On 3/5/14, 11:02 AM, Christoph Hellwig wrote:
> On Mon, Mar 03, 2014 at 02:41:54PM -0600, Eric Sandeen wrote:
>> Commit "3a19fb7 libxfs: stop caching inode structures"
>> introduced a use after free.
>
> I see the use after free, but I don't see how I would have introduced it
> in that commit.  Before that libxfs_iput already was freeing the inode
> through the cache code, now we do it directly.

Ok, sorry if I wrongly implicated that commit.

>> @@ -739,12 +738,6 @@ ili_done:
>>  	} else {
>>  		libxfs_iput(ip, 0);
>>  	}
>> -
>> -	if (ip->i_itemp)
>> -		kmem_zone_free(xfs_ili_zone, ip->i_itemp);
>> -	else
>> -		ASSERT(0);
>> -	ip->i_itemp = NULL;
>>  }
>
> Seems like inode_item_done should call into inode_item_unlock, which
> factors the exact sequence we want into a nice helper.

Yeah, that does seem better!  Thanks for spotting that.

The difference when calling inode_item_unlock is a bit more zeroing-out:

	ip->i_transp = NULL;
	iip->ili_flags = 0;

I'm not sure of the implications of that offhand, TBH.

Dave, hold off on my commit I guess ;)

-Eric

_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs
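Review bot: In the block this hunk removes, `ip->i_itemp` is read (and passed to kmem_zone_free) after `libxfs_iput(ip, 0)` has already been called on the same inode in the else branch just above it; with libxfs_iput freeing the inode directly, as Christoph describes, that read is the use-after-free the commit message names, so dropping the block is the right direction. Note what goes with it, though: the `ASSERT(0)` that flagged an inode reaching ili_done with no i_itemp, and the `ip->i_itemp = NULL` reset. Rather than only deleting these lines, consider teardown of the log item before the libxfs_iput() call, while ip is still valid, by having inode_item_done call inode_item_unlock() as suggested in the thread, which also does the `ip->i_transp = NULL` and `iip->ili_flags = 0` resets Eric lists; the if branch of this if/else is outside the hunk, so check that it gets the same treatment.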