KDKernelDiff

commit detail

btrfs: fix use-after-free in relocation on tree-log replay

Prevents an extent buffer from being touched after teardown during tree-log replay, reducing crash and privilege-escalation risk.

a3f9c1dfs/btrfsSecurityBug fixCVE-2026-31840

Technical summary

On replay, reloc_root could be dropped while a pending extent_buffer reference remained queued. The patch reorders the put after the queue drain and adds a NULL guard.

User impact

Most users will never notice this directly, but btrfs users should treat it as an important stability and security hardening fix.

Seen in releases

Provenance

Parsed from commit/trailersAI summary

Changed files

2 files
Mfs/btrfs/relocation.cfs/btrfssource+14-6
Mfs/btrfs/tree-log.cfs/btrfssource+3-1