author | Christoph Hellwig <hch@lst.de> | 2023-12-28 07:24:09 +0000 |
---|---|---|
committer | Chandan Babu R <chandanbabu@kernel.org> | 2023-12-29 13:37:05 +0530 |
commit | 4f6ac47b55e3ce6e982807928d6074ec105ab66e (patch) | |
tree | d717c5d4573530f46e68cd55bea5a5e700f831d4 /fs/xfs | |
parent | 378b6aef9de0f7c3d0de309ecc61c11eb29e57da (diff) | |
xfs: fix a use after free in xfs_defer_finish_recovery
dfp will be freed by ->recover_work and thus the tracepoint in case
of an error can lead to a use after free.
Store the defer ops in a local variable to avoid that.
Fixes: 7f2f7531e0d4 ("xfs: store an ops pointer in struct xfs_defer_pending")
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
Diffstat (limited to 'fs/xfs')
-rw-r--r-- | fs/xfs/libxfs/xfs_defer.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c index ca7f0ac04896..75c5b3a2c2cb 100644 --- a/fs/xfs/libxfs/xfs_defer.c +++ b/fs/xfs/libxfs/xfs_defer.c @@ -915,12 +915,14 @@ xfs_defer_finish_recovery( struct xfs_defer_pending *dfp, struct list_head *capture_list) { + const struct xfs_defer_op_type *ops = dfp->dfp_ops; int error; - error = dfp->dfp_ops->recover_work(dfp, capture_list); + /* dfp is freed by recover_work and must not be accessed afterwards */ + error = ops->recover_work(dfp, capture_list); if (error) trace_xlog_intent_recovery_failed(mp, error, - dfp->dfp_ops->recover_work); + ops->recover_work); return error; } |
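Review bot: the new comment above the ops->recover_work() call in xfs_defer_finish_recovery says dfp is freed by recover_work, but it does not say whether that holds on the success path as well as the error path, and nothing at the function header tells callers that the dfp they passed in is gone once this function returns. The caller still holds that pointer, so I would state the ownership transfer in a comment above the function (something like "consumes dfp: ->recover_work frees it, callers must not touch it after this returns") and keep the one-line reminder at the call site. Caching dfp->dfp_ops in the const local ops before the call looks right for the tracepoint, which now only reads ops->recover_work and never dereferences dfp after the call.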