Commit 41d69d4d authored Apr 16, 2025 by Filipe Manana Committed by David Sterba May 15, 2025

btrfs: exit after state split error at set_extent_bit()



If split_state() returned an error we call extent_io_tree_panic() which
will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an
uncommon and exotic scenario, then we fallthrough and hit a use after free
when calling set_state_bits() since the extent state record which the
local variable 'prealloc' points to was freed by split_state().

So jump to the label 'out' after calling extent_io_tree_panic() and set
the 'prealloc' pointer to NULL since split_state() has already freed it
when it hit an error.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

parent 67f10a10

fs/btrfs/extent-io-tree.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -1250,8 +1250,11 @@ static int set_extent_bit(struct extent_io_tree *tree, u64 start, u64 end,
		if (!prealloc)
		goto search_again;
		ret = split_state(tree, state, prealloc, end + 1);
		if (ret)
		if (ret) {
		extent_io_tree_panic(tree, state, "split", ret);
		prealloc = NULL;
		goto out;
		}

		set_state_bits(tree, prealloc, bits, changeset);
		cache_state(prealloc, cached_state);