Btrfs-progs: fix double free when deleting subvolumes

Wang Shilong · masoncl · commit cf822f5dbadd · 2014-01-31T08:22:29.000-08:00
Steps to reproduce: # mkfs.btrfs -f /dev/sda8 # mount /dev/sda8 /mnt # btrfs sub create /mnt/a # touch /mnt/b # btrfs sub create /mnt/c # btrfs sub delete /mnt/* Above steps will trigger following abortion: ERROR: 'b' is not a subvolume *** Error in `btrfs': double free or corruption (out): 0x0000000002116060 *** ======= Backtrace: ========= /lib64/libc.so.6[0x3fa467cef8] /lib64/libc.so.6(closedir+0xd)[0x3fa46b846d] btrfs[0x43e608] btrfs[0x40622f] btrfs[0x403d19] btrfs[0x4062c6] btrfs[0x403f68] We try to fix it by resetting @fd && @dirstream before trying next subvolume deletion. Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com> Signed-off-by: David Sterba <dsterba@suse.cz> Signed-off-by: Chris Mason <clm@fb.com>
diff --git a/cmds-subvolume.c b/cmds-subvolume.c
@@ -354,6 +354,9 @@ static int cmd_subvol_delete(int argc, char **argv)
 	cnt++;
 	if (cnt < argc) {
 		close_file_or_dir(fd, dirstream);
+		/* avoid double free */
+		fd = -1;
+		dirstream = NULL;
 		goto again;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -354,6 +354,9 @@ static int cmd_subvol_delete(int argc, char **argv)`
`354`	`354`	`cnt++;`
`355`	`355`	`if (cnt < argc) {`
`356`	`356`	`close_file_or_dir(fd, dirstream);`
	`357`	`+ /* avoid double free */`
	`358`	`+ fd = -1;`
	`359`	`+ dirstream = NULL;`
`357`	`360`	`goto again;`
`358`	`361`	`}`
`359`	`362`