On Mon, Dec 02, 2013 at 03:26:19PM -0500, Jeff Layton wrote:
> The DRC code will attempt to reuse an existing, expired cache entry in
> preference to allocating a new one. It'll then search the cache, and if
> it gets a hit it'll then free the cache entry that it was going to
> reuse.
>
> The cache code doesn't unhash the entry that it's going to reuse
> however, so it's possible for it to end up designating an entry for reuse
> and then subsequently freeing the same entry after it finds it. This
> leads it to a later use-after-free situation and usually some list
> corruption warnings or an oops.
>
> Fix this by simply unhashing the entry that we intend to reuse. That
> will mean that it's not findable via a search and should prevent this
> situation from occurring.

The fix looks reasonable to me,

Reviewed-by: Christoph Hellwig <hch@xxxxxx>

Btw, it seems like this code would benefit from being converted to the
list_lru structure.
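The reuse-then-search sequence from the commit message, modelled as an added C example that is neither the kernel's DRC code nor anything posted in this thread; the single hash chain, `struct entry`, `lookup()` and `scenario()` are constructed for illustration, and the `unhash_first` flag stands in for the patch's fix:

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model of the reply-cache reuse path the patch describes. The types
 * are constructed for illustration, not the kernel's svc_cacherep code. */
struct entry {
    unsigned int key;     /* stands in for the request identity (XID etc.) */
    bool expired;         /* old enough to be recycled instead of allocated */
    struct entry *next;   /* hash chain link, NULL once unhashed */
};
static struct entry *chain;   /* one hash bucket is enough for the model */
static void hash_add(struct entry *e) { e->next = chain; chain = e; }
static void hash_unhash(struct entry *e)
{
    for (struct entry **pp = &chain; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; e->next = NULL; return; }
}
static struct entry *hash_search(unsigned int key)
{
    struct entry *e = chain;
    while (e && e->key != key) e = e->next;
    return e;
}
static struct entry *pick_expired(void)
{
    struct entry *e = chain;
    while (e && !e->expired) e = e->next;
    return e;
}
enum outcome { MISS_REUSED, HIT_FREED_OTHER, HIT_FREED_CANDIDATE };
/* Pick a recyclable entry, then search; unhash_first is the patch's fix.
 * Nothing is really freed: the return value reports what would happen. */
static enum outcome lookup(unsigned int key, bool unhash_first)
{
    struct entry *cand = pick_expired();
    if (cand && unhash_first)
        hash_unhash(cand);   /* fix: the candidate can no longer be found */
    struct entry *found = hash_search(key);
    if (!found)
        return MISS_REUSED;  /* cand is reinitialised for this request */
    /* Hit: the old code frees cand and keeps using found. When both are
     * the same object, that is the use-after-free the patch fixes. */
    return found == cand ? HIT_FREED_CANDIDATE : HIT_FREED_OTHER;
}
/* Constructed scenario: the only expired entry carries the key looked up. */
enum outcome scenario(bool unhash_first)
{
    struct entry fresh = { .key = 7, .expired = false, .next = NULL };
    struct entry stale = { .key = 42, .expired = true, .next = NULL };
    chain = NULL; hash_add(&stale); hash_add(&fresh);
    return lookup(42, unhash_first);
}
```

Without the unhash the candidate and the hit are the same object, which is exactly the free-then-use the patch removes; with it the search misses and the entry is simply recycled.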