Btrfs: fix use after free when close_ctree frees the orphan_rsv Near the end of close_ctree, we're calling btrfs_free_block_rsv to free up the orphan rsv. The problem is this call updates the space_info, which has already been freed. This adds a new __ function that directly calls kfree instead of trying to update the space infos. Signed-off-by: Chris Mason <clm@fb.com>

commit: cdfb080e1853660952db5e5332727e59427856df [log] [tgz]
author: Chris Mason <clm@fb.com> Mon Apr 06 18:17:00 2015 -0700
committer: Chris Mason <clm@fb.com> Fri Apr 10 14:07:29 2015 -0700
tree: 43c59bd16f29e6e8fb9ff045ce20a16a4275c715
parent: 1bbc621ef28462456131c035eaeb5567a1a2a2fe [diff] [blame]
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index 83051fa..10b6a75 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h

@@ -3470,6 +3470,7 @@
 					      unsigned short type);
 void btrfs_free_block_rsv(struct btrfs_root *root,
 			  struct btrfs_block_rsv *rsv);
+void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv);
 int btrfs_block_rsv_add(struct btrfs_root *root,
 			struct btrfs_block_rsv *block_rsv, u64 num_bytes,
 			enum btrfs_reserve_flush_enum flush);
commit	cdfb080e1853660952db5e5332727e59427856df	[log] [tgz]
author	Chris Mason <clm@fb.com>	Mon Apr 06 18:17:00 2015 -0700
committer	Chris Mason <clm@fb.com>	Fri Apr 10 14:07:29 2015 -0700
tree	43c59bd16f29e6e8fb9ff045ce20a16a4275c715
parent	1bbc621ef28462456131c035eaeb5567a1a2a2fe [diff] [blame]