On 05/19/2013 07:51 PM, Dave Chinner wrote:
> From: Dave Chinner <dchinner@xxxxxxxxxx>
>
> Checking the EFI for whether it is being released from recovery
> after we've already released the known active reference is a mistake
> worthy of a brown paper bag. Fix the (now) obvious use after free
> that it can cause.
>
> Reported-by: Dave Jones <davej@xxxxxxxxxx>
> Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>
> ---
Looks good to me.
Reviewed-by: Brian Foster <bfoster@xxxxxxxxxx>
> fs/xfs/xfs_extfree_item.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c
> index c0f3750..452920a 100644
> --- a/fs/xfs/xfs_extfree_item.c
> +++ b/fs/xfs/xfs_extfree_item.c
> @@ -305,11 +305,12 @@ xfs_efi_release(xfs_efi_log_item_t *efip,
> {
> ASSERT(atomic_read(&efip->efi_next_extent) >= nextents);
> if (atomic_sub_and_test(nextents, &efip->efi_next_extent)) {
> - __xfs_efi_release(efip);
> -
> /* recovery needs us to drop the EFI reference, too */
> if (test_bit(XFS_EFI_RECOVERED, &efip->efi_flags))
> __xfs_efi_release(efip);
> +
> + __xfs_efi_release(efip);
> + /* efip may now have been freed, do not reference it again. */
> }
> }
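Review bot: the new ordering is correct only because the reference dropped under `test_bit(XFS_EFI_RECOVERED, &efip->efi_flags)` is never the last one, so `efip` is still valid when the second `__xfs_efi_release(efip)` runs; the `+ /* efip may now have been freed, do not reference it again. */` comment covers the final drop, but it would help a later reader if the recovery-branch comment also said that this drop is the extra recovery reference and cannot free the item, since the flag read that preceded it is exactly the use after free being fixed.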