git.maquefel.me Git - linux.git/commit

author	Darrick J. Wong <djwong@kernel.org>
	Wed, 22 Nov 2023 18:47:10 +0000 (10:47 -0800)
committer	Darrick J. Wong <djwong@kernel.org>
	Thu, 7 Dec 2023 02:45:14 +0000 (18:45 -0800)
commit	deb4cd8ba87f17b12c72b3827820d9c703e9fd95
tree	98a85e6dca65337a4ce0ce7b9e30d71094cdda1a	tree \| snapshot
parent	a050acdfa8003a44eae4558fddafc7afb1aef458	commit \| diff

xfs: transfer recovered intent item ownership in ->iop_recover

Now that we pass the xfs_defer_pending object into the intent item
recovery functions, we know exactly when ownership of the sole refcount
passes from the recovery context to the intent done item.  At that
point, we need to null out dfp_intent so that the recovery mechanism
won't release it.  This should fix the UAF problem reported by Long Li.

Note that we still want to recreate the full deferred work state.  That
will be addressed in the next patches.

Fixes: 2e76f188fd90 ("xfs: cancel intents immediately if process_intents fails")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>

fs/xfs/libxfs/xfs_log_recover.h		diff \| blob \| history
fs/xfs/xfs_attr_item.c		diff \| blob \| history
fs/xfs/xfs_bmap_item.c		diff \| blob \| history
fs/xfs/xfs_extfree_item.c		diff \| blob \| history
fs/xfs/xfs_log_recover.c		diff \| blob \| history
fs/xfs/xfs_refcount_item.c		diff \| blob \| history
fs/xfs/xfs_rmap_item.c		diff \| blob \| history