This is a note to let you know that I've just added the patch titled xfs: fix double-cleanup when CUI recovery fails to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xfs-fix-double-cleanup-when-cui-recovery-fails.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From hch@xxxxxx Tue Jan 10 11:31:00 2017 From: Christoph Hellwig <hch@xxxxxx> Date: Mon, 9 Jan 2017 16:39:00 +0100 Subject: xfs: fix double-cleanup when CUI recovery fails To: stable@xxxxxxxxxxxxxxx Cc: linux-xfs@xxxxxxxxxxxxxxx, "Darrick J. Wong" <darrick.wong@xxxxxxxxxx> Message-ID: <1483976343-661-30-git-send-email-hch@xxxxxx> From: "Darrick J. Wong" <darrick.wong@xxxxxxxxxx> commit 7a21272b088894070391a94fdd1c67014020fa1d upstream. Dan Carpenter reported a double-free of rcur if _defer_finish fails while we're recovering CUI items. Fix the error recovery to prevent this. Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> Cc: Christoph Hellwig <hch@xxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/xfs/xfs_refcount_item.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/xfs/xfs_refcount_item.c +++ b/fs/xfs/xfs_refcount_item.c @@ -526,13 +526,14 @@ xfs_cui_recover( xfs_refcount_finish_one_cleanup(tp, rcur, error); error = xfs_defer_finish(&tp, &dfops, NULL); if (error) - goto abort_error; + goto abort_defer; set_bit(XFS_CUI_RECOVERED, &cuip->cui_flags); error = xfs_trans_commit(tp); return error; abort_error: xfs_refcount_finish_one_cleanup(tp, rcur, error); +abort_defer: xfs_defer_cancel(&dfops); xfs_trans_cancel(tp); return error; Patches currently in stable-queue which might be from hch@xxxxxx are queue-4.9/xfs-always-succeed-when-deduping-zero-bytes.patch queue-4.9/xfs-fix-crash-and-data-corruption-due-to-removal-of-busy-cow-extents.patch queue-4.9/xfs-don-t-allow-di_size-with-high-bit-set.patch queue-4.9/xfs-new-inode-extent-list-lookup-helpers.patch queue-4.9/xfs-don-t-call-xfs_sb_quota_from_disk-twice.patch queue-4.9/xfs-factor-rmap-btree-size-into-the-indlen-calculations.patch queue-4.9/xfs-check-return-value-of-_trans_reserve_quota_nblks.patch queue-4.9/xfs-complain-if-we-don-t-get-nextents-bmap-records.patch queue-4.9/xfs-check-for-bogus-values-in-btree-block-headers.patch queue-4.9/xfs-use-gpf_nofs-when-allocating-btree-cursors.patch queue-4.9/xfs-fix-max_retries-_show-and-_store-functions.patch queue-4.9/xfs-fix-double-cleanup-when-cui-recovery-fails.patch queue-4.9/xfs-don-t-skip-cow-forks-w-delalloc-blocks-in-cowblocks-scan.patch queue-4.9/xfs-track-preallocation-separately-in-xfs_bmapi_reserve_delalloc.patch queue-4.9/xfs-use-the-actual-ag-length-when-reserving-blocks.patch queue-4.9/xfs-ignore-leaf-attr-ichdr.count-in-verifier-during-log-replay.patch queue-4.9/xfs-pass-post-eof-speculative-prealloc-blocks-to-bmapi.patch queue-4.9/xfs-don-t-cap-maximum-dedupe-request-length.patch queue-4.9/xfs-pass-state-not-whichfork-to-trace_xfs_extlist.patch queue-4.9/xfs-move-agi-buffer-type-setting-to-xfs_read_agi.patch queue-4.9/xfs-check-minimum-block-size-for-crc-filesystems.patch queue-4.9/xfs-handle-cow-fork-in-xfs_bmap_trace_exlist.patch queue-4.9/pci-msi-check-for-null-affinity-mask-in-pci_irq_get_affinity.patch queue-4.9/xfs-error-out-if-trying-to-add-attrs-and-anextents-0.patch queue-4.9/xfs-don-t-bug-on-mixed-direct-and-mapped-i-o.patch queue-4.9/xfs-use-new-extent-lookup-helpers-xfs_file_iomap_begin_delay.patch queue-4.9/xfs-fix-unbalanced-inode-reclaim-flush-locking.patch queue-4.9/genirq-affinity-fix-node-generation-from-cpumask.patch queue-4.9/xfs-use-new-extent-lookup-helpers-in-__xfs_reflink_reserve_cow.patch queue-4.9/xfs-don-t-crash-if-reading-a-directory-results-in-an-unexpected-hole.patch queue-4.9/xfs-remove-prev-argument-to-xfs_bmapi_reserve_delalloc.patch queue-4.9/xfs-clean-up-cow-fork-reservation-and-tag-inodes-correctly.patch queue-4.9/xfs-forbid-ag-btrees-with-level-0.patch queue-4.9/xfs-provide-helper-for-counting-extents-from-if_bytes.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html