From patchwork Wed Mar 18 10:33:32 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lukas Czerner
X-Patchwork-Id: 451349
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3FE0B140079 for ; Wed, 18 Mar 2015 21:33:38 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755421AbbCRKdh (ORCPT ); Wed, 18 Mar 2015 06:33:37 -0400
Received: from mx1.redhat.com ([209.132.183.28]:45980 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755345AbbCRKdg (ORCPT ); Wed, 18 Mar 2015 06:33:36 -0400
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id 691092932F9 for ; Wed, 18 Mar 2015 10:33:36 +0000 (UTC)
Received: from localhost.localdomain.com (dhcp-27-214.brq.redhat.com [10.34.27.214]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t2IAXZ72000731; Wed, 18 Mar 2015 06:33:35 -0400
From: Lukas Czerner
To: linux-ext4@vger.kernel.org
Cc: Lukas Czerner
Subject: [PATCH] jbd: Fix possible uninitialized memory access when tracing
Date: Wed, 18 Mar 2015 11:33:32 +0100
Message-Id: <1426674812-26883-1-git-send-email-lczerner@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-ext4@vger.kernel.org

Currently in journal_commit_transaction() if trace point trace_jbd_end_commit() is enabled, it can access an already freed part of the memory via commit_transaction because it might have already been freed earlier using __journal_drop_transaction(). Fix it by moving the tracepoint before the point where we can free commit_transaction and set the commit_transaction to NULL after we free it to make such cases easier to detect in the future.

Signed-off-by: Lukas Czerner
Reported-by: Dan Carpenter
---
fs/jbd/commit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/jbd/commit.c b/fs/jbd/commit.c
index bb217dc..169cf72 100644
--- a/fs/jbd/commit.c
+++ b/fs/jbd/commit.c
@@ -991,10 +991,12 @@ restart_loop: journal->j_average_commit_time = commit_time; spin_unlock(&journal->j_state_lock); + trace_jbd_end_commit(journal, commit_transaction); if (commit_transaction->t_checkpoint_list == NULL && commit_transaction->t_checkpoint_io_list == NULL) { __journal_drop_transaction(journal, commit_transaction); + commit_transaction = NULL; } else { if (journal->j_checkpoint_transactions == NULL) { journal->j_checkpoint_transactions = commit_transaction;
@@ -1013,7 +1015,6 @@ restart_loop: } spin_unlock(&journal->j_list_lock); - trace_jbd_end_commit(journal, commit_transaction); jbd_debug(1, "JBD: commit %d complete, head %d\n", journal->j_commit_sequence, journal->j_tail_sequence);
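Review bot: in the first hunk (@@ -991,10 +991,12 @@), the tracepoint now sits between `spin_unlock(&journal->j_state_lock);` and the checkpoint-list handling, so it fires before the transaction is linked into journal->j_checkpoint_transactions and, given the `spin_unlock(&journal->j_list_lock);` in the next hunk, with j_list_lock still held. Tracepoint probes run in atomic context anyway, so the lock is not a correctness problem, but the ordering change relative to the checkpoint-list insertion is worth one sentence in the commit message confirming the tracepoint does not need to observe that state. The added `commit_transaction = NULL;` after `__journal_drop_transaction(journal, commit_transaction);` only has an effect if the pointer is read again further down; nothing in the visible context does, so its value is that any future reuse faults on NULL instead of silently reading freed memory, which matches the stated intent. One more documentation point: the subject line says "uninitialized memory access", whereas the description and the change address a read of freed memory through commit_transaction; "use-after-free" is the accurate term.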
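Review bot: in the second hunk (@@ -1013,7 +1015,6 @@), with `trace_jbd_end_commit(journal, commit_transaction);` removed, the following `jbd_debug(1, "JBD: commit %d complete, head %d\n", journal->j_commit_sequence, journal->j_tail_sequence);` reads only journal fields, so nothing in this hunk dereferences commit_transaction after the drop, which is what makes the NULL assignment in the previous hunk safe. The remainder of the function below this context is not shown; please confirm it has no remaining use of commit_transaction either, and consider saying so in the commit message so the NULL assignment is clearly a guard rather than a fix for a second site.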
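The failure mode the patch addresses, as an added illustration that is not part of the patch or of the jbd code: a cut-down model of the tail of journal_commit_transaction() with the tracepoint placed on either side of the drop. The struct layouts, the drop_transaction() and trace_end_commit() stand-ins, the run_commit() driver and the 0x6b poison byte are all assumptions made for the example; the real __journal_drop_transaction() releases the transaction, and the model poisons the memory instead of freeing it so the stale read is observable rather than undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, trimmed-down stand-ins for jbd's transaction and journal
 * (assumption: only the fields the example touches are modelled). */
struct transaction {
    uint32_t t_tid;
    void *t_checkpoint_list;
    void *t_checkpoint_io_list;
};

struct journal {
    struct transaction *j_checkpoint_transactions;
    uint32_t j_commit_sequence;
};

/* Poison byte in the style of slab POISON_FREE (assumption for the demo),
 * so that a read after drop yields a recognisable pattern. */
#define POISON_FREE 0x6b

/* Model of __journal_drop_transaction(): the real one releases the
 * transaction; here the memory is overwritten with the poison instead of
 * being freed, keeping the later read defined and observable. */
static void drop_transaction(struct journal *journal, struct transaction *t)
{
    (void)journal;
    memset(t, POISON_FREE, sizeof *t);
}

/* Model of the trace_jbd_end_commit tracepoint: returns the tid it observes. */
static uint32_t trace_end_commit(struct journal *journal, struct transaction *t)
{
    (void)journal;
    return t->t_tid;
}

/* Ordering before the patch: drop (or link into the checkpoint list) first,
 * trace afterwards. When the transaction was dropped, the trace reads stale
 * memory and records the poison instead of the tid. */
uint32_t commit_before_patch(struct journal *journal, struct transaction *t)
{
    journal->j_commit_sequence = t->t_tid;
    if (t->t_checkpoint_list == NULL && t->t_checkpoint_io_list == NULL)
        drop_transaction(journal, t);
    else
        journal->j_checkpoint_transactions = t;
    /* t may point at released memory here. */
    return trace_end_commit(journal, t);
}

/* Ordering after the patch: trace while the transaction is still live, then
 * drop it and clear the pointer so any later dereference faults on NULL. */
uint32_t commit_after_patch(struct journal *journal, struct transaction *t)
{
    journal->j_commit_sequence = t->t_tid;
    uint32_t traced = trace_end_commit(journal, t);
    if (t->t_checkpoint_list == NULL && t->t_checkpoint_io_list == NULL) {
        drop_transaction(journal, t);
        t = NULL;
    } else {
        journal->j_checkpoint_transactions = t;
    }
    return traced;
}

/* Driver: commit one fresh transaction with empty checkpoint lists (the case
 * in which it is dropped) and return what the tracepoint recorded. */
uint32_t run_commit(uint32_t tid, int use_fixed_ordering)
{
    struct journal journal = {0};
    struct transaction t = { .t_tid = tid,
                             .t_checkpoint_list = NULL,
                             .t_checkpoint_io_list = NULL };
    return use_fixed_ordering ? commit_after_patch(&journal, &t)
                              : commit_before_patch(&journal, &t);
}

int main(void)
{
    printf("before patch: tracepoint saw tid 0x%08x\n", (unsigned)run_commit(42, 0));
    printf("after patch:  tracepoint saw tid 0x%08x\n", (unsigned)run_commit(42, 1));
    return 0;
}
```

With the pre-patch ordering the tracepoint records 0x6b6b6b6b, the poison left by the drop, rather than tid 42; with the patched ordering it records 42. On a real kernel the same stale read would return whatever the slab allocator or a new owner had written there, which is why slab poisoning or KASAN is the practical way to surface this class of bug.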