
Commit c6a7b0f8 authored by Lachlan McIlroy, committed by Lachlan McIlroy

[XFS] Fix use after free in xfs_log_done().



The ticket allocation code got reworked in 2.6.26 and we now free tickets
whereas before we used to cache them so the use-after-free went
undetected.

SGI-PV: 985525

SGI-Modid: xfs-linux-melb:xfs-kern:31877a

Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: David Chinner <david@fromorbit.com>
parent c94312de
+5 −8
@@ -336,15 +336,12 @@ xfs_log_done(xfs_mount_t *mp,
	} else {
		xlog_trace_loggrant(log, ticket, "xfs_log_done: (permanent)");
		xlog_regrant_reserve_log_space(log, ticket);
	}

		/* If this ticket was a permanent reservation and we aren't
		 * trying to release it, reset the inited flags; so next time
		 * we write, a start record will be written out.
		 */
	if ((ticket->t_flags & XLOG_TIC_PERM_RESERV) &&
	    (flags & XFS_LOG_REL_PERM_RESERV) == 0)
		ticket->t_flags |= XLOG_TIC_INITED;
	}

	return lsn;
}	/* xfs_log_done */
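
Review bot: The comment above the `ticket->t_flags |= XLOG_TIC_INITED;` reset, at the indentation of the `else` (permanent) branch, explains why the flag is reset but not why the reset has to live inside that branch. Since the commit message says tickets are now freed rather than cached, add a sentence to that comment stating that `ticket` must not be dereferenced once the other branch (not shown in this hunk) has run, so a later cleanup does not hoist the reset back below the `if`/`else`. The commit message would also be easier to audit if it named the access that touched the freed ticket, presumably the function-level `if ((ticket->t_flags & XLOG_TIC_PERM_RESERV) && ...)` test that follows the closing brace of the `else`, because the hunk by itself does not show where the ticket is released.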