dm btree remove: fix use after free in rebalance_children()
author Joe Thornber <ejt@redhat.com>
Wed, 24 Nov 2021 17:07:39 +0000 (12:07 -0500)
committer Mike Snitzer <snitzer@redhat.com>
Wed, 24 Nov 2021 17:07:39 +0000 (12:07 -0500)
Move dm_tm_unlock() after dm_tm_dec().

Cc: stable@vger.kernel.org
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
drivers/md/persistent-data/dm-btree-remove.c

index 70532335c7c7ed7b864c392720a89f968918b918..cb670f16e98e9a2003d6a6b7c52e83c50bb284b0 100644 (file)
@@ -423,9 +423,9 @@ static int rebalance_children(struct shadow_spine *s,
 
                memcpy(n, dm_block_data(child),
                       dm_bm_block_size(dm_tm_get_bm(info->tm)));
-               dm_tm_unlock(info->tm, child);
 
                dm_tm_dec(info->tm, dm_block_location(child));
+               dm_tm_unlock(info->tm, child);
                return 0;
        }
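Review bot: The reason the unlock must come last is not recorded anywhere: at the end of this hunk `dm_block_location(child)` is evaluated on `child`, which the removed line had already released with `dm_tm_unlock(info->tm, child)`, yet the commit message only says to move the call. A one-line comment above `dm_tm_dec()` saying that `child` must stay locked until its location has been read would help. Alternatively, reading the location into a local `dm_block_t` before unlocking would keep a later reorder from reintroducing the use after free. The blank line left between the `memcpy()` and `dm_tm_dec()` could also go, since the three calls now form one step.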