
[PATCH 3/4] xfs: fix double free in xlog_recover_commit_trans

To: xfs@xxxxxxxxxxx
Subject: [PATCH 3/4] xfs: fix double free in xlog_recover_commit_trans
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Tue, 26 Aug 2014 11:21:40 +1000
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <1409016101-9511-1-git-send-email-david@xxxxxxxxxxxxx>
References: <1409016101-9511-1-git-send-email-david@xxxxxxxxxxxxx>
From: Dave Chinner <dchinner@xxxxxxxxxx>

When an error occurs during buffer submission in
xlog_recover_commit_trans(), we free the trans structure twice. Fix
it by only freeing the structure in the caller regardless of the
success or failure of the function.

Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>
---
 fs/xfs/xfs_log_recover.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 460cf98..23895d5 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3524,8 +3524,6 @@ out:
        if (!list_empty(&done_list))
                list_splice_init(&done_list, &trans->r_itemq);
 
-       xlog_recover_free_trans(trans);
-
        error2 = xfs_buf_delwri_submit(&buffer_list);
        return error ? error : error2;
 }
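Review bot: Missing documentation at the `out:` label in xlog_recover_commit_trans(): once `xlog_recover_free_trans(trans);` is removed here, nothing in this function says that the caller owns and frees trans. The only statement of that rule is the comment added in xlog_recovery_process_ophdr(). Add a line to this function's header comment (or at `out:`) stating that trans is never freed here, and check every caller of xlog_recover_commit_trans(), since a caller that relied on the old behaviour would now leak the structure.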
@@ -3571,6 +3569,11 @@ xlog_recovery_process_ophdr(
        if (flags & XLOG_WAS_CONT_TRANS)
                flags &= ~XLOG_CONTINUE_TRANS;
 
+       /*
+        * Callees must not free the trans structure. We own it, so we'll decide
+        * if we need to free it or not based on the operation being done and
+        * it's result.
+        */
        switch (flags) {
        /* expected flag values */
        case 0:
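Review bot: Style point in the new comment above `switch (flags)`: "it's result" should be "its result". The comment could also name which cases free trans, since "we'll decide if we need to free it or not" leaves the reader to find the one `xlog_recover_free_trans(trans)` call in the switch to learn the actual rule.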
@@ -3582,7 +3585,8 @@ xlog_recovery_process_ophdr(
                break;
        case XLOG_COMMIT_TRANS:
                error = xlog_recover_commit_trans(log, trans, pass);
-               break;
+               xlog_recover_free_trans(trans);
+               return error;
 
        /* unexpected flag values */
        case XLOG_UNMOUNT_TRANS:
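Review bot: The XLOG_COMMIT_TRANS case now leaves the function with `return error;` right after `xlog_recover_free_trans(trans);`, while the cases above it still use `break`. Confirm that nothing after the switch needs to run for the commit case, and that no other reference to trans remains reachable once it is freed here; neither is visible in this hunk, and a leftover reference would trade the double free for a use-after-free. If the code after the switch is only a `return error;`, keeping `break` after the free would leave a single exit path and a smaller diff.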
-- 
2.0.0
