Commit 509e708a8929c5b75a16c985c03db5329e09cad4
Committed by
Ben Myers
Ben Myers
1 parent
7031d0e1c4
Exists in
smarc-l5.0.0_1.0.0-ga
and in
5 other branches
xfs: Don't reference the EFI after it is freed
Checking the EFI for whether it is being released from recovery after we've already released the known active reference is a mistake worthy of a brown paper bag. Fix the (now) obvious use after free that it can cause. Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Ben Myers <bpm@sgi.com> (cherry picked from commit 52c24ad39ff02d7bd73c92eb0c926fb44984a41d)
Showing 1 changed file with 3 additions and 2 deletions Side-by-side Diff
fs/xfs/xfs_extfree_item.c
| ... | ... | @@ -305,11 +305,12 @@ |
| 305 | 305 | { |
| 306 | 306 | ASSERT(atomic_read(&efip->efi_next_extent) >= nextents); |
| 307 | 307 | if (atomic_sub_and_test(nextents, &efip->efi_next_extent)) { |
| 308 | - __xfs_efi_release(efip); | |
| 309 | - | |
| 310 | 308 | /* recovery needs us to drop the EFI reference, too */ |
| 311 | 309 | if (test_bit(XFS_EFI_RECOVERED, &efip->efi_flags)) |
| 312 | 310 | __xfs_efi_release(efip); |
| 311 | + | |
| 312 | + __xfs_efi_release(efip); | |
| 313 | + /* efip may now have been freed, do not reference it again. */ | |
| 313 | 314 | } |
| 314 | 315 | } |
| 315 | 316 |