
[PATCH 1/2] xfs: fix double free on error when cleaning log items

To: xfs@xxxxxxxxxxx
Subject: [PATCH 1/2] xfs: fix double free on error when cleaning log items
From: Mark Tinguely <tinguely@xxxxxxx>
Date: Fri, 06 Dec 2013 15:20:28 -0600
Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
References: <20131206212027.846346746@xxxxxxx>
User-agent: quilt/0.51-1
Commit 2a84108 cleans the remaining pending log item entries
when log recovery fails. Unfortunately, the cleaning call was
not removed from the error path in xlog_recover_commit_trans.
This can result in a use after free and a second free of the
transaction structure when the cleaning is done in
xlog_recover_process_data.

Now the log item entry cleaning in xlog_recover_commit_trans
is only performed for the non-error case.

Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Mark Tinguely <tinguely@xxxxxxx>
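The ownership rule the patch establishes (the callee frees the transaction only when everything succeeded; on any error the caller cleans up) can be checked in isolation. The following is an added, stand-alone model and is not code from the patch or from the XFS code base: `model_trans`, `free_trans`, `commit_trans_buggy`, `commit_trans_fixed` and `process_data` are hypothetical stand-ins for `xlog_recover_trans`, `xlog_recover_free_trans`, `xlog_recover_commit_trans` and `xlog_recover_process_data`, and a free counter replaces a real `kfree()` so the double free is observable rather than undefined behaviour.

```c
/* Added example: models the transaction ownership contract from the patch.
 * All names here are hypothetical stand-ins, not the XFS identifiers. */
#include <string.h>

/* Simplified stand-in for xlog_recover_trans. Instead of releasing memory,
 * free_trans() counts releases, so a second free shows up as freed == 2. */
struct model_trans {
    int freed;   /* number of times free_trans() was called on this object */
};

static void free_trans(struct model_trans *trans)
{
    trans->freed++;
}

/* Before the patch: the callee frees unconditionally and then reports the
 * error, so a caller that also cleans up on error frees the object twice.
 * 'error' models the item-processing result, 'error2' the delwri submit. */
static int commit_trans_buggy(struct model_trans *trans, int error, int error2)
{
    free_trans(trans);
    return error ? error : error2;
}

/* After the patch: free only when both steps succeeded; on any nonzero
 * return the caller owns the cleanup. */
static int commit_trans_fixed(struct model_trans *trans, int error, int error2)
{
    if (!error && !error2)
        free_trans(trans);
    return error ? error : error2;
}

/* Stand-in for the caller after commit 2a84108: it frees the transaction
 * itself whenever the commit reports an error. Returns how many times the
 * transaction ended up being freed (1 is correct, 2 is a double free). */
static int process_data(int (*commit)(struct model_trans *, int, int),
                        int error, int error2)
{
    struct model_trans trans;
    int ret;

    memset(&trans, 0, sizeof(trans));
    ret = commit(&trans, error, error2);
    if (ret)
        free_trans(&trans);   /* error-path cleanup owned by the caller */
    return trans.freed;
}

int main(void)
{
    /* Buggy callee plus cleaning caller: freed twice on the error path. */
    int double_free = process_data(commit_trans_buggy, -5, 0);
    /* Fixed callee: exactly one free on every path. */
    int ok_err  = process_data(commit_trans_fixed, -5, 0);
    int ok_err2 = process_data(commit_trans_fixed, 0, -5);
    int ok_good = process_data(commit_trans_fixed, 0, 0);
    return (double_free == 2 && ok_err == 1 && ok_err2 == 1 && ok_good == 1) ? 0 : 1;
}
```

The `error2` case is the one worth keeping in mind when reading the patch: the delwri submit can fail after the items were processed cleanly, and the conditional covers that path as well, because the function returns `error2` and the caller treats any nonzero return as the error path.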
---
 fs/xfs/xfs_log_recover.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Index: b/fs/xfs/xfs_log_recover.c
===================================================================
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3509,9 +3509,10 @@ out:
        if (!list_empty(&done_list))
                list_splice_init(&done_list, &trans->r_itemq);
 
-       xlog_recover_free_trans(trans);
-
        error2 = xfs_buf_delwri_submit(&buffer_list);
+       /* caller will free transactions in the error path */
+       if (!error && !error2)
+               xlog_recover_free_trans(trans);
        return error ? error : error2;
 }
 
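Review bot: the comment "caller will free transactions in the error path" undersells the condition it guards: `if (!error && !error2)` also skips the free when `xfs_buf_delwri_submit` fails while `error` is zero, and the function then returns `error2`, so the caller's error-path cleanup has to handle that case as well. Suggest wording the comment to cover both failure sources, e.g. `/* on any error (ours or delwri submit) the caller frees the transaction */`, so the ownership rule is explicit for a reader who only sees this function.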

