Message ID | 160140144017.830434.9012644788797432565.stgit@magnolia (mailing list archive) |
---|---|
State | Superseded, archived |
Series | xfs: fix inode use-after-free during log recovery | expand |
On Tue, Sep 29, 2020 at 10:44:00AM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@oracle.com> > > In most places in XFS, we have a specific order in which we gather > resources: grab the inode, allocate a transaction, then lock the inode. > xfs_bui_item_recover doesn't do it in that order, so fix it to be more > consistent. This also makes the error bailout code a bit less weird. > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > Reviewed-by: Dave Chinner <dchinner@redhat.com> > Reviewed-by: Christoph Hellwig <hch@lst.de> > --- > fs/xfs/xfs_bmap_item.c | 42 ++++++++++++++++++++++-------------------- > 1 file changed, 22 insertions(+), 20 deletions(-) > > > diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c > index c1f2cc3c42cb..1c9cb5a04bb5 100644 > --- a/fs/xfs/xfs_bmap_item.c > +++ b/fs/xfs/xfs_bmap_item.c ... > @@ -512,18 +513,19 @@ xfs_bui_item_recover( > xfs_bmap_unmap_extent(tp, ip, &irec); > } > > + /* Commit transaction, which frees tp. */ > error = xfs_defer_ops_capture_and_commit(tp, capture_list); > + if (error) > + goto err_unlock; > + return 0; > + > +err_cancel: > + xfs_trans_cancel(tp); > +err_unlock: > xfs_iunlock(ip, XFS_ILOCK_EXCL); > +err_rele: > xfs_irele(ip); What happened to the unlock and irele in the non-error path? Brian > return error; > - > -err_inode: > - xfs_trans_cancel(tp); > - if (ip) { > - xfs_iunlock(ip, XFS_ILOCK_EXCL); > - xfs_irele(ip); > - } > - return error; > } > > STATIC bool >
On Fri, Oct 02, 2020 at 12:27:54PM -0400, Brian Foster wrote: > On Tue, Sep 29, 2020 at 10:44:00AM -0700, Darrick J. Wong wrote: > > From: Darrick J. Wong <darrick.wong@oracle.com> > > > > In most places in XFS, we have a specific order in which we gather > > resources: grab the inode, allocate a transaction, then lock the inode. > > xfs_bui_item_recover doesn't do it in that order, so fix it to be more > > consistent. This also makes the error bailout code a bit less weird. > > > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > > Reviewed-by: Dave Chinner <dchinner@redhat.com> > > Reviewed-by: Christoph Hellwig <hch@lst.de> > > --- > > fs/xfs/xfs_bmap_item.c | 42 ++++++++++++++++++++++-------------------- > > 1 file changed, 22 insertions(+), 20 deletions(-) > > > > > > diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c > > index c1f2cc3c42cb..1c9cb5a04bb5 100644 > > --- a/fs/xfs/xfs_bmap_item.c > > +++ b/fs/xfs/xfs_bmap_item.c > ... > > @@ -512,18 +513,19 @@ xfs_bui_item_recover( > > xfs_bmap_unmap_extent(tp, ip, &irec); > > } > > > > + /* Commit transaction, which frees tp. */ > > error = xfs_defer_ops_capture_and_commit(tp, capture_list); > > + if (error) > > + goto err_unlock; > > + return 0; > > + > > +err_cancel: > > + xfs_trans_cancel(tp); > > +err_unlock: > > xfs_iunlock(ip, XFS_ILOCK_EXCL); > > +err_rele: > > xfs_irele(ip); > > What happened to the unlock and irele in the non-error path? xfs_defer_capture_and_consume did that, but see christoph's reply. --D > Brian > > > return error; > > - > > -err_inode: > > - xfs_trans_cancel(tp); > > - if (ip) { > > - xfs_iunlock(ip, XFS_ILOCK_EXCL); > > - xfs_irele(ip); > > - } > > - return error; > > } > > > > STATIC bool > > >
diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c
index c1f2cc3c42cb..1c9cb5a04bb5 100644
--- a/fs/xfs/xfs_bmap_item.c
+++ b/fs/xfs/xfs_bmap_item.c
@@ -475,25 +475,26 @@ xfs_bui_item_recover(
 (bmap->me_flags & ~XFS_BMAP_EXTENT_FLAGS))
 return -EFSCORRUPTED;
- error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate,
- XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp);
- if (error)
- return error;
-
- budp = xfs_trans_get_bud(tp, buip);
-
 /* Grab the inode. */
- error = xfs_iget(mp, tp, bmap->me_owner, 0, XFS_ILOCK_EXCL, &ip);
+ error = xfs_iget(mp, NULL, bmap->me_owner, 0, 0, &ip);
 if (error)
- goto err_inode;
+ return error;
- error = xfs_qm_dqattach_locked(ip, false);
+ error = xfs_qm_dqattach(ip);
 if (error)
- goto err_inode;
+ goto err_rele;
 if (VFS_I(ip)->i_nlink == 0)
 xfs_iflags_set(ip, XFS_IRECOVERY);
+ /* Allocate transaction and do the work. */
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate,
+ XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp);
+ if (error)
+ goto err_rele;
+
+ budp = xfs_trans_get_bud(tp, buip);
+
+ xfs_ilock(ip, XFS_ILOCK_EXCL);
 xfs_trans_ijoin(tp, ip, 0);
 count = bmap->me_len;
@@ -501,7 +502,7 @@ xfs_bui_item_recover(
 whichfork, bmap->me_startoff, bmap->me_startblock,
 &count, state);
 if (error)
- goto err_inode;
+ goto err_cancel;
 if (count > 0) {
 ASSERT(bui_type == XFS_BMAP_UNMAP);
@@ -512,18 +513,19 @@ xfs_bui_item_recover(
 xfs_bmap_unmap_extent(tp, ip, &irec);
 }
+ /* Commit transaction, which frees tp. */
 error = xfs_defer_ops_capture_and_commit(tp, capture_list);
+ if (error)
+ goto err_unlock;
+ return 0;
+
+err_cancel:
+ xfs_trans_cancel(tp);
+err_unlock:
 xfs_iunlock(ip, XFS_ILOCK_EXCL);
+err_rele:
 xfs_irele(ip);
 return error;
-
-err_inode:
- xfs_trans_cancel(tp);
- if (ip) {
- xfs_iunlock(ip, XFS_ILOCK_EXCL);
- xfs_irele(ip);
- }
- return error;
 }
 STATIC bool
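Review bot: The failure bailout after `xfs_defer_ops_capture_and_commit()` in the third hunk jumps to `err_unlock`, deliberately skipping `xfs_trans_cancel()`, so the label layout depends on the callee having freed `tp` on its error path while leaving `ip` still locked and referenced; the comment above the call only states the first half of that contract. Because the error and success paths treat `ip` differently, a reader has to consult the callee to confirm the labels are correct. Suggest widening the comment to `/* Commit transaction; tp is freed on success and failure, but on failure we still hold the ilock and the inode reference. */`, assuming that is in fact the callee's contract, which is not visible in this hunk. xfs_bui_item_recover's body begins outside this hunk.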