On Fri, Aug 30, 2024 at 03:45:36PM -0700, Brennan Lamoreaux wrote:
> From: Filipe Manana <fdmanana@xxxxxxxx>
>
> commit 8e7860543a94784d744c7ce34b78a2e11beefa5c upstream.
>
> At add_ra_bio_pages() we are accessing the extent map to calculate
> 'add_size' after we dropped our reference on the extent map, resulting
> in a use-after-free. Fix this by computing 'add_size' before dropping our
> extent map reference.
>
> Reported-by: syzbot+853d80cba98ce1157ae6@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/linux-btrfs/000000000000038144061c6d18f2@xxxxxxxxxx/
> Fixes: 6a4049102055 ("btrfs: subpage: make add_ra_bio_pages() compatible")
> CC: stable@xxxxxxxxxxxxxxx # 6.1+
> Signed-off-by: Filipe Manana <fdmanana@xxxxxxxx>
> Reviewed-by: David Sterba <dsterba@xxxxxxxx>
> Signed-off-by: David Sterba <dsterba@xxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> [ Brennan: Applied to v6.1 ]
> Signed-off-by: Brennan Lamoreaux <brennan.lamoreaux@xxxxxxxxxxxx>
> ---
> fs/btrfs/compression.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Now queued up, thanks.

greg k-h
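
The ordering bug described in the quoted commit message, as an added example that is not part of the original mail or the kernel source. It is a userspace C model: `struct em_model`, `em_put()` and both `add_size_*` functions are hypothetical names, the size expression is an assumed simplification, and the final put poisons the object in place instead of freeing it so the stale read is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of a refcounted extent map; all names are hypothetical. */
struct em_model {
    uint64_t start;
    uint64_t len;
    int refs;
};

#define POISON_BYTE 0x6b /* constructed: stands in for freed-object poison */

/* Drop one reference. The last put "frees" the object by poisoning it
 * in place, so a later read returns garbage deterministically. */
static void em_put(struct em_model *em)
{
    if (--em->refs == 0)
        memset(em, POISON_BYTE, sizeof(*em));
}

static uint64_t min_u64(uint64_t a, uint64_t b) { return a < b ? a : b; }

/* Bug pattern from the commit message: size computed after the put. */
uint64_t add_size_after_put(struct em_model *em, uint64_t cur, uint64_t page_end)
{
    em_put(em);
    return min_u64(em->start + em->len, page_end + 1) - cur; /* stale read */
}

/* Fixed ordering: compute from the map first, then drop the reference. */
uint64_t add_size_before_put(struct em_model *em, uint64_t cur, uint64_t page_end)
{
    uint64_t add_size = min_u64(em->start + em->len, page_end + 1) - cur;
    em_put(em);
    return add_size;
}

int main(void)
{
    /* Constructed sample: 6 KiB extent at 0, 4 KiB page at 4096..8191. */
    struct em_model a = { 0, 6144, 1 }, b = { 0, 6144, 1 };
    printf("after put:  %llu\n", (unsigned long long)add_size_after_put(&a, 4096, 8191));
    printf("before put: %llu\n", (unsigned long long)add_size_before_put(&b, 4096, 8191));
    return 0;
}
```

With the constructed extent that ends mid-page, the stale read yields 4096 where the correct size is 2048. When another reference is still held, the same wrong ordering returns the right value, which is why this class of bug tends to show up only under fuzzing or memory debugging.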