Commit 2a84108 cleans the remaining pending log item entries when log recovery fails. Unfortunately, the cleaning call was not removed from the error path in xlog_recover_commit_trans. This can result in a use after free and a second free of the transaction structure when the cleaning is done in xlog_recover_process_data. Now the log item entry cleaning in xlog_recover_commit_trans is only performed for the non-error case. Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Mark Tinguely <tinguely@xxxxxxx> --- fs/xfs/xfs_log_recover.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: b/fs/xfs/xfs_log_recover.c =================================================================== --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -3509,9 +3509,10 @@ out: if (!list_empty(&done_list)) list_splice_init(&done_list, &trans->r_itemq); - xlog_recover_free_trans(trans); - error2 = xfs_buf_delwri_submit(&buffer_list); + /* caller will free transactions in the error path */ + if (!error && !error2) + xlog_recover_free_trans(trans); return error ? error : error2; } _______________________________________________ xfs mailing list xfs@xxxxxxxxxxx http://oss.sgi.com/mailman/listinfo/xfs
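Review bot: the new guard `if (!error && !error2)` also skips the free when recovery itself succeeded but xfs_buf_delwri_submit failed (error == 0, error2 != 0), and the added comment "caller will free transactions in the error path" does not say that this case is included. Before this hunk xlog_recover_free_trans(trans) ran unconditionally, so the delwri failure used to free trans here; after it the function returns error2 with trans still holding its r_itemq (the done_list was just spliced back onto it). Please confirm that the cleanup in xlog_recover_process_data runs for every non-zero return from this function, not only for a non-zero `error`, and say so in the comment, e.g. "/* on any error the caller frees trans, including a delwri_submit failure */". If the caller only cleans up on the recovery error, the buffer-submit failure now leaks the transaction and its items.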