xfs: fix a use after free in xfs_defer_finish_recovery

dfp will be freed by ->recover_work and thus the tracepoint in case
of an error can lead to a use after free.

Store the defer ops in a local variable to avoid that.

Fixes: 7f2f7531e0d4 ("xfs: store an ops pointer in struct xfs_defer_pending")
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>

diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c
index ca7f0ac0489604e79ff4f1b74d612a80f12eaf3c..75c5b3a2c2cba4aaeb2321209c311f568b90f5e7 100644 (file)
--- a/fs/xfs/libxfs/xfs_defer.c
+++ b/fs/xfs/libxfs/xfs_defer.c
@@ -915,12 +915,14 @@ xfs_defer_finish_recovery(
        struct xfs_defer_pending        *dfp,
        struct list_head                *capture_list)
 {
+       const struct xfs_defer_op_type  *ops = dfp->dfp_ops;
        int                             error;
 
-       error = dfp->dfp_ops->recover_work(dfp, capture_list);
+       /* dfp is freed by recover_work and must not be accessed afterwards */
+       error = ops->recover_work(dfp, capture_list);
        if (error)
                trace_xlog_intent_recovery_failed(mp, error,
-                               dfp->dfp_ops->recover_work);
+                               ops->recover_work);
        return error;
 }