diff options
author | Lachlan McIlroy <lachlan@sgi.com> | 2008-08-13 02:52:50 -0400 |
---|---|---|
committer | Lachlan McIlroy <lachlan@redback.melbourne.sgi.com> | 2008-08-13 02:52:50 -0400 |
commit | c6a7b0f8a49aa71792dd108efc535435f462bf79 (patch) | |
tree | 45ffdd756cf4e024a1ab6742b2dfa4ed962ea741 /fs | |
parent | c94312de223644e2f18e7064ae8cafa14e5c6ef6 (diff) |
[XFS] Fix use after free in xfs_log_done().
The ticket allocation code got reworked in 2.6.26 and we now free tickets
whereas before we used to cache them so the use-after-free went
undetected.
SGI-PV: 985525
SGI-Modid: xfs-linux-melb:xfs-kern:31877a
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: David Chinner <david@fromorbit.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/xfs/xfs_log.c | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c index 1f6f780dbd39..ccba14eb9dbe 100644 --- a/fs/xfs/xfs_log.c +++ b/fs/xfs/xfs_log.c | |||
@@ -336,15 +336,12 @@ xfs_log_done(xfs_mount_t *mp, | |||
336 | } else { | 336 | } else { |
337 | xlog_trace_loggrant(log, ticket, "xfs_log_done: (permanent)"); | 337 | xlog_trace_loggrant(log, ticket, "xfs_log_done: (permanent)"); |
338 | xlog_regrant_reserve_log_space(log, ticket); | 338 | xlog_regrant_reserve_log_space(log, ticket); |
339 | } | 339 | /* If this ticket was a permanent reservation and we aren't |
340 | 340 | * trying to release it, reset the inited flags; so next time | |
341 | /* If this ticket was a permanent reservation and we aren't | 341 | * we write, a start record will be written out. |
342 | * trying to release it, reset the inited flags; so next time | 342 | */ |
343 | * we write, a start record will be written out. | ||
344 | */ | ||
345 | if ((ticket->t_flags & XLOG_TIC_PERM_RESERV) && | ||
346 | (flags & XFS_LOG_REL_PERM_RESERV) == 0) | ||
347 | ticket->t_flags |= XLOG_TIC_INITED; | 343 | ticket->t_flags |= XLOG_TIC_INITED; |
344 | } | ||
348 | 345 | ||
349 | return lsn; | 346 | return lsn; |
350 | } /* xfs_log_done */ | 347 | } /* xfs_log_done */ |