[PATCH] xfs: fix buffer use after free on IO error
Eric Sandeen
sandeen at sandeen.net
Tue Mar 25 11:05:04 CDT 2014
On 3/25/14, 6:17 AM, Christoph Hellwig wrote:
>> On Fri, Mar 21, 2014 at 09:48:50PM -0500, Eric Sandeen wrote:
>>> + /*
>>> + * If _xfs_buf_ioapply failed, we'll get back here with
>>> + * only the reference we took above. _xfs_buf_ioend will
>>> + * drop it to zero, so we'd better not queue it for later,
>>> + * or we'll free it before it's done.
>>> + */
>>> + _xfs_buf_ioend(bp, bp->b_error ? 0 : 1);
>>>
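Review bot: the new comment explains why the error path must not queue the completion (the submit reference is the only one left and _xfs_buf_ioend drops it), but it does not say what keeps the buffer alive when `schedule` is 1 on the success path, where the same reference is dropped; either document which other reference covers the queued work in that case, or pass 0 unconditionally so the comment and the call agree.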
>>
>> Out of curiosity, is there any major reason we don't use 0 here
>> unconditionally? Are we worried about I/O completing before we have a
>> chance to decrement the reference?
>
> I think this should unconditionally avoid the schedule, and while we're
> at it we should kill _xfs_buf_ioend and opencode it here and at the
> other callsite.
And then remove the flag from xfs_buf_ioend which is always 0 at that
point ...
> Also atomic_dec_and_test really just returns true/false - there should
> be no need for the explicit == 1 in the conditional.
Yeah I have a patch to do that as well; I wanted to separate the
bugfix from the more invasive cleanup, though - and I wanted to
get the fix out for review sooner.
But yeah, I was unsure about whether or not to schedule at all here.
We come here from a lot of callsites and I'm honestly not sure what
the implications are yet.
-Eric
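To make the hazard the thread is discussing concrete, here is a small constructed model in C (added here; it is not XFS code and none of the names are XFS identifiers). It mirrors the shape of the hunk: a submit path takes one reference, the apply step fails so no I/O is in flight, and an ioend either runs the completion immediately or queues it before dropping that reference. A `freed` flag stands in for the memory actually being returned to the allocator, so the example can report the use after free instead of triggering one.

```c
/*
 * Constructed model (not XFS code) of the hazard discussed in the thread:
 * deferring a completion that touches a buffer is only safe while some
 * reference other than the one being dropped keeps the buffer alive.
 */
#include <stddef.h>

struct buf {
    int refcount;
    int error;
    int freed;      /* stand-in for the memory being returned to the allocator */
    int completed;  /* set by the completion handler */
};

static struct buf *pending_work;   /* one-slot stand-in for the workqueue */

static void buf_hold(struct buf *bp)
{
    bp->refcount++;
}

/* Like atomic_dec_and_test(): true when the count reaches zero. */
static int buf_rele(struct buf *bp)
{
    if (--bp->refcount == 0) {
        bp->freed = 1;     /* the real free would happen here */
        return 1;
    }
    return 0;
}

/* Completion handler. Returns 1 if it was run on an already-freed buffer. */
static int buf_complete(struct buf *bp)
{
    if (bp->freed)
        return 1;
    bp->completed = 1;
    return 0;
}

/* ioend: run the completion now or queue it, then drop the caller's reference. */
static void buf_ioend(struct buf *bp, int schedule)
{
    if (schedule)
        pending_work = bp;
    else
        buf_complete(bp);
    buf_rele(bp);
}

/* Runs whatever the "workqueue" holds; returns 1 on use after free. */
static int run_pending_work(void)
{
    int uaf = 0;

    if (pending_work) {
        uaf = buf_complete(pending_work);
        pending_work = NULL;
    }
    return uaf;
}

/*
 * The apply-failed path: the submit reference is normally the only one.
 * extra_holders models other references that still keep the buffer alive.
 * Returns 1 if the deferred completion ran on freed memory, 0 otherwise.
 */
int ioend_after_apply_failure(int schedule, int extra_holders)
{
    struct buf b = {0};
    int i;

    pending_work = NULL;
    buf_hold(&b);                 /* the reference taken on the submit path */
    for (i = 0; i < extra_holders; i++)
        buf_hold(&b);
    b.error = 1;                  /* the apply step failed: no I/O in flight */

    buf_ioend(&b, schedule);      /* drops the submit reference */
    return run_pending_work();    /* the deferred work runs later, if queued */
}
```

Calling `ioend_after_apply_failure(1, 0)` reproduces the bug: the completion is queued, the only reference is dropped, and the queued work then runs on a freed buffer. `ioend_after_apply_failure(0, 0)` is the fix from the hunk (run the completion before the drop), and `ioend_after_apply_failure(1, 1)` shows that deferral is only safe when some other holder keeps the buffer alive, which is the question the thread raises about the success path.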