Hi all, In this second series, I try to fix a use-after-free that I discovered during development of the dfops freezer, where BUI recovery releases the inode even if it requeues itself. If the inode gets reclaimed, the fs corrupts memory and explodes. The fix is to make the dfops capture struct take over ownership of the inodes if there's any more work to be done. This is a bit clunky, but it's a simpler mechanism than saving inode pointers and inode numbers and introducing tagged structures so that we can distinguish one from the other. v2: rebase atop the new defer capture code v3: only capture one inode, move as much of the defer capture code to xfs_defer.c as we can v4: make defer capture ihold the inode, and the caller still gets to iunlock and irele it If you're going to start using this mess, you probably ought to just pull from my git trees, which are linked below. This is an extraordinary way to destroy everything. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fix-bmap-intent-recovery-5.10 --- fs/xfs/libxfs/xfs_defer.c | 43 ++++++++++++++++++++--- fs/xfs/libxfs/xfs_defer.h | 11 +++++- fs/xfs/xfs_bmap_item.c | 84 ++++++++++++++++++++------------------------ fs/xfs/xfs_extfree_item.c | 2 + fs/xfs/xfs_log_recover.c | 7 +++- fs/xfs/xfs_refcount_item.c | 2 + fs/xfs/xfs_rmap_item.c | 2 + 7 files changed, 95 insertions(+), 56 deletions(-)
