On Fri, Nov 23, 2018 at 06:10:15PM +0800, Pan Bian wrote:
> The function relocate_block_group calls btrfs_end_transaction to release
> trans when update_backref_cache returns 1, and then continues the loop
> body. If btrfs_block_rsv_refill fails this time, it will jump out of the
> loop and the freed trans will be accessed. This may result in a
> use-after-free bug. The patch assigns NULL to trans after trans is
> released so that it will not be accessed.
>
> Fixes: 0647bf564f1 ("Btrfs: improve forever loop when doing balance
> relocation")
>
> Signed-off-by: Pan Bian <bianpan2...@163.com>
Good catch, thanks.

Reviewed-by: David Sterba <dste...@suse.com>
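The loop shape Pan Bian describes, as an added C example that is neither the btrfs code nor the patch itself: a mock transaction handle records its release instead of being freed, so the post-loop access the patch guards against is detected rather than being undefined behaviour. The mock_* helpers, relocate_loop and the sample arrays are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Mock transaction handle: the real one is freed by btrfs_end_transaction();
 * here the release is only recorded, so the bad pattern is detectable. */
struct trans_handle { bool released; };
static struct trans_handle handle;      /* one mock handle is enough here */
static struct trans_handle *mock_start_transaction(void)
{
    handle.released = false;
    return &handle;
}
static void mock_end_transaction(struct trans_handle *t) { t->released = true; }

/* Loop shape from the patch description: refill, start a transaction, and if
 * update_backref_cache() reports 1, end it and go round again. refill_ok[i] /
 * backref_ret[i] are constructed helper results for iteration i. Returns -1
 * if the post-loop cleanup touches a released handle, 1 on refill error, 0 otherwise. */
int relocate_loop(const bool *refill_ok, const int *backref_ret, int n,
                  bool apply_fix)
{
    struct trans_handle *trans = NULL;
    int err = 0;
    for (int i = 0; i < n; i++) {
        if (!refill_ok[i]) {            /* btrfs_block_rsv_refill() failed */
            err = 1;
            break;                      /* trans may still be dangling here */
        }
        trans = mock_start_transaction();
        if (backref_ret[i] == 1) {      /* update_backref_cache() returned 1 */
            mock_end_transaction(trans);
            if (apply_fix)
                trans = NULL;           /* the one-line fix from the patch */
            continue;
        }
        mock_end_transaction(trans);    /* normal path: work done, end it */
        trans = NULL;
    }
    if (trans) {
        if (trans->released)
            return -1;                  /* ending an already-freed transaction */
        mock_end_transaction(trans);
    }
    return err;
}

/* Constructed scenario: pass 1 ends the transaction via the backref branch, pass 2 fails the refill. */
const bool sample_refill_ok[] = { true, false };
const int sample_backref_ret[] = { 1, 0 };
```

Without the fix the function reports -1 for the sample scenario (the dangling handle is touched after the loop); with it the loop simply exits with the refill error.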