| To: | Christoph Hellwig <hch@xxxxxxxxxxxxx>, Eric Sandeen <sandeen@xxxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] xfsprogs: fix use after free in inode_item_done() |
| From: | Eric Sandeen <sandeen@xxxxxxxxxx> |
| Date: | Wed, 05 Mar 2014 16:40:55 -0600 |
| Cc: | xfs-oss <xfs@xxxxxxxxxxx> |
| Delivered-to: | xfs@xxxxxxxxxxx |
| In-reply-to: | <20140305223612.GA25639@xxxxxxxxxxxxx> |
| References: | <5314E912.9080708@xxxxxxxxxx> <20140305170256.GB11667@xxxxxxxxxxxxx> <53175C97.2050408@xxxxxxxxxxx> <20140305223612.GA25639@xxxxxxxxxxxxx> |
| User-agent: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 |
On 3/5/14, 4:36 PM, Christoph Hellwig wrote:
> On Wed, Mar 05, 2014 at 11:19:19AM -0600, Eric Sandeen wrote:
>> Yeah, that does seem better! Thanks for spotting that.
>>
>> The difference when calling inode_item_unlock is a bit more zeroing-out:
>>
>> ip->i_transp = NULL;
>>
>> iip->ili_flags = 0;
>>
>> I'm not sure of the implications of that offhand, TBH.
>>
>> Dave, hold off on my commit I guess ;)
>
> i_transp nulling is obviously harmless as we are freeing the inode
> right after.
Not in all cases, right?

```c
static void
inode_item_unlock(
	xfs_inode_log_item_t	*iip)
{
	xfs_inode_t		*ip = iip->ili_inode;

	/* Clear the transaction pointer in the inode. */
	ip->i_transp = NULL;

	iip->ili_flags = 0;
	if (!iip->ili_lock_flags)
		libxfs_iput(ip, 0);
	else
		iip->ili_lock_flags = 0;	// <-- not here.
}
```
> ili_flags is always 0 in libxfs and we might as well just remove it.
>
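An added example, not code from the thread or from xfsprogs: a minimal model of the `inode_item_unlock()` ordering discussed above, showing that the inode is only released in the `!ili_lock_flags` branch, so the zeroing must happen before `libxfs_iput()` (which may free the inode) and is still observable afterwards in the other branch. The struct layouts, the refcount field and the `libxfs_iput()` stand-in are simplified assumptions, not the real libxfs definitions.

```c
/* Added example (not xfsprogs code): simplified stand-ins for libxfs types. */
#include <stdlib.h>

typedef struct xfs_inode {
	void *i_transp;    /* owning transaction, cleared on unlock */
	int   i_refcount;  /* constructed: stands in for libxfs reference counting */
} xfs_inode_t;

typedef struct xfs_inode_log_item {
	xfs_inode_t *ili_inode;
	unsigned int ili_flags;
	unsigned int ili_lock_flags;
} xfs_inode_log_item_t;

static int inodes_freed;  /* lets callers learn about a free without touching freed memory */

/* Stand-in for libxfs_iput(): drop a reference, free the inode at zero. */
static void libxfs_iput(xfs_inode_t *ip, unsigned int lock_flags)
{
	(void)lock_flags;
	if (--ip->i_refcount == 0) {
		free(ip);
		inodes_freed++;
	}
}

/* Same shape as the function quoted in the mail: every access to ip
 * precedes the iput that may free it; the else branch leaves ip alive. */
static void inode_item_unlock(xfs_inode_log_item_t *iip)
{
	xfs_inode_t *ip = iip->ili_inode;

	ip->i_transp = NULL;
	iip->ili_flags = 0;
	if (!iip->ili_lock_flags)
		libxfs_iput(ip, 0);
	else
		iip->ili_lock_flags = 0;
}

/* Returns 1 if unlock released the last reference (inode gone),
 * 0 if the inode survived with its fields cleared, -1 on error. */
int unlock_scenario(unsigned int lock_flags)
{
	int before = inodes_freed;
	xfs_inode_t *ip = calloc(1, sizeof(*ip));
	if (!ip)
		return -1;
	xfs_inode_log_item_t iip = { ip, 1, lock_flags };
	ip->i_refcount = 1;
	ip->i_transp = &iip;  /* constructed: pretend a transaction owns the inode */
	inode_item_unlock(&iip);
	if (inodes_freed != before)
		return 1;  /* ip is dangling now; never dereference it */
	int ok = ip->i_transp == NULL && iip.ili_flags == 0 && iip.ili_lock_flags == 0;
	free(ip);
	return ok ? 0 : -1;
}
```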