A slab-use-after-free read flaw was found in btrfs_search_slot in fs/btrfs/ctree.c The quota assigned ioctl can currently run in parallel with a quota disable ioctl call. The assign ioctl uses the quota root, while the disable ioctl frees that root, and therefore we can have a use-after-free triggered in the assign ioctl. Reference: https://lore.kernel.org/linux-btrfs/35b9a70650ea947387cf352914a8774b4f7e8a6f.1679481128.git.fdmanana@suse.com/
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2181346]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-1611