From f882884358426677e17588462bf9fe237130e2b1 Mon Sep 17 00:00:00 2001 From: Rob Norris Date: Tue, 23 May 2023 10:51:29 +1000 Subject: [PATCH] btree: fix double-free in zfs_btree_remove_idx We applied 03c0ee94b to fix two use-after-free cases, backporting 13f2b8fb9 from upstream. Unfortunately that patch seems to have been misapplied, introducing a double-free in one of them. This commit fixes that. Signed-off-by: Rob Norris --- module/zfs/btree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/module/zfs/btree.c b/module/zfs/btree.c index 77cb2543e9..e32d556f64 100644 --- a/module/zfs/btree.c +++ b/module/zfs/btree.c @@ -1766,7 +1766,7 @@ zfs_btree_remove_idx(zfs_btree_t *tree, zfs_btree_index_t *where) zfs_btree_poison_node_at(tree, keep_hdr, keep_hdr->bth_count); rm_hdr->bth_count = 0; - zfs_btree_node_destroy(tree, rm_hdr); + /* Remove the emptied node from the parent. */ zfs_btree_remove_from_node(tree, parent, rm_hdr); zfs_btree_node_destroy(tree, rm_hdr);
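Review bot: The commit message describes only a double-free, but the `zfs_btree_node_destroy(tree, rm_hdr);` removed right after `rm_hdr->bth_count = 0;` also ran before `zfs_btree_remove_from_node(tree, parent, rm_hdr);`, so that call was being handed a node that had already been destroyed. Please say so in the message, and state which of the two cases touched by 03c0ee94b this is, so the backport history is clear to anyone comparing against 13f2b8fb9. It would also help to confirm in the message that the resulting order (remove the node from the parent, then destroy it once) matches upstream 13f2b8fb9 exactly, and that the other case fixed by 03c0ee94b was rechecked for the same misapplication, since only this one site is changed here.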