On 3/3/14, 4:36 PM, Dave Chinner wrote:
> On Mon, Mar 03, 2014 at 02:41:54PM -0600, Eric Sandeen wrote:
>> Commit "3a19fb7 libxfs: stop caching inode structures"
>> introduced a use after free.
>>
>> libxfs_iput() already does the check for ip->i_itemp, and a
>> kmem_zone_free() if it's present, and then frees the ip pointer.
>> Re-checking ip->i_itemp after the libxfs_iput call will access
>> the freed ip pointer, as will setting ip->i_itemp to NULL.
>>
>> Simply remove the offending code to fix this up.
>
> which leaves the rest of the ili_done: code looking a little
> strange.
>
> can you convert that now to be:
>
> ili_done:
>     if (iip->ili_lock_flags) {
>         iip->ili_lock_flags = 0;
>         return;
>     }
>     /* free the inode */
>     libxfs_iput(ip, 0);
> }

yeah, I actually had that first. Not sure why I didn't go with it ;)

(Still looks strange to my untrained eye; "if lock flags are set,
unset them and don't free the inode, otherwise free it")

Anyway, I'll resend. No need to educate me on these details, for now. ;)

-Eric

> Cheers,
>
> Dave.
>

_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs
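As an added illustration (not code from the thread or from libxfs), here is a self-contained mock of the ownership rule under discussion: libxfs_iput() frees both the log item and the inode, so the ili_done path must not touch ip after calling it. The struct layouts, the free counters and make_inode() are constructed for this example; the ili_done logic follows the shape Dave suggested.

```c
/* Added example, not from the xfs list thread or libxfs: a mock of the
 * libxfs_iput() ownership rule the thread discusses. Once libxfs_iput()
 * returns, both ip and ip->i_itemp are freed, so nothing may touch ip
 * afterwards. inode_item_done() below follows Dave's suggested shape. */
#include <stdlib.h>

/* Constructed, minimal stand-ins for the real libxfs structures. */
struct xfs_inode_log_item { unsigned int ili_lock_flags; };
struct xfs_inode { struct xfs_inode_log_item *i_itemp; };

/* Constructed bookkeeping so a test can observe what was freed. */
static int freed_items, freed_inodes;

/* Mock of libxfs_iput(): frees the log item if present, then the inode. */
static void libxfs_iput(struct xfs_inode *ip, int flags)
{
    (void)flags;
    if (ip->i_itemp) {
        free(ip->i_itemp);      /* stands in for kmem_zone_free() */
        freed_items++;
    }
    free(ip);                   /* ip is invalid from here on */
    freed_inodes++;
}

/* Corrected ili_done logic. Returns 1 if the inode was freed, 0 if it was
 * kept because lock flags were still set. Nothing reads ip after iput. */
static int inode_item_done(struct xfs_inode *ip)
{
    struct xfs_inode_log_item *iip = ip->i_itemp;

    if (iip->ili_lock_flags) {
        iip->ili_lock_flags = 0;
        return 0;               /* caller still owns ip */
    }
    /* free the inode (and its log item) */
    libxfs_iput(ip, 0);
    /* The original bug: re-checking `ip->i_itemp` and storing NULL to it
     * at this point dereferences the ip that libxfs_iput() just freed. */
    return 1;
}

/* Constructed helper: an inode with an attached log item. */
static struct xfs_inode *make_inode(unsigned int lock_flags)
{
    struct xfs_inode *ip = calloc(1, sizeof *ip);
    if (!ip) return NULL;
    ip->i_itemp = calloc(1, sizeof *ip->i_itemp);
    if (!ip->i_itemp) { free(ip); return NULL; }
    ip->i_itemp->ili_lock_flags = lock_flags;
    return ip;
}
```

Building with -fsanitize=address and re-adding the removed `if (ip->i_itemp)` check after libxfs_iput() is the quickest way to see the access-after-free reported.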