authorChristoph Hellwig <hch@lst.de>2023-12-28 07:24:09 +0000
committerChandan Babu R <chandanbabu@kernel.org>2023-12-29 13:37:05 +0530
commit4f6ac47b55e3ce6e982807928d6074ec105ab66e (patch)
treed717c5d4573530f46e68cd55bea5a5e700f831d4
parent378b6aef9de0f7c3d0de309ecc61c11eb29e57da (diff)
xfs: fix a use after free in xfs_defer_finish_recovery
dfp will be freed by ->recover_work and thus the tracepoint in case of an error can lead to a use after free. Store the defer ops in a local variable to avoid that. Fixes: 7f2f7531e0d4 ("xfs: store an ops pointer in struct xfs_defer_pending") Reported-by: kernel test robot <oliver.sang@intel.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: "Darrick J. Wong" <djwong@kernel.org> Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
-rw-r--r--fs/xfs/libxfs/xfs_defer.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c
index ca7f0ac04896..75c5b3a2c2cb 100644
--- a/fs/xfs/libxfs/xfs_defer.c
+++ b/fs/xfs/libxfs/xfs_defer.c
@@ -915,12 +915,14 @@ xfs_defer_finish_recovery(
struct xfs_defer_pending *dfp,
struct list_head *capture_list)
{
+ const struct xfs_defer_op_type *ops = dfp->dfp_ops;
int error;
- error = dfp->dfp_ops->recover_work(dfp, capture_list);
+ /* dfp is freed by recover_work and must not be accessed afterwards */
+ error = ops->recover_work(dfp, capture_list);
if (error)
trace_xlog_intent_recovery_failed(mp, error,
- dfp->dfp_ops->recover_work);
+ ops->recover_work);
return error;
}
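Review bot: The lifetime rule is recorded only in the comment above `ops->recover_work(dfp, capture_list)`, so any other code that invokes the callback has nothing to warn it that `dfp` may already be gone when the call returns. I would state the contract once where the `recover_work` member is declared (that declaration is outside this hunk), for example `/* may free dfp before returning, on success or error; callers must not dereference dfp afterwards */`. The comment here says dfp "is freed", but the hunk does not show whether that holds on every return path; "may be freed" is the safer wording unless the callback guarantees it. The function's signature starts above the hunk, so `mp` in the tracepoint call is assumed to be a parameter that does not depend on `dfp`.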