xfs
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [PATCH] xfsprogs: fix use after free in inode_item_done()

from [Christoph Hellwig] [Permanent Link][Original]
To: Eric Sandeen <sandeen@xxxxxxxxxx>
Subject: Re: [PATCH] xfsprogs: fix use after free in inode_item_done()
From: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Date: Wed, 5 Mar 2014 09:02:56 -0800
Cc: xfs-oss <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <5314E912.9080708@xxxxxxxxxx>
References: <5314E912.9080708@xxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15) 
On Mon, Mar 03, 2014 at 02:41:54PM -0600, Eric Sandeen wrote:
> Commit "3a19fb7 libxfs: stop caching inode structures"
> introduced a use after free.

I see the use after free, but I don't see how I would have introduced it
in that commit.  Before that libxfs_iput already was freeing the inode
through the cache code, now we do it directly.

> @@ -739,12 +738,6 @@ ili_done:
>       } else {
>               libxfs_iput(ip, 0);
>       }
> -
> -     if (ip->i_itemp)
> -             kmem_zone_free(xfs_ili_zone, ip->i_itemp);
> -     else
> -             ASSERT(0);
> -     ip->i_itemp = NULL;
>  }

Seems like inode_item_done should call into inode_item_unlock, which
factors the exact sequence we want into a nice helper.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [PATCH 2/2] xfs: use NOIO contexts for vm_map_ram, Christoph Hellwig
Next by Date:  Re: [PATCH 1/2] xfs: xfs_check_page_type buffer checks need help, Christoph Hellwig
Previous by Thread:  Re: [PATCH V2] xfsprogs: fix use after free in inode_item_done(), Dave Chinner
Next by Thread:  Re: [PATCH] xfsprogs: fix use after free in inode_item_done(), Eric Sandeen
Indexes:  [Date] [Thread] [Top] [All Lists]