[PATCH] xfs: fix buffer use after free on IO error
Christoph Hellwig
hch at infradead.org
Tue Mar 25 08:17:05 CDT 2014
> On Fri, Mar 21, 2014 at 09:48:50PM -0500, Eric Sandeen wrote:
> > + /*
> > + * If _xfs_buf_ioapply failed, we'll get back here with
> > + * only the reference we took above. _xfs_buf_ioend will
> > + * drop it to zero, so we'd better not queue it for later,
> > + * or we'll free it before it's done.
> > + */
> > + _xfs_buf_ioend(bp, bp->b_error ? 0 : 1);
> >
>
> Out of curiosity, is there any major reason we don't use 0 here
> unconditionally? Are we worried about I/O completing before we have a
> chance to decrement the reference?
I think this should unconditionally avoid the schedule, and while we're
at it we should kill _xfs_buf_ioend and opencode it here and at the
other callsite.
Also atomic_dec_and_test really just returns true/false - there should
ne no need for the explicit == 1 in the conditional.
More information about the xfs
mailing list