xfs: fix use after free in buf log item unlock assert

The xfs_buf_log_item ->iop_unlock() callback asserts that the buffer
is unlocked when either non-stale or aborted. This assert occurs
after the bli refcount has been dropped and the log item potentially
freed. The aborted check is thus a potential use after free. This
problem has been reproduced with KASAN enabled via generic/475.

Fix up xfs_buf_item_unlock() to query aborted state before the bli
reference is dropped to prevent a potential use after free.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
index 010db5f8fb00..65b32acfa0f6 100644
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -605,6 +605,8 @@ xfs_buf_item_unlock(
 #if defined(DEBUG) || defined(XFS_WARN)
         bool                    ordered = bip->bli_flags & XFS_BLI_ORDERED;
         bool                    dirty = bip->bli_flags & XFS_BLI_DIRTY;
+        bool                    aborted = test_bit(XFS_LI_ABORTED,
+                                                   &lip->li_flags);
 #endif
 
         trace_xfs_buf_item_unlock(bip);
@@ -633,7 +635,7 @@ xfs_buf_item_unlock(
         released = xfs_buf_item_put(bip);
         if (hold || (stale && !released))
                 return;
-        ASSERT(!stale || test_bit(XFS_LI_ABORTED, &lip->li_flags));
+        ASSERT(!stale || aborted);
         xfs_buf_relse(bp);
 }