xfs: Don't reference the EFI after it is freed

Checking the EFI for whether it is being released from recovery after we've already released the known active reference is a mistake worthy of a brown paper bag. Fix the (now) obvious use after free that it can cause. Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Ben Myers <bpm@sgi.com> (cherry picked from commit 52c24ad39ff02d7bd73c92eb0c926fb44984a41d)
author: Dave Chinner <dchinner@redhat.com> 2013-05-19 19:51:10 -0400
committer: Ben Myers <bpm@sgi.com> 2013-05-24 17:27:57 -0400
commit: 509e708a8929c5b75a16c985c03db5329e09cad4 (patch)
tree: c03099a439d04ef0c911eb250256a2a4a3189b85
parent: 7031d0e1c46e2b1c869458233dd216cb72af41b2 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c
index c0f375087efc..452920a3f03f 100644
--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -305,11 +305,12 @@ xfs_efi_release(xfs_efi_log_item_t	*efip,
 {
        ASSERT(atomic_read(&efip->efi_next_extent) >= nextents);
        if (atomic_sub_and_test(nextents, &efip->efi_next_extent)) {
-                __xfs_efi_release(efip);
                /* recovery needs us to drop the EFI reference, too */
                if (test_bit(XFS_EFI_RECOVERED, &efip->efi_flags))
                        __xfs_efi_release(efip);
+                __xfs_efi_release(efip);
+                /* efip may now have been freed, do not reference it again. */
        }
 }
author	Dave Chinner <dchinner@redhat.com>	2013-05-19 19:51:10 -0400
committer	Ben Myers <bpm@sgi.com>	2013-05-24 17:27:57 -0400
commit	509e708a8929c5b75a16c985c03db5329e09cad4 (patch)
tree	c03099a439d04ef0c911eb250256a2a4a3189b85
parent	7031d0e1c46e2b1c869458233dd216cb72af41b2 (diff)