From bf3639dc625bf5b07a6f30f065fbfa1cfb349869 Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Wed, 26 Aug 2015 13:34:39 +0200
Subject: [PATCH] btrfs-progs: fix use after free in replace start

Commit "btrfs-progs: Add further checks to btrfs replace start command"
accesses device size just after its memory is freed.

Resolves-coverity-id: 1320425
Signed-off-by: David Sterba <dsterba@suse.com>
---
 cmds-replace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmds-replace.c b/cmds-replace.c
index a980305..9ab8438 100644
--- a/cmds-replace.c
+++ b/cmds-replace.c
@@ -245,13 +245,13 @@ static int cmd_replace_start(int argc, char **argv)
 		for (i = 0; i < fi_args.num_devices; i++)
 			if (start_args.start.srcdevid == di_args[i].devid)
 				break;
+		srcdev_size = di_args[i].total_bytes;
 		free(di_args);
 		if (i == fi_args.num_devices) {
 			fprintf(stderr, "Error: '%s' is not a valid devid for filesystem '%s'\n",
 				srcdev, path);
 			goto leave_with_error;
 		}
-		srcdev_size = di_args[i].total_bytes;
 	} else if (is_block_device(srcdev) > 0) {
 		strncpy((char *)start_args.start.srcdev_name, srcdev,
 			BTRFS_DEVICE_PATH_NAME_MAX);
-- 
2.7.4