| To: | "'linux-xfs@xxxxxxxxxxx'" <linux-xfs@xxxxxxxxxxx> |
|---|---|
| Subject: | [PATCH] xfs: avoid double-free in xfs_attr_node_addname |
| From: | Eric Sandeen <sandeen@xxxxxxxxxx> |
| Date: | Wed, 31 Jul 2013 20:18:54 -0500 |
| Delivered-to: | linux-xfs@xxxxxxxxxxx |
| User-agent: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 |
xfs_attr_node_addname()'s error handling tests whether it
should free "state" in the out: error handling label:
out:
if (state)
xfs_da_state_free(state);
but an earlier free doesn't set state to NULL afterwards; this
could lead to a double free. Fix it by setting state to NULL
after it's freed.
This was found by Coverity.
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---
Note: Exact same patch should hit xfsprogs - I could send another,
or maybe SGI can just apply it in both trees?
Thanks,
-Eric
diff --git a/fs/xfs/xfs_attr.c b/fs/xfs/xfs_attr.c
index 20fe3fe..aaff8a9 100644
--- a/fs/xfs/xfs_attr.c
+++ b/fs/xfs/xfs_attr.c
@@ -1260,6 +1260,7 @@ restart:
* have been a b-tree.
*/
xfs_da_state_free(state);
+ state = NULL;
xfs_bmap_init(args->flist, args->firstblock);
error = xfs_attr3_leaf_to_node(args);
if (!error) {
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [PATCH 2/3] xfs: Implement FALLOC_FL_COLLAPSE_RANGE, Dave Chinner |
|---|---|
| Next by Date: | [PATCH] xfs: free bp in xlog_find_zeroed() error path, Eric Sandeen |
| Previous by Thread: | [PATCH] xfsprogs: fix unint var in repair phase6, Eric Sandeen |
| Next by Thread: | [PATCH] xfs: free bp in xlog_find_zeroed() error path, Eric Sandeen |
| Indexes: | [Date] [Thread] [Top] [All Lists] |