authorDavid Chinner <dgc@sgi.com>2007-05-14 04:24:16 -0400
committerTim Shimmin <tes@chook.melbourne.sgi.com>2007-07-14 01:22:34 -0400
commit3db296f341b5902c4f9317022ae5d4da2d59d598 (patch)
treef351eb33c6bac70d82d9f3adf0836d4c424bad92
parent40095b64f5da601a8ab61fbe4b40feb46830052e (diff)
[XFS] Fix use-after-free during log unmount.
Don't reference the log buffer after running the callbacks as the callback can trigger the log buffers to be freed during unmount. SGI-PV: 964545 SGI-Modid: xfs-linux-melb:xfs-kern:28567a Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Christoph Hellwig <hch@infradead.org> Signed-off-by: Tim Shimmin <tes@sgi.com>
-rw-r--r--fs/xfs/xfs_log.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
index 635f99e6302f..5bb902056e61 100644
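--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -967,14 +967,16 @@ xlog_iodone(xfs_buf_t *bp)
  } else if (iclog->ic_state & XLOG_STATE_IOERROR) {
  aborted = XFS_LI_ABORTED;
  }
+
+ /* log I/O is always issued ASYNC */
+ ASSERT(XFS_BUF_ISASYNC(bp));
  xlog_state_done_syncing(iclog, aborted);
- if (!(XFS_BUF_ISASYNC(bp))) {
- /*
- * Corresponding psema() will be done in bwrite(). If we don't
- * vsema() here, panic.
- */
- XFS_BUF_V_IODONESEMA(bp);
- }
+ /*
+ * do not reference the buffer (bp) here as we could race
+ * with it being freed after writing the unmount record to the
+ * log.
+ */
+
 } /* xlog_iodone */
 
 /*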
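Review bot: The new comment before the closing brace warns only about `bp`, yet the commit message says the callbacks run by `xlog_state_done_syncing(iclog, aborted)` can free the log buffers at unmount, so `iclog` is presumably just as unsafe to touch there. I would word it `/* Do not reference bp or iclog past this point: the callbacks may free them once the unmount record is written. */` so a later edit does not reintroduce the use-after-free through the other pointer. Separately, the removed `XFS_BUF_V_IODONESEMA(bp)` path is now guarded only by `ASSERT(XFS_BUF_ISASYNC(bp))`; if ASSERT compiles out in non-debug builds, a synchronous log buffer would leave its waiter blocked with no diagnostic, so it is worth confirming that no caller can issue one. The start of xlog_iodone lies outside the hunk, so earlier uses of `bp` were not reviewed.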