diff options
| author | Darrick J. Wong <djwong@kernel.org> | 2023-11-22 10:47:10 -0800 |
|---|---|---|
| committer | Darrick J. Wong <djwong@kernel.org> | 2023-12-06 18:45:14 -0800 |
| commit | deb4cd8ba87f17b12c72b3827820d9c703e9fd95 (patch) | |
| tree | 98a85e6dca65337a4ce0ce7b9e30d71094cdda1a /fs/xfs/libxfs/xfs_log_recover.h | |
| parent | a050acdfa8003a44eae4558fddafc7afb1aef458 (diff) | |
| download | linux-deb4cd8ba87f17b12c72b3827820d9c703e9fd95.tar.gz linux-deb4cd8ba87f17b12c72b3827820d9c703e9fd95.tar.bz2 linux-deb4cd8ba87f17b12c72b3827820d9c703e9fd95.zip | |
xfs: transfer recovered intent item ownership in ->iop_recover
Now that we pass the xfs_defer_pending object into the intent item
recovery functions, we know exactly when ownership of the sole refcount
passes from the recovery context to the intent done item. At that
point, we need to null out dfp_intent so that the recovery mechanism
won't release it. This should fix the UAF problem reported by Long Li.
Note that we still want to recreate the full deferred work state. That
will be addressed in the next patches.
Fixes: 2e76f188fd90 ("xfs: cancel intents immediately if process_intents fails")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to 'fs/xfs/libxfs/xfs_log_recover.h')
| -rw-r--r-- | fs/xfs/libxfs/xfs_log_recover.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/xfs/libxfs/xfs_log_recover.h b/fs/xfs/libxfs/xfs_log_recover.h index 271a4ce7375c..13583df9f239 100644 --- a/fs/xfs/libxfs/xfs_log_recover.h +++ b/fs/xfs/libxfs/xfs_log_recover.h @@ -155,5 +155,7 @@ xlog_recover_resv(const struct xfs_trans_res *r) void xlog_recover_intent_item(struct xlog *log, struct xfs_log_item *lip, xfs_lsn_t lsn, unsigned int dfp_type); +void xlog_recover_transfer_intent(struct xfs_trans *tp, + struct xfs_defer_pending *dfp); #endif /* __XFS_LOG_RECOVER_H__ */ |