Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3db296f3 authored by David Chinner's avatar David Chinner Committed by Tim Shimmin
Browse files

[XFS] Fix use-after-free during log unmount. 



Don't reference the log buffer after running the callbacks as the callback
can trigger the log buffers to be freed during unmount.

SGI-PV: 964545
SGI-Modid: xfs-linux-melb:xfs-kern:28567a

Signed-off-by: default avatarDavid Chinner <dgc@sgi.com>
Signed-off-by: default avatarChristoph Hellwig <hch@infradead.org>
Signed-off-by: default avatarTim Shimmin <tes@sgi.com>
parent 40095b64

fs/xfs/xfs_log.c

+9 −7
Original line number Diff line number Diff line
@@ -967,14 +967,16 @@ xlog_iodone(xfs_buf_t *bp) 
	} else if (iclog->ic_state & XLOG_STATE_IOERROR) {

		aborted = XFS_LI_ABORTED;

	}



	/* log I/O is always issued ASYNC */

	ASSERT(XFS_BUF_ISASYNC(bp));

	xlog_state_done_syncing(iclog, aborted);

	if (!(XFS_BUF_ISASYNC(bp))) {

	/*

		 * Corresponding psema() will be done in bwrite().  If we don't

		 * vsema() here, panic.

	 * do not reference the buffer (bp) here as we could race

	 * with it being freed after writing the unmount record to the

	 * log.

	 */

		XFS_BUF_V_IODONESEMA(bp);

	}



}	/* xlog_iodone */



/*