On Tue, Mar 10, 2020 at 05:47:40PM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > If we decide that a directory free block is corrupt, we must take care > not to leak a buffer pointer to the caller. After xfs_trans_brelse > returns, the buffer can be freed or reused, which means that we have to > set *bpp back to NULL. > > Callers are supposed to notice the nonzero return value and not use the > buffer pointer, but we should code more defensively, even if all current > callers handle this situation correctly. > > Fixes: de14c5f541e7 ("xfs: verify free block header fields") > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > --- > fs/xfs/libxfs/xfs_dir2_node.c | 1 + > 1 file changed, 1 insertion(+) > > > diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c > index af4f22dc3891..bbd478ec75c9 100644 > --- a/fs/xfs/libxfs/xfs_dir2_node.c > +++ b/fs/xfs/libxfs/xfs_dir2_node.c > @@ -228,6 +228,7 @@ __xfs_dir3_free_read( > if (fa) { > __xfs_buf_mark_corrupt(*bpp, fa); > xfs_trans_brelse(tp, *bpp); > + *bpp = NULL; > return -EFSCORRUPTED; > } Looks good. I didn't find any more obvious issues like this from a quick glance at the code. I really didn't look real close at the rt code, though... Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx> -- Dave Chinner david@xxxxxxxxxxxxx
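Review bot: the `*bpp = NULL;` added after `xfs_trans_brelse(tp, *bpp);` in the `__xfs_dir3_free_read` hunk sits in the right place (it has to follow the release, since the release is what makes the pointer stale), but the reason lives only in the commit message; a one-line comment at the site, e.g. `/* buffer may be freed or reused once released; never hand it back */`, would stop a later reader from treating the assignment as redundant with the `-EFSCORRUPTED` return. The ordering of `__xfs_buf_mark_corrupt(*bpp, fa);` before the release is also correct, as marking needs the live buffer.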
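As an added illustration of the hazard the commit message describes, the following is constructed example code, not XFS code: `blk_buf`, `blk_get`, `blk_release`, `free_hdr_corrupt`, `free_read_buggy`, `free_read_fixed`, the `FREE_MAGIC` value and the one-slot reuse cache are all hypothetical stand-ins. The cache models the "freed or reused" behaviour of a released buffer: a caller that ignores the error from the buggy reader ends up holding a pointer that the very next reader is handed, while the fixed reader leaves it NULL.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef EUCLEAN
#define EUCLEAN 117
#endif
#define EFSCORRUPTED EUCLEAN          /* same mapping fs/xfs/xfs_linux.h uses */

/* Hypothetical buffer: stands in for an xfs_buf holding a directory free block. */
struct blk_buf {
    uint32_t magic;                   /* header magic */
    uint32_t nvalid;                  /* entries in the block */
    uint32_t nused;                   /* entries in use; must not exceed nvalid */
};

static const uint32_t FREE_MAGIC = 0x58444633u; /* constructed value, not XFS's */

/* One-slot reuse cache: models a released buffer being handed to the next reader. */
static struct blk_buf *cache;

static struct blk_buf *blk_get(uint32_t magic, uint32_t nvalid, uint32_t nused)
{
    struct blk_buf *bp = cache;
    if (bp)
        cache = NULL;                 /* reuse the previously released buffer */
    else if (!(bp = calloc(1, sizeof(*bp))))
        return NULL;
    bp->magic = magic;
    bp->nvalid = nvalid;
    bp->nused = nused;
    return bp;
}

/* Stands in for xfs_trans_brelse: after this the buffer may be reused or freed. */
static void blk_release(struct blk_buf *bp)
{
    free(cache);                      /* free(NULL) is a no-op */
    cache = bp;
}

/* Stands in for the free-block header verifier; nonzero means corrupt. */
static int free_hdr_corrupt(const struct blk_buf *bp)
{
    return bp->magic != FREE_MAGIC || bp->nused > bp->nvalid;
}

/* Before the fix: the buffer is released but *bpp still points at it. */
static int free_read_buggy(uint32_t magic, uint32_t nvalid, uint32_t nused,
                           struct blk_buf **bpp)
{
    *bpp = blk_get(magic, nvalid, nused);
    if (!*bpp)
        return -ENOMEM;
    if (free_hdr_corrupt(*bpp)) {
        blk_release(*bpp);
        return -EFSCORRUPTED;         /* caller now holds a stale pointer */
    }
    return 0;
}

/* After the fix: clear the out-pointer so a careless caller sees NULL rather
 * than memory that the next blk_get() may hand to someone else. */
static int free_read_fixed(uint32_t magic, uint32_t nvalid, uint32_t nused,
                           struct blk_buf **bpp)
{
    *bpp = blk_get(magic, nvalid, nused);
    if (!*bpp)
        return -ENOMEM;
    if (free_hdr_corrupt(*bpp)) {
        blk_release(*bpp);
        *bpp = NULL;
        return -EFSCORRUPTED;
    }
    return 0;
}

/* Returns 1 if the stale pointer left by free_read_buggy() aliases the buffer
 * handed out by the very next blk_get(), i.e. the hazard the fix removes. */
static int stale_pointer_is_reused(void)
{
    struct blk_buf *bp = NULL, *next;
    int aliased;

    if (free_read_buggy(FREE_MAGIC, 8, 9, &bp) != -EFSCORRUPTED || !bp)
        return 0;
    next = blk_get(FREE_MAGIC, 2, 1); /* some other caller reading another block */
    aliased = (bp == next);
    blk_release(next);
    return aliased;
}

int main(void)
{
    struct blk_buf *bp = NULL;
    int ret = free_read_fixed(0, 8, 4, &bp);
    printf("fixed reader: ret=%d *bpp=%p\n", ret, (void *)bp);
    printf("buggy reader: stale pointer reused by next reader: %d\n",
           stale_pointer_is_reused());
    return 0;
}
```

The cache is deliberately a single slot so the aliasing is deterministic; a real allocator would make the stale pointer's fate depend on timing, which is exactly why clearing `*bpp` at the release site is the defensible choice even when every current caller honours the return value.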