diff options
| author | Darrick J. Wong <djwong@kernel.org> | 2023-12-20 08:53:43 -0800 |
|---|---|---|
| committer | Darrick J. Wong <djwong@kernel.org> | 2023-12-21 18:29:13 -0800 |
| commit | b9166aea5eb825bdb603f21d9eb43c7bfe846ca2 (patch) | |
| tree | 1d61123725feb6869b94b0e2b69a1f7b228814ab | |
| parent | af71e8c1f99aaf14f4b008a7468e62b03e60213d (diff) | |
| download | xfsprogs-dev-b9166aea5eb825bdb603f21d9eb43c7bfe846ca2.tar.gz | |
libxfs: don't UAF a requeued EFI
In the kernel, commit 8ebbf262d4684 ("xfs: don't block in busy flushing
when freeing extents") changed the allocator behavior such that AGFL
fixing can return -EAGAIN in response to detection of a deadlock with
the transaction busy extent list. If this happens, we're supposed to
requeue the EFI so that we can roll the transaction and try the item
again.
If a requeue happens, we should not free the xefi pointer in
xfs_extent_free_finish_item or else the retry will walk off a dangling
pointer. There is no extent busy list in userspace so this should
never happen, but let's fix the logic bomb anyway.
We should have ported kernel commit 0853b5de42b47 ("xfs: allow extent
free intents to be retried") to userspace, but neither Carlos nor I
noticed this fine detail. :(
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chandan Babu R <chandanbabu@kernel.org>
| -rw-r--r-- | libxfs/defer_item.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libxfs/defer_item.c b/libxfs/defer_item.c index 3f51925204..8731d1834b 100644 --- a/libxfs/defer_item.c +++ b/libxfs/defer_item.c @@ -115,6 +115,13 @@ xfs_extent_free_finish_item( error = xfs_free_extent(tp, xefi->xefi_pag, agbno, xefi->xefi_blockcount, &oinfo, XFS_AG_RESV_NONE); + /* + * Don't free the XEFI if we need a new transaction to complete + * processing of it. + */ + if (error == -EAGAIN) + return error; + xfs_extent_free_put_group(xefi); kmem_cache_free(xfs_extfree_item_cache, xefi); return error; |