On Tue, May 02, 2017 at 01:36:33AM +0800, Eryu Guan wrote:
> Commit 28b783e47ad7 ("xfs: bufferhead chains are invalid after
> end_page_writeback") fixed one use-after-free issue by
> pre-calculating the loop conditionals before calling bh->b_end_io()
> in the end_io processing loop, but it assigned 'next' pointer before
> checking end offset boundary & breaking the loop, at which point the
> bh might be freed already, and caused use-after-free.
>
> This is caught by KASAN when running fstests generic/127 on sub-page
> block size XFS.

Looks good,

Reviewed-by: Christoph Hellwig <hch@xxxxxx>
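
Added illustration, not part of the original mail or of the kernel patch: a userspace C model of the loop ordering the quoted commit message describes. The names `ring`, `end_io`, `get_next` and `walk` are hypothetical, and buffers are flagged as released instead of being freed so that stale dereferences can be counted safely.

```c
#include <stddef.h>
#define NBUF  4     /* buffers per page (sub-page block size) */
#define BSIZE 1024  /* bytes per buffer */

struct buf { struct buf *next; int freed; };
static struct buf ring[NBUF];
static int pending;      /* in-range buffers still awaiting completion */
static int stale_reads;  /* dereferences of an already released buffer */

/* Completion callback model: the last completion releases every buffer on
 * the page. They are flagged, not free()d, so the demo stays well defined. */
static void end_io(struct buf *bh)
{
    (void)bh;
    if (--pending == 0)
        for (int i = 0; i < NBUF; i++)
            ring[i].freed = 1;
}
/* All dereferences of bh go through here so stale ones are counted. */
static struct buf *get_next(struct buf *bh)
{
    stale_reads += bh->freed;
    return bh->next;
}
/* Complete the buffers whose offset lies in [start, end]; return the number
 * of stale dereferences. check_first=0 loads 'next' before the end-offset
 * check (the order the commit message describes as buggy); 1 checks first. */
static int walk(size_t start, size_t end, int check_first)
{
    struct buf *head = &ring[0], *bh = head, *next;
    size_t off = 0;

    stale_reads = pending = 0;
    for (int i = 0; i < NBUF; i++) {
        ring[i].next = &ring[(i + 1) % NBUF];
        ring[i].freed = 0;
        pending += (size_t)i * BSIZE >= start && (size_t)i * BSIZE <= end;
    }
    do {
        if (check_first && off > end)
            break;
        next = get_next(bh);
        if (!check_first && off > end)
            break;
        if (off >= start)
            end_io(bh);
        off += BSIZE;
    } while ((bh = next) != head);
    return stale_reads;
}
int main(void) { return !(walk(0, 2047, 0) == 1 && walk(0, 2047, 1) == 0); }
```

The stale read only appears when the I/O range ends before the last buffer on the page, which is why it takes a sub-page block size to trigger; when the range covers the whole page the walk wraps back to the head and stops without touching a released buffer.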