[PATCH 3/5] xfs: Don't reference the EFI after it is freed

To: xfs@xxxxxxxxxxx
Subject: [PATCH 3/5] xfs: Don't reference the EFI after it is freed
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Fri, 17 May 2013 11:10:27 +1000
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <1368753029-9977-1-git-send-email-david@xxxxxxxxxxxxx>
References: <1368753029-9977-1-git-send-email-david@xxxxxxxxxxxxx>
From: Dave Chinner <dchinner@xxxxxxxxxx>

Checking the EFI for whether it is being released from recovery
after we've already released the known active reference is a mistake
worthy of a brown paper bag. Fix the (now) obvious use after free
that it can cause.

Reported-by: Dave Jones <davej@xxxxxxxxxx>
Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>
---
 fs/xfs/xfs_extfree_item.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c
index c0f3750..452920a 100644
--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -305,11 +305,12 @@ xfs_efi_release(xfs_efi_log_item_t        *efip,
 {
        ASSERT(atomic_read(&efip->efi_next_extent) >= nextents);
        if (atomic_sub_and_test(nextents, &efip->efi_next_extent)) {
-               __xfs_efi_release(efip);
-
                /* recovery needs us to drop the EFI reference, too */
                if (test_bit(XFS_EFI_RECOVERED, &efip->efi_flags))
                        __xfs_efi_release(efip);
+
+               __xfs_efi_release(efip);
+               /* efip may now have been freed, do not reference it again. */
        }
 }
 
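Review bot: the reordering is only safe because the caller's own reference, dropped by the now-final __xfs_efi_release(efip), keeps efip alive across the test_bit() on efip->efi_flags; that invariant is what the old order violated and it is worth stating in the comment so the ordering is not "cleaned up" back. Suggest moving the new comment to precede the last call and folding the reason in, e.g. `/* drop the recovery ref first; our own ref keeps efip alive until */` / `/* the final release below, after which efip must not be touched. */`, so a future edit cannot slip a dereference between the release and the warning.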
-- 
1.7.10.4
