Commit 509e708a authored May 20, 2013 by Dave Chinner Committed by Ben Myers May 24, 2013

xfs: Don't reference the EFI after it is freed



Checking the EFI for whether it is being released from recovery
after we've already released the known active reference is a mistake
worthy of a brown paper bag. Fix the (now) obvious use after free
that it can cause.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Ben Myers <bpm@sgi.com>

(cherry picked from commit 52c24ad3)

parent 7031d0e1

fs/xfs/xfs_extfree_item.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -305,11 +305,12 @@ xfs_efi_release(xfs_efi_log_item_t *efip,
		{
		ASSERT(atomic_read(&efip->efi_next_extent) >= nextents);
		if (atomic_sub_and_test(nextents, &efip->efi_next_extent)) {
		__xfs_efi_release(efip);

		/* recovery needs us to drop the EFI reference, too */
		if (test_bit(XFS_EFI_RECOVERED, &efip->efi_flags))
		__xfs_efi_release(efip);

		__xfs_efi_release(efip);
		/* efip may now have been freed, do not reference it again. */
		}
		}