On Mon, Aug 11, 2008 at 05:57:34PM +1000, Lachlan McIlroy wrote:
> The ticket allocation code got reworked in 2.6.26 and we now free
> tickets whereas before we used to cache them so the use-after-free
> went undetected.
>
> This patch should do the trick.
>
> --- a/fs/xfs/xfs_log.c 2008-08-11 17:47:18.000000000 +1000
> +++ b/fs/xfs/xfs_log.c 2008-08-11 17:53:24.000000000 +1000
> @@ -336,15 +364,12 @@ xfs_log_done(xfs_mount_t *mp,
> } else {
> xlog_trace_loggrant(log, ticket, "xfs_log_done: (permanent)");
> xlog_regrant_reserve_log_space(log, ticket);
> - }
> -
> - /* If this ticket was a permanent reservation and we aren't
> - * trying to release it, reset the inited flags; so next time
> - * we write, a start record will be written out.
> - */
> - if ((ticket->t_flags & XLOG_TIC_PERM_RESERV) &&
> - (flags & XFS_LOG_REL_PERM_RESERV) == 0)
> + /* If this ticket was a permanent reservation and we aren't
> + * trying to release it, reset the inited flags; so next time
> + * we write, a start record will be written out.
> + */
> ticket->t_flags |= XLOG_TIC_INITED;
> + }
>
> return lsn;
> } /* xfs_log_done */
Looks sane, Lachlan. Good catch, though it makes me wonder how we
didn't hit it in debug builds with memory poisoning turned on.
Compiler optimisation, perhaps?
Cheers,
Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
|