From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0679363AC for ; Thu, 28 Dec 2023 06:18:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=lst.de Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=bombadil.srs.infradead.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="LHi8bdU1" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Content-Transfer-Encoding: MIME-Version:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:In-Reply-To:References; bh=7Qkxgofp7WAuVb7kx+ZXLMcp4tZpXpvVtCrCTlkdxR4=; b=LHi8bdU1igFmdO4sBXm0/7yeUq GDNwPP4PXBbyCKZwI2MHMCA+grxV06l+10603wBA5D301Zh7Jjp3h58JYIBkB8arCiYwTT7UzKbOd HJYuoAXeFruPq/ZFAXa56mhX89ItS40q1aCKAXgYd+5k+ArrKjYhAkfhPA6ATvnfCeIAthbXaOC7O hBKNEjZDF0p/1+coHccnpoMSB8ReOYeaAbZUv+w+ImesjQM2gXaIpMIkZEAQyKqQNJ4SCaSOTGoEc yi8sp0jJBtjmkbBQdTfWeZp3v+2N8iptEKaKwGCnIQs7VxfDfWvkJc8ddEyw7k9YcYb4/joWFlEc7 yRC+YmdA==; Received: from 128.red-83-57-75.dynamicip.rima-tde.net ([83.57.75.128] helo=localhost) by bombadil.infradead.org with esmtpsa (Exim 4.96 #2 (Red Hat Linux)) id 1rIjiz-00GDiD-0y; Thu, 28 Dec 2023 06:18:33 +0000 From: Christoph Hellwig To: chandan.babu@oracle.com Cc: djwong@kernel.org, linux-xfs@vger.kernel.org, kernel test robot Subject: [PATCH 1/2] xfs: fix a use after free in xfs_defer_finish_recovery Date: Thu, 28 Dec 2023 06:18:29 +0000 Message-Id: <20231228061830.337279-1-hch@lst.de> X-Mailer: git-send-email 2.39.2 Precedence: bulk X-Mailing-List: linux-xfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org. See http://www.infradead.org/rpr.html dfp will be freed by ->recover_work and thus the tracepoint in case of an error can lead to a use after free. Store the defer ops in a local variable to avoid that. Fixes: 7f2f7531e0d4 ("xfs: store an ops pointer in struct xfs_defer_pending") Reported-by: kernel test robot Signed-off-by: Christoph Hellwig --- fs/xfs/libxfs/xfs_defer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c index ca7f0ac0489604..785c92d2acaa73 100644 --- a/fs/xfs/libxfs/xfs_defer.c +++ b/fs/xfs/libxfs/xfs_defer.c @@ -915,12 +915,13 @@ xfs_defer_finish_recovery( struct xfs_defer_pending *dfp, struct list_head *capture_list) { + const struct xfs_defer_op_type *ops = dfp->dfp_ops; int error; - error = dfp->dfp_ops->recover_work(dfp, capture_list); + error = ops->recover_work(dfp, capture_list); if (error) trace_xlog_intent_recovery_failed(mp, error, - dfp->dfp_ops->recover_work); + ops->recover_work); return error; } -- 2.39.2