[PATCH 5.4 120/120] xfs: fix use-after-free when aborting corrupt attr inactivation

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit 496b9bcd62b0b3a160be61e3265a086f97adcbd3 upstream.

Log the corrupt buffer before we release the buffer.

Fixes: a5155b870d687 ("xfs: always log corruption errors")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_attr_inactive.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/xfs/xfs_attr_inactive.c
+++ b/fs/xfs/xfs_attr_inactive.c
@@ -209,8 +209,8 @@ xfs_attr3_node_inactive(
 	 * Since this code is recursive (gasp!) we must protect ourselves.
 	 */
 	if (level > XFS_DA_NODE_MAXDEPTH) {
-		xfs_trans_brelse(*trans, bp);	/* no locks for later trans */
 		xfs_buf_corruption_error(bp);
+		xfs_trans_brelse(*trans, bp);	/* no locks for later trans */
 		return -EFSCORRUPTED;
 	}

• [PATCH 5.4 001/120] of: fdt: fix off-by-one error in unflatten_dt_nodes()
• [PATCH 5.4 002/120] NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0
• [PATCH 5.4 003/120] gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx
• [PATCH 5.4 004/120] drm/meson: Correct OSD1 global alpha value
• [PATCH 5.4 005/120] drm/meson: Fix OSD1 RGB to YCbCr coefficient
• [PATCH 5.4 006/120] parisc: ccio-dma: Add missing iounmap in error path in ccio_probe()
• [PATCH 5.4 007/120] efi/libstub: Disable Shadow Call Stack
• [PATCH 5.4 008/120] efi: libstub: Disable struct randomization
• [PATCH 5.4 009/120] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
• [PATCH 5.4 010/120] task_stack, x86/cea: Force-inline stack helpers
• [PATCH 5.4 011/120] tracing: hold caller_addr to hardirq_{enable,disable}_ip
• [PATCH 5.4 012/120] cifs: revalidate mapping when doing direct writes
• [PATCH 5.4 013/120] cifs: dont send down the destination address to sendmsg for a SOCK_STREAM
• [PATCH 5.4 014/120] MAINTAINERS: add Chandan as xfs maintainer for 5.4.y
• [PATCH 5.4 015/120] iomap: iomap that extends beyond EOF should be marked dirty
• [PATCH 5.4 016/120] ASoC: nau8824: Fix semaphore unbalance at error paths
• [PATCH 5.4 017/120] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe()
• [PATCH 5.4 018/120] rxrpc: Fix local destruction being repeated
• [PATCH 5.4 019/120] rxrpc: Fix calc of resend age
• [PATCH 5.4 020/120] ALSA: hda/sigmatel: Keep power up while beep is enabled
• [PATCH 5.4 021/120] ALSA: hda/tegra: Align BDL entry to 4KB boundary
• [PATCH 5.4 022/120] net: usb: qmi_wwan: add Quectel RM520N
• [PATCH 5.4 023/120] afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked
• [PATCH 5.4 024/120] MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping()
• [PATCH 5.4 025/120] mksysmap: Fix the mismatch of L0 symbols in System.map
• [PATCH 5.4 026/120] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
• [PATCH 5.4 027/120] cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
• [PATCH 5.4 028/120] ALSA: hda/sigmatel: Fix unused variable warning for beep power change
• [PATCH 5.4 029/120] usb: dwc3: gadget: Avoid starting DWC3 gadget during UDC unbind
• [PATCH 5.4 030/120] usb: dwc3: Issue core soft reset before enabling run/stop
• [PATCH 5.4 031/120] usb: dwc3: gadget: Prevent repeat pullup()
• [PATCH 5.4 032/120] usb: dwc3: gadget: Refactor pullup()
• [PATCH 5.4 033/120] usb: dwc3: gadget: Dont modify GEVNTCOUNT in pullup()
• [PATCH 5.4 034/120] usb: dwc3: gadget: Avoid duplicate requests to enable Run/Stop
• [PATCH 5.4 035/120] usb: xhci-mtk: get the microframe boundary for ESIT
• [PATCH 5.4 036/120] usb: xhci-mtk: add only one extra CS for FS/LS INTR
• [PATCH 5.4 037/120] usb: xhci-mtk: use @sch_tt to check whether need do TT schedule
• [PATCH 5.4 038/120] usb: xhci-mtk: add a function to (un)load bandwidth info
• [PATCH 5.4 039/120] usb: xhci-mtk: add some schedule error number
• [PATCH 5.4 040/120] usb: xhci-mtk: allow multiple Start-Split in a microframe
• [PATCH 5.4 041/120] usb: xhci-mtk: relax TT periodic bandwidth allocation
• [PATCH 5.4 042/120] iio:adc:mcp3911: Switch to generic firmware properties.
• [PATCH 5.4 043/120] iio: adc: mcp3911: correct "microchip,device-addr" property
• [PATCH 5.4 044/120] wifi: mac80211: Fix UAF in ieee80211_scan_rx()
• [PATCH 5.4 045/120] tty/serial: atmel: RS485 & ISO7816: wait for TXRDY before sending data
• [PATCH 5.4 046/120] serial: atmel: remove redundant assignment in rs485_config
• [PATCH 5.4 047/120] tty: serial: atmel: Preserve previous USART mode if RS485 disabled
• [PATCH 5.4 048/120] usb: add quirks for Lenovo OneLink+ Dock
• [PATCH 5.4 049/120] usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
• [PATCH 5.4 050/120] usb: cdns3: fix issue with rearming ISO OUT endpoint
• [PATCH 5.4 051/120] Revert "usb: add quirks for Lenovo OneLink+ Dock"
• [PATCH 5.4 052/120] Revert "usb: gadget: udc-xilinx: replace memcpy with memcpy_toio"
• [PATCH 5.4 053/120] USB: core: Fix RST error in hub.c
• [PATCH 5.4 054/120] USB: serial: option: add Quectel BG95 0x0203 composition
• [PATCH 5.4 055/120] USB: serial: option: add Quectel RM520N
• [PATCH 5.4 056/120] ALSA: hda/tegra: set depop delay for tegra
• [PATCH 5.4 057/120] ALSA: hda: add Intel 5 Series / 3400 PCI DID
• [PATCH 5.4 058/120] ALSA: hda/realtek: Add quirk for Huawei WRT-WX9
• [PATCH 5.4 059/120] ALSA: hda/realtek: Re-arrange quirk table entries
• [PATCH 5.4 060/120] ALSA: hda/realtek: Add pincfg for ASUS G513 HP jack
• [PATCH 5.4 061/120] ALSA: hda/realtek: Add pincfg for ASUS G533Z HP jack
• [PATCH 5.4 062/120] ALSA: hda/realtek: Add quirk for ASUS GA503R laptop
• [PATCH 5.4 063/120] ALSA: hda/realtek: Enable 4-speaker output Dell Precision 5530 laptop
• [PATCH 5.4 064/120] efi: libstub: check Shim mode using MokSBStateRT
• [PATCH 5.4 065/120] mm/slub: fix to return errno if kmalloc() fails
• [PATCH 5.4 066/120] arm64: dts: rockchip: Pull up wlan wake# on Gru-Bob
• [PATCH 5.4 067/120] arm64: dts: rockchip: Set RK3399-Gru PCLK_EDP to 24 MHz
• [PATCH 5.4 068/120] arm64: dts: rockchip: Remove enable-active-low from rk3399-puma
• [PATCH 5.4 069/120] netfilter: nf_conntrack_sip: fix ct_sip_walk_headers
• [PATCH 5.4 070/120] netfilter: nf_conntrack_irc: Tighten matching on DCC message
• [PATCH 5.4 071/120] netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
• [PATCH 5.4 072/120] iavf: Fix cached head and tail value for iavf_get_tx_pending
• [PATCH 5.4 073/120] ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
• [PATCH 5.4 074/120] net: team: Unsync device addresses on ndo_stop
• [PATCH 5.4 075/120] MIPS: lantiq: export clk_get_io() for lantiq_wdt.ko
• [PATCH 5.4 076/120] MIPS: Loongson32: Fix PHY-mode being left unspecified
• [PATCH 5.4 077/120] iavf: Fix bad page state
• [PATCH 5.4 078/120] iavf: Fix set max MTU size with port VLAN and jumbo frames
• [PATCH 5.4 079/120] i40e: Fix VF set max MTU size
• [PATCH 5.4 080/120] i40e: Fix set max_tx_rate when it is lower than 1 Mbps
• [PATCH 5.4 081/120] of: mdio: Add of_node_put() when breaking out of for_each_xx
• [PATCH 5.4 082/120] net/sched: taprio: avoid disabling offload when it was never enabled
• [PATCH 5.4 083/120] net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs
• [PATCH 5.4 084/120] netfilter: ebtables: fix memory leak when blob is malformed
• [PATCH 5.4 085/120] can: gs_usb: gs_can_open(): fix race dev->can.state condition
• [PATCH 5.4 086/120] perf jit: Include program header in ELF files
• [PATCH 5.4 087/120] perf kcore_copy: Do not check /proc/modules is unchanged
• [PATCH 5.4 088/120] net: sunhme: Fix packet reception for len < RX_COPY_THRESHOLD
• [PATCH 5.4 089/120] net: sched: fix possible refcount leak in tc_new_tfilter()
• [PATCH 5.4 090/120] serial: Create uart_xmit_advance()
• [PATCH 5.4 091/120] serial: tegra: Use uart_xmit_advance(), fixes icount.tx accounting
• [PATCH 5.4 092/120] serial: tegra-tcu: Use uart_xmit_advance(), fixes icount.tx accounting
• [PATCH 5.4 093/120] s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup
• [PATCH 5.4 094/120] usb: xhci-mtk: fix issue of out-of-bounds array access
• [PATCH 5.4 095/120] cifs: always initialize struct msghdr smb_msg completely
• [PATCH 5.4 096/120] Drivers: hv: Never allocate anything besides framebuffer from framebuffer memory region
• [PATCH 5.4 097/120] gpio: ixp4xx: Make irqchip immutable
• [PATCH 5.4 098/120] drm/amdgpu: use dirty framebuffer helper
• [PATCH 5.4 099/120] drm/amd/display: Limit user regamma to a valid value
• [PATCH 5.4 100/120] drm/rockchip: Fix return type of cdn_dp_connector_mode_valid
• [PATCH 5.4 101/120] workqueue: dont skip lockdep work dependency in cancel_work_sync()
• [PATCH 5.4 102/120] ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0
• [PATCH 5.4 103/120] ext4: make directory inode spreading reflect flexbg size
• [PATCH 5.4 104/120] xfs: replace -EIO with -EFSCORRUPTED for corrupt metadata
• [PATCH 5.4 105/120] xfs: slightly tweak an assert in xfs_fs_map_blocks
• [PATCH 5.4 106/120] xfs: add missing assert in xfs_fsmap_owner_from_rmap
• [PATCH 5.4 107/120] xfs: range check ri_cnt when recovering log items
• [PATCH 5.4 108/120] xfs: attach dquots and reserve quota blocks during unwritten conversion
• [PATCH 5.4 109/120] xfs: Fix deadlock between AGI and AGF when target_ip exists in xfs_rename()
• [PATCH 5.4 110/120] xfs: convert EIO to EFSCORRUPTED when log contents are invalid
• [PATCH 5.4 111/120] xfs: constify the buffer pointer arguments to error functions
• [PATCH 5.4 112/120] xfs: always log corruption errors
• [PATCH 5.4 113/120] xfs: fix some memory leaks in log recovery
• [PATCH 5.4 114/120] xfs: stabilize insert range start boundary to avoid COW writeback race
• [PATCH 5.4 115/120] xfs: use bitops interface for buf log item AIL flag check
• [PATCH 5.4 116/120] xfs: refactor agfl length computation function
• [PATCH 5.4 117/120] xfs: split the sunit parameter update into two parts
• [PATCH 5.4 118/120] xfs: dont commit sunit/swidth updates to disk if that would cause repair failures
• [PATCH 5.4 119/120] xfs: fix an ABBA deadlock in xfs_rename
• [PATCH 5.4 120/120] xfs: fix use-after-free when aborting corrupt attr inactivation