[PATCH] xfsprogs: fix use after free in inode_item_done()
Christoph Hellwig
hch at infradead.org
Wed Mar 5 11:02:56 CST 2014
On Mon, Mar 03, 2014 at 02:41:54PM -0600, Eric Sandeen wrote:
> Commit "3a19fb7 libxfs: stop caching inode structures"
> introduced a use after free.
I see the use after free, but I don't see how I would have introduced it
in that commit. Before that libxfs_iput already was freeing the inode
through the cache code, now we do it directly.
> @@ -739,12 +738,6 @@ ili_done:
> } else {
> libxfs_iput(ip, 0);
> }
> -
> - if (ip->i_itemp)
> - kmem_zone_free(xfs_ili_zone, ip->i_itemp);
> - else
> - ASSERT(0);
> - ip->i_itemp = NULL;
> }
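Review bot: dropping the `kmem_zone_free(xfs_ili_zone, ip->i_itemp)` that followed `libxfs_iput(ip, 0)` removes the read of `ip->i_itemp` after `libxfs_iput()` has released the inode, which is the use after free, but the hunk adds no replacement for that free, so unless the log item is already released on the path that frees the inode (or inode_item_done is changed to call inode_item_unlock, as proposed in the reply) the patch trades the use after free for a leak of `i_itemp`. Whichever path releases it, the free has to run before the `libxfs_iput()` call while `ip` is still valid, and it would be worth keeping the `ASSERT` that `i_itemp` is non-NULL at that point rather than silently losing the sanity check.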
Seems like inode_item_done should call into inode_item_unlock, which
factors the exact sequence we want into a nice helper.