In btrfs_relocate_block_group(), a struct reloc_control (rc) is allocated. btrfs_relocate_block_group() then calls relocate_block_group() -> prepare_to_relocate() -> set_reloc_control(), which stores rc in fs_info->reloc_ctl. Before prepare_to_relocate() returns, it calls btrfs_commit_transaction() -> btrfs_start_dirty_block_groups() -> btrfs_alloc_path() -> kmem_cache_zalloc(), which may fail. When that allocation fails, btrfs_relocate_block_group() sees the error and frees rc, but fs_info->reloc_ctl is not reset to NULL and keeps pointing at the freed object. Later, btrfs_init_reloc_root() reads rc back from fs_info->reloc_ctl and uses it, which is a use-after-free. This bug can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). Refer: https://patchwork.kernel.org/project/linux-btrfs/patch/20220721074829.2905233-1-r33s3n6@gmail.com/
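The following is an added user-space model of the lifetime problem described above; it is illustrative code written for this entry, not btrfs source or the patch itself. Struct and function names mirror the kernel's, but the transaction machinery is reduced to a single simulated -ENOMEM from the commit, and the "fixed" flag stands in for the referenced patch, which unsets fs_info->reloc_ctl when the commit in prepare_to_relocate() fails. The model checks, right before rc is freed, whether it is still published through fs_info->reloc_ctl, which is exactly the condition that leaves a dangling pointer for btrfs_init_reloc_root() to pick up.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative stand-ins for the kernel structures (not btrfs source). */
struct reloc_control {
    int merge_reloc_tree;               /* stand-in for the real fields */
};

struct btrfs_fs_info {
    struct reloc_control *reloc_ctl;    /* the pointer left dangling by the bug */
};

struct reloc_outcome {
    int ret;                            /* error returned by the relocation */
    bool freed_while_published;         /* rc freed while fs_info->reloc_ctl == rc */
};

static void set_reloc_control(struct btrfs_fs_info *fs_info, struct reloc_control *rc)
{
    fs_info->reloc_ctl = rc;
}

static void unset_reloc_control(struct btrfs_fs_info *fs_info)
{
    fs_info->reloc_ctl = NULL;
}

/* Models btrfs_commit_transaction(): fails like the kmem_cache_zalloc() ENOMEM when asked. */
static int commit_transaction(bool fail_alloc)
{
    return fail_alloc ? -ENOMEM : 0;
}

/*
 * Models prepare_to_relocate(): publishes rc, then commits. With fixed == false
 * the error path returns without undoing the publication (the bug); with
 * fixed == true it unsets reloc_ctl first, as the referenced patch does.
 */
static int prepare_to_relocate(struct btrfs_fs_info *fs_info, struct reloc_control *rc,
                               bool fail_alloc, bool fixed)
{
    int ret;

    set_reloc_control(fs_info, rc);
    ret = commit_transaction(fail_alloc);
    if (ret && fixed)
        unset_reloc_control(fs_info);
    return ret;
}

/* Models btrfs_relocate_block_group(): allocate rc, relocate, free rc on error. */
static struct reloc_outcome relocate_block_group(struct btrfs_fs_info *fs_info,
                                                bool fail_alloc, bool fixed)
{
    struct reloc_outcome out = { 0, false };
    struct reloc_control *rc = calloc(1, sizeof(*rc));   /* kzalloc() stand-in */

    if (!rc) {
        out.ret = -ENOMEM;
        return out;
    }
    out.ret = prepare_to_relocate(fs_info, rc, fail_alloc, fixed);
    if (out.ret) {
        /* Checked before the free so the comparison is well defined:
         * is rc still reachable through fs_info when it is released? */
        out.freed_while_published = (fs_info->reloc_ctl == rc);
        free(rc);                       /* kfree(rc): with the bug, reloc_ctl now dangles */
        return out;
    }
    unset_reloc_control(fs_info);       /* success path, not exercised here */
    free(rc);
    return out;
}

/* Models the later reader (btrfs_init_reloc_root()): only safe if reloc_ctl is NULL or live. */
static int init_reloc_root(struct btrfs_fs_info *fs_info)
{
    struct reloc_control *rc = fs_info->reloc_ctl;

    if (!rc)
        return 0;                       /* no relocation in progress */
    return rc->merge_reloc_tree ? 1 : 2; /* the use-after-free when rc dangles */
}

/* Drive a failing relocation; true means rc was freed while still published. */
static bool reloc_ctl_dangles_after_failure(bool fixed)
{
    struct btrfs_fs_info fs_info = { NULL };
    struct reloc_outcome out = relocate_block_group(&fs_info, true, fixed);

    return out.ret == -ENOMEM && out.freed_while_published;
}

/* With the fix, the later reader finds reloc_ctl cleared and returns 0. */
static int read_after_fixed_failure(void)
{
    struct btrfs_fs_info fs_info = { NULL };

    (void)relocate_block_group(&fs_info, true, true);
    return init_reloc_root(&fs_info);
}

int main(void)
{
    printf("unfixed: rc freed while still published: %s\n",
           reloc_ctl_dangles_after_failure(false) ? "yes" : "no");
    printf("fixed:   rc freed while still published: %s\n",
           reloc_ctl_dangles_after_failure(true) ? "yes" : "no");
    return 0;
}
```

The model deliberately never dereferences the freed object; on the unfixed path it only reports that fs_info->reloc_ctl still referenced rc at the moment of the free, and the call to init_reloc_root() is made only on the fixed path, where the pointer has been cleared.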
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-3111