git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Darrick J. Wong <djwong@kernel.org>
	Wed, 27 Mar 2024 00:12:16 +0000 (17:12 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 3 Apr 2024 13:28:47 +0000 (15:28 +0200)
commit	680776e555f3c396603a172bb4264ad6fc64eaf3
tree	4d1e586df2a0c9b7773e5c5459ac82208a25fb94	tree
parent	87db24c8edd372847e7297dd369c00dbd5dd7566	commit \| diff

xfs: transfer recovered intent item ownership in ->iop_recover

commit deb4cd8ba87f17b12c72b3827820d9c703e9fd95 upstream.

Now that we pass the xfs_defer_pending object into the intent item
recovery functions, we know exactly when ownership of the sole refcount
passes from the recovery context to the intent done item.  At that
point, we need to null out dfp_intent so that the recovery mechanism
won't release it.  This should fix the UAF problem reported by Long Li.

Note that we still want to recreate the full deferred work state.  That
will be addressed in the next patches.

Fixes: 2e76f188fd90 ("xfs: cancel intents immediately if process_intents fails")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Catherine Hoang <catherine.hoang@oracle.com>
Acked-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/xfs/libxfs/xfs_log_recover.h		diff \| blob \| blame \| history
fs/xfs/xfs_attr_item.c		diff \| blob \| blame \| history
fs/xfs/xfs_bmap_item.c		diff \| blob \| blame \| history
fs/xfs/xfs_extfree_item.c		diff \| blob \| blame \| history
fs/xfs/xfs_log_recover.c		diff \| blob \| blame \| history
fs/xfs/xfs_refcount_item.c		diff \| blob \| blame \| history
fs/xfs/xfs_rmap_item.c		diff \| blob \| blame \| history