author | David Chinner <dgc@sgi.com> | 2007-05-14 04:24:16 -0400 |
---|---|---|
committer | Tim Shimmin <tes@chook.melbourne.sgi.com> | 2007-07-14 01:22:34 -0400 |
commit | 3db296f341b5902c4f9317022ae5d4da2d59d598 (patch) | |
tree | f351eb33c6bac70d82d9f3adf0836d4c424bad92 /fs/xfs/xfs_log.c | |
parent | 40095b64f5da601a8ab61fbe4b40feb46830052e (diff) |
[XFS] Fix use-after-free during log unmount.
Don't reference the log buffer after running the callbacks as the callback
can trigger the log buffers to be freed during unmount.
SGI-PV: 964545
SGI-Modid: xfs-linux-melb:xfs-kern:28567a
Signed-off-by: David Chinner <dgc@sgi.com>
Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Tim Shimmin <tes@sgi.com>
Diffstat (limited to 'fs/xfs/xfs_log.c')
-rw-r--r-- | fs/xfs/xfs_log.c | 16 |
1 files changed, 9 insertions, 7 deletions
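--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -967,14 +967,16 @@ xlog_iodone(xfs_buf_t *bp)
 } else if (iclog->ic_state & XLOG_STATE_IOERROR) {
 aborted = XFS_LI_ABORTED;
 }
+
+/* log I/O is always issued ASYNC */
+ASSERT(XFS_BUF_ISASYNC(bp));
 xlog_state_done_syncing(iclog, aborted);
-if (!(XFS_BUF_ISASYNC(bp))) {
-/*
-* Corresponding psema() will be done in bwrite(). If we don't
-* vsema() here, panic.
-*/
-XFS_BUF_V_IODONESEMA(bp);
-}
+/*
+* do not reference the buffer (bp) here as we could race
+* with it being freed after writing the unmount record to the
+* log.
+*/
+
 } /* xlog_iodone */
 
 /*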
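Review bot: The only thing keeping a later edit from reintroducing the use-after-free is the trailing comment at the end of xlog_iodone, which sits after `xlog_state_done_syncing(iclog, aborted);` and names only `bp`. The commit message says the callbacks can free the log buffers, so `iclog` is presumably off limits after that call as well; I would put the warning directly above the call and cover both, e.g. `/* may free bp and iclog during unmount: do not touch either after this call */`. Separately, the new `ASSERT(XFS_BUF_ISASYNC(bp));` replaces the runtime branch that released the iodone semaphore; if ASSERT compiles out in non-debug builds (not visible here), a synchronous log buffer would leave its waiter blocked with no diagnostic, so the comment above it should say where the always-ASYNC invariant is enforced. xlog_iodone begins above this hunk.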