dfp will be freed by ->recover_work and thus the tracepoint in case of an error can lead to a use after free. Store the defer ops in a local variable to avoid that. Fixes: 7f2f7531e0d4 ("xfs: store an ops pointer in struct xfs_defer_pending") Reported-by: kernel test robot <oliver.sang@xxxxxxxxx> Signed-off-by: Christoph Hellwig <hch@xxxxxx> Reviewed-by: Darrick J. Wong <djwong@xxxxxxxxxx> --- - add a comment fs/xfs/libxfs/xfs_defer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c index ca7f0ac0489604..75c5b3a2c2cba4 100644 --- a/fs/xfs/libxfs/xfs_defer.c +++ b/fs/xfs/libxfs/xfs_defer.c @@ -915,12 +915,14 @@ xfs_defer_finish_recovery( struct xfs_defer_pending *dfp, struct list_head *capture_list) { + const struct xfs_defer_op_type *ops = dfp->dfp_ops; int error; - error = dfp->dfp_ops->recover_work(dfp, capture_list); + /* dfp is freed by recover_work and must not be accessed afterwards */ + error = ops->recover_work(dfp, capture_list); if (error) trace_xlog_intent_recovery_failed(mp, error, - dfp->dfp_ops->recover_work); + ops->recover_work); return error; } -- 2.39.2
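Review bot: the comment added before the `ops->recover_work(dfp, capture_list)` call should say that recover_work frees dfp on the error path as well, because that is exactly the path the tracepoint below takes; as worded, "must not be accessed afterwards" could be read as applying only on success. The local `ops` snapshot is the right shape for this fix: `dfp->dfp_ops` is read at function entry while dfp is still valid, and only the cached pointer is dereferenced after the call, so the former `dfp->dfp_ops->recover_work` use-after-free in the trace argument is gone. Two things to confirm that this hunk does not show: that `mp`, which the tracepoint uses, is not derived from dfp after the call, and that no other tracepoint or caller of the same function reaches into dfp once recover_work has returned.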