-clear-ordered-flag-on-cleaning-up-ordered-extents.patch
queue-4.13/btrfs-finish-ordered-extent-cleaning-if-no-progress-is-found.patch






