Skip to content

L
linux
Commit ddf11d8c authored by Kent Overstreet's avatar Kent Overstreet Committed by Kent Overstreet
Browse files
Options

bcachefs: Fix a use after free 

This fixes a regression from "bcachefs: Stash a copy of key being
overwritten in btree_insert_entry". In btree_key_can_insert_cached(), we
may reallocate the key cache key, invalidating pointers previously
returned by peek() - fix it by issuing a transaction restart.
Signed-off-by: default avatarKent Overstreet <kent.overstreet@gmail.com>
parent 7db4cbd0
Hide whitespace changes
Inline Side-by-side
Showing with 20 additions and 1 deletion
fs/bcachefs/btree_update_leaf.c
View file @ ddf11d8c
......@@ -382,7 +382,18 @@ btree_key_can_insert_cached(struct btree_trans *trans,
ck->u64s = new_u64s;
ck->k = new_k;
return BTREE_INSERT_OK;
/*
* Keys returned by peek() are no longer valid pointers, so we need a
* transaction restart:
*/
trace_trans_restart_key_cache_key_realloced(trans->fn, _RET_IP_,
path->btree_id, &path->pos);
/*
* Not using btree_trans_restart() because we can't unlock here, we have
* write locks held:
*/
trans->restarted = true;
return -EINTR;
}
static inline void do_btree_insert_one(struct btree_trans *trans,
......
fs/bcachefs/trace.h
View file @ ddf11d8c
......@@ -918,6 +918,14 @@ TRACE_EVENT(trans_restart_mem_realloced,
__entry->bytes)
);
DEFINE_EVENT(transaction_restart_iter, trans_restart_key_cache_key_realloced,
TP_PROTO(const char *trans_fn,
unsigned long caller_ip,
enum btree_id btree_id,
struct bpos *pos),
TP_ARGS(trans_fn, caller_ip, btree_id, pos)
);
#endif /* _TRACE_BCACHEFS_H */
/* This part must be outside protection */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7