xfs: reset buffer pointers before freeing them

When we free a vmapped buffer, we need to ensure the vmap address
and length we free is the same as when it was allocated. In various
places in the log code we change the memory the buffer is pointing
to before issuing IO, but we never reset the buffer to point back to
it's original memory (or no memory, if that is the case for the
buffer).

As a result, when we free the buffer it points to memory that is
owned by something else and attempts to unmap and free it. Because
the range does not match any known mapped range, it can trigger
BUG_ON() traps in the vmap code, and potentially corrupt the vmap
area tracking.

Fix this by always resetting these buffers to their original state
before freeing them.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
index 18fd4beffcc3..211930246f20 100644
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -1449,6 +1449,13 @@ xlog_dealloc_log(xlog_t *log)
 
         xlog_cil_destroy(log);
 
+        /*
+         * always need to ensure that the extra buffer does not point to memory
+         * owned by another log buffer before we free it.
+         */
+        xfs_buf_set_empty(log->l_xbuf, log->l_iclog_size);
+        xfs_buf_free(log->l_xbuf);
+
         iclog = log->l_iclog;
         for (i=0; i<log->l_iclog_bufs; i++) {
                 xfs_buf_free(iclog->ic_bp);
@@ -1458,7 +1465,6 @@ xlog_dealloc_log(xlog_t *log)
         }
         spinlock_destroy(&log->l_icloglock);
 
-        xfs_buf_free(log->l_xbuf);
         log->l_mp->m_log = NULL;
         kmem_free(log);
 }       /* xlog_dealloc_log */