In case the right buffer is emptied, it's first set to null and subsequently it's dereferenced to get its size to pass to root_sub_used. This naturally leads to a null pointer dereference. The correct thing to do is to pass the stashed right->len in "blocksize".
Fixes #296 Signed-off-by: Nikolay Borisov <nbori...@suse.com> --- kernel-shared/ctree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel-shared/ctree.c b/kernel-shared/ctree.c index 4cc3aebc1412..3a82286cc914 100644 --- a/kernel-shared/ctree.c +++ b/kernel-shared/ctree.c @@ -927,7 +927,7 @@ static int balance_level(struct btrfs_trans_handle *trans, if (wret) ret = wret; - root_sub_used(root, right->len); + root_sub_used(root, blocksize); wret = btrfs_free_extent(trans, root, bytenr, blocksize, 0, root->root_key.objectid, -- 2.25.1
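Review bot: the replacement `root_sub_used(root, blocksize);` is only correct because `blocksize` is captured from `right->len` before `right` is set to NULL, and that assignment lies outside the visible context of the hunk; the neighbouring `btrfs_free_extent(trans, root, bytenr, blocksize, 0, ...)` already relies on the same stashed `bytenr`/`blocksize` pair, so the two calls are now consistent. Consider adding a one-line comment above the `root_sub_used` call stating that `right` is NULL at this point and `blocksize` is the saved length, so a later reorder of the NULL assignment does not silently reintroduce the dereference.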